Len Rose wrote:
Scanning is always a precursor to an attack, or to determine if any obvious methodology can be used to attack. At least that's how it has been historically viewed.
See my other post. MAPS assists users in closing their "innocent" relay capable systems. And, FWIW, pro-active probing -can- provide a great service to the "less than clueful" end users. Scenario: MR. ISP A, we received over 300mbs from your network last week, as it participated in a 1500-bot attack of K ROOT SERVER... We have determined, via access list, that the following IP's appear to be the source of this attack, and we suspect have been compromised by the "koo-koo-ka-chooo" worm. We have not confirmed the identity of the worm, as the attack worm has yet to be identified, and isolated, conclusively. However, we have found all sources that participated in this attack had port 6667 and ports 7777 open. This lead us to hypothesize that it was the "koo-koo-ka-choo" worm... Several of these sites are under your Administration.... Attached, please find the list of infected servers.... Any information regarding this worm, and the servers subsequent sterilization, would be appreciated. Signed, The Admininstration of -=Your=- NSP.
In my opinion there is no legitimate reason to scan a remote host or network without the permission of the owners. Otherwise it is in fact excessive behaviour.
See above.