Forgive the top posting, but Lookout is the corporate standard.

Now, on to the topic at hand. Why would you scan the address space in the first place? Wouldn't it be easier to compromise a known host and look at the ARP table? Or better yet, the router on the edge? If it's moving packets, something on the network has mapped the MAC address to its IP at some point.

Jamie

-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins@arbor.net]
Sent: Friday, September 03, 2010 3:42 PM
To: NANOG list
Subject: Re: just seen my first IPv6 network abuse scan, is this the start for more?

On Sep 4, 2010, at 12:19 AM, Steven Bellovin wrote:

I've seen it and concur with regards to worms (which don't seem to be very popular, right now, excepting the 'background radiation' of old Code Red, Nimda, Blaster, Nachi, SQL Slammer, et al. hosts). I believe that hinted scanning is still viable, and I'd argue that the experience of the OP who kicked off this thread is an indication of same.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Sell your computer and buy a guitar.