Re: "portscans" (was Re: Arbor Networks DoS defense product)
Dan Hollis <goemon@anime.net> wrote:
On Sat, 18 May 2002, Scott Francis wrote:
On Sat, May 18, 2002 at 11:05:34PM -0400, woods@weird.com said:
attacked any host or network that I was not directly responsible for. If you don't want the public portions of your network mapped then you should withdraw them from public view.

Agreed there. Defense is important. It might be good to note that I'm not giving a blanket condemnation of all portscans at all times; but as a GENERAL RULE, portscans from strangers, especially methodical ones that map out a network, are a precursor to some more unsavory activity.

And what the critics keep missing is that it will take several landmine hits across the internet to invoke a blackhole. Just scanning a few individual hosts or /24s won't do it.

There are three aims of the landmine project:

1) early warning
2) defensive response
3) deterrence

I realize such a project won't be absolutely, positively perfect in every aspect, and it won't satisfy 100% of the people 100% of the time. But that's hardly an excuse to not do it. IMO the positives outweigh the negatives by far.

Not that this neverending thread hasn't been an absolute blast, but I was thinking maybe if I pointed out that this has been and is already being done by several commercial and non-commercial groups, we could put an end to the "landmine" discussion? For example, see,

  http://isc.incidents.org/top10.html

For a list of naughty hosts and nets. And there are any number of commercial solutions. For example, I believe SecurityFocus's ARIS does this kind of thing,

  http://www.securityfocus.com/corporate/products/tmsFAQ.shtml

Pretty much all of the big IS security companies do. NIDS data from various sites is shipped off to a central database where the data is crunched, and then the distilled information is pushed back out. Pretty much the same concept?

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
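
Added example, not part of the original thread and not code from any of the projects it mentions: a sketch of the central correlation step described above, where reports from many sensors are crunched and a source is listed only after several independent sites have seen it. The threshold, the /16 site grouping, the function names and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
import ipaddress

# Assumed policy values; the thread gives no numbers.
MIN_DISTINCT_SITES = 3     # "several landmine hits across the internet"
SENSOR_PREFIX_LEN = 16     # sensors inside one /16 count as a single site

# Constructed sample reports: (sensor address, source address seen probing it).
# All addresses are private or documentation ranges, not real observations.
REPORTS = [
    ("10.1.0.5", "192.0.2.10"), ("10.1.0.6", "192.0.2.10"),
    ("10.1.7.9", "192.0.2.10"),                    # one site, many hits
    ("10.2.0.5", "198.51.100.7"), ("10.3.0.5", "198.51.100.7"),
    ("10.4.0.5", "198.51.100.7"), ("10.4.0.9", "198.51.100.7"),
    ("10.5.0.5", "203.0.113.44"), ("10.6.0.5", "203.0.113.44"),
]

def sensor_site(sensor_ip):
    """Collapse a sensor address to the network that hosts it."""
    return ipaddress.ip_network(f"{sensor_ip}/{SENSOR_PREFIX_LEN}", strict=False)

def correlate(reports):
    """Map each source to the set of distinct sensor sites that reported it."""
    sites = defaultdict(set)
    for sensor_ip, source_ip in reports:
        # Parsing through ipaddress makes malformed entries raise ValueError
        # instead of silently becoming separate keys.
        source = ipaddress.ip_address(source_ip)
        sites[source].add(sensor_site(sensor_ip))
    return sites

def distilled_list(reports, threshold=MIN_DISTINCT_SITES):
    """Sources reported by at least `threshold` independent sites, sorted."""
    return sorted(src for src, seen in correlate(reports).items()
                  if len(seen) >= threshold)

if __name__ == "__main__":
    for src, seen in sorted(correlate(REPORTS).items()):
        verdict = "LIST" if len(seen) >= MIN_DISTINCT_SITES else "ignore"
        print(f"{src}  sites={len(seen)}  {verdict}")
```

Counting distinct sites rather than raw hits is what keeps a scan of a single network, however thorough, from putting a source on the list by itself.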