North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Re[6]: "portscans" (was Re: Arbor Networks DoS defense product)

  • From: Ralph Doncaster
  • Date: Sun May 19 12:14:47 2002

> RD> I think that's pretty stupid.  If I had my network admin investigate every
> RD> portscan, my staff costs would go up 10x and I'd quickly go bankrupt.
> RD> Instead we keep our servers very secure, and spend the time and effort
> RD> only when there is evidence of a break in.
> I didn't say investigate every portscan, I said assume every portscan
> is hostile.  There is a big difference.

So you assume it's hostile and do what?  Automatically block the source
IP? If you do that then you open up a bigger DOS hole.  Then if someone
sends a bunch of SYN scans with the source address spoofed as your
upstream transit providers' BGP peering IP, poof! you're gone.