A few problems with that:

1) Sometimes portscans aren't malicious, that is I (at least) have
used quick scans to determine services that a remote host provides, i.e.
anon ftp and whatnot.

2) (big one) any ISP worth its salt will set its border routers to
reject packets with obviously forged source IPs.

3) you can be involved in a DoS/illegal/harassing activity if someone
spoofs the source address for a portscan, and your system
automatically responds.

Don't get me wrong, how you choose to deal with people who portscan
you (I run OpenBSD, so I tend to get a small smile at the thought) or
who do active scans for vulnerabilities (I report them like the
weasels they are) is entirely your business; however, setting up an
automated response opens you up to more problems than the benefits
would suggest.

jeff

> I'm getting kind of tired of sending reports of
> port scans and attempted break-ins to people who 
> don't really seem interested in doing something 
> about the problem.  I always ask them to keep me 
> informed about how they deal with those 
> responsible, but very few have the courtesy to 
> actually do so.  It leaves me wondering if they
> did anything at all or if they just ignored the 
> problem.
> 
> So something else is needed.
> 
> Suppose we set up a firewall that, when it detects 
> a port scan, would spoof the source address and 
> perform a port scan against the port scanner's ISP?  
> That way, the ISP would see a port scan coming 
> from one of his own customers and would be more 
> likely to take an active interest in putting a 
> stop to it.
> 
> Eric Johnson
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
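Added example, not part of either message above: the "border routers reject packets with obviously forged source IPs" rule from point 2 is ordinary source-address validation (the BCP38-style ingress filter), and it is also why the spoofed retaliation scan in the quoted proposal would typically never leave the sender's own ISP. The topology, prefixes and packets below are constructed for illustration; the interface names and the `ingress_verdict` function are my own, not any vendor's configuration syntax.

```python
import ipaddress

# Constructed, hypothetical topology: one border router with an upstream
# interface and two customer-facing interfaces. Prefixes are documentation
# ranges, not real allocations.
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
CUSTOMER_PREFIXES = {
    "cust0": [ipaddress.ip_network("198.51.100.0/26")],
    "cust1": [ipaddress.ip_network("198.51.100.64/26")],
}


def _in_any(addr, prefixes):
    """True if addr falls inside any of the given networks."""
    return any(addr in p for p in prefixes)


def ingress_verdict(interface, src):
    """Return 'forward' or 'drop' for a packet with source src arriving on interface.

    Two rules, both of which reject forged sources:
      * on the upstream side, nobody outside may claim one of our addresses;
      * on a customer port, the customer may only use its assigned block.
    """
    addr = ipaddress.ip_address(src)
    if interface == "upstream":
        return "drop" if _in_any(addr, OUR_PREFIXES) else "forward"
    allowed = CUSTOMER_PREFIXES.get(interface)
    if allowed is None:
        return "drop"  # unknown interface: fail closed rather than open
    return "forward" if _in_any(addr, allowed) else "drop"


def filter_packets(packets):
    """Apply the verdict to (interface, src, dst) tuples; keep the packet beside its verdict."""
    return [(pkt, ingress_verdict(pkt[0], pkt[1])) for pkt in packets]


# Constructed sample traffic as seen by the router.
SAMPLE = [
    ("cust0", "198.51.100.10", "203.0.113.5"),      # legitimate customer traffic
    ("cust0", "203.0.113.9", "203.0.113.5"),        # customer forging an outside source
    ("cust0", "198.51.100.70", "203.0.113.5"),      # customer forging a neighbour's address
    ("upstream", "203.0.113.5", "198.51.100.10"),   # normal inbound packet
    ("upstream", "198.51.100.70", "198.51.100.10"), # outside host claiming our address
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE):
        print(f"{pkt[0]:8} src={pkt[1]:15} -> {verdict}")
```

The second sample packet is the interesting one for this thread: a customer box emitting packets with someone else's source address is dropped on the customer's own port, so the proposed "make it look like it came from their customer" trick mostly punishes whoever's address was borrowed, which is point 3 in the reply.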
