Jeff Bachtel wrote:
> 
> A few problems with that:
> 
> 1) Sometimes portscans aren't malicious, that is I (at least) have
> used quick scans to determine services that a remote host provides, i.e.
> anon ftp and whatnot.

But then the services you are trying to find are not BackOrifice or 
other trojans.

By the way, I see frequent few port scans from people looking for
open news servers!  And that is on a system that doesn't run a
news server at all.  While I don't see that as a security problem,
I am puzzled since it never happened before the first week of
October.

> 2) (big one) any ISP worth its salt will set its border routers to
> reject packets with obviously forged source ip's.

It seems that the small ISPs who are more likely to respond to 
complaints are those that are less likely to use access lists
effectively.  I can see that if you have never got a complaint 
about one of your users scanning for system vulnerabilities, you 
are more likely to respond than a large ISP who gets many 
complaints every day.

Thus, one of the big arguments against this (other than legal
liabilities) is that the ISPs that would be more likely to let
the traffic through in the first place are not the problem.

> 3) you can be involved in a DoS/illegal/harassing activity if someone
> spoofs the source address for a portscan, and your system
> automatically responds.

The port scanning would have to be throttled down to make sure that
it doesn't overwhelm anyone.

> Don't get me wrong, how you choose to deal with people who portscan
> you (I run OpenBSD, so I tend to get a small smile at the thought) or
> who do active scans for vulnerabilities (I report them like the
> weasels they are) is entirely your business, however setting up an
> automated response opens you up to more problems than the benefits
> would suggest.

How about just running a port scan against whoever is portscanning you.
If someone sees port scans coming from a system they are trying to break
into, it would hopefully scare them off.

Eric Johnson
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
