Arbor Networks DoS defense product

> But how do you plan to arbitrate disputes about what merits blackholing
> and not on behalf of others? And what guidelines do you use to decide
> on how to initiate black holing? (not critical here, just curious?)

That's the beauty here, one can provide multiple databases (e.g. rogue
networks which refuse to shut down their portscanners, proven spamhausen in
bed with spammers, proven active attackers, etc.) and service providers
can opt in as they like, and apply whatever policy to those routes that
they like.

> > Why are you sending funny packets?
> Any number of reasons... like I have a compromised host
> and I'm watching what it does before shutting it down...

So you have a compromised host attacking sites, you know about it, and
you're allowing it to continue. Whoops it just defaced a federal
government site, and now it has your ip address all over it...

I don't think I'd want to open myself to that kind of liability...

When we catch compromised hosts, we cut their balls off instantly.

> Or maybe the packets don't look funny to me :-).
> Or perhaps the packets were so funny I thought I'd share. ;-)
> Humor is often in the eye of the beholder :-).

Military networks aren't well known for their sense of humor, and neither
are federal interest sites...

-Dan

On Fri, May 17, 2002 at 01:00:52AM -0700, Dan Hollis <DH> said, in response
to a message on Thu, 16 May 2002 by Dragos Ruiu <DR>:

<DR> But how do you plan to arbitrate disputes about what merits blackholing
<DR> and not on behalf of others? And what guidelines do you use to decide
<DR> on how to initiate black holing? (not critical here, just curious?)

there are no disputes. It's like using the RBL - what I decide to do with my
network is my business. If somebody else doesn't like it, they can do
business elsewhere. Everybody wants to do as they please on the Big Wide Net,
but they also want to be able to tell everybody else how to play. Can't have
it both ways.

<DH> That's the beauty here, one can provide multiple databases (e.g. rogue
<DH> networks which refuse to shut down their portscanners, proven spamhausen in
<DH> bed with spammers, proven active attackers, etc.) and service providers
<DH> can opt in as they like, and apply whatever policy to those routes that
<DH> they like.

The simple addition of a default action in the land mine/blackhole BGP idea
would take away most of the protests, I think: after X scans, mail WHOIS
contact for the network in question saying "You have scanned us. Please clean
up your network, or risk being blackholed." If no response is received, and
scans continue, blackhole. Simple as that, and puts responsibility back on
the shoulders of the offending network.

<DH> > Why are you sending funny packets?

<DR> Any number of reasons... like I have a compromised host
<DR> and I'm watching what it does before shutting it down...

There's no point to what you have just said. When you find a machine has been
rooted, unplug it from the network and commence forensic analysis. Knowingly
allowing it to attack other networks is foolhardy at best.

<DH> So you have a compromised host attacking sites, you know about it, and
<DH> you're allowing it to continue. Whoops it just defaced a federal
<DH> government site, and now it has your ip address all over it...

<DH> I don't think I'd want to open myself to that kind of liability...

<DH> When we catch compromised hosts, we cut their balls off instantly.

<DR> Or maybe the packets don't look funny to me :-).
<DR> Or perhaps the packets were so funny I thought I'd share. ;-)
<DR> Humor is often in the eye of the beholder :-).

<DH> Military networks aren't well known for their sense of humor, and neither
<DH> are federal interest sites...

Neither are network operators whose networks are constantly under attack.
This kind of thing loses its novelty the first time one of your machines is
rooted and has to be wiped and rebuilt.

Whether or not it's amusing to you is immaterial. If the person being scanned
does not find it so, scans should cease, period.

[snipage throughout]

> > up your network, or risk being blackholed." If no response is received, and
> > scans continue, blackhole. Simple as that, and puts responsibility back on
> > the shoulders of the offending network.

> Oh but there _WILL_ be disputes. Even with spam there is considerable enough
> gray area that I find solutions like the RBL distasteful, and the questions
> surrounding what is and isn't a portscan will be much, much, worse. The
> simple fact is that there are no good definitions of a portscan. I say this
> because I work on developing IDSes and portscan detectors amongst other
> things.

there doesn't have to be a good definition. If network B receives what they
consider to be a scan from network A, and network A does not reply to emails
requesting explanation, network B can blackhole. Heck, network B can
blackhole whoever they want for any or no reason. It's _their_ network. An
agreed-upon definition of what constitutes a portscan is not required, by any
means.

> Port agile trojan scans won't be caught by any of your "portscan" detectors.
> Your "portscan" detection will likely only catch admins who have misfired with
> nmap, or kids playing, or legitimate network applications that have high

In which case, a simple email to the network operator in question should
clear up the confusion early in the game, with no harm done. If people can't
be bothered to properly manage their contact information for netblocks,
that's nobody's fault but their own.

> Bitching about portscans is misdirected and stupid, while lacking a good
> definition

again, definition is not necessary. I think many network operators are simply
tired of dealing with crap from other networks and operators that can't be
bothered to clean things up. Consider it fair warning. As long as network
operators are responsible for their networks, they can do as they please,
including denying contact from arbitrary other networks for any or no reason.

> of what a "portscan" is (with all deference to the popularity of nmap :-).
> If you think you have some information there you do not want to leak, put in
> measures to stop this, but route blocking based on contravention of some
> dubious "portscan" regulation is like trying to swat flies with atomic bombs,
> you may get the fly, but arguably the cure is worse than the disease.

Maybe so, but that decision still belongs to the individual network
operators.

> > There's no point to what you have just said. When you find a machine has
> > been rooted, unplug it from the network and commence forensic analysis.
> > Knowingly allowing it to attack other networks is foolhardy at best.

> There we agree to disagree. Blindly shutting down attackers without any ID or
> attempt to discern motive seems unwise. But your policies may differ. :)

This is what forensic analysis is for. You cut off the machine and then
analyze it. Motive is generally pretty obvious - Yet Another Zombie for use
in DDoS, an IRC shell, or a jumping point for further network penetrations.
*yawn* The motives are mind-numbingly common at this point. If proper logging
is in place, you won't lose any information by unplugging the machine as
opposed to allowing the intruders to continue to do whatever they're doing.

> I work with several groups that attempt to study intrusions and intruder
> techniques. If the villains have broached your defenses and you simply
> patch up the defenses with the same construct that was broached initially,
> blindly hoping they'll go away... well... further more, if you don't
> even look at the villains to identify their motive, strength and number,
> simply pretending they aren't there... then you aren't being a good
> defender.

Forensic analysis after an intrusion does not require continuing to allow the
intruders to do as they please. For honeypots, of course, this is a different
matter.

> Their loss if true. I pity the fool that cannot laugh.

Just because I have a sense of humor, does not mean I find it amusing when
people penetrate, or attempt to penetrate, my network.

> > Neither are network operators whose networks are constantly under attack.
> > This kind of thing loses its novelty the first time one of your machines is
> > rooted and has to be wiped and rebuilt.
> >
> > Whether or not it's amusing to you is immaterial. If the person being
> > scanned does not find it so, scans should cease, period.

> By all means if you are under attack, filter and protect yourself.
>
> However a "portscan" is not an attack.

Precursor to an attack, certainly. As you mentioned earlier, forewarned is
forearmed. If I find myself being scanned, as a responsible network operator
I will contact the operator of the block in question, and if things are not
cleared up to my satisfaction, I will take proactive measures to protect
myself from the attacks that are sure to come by whatever means seem
appropriate and necessary to me.

regards,

[ snip ]

[ more snip ]

> > By all means if you are under attack, filter and protect yourself.
> >
> > However a "portscan" is not an attack.
>
> Precursor to an attack, certainly. As you mentioned earlier, forewarned is
> forearmed. If I find myself being scanned, as a responsible network operator
> I will contact the operator of the block in question, and if things are not
> cleared up to my satisfaction, I will take proactive measures to protect
> myself from the attacks that are sure to come by whatever means seem
> appropriate and necessary to me.

somewhat OT, but this was an interesting article from the NYTimes:
   Linkname: Museum's Cyberpeeping Artwork Has Its Plug Pulled
        URL: http://www.nytimes.com/2002/05/13/arts/design/13ARTS.html

   "An Internet-based artwork in an exhibition at the New Museum of
   Contemporary Art was taken offline on Friday because the work was
   conducting surveillance of outside computers."

   "The work in question is "Minds of Concern: Breaking News," created by
   Knowbotic Research, a group of digital artists in Switzerland. The
   piece is part of "Open Source Art Hack," an exhibition at the New
   Museum that runs through June 30. The work can be viewed as an
   installation in the museum's SoHo galleries or online at
   newmuseum.org."

   "The dispute calls attention to one of the very points the piece is
   intended to make. Because the lines between public and private control
   of the Internet are not yet clearly defined, what artists want to do
   may be perfectly legal, but that does not mean they will be allowed do
   it."

> And why, pray tell, would some unknown and unaffiliated person be scanning my
> network to gather information or run recon if they were not planning on
> attacking? I'm not saying that you're not right, I'm just saying that so far
> I have heard no valid non-attack reasons for portscans (other than those run
> by network admins against their own networks).

I often like to know if a particular web server is running Unix or
Winblows. A port scanner is a useful tool in making that determination.

<sarcasm>
And why, pray tell, would some stranger be carrying a concealed gun if
they were not planning on shooting someone?
</sarcasm>

Scott Francis <darkuncle@darkuncle.net> writes:

[...]

> And why, pray tell, would some unknown and unaffiliated person be scanning my
> network to gather information or run recon if they were not planning on
> attacking? I'm not saying that you're not right, I'm just saying that so far
> I have heard no valid non-attack reasons for portscans (other than those run
> by network admins against their own networks).

Before choosing an online bank, I portscanned the networks of the
banks I was considering. It was the only way I could find to get a
rough assessment of their network security, which was important to me
as a customer for obvious reasons.

I'm not sure if I would have been impressed or annoyed if they had
stopped accepting packets from my machine during the scan. :)

-----ScottG.

Hello,

Saturday, May 18, 2002, 7:17:43 PM, you wrote:

> > And why, pray tell, would some unknown and unaffiliated person be scanning my
> > network to gather information or run recon if they were not planning on
> > attacking? I'm not saying that you're not right, I'm just saying that so far
> > I have heard no valid non-attack reasons for portscans (other than those run
> > by network admins against their own networks).
>
> I often like to know if a particular web server is running Unix or
> Winblows. A port scanner is a useful tool in making that determination.

[allan@ns1 phpdig]$ telnet www.istop.com 80
Trying 216.187.106.194...
Connected to dci.doncaster.on.ca (216.187.106.194).
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8
Last-Modified: Sat, 18 May 2002 06:05:35 GMT
ETag: "68807-9ff5-3ce5ef2f"
Accept-Ranges: bytes
Content-Length: 40949
Connection: close
Content-Type: text/html

Connection closed by foreign host.

(make sure you hit [Enter] twice after the "HEAD / HTTP/1.0"). Gets
you all of the information you need, and you don't have to do a
portscan. I have a perl script that automates the task if you would
like it, let me know.

allan

Date: Sat, 18 May 2002 21:50:34 -0400
From: Allan Liska

> [allan@ns1 phpdig]$ telnet www.istop.com 80
> Trying 216.187.106.194...
> Connected to dci.doncaster.on.ca (216.187.106.194).
> Escape character is '^]'.
> HEAD / HTTP/1.0

Or

  lynx http://www.istop.com/

and press the '=' key for similar info. Or echo the HEAD request
to a program that opens a TCP socket. Or go to www.netcraft.com.

Of course, firewalls munching on TCP/IP can screw up IP stack
fingerprinting, causing nmap et al. to report "IIS on <favorite
*ix flavor>" when it really means "IIS on ??? behind firewall
running <favorite *ix flavor>".

I wonder how many people enjoy recompiling their *ix httpd to
report itself as IIS? Watch for requests matching certain IDS
strings... what was that again about mad fast honeypots? ;-)
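Allan's telnet session above, and the follow-up's suggestion to echo the HEAD request to a program that opens a TCP socket, as an added Python example (not Allan's perl script or any code from this thread). It reuses the captured response from the telnet session as an offline sample, and, per the firewall and rebuilt-httpd caveats above, reports the Server header only as what the host claims to be.

```python
"""Socket version of 'telnet host 80' + HEAD, plus a parser for the reply,
so a server banner can be read without a portscan. Added example; the
hostnames and thresholds are assumptions, not from the thread."""
from __future__ import annotations

import socket


def build_head_request(host: str) -> bytes:
    # Same request as the telnet session; the empty line (second Enter) ends the headers.
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def _header_block(raw: bytes) -> bytes:
    # Headers end at the first blank line; some servers send bare LF.
    for sep in (b"\r\n\r\n", b"\n\n"):
        head, found, _ = raw.partition(sep)
        if found:
            return head
    return raw


def parse_response(raw: bytes) -> dict:
    """Parse the status line and headers of an HTTP/1.x response into
    {'status': str, 'headers': {lowercased-name: value}}."""
    lines = _header_block(raw).decode("iso-8859-1").splitlines()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0] if lines else "", "headers": headers}


def os_hint(server_header: str | None) -> str:
    """Coarse platform reading of the Server header. The value is whatever the
    operator configured (the thread mentions httpds rebuilt to announce IIS and
    firewalls that confuse stack fingerprinting), so treat it as a claim only."""
    if not server_header:
        return "unknown (no Server header)"
    s = server_header.lower()
    if any(tag in s for tag in ("(unix)", "(linux)", "(freebsd)", "(openbsd)")):
        return "claims Unix-like"
    if "microsoft-iis" in s or "(win32)" in s:
        return "claims Windows"
    return "unclear"


def fetch_banner(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Open a TCP socket, send the HEAD request, read until the headers end."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request(host))
        while b"\r\n\r\n" not in buf and b"\n\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_response(buf)


# Abridged copy of the response captured in the telnet session above,
# embedded so the parser can be exercised offline.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8\r\n"
    b"Last-Modified: Sat, 18 May 2002 06:05:35 GMT\r\n"
    b"Content-Length: 40949\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print(r["status"], "|", r["headers"].get("server"), "->", os_hint(r["headers"].get("server")))
```

Replace `parse_response(SAMPLE_RESPONSE)` with `fetch_banner("your.own.host")` to check what one of your own servers advertises.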

[ On Saturday, May 18, 2002 at 16:03:11 (-0700), Scott Francis wrote: ]

Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product)

> And why, pray tell, would some unknown and unaffiliated person be scanning my
> network to gather information or run recon if they were not planning on
> attacking? I'm not saying that you're not right, I'm just saying that so far
> I have heard no valid non-attack reasons for portscans (other than those run
> by network admins against their own networks).

I scan networks and hosts very regularly for legitimate diagnostic
purposes as well as occasionally for curiosity's sake. I've never
attacked any host or network that I was not directly responsible for.
If you don't want the public portions of your network mapped then you
should withdraw them from public view.

BTW, please be one heck of a lot more careful with your replies. My
original reply to you was not copied to the list and I did not give you
permission to post a response quoting my words back to the list.

[snip]

> > network to gather information or run recon if they were not planning on
> > attacking? I'm not saying that you're not right, I'm just saying that so far
> > I have heard no valid non-attack reasons for portscans (other than those run
> > by network admins against their own networks).
>
> I often like to know if a particular web server is running Unix or
> Winblows. A port scanner is a useful tool in making that determination.

a full-blown portscan is not required here. A simple telnet to port 80 will
do the job.

> <sarcasm>
> And why, pray tell, would some stranger be carrying a concealed gun if
> they were not planning on shooting someone?
> </sarcasm>

Show me how to defend myself from attack by portscanning the networks of
random strangers, and I will concede the point. :)

[snip]

> > network to gather information or run recon if they were not planning on
> > attacking? I'm not saying that you're not right, I'm just saying that so far
> > I have heard no valid non-attack reasons for portscans (other than those run
> > by network admins against their own networks).
>
> Before choosing an online bank, I portscanned the networks of the
> banks I was considering. It was the only way I could find to get a
> rough assessment of their network security, which was important to me
> as a customer for obvious reasons.

In that case, I would not consider the scan to have come from an
'unaffiliated' person. I'm sure if the bank's network operator noticed it,
and contacted you, things would have been cleared up with no harm done. To
make it a bit more clear: cases where the scanner can demonstrate a good and
benign reason for scanning (they do occasionally exist[1]), no blackhole is
required. Sending an email notification prior to putting in a blackhole is a
good first step to eliminate potential false positives.

[1] Random strangers unaffiliated with your network will almost never have a
valid & benign reason for portscanning you.

> I'm not sure if I would have been impressed or annoyed if they had
> stopped accepting packets from my machine during the scan. :)

Loss of a customer, probably. :)

[ On Saturday, May 18, 2002 at 16:03:11 (-0700), Scott Francis wrote: ]
> Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product)
>
> And why, pray tell, would some unknown and unaffiliated person be scanning
> my network to gather information or run recon if they were not planning on
> attacking? I'm not saying that you're not right, I'm just saying that so far
> I have heard no valid non-attack reasons for portscans (other than those run
> by network admins against their own networks).

I scan networks and hosts very regularly for legitimate diagnostic
purposes as well as occasionally for curiosity's sake. I've never

Legitimate diagnostic purposes would mean that you would not fall into the
category of "unknown and unaffiliated". Curiosity's sake, well ... depends on
whose network it is.

> attacked any host or network that I was not directly responsible for.
> If you don't want the public portions of your network mapped then you
> should withdraw them from public view.

Agreed there. Defense is important. It might be good to note that I'm not
giving a blanket condemnation of all portscans at all times; but as a GENERAL
RULE, portscans from strangers, especially methodical ones that map out a
network, are a precursor to some more unsavory activity.

> BTW, please be one heck of a lot more careful with your replies. My
> original reply to you was not copied to the list and I did not give you
> permission to post a response quoting my words back to the list.

Apologies; my finger was a bit too quick on the 'g'. As this message came to
the list, I will assume it is safe to cc the list on my reply. Sorry about
that last.

[ On Saturday, May 18, 2002 at 20:15:10 (-0700), Scott Francis wrote: ]

Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product)

> Apologies; my finger was a bit too quick on the 'g'. As this message came to
> the list, I will assume it is safe to cc the list on my reply. Sorry about
> that last.

Apology accepted, but I strongly recommend you learn to use some more
reliable mail reader software -- something that doesn't accidentally
invent reply addresses! There was no hint that my message to you was in
any way associated with the NANOG list -- it was delivered directly to
you and CC'd only to the person you were responding to. Some outside
influence had to have associated it with having been a reply to a list
posting and connected your desire to reply with inclusion of the list
submission address. According to your reply's headers you're using
Mutt-1.3.25i, and according to the Mutt manual 'g' is the group-reply
command. I don't find any hint in the description of that command to
indicate that it will magically associate a given message with a list,
especially one that was not received from the list. Even the
'list-reply' command should not be able to associate a private reply
with the list address. If Mutt really does magically associate private
replies with list addresses by some mysterious mechanism then it's even
more broken than I suspected.....

And what the critics keep missing is that it will take several landmine
hits across the internet to invoke a blackhole. Just scanning a few
individual hosts or /24s won't do it.

There are three aims of the landmine project:

1) early warning
2) defensive response
3) deterrence

I realize such a project won't be absolutely, positively perfect in every
aspect, and it won't satisfy 100% of the people 100% of the time. But
that's hardly an excuse to not do it. IMO the positives outweigh the
negatives by far.

-Dan
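The default action proposed earlier in the thread (after X scans, mail the WHOIS contact; if no response and scans continue, blackhole) combined with Dan's point that it takes several landmine hits across the internet, not a few hosts or /24s, before anything is blackholed. This is an added example sketching that escalation logic in Python; it is not code from the landmine project, and the thresholds, grace period and /24 aggregation are assumptions.

```python
"""Escalation logic for the landmine/blackhole idea discussed in this thread:
count scan reports per offending /24 across distinct reporting sites, mail
the abuse contact after X hits, and blackhole only if reports keep coming
after a grace period with no reply. Added example; thresholds are assumed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Policy knobs: assumed values, not figures from the thread.
NOTIFY_AFTER_HITS = 5       # "after X scans, mail WHOIS contact"
MIN_DISTINCT_SITES = 3      # "several landmine hits across the internet"
GRACE_SECONDS = 72 * 3600   # time allowed for a reply before blackholing
AGGREGATE_PREFIX = 24       # one /24 is treated as one offending network


@dataclass
class OffenderState:
    hits: int = 0
    sites: set[str] = field(default_factory=set)
    notified_at: float | None = None   # when the contact mail went out
    responded: bool = False            # contact replied with an explanation
    blackholed: bool = False


class LandminePolicy:
    """Tracks scan reports and decides the next action per source prefix."""

    def __init__(self) -> None:
        self.state: dict[ipaddress.IPv4Network, OffenderState] = {}

    @staticmethod
    def prefix(src_ip: str) -> ipaddress.IPv4Network:
        # IPv4 assumed; strict=False masks the host bits off.
        return ipaddress.ip_network(f"{src_ip}/{AGGREGATE_PREFIX}", strict=False)

    def report(self, src_ip: str, site: str, now: float) -> str:
        """Record one report from `site` at time `now` (epoch seconds) and
        return the action taken: 'count', 'notify', 'blackhole' or 'ignore'."""
        st = self.state.setdefault(self.prefix(src_ip), OffenderState())
        if st.blackholed:
            return "ignore"
        st.hits += 1
        st.sites.add(site)
        if st.notified_at is None:
            # A few hits against one site are not enough; several sites must agree.
            if st.hits >= NOTIFY_AFTER_HITS and len(st.sites) >= MIN_DISTINCT_SITES:
                st.notified_at = now   # the WHOIS-contact mail would be sent here
                return "notify"
            return "count"
        # Already notified: scans continuing past the grace period with no
        # response is the blackhole condition; a reply stops the escalation.
        if not st.responded and now - st.notified_at >= GRACE_SECONDS:
            st.blackholed = True
            return "blackhole"
        return "count"

    def contact_responded(self, src_ip: str) -> None:
        """The network's contact replied; treat the scans as explained."""
        st = self.state.get(self.prefix(src_ip))
        if st is not None:
            st.responded = True

    def blackholed_prefixes(self) -> list[str]:
        return sorted(str(p) for p, st in self.state.items() if st.blackholed)
```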

It doesn't. I cc'd the list because I thought the message to be germane to
the public thread, and no mention was made of the message being private. That
was a misstep on my part, for which I apologize, and that was what I meant by
"a little too quick on the 'g'". I will in the future assume all replies not
cc'd to the list to be private, or else get permission before cc'ing the list
on a reply.

Mea culpa.

[snip]

> And what the critics keep missing is that it will take several landmine
> hits across the internet to invoke a blackhole. Just scanning a few
> individual hosts or /24s won't do it.
>
> There are three aims of the landmine project:
>
> 1) early warning
> 2) defensive response
> 3) deterrence
>
> I realize such a project won't be absolutely, positively perfect in every
> aspect, and it won't satisfy 100% of the people 100% of the time. But
> that's hardly an excuse to not do it. IMO the positives outweigh the
> negatives by far.

This is what I have been (unsuccessfully) attempting to state. I apparently
need more practice in being coherent. :)

Scott Francis <darkuncle@darkuncle.net> writes:

[...]

> > And why, pray tell, would some unknown and unaffiliated person be scanning my
> > network to gather information or run recon if they were not planning on
> > attacking? I'm not saying that you're not right, I'm just saying that so far
> > I have heard no valid non-attack reasons for portscans (other than those run
> > by network admins against their own networks).
>
> Before choosing an online bank, I portscanned the networks of the
> banks I was considering. It was the only way I could find to get a
> rough assessment of their network security, which was important to me
> as a customer for obvious reasons.

I would argue that this is not good practice and you don't have the right
to intrude on the workings of the bank's network just because you have the
technology to do so... if a telnet port was open would you also check that
you were unable to brute force your way in? That is to say... what exactly
were you hoping to find and then do with the results?

I'd also say your reason for this is void, it's not your responsibility to
assess the bank's security. If they screw up they have insurance and
you're not at risk.

> I'm not sure if I would have been impressed or annoyed if they had
> stopped accepting packets from my machine during the scan. :)

But surely if all their prospects do this they will not be able to handle
the volume of attacks and will be unable to keep up with blocking the more
minor benign scans. And you as a customer ought to prefer their time is
spent on legitimate attacks, which means no one scans them 'for good
reasons' and all scans are therefore malicious and worthy of
investigating...

Steve

So for your offline banks, do you also go to the local branches at night
and jiggle all the locks to make sure their doors and windows are locked?

-Dan

> > I often like to know if a particular web server is running Unix or
> > Winblows. A port scanner is a useful tool in making that determination.
>
> a full-blown portscan is not required here. A simple telnet to port 80 will
> do the job.

A simple telnet to port 80 will sometimes do the job, but often not.
And even your statement "a full-blown portscan is not required" concedes
that a portscan will work in making this determination.