Home page logo
/

nanog logo nanog mailing list archives

RE: Stealth Blocking
From: "David Schwartz" <davids () webmaster com>
Date: Wed, 23 May 2001 17:24:04 -0700


From: David Schwartz [mailto:davids () webmaster com]
Sent: Wednesday, May 23, 2001 4:54 PM

In the PURE war, one ONLY shoots confirmed bad-guys and has ZERO
collateral damage.

    So if someone has a machine gun and is firing randomly,
you don't act to stop him until he happens to hit someone?

Lottsa mitigating circumstances here;
.Are they shooting spam?
.Are they trying to hit anyone?

        How can you tell if you don't check? As soon as you have reason to believe
they're creating a hazzard to innocent people, you are justified in checking
if they really are. This has been standard Internet practice since day one.

        Think about ident for a second. If someone makes a TCP connection to you,
many people make a return TCP connection to port 113 to log the user name of
the user making the connection. But maybe the adminstrator of the machine
considers connecting to port 113 to check who his users are an invasion of
his privacy. What about that?

        And the answer is really simple. If you went around connecting to port 113
on random machines, there'd be a justifable grounds for complaint. But if
somebody else connects to you, you can connect back to them to decide how
you want to handle their connection. They fired first.

One spammer is no justification for nuking their entire city. Targeted
response, sir ... targeted response. That's what MAPS is, a laser
beam, not
a hand granade.

        Absolutely. Probe the machine that is of concern, not whole blocks
randomly.

That's madness. [I] don't advocate
random scanning, as it is unethical to probe random people for
vulnerability. However, once you know there is in fact an
open relay, you are entirely justified in blocking it.

Agreed, but its open-relay status is irrelevent. The fact that one has
proof-positive of spam, from that site, is.

        No, its open-relay status is not irrelevant. If you know a site is an open
relay, however you know this, and you want to block open relays (which I do)
and it's my right to block open relays, then I will block them. How I find
out they're an open relay is another story. The usual way is you probe a
site when it becomes an actual problem.

        So let me ask you three questions:

        1) If I find out a site is an open relay by legitimate means, do you agree
that I have the right to block it if I want to?

        2) If a site sends me spam or otherwise inconveniences me, do you agree
that I have the right to probe it to see if it's an open relay if I wish to
do so?

        3) Do you think it's unreasonable to block known open relays as a
protection against future spam.

        Notice I'm not asking anything about probing random blocks. You and I agree
that this isn't justifiable.

And if you have legitimate reason to
suspect a site is an open relay, you are entirely justified
in probing it to see whether or not it is.

No you are not, by your own ethical standards. Suspicion is not
proof. Only
a piece of spam, in hand, from that specific site, is sufficient grounds.

        If you really believe what I think you're saying, then you would have to
object to, for example, the ident protocol.

    If your neighbor is aiming a gun at you, you are
justified in checking to see if it's loaded.

No you are not, you assume that it is and fire first <grin>. But, you are
not justified in taking out his whole block, including the other
neighbors.
You are not allowed ANY collateral damage. Anything less is sloppy anyway.
What's the matter, ain't you that good? Can't you aim?

        The only collateral damage is that the man's children lose their father.
There's nothing you can do about that. Similarly, if you block a site that's
a known problem, you inconvenience any legitimate mail traffic that might
have passed through that site. But that's the kind of collateral damage
that's unavoidable. Unfortunately, you have to make hazardous
misconfigurations inconveniencing or they won't be fixed.

        DS



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault