
nanog mailing list archives

Re: Stealth Blocking
From: Valdis.Kletnieks () vt edu
Date: Thu, 24 May 2001 01:30:01 -0400


On Wed, 23 May 2001 16:18:12 PDT, David Schwartz said:
> ORBS claimed originally to be a list of confirmed open relays, which it
> once was and nobody really complained too much. The problem is, some sites
> began getting complaints about the ORBS probers probing their networks. As a
> result, some large sites (like abovenet) blocked the ORBS probers. ORBS
> countered by blacklisting all of abovenet's address blocks, including all of
> their non-multihomed customers. This blacklisted thousands of machines that
> had no open relays.

Well.. half of this is a red herring.

The last time I checked (which was a re-check as I was writing this),
ORBS had different ways of listing "known open relay" and "unable to
check because of a block".  Therefore, a carefully worded ORBS query
should result in no blacklisting of "thousands of machines that had no
open relays" (although of course, you would then not get a heads-up from
ORBS regarding an actual open relay in a blocked address block).

It's the site's decision whether it prefers false positives or false negatives.

See http://www.orbs.org/usingindex.html for details... lot of options there.

Flame-fests regarding ORBS probing should be redirected to /dev/null.

                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

