in reply to Re^2: RFC: CPAN module for blocking open proxy requests
in thread RFC: CPAN module for blocking open proxy requests

Despite your good intentions and noble goals, I hold that there is no valid reason for a web server to try to make unsolicited connections to my system. A port scan detector I sometimes run on my network would automatically start dropping packets from your host and notify me and your ISP's IP range abuse admin of the attack. It has to be manually overridden not to take those actions for a particular host or network range.

You may want to announce somewhere near your comment entry box that you'll be using this type of countermeasure so people don't think you're the one stirring up trouble. In most instances, I don't think people look any more kindly on port scanning of their systems than they do on spam. If you make it clear what's going on and why, you're likely to get more support for it.

I know I'm always happy to allow anti-cheating tests during games and such if I know what they are going to do and why. By agreeing to use a service which I know will be port scanning my systems, I would be agreeing to the scan. That's a much better scenario than you just scanning my network without telling me.

How do you deal with multiple people in the same community who share a pool of short-lived DHCP leases if you only check once per week?

Re^4: RFC: CPAN module for blocking open proxy requests
by Gunnar (Novice) on Aug 11, 2010 at 02:28 UTC

    Thanks for sharing your concerns, mr_mischief. Needless to say I don't agree. ;-)

    Despite your good intentions and noble goals, I hold that there is no valid reason for a web server to try to make unsolicited connections to my system.

    Don't all serious admins of Internet connected systems have to endure some traffic in order to help fight the bad guys out there? I think they do.

    Provided that your system does not carry an open proxy, we are talking about max one scan per week, comprising just a few ports that are often used for open proxies. My belief is that very few system admins would care, irrespective of their general view on "unsolicited connections", as you put it.

    You may want to announce somewhere near your comment entry box that you'll be using this type of countermeasure so people don't think you're the one stirring up trouble.

    For the above reason, I don't think that 'innocent' admins would ever read such an announcement. Informing them about the purpose would be a good thing, but I can't see how it could be done.

    If admins of open proxies feel troubled, I couldn't care less.

    How do you deal with multiple people in the same community who share a pool of short-lived DHCP leases if you only check once per week?

    HTTP::ProxyTest tests IP addresses; what else can I say?