The Internet

What's Wrong With Port Scanning? 96

Sneezer asks: "I work for the department at my university which provides network connectivity for students living in the residence halls. We are currently wrestling with revising our Acceptable Use Policy. We occasionally get complaints from other sysadmins complaining that one of our IPs has port scanned one of their servers. In trying to decide what our policy should be in dealing with residents who play with port scanners, we have come to wonder why so many admins get so uptight about being scanned. Also, could we or should we be held accountable for an intrusion if we were informed that the intruder had been conducting port scans before, but we hadn't intervened?" I feel port-scanning is similar to looking at a house. Looking is OK as long as you don't try to break-in. But as in all things, there is a fine line...the trick is figuring out when it's been crossed.
This discussion has been archived. No new comments can be posted.

  • by gorilla ( 36491 ) on Friday August 11, 2000 @03:09AM (#863015)
    What's wrong with walking along a corridor trying all the doors you see?
  • I feel port-scanning is similar to looking at a house. Looking is OK as long as you don't try to break-in.

    But isn't port scanning akin to trying all the doors and windows on the house, to see which ones are open? Say I come by and try to open all your house's doors and windows, then find some are unlocked. So what if I never actually enter your house - simply my checking all your doors and windows would probably bother you. I know it would me. Let me put it this way: if you try that on my house, get ready to meet my Glock. Likewise with my computer.

    I think the people complaining are probably doing so because there isn't any reason to port scan someone else's computers except to determine a way to break in to those computers. Please let me know if you can think of any reason such activity would be legitimate.

  • Port scanning has its uses, but by a very limited number of people. Let's look at a few examples:

    A number of ISP netadmins use port scanning to detect the presence of publically-offered services--the netadmin can then perform tests of those services to ensure they don't become smurf amplifiers or security holes. @Home looks for servers that operate in defiance of their Terms of Service (perhaps too hard). ORBS uses limited port scans to detect and document open mail relays.

    Within corporate networks, netadmins regularly scan inside IP addresses looking for security holes -- particularly of publically accessible servers. Services offered are correlated with lists of possible problems, and the software examined to apply appropriate patches.

    Some research depends on Internet-wide port scans to further worthwhile projects. For example, the "fingerprinting" of public servers provide statistics of what software is being used. A mapping project sponsored by NASA generates a sample of "working" systems by using a limited port probe -- I see this all the time in my firewall logs and traced down the project to find out just what was going on. (At some point, I will update my firewall filters to pass through the well-identified IP addresses of this activity, so that their research will reflect reality a bit better.)

    Unfortunately, the good works that honest researchers (both pro and amateur) do is far outstripped by the number of people who use the "burglar tools" indiscriminately, or for nefarious purposes. Mass fingerprinting identifies systems ripe for root/admin compromise, or for potential denial of service if the wish arises to do so.

    Another commenter said that [paraphrase] "a person checking doors to see if they are locked is suspicious in and of itself": it depends on who is doing the knob-rattling, and whether I know about it beforehand. Port scanning is just that, "knob-rattling." Most firewall appliances and software sold today will detect and block even "stealth" scans of their assigned IP addresses. As they should.

    The sad part is that people who run port scanners are considered guilty until proven innocent of trying to commit an unsocial act. AS THEY SHOULD BE. This posture makes sense, because port scanning, like UCE/UBE, uses resources that the user of the port scanning software isn't paying for, and in all too many cases isn't desired by the receiver of the scan packets.

  • >>I feel port-scanning is similar to looking at a house. Looking is OK as long as you don't try to break-in.

    It depends. Here's an example: Here in Texas, it's a state law that if you LOOK into someone's car, you can be arrested for attempted burglary. That's right - if you are walking through a parking lot, see something interesting on the front seat of a parked car, and stop to look at it, you can be arrested for attempted burglary. The theory is that even looking into the car is none of your business and to do so means that you have actually begun the process of committing a burglary.

    So there are lots of people who think, in plenty of contexts other than just network administration, that engaging in actions that are a necessary precursor to a crime is the equivalent of beginning to commit that crime. The question, of course, is where do you draw the line.

    "There should be no fair use. Quoting is just a form of piracy."

    "He was reading a magazine about guns. Convict him of murder! Quick! Before he gets a chance to actually do it!"

    There are even people who take this to the most ridiculous extreme:

    "Of course all men are rapists. Why else would they be born with the tools to do the crime?"

    Now, port scanning is in one of those grey areas. It's not bad in and of itself, but it is often a precursor to bad things. So people tend to mix it up with the acts that often follow. Don't blame them. That sort of fuzzy thinking happens all the time, as the examples above illustrate.

    This is my response to the original question of "Why do people get so upset?" Frankly, I haven't a clue as to how to deal with them. They have a point. You have a point. And if you try to decide who's right (since both sides have valid positions), you wind up having to sacrifice reason and truth to make a decision.

    Good luck. This is the sort of conundrum that makes life interesting.
  • I was recently using one of the port scanners to see what kind of fingerprint it would return on a new server I was deploying. This process actually shot down an OpenSource application server running on the box. It's not a huge problem for me because this was a FastCGI connection only used for communication between the Web Server and the App Server, so I had put in a filter rule to block connections from the outside world. But, this happened to me years ago on a production machine which was scanned. So, scans are more like somebody throwing rocks at your house than someone checking the door knobs. Some windows are likely to get broken... ;-(

    Mike

  • I can do a portscan on my box, from a friend's box, to show him how much more secure my system is. perfectly legit. I can do it the other way round, from my box to his, to show how insecure it is. Both legit. And luckily pulling a gun on someone IS a crime in most of europe.

    //rdj
  • Actually, a port scan would be more like, what's wrong with noticing where the doors and windows are. A port scan doesn't attempt intrusion, just finds out what services are running. There are legitimate reasons for port scans.

    /*
    *Not a Sermon, Just a Thought
    */
  • So whose fault is it for leaving your window unlocked? I'm not saying it is right to hop in and take all your goods or destroy anything, but that isn't how other people think.

    When one of my production servers gets scanned, I reverse scan them for a fingerprint and to try and determine if they are a box that got hacked ( usually solaris with rpc running :) ) or just someone who happened to port scan me.
  • by Royster ( 16042 ) on Friday August 11, 2000 @04:44AM (#863023) Homepage
    The difference is that you can give yourself permission to scan your own box and your friend can give you permission to scan his.

    Scanning without permission is being a very poor neighbor.
  • Most anti-cracking laws (no, I haven't done a formal comparative exercise, nor am I likely to) work on the basis that causing someone else's machine to execute any instruction without you being authorised to do it constitutes a crime.

    Port scanning without asking is certainly rude, but there's no way of knowing that you're not allowed to do it - the mere fact that the system is connected to a public network is enough that you can assume it's OK to scan. Doing it after you've been asked not to is potentially a crime (check local law for details).

    I guess the answer in most places, is that if you've got a legitimate reason to do it, ask first. If you have got a legitimate reason, it should be OK, no? If there's good reason for refusal and the admin you're asking gives it, everyone's happy. This is more of a good manners point than a legal one, though: local laws may or may not make unannounced scanning Bad and Wrong, or require something over and above execution of code to make up the offence of Cracking.

    When administering students' access, I guess the thing to do is make damned sure that port scanning leaves an audit trail, so that when you get Mr Angry on, you can pass on the complaint to the guilty party. Ignoring that kind of warning and scanning the same target again should certainly be contrary to a fair use policy: whether you want to go further and maintain a list of People Who Complain About Port Scans that users are required to consult before starting a scan depends on what the administrative overhead of maintaining the list will be against the overhead of dealing with repeat complaints.

    The answer really depends on what you regard as good administrative practice in relation to an activity that annoys third parties. As to your potential liability, ask someone at the university's law faculty for a few pointers: I guarantee you won't hear a dull word in response (some or all of this sentence is intended to be construed as humour). There's certainly enough in what you say and in what people have been posting here to ring a few alarm bells in my mind about what you ought to be doing, if only at the good-neighbourliness level.

  • Running a port scan on a friend's system wasn't the example given, though. We're talking about UNAUTHORIZED scans.

    There's no reason to portscan someone without their prior permission.

    (And I can't believe you euros would criticize our "make my day" laws here in the US! ;)
  • Another commenter said that [paraphrase] "a person checking doors to see if they are locked is suspicious in and of itself": it depends on who is doing the knob-rattling, and whether I know about it beforehand. Port scanning is just that, "knob-rattling."


    To continue this analogy to ridiculous extremes, in the good old days when cops walked a beat, they would often walk down the street checking door knobs to make sure shops had remembered to lock up, and to make sure nobody had unlocked the door since the shop keepers had gone home. A white-hat port scanner could be placed in that category. Nobody would have objected to that cop doing that door knob checking. But if a stranger was walking down the street checking door knobs, you'd be damn suspicious, and rightly so. And anybody who port scans without either asking my permission or having a web page up describing the purpose of their scanning is violating my privacy and will be treated like a potential intruder.


    --
    A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.

  • That's a pretty poorly written service, if it can't handle a port scan. Error handling - use it!

    I haven't heard of any service damaged by a portscan before... Sounds like it was expecting only perfect communication from one trusted source. Not a good model on a network.

    --
  • >Scanning without permission is being a very poor neighbor.

    I agree. But it's still a big step from being a nasty neighbour or complete bastard to being a criminal.

    //rdj
  • But it's still a big step from being a nasty neighbour or complete bastard to being a criminal.

    My point about the gun thing was that if you are trying the windows and doors of my house, chances are very high that you are going to then enter my house. As soon as you do that, I can legally pull my gun on you for my own protection - you are trespassing on my property.

    Same goes for my computer. If you are scanning my computer (as has been pointed out: without my permission), chances are good you are attempting to locate an open "door" through which to enter my computer. Don't expect me to respond kindly.

  • Here in Texas, it's a state law that if you LOOK into someone's car, you can be arrested for attempted burglary.

    Dude, in Texas, Bush can *fry* you for looking in someone's car.

    InitZero

  • There are legitimate reasons to port scan someone.

    However you need to ask why any student would port scan from his own computer. If it is for research then his department (CS most likely) should provide the machine.

    For many students I would guess that if their machine is port scanning someone, that means that the machine is compromised and a remote cracker is looking for more holes.

    IMHO, the last point is the one you should consider most likely.

  • What if I use my home ISP account to portscan and probe my employer's web server via Nessus to look for potential security problems from outside, and my ISP's T&Cs forbid portscanning?? This is something I propose to do for work when we move offices later this month. Would I still be in the clear?

    My home ISP changed ownership last week, and I haven't looked at the new T&Cs in detail to see if this affects this one.

  • I think a lot of people are way too uptight about port scanning. They get cable/DSL, install Black Ice or ZoneAlarm and because they see all this activity, they think they're under siege. And I see professional admins that don't act much better. Should ISP X really care if one of their customers scanned your subnet looking for ftp servers?

    Chances are, if an admin knows their machines were scanned, they're probably not going to have a problem anyway. By notifying the admin on record for a domain the scan originated from, they might be doing that other admin a favor if the scan looks very suspicious. More suspicious than pings or searches for common ports (even if those ports are often exploitable) like ftp, SMTP, POP3, NFS, etc.

    I think an admin should alert that other admin when scans are looking just for common "cracker" ports like 31337. The chances that scanner is up to no good is much higher.

    Now if the scanner also tries to connect to an open port like ftp or telnet, that's already more serious but I still wouldn't send an email unless the attempted connections are coming from root and the hostname doesn't look like a commercial ISP (email admin when the remote client is from research.hi-techu.edu, not 28-128-dhcp.isp.com). Again, it doesn't improve my security, but it alerts the other admin that there's likely a security problem on their network.

    Of course if any activity gets to the point that it truly interferes with service or a particular host is wasting your time because of all the log records, then an admin should alert the remote domain and expect action.

    Overall I think a zero tolerance policy just wastes an admin's time and doesn't really improve anyone's security.
  • And anybody who port scans without either asking my permission or having a web page up describing the purpose of their scanning is violating my privacy and will be treated like a potential intruder.
    How does a port scan violate your privacy? All the scanner sees is an active IP address with ports X Y and Z open. On the Internet, there ain't nothing private about that information.

    Sure port scanning is suspicious behaviour and the scanner may very well try to break into your computer. So what? You keep your machine secure by configuring it and installing software to make it so, not by crying wolf every time a "stranger's" packet comes knocking at your door.

    How should a potential intruder be treated anyway? How would you treat other potential criminals?

  • by elbuddha ( 148737 ) on Friday August 11, 2000 @05:52AM (#863035)

    To borrow a commonly used metaphor: Port scanning is akin to looking at all the windows of a house to see which ones don't have their curtains drawn. While this behavior is certainly rude, it is not inherently evil.

    Much more suspicious are probes of specific ports for daemons known to have vulnerabilities. Most crackers/kiddies don't run full scans against hosts. They choose a handful of ports and check those to determine if there is something listening there and more importantly what version of that daemon is listening there. This is the behavior that is akin to checking to see if the windows are locked.

    Port scanning of the first type shouldn't get any seasoned admin's hackles raised - every host connected and available is going to get scanned eventually.

    Port scanning of the second type shouldn't get any seasoned admin's hackles raised either - as long as they've taken proper security measures (Mr. Cracker/Kiddie's scanner will simply log the host as "not vulnerable" and move on). Furthermore, since such probes will either be stealthed or blend in with normal traffic, it is unlikely that they will even be noticed.

    What does raise my hackles is when a host gets scanned over and over and over and over within a very short period of time from the same source. Such behavior, while not a DOS attack, can be resource-intensive on the target and is very rude. But there again, it is not suspicious per se because it is most likely indicative of a certain degree of cluelessness on the part of the scanner.

    The bottom line to me is that port scanning happens but it is nothing to worry about as long as proper and normal security precautions have been taken anyway beforehand and continue to be taken as exploits emerge.

    The admins that complain to the source network about port scans are worried about the wrong things, or worse want someone else to be responsible for their own security.

    As for liability, who knows. Common sense would dictate that A) The target is responsible for their own security, and B) The source is responsible for their own actions. But since when has common sense borne any resemblance to the law, especially in the context of a civil suit?
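
The comment above separates three patterns: a full sweep of one host, a probe of a handful of ports across hosts, and the same scan repeated within a short period. The following is an added example, not part of the original thread, that classifies sources in a constructed deny log along those lines; the log format, thresholds and label names are assumptions.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed sample of denied inbound attempts, one per line:
    "epoch_seconds src_ip dst_ip dst_port" (an assumed format, not a real
    firewall's). Addresses are from the RFC 5737 documentation ranges."""
    t = 965970000
    lines = []
    # One pass over ports 1-50 of a single host.
    for port in range(1, 51):
        lines.append(f"{t + port} 203.0.113.10 192.0.2.5 {port}")
    # Two ports checked on each of eight hosts.
    for host in range(1, 9):
        for port in (21, 111):
            lines.append(f"{t + host} 203.0.113.20 192.0.2.{host} {port}")
    # The same 30-port pass run four times, one minute apart.
    for n in range(4):
        for port in range(1, 31):
            lines.append(f"{t + n * 60 + port} 203.0.113.30 192.0.2.5 {port}")
    # An ordinary single connection attempt and a damaged line.
    lines.append(f"{t} 198.51.100.7 192.0.2.5 80")
    lines.append("garbled line")
    return lines


def _max_in_window(timestamps, window):
    """Largest number of timestamps that fall within any `window` seconds."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify_sources(lines, sweep_ports=20, probe_hosts=5, probe_ports=3,
                     repeat_window=600, repeat_passes=3):
    """Return {src_ip: [labels]}. All thresholds are illustrative assumptions."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        ts, src, dst, port = parts
        try:
            events[src].append((int(ts), dst, int(port)))
        except ValueError:
            continue

    verdicts = {}
    for src, evs in events.items():
        ports_by_host = defaultdict(set)
        hits = defaultdict(list)  # (dst, port) -> timestamps
        for ts, dst, port in evs:
            ports_by_host[dst].add(port)
            hits[(dst, port)].append(ts)
        all_ports = set().union(*ports_by_host.values())

        labels = []
        # Many distinct ports on one host: the indiscriminate full scan.
        if any(len(p) >= sweep_ports for p in ports_by_host.values()):
            labels.append("full_sweep")
        # A handful of ports across many hosts: the specific-daemon probe.
        if len(ports_by_host) >= probe_hosts and len(all_ports) <= probe_ports:
            labels.append("targeted_probe")
        # The same host and port hit again and again in a short period.
        if any(_max_in_window(t, repeat_window) >= repeat_passes
               for t in hits.values()):
            labels.append("repeated")
        verdicts[src] = labels or ["background"]
    return verdicts


if __name__ == "__main__":
    for src, labels in sorted(classify_sources(build_sample_log()).items()):
        print(src, ",".join(labels))
```

Keeping the per-source verdicts alongside the raw lines also gives the kind of audit trail an earlier comment asks for when a complaint has to be passed on to the responsible user.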

  • "Noticing where the doors and windows are" is fine when you're on a public sidewalk (so you're not trespassing) or you have business with me. Standing on the sidewalk and watching someone 24 hours a day is a different matter, or if there are thousands of people walking around the block looking and blocking traffic.

    But going above the "public" low port numbers or testing for bugs is "rattling doorknobs" and you'd better have reason to be checking if a door is unlocked. If I don't have a link pointing to cgibin/test.pl then you have no reason to be looking for it.

  • I heard of one site where the sysadmin shut down their router after every port scan attempt. Given that some script kiddies seem to scan subnets at random, it led to a lot of denial of service.

    Maybe they should have shut down the sysadmin instead.

  • It depends on the school but if a port scan was originating from a ResNet connection, I think it's most likely that student doing it, not someone else who's cracked the student's machine.

    It's silly to expect a department to provide a machine for any old project a student might do for a class or independent research project. Lab machines may not be configured to allow students to run the programs they want to run to do the scan unless port scanning was a task all students in a class were expected to use. Even if they have the equipment, the student may want to (or need to) run the scan during hours the lab is not open and may not have the ability to run it remotely. What if the student wants to use a software package for a research project and the department doesn't have a machine that it can be run on?
  • by scotpurl ( 28825 ) on Friday August 11, 2000 @06:17AM (#863039)
    Bandwidth ain't free. We all know unsolicited email ain't nice, so why do we think unsolicited network packets ARE nice?
  • I'm glad I won't get shot for being a poor neighbour..

    //rdj
  • Unsolicited packets aren't "nice" but they're not evil either. Port scan packets are so small that you'd have to be constantly scanned to really impact a bandwidth charge.

    The actual kilobyte size of a spammed message isn't the problem, it's the time one is forced to spend getting rid of it. Collectively spam is wasteful of bandwidth but on an individual basis the bandwidth waste is far less significant than the time waste. If you get so much spam that you can actually associate a bandwidth dollar amount to them, well, that's a lot of spam! I would consider arranging with an ISP or uplink some kind of filtering at their end so it doesn't cost more bandwidth. Of course such service will cost something but if it's less than what the bandwidth costs, it's a good idea.
  • A number of ISP netadmins use port scanning to detect the presence of publically-offered services--the netadmin can then perform tests of those services to ensure they don't become smurf amplifiers or security holes. @Home looks for servers that operate in defiance of their Terms of Service (perhaps too hard).

    Actually, for a while, I got into the habit of portscanning anyone who portscanned me, just to let them know I did it. As it turned out, I got a letter from @Home telling me that if I violate their terms of service again, they'd terminate my account. Since I didn't portscan anyone who didn't already do it to me, this means one thing:

    Someone had the audacity to portscan me, then complain to @Home when I returned the favor!

    As it turns out, any use of portscanners, valid or not, is against the TOS.
  • I've seen a plain old nmap scan send a stock solaris box into a syslogging frenzy, ending only when the /var partition filled up and the sysadmin noticed that there were some disk-space issues.


    Not too impressive...

  • But it's still a big step from being a nasty neighbour or complete bastard to being a criminal.

    View my "nasty neighbor" comment as being reverse hyperbole. When you don't know your neighbors, even minor acts that violate your privacy reduce your security. On the Internet, everyone are neighbors to one another and most everyone are strangers to one another. University AUPs should promote good neighborliness on the net.
  • by Anonymous Coward
    Nobody at your university has any business portscanning my network. For what possible "good" purpose would ANYONE at your university be scanning my network? What, they're going to let me know they found a hole/exploit? I don't think so. What, they're portscanning me in the interest of academia? I don't think so.

    If I want to be portscanned in the name of security, I'll go to dslreports.com and have them run a scan on my network. So, you and your script kiddies are relieved of that noble duty. Now, what's left? Nothing.

    I'm not saying "throw the haxors in jail". But your policy should be no off-campus portscans (without written permission from staff). None. Do it, and your account is turned off until you have a meeting with (appropriate staff/dean). Whether you let them portscan on-campus computers is your choice.

    Nobody at your university has any business portscanning my network.

  • I currently use @Home (Cox@Home, specifically, here in Phoenix), and prior to hooking up with them, I asked about running a server (I even asked about changing the contract to allow this, paying more, etc - I actually told them I would pay the MORE to let me run a server - and they turned me down!), and after talking to a "tech", he said that as long as I wasn't running a wide-open public server, I would be fine.

    I know the TOS says that you can't run servers. I am not so uptight about the contract that I wouldn't try such a thing (it ain't like you are going to go to jail or something for doing it - yet...), but I wonder what would happen if I did?

    Which ports does @Home scan? Only the low numbers? High numbers? Random? What if I ran a web server on say port 45830 - what are the chances I would be caught? Especially if the only traffic is myself (from my work or elsewhere)? What if I made you log into the server before letting someone through (so only I could get in)?

    I would like to set up only a few servers - a web, ftp, maybe telnet as well - for my own personal use. Since I would be the only one using them, I would even be willing to put them on funky ports, instead of the common public ones.

    Anybody have ideas or comments?
  • I think you could actually get away with running at least an HTTP server on port-80. Here's why:

    A friend of mine and I were talking about peer-to-peer apps (ala Gnutella or ICQ) and he said he was shocked to find out that ICQ listens on all sorts of ports, including 80 if it's available, for messages.

    Apparently, the ICQ engineers wanted to try solving the "behind a firewall" problem of receiving inbound packets and chose commonly opened ports, incl. 80. So, I think it'd be tough to monitor on a home network like @Home because so many people use ICQ.

  • This is an educational facility. People are there to learn. What better way to learn what "Joe average webmaster" has for open ports than to scan them. If you're learning system admin, you'll scan whoever, see what's running, question yourself why they're doing what they're doing, etc...

    The internet is a public network. Things that are public get used BY the public. One poster had a comment on Texas law stating that by looking in someone's car window, you have started the act of burglary. But that law does not mean that if you're looking in the windows of a city bus, that you then plan to steal that city bus.

    The machine is private, the data is private, but anything connected to a switch and given internet access, is fair game in my book.

    xrayspx
  • If you walked down a corridor, and tried every door, but did not open one even if it was unlocked, would that be bad? That's what port scanning is like. Plus, I have often scanned a friend of mine's machine to figure out what port certain services are supposed to run on. In that regard it is unlike looking at doors in a corridor b/c you don't get anything useful out of it.
  • There is a difference between checking if someone's door is wide open and wiggling the doorknob to see if it is unlocked.

    Port scanning is more like the former, you look and see if someone's door is open or closed. The door might be open because someone wants you to come in, for instance port 80 at 64.28.67.48 (slashdot.org)

    wiggling the doorknob would be equivalent to checking to see if the sysadmin used 'god' as their password for 'root' or worse simply doesn't have a password.

    At least, that is how I see it.

  • by Anonymous Coward
    Oh, bullshit. Nobody's running portscans to "learn". They're running portscans as part of their rootkit, trying to find exploitable computers.

    If someone really needs to run portscans to "learn", they'll have no problem asking (and getting) permission. The AUP should say "no portscans without permission".

    As far as legality, yes portscans are legal and should be. Fair game, indeed. Just because they are legal, though, doesn't mean they are acceptable (as in acceptable use policy). Spamming people is legal. The university should also frown upon that in their AUP.

  • I disagree. I think a student trying to set up his own linux box might want to be sure his services are running on the standard ports, or might want to check to be sure he doesn't write a program to take a port that is used by some standard service.
  • 1. Portscanning is harmless. 2. If you were really worried about security, you wouldn't be running Windows. 3. You are paranoid. 4. You are an asshole. 4a. You're probably an asshole because of small genitalia, controlling parents, and the lack of intelligence that forced you to become an MCSE. 5. You've almost certainly not been the on-call responsible entity for any network. Your attitude tells me that.
  • 1. Portscanning is harmless. 2. If you were really worried about security, you wouldn't be running Windows. 3. You are paranoid. 4. You are an asshole. 4a. You're probably an asshole because of small genitalia, controlling parents, and the lack of intelligence that forced you to become an MCSE. 5. You've almost certainly not been the on-call responsible entity for any network. Your attitude tells me that. Oh, yeah. Forgot one. 6. Consider yourself fed, troll!!
  • I have some cursory knowledge of networking and I'm learning a little bit more all the time. Out of curiosity, are there any security concerns that one should be aware of if ICQ is listening on many different ports? Thanks :)

  • It depends on what port is being scanned. Port 80 is like "I would like some HTTP content? Can I", but a port like the ones used by Netbus and the like is like walking around a house and seeing if there are any windows open.

    --
    "Trying is the first step towards failure."
  • I haven't heard of anyone having problems running servers on @home. I personally run telnet, ftp, http, and ssh (it's nice to have access to my home computer from work). That, and I haven't even detected port scans from @home admins to detect servers. YMMV.

    However, be careful. Every server you have running is a potential security hole. You might think nobody cares about your box, or nobody will find it. I thought the same thing til my box was cracked (damn you wu-ftpd!). Keep up to date with the latest security exploits, keep your software up to date and monitor your logs.
  • Almost every post on here uses some kind of analogy to show why port scanning is or isn't bad. Analogies are interesting, but ultimately useless in proving your point. Deal with the facts of the issue as they are. It's just like when record company execs say "downloading copies of songs is no different than walking into a store and stealing a CD." Yes, it is different. Deal with the facts as they are. Don't cling to analogies your mind has already come to terms with.

    --jb
  • To me, portscannign is like walking down the street and jiggling every handle on every door. Sure, you might not do anythign bad, but it does raise some suspicion. Also, could someone tell me a real use for a portscanner, except done by the admin himself?

    Alexander

    CmdrTaco: can you please implement a spellchecker for the comments? :)
  • >we have come to wonder why so many admins get so uptight about being scanned.
    It is folklore among sys admins, that portscanning is the noisy preamble of a script kiddie attack.
    Therefore, they usually install some kind of "port scanning" detection device, for early warning.

    A massive portscanning of such a site, may trigger all kinds of alarms, and notify the sys admin, who then has to check out what triggered the alarm.
    I guess, that at that point, the sys admin transforms into a BOFH. When he discovers that the portscanning came from a uni, he turns into an even more angry and paranoid BOFH, since unis traditionally have been known as script kiddies CO-LOs; lots of unsecure unix boxes, and lots of bandwidth.

    There is nothing wrong with portscanning, but the present climate makes it a rude thing to do, especially if it is a massive portscan (walking up and down on every port on the entire IP segment).

    I think it would be a fair "Acceptable Use Policy", to state, that (massive) portscans, without prior permission from the scanned site, are a no-no. And if someone needs to play around with portscan tools (developing Netcraft like mapping tools and such), they better inform their own sys admin first.

    Of course, such rules should only apply to (l)users; sys admins and other divine creatures, know the craft, and should be allowed such things as portscanning when having a good cause (since they know the implications of portscanning, and take the heat anyway).

    It must be said though, that some sys admins seem to regard even the tiniest ping or trace, as a full scale attack on their network, or at least as a personal insult. That is a too stuck up attitude of course.

    --
    Regards
    Peter H.S. (sys admin in spe)

  • Looking is OK as long as you don't try to break-in.
    Actually, no. Looking In is also called 'peeping Tom' activity, loitering, or voyeurism, depending on the state. See this list of such laws by state [about.com] (which may be out-dated, but proves the point).

    When I advertise my TCP services, that is a welcome mat, or an invitation for entry. Probing my system to find openings (even if you don't enter) is invasive and counter to decency.

    Ergo, I report every TCP Port Scan of my systems to the proper authorities (ISPs, etc.). When I find someone running a SATAN-type scanner (more aggressive than just TCP port scanning) against my systems I report to legal authorities. Have a nice day.

    Now hiring experienced client- & server-side developers

  • > Plus, I have often scanned a friend of mine's
    > machine to figure out what port certain
    > services are supposed to run on.

    Which was done with permission of the 'admin'.
    That's like getting in a security firm to check your doors and windows. You are allowing them to check the security of the place. People doing this without authorisation are liable to be arrested...

  • Stop it, this talk of "knob rattling" is getting me all hot 'n bothered.
  • I'm a student at California Polytechnic State University, San Luis Obispo. [calpoly.edu] A friend of mine, a sophomore computer science student named Paul, was accused and found guilty of port scanning, under a proposed Responsible Use Policy. You heard me correctly, proposed. Sigh.

    I summarize some of the details below, but you can read all about it at the site his friends set up. FreePaul [freepaul.org] has details, transcripts, audio recordings, musings, and propaganda for you to enjoy.

    Basically, Paul had a job in town doing admin work on some computers. He was working on those machines from his dorm room, and had to reboot them a few times (I don't know why. I do know he runs Linux on his personal box.), so each time they rebooted, the dynamically allocated IP was new. Meaning he had to find it again. He knew what range the IP would be in, so he scanned that range to find his machines. He did this, depending on who you believe, between four and a dozen times, over a day or three (again, conflicting stories). He then set up a script enabling the computer to email him with its IP when it reboots, so he didn't need to scan anymore. But someone had already complained.

    Apparently, the school networking guys got a complaint from off-campus ("Hey, I'm being scanned by x.y.z.r on your campus. Do something!") and called up Paul, saying 'Don't do that anymore.' This was after Paul had set up the script, so he had no more reason to scan. School networking seemed OK with this, so it seemed everything was hunky-dory (um, that's slang for "just fine").

    Then the school's Judicial Affairs department heard about it. And they started going after Paul with a vengeance. Paul wasn't told about certain rights he had in the process, rights declared in California State Law. Judicial Affairs violated State law in the course of the investigation and prosecution (Notice of Hearing was a big one). It seems like Judicial Affairs was trying to make an example of him. Even if all the accusations against him are true, JA still was out of line in the details of the prosecution of the case. I happen to believe that the charges aren't right, but even if they are, there has been a miscarriage of what I think of as Justice.

    Now, how does this affect you, and your department's struggle with your Acceptable Use Policy? Be careful. Look at the mechanisms used to prosecute students who violate policies. If you think certain problems are minor compared to others (pinging isn't as bad as running BackOrifice on your professor's computer), try to put those judgements of relative harm into the policy as recommendations for punishments. The people who are now in charge of prosecuting students may be great people, kind, generous, wanting to help. But those people may leave, and the replacements may get on a power-trip, or may think that making a few 'examples' will "keep the little buggers in line". Do your best to make that very hard.

    Good luck.

    Louis Wu

    "Where do you want to go ...

  • Actually it is suspiciously timely that this story is posted. A few weeks back I was suffering a regular and time consistent number of attempts at port scanning on my machine. The port in question was 31337 ( can any one say back orifice?). Anyway IPChains blocked this and reported the IP, time and date. NSlookup reported who the IP belonged to ( the Same ISP as I was on as it happened, oh and another Big UK ISP ). So I wrap up the Log files, break down the data give the document the relevant information and forward it to the support departments of the ISPs in question. The response was ..... well let's just say I think MS will go open source before they respond to my emails.

    See I can believe cracking attempts will always occur and that ISPS should not be responsible for them. In the same way that the law is not responsible for someone breaking it. However if that person is identified with having made the Attempted break in then surely they should be punished. In this instance I was providing documentary evidence which should tie up with their own access records.

    Clearly the ISPs don't maintain those records. Maybe for issues of privacy and if so how does recording the time you spend online affect your privacy really.

    I would have thought though that the ISPs in question would like to have shown their ability to respond to the issues concerned and in turn acted on them... Fat Chance.

    So here I am. Still online, grepping my message log for DENY and user and access and waiting for the next attempt.

    I think for the benefit of society some ports should be blocked if they have become associated with abuse. After a while we get down to the common methods of communication and with that we can better patrol our networks.
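The log triage described in the comment above (pulling source, time and date out of ipchains DENY entries before writing to an ISP), as an added example that is not part of the original post. It assumes the syslog layout ipchains uses for its "Packet log:" lines; the host name, addresses (documentation ranges), thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: syslog lines in the ipchains "Packet log:" layout
# (written for rules that carry -l). Addresses are documentation ranges.
SAMPLE_LOG = """\
Aug 10 21:14:03 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.45:1893 198.51.100.7:31337 L=44 S=0x00 I=4021 F=0x4000 T=52 SYN (#4)
Aug 10 22:14:05 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.45:1907 198.51.100.7:31337 L=44 S=0x00 I=4188 F=0x4000 T=52 SYN (#4)
Aug 10 23:14:02 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.45:1922 198.51.100.7:31337 L=44 S=0x00 I=4302 F=0x4000 T=52 SYN (#4)
Aug 11 02:40:11 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4410 198.51.100.7:21 L=44 S=0x00 I=911 F=0x0000 T=47 SYN (#6)
Aug 11 02:40:11 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4411 198.51.100.7:23 L=44 S=0x00 I=912 F=0x0000 T=47 SYN (#6)
Aug 11 02:40:12 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4412 198.51.100.7:25 L=44 S=0x00 I=913 F=0x0000 T=47 SYN (#6)
Aug 11 02:40:12 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4413 198.51.100.7:80 L=44 S=0x00 I=914 F=0x0000 T=47 SYN (#6)
Aug 11 02:40:12 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4414 198.51.100.7:111 L=44 S=0x00 I=915 F=0x0000 T=47 SYN (#6)
Aug 11 02:41:00 gw kernel: Packet log: input ACCEPT ppp0 PROTO=6 203.0.113.80:3301 198.51.100.7:80 L=44 S=0x00 I=77 F=0x4000 T=60 SYN (#2)
Aug 11 02:45:30 gw kernel: Packet log: input DENY ppp0 PROTO=1 203.0.113.9:8 198.51.100.7:0 L=84 S=0x00 I=920 F=0x0000 T=47 (#6)
Aug 11 03:00:00 gw sshd[411]: unrelated line that must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:\sPacket log:\s"
    r"(?P<chain>\S+)\s(?P<action>\S+)\s(?P<iface>\S+)\sPROTO=(?P<proto>\d+)\s"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s(?P<dst>[\d.]+):(?P<dport>\d+)\s"
)

BLOCKED = {"DENY", "REJECT"}
# Only TCP and UDP carry ports; for ICMP the two ":n" fields are type and code.
PORT_PROTOS = {6: "tcp", 17: "udp"}


def parse_line(line):
    """Return the fields of one blocked TCP/UDP packet, or None for anything else."""
    m = LINE_RE.match(line)
    if not m or m.group("action") not in BLOCKED:
        return None
    proto = PORT_PROTOS.get(int(m.group("proto")))
    if proto is None:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": proto,
        "dport": int(m.group("dport")),
    }


def summarize(log_text, scan_ports=5):
    """Group blocked packets by source address and label the pattern.

    scan_ports is an assumed threshold: that many distinct destination
    ports from one source is labelled a multi-port scan.
    """
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_src[rec["src"]]
        entry["hits"] += 1
        entry["ports"].add(rec["dport"])
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]

    summary = {}
    for src, entry in per_src.items():
        ports = sorted(entry["ports"])
        if len(ports) >= scan_ports:
            kind = "multi-port scan"
        elif entry["hits"] > 1:
            kind = "repeated probe"
        else:
            kind = "single packet"
        summary[src] = {"hits": entry["hits"], "ports": ports, "kind": kind,
                        "first": entry["first"], "last": entry["last"]}
    return summary


def format_report(summary, tz):
    """One line per source for an abuse report. Syslog timestamps carry no
    year or time zone, so the zone is passed in and stated explicitly."""
    lines = []
    for src in sorted(summary):
        s = summary[src]
        ports = ",".join(str(p) for p in s["ports"])
        lines.append(f"{src}: {s['kind']}, {s['hits']} blocked packets, "
                     f"dst ports {ports}, first {s['first']}, last {s['last']} ({tz})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG), tz="UTC"))
```

The receiving ISP can only match a report against its own records if the timestamps are exact, so the logging host's clock should be synchronised before the lines are sent.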

  • Ergo, I report every TCP Port Scan of my systems to the proper authorities (ISPs, etc.).

    Sure, why not, it's your time to waste. Get your jollies how you like 'em. I wish the folks local to me would do it by email instead of newsgroups (or that a newsgroup be set up *just* for that) but it's no big deal.

    When I find someone running a SATAN-type scanner (more aggressive than just TCP port scanning) against my systems I report to legal authorities.

    That's definitely someone looking to cause trouble (unless they got the IP wrong). I'd still go to your ISP and offender's ISP first. The offender deserves to get their wrists slapped. You get law enforcement involved straight off, you're either going to start annoying them (because it's gonna happen more than once) or if an investigation actually gets anywhere, the process is going to get your time tied up. Again, it's your time.

  • How does a port scan violate your privacy? All the scanner sees is an active IP address with ports X Y and Z open. On the Internet, theren't nothing private about that information.

    There isn't anything "private" about the locked or unlocked state of your car door as with many cars it can be ascertained just by looking, but if I'm at the shopping mall and I see a guy testing car door handles, I'm going to tell mall security.

    How should a potential intruder be treated anyway?

    By denying them access even to services that others have a legitimate right to, like my mail, usenet and web servers. If I were as paranoid about security in practice as I am in theory, the first thing I would do if I saw a port scan would be to totally black hole every packet that came from that source, no matter what port or protocol.


    --
    A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.
  • I agree with you on the point that a student at the university probably has no reason to scan you. Though you're so adamant about it, I wonder if you're trying to hide something. Obscurity is not Security.

    What I do not agree with is what you propose as a solution. Shutting down a user's account because it was used for a port scan is simply wrong. First, the owner of the account was most likely not the person responsible for the scan if they had any intent of cracking your computer. Second, even if the owner of the account was responsible for the scan, it might very well have been done by accident while trying to scan something else.

    A policy such as you proposed, would in no way stop scanning from student accounts. More likely, the policy would be used as a means of revenge by crackers against particular students.

  • Clif says:
    • I feel port-scanning is similar to looking at a house. Looking is OK as long as you don't try to break-in. But as in all things, there is a fine line...the trick is figuring out when it's been crossed.

    Is port scanning looking, or is it turning the knob on the front door to see if it is locked? I'd get pretty uptight if I found someone standing on my front porch, if they had their hand on the door I'd be calling the cops.

    In an academic environment I can think of valid reasons for legitimate port scanning on machines where the scanner had an account (you're there to learn, right?). I cannot think of a reason for someone to be port scanning a machine that they do not otherwise have access to, unless their intent is to crack the box. If someone is curious about how a machine is configured they can walk right up to most popular open ports and ask. Most protocols have ways to query the system (SMTP HELO for example). This is different than walking up and determining which ports are open. Maybe I'm trying to draw too subtle of a distinction here, so I'll try to give a concrete example. When I get spammed I check the headers and see where it came from. If it looks like someone has a machine open for relaying I'll telnet to port 25 and see if that is the case. If the machine is open I then send an email asking them to fix it. Is telnetting to port 25 port scanning? Not to me. That is walking up to the front door and knocking. Scanning all ports with nmap is walking up and rattling the doors and windows.

    At the very least port scanning is rude. I feel that it is basically a threat to hack.


  • It's silly to expect a department to provide a machine for any old project a student might do for a class or independent research project.
    Not to mention that research might be purely personal. I'm a mechanical engineering student, the CS department isn't going to provide me with tools and sanction to learn networking architecture, and it shouldn't have to.

    I should be allowed to do personal network research. If I want to see how network tools work, and see what kinds of services can be run, I shouldn't need anyone's sanction to do so. I'm doing runtime research, why is that different from library research?

    Louis Wu

    "Where do you want to go ...

  • The only ports I know @home scans for is 119 or NNTP. They're doing this only because of the fact that they got threatened with a blacklist because of the amount of spam from @home.

    I've known several people who run servers on @home and none of them have ever got into any trouble. The bottom line is, it is against the TOS. You "could" theoretically lose your access. But I highly doubt it will ever happen. For me, I'm content running my servers on high numbered ports and redirecting them to the standard ports on the inside of my lan. Considering I'm the only one who uses my servers, it shouldn't matter if I have to connect to some odd, high numbered port. I'm very doubtful that @home would scan all 65,000 ports on their 24/8 subnet.

    I've heard rare cases of @home services (Media one I believe) redirecting inbound port 80 traffic to one of their own web servers, preventing you from running on port 80. That would be the _smart_ way to do it if you ask me. Then again, I don't think they're too smart.

    Bottom line is unless they get a complaint or you're using an unreasonable amount of bandwidth, they have no reason to kick you off. You're paying your monthly bill and they probably don't want to spend the man hours enforcing some stupid TOS.

    LiNT

  • by Anonymous Coward
    grepping my message log for DENY

    check out logcheck [psionic.com].

  • Other than testing systems you own for security purposes, I can think of no legitimate reason to engage in portscanning against systems which are not yours.

    Everytime I get portscanned, I report it, and in one case, I received a very nice thankyou note from the site's admin, saying that the machine which did the scan had been compromised.

    If you start allowing portscans from your network, you can expect complaints from me. If it happens too many times, then I'll complain to your ISP. I don't mean to sound threatening, but as an admin who has lots of other legitimate work that I could be doing, I hate having my time wasted by some script kiddie.


  • By that rationale, conserving water is a waste of time. Personally, I could only save a few hundred gallons each year if I'm careful.

    That water savings mean only a couple bucks savings each year. Takes more time to conserve water than it's worth... so why bother?

    -sid
  • Whether you allow (or don't specifically disallow) port-scanning, many sysadmins view it as rude, and some look at it as a prelude to a cracking attempt. If it goes on, you will hear about it from some sub-set of those scanned. Is it worth your time to investigate these events? You (or your boss, or his boss) will get emails and calls. Is it worth your boss's time?

    When I have reported port-scans I have gotten thanks from the sysadmins of the systems because that was the first warning that their system was compromised. Unless I've been notified of it beforehand, I look at all port scans suspiciously, and I would be very happy to hear from someone detecting a scan from my network. New exploits are being developed all the time- you can't be up to date on everything, all the time.
  • If you're secure, then a portscan won't make a difference to you; the scan will be detected, the packets will be dropped, and life will go on. A *single, one pass* scan isn't abuse.

    Go back ten years, and you'll hear the same discussion about wardialing. If, in the process of calling all the numbers in an exchange, I happen to hit your phone number, the worst that will happen is that you'll answer and I'll hang up. If someone called my phone company because I called them *once*, should my phone line be disconnected?

    "Intent!" someone screams from the back..."You're going to h4x0r me!" Maybe, maybe not. But if your machines are secured, why are you so worried?

    Today's h4x0rs are tomorrow's network engineers who have been playing with the internet their entire lives...
  • >>>Here's an example: Here in Texas, it's a state law that if you LOOK into someone's car, you can be arrested for attempted burglary.

    >>I seriously doubt that...States can pass whatever laws they want. Thank goodness the Supreme court can discard ridiculous laws (if indeed Texas has such a law).

    That's a good observation and a reasonable extrapolation from common sense. Allow me to pontificate a bit and, hopefully, illustrate.

    We had a flap in the newspapers here recently about a district attorney (in Brazoria county) who refused to prosecute some questionable cases. She caught hell from people who said "But you MUST prosecute! It's the law!"

    One of the most telling commentaries on the whole fiasco was a statement from a local organization, The Public Official Oversight Forum, that read, in part: "Her critics do not understand that 85 percent of the 2000 or so laws passed by our Legislature every session do not pass constitutional muster. No officer of this state has any kind of ridiculous 'duty' to enforce an unconstitutional law." (For the whole story, check the last few issues at www.houstonpress.com.)

    If something like this can make the mainstream press, please trust me when I say that we have such a law. It was even highlighted a few years ago when a "trap" car (I forget what they put in the front seat to make it so interesting to passers-by) was set up at a local beach and used by officers to establish probable cause for detaining people.

    One last note - Last time I checked (and I admit to being totally out of touch with state politics for many years), here in Texas we have a part-time legislature that meets for 140 days every 2 years. It's always been a political cliche that the people would be better served if they met for 2 days every 140 years...
  • I can understand an admin being a little annoyed by portscanning, but really nothing more. If an admin is so worried about a port scanning that he would go to the trouble of reporting it, then he probably isn't very confident in the security of his machines and maybe he should do a little more reading. If your house got broken into because you forgot to lock your front door you know the cop is thinking "Stupid people", and that's exactly what an employer would think if you left such a gaping hole in your machines.
  • Please let me know if you can think of any reason such activity would be legitimate.
    I have found a cool web site that I really like, www.satan.hell. Then, I ftp to the system and find a lot of cool h4x0r w4r3z and I download a bunch. Then, I think to myself, "Self, I wonder what other neato stuff is on this computer." So, I run a port scan and find a port that streams live pr0n to my player, so I get in some personal time. Now I have: 1)port scanned a host; 2)used the resulting information for a legit purpose; 3)and done some quality jerkin'. Hmmm, kinda sounds like a Friday night, huh?
  • Everyone has their own opinion of port scanning. My personal experience is, many times attacks come soon after a port scan. If I have a service that's available for public viewing, it will BE PUBLICIZED!

    As far as the jiggle the door handle analogy goes. Why would someone jiggle a door handle to see if it's open, unless they were planning on entering??!! If you don't have express consent to "peer in" from the owner, port scanning (or house peeping) is WRONG plain and simple.

    Can anyone here honestly say that they WOULD NOT be offended by a stranger peeking into their bedroom window??? It's not much different!!

    Come on people, it's wrong....and you know it!

  • You can't really compare port scanning with looking in someone's windows. That would make port 80 analogous to a window that the homeowner is inviting people to look into. How is the looker supposed to know which windows the owner would like looked into or not?

    Port scanning is more analogous to calling a repair shop and asking what services they will provide for your car.

    port open="Why yes, Mr. Cronack, we do change oil."
    port closed(or stealth)="Sorry, we don't do mufflers."
  • Cronack, I have to disagree with you there. If you want to know if you're allowed to look into someone's Port 80 window, fire up Netscape and type in the url or IP. If you REALLY MUST know anything about someone's network, email the admin, if he has services he wants you to know about, he will tell you.

    I think port scanning is more like going into an Autoshop and nosing around to see what equipment they have there, and then making a best guess as to what services they offer instead of asking. Asking gives the owner the OPTION of telling you what he thinks you should know.

    What if you walk into the shop and open the chief mechanic's toolbox, to see what's in it?? You think he would mind?? My dad is a mechanic, he doesn't even like ME to look in his toolbox. Is he hiding something...no. It's his property and if he wants me in it, he will tell me it's OK. Regards

  • What's wrong with walking along a corridor trying all the doors you see?
    There are two points here:
    1. Actually, nothing, especially when you know you're explicitly allowed to be in the corridor in the first place. What else would be the point of having corridors, or doors? However, note that I'm not talking about LANs and the Internet and the many varied ways people can receive the right to operate there, because...
    2. More importantly, port scanning is not trying doors, and a network is not a corridor. Just because those two abstractions happen to resemble each other in your banana-eating head doesn't mean they do or should have anything to do with each other in the real world. If you can't consider a question on its own terms without committing a logical fallacy and erroneously redefining it as something else you happen to like and be familiar with, refrain from comment on the damn thing.
  • Well, my post was kinda OT, but no problem - I'm not a karma whore, so I don't really care.

    Thanks to everyone who responded - right now I am running a Win95 box set up as a proxy/firewall server, using AnalogX proxy and ZoneAlarm for the FW (it's my GF's box, ok? I plan on doing a Linksys router/NAT combo soon anyhow). I probably wouldn't run a server on this box, due to security issues - heck, I am nervous about the proxy/FW combo I chose, but I needed something cheap, and they did the trick, plus they seemed to be pretty highly recommended, and easy to set up.

    Eventually I will move to the Linksys device (or set up an imasq Linux box, once I get the skills) - then I will think further about this server thing - however, the info you guys provided has eased my mind a bit. Thank you!
  • Only in Louisiana can you pull a gun to protect property; in every other state you have to have reasonable belief that your, or someone else's, life is endangered in order to use deadly force.
    • Someone stops me on the street, and says "Excuse me, do you know what the time is?"
    They are wasting my time.
    They are wasting my resources.
    • Someone scans my ports.
    They are wasting my bandwidth.
    They are wasting my resources.

    Should I be able to sue you for asking me what the time is?

    Your point is entirely correct, but I think putting up with things that are inconvenient to us is part of living in a liberal democracy.

  • Wow Logcheck is the reason I love open source... Cheers... it works for me and my customers ;-)
  • There is policy like this at EarthMindLinkSpring (wtfe) (not going to rant about local politics here..)

    Anyway, Earthspring's AUP prohibits portscanning and may even prevent the use of BO (which would also prohibit SMS and VNC, et al). When they brought this up in indoctrination, I freaked..
    It turns out that they selectively enforce this rule (and some others) to get spammers and kiddies, but I don't like having it there at all.

    There is something to the point that they can do whatever they want on their network, but it seems awfully restrictive when all a user buys from them is an IP and a mailbox ..
    (This is the dialup AUP, which applies to ADSL too)

    <ot rantlevel=moderate>
    Then again these are the same guys who (get this)
    shut off your email box when you go over their 5 meg quota .. causing all of your email, including their invoices(!) to bounce .. this of course means the bot that sends out invoices removes your address (it bounced, right?) and you don't get your bill ... not to mention getting kicked off every listserv you are on, etc
    </ot>

    anyway,
    adric at ccactus dot com (has almost finished paying off ELNK from that fiasco)
  • Here in Canada, port scanning is actually illegal - it's called "Theft of Computer Services"

    This makes perfect sense to me - the person doing the scanning is forcing *my* computer, that I own, to respond to their scans by updating my IPCHAINS rules to block them forever. I don't want to waste my processor time defending my system.

    Does anyone know if this is illegal in the US? If so, we should start nailing every script kiddie to the wall - that will teach them to "probe" me...
  • I think that portscanning is kinda like those annoying hangup phone calls - the ones that ring and ring until you pick up and say "hello". Then they hang up.

    Dang the telemarketers.

  • Pretty much wherever you go, ignorantia juris neminem excusat, I'm afraid. Everyone is presumed to know the law, except judges, who have the Court of Appeal to correct their mistakes. (This is a lawyer joke. And my colleagues wonder why they have no non-lawyer friends).

  • Time? I certainly have time to press "submit" and send the automated attack report when queried. No time issue here.

    And I've been party to a police investigation and cracker "takedown" once already. Rewarding and satisfying.

    Time?

    Now hiring experienced client- & server-side developers

  • by schon ( 31600 )
    The big question that determines whether portscanning is good or bad is the INTENT of the person performing it.

    Now, let's look at it from a sysadmin's perspective:

    Someone is scoping my system to see what I have available.

    They are doing this without invitation.

    They are doing this without telling me.

    Now, from MY point of view, this is cause for alarm. People here are saying "It's not that big a deal" - but it IS.

    There are two possibilities that are being tossed about here: someone is just doing it because they feel like it, and they have no ill intent.

    The other option is that it's someone scoping my network because they want to break in.

    Well, since I don't really KNOW what the intent of the person doing the scanning is, which one is the best to choose from?

    Pretty easy answer: If someone is scanning me, they want to break in, and I'll do whatever is necessary to stop them.


  • We notice portscans quite often, as we have
    boxes on most of our collision domains that
    detect such activity.

    But we do a tad more than "notice".

    The large majority of these port scans
    end abruptly when our machines respond with
    a series of well-known attacks, proving that
    the script kiddies can dish it out, but they
    can't take it.

    The small number of scans that continue after
    an automated response get exactly the sort of
    personal service and assistance they deserve.
    We do no permanent damage, but we do respond
    in a manner designed to both halt the packets
    and deliver a clear message.

    What's WRONG with portscanning? Nothing, as
    long as you portscan a network you OWN, where
    such activity may have value to as an admin.

    ...but don't portscan my networks.
    Ever.
    That's our job, and we don't need any "help".

    And what's wrong with our response to portscanning?

    Also nothing. We noticed unauthorized use of
    our expensive network resources, and halted it
    in the most humane manner possible.


  • This post sounds too uninformed to be anything other than a troll, but whatever.

    Why port scans are a Good Thing:
    If I'm going to do business/trust someone, I need to check the security of their boxen.

    I always run port scans on any "unknown" net company I'm dealing with. I once ran a port scan on a web hosting service a friend of mine was using, and it was wide open. He got a better provider, and my paranoia was further cultivated.

    I figure one of two things can happen from port-scanning someone who doesn't expect it:

    • They are incompetent, and their gaping security holes warn me away. Other net-savvy people follow this lead, and soon all such careless businesses die off. Bereft of such wide open targets, script K1dd3z give up on UNIX boxes and stick to windows, leaving the net a safer, happier place.

      Yeah, right.

    • They are not incompetent, and their box is sound. If my probing freaks out an already paranoid sys-admin, no harm is done, and they will be all the more likely to keep up to date on any security advisories. Thus prepared, they will be able to resist attacks from more malicious intruders, and the net will be a safer, happier place because of it.


    So I have to ask, if someone is a competent sys-admin, why be afraid of a portscan?
  • first off, i'd like to thank everyone for their replies. you've given us some issues to think about.

    now, if i may reply to a few ideas in the thread:

    re: analogies
    i have to agree with the poster who pointed out that we can analogy ourselves to death and never really accomplish anything. the Texas story about looking into cars made for interesting reading, though :).

    re: valid uses
    port scanning for the purposes of understanding the security of your box cannot be overrated. we've found lots of problems by playing with nmap (sendmail's listening on what port? portmap is still running on that debian machine?).

    but as someone else pointed out (i'm far too lazy to assign credit; my apologies), how about just for the purpose of pure learning? most of us grew up (or are still growing up) hacking on computers. if the Internet had been as widespread when i was 11 as it is now, i'm sure i would have done a good deal of exploration and learned a lot about networks by doing it. as it is, i'm still trying to learn more and more about network infrastructure and good sysadminning practices and the like. learning by example and experimentation are some of the best ways to learn. and for someone who had less guidance in system administration than i first did, it might be the only way to learn anything at all.

    how about port scanning as market research? not too long ago i used nmap on the primary webserver of a webspace provider my friends were thinking of using. the nmap showed me a default Redhat box, complete with telnet, linuxconf, lpd, and NFS running (and clearly not tcp wrappered or firewalled)! in this case, maybe i could have just asked the admin what she was running, but do you think she would have told me, even if she'd known? i'd wager she would have told me she was running apache and ColdFusion and whatever else she thought i might care directly about, but wouldn't feel the need to mention that her company used telnet for authentication. as it was, i strongly recommended my friends look elsewhere for a webspace company that had some competent sysadmins. unfortunately, my friends' webmaster thinks that ssh is only useful "if you run the government of a small nation," so my advice may go unheeded. and yes, i've tried edumakating this webmaster, but he's the one trying to write the site in ColdFusion, so...

    what about port scanning out of idle curiosity? what if i'm sitting in my dorm room and i want to know what kinds of boxes are plugged into the local network? nmapping the subnet tells you all kinds of neat stuff. this is not something i need to do for any reason, but i also don't really see the harm in it. i personally would inform people if i found insecure services on their boxen, but i realize this doesn't apply to everyone.

    what if i happen to go to a particular website a lot, and just sort of wonder what's kicking around under the hood? nmap slashdot.org and i now have more information than i did before. (slashdot might be a bad example since they publish most of their setup already, but this is all very pedantic anyway.) i'm well aware of what is said about curiosity and felines and grisly murder, but learning is nonetheless something i very much enjoy.

    the harsh reality
    this debate is very interesting, and i'm glad to have had it with a larger community than just my colleagues here. it seems that the comments are about evenly split between the "always bad" and "generally innocent" camps. the problem is that as long as there are "always bad" types out there, it will be hard for us not to have to deal with people who experiment with port scanners, because a complaint means someone has to look into it and deal with it. this means someone playing around and looking at stuff could generate a large amount of work for someone to deal with, which is bad, as all but a few of us are overworked students as it is (that is, all but a few of us are students; i'd wager that for all X where X is a student, X is overworked...but i digress).

    anyway, i see this as an unfortunate state of affairs. i don't like having to institute a policy i don't agree with, but, to quote Radiohead (though it is uttered ironically in "fitter happier"), "Pragmatism Not Idealism."

    hopefully this reply isn't too late to be viewed by a few of the discussion's participants. again, thanks for your thoughts.


    tyler

  • I've been portscanned numerous times on a cable modem connection - but in tracing the IP back to the ISP, I often find their AUP/TOS doesn't have a contact email for reporting such abuse.

    What does everyone use to reach a responsible human being at the portscanner's ISP? Is postmaster@isp.com acceptable in a case like this?

  • If port scanning is illegal, then if I put a web server up on my machine, and someone accesses it without my express permission, should they be guilty of a crime? Come on, if your OS and software provide crap security out of the box, take it up with the manufacturer. If you can't figure out how to deploy a secure server, don't run one. If you leave the door open while you go on vacation, are you really surprised when you return and find your TV gone and some bum camping in your living room? The internet is a hostile place, in a global context. Neither you, nor the US government can criminalise the act of requesting information from your computer any more than you can criminalise shark attacks. 'I didn't give that shark permission to bite my ass, let's drain the oceans just to be sure it doesn't happen again.' If you don't want requests being made to your IP address, unplug your machine from the internet. Your computer is constantly pinged and polled by your ISP to make sure you're still connected. Is that illegal? When you type a URL into your browser, should you be required to ensure you have the permission of the site you are trying to access first?? Give me a friggin break.
  • Port scanning isn't used by only those wearing black hats. It can be used for legitimate purposes by those other than admin. For example, let's say that I don't remember if a server that I have an account on offers IMAP, IMAP/SSL, POP3, etc. access, so instead of starting up Netscape Messenger and trying every possible combination, I just do a quick port scan and now I know which services are available. There's also the case of running something such as eggdrop on a shell and forgetting what port you set it for. I also use port scanning as a cracking deterrent. If I find someone scanning me (PortSentry is great for detecting this), I use nmap to scan them back just to let them know that I'm well aware of what they are doing. I don't do anything with the scan results, other than laugh at the fact that they're Windows boxes almost all of the time. I know that not everyone will notice my return scan, but some might and hopefully it'll discourage them from messing with my machine. And for those who are going to say "two wrongs don't make a right": well, this is the real world, not 3rd grade, and that kind of thinking won't get you anywhere.
  • As a consultant I deal with a number of companies on an ongoing basis. One of the things I do (& charge for) is help them develop policies.

    Recently scanning became an issue at one of my clients. They're a big firm that handles financial information online. They have a number of sub-companies all with different IS groups/policies.

    It turned out that they were getting hit by an extremely large number of probes by one of the local universities (and for this client to notice it's a LOT of probes.) A polite email was sent to the regular addresses requesting that the activity be halted. No response. As it continued a phone call was made - nobody at the school was willing to take the message. Ok. A letter was sent and they simply cut off the school's block of IP address from all access inbound & outbound.

    Two things happened. A few days later my client got a call from the school's Financial Dept - apparently they used some of client's services and after some confused research discovered that they couldn't access them and the trouble was at the financial services co's end. As the school was using free services my client simply responded (after running it past the appropriate depts.) that the school was being blocked - and why. Apparently this caused some internal reaction at the school.

    At the same time the client had some graduates of the school working for them, as well as a number of the faculty. They also discovered they couldn't access the school & vice-versa. This also caused a reaction and after some rumors and many calls to the internal support desk an email was sent out internally explaining why they were blocking access to the school. BTW all the while the probes were still getting worse and had they been getting through would have been starting to impact some services in a small way.

    Apparently someone finally mentioned this to the President of the school (likely over golf.) Apparently he didn't like the fact that my client was blocking his school, nor that they had notified their employees that they were doing so nor that the school had been portrayed as unresponsive (the company did have a receipt for the certified letter at this point & no one had ever returned any message.)

    Shortly thereafter the probes stopped abruptly. The client also got a couple of very nice letters from the school asking them to stop blocking them and implying the school would like them to let their employees know that the school wasn't a bunch of louts (not a rep. most schools want for their graduates apparently.) I also heard through the grapevine that some staff at the school got in some very hot water for neither overseeing the school's network activities nor for responding to complaints and their ensuing fallout.

    So - what are the results of probing others' sites? Well in this case a bad reputation & an upset school administration. There's also been a new set of policies put in place at the company regarding folks from the schools and the access they have to the systems. Essentially they're now almost a suspect class and a revaluation is taking place of giving these folks access to proprietary information the client has. This will of course limit exposure on the client's side but also unfortunately dramatically limit what the interns, co-ops & part-timers can do (& learn about) at the company.

    Finally there is still somewhat of a bad impression of the school for the whole thing. Indeed the school had been trying to get my client to buy into some net-based telecourses but my client's IS staff decided they simply didn't want to deal with the school's IS staff and kiboshed the idea (I believe it was 'bandwidth reliability concerns'.)

  • There isn't anything "private" about the locked or unlocked state of your car door as with many cars it can be ascertained just by looking, but if I'm at the shopping mall and I see a guy testing car door handles, I'm going to tell mall security.

    And what about the person trying keys in all those car doors? I doubt he's just checking to make sure no one else can get into them.

  • Personally, if there's someone peeking into my bedroom window, I'd be rather upset with myself that I didn't close the blinds.
  • And what's wrong with our response to portscanning?

    That you are most likely shooting down compromised systems? Contacting the admin would be more appropriate if you want the attacks to stop, instead of just throwing dirt around.

    Besides, an automated retaliation doesn't sound as satisfying as doing it manually. ;-)

  • The Public Official Oversight Forum

    Offtopic: What a bad choice, acronym wise...

    If something like this can make the mainstream press, please trust me when I say that we have such a law. It was even highlighted a few years ago when a "trap" car (I forget what they put in the front seat to make it so interesting to passers-by) was set up at a local beach and used by officers to establish probable cause for detaining people.

    Glad to see entrapment is still legal in some places. Not.

  • Of course the intelligent 1% look down on you flatlanders.
  • I used to watch a semi-major Internet site. We got tons and tons of scans against our web server. Soon I learned that at least one of the patterns seen *did* point to systems that were compromised. I likely would have never associated a scanning pattern as being related to a particular tool used on broken-into systems until I spotted an IP address from our hosting ISP scanning us. They quickly confirmed that that system I had seen was indeed compromised. I subsequently sent off a bunch of emails, some of which went to other quite significant players on the Internet that you would have never guessed would have poor security.

    Telling someone that their system is portscanning often is not a threat. In my case, I wanted to warn other admins that I thought their systems had problems. If I had chased every portscanner we got, I never would have had time for anything else.

  • hey to the Anonymous user thanks for the technical response. I did not feel like educating the particular responder regarding IPSpoofing as if they did not realise it then they might already be misusing it .. mistakenly . Still maybe a lesson in ping/pung/pang might be in order ;-)
  • So, even if you HAD closed your blind and caught someone on your property trying to peer in your bedroom window, because the blinds were drawn, that would be OK? Or would you still chase him off and/or call the police?? An uninvited guest has no business on your property even if you have it locked down tighter than Fort Knox. Right or wrong?
  • Couldn't have said it better myself......glad to see a similar point of view. :)
  • I think that is also true in Nevada.
