Secretive Company Scanning the Net 268
Zarf writes: "A start-up called Quova is pinging and tracerouting the entire Internet, causing firewalls and Intrusion Detection Systems to go crazy, and some security-types to get mad, according to this story at Security Focus. What's interesting is that the company won't say what they're doing with the information they're gathering, but records with the Patent and Trademark Office suggest it has something to do with selling "psychographic" information, i.e., matching advertisments to particular lifestyles and beliefs."
Re:So what's the problem? (Score:1)
if your so afraid then lock your system down to the point where they can't get in. Encrypt you sensitive data, etc.
Its not paranoia to object.. (Score:4)
Many folks have dismissed the concerns about Quova with comments along the lines of "Its just some paranoid sysadmins getting in a knot..." but it isnt paranoia. The usual precursor to an attack on any system is a ping sweep or portscan of your subnet looking for places there might be sploits, therefore its usual for these probes to set off alarms and usual for sysadmins to block them and bitch about them whenever they catch 'em.
I'm not paranoid but I know that by the time a vulnerability is analysed and patched its usually been in the hands of a couple of script kiddies for a while so as well as keeping up to date with my patches I make damn sure that my network gives out as little info as possible - I may have patched my bind but it is still configured not to tell anyone its version, just in case. If somebody is walking down the street jiggling doorknobs to see if they are unlocked, peering over every garden fence and through any windows they can reach how long do you let them do it before calling the cops? So what do you do if there aint no cops? At the very least if you lived on that street you'd want a decent door lock, heavy curtains and you'd warn your neighbors when you saw a total stranger wandering down the road like that. In some parts of town those neighbors might well grab that stranger and try to convince him not to come back...
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
Re:You ARE "worrysome" (Score:1)
Please, don't insult me in such a disgusting way.
I'm a physics major, and for all I care, the engineering dept. can get blown off the face of the earth by aliens;)
btw, secrecy is legal, protected under the consitution. they have the *right* to hide their intentions. as long as they don't break the law, it's none of our business. if that bothers you, stop using the net, it's one big anonymous underground
here's their blocks (Score:2)
Quova Inc. (NETBLK-UU-63-109-88-104) UU-63-109-88-104
63.109.88.104 - 63.109.88.111
Quova, Inc (NETBLK-UU-63-102-181) UU-63-102-181 63.102.181.0 - 63.102.181.255
and I put this in my linux 2.2 firewall script:
$IPCHAINS -A output -d 63.109.88.104/29 -j REJECT
$IPCHAINS -A output -d 63.102.181.0/24 -j REJECT
Have a nice day!
Re:I disagree (Score:1)
It is not even comparable. Someone pinging your system isn't going to open any door, regardless of your security. You're probably one of those people that compares downloading mp3s to stealing cars, aren't you?
Wow, we're paranoid! (Score:4)
I've dealt with some of this before. I used to run a web hosting company's network. As a result of us hosting 100s of websites (we were small - I hate to see what the big guys deal with), we would daily get pings, traceroutes, port scans, attempted attacks, DOS attacks, VRFY/EXPNs, telnets, etc. Now, note that we only provided four services: WWW, FrontPage, FTP, and mail.
If I even looked at all the logs for these "attacks", I would not be doing my job! I can hear it now, "He wasn't doing his job; he wasn't being alert about his systems." No, I disagree. I would get litterally hundreds of these "attacks" daily, and only a couple DOS attacks a month would be "serious" enough to disrupt things (and very mildly, I'll add). Yes, I noticed things that affected our customers. But, I didn't care about the rest of the $#@^! After all, if they got in, the logs would no longer exist. If they didn't, it is kind of pointless to look at logs for attacks that failed.
I have to wonder what the people complaining about this do for a living. Obviously, they can't be complaining about a ping scan of a significant network, for they wouldn't have time to do that!
As for the "ping is dangerous" theory, yes it is used sometimes by crackers. But, I bet that I could send your system an IP fragment and determine if it existed or not. I could even traceroute with it. Chances are, even if your system is behind a packet filter (vs. a real firewall), I would *STILL* be able to map your topography! It wouldn't show up on your filters, either. Do we really believe that our network design is so unusual and important that we need to protect it using "closed source" methods?
Personally, I don't care if you look at my network. $#@^ with it, however, by causing DOS or breaking in, and you can bet that I'll call the FBI. Before then, though, because of the state of the Internet, I'm going to ignore you. I have no time to investigate every hacker coming through a chain of 10 trojaned Windoze boxes.
Or you could just call the founders and ask... (Score:1)
There is one R. Bhargava listed in the state of CA and he lives in San Jose:
408-985-0603
One Andrew Sack in Redlands, CA:
909-335-9574 and 909-792-0080 (Modem or Fax on 2nd number???)
Return the favor... (Score:1)
Personal port scan, huh? (Score:1)
hmmm... let's see...
Looks like the well-known vulnerability "mouth" is open. This port should be blocked or bacteria, viruses and "poison" trojan horses may enter, denying service to such vital daemons as "heart", "brain", and "liver".
The "nose" port is open - this port should usually be left open for oxygen filtering purposes. If "nose" becomes blocked or firewalled, "mouth" may be used as a substitute.
"ear" is open. This port is necessary for audial input. If an overload of audio is expected, the common firewalling solution "earplugs" may be utilized to block DOS attacks which can result in disruption of services like "eardrum".
Hmmm - I think I should let Jerry know he should install a firewall.
Re:Sinister? (Score:1)
> possible IP addresses [...] 34 years of scanning
34 years with 1 machine. 17 with 2. 0.68 years with 50 machines, which im sure this company can afford, seeing as a perfectly suitable x86 clone goes for about $400 now.
Re:Misleading Figues (Score:2)
So what's the problem? (Score:5)
If you don't want companies like this to see it, lock it down. It's not hard.
-carl
And? (Score:2)
--
Re:Wow, we're paranoid! (Score:2)
True points, but there's one difference. You're talking about, most likely, pings of specific hosts, or VRFYs of specific e-mail addresses. No, those aren't enough to raise flags. But Quova is running scans of entire networks. Repeated pings through your entire address space, or repeated VRFYs scanning all possible mail addresses, are just a little more alarming than individual ones. And the fact that they want to do their scans without alerting me to the fact that they're scanning is even more alarming. That they want to scan is bad enough, but why do they want me not knowing they're scanning?
Now what the .. (Score:2)
Re:I disagree (Score:3)
I don't really think that those two are comperable. Ping tells you almost nothing. It gives no information about level of security (except "not blocking ping packets"), and there is no implication that someone would "come in" if the door was unlocked. Ping checks if something exists or is alive; it's information that anyone could get by a lot of methods, and this is probably the most "polite" one. It isn't someone jiggling a door, by telnetting into another port and playing patty-cake with your daemons; it's someone looking at the sign on the door that says "The doctor is not dead".
No harm, no foul.
"Sweet creeping zombie Jesus!"
Re:Better than doing a port scan on my person. (Score:2)
Would you object if someone came along and started rubbing your windscreen, out of nowhere? *Precisely* the same analogy. You got no business touching my car, you get lost off my front-facing webservers too, thank you very much
~Tim
--
Misleading Figues (Score:5)
Yes, but it's possible many others didn't detect it and would have complained if they knew about it. Look at the last quote:
"...To that end, the company is working to refine its technique, so as to fly stealthily beneath the radar of firewalls and intrusion detection systems. "It's a goal we have," says Muniz. "Someday I'd like to get the system to the point where we don't set off anybody's alarms."
They don't care about the people or their complaints; they just care about getting caught.
Being with you, it's just one epiphany after another
IP Address Ranges (Score:2)
63.109.88.104 - 63.109.88.111
63.102.181.0 - 63.102.181.255
Re:I disagree (Score:3)
Babykong dun said:
Actually, this can vary from not only state to state but from county to county and even city to city or township to township.
Most notably, here in Kentucky if anyone goes knocking on all the doors in an area where it is marked "POSTED NO TRESSPASSING" (yes, there is actually a legal status to a "posted" No Tresspassing sign--you actually register it with the county courthouse) or in areas with "No Soliciting" ordinances, they can quickly find themselves taken to the county jail and charged with tresspassing. Yes, this even applies to Girl Scouts/Girl Guides, Jehovah's Witnesses, those annoying folks selling magazines, etc. Literally the ONLY things that "No Soliciting" ordinances don't cover are census workers and police with warrants; I'm not entirely sure that even census workers are allowed on posted property (I think they may have to actually get police escort or a warrant to perform census to legally go on the land without permission of the landowner).
For the record, yes, I not only am part owner of property that is "posted" but live in an apartment complex with a "No Soliciting" rule. Yes, I do have people removed who are tresspassing and/or soliciting without my permission (as it is, in my area the Girl Scouts generally don't go door-to-door both out of safety concerns and because a lot of apartments and even entire communities have "No Soliciting" ordinances--they sell outside grocery stores and to family members and friends of family). :)=
Saw them, warned them,... (Score:2)
I don't think they believed me.
I passed on the job for other reasons, and unless they've gone off into a wildly different direction in the past 6 months or so they really do need a lot of data and they really are attempting to extract innoculuous information. But I can't talk about it, sorry!
Quova Website (Score:2)
Just a note,
I've been in contact with Digiweb (an Interliant company).
Just FYI, the scans are not coming from them. Their website is simply hosted there. But in response and to avoid security "problems", the site has been taken down. Gotta love security precautions
So for now, at least they can't spread anymore of their corporate mumbo jumbo
Also it appears the DNS is in the process of changing. We're seeing odd IP changes here (I'm right off the Digiweb network) so it appears they are moving the site.
Any info on the source of the IP scans would be appreciated.
Anybody wanna start a pool... (Score:2)
Re:Are networks private property? (Score:2)
But it leaves me wondering about those roads with no gate, but the sign, "Private Road - no tresspassing" on them. They don't receive town snowplowing, and are usually (though not always) unpaved.
What's the net analog to Private Roads?
This discussion makes me wonder if their "No Tresspassing" is as toothy as a pre-UCITA shrink-wrap license.
My opinion (Score:2)
The solution is simple - ping em back. (Score:3)
Everybody ping them back and run traceroutes to their systems.
Go on, ping www.quova.com today.
Re:So what's the problem? (Score:2)
sure, no problem. everyone on
Re:Now what the .. (Score:3)
Where ping fits in, I dunno, other than perhaps it provides the IP addresses for traceroute to digest. And there is useful information in being able to ping a machine and identify that it's still online in the dead of night: that implies it's a full-time connection, which means you're a cut above the average dial-up user.
Here's how ping fits in
A traceroute is a number of pings. Here is how it works:
Each ICMP packet is sent out with a "Time-To-Live" (TTL), as the packet passes each router the TTL is reduced by one, when the TTL reaches zero the ICMP-echo packet is returned to the source IP with TTL expired.
When doing a traceroute the source IP sends out a "ping" (ICMP-echo) packet with a TTL of 1, the TTL expires at the first hop and you get the reply "Reply from router.at.hop.1: TTL expired" then it sends out a ping to the same address with a TTL of 2, it passes the first host (usually router.at.hop.1) and gets to "router.at.hop.2" where, once again the TTL expires and the echo gets sent back with "Reply from router.at.hop.2: TTL expired" this goes on until the destination IP is reached or some other thing happens ("Network Unreachable" for instance)
That is how traceroute works. It is just a load of pings.
Aside: TTL wasn't designed for traceroute - it's main use is to prevent packets entering cyclic routes and taking up enormous bandwidths ad infinitum.
Hope this is informative to you.
Re:I disagree (Score:2)
As long as the ICMP packets are normal and not maliciously malformed so as to either do a DOS or get more information than ICMP was designed to give. Then I don't have a problem with it.
That is why I have a network inside my firewall which you can't ping, and a network outside my firewall, provided by my company for public access, which you can ping.
Hosts on the Internet are there for public access, the internet is a public place. Use of these tools is designed to improove that access which is apparently what this company is trying to do.
ON THE OTHER HAND.
Might be fun to play with a gentle (not a DOS, throttle it back a little) Nmap scan on THEIR network. Since they are in stealth mode, they can't complain very loud
Re:I disagree (Score:2)
Well, if you get a ping back, you know they're "not blocking ping packets" ; )
But your point is definately valid; from the standpoint of ping (or traceroute), there's no difference between a system that is blocking certain packets and one that has bought the farm. You're probably right that that information can be extracted somehow, but it would take more work. And it reinforces the idea that the threat posed by these guys pinging and tracerouting random systems poses roughly as much danger as a wrong number on the telephone ("Some stranger knows my phone number works! Run!").
"Sweet creeping zombie Jesus!"
Re:where they're operating out of... (Score:3)
Why I followup portscans (Score:2)
Ryan
Who cares (Score:2)
The fears of malicious intent are also blown way out of proportion. People have said if they dont have any ill-intent why are they doing it so secretely. Read these post, its fairly obviously, because you get lots of idiots that get all paranoid about people portscanning them. Doing it secretely possibly reduces the amount of people who go crazy because they think they are under attack.
Thier are alot of legitamate uses for this data. For one, internet topology maps. There are multiple internet mapping websites that scan the internet and creat a graphs and maps of the data they find. Statistics are vary valuable, and it helps governments and companies to make descisions based on internet usage in certain areas. Two, like mentioned before, they could possible using the information to find geographic locations with high latency. With this information companies can best locate servers to provide the fastest speed to their customers.
Basically everyone needs to loosen up. IF they were running a vunerability scan on your network, that is one thing to get upset about. That is still perfectly legal, and they could do that if they wish. But they are not, they are traceroute and portscanning.
They won't be scanning EVERYONE (Score:3)
i just added their IP address range as a DROP rule to my company's ipchains configuration. we can no longer view their web page, and they can no longer ping or traceroute us. we will appear dead to them.
i encourage the rest of you to do the same until we know what happens to this information. remember, the human genome is patented (by the company across the street from me, celera!) so i'm pretty sure the "web genome" or "web topology" could be patented too... think about it...
interesting... (Score:2)
"You must be a professional and able to communicate on all levels of business. Technical skills are Internet and RDBMS technologies, including XML, C++, UNIX, client-server applications, RDBMS applications, middleware applications, and 3-tiered architectures. Experience with schema design and deployment, application development, and database tuning desired, in an Oracle 8 and Oracle 8i environment. "
I don't like the sound of them operating in "stealth mode". Their could be some privacy issues that they might be violating. I wonder what they do when they don't find a firewall or other security protection. I think they need to come clean sooner rather than later.
Another possibilty is they may be trying to map the most efficient ways to get from point a to point b at certain times. The way it is described, it seems that this could be used to build a map of the web itself. I don't know what they would use it for. If you put all the information you'd get from this into a database, you can easily start to analise the patterns.
Either way, I don't like it. I won't like it until they come clean. Maybe this is another Microsoft company try to get info on us.
Re:Security survey? (Score:2)
Re:And? (Score:2)
That's great! I believe in the tooth fairy. ;)
But seriously folks, scanning a network should not be invasive. If you're running services that give you cause to worry -- turn them off! Making comparisons to jiggling the door knob is well and good, but it's a just a comparison -- doors and services are two totally seperate things and I just don't see how the analogy applies.
Scanning someone might be rude, but it's not invasive. Invasive is someone hAx0ring your boxen and replacing login. ;)
Security survey? (Score:5)
Something like a year or two ago something really similar was done. A group of people had gotten together and decided to survey the 'net on security. They did this, as I recall, by doing your standard ping/traceroute/portscan for just about anything. IIRC, they also 'tested' to see if the then 10 most common exploits were vulnerable.
Two interesting things came about from this. One, of course, was the results. Only something in the vicinity of 12% of their search space was 'secure' by their tests. .com's and .gov's were the most vulnerable, as well.
The second was the people they pissed off. Scr1pt K1dd13s DoS'd once or twice. Some network admins sent and e-mail asking why portscans had come from that domain. Others threatened legal action and had 'sent logs to the FBI.' And then there was this one guy... I can't even do him justice, but in .7 seconds he'd fscked their systems like you wouldn't believe.
Anyway, it wouldn't surprise me to find that something similar was happening again. I've got no problems with my box being probed. Honestly, if you freak at a portscan, you're a liittle paranoid.
Oh, and hey... some karma whore go dig that link up. May very well have been from this site ;)
Pinging and tracerouting ... (Score:2)
In fact I am writing my master thesis about something similar right now, but active network probes (like traceroute) consume too much bandwith to be usefull in performance monitoring
A strange Thing is, that they only traceroute from their hosts. IIRC I read some paper (about 2-3 years old) that stated that they used about 120 public traceroute servers
Samba Information HQ
Running in stealth mode? (Score:2)
Conceivably, isn't that *also* the same goal any well educated cracker/hacker has? Not that I know, since I am neither, but being able to observe without arousing suspicion is pretty important, isn't it?
In which case, wouldn't the goal of security experts be to be better able to discriminate between a dangerous scan and a harmless inquery? So unless Quova has a clearly nondangerous fingerprint, won't they always be triggering alarms as hacks/cracks start using similar techniques?
-AS
Sinister? (Score:3)
I find it disturbing that this is one of Quova's goals, coupled with the fact that they won't reveal what their service is. Does he mean that his goal is to hit servers across the Internet without being detected?
Scary.
Re:Misleading Figues (Score:2)
I disagree. If they're trying to get _behind_ the firewall, then they are de facto trying to make the firewall transparent to their scan. I guess it depends on how you interpret "fly stealthily beneath the radar of firewalls and intrusion detection systems." I say that means they're planning on getting behind firewalls.
Good distinction, though. It's an important one.
Re:Now what the .. (Score:2)
Quova Lying to the PTO? (Score:2)
SecurityFocus notes that the Quova service mark is registered at the USPTO for "providing demographic, geographic and psychographic information to others."
SecurityFocus also paraphrases Quova CEO Bhargava as asserting that the "service mark description is a broad category crafted by company attorneys, and has little to do with Quova's business plan."
Registering a mark whose service description exceeds the actual services provided can result in that mark being invalidated by the PTO. In other words, it's illegal.
Sounds to me like Quova is being disingenuous here, at best, and trying to pass it off as an inevitable result of their secrecy or their lawyers' overreaching. I'm not buying it.
So? (Score:3)
It's a free country, internet, whatever. Of course people will find bigger and better ways to do "market research". It's all part of the game. I'm a lot less worrysome about some advert company spying on me than the FBI, Uncle Sam, etc. Companies are more concerned with making money from you than censoring and opressing you...
The information is public until... (Score:4)
Btw, does anybody know Quova's IP address range, so that we know what to block?
Re:The information is public until... (Score:4)
Concentric Network Corporation (NET-CNCX-BLK-5)
1400 Parkmoor Avenue
San Jose, CA 95126-3429
US
Netname: CNCX-BLK-5
Netblock: 208.36.0.0 - 208.37.255.255
Maintainer: CNCX
Coordinator:
DNS and IP ADMIN (DIA-ORG-ARIN) hostmaster@CONCENTRIC.NET
(408) 817-2800
Fax- - - (408) 817-2630
Domain System inverse mapping provided by:
NAMESERVER1.CONCENTRIC.NET 207.155.183.73
NAMESERVER2.CONCENTRIC.NET 207.155.184.72
NAMESERVER3.CONCENTRIC.NET 206.173.119.72
NAMESERVER.CONCENTRIC.NET 207.155.183.72
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
*RWHOIS information on assignments from this
*block available from: rwhois.concentric.net 4321
Record last updated on 21-Jan-2000.
Database last updated on 7-Jul-2000 06:54:50 EDT.
So there you have it: 208.36.0.0 - 208.37.255.255
Re:where they're operating out of... (Score:5)
Nessus Scan Report
Number of hosts which were alive during the test : 1
Number of security holes found : 5
Number of security warnings found : 1
Number of security notes found : 2
List of the tested hosts :
[ Back to the top ] [slashdot.org] 205.177.226.233 :
List of open ports :
[ back to the list of ports ] [slashdot.org]
Vulnerability found on port www (80/tcp)
as a CGI. This is like giving a free shell to anyone, with the
http server privileges (root or nobody).
Solution : remove it from
Risk factor : Serious
CVE : CAN-1999-0509 [nessus.org]
Vulnerability found on port www (80/tcp)
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).
Solution : remove it from
Risk factor : Serious
CVE : CVE-1999-0260 [nessus.org]
Vulnerability found on port www (80/tcp)
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).
Note that we could not actually check for the presence
of this vulnerability, so you may be using a patched
version.
Solution : remove it from
Risk factor : Serious
CVE : CVE-1999-0147 [nessus.org]
Vulnerability found on port www (80/tcp)
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).
Solution : remove it from
Risk factor : Serious
CVE : CVE-1999-0021 [nessus.org]
Vulnerability found on port www (80/tcp)
a well known security flaw that lets anyone execute arbitrary
commands with the privileges of the http daemon (root or nobody).
Solution : remove it from
Risk factor : Serious
Warning found on port www (80/tcp)
The 'finger' cgi is installed. It is usually
/cgi-bin.
not a good idea to have such a service installed, since
it usually gives more troubles than anything else.
Double check that you really want to have this
service installed.
Solution : remove it from
Risk factor : Serious
CVE : CAN-1999-0197 [nessus.org]
Information found on port www (80/tcp)
The remote web server type is :
Apache/1.3.12 (Unix) PHP/4.0.0 FrontPage/4.0.4.3
We recommend that you configure your web server to return
bogus versions, so that it makes the cracker job more difficult
Information found on port general/udp
For your information, here is the traceroute to 205.177.226.233 :
?
Network maps != psychographics (Score:2)
Gotta love our ultra-paranoid online culture, eh?
My point: what do pings and traceroutes have to do with psychographics or even demographics for that matter -- Let them draw their network maps and conclusions. Whatever.
On a side note, my firewall has been blocking some NetBIOS attempts over the last few days...--
A little more info on 'Quova' (Score:5)
A little more info (at this stage) on 'Quova' from the description of an opening they had for a Senior Network Developer :
http://www.e-oasis.com/rmiug-jobs/1223. html [e-oasis.com]
cheers
front
I have a solution (Score:4)
echo 1 > proc/sys/net/ipv4/icmp_echo_ignore_all
Now add this line to your rc.local file, so when you have ever have to reboot your system, you won't have to remember to do it. This line make it so your system will not respond to ICMP packets, meaning ping and traceroute. I don't know if Windows has a similar feature or not.
---------------------------------------------
Jesus died for somebodies sins, but not mine
Re:I disagree (Score:2)
"Sweet creeping zombie Jesus!"
Information from a ping/traceroute? (Score:2)
As for the stealth part, though, I don't quite see how they'll ``fly stealthily beneath the radar of firewalls and intrusion detection systems'' unless they have some truly `1337 TCP/IP h4x0rs at their site. :-)
-pf
When Freedom Becomes Abuse (Score:2)
This is VERY different from the sorts of freedoms technophiles, hobbyist security gurus, geeks and Random Users expect, where the emphasis is on learning, experimenting and developing, not profiling and advertising.
But how to prohibit one and not the other?
It's a conspiracy! (Score:2)
They're just a cover company for the script kiddies. [slashdot.org]
Census workers (Score:3)
Census workers, by federal law, are given the right to canvas all residences, including those that are officially "posted". Their Census ID badge serves as their warrant for that purpose. This law is authorized by the Constitution, which provides that a census shall be taken of all residences every 10 years. It's one of the few laws passed over the past 200 years which does abide by the Constitution :-}.
However, you are correct that there are some residences where census workers will not go without a police escort. Specifically, those where the resident's reaction to the census worker was to poke the barrel of a gun out the door! Our instructions when such things happened was to get the bleep out of there, and turn it over to a supervisor, who would probably give it to a cop who would go out there and give the guy a nice little talking-to about the inadvisability of brandishing guns at census workers. If we could talk to a neighbor and get the information, great. If not, then the next step was the supervisor and a cop going to the guy's house to politely question him about who was living in his house on Census day.
-E
Re:Sinister? No, fool! (Score:2)
Re:Information from a ping/traceroute? (Score:2)
don't worry about it (Score:3)
Doesn't Akamai do geographic id'ing already? (Score:2)
Re:Yanno... (Score:2)
This shows my second point: not everyone is likely to respond to pings. We linux users don't *have* to respond to pings either.
I also totally fail to see how RTTs give demographic data anyway.
~Tim
--
Re:Security survey? (Score:2)
He was some major security buff who just happened to maintain this mud server
Perhaps he was a buff, but he certainly didn't know what he was doing. LOL, good story. Unless they're stuck on a dialup connection, getting scanned hardly constitutes a denial of service attack. Running "nmap -sS" against 1024 ports will send exactly 1024 SYN packets (plus a RST to the ports which replied), so if you assume, say, 32 bits per packet and 0% loss, that scan will throw at most a whopping 12k of data transfer. Sheesh.
I think it's scary that any random sysadmin could write your ISP and get them to shut down your account over some perceived slight. Anybody else smell a social engineering exploit?
Re:Security survey? (Score:5)
Your friendly karma whore,
--
-jacob
Paranoia run rampant (Score:4)
Yes, running a portscan of a host is a lot like checking to see if any windows or doors are unlocked. However, pinging hosts is not like trying doors. It's not even like knocking on doors. It like driving down a street and taking note of which lots have houses on them. Having somebody ping your host has zero negative impact on your performance, and the only security related information it reveals is whether or not the address is in use at all.
Traceroute is the same way. It's not revealing anything personal, private, or security related to the person running traceroute. It's most akin to somebody driving around your neighborhood building a map of the streets. Thank god the paranoids around here aren't making up the laws in meat space. They would make it illegal to drive into a neighborhood and even look at the houses without being escorted by a resident. After all, if a person doesn't live in your neighborhood, they don't have any business there, right? And everyone knows that criminals drive around looking at the houses trying to figure out which one to rob, right? So lets make it illegal to drive thru any neighborhood without the permission of the residents. Never mind that on the Internet, there is no zoning and there is no way to distinguish "residential" addresses from "business" addresses.
And I could care less if some of you get paged when these folks ping your network. That's your problem, that you let something this innocuous interrupt your life. You could have your pager go off every time time_t takes on a prime value, also. That doesn't make prime numbers evil.
Similar To Ebay's Complaint About Metasearch (Score:2)
<offtopic>It is odd that a company officer would so completely contradict the statement concerning the company's mission. If the company is causing all of these problems without even being certain of its own function, let alone business plan, then how the f*** were they able to get funded?</offtopic>
Re:Security survey? (Score:3)
That's okay, because nobody asked for your permission anyway. I can understand why one would be nervous about getting scanned, but if your system is secure [openbsd.org], you have nothing to fear.
Anyhow, there's a legend about Werner Von Braun at NASA that goes like this: In the early days of the space program, Von Braun was in charge of the facilities at the Redstone Arsenal in Huntsville Alabama. They needed to build a large neutral bouyance tank to simulate weightlessness, so they just built one. Later when government officials were visiting, they saw the large tank and were upset that Von Braun never went through any red tape in Washington to get an official budget to build the tank.
<feds>: We never gave you permission to build the neutral buoancy tank! ;)
<VonBraun>: That's OK, I never asked
Re:Information from a ping/traceroute? (Score:2)
Re:And? (Score:2)
-------
Internet Traffic Report? (Score:2)
Here's a thought about what they're doing. They're pinging and tracerouting to record latencies and packet loss broken down by geographical area and service provider. I know, I know this changes day by day if not hour by bour, but there are persistent trends. So, they might be compiling quality metrics for Internet service in your neighborhood. That would be a very valuable dataset to businesses of all sizes.
Re:Now what the .. (Score:5)
Based on the senior engineer job posting that someone else mentioned, some of the discussion here and a bit of creative thinking, here's what I believe they are doing:
They are developing localized web advertising. They are working to resolve IP addresses to physical locations: cities and neighbourhoods.
Once they've built a map that translates virtual space to realspace, they can sell advertising services that are far more effective.
Your local retailers, for instance, can advertise to you. Just like they do in your newspaper, only in banner format.
Further, they will be able to target your demographic specifically. Some neighbourhoods are richer than others. No point in selling you McDonald's advertising if you're of La Maison Rouge quality.
The traceroute information is a useful tool in narrowing the location. Plot a traceroute on a map, and you'll intuitively start guessing what part of the country it's going to end up in. At some point it resolves to your local ISP, which gives them your county or city.
Where ping fits in, I dunno, other than perhaps it provides the IP addresses for traceroute to digest. And there is useful information in being able to ping a machine and identify that it's still online in the dead of night: that implies it's a full-time connection, which means you're a cut above the average dial-up user.
What we'd all better hope is that there's no way for them to patent the map. Doing so would be the equivalent of having the patent for the map of all the roads in the country.
ooooh... and tie the IP addresses to DoubleClick's personal database, and they'll be able to do targeted snailmail advertising. If you've got a fulltime connect, your IP is as good as your street address. If you're dialup, the number is shared with others in your locale... but all of you are a distinctly different demographic than the population that doesn't access the Internet.
And, tied to the DC's database, they can really get into the psychographic stuff. "This IP reads a lot of pr0n; this one is a snowboarding junkie; here's one that's been researching home decorating..."
I'm more and more positive that this is their goal!
--
Re:Sinister? (Score:2)
Funny, I get a warning on my logs whenever my router gets a packet that's not a reply to a packet that came from inside the network. How are they going to do this without setting off any alarms?
Secondly, there are 2^8*2^8*2^8*2*8=2^32 possible IP addresses - how are they going to hit them all in any possible sort of time? Even if only half those are taken up, that's still 2^31 IP addresses! If it takes a half-a-second to verify that an IP address is valid and traceroute it (very low, considering the time of a traceroute), that's 2^30 seconds==34 years of scanning!
nervous? (Score:2)
Now, they say they are pinging and tracerouting. According to the article no one is complaining that Quova is portscanning or attempting connections. They haven't even started trying for reasonable connections like having a web browser attempt to get index.html via port 80 from IP addresses they've verified. So, at most what they have is a semi-accurate picture of which addresses have working machines connected to them (successful pings) and which IPs are wired to which other IPs (traceroute)--and based on ping times they might get a sense of where small pipes and/or congestion occur. The only thing that's annoying about this so far is that they are keeping this publicly available information to themselves in its compiled form. Any one of us could write simple Perl scripts that hook into a SQL db to record the same or similar information. Why I would care or who I could possibly sell this information to is beyond me, though.
If they were portscanning machines, they would be stretching the boundaries of courtesy, but they have still done little more than add information to their map of the network. Whether you've advertised the existence of your "private" ftp or apache server is irrelevant, especially since these guys don't appear to be planning anything harmful, perhaps immoral, but not harmful. If you are concerned about regular, non-damaging network traffic to your machine, either build different firewall rules or pull the plug.
Disclaimer: IANAPornStar or RealGeek and if I actually know what I'm talking about it's coincidence. These opinions are for entertainment purposes only.
Re:So what's the problem? (Score:2)
Psychographic (the word) is a combination of Psychology and Demographic. Basically it's an analysis of what you've shown a preference for in the past. For instance, a psychographic profile that shows a predilection for 'Herb Alpert and the Tijuana Brass' could be used to determine that you might also like the 'Baja Marimba Brass'. This is a somewhat simplified explanation.
Re:Sinister? (Score:2)
This number can be reduced somewhat because there is knowledge of subnetting and so on. What is interesting is that Quova could take a lead position, because it will build maps, data and correlations which are largely stationary over time. For instance, a large domain will remain 'relatively' static and does not need to be revisited with a high frequency.
Kind of like someone trying to get into the search engine business: they need to allow for the bootstrapping period to scan the net before the large databases are built, and once the databases are built, they can exploit caching, compression and other information optimisation techniques to maintain leadership over peers.
Re:Misleading Figues (Score:2)
I agree with the other poster, these people are basically script kiddies. I hope they don't map the UK internet topology, that information is the property of the companies that set it up, and would be covered by the Data Protection Act 1998. Possibly.
And I don't get how this information would help them do what their aim is?
Re:Psycographics (Score:2)
No, it's from looking at old Jimi Hendrix posters. You know, the ones with fuzzy day-glo appliques that seem to undulate under a black light.
Data vs. Information (Score:2)
It appears that somebody thinks they have found a way to juxtapose relatively innocuous data about network topology with some other data to create what for them is useful information, such as: Joe likes to look at pr0n; Joe likes to look at pr0n at work; Joe likes to look at pro0n at work through the company firewall.
Re:Misleading Figues (Score:3)
There has been a lot of traffic on the SecurityFocus mailing lists over the last couple of weeks about Quova. Many people are upset with them because they see port scans and ping scans as the equivalent of casing a building for break in. There is nothing strictly illegal about rattling doorknobs, but you can imagine that it will not win you any favor with your neighbors.
By the way, I heard Cheswick speak a couple of years ago at a SANS conference. He was one of the most widely knowledgable and overall brilliant speakers I have ever heard. He's a cool guy and definitely *not* in the same league as Quova.
Yea and...? (Score:2)
I always think its funny when some loser admin sends us an email saying a host on our network "Attacked" his box and to prove it shows a log saying he was port scanned.
Oh the horrors, a port scan! My god! What will they do next? Traceroute? telnet to it and read the banners to see what its running?
Of course...many of these people run chocolate^H^H^H^H^H^H^H^H^HFire Walls, so I can see why they might have some pretty silly notions of what an attack is....
Re:Security survey? (Score:3)
I do a lot of mud hacking, I love muds. A friend of mines mud runs at xyz.com
It is a mud hosting service so as you can guess they have multiple muds running on their site. I downloaded nmap and was learning to use it. So I scanned 1-1024 ports first I think that is the default not sure.
Anyways I did it again and let it go 1-10000 to find most any mud on their, I can give a crap about any of their other services I think using exploits on peoples systems is just so lame but I digress from my story
He had port sentry setup and it detected nmap as a DoS attack from the type of packets it was using. Ugh I cant remember the word for them, Im losing it. Anyways Port sentry shut down their ROUTER!!!!
They emailed my ISP and my ISP shut down my account with them! I was livid.
No You dont have business port scanning but I mean come on!!SOOOOO
I log onto the net with another account and I send him my phone # and tell him to call me.
I have a little chat with him established my intentions and hes all talking if it happens again they are pressing charges because they have it set up so that it detects this as a DoS and just freaking locks downt he router and ALL their systems hardcore. I felt this was a bit paranoid but I was not certain of my rights and if I indeed was violating any laws, he believed I was. He was some major security buff who just happened to maintain this mud server.
Ahhhh. I just found the entire thing a bit hmmmn.. interesting. So he calls my ISP up says the issue is resolved and my account is restored.
Hmmmn?
Jeremy
Me have started to think (Score:4)
Thus it is plain, the dumbest thing we ever did was to tell the idiots about the internet !!!
Re:I wonder what OS they're using. (Score:2)
How should one go about mapping the net? (Score:2)
But on a different note: how should one go about network mapping? Try using UDP or ICMP traceroute to anywhere and you can look forward to a flood of complaints to your ISP about 'hack attempts' as people interpret your actions as inbound scans (and UDP traceroute can look a lot like a straight scan of high UDP ports).
It isn't practical to contact every sys/network admin along the route -- remember you don't know what the routes are until you've mapped them. Even if you could, there are two problems: it's just your word you aren't doing anything nefarious; it's still going to set off a lot of intrusion detection systems, and why should anyone switch an IDS off just to avoid false alarms from your network mapping?
Some network maps are available, but they aren't necessarily useful (they don't typically include BGP parameter and ACLs or equivalent for all boxes en route).
So my question is: is it possible to map the network in an 'ethical' fashion that's still practical?
Re:Now what the .. (Score:2)
Lifestyle of 209.165.23.3: Preliminary Report
Recommended Action:
Further study is recommended, perhaps with an attempt to follow and study some of the close associates of the subject, namely 209.143.25.4 and 208.132.43.31.
Secretive Company Scanningthe Net? Nah... (Score:5)
...someone just typed by accident:
root@quova:~$ ping *.*.*.*
root@quova:~$ traceroute *.*.*.*
--
where they're operating out of... (Score:5)
whois -h whois.networksolutions.com quova.net
Registrant:
David Naffziger (QUOVA2-DOM)
333 W Evelyn
Mountain View, CA 94043
US
Domain Name: QUOVA.NET
Administrative Contact, Technical Contact, Zone Contact:
hostmaster (HO8675-ORG) hostmaster@QUOVA.COM
Quova, Inc.
333 W. Evelyn Ave.
Mountain View , CA 94043
US
(650) 962-2933
Fax- (650) 962-2025
Billing Contact:
billing (BI4691-ORG) billing@QUOVA.COM
Quova, Inc.
333 W. Evelyn Ave.
Mountain View , CA 94043
US
(650) 962-2933
Fax- (650) 962-2025
Record last updated on 23-May-2000.
Record expires on 16-Nov-2001.
Record created on 16-Nov-1999.
Database last updated on 6-Jul-2000 18:55:18 EDT.
Domain servers in listed order:
NS1.QUOVA.COM 208.37.145.35
AUTH50.NS.UU.NET 198.6.1.161
www.quova.net is running Apache/1.3.12 (Unix) PHP/4.0.0 FrontPage/4.0.4.3 on Solaris netcraft [netcraft.com]
AND SINCE THEY shouldn't mind!!!
cherrycoke:~$ sudo nmap -sX -vv -O www.quova.net
Starting nmap V. 2.54BETA1 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host (205.177.226.233) appears to be up
Initiating FIN,NULL, UDP, or Xmas stealth scan against (205.177.226.233)
The UDP or stealth FIN/NULL/XMAS scan took 69 seconds to scan 1525 ports.
For OSScan assuming that port 23 is open and port 1 is closed and neither are firewalled
Interesting ports on (205.177.226.233):
(The 1520 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
80/tcp open http
111/tcp open sunrpc
514/tcp open shell
2049/tcp open nfs
TCP Sequence Prediction: Class=random positive increments
Difficulty=132682 (Good luck!)
Sequence numbers: 6A1BA7D9 6A255F59 6A2A5515 6A2F4624 6A37B2F6 6A3CE0D6
Remote OS guesses: Solaris 2.6 - 2.7, Solaris 7
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=2064A)
T1(Resp=Y%DF=Y%W=2297%ACK=S++%Flags=AS%Ops=NNTNWM
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 83 seconds
Some "security company," with all those notoriously insecure services running on their webserver (NFS, telnet, shell, RPC). Oh well. It looks like their webserver is colocated with some company.
cherrycoke:~$ traceroute www.quova.net
traceroute to www.quova.net (205.177.226.233), 30 hops max, 40 byte packets
1 orangecrush (192.168.0.1) 2.638 ms 2.239 ms 2.238 ms
2 quincy-asx-2.ziplink.net (206.15.185.18) 509.732 ms 203.12 ms 219.374 ms
3 206.15.185.17 (206.15.185.17) 209.86 ms 215.767 ms 199.762 ms
4 * zl-qnz-cisco2bcn.ziplink.net (206.15.158.150) 205.427 ms 214.611 ms
5 zl-pru-h20-1z172h209.ziplink.net (206.15.172.209) 219.845 ms 214.564 ms 219.459 ms
6 206.15.185.217 (206.15.185.217) 219.572 ms 216.462 ms 199.567 ms
7 bay4-322.quincy.ziplink.net (208.196.109.82) 279.498 ms 274.794 ms 259.6 ms
8 zl-sf-e20-2sf7k.ziplink.net (206.15.172.6) 279.477 ms 265.691 ms 279.473 ms
9 pacbell-1.globalcenter.net (198.32.128.32) 279.597 ms 272.632 ms 279.56 ms
10 pos4-2-155M.cr1.SNV.gblx.net (206.132.150.25) 269.622 ms 272.892 ms 299.483 ms
11 pos2-0-622M.cr1.IAD3.gblx.net (206.132.113.102) 337.01 ms 333.853 ms 339.512 ms
12 pos0-0-0-155M.br2.IAD3.gblx.net (206.132.253.26) 339.529 ms 343.903 ms 349.513 ms
13 digiweb.s2-1-1.br2.IAD.gblx.net (204.152.166.190) 349.878 ms 273.863 ms 299.393 ms
14 209.143.145.194 (209.143.145.194) 309.769 ms 277.821 ms 299.558 ms
15 ucla.digiweb.com (206.161.225.11) 299.497 ms 292.234 ms *
Re:I disagree (Score:2)
Make you a deal, Sebastard: Post your physical address, and I'll come over and jiggle your front door some evening. Hey, if it's locked, it's not a problem, is it?
I think you'd be a little disturbed were this to happen, and I think you'd have a problem with it. If not, then you are far too trusting a soul for the world we find ourselves in.
I would offer to give you my physical address, but I find cleaning blood off my wooden front porch to be rather difficult....
I disagree (Score:2)
My computer is connected to the Internet 24/7 via DSL. However, I do not provide any services to the Internet, and in fact have my firewall configured to deny (do not accept, do not respond) any inbound connections. There is no good reason anybody should be pinging my system: you ping to test connectivity, and since you cannot connect to my system, you have no reason to be testing if you can connect.
I consider pinging my system to be the electronic equivalent of jiggling my front doorknob to see if the door will open: Is it "fair use" of my front door?
It's one thing to ping a public site ("Hello? Slashdot? You alive?") but randomly pinging hosts is wrong!
Reminds me of when Israel was scanned from leb.net (Score:2)
When the "Internet Operating System Counter" scan reached the .il (israel) domain [leb.net] it caused some concern! At least they did give a plausible explanation, publish their results, and stop querying areas where people complained (like all of .il!).
When people start measuring your neighbourhood in great detail, and refuse to explain just what it is for, I think you have a right to be suspicious and uncooperative. I hope those who have the right tools in place will just set themselves to ignore (i.e. fail to respond to) traffic from these people. If they get no answer to their pings, it will server them right for being so secretive.
Re:Network maps != psychographics - Spam?? (Score:2)
Re:Security survey? (Score:3)
Then the job of a systems administrator is to be paranoid. If my systems are being portscanned, I *better* investigate it and figure out what is going on.
Onto the bigger issue, I can see both sides. On one hand, I consider "ping" to be a _public_ network service. That is, if I send a ping packet to your machine, and it responds, it isn't intrusion (or "theft of CPU time") because you provide ICMP responses to the world as a regular service.
On the other hand, if someone is pinging my network in order to scan it, I am going to get miffed. Nothing I can do about it.
Re:Yea and...? (Score:5)
For instance...
Running Windows 95/98/NT - Will buy anything, start spamming immeadiately.
Running BeOS - Will buy anything, so long as it is obscure or different. Try to sell them some gas-powered boots.
Running Linux - Likes bandwagons. Try to off-load britney spears and pokemon.
Running Commercial Unix - Resists bandwagons. Try to sell them some more 5,000 dollar operating systems.
Running Windows 3.11 - Too stupid and/or poor. Don't bother.
Disclaimer: Please don't take these personally.
Re:Security survey? (Score:3)
Quova and the Auditing Project (Score:2)
Re:Yea and...? (Score:2)
That's what loser net admins always think, until they start getting their network blocked everywhere.
Spoofed Intent? (Score:2)
I don't think people trust that these guys aren't looking to distribute vulnerability profiles of major companies--what if the psychographics are regarding the IT staffs of major companies?
The Internet Auditing Project detected bugs, but did not identify those who were specifically vulnerable. If this startup goes under, who buys their *ahem* Customer Database?
That being said, they're in a nasty situation. They probably have something innocuous and cool and can't explain what they're doing or why because it'll spark off competition. They should NDA Mudge and let him say whether or not we should be worried.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
"Little Caesars? You do pizza?"
Did anybody think... (Score:2)
They come right out and say that they want to get past alarms. Could it be that they really want to come up with a new security model? Maybe they really want to see how we (sysadmins) respond and what security we have.
Also, mapping networks could help to strategically (sp?) place some kind of security servers that they might be developing....
...And being secretive about developing security will help keep the script kiddies away until release.
Re:Misleading Figues (Score:2)
Or possibly not. The DPA '98 covers information held by data controllers about data subjects or from which data subjects might be identified, where:
(The foregoing definitions are rather more colloquial than the ones the Act uses, but they'll do for present purposes).
Basically, mapping information on .uk net topology will not come within the Act unless information about individuals forms part of that (eg. as a result of copying scads and scads of whois info.)
For further info, see The Data Protection Registry Site [dpr.gov.uk] generally.
For the record, I am a lawyer, and the foregoing is not offered as specific advice for your specific circumstances. This is: don't base decisions that could cost you money or liberty on /. postings. Take advice from a lawyer who's acting specifically for you.
Re:Security survey? (Score:2)
Are networks private property? (Score:5)
However, the IP address space is a public resource, documented and available to any who are willing to participate. You can look up any address block and find out who owns it if you want (like a Registry of Deeds here in most US states). And in order to get a block, you have to agree to the "rules".
The question I'd ask here is "where is the boundary between public and private property?" Obviously, if a system is accessible over the Internet and a service is available, then that service, at least, probably meets the requirements of "public", even if the owner doesn't realize that the service is accessible. Using that service may be public, even though it's not polite.
I'd say if it's behind a firewall that blocks the pings, or not accessible through a NAT export, then it's private. Kind of like the difference between a gated community and a regular old subdivision, to use an imperfect analogy. I can drive into a subdivision, map and photograph every street and house I see, and then use the information for whatever legal purpose I want (I could legally sell it to people wanting, for instance, to publish guides to preferred neighborhoods). I'm free to look at the houses so long as I don't actually trespass on the private property that they rest on.
If I want to map and document a gated gommunity, though, the street is private and blocked off, with restricted access. I need the permission of whoever runs the gatehouse to go inside and map the streets and houses within. If I can see all the houses without having to go through the gatehouse I can still take my photographs, though.
And there's the conundrum. If I block all inbound access to my network (except for exported hosts), then the scans will be stopped at my gatehouse (firewall), and only the things I have chosen to make visible will be mapped. Those systems are public, though my network is private.
Where this company is being unethical is in trying to do this activity as stealthily as possible. If a surveyor wants to try and map my neighborhood, fine. Let them show me their credentials and announce their presence. If I see someone skulking around in the middle of the night in a car with the lights dimmed, who pauses in front of each house for a while, I just may think they're up to no good. And someone else may think that and either call the cops (the offending visitor's ISP) or just shoot 'em.
If I don't want to be mapped (and I, for one, don't), I'll erect my own gate and cordon off my address space that way. If someone sneaks in anyway then I may shoot the varmint myself.
- -Josh Turiel