What's Wrong With Port Scanning?
Sneezer asks: "I work for the department at my university which provides network connectivity for students living in the residence halls. We are currently wrestling with revising our Acceptable Use Policy. We occasionally get complaints from other sysadmins complaining that one of our IPs has port scanned one of their servers. In trying to decide what our policy should be in dealing with residents who play with port scanners, we have come to wonder why so many admins get so uptight about being scanned. Also, could we or should we be held accountable for an intrusion if we were informed that the intruder had been conducting port scans before, but we hadn't intervened?" I feel port-scanning is similar to looking at a house. Looking is OK as long as you don't try to break in. But as in all things, there is a fine line... the trick is figuring out when it's been crossed.
What's wrong with walking along a corridor trying all the doors you see?
But isn't port scanning akin to trying all the doors and windows on the house, to see which ones are open? Say I come by and try to open all your house's doors and windows, then find some are unlocked. So what if I never actually enter your house - simply my checking all your doors and windows would probably bother you. I know it would me. Let me put it this way: if you try that on my house, get ready to meet my Glock. Likewise with my computer.
I think the people complaining are probably doing so because there isn't any reason to port scan someone else's computers except to determine a way to break into those computers. Please let me know if you can think of any reason such activity would be legitimate.
A number of ISP netadmins use port scanning to detect the presence of publicly offered services--the netadmin can then perform tests of those services to ensure they don't become smurf amplifiers or security holes. @Home looks for servers that operate in defiance of their Terms of Service (perhaps too hard). ORBS uses limited port scans to detect and document open mail relays.
Within corporate networks, netadmins regularly scan inside IP addresses looking for security holes -- particularly of publicly accessible servers. Services offered are correlated with lists of possible problems, and the software examined to apply appropriate patches.
Some research depends on Internet-wide port scans to further worthwhile projects. For example, the "fingerprinting" of public servers provides statistics of what software is being used. A mapping project sponsored by NASA generates a sample of "working" systems by using a limited port probe -- I see this all the time in my firewall logs and traced down the project to find out just what was going on. (At some point, I will update my firewall filters to pass through the well-identified IP addresses of this activity, so that their research will reflect reality a bit better.)
Unfortunately, the good works that honest researchers (both pro and amateur) do are far outstripped by the number of people who use the "burglar tools" indiscriminately, or for nefarious purposes. Mass fingerprinting identifies systems ripe for root/admin compromise, or for potential denial of service if the wish arises to do so.
Another commenter said that [paraphrase] "a person checking doors to see if they are locked is suspicious in and of itself": it depends on who is doing the knob-rattling, and whether I know about it beforehand. Port scanning is just that, "knob-rattling." Most firewall appliances and software sold today will detect and block even "stealth" scans of their assigned IP addresses. As they should.
The sad part is that people who run port scanners are considered guilty until proven innocent of trying to commit an unsocial act. AS THEY SHOULD BE. This posture makes sense, because port scanning, like UCE/UBE, uses resources that the user of the port scanning software isn't paying for, and in all too many cases isn't desired by the receiver of the scan packets.
>>I feel port-scanning is similar to looking at a house. Looking is OK as long as you don't try to break-in.
It depends. Here's an example: Here in Texas, it's a state law that if you LOOK into someone's car, you can be arrested for attempted burglary. That's right - if you are walking through a parking lot, see something interesting on the front seat of a parked car, and stop to look at it, you can be arrested for attempted burglary. The theory is that even looking into the car is none of your business and to do so means that you have actually begun the process of committing a burglary.
So there are lots of people who think, in plenty of contexts other than just network administration, that engaging in actions that are a necessary precursor to a crime is the equivalent of beginning to commit that crime. The question, of course, is where do you draw the line.
"There should be no fair use. Quoting is just a form of piracy."
"He was reading a magazine about guns. Convict him of murder! Quick! Before he gets a chance to actually do it!"
There are even people who take this to the most ridiculous extreme:
"Of course all men are rapists. Why else would they be born with the tools to do the crime?"
Now, port scanning is in one of those grey areas. It's not bad in and of itself, but it is often a precursor to bad things. So people tend to mix it up with the acts that often follow. Don't blame them. That sort of fuzzy thinking happens all the time, as the examples above illustrate.
This is my response to the original question of "Why do people get so upset?" Frankly, I haven't a clue as to how to deal with them. They have a point. You have a point. And if you try to decide who's right (since both sides have valid positions), you wind up having to sacrifice reason and truth to make a decision.
Good luck. This is the sort of conundrum that makes life interesting.
Mike
Most anti-cracking laws (no, I haven't done a formal comparative exercise, nor am I likely to) work on the basis that causing someone else's machine to execute any instruction without you being authorised to do it constitutes a crime.
Port scanning without asking is certainly rude, but there's no way of knowing that you're not allowed to do it - the mere fact that the system is connected to a public network is enough that you can assume it's OK to scan. Doing it after you've been asked not to is potentially a crime (check local law for details).
I guess the answer in most places, is that if you've got a legitimate reason to do it, ask first. If you have got a legitimate reason, it should be OK, no? If there's good reason for refusal and the admin you're asking gives it, everyone's happy. This is more of a good manners point than a legal one, though: local laws may or may not make unannounced scanning Bad and Wrong, or require something over and above execution of code to make up the offence of Cracking.
When administering students' access, I guess the thing to do is make damned sure that port scanning leaves an audit trail, so that when you get Mr Angry on, you can pass on the complaint to the guilty party. Ignoring that kind of warning and scanning the same target again should certainly be contrary to a fair use policy: whether you want to go further and maintain a list of People Who Complain About Port Scans that users are required to consult before starting a scan depends on what the administrative overhead of maintaining the list will be against the overhead of dealing with repeat complaints.
The answer really depends on what you regard as good administrative practice in relation to an activity that annoys third parties. As to your potential liability, ask someone at the university's law faculty for a few pointers: I guarantee you won't hear a dull word in response (some or all of this sentence is intended to be construed as humour). There's certainly enough in what you say and in what people have been posting here to ring a few alarm bells in my mind about what you ought to be doing, if only at the good-neighbourliness level.
-- AndrewD
A Maze of Twisty Little Laws, All Different.
To continue this analogy to ridiculous extremes, in the good old days when cops walked a beat, they would often walk down the street checking door knobs to make sure shops had remembered to lock up, and to make sure nobody had unlocked the door since the shop keepers had gone home. A white-hat port scanner could be placed in that category. Nobody would have objected to that cop doing that door knob checking. But if a stranger was walking down the street checking door knobs, you'd be damn suspicious, and rightly so. And anybody who port scans without either asking my permission or having a web page up describing the purpose of their scanning is violating my privacy and will be treated like a potential intruder.
--
A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.
There are legitimate reasons to port scan someone.
However you need to ask why any student would port scan from his own computer. If it is for research then his department (CS most likely) should provide the machine.
For many students I would guess that if their machine is port scanning someone, that means that the machine is compromised and a remote cracker is looking for more holes.
IMHO, the last point is the one you should consider most likely.
My home ISP changed ownership last week, and I haven't looked at the new T&Cs in detail to see if this affects this one.
I think a lot of people are way too uptight about port scanning. They get cable/DSL, install Black Ice or ZoneAlarm and because they see all this activity, they think they're under siege. And I see professional admins that don't act much better. Should ISP X really care if one of their customers scanned your subnet looking for ftp servers?
Chances are, if an admin knows their machines were scanned, they're probably not going to have a problem anyway. By notifying the admin on record for a domain the scan originated from, they might be doing that other admin a favor if the scan looks very suspicious. More suspicious than pings or searches for common ports (even if those ports are often exploitable) like ftp, SMTP, POP3, NFS, etc.
I think an admin should alert that other admin when scans are looking just for common "cracker" ports like 31337. The chances that scanner is up to no good is much higher.
Now if the scanner also tries to connect to an open port like ftp or telnet, that's already more serious but I still wouldn't send an email unless the attempted connections are coming from root and the hostname doesn't look like a commercial ISP (email admin when the remote client is from research.hi-techu.edu, not 28-128-dhcp.isp.com). Again, it doesn't improve my security, but it alerts the other admin that there's likely a security problem on their network.
Of course if any activity gets to the point that it truly interferes with service or a particular host is wasting your time because of all the log records, then an admin should alert the remote domain and expect action.
Overall I think a zero tolerance policy just wastes an admin's time and doesn't really improve anyone's security.
Sure port scanning is suspicious behaviour and the scanner may very well try to break into your computer. So what? You keep your machine secure by configuring it and installing software to make it so, not by crying wolf every time a "stranger's" packet comes knocking at your door.
How should a potential intruder be treated anyway? How would you treat other potential criminals?
To borrow a commonly used metaphor: Port scanning is akin to looking at all the windows of a house to see which ones don't have their curtains drawn. While this behavior is certainly rude, it is not inherently evil.
Much more suspicious are probes of specific ports for daemons known to have vulnerabilities. Most crackers/kiddies don't run full scans against hosts. They choose a handful of ports and check those to determine if there is something listening there and more importantly what version of that daemon is listening there. This is the behavior that is akin to checking to see if the windows are locked.
Port scanning of the first type shouldn't get any seasoned admin's hackles raised - every host connected and available is going to get scanned eventually.
Port scanning of the second type shouldn't get any seasoned admin's hackles raised either - as long as they've taken proper security measures (Mr. Cracker/Kiddie's scanner will simply log the host as "not vulnerable" and move on). Furthermore, since such probes will either be stealthed or blend in with normal traffic, it is unlikely that they will even be noticed.
What does raise my hackles is when a host gets scanned over and over and over and over within a very short period of time from the same source. Such behavior, while not a DOS attack, can be resource-intensive on the target and is very rude. But there again, it is not suspicious per se because it is most likely indicative of a certain degree of cluelessness on the part of the scanner.
The bottom line to me is that port scanning happens but it is nothing to worry about as long as proper and normal security precautions have been taken anyway beforehand and continue to be taken as exploits emerge.
The admins that complain to the source network about port scans are worried about the wrong things, or worse want someone else to be responsible for their own security.
As for liability, who knows. Common sense would dictate that A) The target is responsible for their own security, and B) The source is responsible for their own actions. But since when has common sense borne any resemblance to the law, especially in the context of a civil suit?
It depends on the school but if a port scan was originating from a ResNet connection, I think it's most likely that student doing it, not someone else who's cracked the student's machine.
It's silly to expect a department to provide a machine for any old project a student might do for a class or independent research project. Lab machines may not be configured to allow students to run the programs they want to run to do the scan unless port scanning was a task all students in a class were expected to use. Even if they have the equipment, the student may want to (or need to) run the scan during hours the lab is not open and may not have the ability to run it remotely. What if the student wants to use a software package for a research project and the department doesn't have a machine that it can be run on?
Bandwidth ain't free. We all know unsolicited email ain't nice, so why do we think unsolicited network packets ARE nice?
> A number of ISP netadmins use port scanning to detect the presence of publicly offered services--the netadmin can then perform tests of those services to ensure they don't become smurf amplifiers or security holes. @Home looks for servers that operate in defiance of their Terms of Service (perhaps too hard).
Actually, for a while, I got into the habit of portscanning anyone who portscanned me, just to let them know I did it. As it turned out, I got a letter from @Home telling me that if I violate their terms of service again, they'd terminate my account. Since I didn't portscan anyone who didn't already do it to me, this means one thing:
Someone had the audacity to portscan me, then complain to @Home when I returned the favor!
As it turns out, any use of portscanners, valid or not, is against the TOS.
Not too impressive...
If I want to be portscanned in the name of security, I'll go to dslreports.com and have them run a scan on my network. So, you and your script kiddies are relieved of that noble duty. Now, what's left? Nothing.
I'm not saying "throw the haxors in jail". But your policy should be no off-campus portscans (without written permission from staff). None. Do it, and your account is turned off until you have a meeting with (appropriate staff/dean). Whether you let them portscan on-campus computers is your choice.
Nobody at your university has any business portscanning my network.
I currently use @Home (Cox@Home, specifically, here in Phoenix), and prior to hooking up with them, I asked about running a server (I even asked about changing the contract to allow this, paying more, etc. - I actually told them I would pay MORE to let me run a server - and they turned me down!), and after talking to a "tech", he said that as long as I wasn't running a wide-open public server, I would be fine.
I know the TOS says that you can't run servers. I am not so uptight about the contract that I wouldn't try such a thing (it ain't like you are going to go to jail or something for doing it - yet...), but I wonder what would happen if I did?
Which ports does @Home scan? Only the low numbers? High numbers? Random? What if I ran a web server on say port 45830 - what are the chances I would be caught? Especially if the only traffic is myself (from my work or elsewhere)? What if I made you log into the server before letting someone through (so only I could get in)?
I would like to set up only a few servers - a web, ftp, maybe telnet as well - for my own personal use. Since I would be the only one using them, I would even be willing to put them on funky ports, instead of the common public ones.
Anybody have ideas or comments?
Reason is the Path to God - Anon
This is an educational facility. People are there to learn. What better way to learn what "Joe average webmaster" has for open ports than to scan them. If you're learning system admin, you'll scan whoever, see what's running, question yourself why they're doing what they're doing, etc...
The internet is a public network. Things that are public get used BY the public. One poster had a comment on Texas law stating that by looking in someone's car window, you have started the act of burglary. But that law does not mean that if you're looking in the windows of a city bus, that you then plan to steal that city bus.
The machine is private, the data is private, but anything connected to a switch and given internet access, is fair game in my book.
xrayspx
I like music
I disagree. I think a student trying to set up his own linux box might want to be sure his services are running on the standard ports, or might want to check to be sure he doesn't write a program to take a port that is used by some standard service.
It depends on what port is being scanned. Port 80 is like "I would like some HTTP content? Can I?", but a port like the ones used by Netbus and the like is like walking around a house and seeing if there are any windows open.
--
"Trying is the first step towards failure."
-Homer Simpson
Almost every post on here uses some kind of analogy to show why port scanning is or isn't bad. Analogies are interesting, but ultimately useless in proving your point. Deal with the facts of the issue as they are. It's just like when record company execs say "downloading copies of songs is no different than walking into a store and stealing a CD." Yes, it is different. Deal with the facts as they are. Don't cling to analogies your mind has already come to terms with.
--jb
To me, portscanning is like walking down the street and jiggling every handle on every door. Sure, you might not do anything bad, but it does raise some suspicion. Also, could someone tell me a real use for a portscanner, except done by the admin himself?
:)
Alexander
CmdrTaco: can you please implement a spellchecker for the comments?
> we have come to wonder why so many admins get so uptight about being scanned.
It is folklore among sys admins that portscanning is the noisy preamble of a script kiddie attack.
Therefore, they usually install some kind of "port scanning" detection device, for early warning.
A massive portscanning of such a site may trigger all kinds of alarms, and notify the sys admin, who then has to check out what triggered the alarm.
I guess that at that point, the sys admin transforms into a BOFH. When he discovers that the portscanning came from a uni, he turns into an even more angry and paranoid BOFH, since unis traditionally have been known as script kiddies' co-los: lots of insecure Unix boxes, and lots of bandwidth.
There is nothing wrong with portscanning, but the present climate makes it a rude thing to do, especially if it is a massive portscan (walking up and down every port on the entire IP segment).
I think it would be a fair "Acceptable Use Policy" to state that (massive) portscans, without prior permission from the scanned site, are a no-no. And if someone needs to play around with portscan tools (developing Netcraft-like mapping tools and such), they had better inform their own sys admin first.
Of course, such rules should only apply to (l)users; sys admins and other divine creatures know the craft, and should be allowed such things as portscanning when having a good cause (since they know the implications of portscanning, and take the heat anyway).
It must be said though, that some sys admins seem to regard even the tiniest ping or trace as a full-scale attack on their network, or at least as a personal insult. That is too stuck-up an attitude, of course.
--
Regards
Peter H.S. (sys admin in spe)
When I advertise my TCP services, that is a welcome mat, or an invitation for entry. Probing my system to find openings (even if you don't enter) is invasive and counter to decency.
Ergo, I report every TCP Port Scan of my systems to the proper authorities (ISPs, etc.). When I find someone running a SATAN-type scanner (more aggressive than just TCP port scanning) against my systems I report to legal authorities. Have a nice day.
-- @rjamestaylor on Ello
Stop it, this talk of "knob rattling" is getting me all hot 'n bothered.
I summarize some of the details below, but you can read all about it at the site his friends set up. FreePaul has details, transcripts, audio recordings, musings, and propaganda for you to enjoy.
Basically, Paul had a job in town doing admin work on some computers. He was working on those machines from his dorm room, and had to reboot them a few times (I don't know why. I do know he runs Linux on his personal box.), so each time they rebooted, the dynamically allocated IP was new. Meaning he had to find it again. He knew what range the IP would be in, so he scanned that range to find his machines. He did this, depending on who you believe, between four and a dozen times, over a day or three (again, conflicting stories). He then set up a script enabling the computer to email him with its IP when it reboots, so he didn't need to scan anymore. But someone had already complained.
Apparently, the school networking guys got a complaint from off-campus ("Hey, I'm being scanned by x.y.z.r on your campus. Do something!") and called up Paul, saying 'Don't do that anymore.' This was after Paul had set up the script, so he had no more reason to scan. School networking seemed OK with this, so it seemed everything was hunky-dory (um, that's slang for "just fine").
Then the school's Judicial Affairs department heard about it. And they started going after Paul with a vengeance. Paul wasn't told about certain rights he had in the process, rights declared in California State Law. Judicial Affairs violated State law in the course of the investigation and prosecution (Notice of Hearing was a big one). It seems like Judicial Affairs was trying to make an example of him. Even if all the accusations against him are true, JA still was out of line in the details of the prosecution of the case. I happen to believe that the charges aren't right, but even if they are, there has been a miscarriage of what I think of as Justice.
Now, how does this affect you, and your department's struggle with your Acceptable Use Policy? Be careful. Look at the mechanisms used to prosecute students who violate policies. If you think certain problems are minor compared to others (pinging isn't as bad as running BackOrifice on your professor's computer), try to put those judgements of relative harm into the policy as recommendations for punishments. The people who are now in charge of prosecuting students may be great people, kind, generous, wanting to help. But those people may leave, and the replacements may get on a power-trip, or may think that making a few 'examples' will "keep the little buggers in line". Do your best to make that very hard.
Good luck.
Louis Wu
"Where do you want to go ...
Actually it is suspiciously timely that this story is posted. A few weeks back I was suffering a regular and time-consistent number of attempts at port scanning on my machine. The port in question was 31337 (can anyone say Back Orifice?). Anyway IPChains blocked this and reported the IP, time and date. nslookup reported who the IP belonged to (the same ISP as I was on, as it happened, oh and another big UK ISP). So I wrap up the log files, break down the data, give the document the relevant information and forward it to the support departments of the ISPs in question. The response was ..... well let's just say I think MS will go open source before they respond to my emails.
See I can believe cracking attempts will always occur and that ISPs should not be responsible for them. In the same way that the law is not responsible for someone breaking it. However if that person is identified with having made the attempted break-in then surely they should be punished. In this instance I was providing documentary evidence which should tie up with their own access records.
Clearly the ISPs don't maintain those records. Maybe for reasons of privacy, and if so, how does recording the time you spend online really affect your privacy?
I would have thought though that the ISPs in question would like to have shown their ability to respond to the issues concerned and in turn acted on them... Fat chance.
So here I am. Still online, grepping my message log for DENY and user and access and waiting for the next attempt.
I think for the benefit of society some ports should be blocked if they have become associated with abuse. After a while we get down to the common methods of communication and with that we can better patrol our networks.
And thats why Firecrackers and kittens don't mix.
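The triage the two posts above describe by hand (grep the firewall log for DENY, group by source, decide whether a Back Orifice probe, a repeated scan or a single harmless pass deserves a complaint) is worth automating before the next complaint goes out. The script below is an added example written for this page, not code from either poster. The log lines are constructed to mimic ipchains "Packet log:" output, but the exact field layout, the set of "trojan" ports and the repeat threshold are all assumptions; the reverse lookup the poster did with nslookup is deliberately left out so the script runs offline.

```python
"""Triage of firewall DENY lines, added example (not from this thread).

The log lines below are constructed to mimic ipchains "Packet log:" output;
the exact field layout and the policy thresholds are assumptions, not
anything the posters stated.  Adjust LOG_RE for your kernel's format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Ports the thread calls "cracker" ports (31337 = Back Orifice).  12345 (NetBus)
# is added here as an assumption; extend the set to taste.
TROJAN_PORTS = {31337, 12345}
# A source that hits the same port this many times is scanning "over and over",
# not making a single pass.  Policy knob, assumption.
REPEAT_THRESHOLD = 2

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"\S+ DENY \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: one single-pass scan, one Back Orifice probe repeated
# three times, one re-scan of the same two ports, plus an unrelated sshd line.
SAMPLE_LOG = """\
Jan  5 02:10:01 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2049 203.0.113.5:21 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#5)
Jan  5 02:10:01 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2050 203.0.113.5:22 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#5)
Jan  5 02:10:02 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2051 203.0.113.5:23 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#5)
Jan  5 02:10:02 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2052 203.0.113.5:80 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#5)
Jan  5 03:00:00 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.44:4000 203.0.113.5:31337 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#5)
Jan  5 03:05:00 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.44:4001 203.0.113.5:31337 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#5)
Jan  5 03:10:00 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.44:4002 203.0.113.5:31337 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#5)
Jan  5 04:00:00 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.250:1025 203.0.113.5:21 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#5)
Jan  5 04:00:00 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.250:1026 203.0.113.5:22 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#5)
Jan  5 04:20:00 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.250:1027 203.0.113.5:21 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#5)
Jan  5 04:20:00 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.250:1028 203.0.113.5:22 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#5)
Jan  5 05:00:00 gw sshd[412]: Accepted publickey for admin from 203.0.113.9 port 50022
"""


def parse_log(text):
    """Return (timestamp, src, dport) for each DENY line; everything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # sshd chatter, ACCEPT lines, anything not a DENY
        # syslog carries no year; strptime fills in 1900, which is fine for spans
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["dport"])))
    return events


def triage(events):
    """Per-source summary plus the verdict a complain-to-the-ISP policy would give."""
    per_src = {}
    for ts, src, dport in events:
        d = per_src.setdefault(src, {"hits": defaultdict(int), "first": ts, "last": ts})
        d["hits"][dport] += 1
        d["first"] = min(d["first"], ts)
        d["last"] = max(d["last"], ts)
    report = {}
    for src, d in per_src.items():
        repeats = max(d["hits"].values())          # most hits on any single port
        trojan = sorted(p for p in d["hits"] if p in TROJAN_PORTS)
        if trojan:
            verdict = "trojan-port probe: report to source ISP"
        elif repeats >= REPEAT_THRESHOLD:
            verdict = "repeated scan: report to source ISP"
        else:
            verdict = "single-pass scan: log only"
        report[src] = {
            "ports": len(d["hits"]),
            "repeats": repeats,
            "trojan_ports": trojan,
            "span_seconds": int((d["last"] - d["first"]).total_seconds()),
            "verdict": verdict,
        }
    return report


def format_complaint(src, entry):
    """One line per source: the 'wrapped up log' you would send to abuse@."""
    return (f"{src}: {entry['ports']} port(s) over {entry['span_seconds']} s, "
            f"up to {entry['repeats']} hit(s) per port, trojan ports "
            f"{entry['trojan_ports'] or 'none'} -> {entry['verdict']}")


if __name__ == "__main__":
    for src, entry in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(format_complaint(src, entry))
```

The verdict order matters: a Back Orifice probe is reported even if it only happened once, a plain scan is reported only when the same ports are hit again, and a single pass is just logged, which is the line several posters in this thread draw.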
How does a port scan violate your privacy? All the scanner sees is an active IP address with ports X, Y and Z open. On the Internet, there's nothing private about that information.
There isn't anything "private" about the locked or unlocked state of your car door as with many cars it can be ascertained just by looking, but if I'm at the shopping mall and I see a guy testing car door handles, I'm going to tell mall security.
How should a potential intruder be treated anyway?
By denying them access even to services that others have a legitimate right to, like my mail, usenet and web servers. If I were as paranoid about security in practice as I am in theory, the first thing I would do if I saw a port scan would be to totally black hole every packet that came from that source, no matter what port or protocol.
--
Is port scanning looking, or is it turning the knob on the front door to see if it is locked? I'd get pretty uptight if I found someone standing on my front porch, if they had their hand on the door I'd be calling the cops.
In an academic environment I can think of valid reasons for legitimate port scanning on machines where the scanner had an account (you're there to learn, right?). I cannot think of a reason for someone to be port scanning a machine that they do not otherwise have access to, unless their intent is to crack the box. If someone is curious about how a machine is configured they can walk right up to most popular open ports and ask. Most protocols have ways to query the system (SMTP HELO for example). This is different than walking up and determining which ports are open. Maybe I'm trying to draw too subtle a distinction here, so I'll try to give a concrete example. When I get spammed I check the headers and see where it came from. If it looks like someone has a machine open for relaying I'll telnet to port 25 and see if that is the case. If the machine is open I then send an email asking them to fix it. Is telnetting to port 25 port scanning? Not to me. That is walking up to the front door and knocking. Scanning all ports with nmap is walking up and rattling the doors and windows.
At the very least port scanning is rude. I feel that it is basically a threat to hack.
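The open-relay check the poster above does by hand over telnet is a short SMTP dialogue: HELO, MAIL FROM, RCPT TO an address outside the target's own domains, and then RSET so nothing is ever queued; a 250 to the RCPT means the host will relay, a 550 ("relaying denied") means it won't. The code below is an added example written for this page, not the poster's own script. FakeSMTP is a constructed stand-in server so the check can be exercised offline; the hostnames and addresses are assumptions. Only point the client at mail servers you are authorised to test, since the thread is precisely about unsolicited probes.

```python
"""Open-relay check by speaking SMTP, added example (not from this thread).

check_open_relay() does what the post describes by hand with telnet: HELO,
MAIL FROM, RCPT TO an address outside the target's domains, then RSET, so no
message is ever queued.  FakeSMTP is a constructed stand-in server so the
check can be exercised offline; hostnames and addresses are assumptions.
Only point this at mail servers you are authorised to test."""
import smtplib
import socketserver
import threading


def check_open_relay(host, port, mail_from, rcpt_to, helo="probe.example", timeout=10):
    """Return (is_open, rcpt_code): True when the server accepts relaying to rcpt_to."""
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return False, code         # sender refused; relaying can't even be tested
        code, _ = smtp.rcpt(rcpt_to)
        smtp.rset()                    # abandon the envelope: nothing gets sent
        return code == 250, code       # 250 = relay accepted, 550 = relaying denied
        # leaving the 'with' block sends QUIT


class FakeSMTP(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: relays for everyone if server.open_relay, else only
    for server.local_domains.  Constructed for the example, not a real MTA."""

    def handle(self):
        self.wfile.write(b"220 mail.example ESMTP constructed test server\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            cmd = raw.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                reply = "250 mail.example"
            elif verb in ("MAIL", "RSET", "NOOP"):
                reply = "250 OK"
            elif verb == "RCPT":
                addr = cmd.split(":", 1)[1].strip().strip("<>")
                domain = addr.rsplit("@", 1)[-1].lower()
                if self.server.open_relay or domain in self.server.local_domains:
                    reply = "250 OK"
                else:
                    reply = "550 5.7.1 Relaying denied"
            elif verb == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                break
            else:
                reply = "502 Command not implemented"
            self.wfile.write((reply + "\r\n").encode("ascii"))


def start_fake_server(open_relay, local_domains=("mail.example",)):
    """Start FakeSMTP on a free loopback port in a daemon thread; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakeSMTP)
    server.open_relay = open_relay
    server.local_domains = set(local_domains)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    for configured_open in (True, False):
        server, port = start_fake_server(open_relay=configured_open)
        result = check_open_relay("127.0.0.1", port, "probe@example.net", "victim@example.org")
        print(f"server configured open={configured_open}: probe says {result}")
        server.shutdown()
        server.server_close()
```

A real MTA may accept the RCPT and only reject at DATA, or greylist with a 4xx; treat anything other than a clean 250 as "not proven open" and re-test later rather than sending a complaint on a single ambiguous reply.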
Not to mention that research might be purely personal. I'm a mechanical engineering student, the CS department isn't going to provide me with tools and sanction to learn networking architecture, and it shouldn't have to.
I should be allowed to do personal network research. If I want to see how network tools work, and see what kinds of services can be run, I shouldn't need anyone's sanction to do so. I'm doing runtime research, why is that different from library research?
Louis Wu
"Where do you want to go ...
Every time I get portscanned, I report it, and in one case, I received a very nice thank-you note from the site's admin, saying that the machine which did the scan had been compromised.
If you start allowing portscans from your network, you can expect complaints from me. If it happens too many times, then I'll complain to your ISP. I don't mean to sound threatening, but as an admin who has lots of other legitimate work that I could be doing, I hate having my time wasted by some script kiddie.
Whether you allow (or don't specifically disallow) port-scanning, many sysadmins view it as rude, and some look at it as a prelude to a cracking attempt. If it goes on, you will hear about it from some sub-set of those scanned. Is it worth your time to investigate these events? You (or your boss, or his boss) will get emails and calls. Is it worth your boss's time?
When I have reported port-scans I have gotten thanks from the sysadmins of the systems because that was the first warning that their system was compromised. Unless I've been notified of it beforehand, I look at all port scans suspiciously, and I would be very happy to hear from someone detecting a scan from my network. New exploits are being developed all the time- you can't be up to date on everything, all the time.
If you're secure, then a portscan won't make a difference to you; the scan will be detected, the packets will be dropped, and life will go on. A *single, one pass* scan isn't abuse.
Go back ten years, and you'll hear the same discussion about wardialing. If, in the process of calling all the numbers in an exchange, I happen to hit your phone number, the worst that will happen is that you'll answer and I'll hang up. If someone called my phone company because I called them *once*, should my phone line be disconnected?
"Intent!" someone screams from the back..."You're going to h4x0r me!" Maybe, maybe not. But if your machines are secured, why are you so worried?
Today's h4x0rs are tomorrow's network engineers who have been playing with the internet their entire lives...
Karma only matters to me now and zen.
I can understand an admin being alittle annoyed by portscanning, but really nothing more. If an admin is so worried about a port scanning that he would goto the trouble of reporting it, then he probably isn't very confident in the security of his machines and maybe he should do alittle more reading. If your house got broken into because you forgot to lock your front door you know the cop is thinking "Stupid people", and thats exactly what an employer would think if you left such a gaping hole in your machines.
As far as the jiggle-the-door-handle analogy goes: why would someone jiggle a door handle to see if it's open, unless they were planning on entering??!! If you don't have express consent to "peer in" from the owner, port scanning (or house peeping) is WRONG plain and simple.
Can anyone here honestly say that they WOULD NOT be offended by a stranger peeking into their bedroom window??? It's not much different!!
Come on people, it's wrong....and you know it!
You can't really compare port scanning with looking in someone's windows. That would make port 80 analogous to a window that the homeowner is inviting people to look into. How is the looker supposed to know which windows the owner would like looked into or not?
Port scanning is more analogous to calling a repair shop and asking what services they will provide for your car.
port open="Why yes, Mr. Cronack, we do change oil."
port closed(or stealth)="Sorry, we don't do mufflers."
this is a left handed sig
-- Life is short. Forgive quickly. Kiss slowly. ~ Robert Doisneau
Well, my post was kinda OT, but no problem - I'm not a karma whore, so I don't really care.
Thanks to everyone who responded - right now I am running a Win95 box set up as a proxy/firewall server, using AnalogX proxy and ZoneAlarm for the FW (it's my GF's box, ok? I plan on doing a Linksys router/NAT combo soon anyhow). I probably wouldn't run a server on this box, due to security issues - heck, I am nervous about the proxy/FW combo I chose, but I needed something cheap, and they did the trick, plus they seemed to be pretty highly recommended, and easy to set up.
Eventually I will move to the Linksys device (or set up an imasq Linux box, once I get the skills) - then I will think further about this server thing - however, the info you guys provided has eased my mind a bit. Thank you!
Reason is the Path to God - Anon
There is policy like this at EarthMindLinkSpring (wtfe) (not going to rant about local politics here..)
..
.. causing all of your email, including their invoices(!) to bounce .. this of course means the bot that sends out invoices removes your address (it bounced, right?) and you don't get your bill ... not to mention getting kicked off every listserv you are on, etc
Anyway, Earthspring's AUP prohibits portscanning and may even prevent the use of BO (which would also prohibit SMS and VNC, et al). When they brought this up in indoctrination, I freaked..
It turns out that they selectively enforce this rule (and some others) to get spammers and kiddies, but I don't like having it there at all.
There is something to the point that they can do whatever they want on their network, but it seems awfully restrictive when all a user buys from them is an IP and a mailbox
(This is the dialup AUP, which applies to ADSL too)
<ot rantlevel=moderate>
Then again these are the same guys who (get this)
shut off your email box when you go over their 5 meg quota
</ot>
anyway,
adric at ccactus dot com (has almost finished paying off ELNK from that fiasco)
<script>alert("I never liked JavaScript, really; it just seemed a bad idea.");</script>
Here in Canada, port scanning is actually illegal - it's called "Theft of Computer Services"
This makes perfect sense to me - the person doing the scanning is forcing *my* computer, that I own, to respond to their scans by updating my IPCHAINS rules to block them forever. I don't want to waste my processor time defending my system.
Does anyone know if this is illegal in the US? If so, we should start nailing every script kiddie to the wall - that will teach them to "probe" me...
Driven by 100% sarcasm - fueled by the need to be heard.
I think that portscanning is kinda like those annoying hangup phone calls - the ones that ring and ring until you pick up and say "hello". Then they hang up.
Dang the telemarketers.
Pretty much wherever you go, ignorantia juris neminem excusat, I'm afraid. Everyone is presumed to know the law, except judges, who have the Court of Appeal to correct their mistakes. (This is a lawyer joke. And my colleagues wonder why they have no non-lawyer friends).
-- AndrewD
A Maze of Twisty Little Laws, All Different.
The big question that determines whether portscanning is good or bad is the INTENT of the person performing it.
Now, let's look at it from a sysadmin's perspective:
Someone is scoping my system to see what I have available.
They are doing this without invitation.
They are doing this without telling me.
Now, from MY point of view, this is cause for alarm. People here are saying "It's not that big a deal" - but it IS.
There are two possibilities that are being tossed about here: someone is just doing it because they feel like it, and they have no ill intent.
The other option is that it's someone scoping my network because they want to break in.
Well, since I don't really KNOW what the intent of the person doing the scanning is, which one is the best to choose from?
Pretty easy answer: If someone is scanning me, they want to break in, and I'll do whatever is necessary to stop them.
We notice portscans quite often, as we have boxes on most of our collision domains that detect such activity.
But we do a tad more than "notice".
The large majority of these port scans end abruptly when our machines respond with a series of well-known attacks, proving that the script kiddies can dish it out, but they can't take it.
The small number of scans that continue after an automated response get exactly the sort of personal service and assistance they deserve.
We do no permanent damage, but we do respond in a manner designed to both halt the packets and deliver a clear message.
What's WRONG with portscanning? Nothing, as long as you portscan a network you OWN, where such activity may have value to you as an admin. Ever.
That's our job, and we don't need any "help".
And what's wrong with our response to portscanning?
Also nothing. We noticed unauthorized use of our expensive network resources, and halted it in the most humane manner possible.
Science is the art of infallibility, perpetrated upon non-scientists
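The post above describes detecting scans with sensors on each collision domain, and a later post in this thread notes that particular scan patterns turned out to identify compromised hosts. As an added example (not code from any participant in this thread), here is the minimal form of that detection: a sliding-window count of distinct destination ports per source, run over a constructed set of packet-filter reject lines. The log layout is loosely modelled on Linux packet-filter logging but is an assumption of this example, as are all the addresses, hostnames and ports, which are constructed sample data. The report function produces the kind of summary a defender would attach to an abuse complaint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed packet-filter reject lines in a syslog-like layout (not real traffic).
# 192.0.2.45 walks ten ports in three seconds; 203.0.113.7 retries one closed
# port; 192.0.2.99 touches three ports spread over forty minutes.
SAMPLE_LOG = """\
Mar 12 02:00:00 gw kernel: REJECT IN=eth0 SRC=192.0.2.99 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=22
Mar 12 02:14:01 gw kernel: REJECT IN=eth0 SRC=192.0.2.45 DST=198.51.100.10 PROTO=TCP SPT=40122 DPT=21
Mar 12 02:14:01 gw kernel: REJECT IN=eth0 SRC=192.0.2.45 DST=198.51.100.10 PROTO=TCP SPT=40123 DPT=22
Mar 12 02:14:01 gw kernel: REJECT IN=eth0 SRC=192.0.2.45 DST=198.51.100.10 PROTO=TCP SPT=40124 DPT=23
Mar 12 02:14:02 gw kernel: REJECT IN=eth0 SRC=192.0.2.45 DST=198.51.100.10 PROTO=TCP SPT=40125 DPT=25
Mar 12 02:14:02 gw kernel: REJECT IN=eth0 SRC=192.0.2.45 DST=198.51.100.10 PROTO=TCP SPT=40126 DPT=53
Mar 12 02:14:02 gw kernel: REJECT IN=eth0 SRC=192.0.2.45 DST=198.51.100.10 PROTO=TCP SPT=40127 DPT=80
Mar 12 02:14:03 gw kernel: REJECT IN=eth0 SRC=192.0.2.45 DST=198.51.100.10 PROTO=TCP SPT=40128 DPT=110
Mar 12 02:14:03 gw kernel: REJECT IN=eth0 SRC=192.0.2.45 DST=198.51.100.10 PROTO=TCP SPT=40129 DPT=111
Mar 12 02:14:03 gw kernel: REJECT IN=eth0 SRC=192.0.2.45 DST=198.51.100.10 PROTO=TCP SPT=40130 DPT=139
Mar 12 02:14:03 gw kernel: REJECT IN=eth0 SRC=192.0.2.45 DST=198.51.100.10 PROTO=TCP SPT=40131 DPT=143
Mar 12 02:14:05 gw sshd[812]: Accepted publickey for alice from 203.0.113.7 port 50214
Mar 12 02:15:10 gw kernel: REJECT IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=50300 DPT=8080
Mar 12 02:15:11 gw kernel: REJECT IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=50301 DPT=8080
Mar 12 02:15:12 gw kernel: REJECT IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=50302 DPT=8080
Mar 12 02:20:00 gw kernel: REJECT IN=eth0 SRC=192.0.2.99 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=80
Mar 12 02:40:00 gw kernel: REJECT IN=eth0 SRC=192.0.2.99 DST=198.51.100.10 PROTO=TCP SPT=51002 DPT=443
"""

# Only reject lines carry the SRC/DST/DPT fields; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: REJECT .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return one event dict for a reject line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # enough to order events inside one log file (an assumption of this example).
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dport": int(m["dpt"])}


def detect_scans(log_text, window_seconds=60, port_threshold=8):
    """Flag every source that reaches port_threshold distinct destination
    ports inside some sliding window of window_seconds."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)   # dport -> hits inside the current window
        start, peak = 0, 0
        for ev in evs:
            in_window[ev["dport"]] += 1
            # Slide the window start forward past events older than the window.
            while ev["ts"] - evs[start]["ts"] > window:
                old = evs[start]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= port_threshold:
            alerts.append({
                "src": src,
                "peak_distinct_ports": peak,
                "window_seconds": window_seconds,
                "ports": sorted({e["dport"] for e in evs}),
                "targets": sorted({e["dst"] for e in evs}),
                "first_seen": evs[0]["ts"].strftime("%b %d %H:%M:%S"),
                "last_seen": evs[-1]["ts"].strftime("%b %d %H:%M:%S"),
            })
    return alerts


def format_report(alert):
    """Plain-text summary of one alert, the sort of record an abuse desk needs."""
    return (f"{alert['src']} hit {alert['peak_distinct_ports']} distinct ports within "
            f"{alert['window_seconds']}s on {', '.join(alert['targets'])} between "
            f"{alert['first_seen']} and {alert['last_seen']}; "
            f"ports: {', '.join(map(str, alert['ports']))}")


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(format_report(alert))
```

The threshold and window are the tuning knobs: a retrying client that hammers one closed port never raises the distinct-port count, and a host that touches a few ports over the course of an hour stays below a 60-second window, so only the source that walked ten ports in three seconds is reported.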
first off, i'd like to thank everyone for their replies. you've given us some issues to think about.
now, if i may reply to a few ideas in the thread:
re: analogies :).
i have to agree with the poster who pointed out that we can analogy ourselves to death and never really accomplish anything. the Texas story about looking into cars made for interesting reading, though
re: valid uses
port scanning for the purposes of understanding the security of your box cannot be overrated. we've found lots of problems by playing with nmap (sendmail's listening on what port? portmap is still running on that debian machine?).
but as someone else pointed out (i'm far too lazy to assign credit; my apologies), how about just for the purpose of pure learning? most of us grew up (or are still growing up) hacking on computers. if the Internet had been as widespread when i was 11 as it is now, i'm sure i would have done a good deal of exploration and learned a lot about networks by doing it. as it is, i'm still trying to learn more and more about network infrastructure and good sysadminning practices and the like. learning by example and experimentation are some of the best ways to learn. and for someone who had less guidance in system administration than i first did, it might be the only way to learn anything at all.
how about port scanning as market research? not too long ago i used nmap on the primary webserver of a webspace provider my friends were thinking of using. the nmap showed me a default Redhat box, complete with telnet, linuxconf, lpd, and NFS running (and clearly not tcp wrappered or firewalled)! in this case, maybe i could have just asked the admin what she was running, but do you think she would have told me, even if she'd known? i'd wager she would have told me she was running apache and ColdFusion and whatever else she thought i might care directly about, but wouldn't feel the need to mention that her company used telnet for authentication. as it was, i strongly recommended my friends look elsewhere for a webspace company that had some competent sysadmins. unfortunately, my friends' webmaster thinks that ssh is only useful "if you run the government of a small nation," so my advice may go unheeded. and yes, i've tried edumakating this webmaster, but he's the one trying to write the site in ColdFusion, so...
what about port scanning out of idle curiosity? what if i'm sitting in my dorm room and i want to know what kinds of boxes are plugged into the local network? nmapping the subnet tells you all kinds of neat stuff. this is not something i need to do for any reason, but i also don't really see the harm in it. i personally would inform people if i found insecure services on their boxen, but i realize this doesn't apply to everyone.
what if i happen to go to a particular website a lot, and just sort of wonder what's kicking around under the hood? nmap slashdot.org and i now have more information than i did before. (slashdot might be a bad example since they publish most of their setup already, but this is all very pedantic anyway.) i'm well aware of what is said about curiosity and felines and grisly murder, but learning is nonetheless something i very much enjoy.
the harsh reality
this debate is very interesting, and i'm glad to have had it with a larger community than just my colleagues here. it seems that the comments are about evenly split between the "always bad" and "generally innocent" camps. the problem is that as long as there are "always bad" types out there, it will be hard for us not to have to deal with people who experiment with port scanners, because a complaint means someone has to look into it and deal with it. this means someone playing around and looking at stuff could generate a large amount of work for someone to deal with, which is bad, as all but a few of us are overworked students as it is (that is, all but a few of us are students; i'd wager that for all X where X is a student, X is overworked...but i digress).
anyway, i see this as an unfortunate state of affairs. i don't like having to institute a policy i don't agree with, but, to quote Radiohead (though it is uttered ironically in "fitter happier"), "Pragmatism Not Idealism."
hopefully this reply isn't too late to be viewed by a few of the discussion's participants. again, thanks for your thoughts.
tyler
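The two valid uses tyler describes (auditing a box you run, and checking a prospective provider's public-facing host for legacy services such as telnet, linuxconf, lpd and NFS) both come down to reading an nmap result and deciding which open ports are a problem. As an added example, not code from the thread or from the nmap project, here is a small audit of nmap's greppable (-oG) output against an allow-list of expected ports. The output text is a constructed sample, the host addresses and names are constructed, and the list of services treated as risky is this example's own judgement rather than anything nmap ships.

```python
# Services that are flagged whenever found open: cleartext-authentication
# daemons and broad-exposure services that should be disabled or firewalled on
# an internet-facing host. Keyed by the service name nmap prints; the port
# table below is a fallback for hosts where the name column is empty.
RISKY_SERVICES = {
    "telnet": "cleartext login",
    "ftp": "cleartext login",
    "pop3": "cleartext mail authentication",
    "finger": "account information disclosure",
    "exec": "r-service trusting source address",
    "login": "r-service trusting source address",
    "shell": "r-service trusting source address",
    "linuxconf": "remote admin tool listening on the network",
    "rpcbind": "portmapper exposes RPC services",
    "sunrpc": "portmapper exposes RPC services",
    "printer": "lpd exposed to the network",
    "nfs": "NFS exported to the network",
}
RISKY_PORTS = {21: "ftp", 23: "telnet", 79: "finger", 98: "linuxconf", 110: "pop3",
               111: "rpcbind", 512: "exec", 513: "login", 514: "shell",
               515: "printer", 2049: "nfs"}

# Constructed sample in nmap's greppable layout (tab-separated fields, port
# entries as port/state/proto/owner/service/rpcinfo/version/). Not real output.
SAMPLE_GREPPABLE = (
    "# Nmap scan (constructed sample, not real output)\n"
    "Host: 198.51.100.10 (www.example.test)\tStatus: Up\n"
    "Host: 198.51.100.10 (www.example.test)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "23/open/tcp//telnet///, 25/open/tcp//smtp///, 80/open/tcp//http///, 98/open/tcp//linuxconf///, "
    "111/open/tcp//rpcbind///, 113/closed/tcp//ident///, 515/open/tcp//printer///, "
    "2049/open/tcp//nfs///\tIgnored State: closed (1663)\n"
    "Host: 198.51.100.11 (mail.example.test)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (1670)\n"
)


def parse_greppable(text):
    """Map each scanned address to its list of port entries."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comments and bare Status lines
        addr = line.split()[1]
        ports_field = line.split("Ports: ", 1)[1].split("\t")[0]
        entries = []
        for item in ports_field.split(", "):
            f = item.split("/")
            if len(f) < 5:
                continue                  # malformed entry, skip rather than guess
            entries.append({"port": int(f[0]), "state": f[1], "proto": f[2],
                            "service": f[4], "version": f[6] if len(f) > 6 else ""})
        hosts[addr] = entries
    return hosts


def audit(text, expected_ports):
    """Return findings for open ports that are risky by service, or simply not
    on the allow-list of ports you meant to be listening."""
    findings = []
    for addr, entries in parse_greppable(text).items():
        for e in entries:
            if e["state"] != "open":
                continue
            reason = RISKY_SERVICES.get(e["service"]) or \
                RISKY_SERVICES.get(RISKY_PORTS.get(e["port"], ""))
            if reason:
                findings.append({"host": addr, "port": e["port"], "service": e["service"],
                                 "severity": "risky", "reason": reason})
            elif e["port"] not in expected_ports:
                findings.append({"host": addr, "port": e["port"], "service": e["service"],
                                 "severity": "unexpected",
                                 "reason": "open port not on the expected list"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_GREPPABLE, expected_ports={22, 25, 80, 443}):
        print(f"{f['host']}:{f['port']} {f['service']:<12} {f['severity']:<10} {f['reason']}")
```

Run against a scan of your own hosts, the "unexpected" class answers the "portmap is still running on that box?" question directly, and the "risky" class is the list you would hand to whoever administers the machine. The closed ident entry is skipped on purpose: a closed port is a finding about the firewall, not the daemon.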
I've been portscanned numerous times on a cable modem connection - but in tracing the IP back to the ISP, I often find their AUP/TOS doesn't have a contact email for reporting such abuse.
What does everyone use to reach a responsible human being at the portscanner's ISP? Is postmaster@isp.com acceptable in a case like this?
If port scanning is illegal, then if I put a web server up on my machine, and someone accesses it without my express permission, should they be guilty of a crime? Come on, if your OS and software provide crap security out of the box, take it up with the manufacturer. If you can't figure out how to deploy a secure server, don't run one. If you leave the door open while you go on vacation, are you really surprised when you return and find your TV gone and some bum camping in your living room? The internet is a hostile place, in a global context.. Neither you, nor the US government can criminalise the act of requesting information from your computer any more than you can criminalise shark attacks. 'I didn't give that shark permission to bite my ass, let's drain the oceans just to be sure it doesn't happen again.' If you don't want requests being made to your IP address, unplug your machine from the internet. Your computer is constantly pinged and polled by your ISP to make sure you're still connected. Is that illegal? When you type a URL into your browser, should you be required to ensure you have the permission of the site you are trying to access first?? Give me a friggin break.
I gots ta ding a ding dang my dang a long ling long
Recently scanning became an issue at one of my clients. They're a big firm that handles financial information online. They have a number of sub-companies all with different IS groups/policies.
It turned out that they were getting hit by an extremely large number of probes by one of the local universities (and for this client to notice it's a LOT of probes.) A polite email was sent to the regular addresses requesting that the activity be halted. No response. As it continued a phone call was made - nobody at the school was willing to take the message. Ok. A letter was sent and they simply cut off the school's block of IP address from all access inbound & outbound.
Two things happened. A few days later my client got a call from the school's Financial Dept - apparently they used some of client's services and after some confused research discovered that they couldn't access them and the trouble was at the financial services co's end. As the school was using free services my client simply responded (after running it past the appropriate depts.) that the school was being blocked - and why. Apparently this caused some internal reaction at the school.
At the same time the client had some graduates of the school working for them, as well as a number of the faculty. They also discovered they couldn't access the school & vice-versa. This also caused a reaction and after some rumors and many calls to the internal support desk an email was sent out internally explaining why they were blocking access to the school. BTW all the while the probes were still getting worse and had they been getting through would have been starting to impact some services in a small way.
Apparently someone finally mentioned this to the President of the school (likely over golf.) Apparently he didn't like the fact that my client was blocking his school, nor that they had notified their employees that they were doing so nor that the school had been portrayed as unresponsive (the company did have a receipt for the certified letter at this point & no one had ever returned any message.)
Shortly thereafter the probes stopped abruptly. The client also got a couple of very nice letters from the school asking them to stop blocking them and implying the school would like them to let their employees know that the school wasn't a bunch of louts (not a rep. most schools want for their graduates apparently.) I also heard through the grapevine that some staff at the school got in some very hot water for neither overseeing the school's network activities nor for responding to complaints and their ensuing fallout.
So - what are the results of probing other sites? Well in this case a bad reputation & an upset school administration. There's also been a new set of policies put in place at the company regarding folks from the schools and the access they have to the systems. Essentially they're now almost a suspect class and a re-evaluation is taking place of giving these folks access to proprietary information the client has. This will of course limit exposure on the client's side but also unfortunately dramatically limit what the interns, co-ops & part-timers can do (& learn about) at the company.
Finally there is still somewhat of a bad impression of the school for the whole thing. Indeed the school had been trying to get my client to buy into some net-based telecourses but my client's IS staff decided they simply didn't want to deal with the school's IS staff and kiboshed the idea (I believe it was 'bandwidth reliability concerns'.)
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
And what about the person trying keys in all those car doors? I doubt he's just checking to make sure no one else can get into them.
I used to watch a semi-major Internet site. We got tons and tons of scans against our web server. Soon I learned that at least one of the patterns seen *did* point to systems that were compromised. I likely would have never associated a scanning pattern as being related to a particular tool used on broken-into systems until I spotted an IP address from our hosting ISP scanning us. They quickly confirmed that the system I had seen was indeed compromised. I subsequently sent off a bunch of emails, some of which went to other quite significant players on the Internet that you would have never guessed would have poor security.
Telling someone that their system is portscanning often is not a threat. In my case, I wanted to warn other admins that I thought their systems had problems. If I had chased every portscanner we got, I never would have had time for anything else.
Hey, to the Anonymous user: thanks for the technical response. I did not feel like educating the particular responder regarding IP spoofing, as if they did not realise it then they might already be misusing it .. mistakenly. Still, maybe a lesson in ping/pung/pang might be in order ;-)
And that's why firecrackers and kittens don't mix.