What's Wrong With Port Scanning?
Sneezer asks: "I work for the department at my university which provides network connectivity for students living in the residence halls. We are currently wrestling with revising our Acceptable Use Policy. We occasionally get complaints from other sysadmins complaining that one of our IPs has port scanned one of their servers. In trying to decide what our policy should be in dealing with residents who play with port scanners, we have come to wonder why so many admins get so uptight about being scanned. Also, could we or should we be held accountable for an intrusion if we were informed that the intruder had been conducting port scans before, but we hadn't intervened?" I feel port-scanning is similar to looking at a house. Looking is OK as long as you don't try to break in. But as in all things, there is a fine line... the trick is figuring out when it's been crossed.
What's wrong with walking along a corridor trying all the doors you see?
A number of ISP netadmins use port scanning to detect the presence of publicly-offered services--the netadmin can then perform tests of those services to ensure they don't become smurf amplifiers or security holes. @Home looks for servers that operate in defiance of their Terms of Service (perhaps too hard). ORBS uses limited port scans to detect and document open mail relays.
Within corporate networks, netadmins regularly scan inside IP addresses looking for security holes -- particularly of publicly accessible servers. Services offered are correlated with lists of possible problems, and the software examined to apply appropriate patches.
Some research depends on Internet-wide port scans to further worthwhile projects. For example, the "fingerprinting" of public servers provides statistics of what software is being used. A mapping project sponsored by NASA generates a sample of "working" systems by using a limited port probe -- I see this all the time in my firewall logs and traced down the project to find out just what was going on. (At some point, I will update my firewall filters to pass through the well-identified IP addresses of this activity, so that their research will reflect reality a bit better.)
Unfortunately, the good works that honest researchers (both pro and amateur) do are far outstripped by the number of people who use the "burglar tools" indiscriminately, or for nefarious purposes. Mass fingerprinting identifies systems ripe for root/admin compromise, or for potential denial of service if the wish arises to do so.
Another commenter said that [paraphrase] "a person checking doors to see if they are locked is suspicious in and of itself": it depends on who is doing the knob-rattling, and whether I know about it beforehand. Port scanning is just that, "knob-rattling." Most firewall appliances and software sold today will detect and block even "stealth" scans of their assigned IP addresses. As they should.
The sad part is that people who run port scanners are considered guilty until proven innocent of trying to commit an unsocial act. AS THEY SHOULD BE. This posture makes sense, because port scanning, like UCE/UBE, uses resources that the user of the port scanning software isn't paying for, and in all too many cases isn't desired by the receiver of the scan packets.
>>I feel port-scanning is similar to looking at a house. Looking is OK as long as you don't try to break-in.
It depends. Here's an example: Here in Texas, it's a state law that if you LOOK into someone's car, you can be arrested for attempted burglary. That's right - if you are walking through a parking lot, see something interesting on the front seat of a parked car, and stop to look at it, you can be arrested for attempted burglary. The theory is that even looking into the car is none of your business and to do so means that you have actually begun the process of committing a burglary.
So there are lots of people who think, in plenty of contexts other than just network administration, that engaging in actions that are a necessary precursor to a crime is the equivalent of beginning to commit that crime. The question, of course, is where do you draw the line.
"There should be no fair use. Quoting is just a form of piracy."
"He was reading a magazine about guns. Convict him of murder! Quick! Before he gets a chance to actually do it!"
There are even people who take this to the most ridiculous extreme:
"Of course all men are rapists. Why else would they be born with the tools to do the crime?"
Now, port scanning is in one of those grey areas. It's not bad in and of itself, but it is often a precursor to bad things. So people tend to mix it up with the acts that often follow. Don't blame them. That sort of fuzzy thinking happens all the time, as the examples above illustrate.
This is my response to the original question of "Why do people get so upset?" Frankly, I haven't a clue as to how to deal with them. They have a point. You have a point. And if you try to decide who's right (since both sides have valid positions), you wind up having to sacrifice reason and truth to make a decision.
Good luck. This is the sort of conundrum that makes life interesting.
Mike
I can do a portscan on my box, from a friend's box, to show him how much more secure my system is. Perfectly legit. I can do it the other way round, from my box to his, to show how insecure it is. Both legit. And luckily pulling a gun on someone IS a crime in most of Europe.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
The difference is that you can give yourself permission to scan your own box and your friend can give you permission to scan his.
Scanning without permission is being a very poor neighbor.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
Most anti-cracking laws (no, I haven't done a formal comparative exercise, nor am I likely to) work on the basis that causing someone else's machine to execute any instruction without you being authorised to do it constitutes a crime.
Port scanning without asking is certainly rude, but there's no way of knowing that you're not allowed to do it - the mere fact that the system is connected to a public network is enough that you can assume it's OK to scan. Doing it after you've been asked not to is potentially a crime (check local law for details).
I guess the answer in most places is that if you've got a legitimate reason to do it, ask first. If you have got a legitimate reason, it should be OK, no? If there's good reason for refusal and the admin you're asking gives it, everyone's happy. This is more of a good manners point than a legal one, though: local laws may or may not make unannounced scanning Bad and Wrong, or require something over and above execution of code to make up the offence of Cracking.
When administering students' access, I guess the thing to do is make damned sure that port scanning leaves an audit trail, so that when you get Mr Angry on, you can pass on the complaint to the guilty party. Ignoring that kind of warning and scanning the same target again should certainly be contrary to a fair use policy: whether you want to go further and maintain a list of People Who Complain About Port Scans that users are required to consult before starting a scan depends on what the administrative overhead of maintaining the list will be against the overhead of dealing with repeat complaints.
The answer really depends on what you regard as good administrative practice in relation to an activity that annoys third parties. As to your potential liability, ask someone at the university's law faculty for a few pointers: I guarantee you won't hear a dull word in response (some or all of this sentence is intended to be construed as humour). There's certainly enough in what you say and in what people have been posting here to ring a few alarm bells in my mind about what you ought to be doing, if only at the good-neighbourliness level.
-- AndrewD
A Maze of Twisty Little Laws, All Different.
To continue this analogy to ridiculous extremes, in the good old days when cops walked a beat, they would often walk down the street checking door knobs to make sure shops had remembered to lock up, and to make sure nobody had unlocked the door since the shop keepers had gone home. A white-hat port scanner could be placed in that category. Nobody would have objected to that cop doing that door knob checking. But if a stranger was walking down the street checking door knobs, you'd be damn suspicious, and rightly so. And anybody who port scans without either asking my permission or having a web page up describing the purpose of their scanning is violating my privacy and will be treated like a potential intruder.
--
A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.
>Scanning without permission is being a very poor neighbor.
I agree. But it's still a big step from being a nasty neighbour or complete bastard to being a criminal.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
There are legitimate reasons to port scan someone.
However you need to ask why any student would port scan from his own computer. If it is for research then his department (CS most likely) should provide the machine.
For many students I would guess that if their machine is port scanning someone, that means that the machine is compromised and a remote cracker is looking for more holes.
IMHO, the last point is the one you should consider most likely.
My home ISP changed ownership last week, and I haven't looked at the new T&Cs in detail to see if this affects this one.
I think a lot of people are way too uptight about port scanning. They get cable/DSL, install Black Ice or ZoneAlarm and because they see all this activity, they think they're under siege. And I see professional admins that don't act much better. Should ISP X really care if one of their customers scanned your subnet looking for ftp servers?
Chances are, if an admin knows their machines were scanned, they're probably not going to have a problem anyway. By notifying the admin on record for a domain the scan originated from, they might be doing that other admin a favor if the scan looks very suspicious. More suspicious than pings or searches for common ports (even if those ports are often exploitable) like ftp, SMTP, POP3, NFS, etc.
I think an admin should alert that other admin when scans are looking just for common "cracker" ports like 31337. The chance that the scanner is up to no good is much higher.
Now if the scanner also tries to connect to an open port like ftp or telnet, that's already more serious but I still wouldn't send an email unless the attempted connections are coming from root and the hostname doesn't look like a commercial ISP (email admin when the remote client is from research.hi-techu.edu, not 28-128-dhcp.isp.com). Again, it doesn't improve my security, but it alerts the other admin that there's likely a security problem on their network.
Of course if any activity gets to the point that it truly interferes with service or a particular host is wasting your time because of all the log records, then an admin should alert the remote domain and expect action.
Overall I think a zero tolerance policy just wastes an admin's time and doesn't really improve anyone's security.
To borrow a commonly used metaphor: Port scanning is akin to looking at all the windows of a house to see which ones don't have their curtains drawn. While this behavior is certainly rude, it is not inherently evil.
Much more suspicious are probes of specific ports for daemons known to have vulnerabilities. Most crackers/kiddies don't run full scans against hosts. They choose a handful of ports and check those to determine if there is something listening there and more importantly what version of that daemon is listening there. This is the behavior that is akin to checking to see if the windows are locked.
Port scanning of the first type shouldn't get any seasoned admin's hackles raised - every host connected and available is going to get scanned eventually.
Port scanning of the second type shouldn't get any seasoned admin's hackles raised either - as long as they've taken proper security measures (Mr. Cracker/Kiddie's scanner will simply log the host as "not vulnerable" and move on). Furthermore, since such probes will either be stealthed or blend in with normal traffic, it is unlikely that they will even be noticed.
What does raise my hackles is when a host gets scanned over and over and over and over within a very short period of time from the same source. Such behavior, while not a DOS attack, can be resource-intensive on the target and is very rude. But there again, it is not suspicious per se because it is most likely indicative of a certain degree of cluelessness on the part of the scanner.
The bottom line to me is that port scanning happens but it is nothing to worry about as long as proper and normal security precautions have been taken anyway beforehand and continue to be taken as exploits emerge.
The admins that complain to the source network about port scans are worried about the wrong things, or worse want someone else to be responsible for their own security.
As for liability, who knows. Common sense would dictate that A) The target is responsible for their own security, and B) The source is responsible for their own actions. But since when has common sense born any resemblance to the law, especially in the context of a civil suit?
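The rules of thumb in the two posts above (a one-pass sweep is noise; probes of "cracker" ports like 31337, or connections from a privileged source port on a host that doesn't look like a consumer ISP pool, are worth a courtesy note to the remote admin; a host rescanned over and over in a short window is worth escalating) as a triage script over constructed firewall log lines. This is an added example, not code from any poster; the log format, thresholds and hostnames are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real firewall's syntax):
#   <ISO timestamp> <src_hostname> <src_ip>:<src_port> -> <dst_port>/tcp
LINE = re.compile(r"^(\S+) (\S+) (\d+(?:\.\d+){3}):(\d+) -> (\d+)/tcp$")

BACKDOOR_PORTS = {31337}               # the "cracker" port named in the thread
SWEEP_THRESHOLD = 50                   # distinct ports that count as a full sweep (assumed)
REPEAT_WINDOW = timedelta(minutes=10)  # "very short period of time" (assumed value)
REPEAT_FACTOR = 3                      # hits per port inside the window that count as rescanning
DYNAMIC_HOST = re.compile(r"dhcp|dial|ppp|cable|dsl", re.I)  # looks like a consumer ISP pool


def parse(lines):
    """Group parsed events by source IP; lines that do not match are skipped."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, host, ip, sport, dport = m.groups()
        events[ip].append((datetime.fromisoformat(ts), host, int(sport), int(dport)))
    return events


def classify(evs):
    """Apply the thread's rules of thumb to one source's events -> (verdict, reasons)."""
    if not evs:
        return "ignore", []
    evs = sorted(evs)
    host = evs[0][1]
    ports = {dport for _, _, _, dport in evs}
    span = evs[-1][0] - evs[0][0]

    rescanned = len(evs) >= REPEAT_FACTOR * len(ports) and span <= REPEAT_WINDOW
    backdoor = sorted(ports & BACKDOOR_PORTS)
    privileged = (any(sport < 1024 for _, _, sport, _ in evs)
                  and not DYNAMIC_HOST.search(host))
    sweep = len(ports) >= SWEEP_THRESHOLD

    reasons = []
    if rescanned:
        reasons.append("rescanned %d times within %s" % (len(evs) // len(ports), span))
    if backdoor:
        reasons.append("probe of backdoor port(s) %s" % backdoor)
    if privileged:
        reasons.append("privileged source port from non-dynamic host %s" % host)
    if sweep:
        reasons.append("one-pass sweep of %d ports" % len(ports))

    if rescanned:
        verdict = "escalate"   # burning the target's resources: alert the remote domain, expect action
    elif backdoor or privileged:
        verdict = "notify"     # likely a compromised or hostile host: a courtesy note to its admin
    else:
        verdict = "ignore"     # ordinary noise that every reachable host eventually sees
    return verdict, reasons


def triage(lines):
    """Map each source IP in the log to its verdict and the reasons behind it."""
    return {ip: classify(evs) for ip, evs in parse(lines).items()}


# Constructed sample log: four sources, one per rule.
SAMPLE_LOG = (
    ["2000-03-01T10:00:%02d 28-128-dhcp.isp.example 10.0.0.5:40%03d -> %d/tcp" % (i, i, i + 1)
     for i in range(60)]                                     # consumer host, one pass over 60 ports
    + ["2000-03-01T10:05:00 research.hi-techu.example 10.0.0.6:1023 -> 21/tcp"]  # root, .edu-style host
    + ["2000-03-01T10:06:00 ppp-17.isp.example 10.0.0.7:3321 -> 31337/tcp"]       # backdoor port
    + ["2000-03-01T10:%02d:00 host-9.example 10.0.0.8:%d -> %d/tcp" % (10 + k, 5000 + 2 * k + j, p)
       for k in range(4) for j, p in enumerate((21, 23))]    # same two ports hit four times in 3 min
)

if __name__ == "__main__":
    for ip, (verdict, reasons) in sorted(triage(SAMPLE_LOG).items()):
        print("%-10s %-8s %s" % (ip, verdict, "; ".join(reasons)))
```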
Bandwidth ain't free. We all know unsolicited email ain't nice, so why do we think unsolicited network packets ARE nice?
I'm glad I won't get shot for being a poor neighbour..
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
>A number of ISP netadmins use port scanning to detect the presence of publicly-offered services--the netadmin can then perform tests of those services to ensure they don't become smurf amplifiers or security holes. @Home looks for servers that operate in defiance of their Terms of Service (perhaps too hard).
Actually, for a while, I got into the habit of portscanning anyone who portscanned me, just to let them know I did it. As it turned out, I got a letter from @Home telling me that if I violate their terms of service again, they'd terminate my account. Since I didn't portscan anyone who didn't already do it to me, this means one thing:
Someone had the audacity to portscan me, then complain to @Home when I returned the favor!
As it turns out, any use of portscanners, valid or not, is against the TOS.
>But it's still a big step from being a nasty neighbour or complete bastard to being a criminal.
View my "nasty neighbor" comment as being reverse hyperbole. When you don't know your neighbors, even minor acts that violate your privacy reduce your security. On the Internet, everyone is a neighbor to everyone else and most people are strangers to one another. University AUPs should promote good neighborliness on the net.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
This is an educational facility. People are there to learn. What better way to learn what "Joe average webmaster" has for open ports than to scan them. If you're learning system admin, you'll scan whoever, see what's running, question yourself why they're doing what they're doing, etc...
The internet is a public network. Things that are public get used BY the public. One poster had a comment on Texas law stating that by looking in someone's car window, you have started the act of burglary. But that law does not mean that if you're looking in the windows of a city bus, that you then plan to steal that city bus.
The machine is private, the data is private, but anything connected to a switch and given internet access, is fair game in my book.
xrayspx
I like music
I haven't heard of anyone having problems running servers on @home. I personally run telnet, ftp, http, and ssh (it's nice to have access to my home computer from work). That, and I haven't even detected port scans from @home admins to detect servers. YMMV.
However, be careful. Every server you have running is a potential security hole. You might think nobody cares about your box, or nobody will find it. I thought the same thing till my box was cracked (damn you wu-ftpd!). Keep up to date with the latest security exploits, keep your software up to date and monitor your logs.
Almost every post on here uses some kind of analogy to show why port scanning is or isn't bad. Analogies are interesting, but ultimately useless in proving your point. Deal with the facts of the issue as they are. It's just like when record company execs say "downloading copies of songs is no different than walking into a store and stealing a CD." Yes, it is different. Deal with the facts as they are. Don't cling to analogies your mind has already come to terms with.
--jb
When I advertise my TCP services, that is a welcome mat, or an invitation for entry. Probing my system to find openings (even if you don't enter) is invasive and counter to decency.
Ergo, I report every TCP Port Scan of my systems to the proper authorities (ISPs, etc.). When I find someone running a SATAN-type scanner (more aggressive than just TCP port scanning) against my systems I report to legal authorities. Have a nice day.
Now hiring experienced client- & server-side developers
-- @rjamestaylor on Ello
How does a port scan violate your privacy? All the scanner sees is an active IP address with ports X, Y and Z open. On the Internet, there's nothing private about that information.
There isn't anything "private" about the locked or unlocked state of your car door as with many cars it can be ascertained just by looking, but if I'm at the shopping mall and I see a guy testing car door handles, I'm going to tell mall security.
How should a potential intruder be treated anyway?
By denying them access even to services that others have a legitimate right to, like my mail, usenet and web servers. If I were as paranoid about security in practice as I am in theory, the first thing I would do if I saw a port scan would be to totally black hole every packet that came from that source, no matter what port or protocol.
--
A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.
I agree with you on the point that a student at the university probably has no reason to scan you. Though you're so adamant about it, I wonder if you're trying to hide something. Obscurity is not Security.
What I do not agree with is what you propose as a solution. Shutting down a user's account because it was used for a port scan is simply wrong. First, the owner of the account was most likely not the person responsible for the scan if they had any intent of cracking your computer. Second, even if the owner of the account was responsible for the scan, it might very well have been done by accident while trying to scan something else.
A policy such as you proposed would in no way stop scanning from student accounts. More likely, the policy would be used as a means of revenge by crackers against particular students.
Every time I get portscanned, I report it, and in one case, I received a very nice thank-you note from the site's admin, saying that the machine which did the scan had been compromised.
If you start allowing port scans from your network, you can expect complaints from me. If it happens too many times, then I'll complain to your ISP. I don't mean to sound threatening, but as an admin who has lots of other legitimate work that I could be doing, I hate having my time wasted by some script kiddie.
Whether you allow (or don't specifically disallow) port-scanning, many sysadmins view it as rude, and some look at it as a prelude to a cracking attempt. If it goes on, you will hear about it from some sub-set of those scanned. Is it worth your time to investigate these events? You (or your boss, or his boss) will get emails and calls. Is it worth your boss's time?
When I have reported port-scans I have gotten thanks from the sysadmins of the systems because that was the first warning that their system was compromised. Unless I've been notified of it beforehand, I look at all port scans suspiciously, and I would be very happy to hear from someone detecting a scan from my network. New exploits are being developed all the time - you can't be up to date on everything, all the time.
If you're secure, then a portscan won't make a difference to you; the scan will be detected, the packets will be dropped, and life will go on. A *single, one pass* scan isn't abuse.
Go back ten years, and you'll hear the same discussion about wardialing. If, in the process of calling all the numbers in an exchange, I happen to hit your phone number, the worst that will happen is that you'll answer and I'll hang up. If someone called my phone company because I called them *once*, should my phone line be disconnected?
"Intent!" someone screams from the back..."You're going to h4x0r me!" Maybe, maybe not. But if your machines are secured, why are you so worried?
Today's h4x0rs are tomorrow's network engineers who have been playing with the internet their entire lives...
Karma only matters to me now and zen.
-- Life is short. Forgive quickly. Kiss slowly. ~ Robert Doisneau
Well, my post was kinda OT, but no problem - I'm not a karma whore, so I don't really care.
Thanks to everyone who responded - right now I am running a Win95 box set up as a proxy/firewall server, using AnalogX proxy and ZoneAlarm for the FW (it's my GF's box, ok? I plan on doing a Linksys router/NAT combo soon anyhow). I probably wouldn't run a server on this box, due to security issues - heck, I am nervous about the proxy/FW combo I chose, but I needed something cheap, and they did the trick, plus they seemed to be pretty highly recommended, and easy to set up.
Eventually I will move to the Linksys device (or set up an imasq Linux box, once I get the skills) - then I will think further about this server thing - however, the info you guys provided has eased my mind a bit. Thank you!
Reason is the Path to God - Anon
Pretty much wherever you go, ignorantia juris neminem excusat, I'm afraid. Everyone is presumed to know the law, except judges, who have the Court of Appeal to correct their mistakes. (This is a lawyer joke. And my colleagues wonder why they have no non-lawyer friends).
-- AndrewD
A Maze of Twisty Little Laws, All Different.
The big question that determines whether portscanning is good or bad is the INTENT of the person performing it.
Now, let's look at it from a sysadmin's perspective:
Someone is scoping my system to see what I have available.
They are doing this without invitation.
They are doing this without telling me.
Now, from MY point of view, this is cause for alarm. People here are saying "It's not that big a deal" - but it IS.
There are two possibilities that are being tossed about here: someone is just doing it because they feel like it, and they have no ill intent.
The other option is that it's someone scoping my network because they want to break in.
Well, since I don't really KNOW what the intent of the person doing the scanning is, which one is the best to choose from?
Pretty easy answer: If someone is scanning me, they want to break in, and I'll do whatever is necessary to stop them.
We notice portscans quite often, as we have boxes on most of our collision domains that detect such activity.
But we do a tad more than "notice".
The large majority of these port scans end abruptly when our machines respond with a series of well-known attacks, proving that the script kiddies can dish it out, but they can't take it.
The small number of scans that continue after an automated response get exactly the sort of personal service and assistance they deserve.
We do no permanent damage, but we do respond in a manner designed to both halt the packets and deliver a clear message.
What's WRONG with portscanning? Nothing, as long as you portscan a network you OWN, where such activity may have value to you as an admin. Ever.
That's our job, and we don't need any "help".
And what's wrong with our response to portscanning?
Also nothing. We noticed unauthorized use of our expensive network resources, and halted it in the most humane manner possible.
Science is the art of infallibility, perpetrated upon non-scientists
I've been portscanned numerous times on a cable modem connection - but in tracing the IP back to the ISP, I often find their AUP/TOS doesn't have a contact email for reporting such abuse.
What does everyone use to reach a responsible human being at the portscanner's ISP? Is postmaster@isp.com acceptable in a case like this?
Recently scanning became an issue at one of my clients. They're a big firm that handles financial information online. They have a number of sub-companies all with different IS groups/policies.
It turned out that they were getting hit by an extremely large number of probes by one of the local universities (and for this client to notice it's a LOT of probes.) A polite email was sent to the regular addresses requesting that the activity be halted. No response. As it continued a phone call was made - nobody at the school was willing to take the message. Ok. A letter was sent and they simply cut off the school's block of IP addresses from all access inbound & outbound.
Two things happened. A few days later my client got a call from the school's Financial Dept - apparently they used some of the client's services and after some confused research discovered that they couldn't access them and the trouble was at the financial services co's end. As the school was using free services my client simply responded (after running it past the appropriate depts.) that the school was being blocked - and why. Apparently this caused some internal reaction at the school.
At the same time the client had some graduates of the school working for them, as well as a number of the faculty. They also discovered they couldn't access the school & vice-versa. This also caused a reaction and after some rumors and many calls to the internal support desk an email was sent out internally explaining why they were blocking access to the school. BTW all the while the probes were still getting worse and had they been getting through would have been starting to impact some services in a small way.
Apparently someone finally mentioned this to the President of the school (likely over golf.) Apparently he didn't like the fact that my client was blocking his school, nor that they had notified their employees that they were doing so nor that the school had been portrayed as unresponsive (the company did have a receipt for the certified letter at this point & no one had ever returned any message.)
Shortly thereafter the probes stopped abruptly. The client also got a couple of very nice letters from the school asking them to stop blocking them and implying the school would like them to let their employees know that the school wasn't a bunch of louts (not a rep. most schools want for their graduates apparently.) I also heard through the grapevine that some staff at the school got in some very hot water for neither overseeing the school's network activities nor for responding to complaints and their ensuing fallout.
So - what are the results of probing others' sites? Well in this case a bad reputation & an upset school administration. There's also been a new set of policies put in place at the company regarding folks from the schools and the access they have to the systems. Essentially they're now almost a suspect class and a re-evaluation is taking place of giving these folks access to proprietary information the client has. This will of course limit exposure on the client's side but also unfortunately dramatically limit what the interns, co-ops & part-timers can do (& learn about) at the company.
Finally there is still somewhat of a bad impression of the school for the whole thing. Indeed the school had been trying to get my client to buy into some net-based telecourses but my client's IS staff decided they simply didn't want to deal with the school's IS staff and kiboshed the idea (I believe it was 'bandwidth reliability concerns'.)
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.