What's Wrong With Port Scanning?
Sneezer asks: "I work for the department at my university which provides network connectivity for students living in the residence halls. We are currently wrestling with revising our Acceptable Use Policy. We occasionally get complaints from other sysadmins complaining that one of our IPs has port scanned one of their servers. In trying to decide what our policy should be in dealing with residents who play with port scanners, we have come to wonder why so many admins get so uptight about being scanned. Also, could we or should we be held accountable for an intrusion if we were informed that the intruder had been conducting port scans before, but we hadn't intervened?" I feel port-scanning is similar to looking at a house. Looking is OK as long as you don't try to break in. But as in all things, there is a fine line... the trick is figuring out when it's been crossed.
What's wrong with walking along a corridor trying all the doors you see?
A number of ISP netadmins use port scanning to detect the presence of publicly offered services--the netadmin can then perform tests of those services to ensure they don't become smurf amplifiers or security holes. @Home looks for servers that operate in defiance of their Terms of Service (perhaps too hard). ORBS uses limited port scans to detect and document open mail relays.
Within corporate networks, netadmins regularly scan inside IP addresses looking for security holes -- particularly of publicly accessible servers. Services offered are correlated with lists of possible problems, and the software examined to apply appropriate patches.
Some research depends on Internet-wide port scans to further worthwhile projects. For example, the "fingerprinting" of public servers provides statistics of what software is being used. A mapping project sponsored by NASA generates a sample of "working" systems by using a limited port probe -- I see this all the time in my firewall logs and traced down the project to find out just what was going on. (At some point, I will update my firewall filters to pass through the well-identified IP addresses of this activity, so that their research will reflect reality a bit better.)
Unfortunately, the good works that honest researchers (both pro and amateur) do are far outstripped by the number of people who use the "burglar tools" indiscriminately, or for nefarious purposes. Mass fingerprinting identifies systems ripe for root/admin compromise, or for potential denial of service if the wish arises to do so.
Another commenter said that [paraphrase] "a person checking doors to see if they are locked is suspicious in and of itself": it depends on who is doing the knob-rattling, and whether I know about it beforehand. Port scanning is just that, "knob-rattling." Most firewall appliances and software sold today will detect and block even "stealth" scans of their assigned IP addresses. As they should.
The sad part is that people who run port scanners are considered guilty until proven innocent of trying to commit an unsocial act. AS THEY SHOULD BE. This posture makes sense, because port scanning, like UCE/UBE, uses resources that the user of the port scanning software isn't paying for, and in all too many cases isn't desired by the receiver of the scan packets.
The difference is that you can give yourself permission to scan your own box and your friend can give you permission to scan his.
Scanning without permission is being a very poor neighbor.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
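The "limited port probe" and "scan your own box" points above, as an added example that is not code from the poster or from any of the projects named: a TCP connect scan restricted to a handful of service ports and to an allowlist of hosts the operator is permitted to scan, with a banner grab so a listening SMTP or SSH daemon identifies itself. The allowlist, the port list and the in-process listener that stands in for a mail relay are all assumptions constructed for the example.

```python
"""Limited TCP connect scan with banner grab, restricted to permitted hosts.

Added example; the allowlist, port set and fake listener are constructed
for illustration and are not part of the original discussion.
"""
import socket
import threading

# Hosts this scanner may touch.  Hypothetical: in practice this is the
# address space you own or have written permission to test.
PERMITTED_TARGETS = {"127.0.0.1", "::1"}

# A handful of publicly offered service ports (SMTP, DNS, HTTP, HTTPS).
DEFAULT_PORTS = (25, 53, 80, 443)


def probe(host, port, timeout=1.0):
    """Connect-scan one TCP port and return (state, banner).

    state is 'open' (handshake completed), 'closed' (RST received) or
    'filtered' (no answer before the timeout).  If the service volunteers a
    greeting, as SMTP and SSH do, the first bytes are returned as the banner.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", ""
    except OSError:          # includes socket.timeout
        s.close()
        return "filtered", ""
    try:
        banner = s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        banner = ""
    finally:
        s.close()
    return "open", banner


def limited_scan(host, ports=DEFAULT_PORTS):
    """Scan only a permitted host and only the listed ports; refuse otherwise."""
    if host not in PERMITTED_TARGETS:
        raise PermissionError(f"no permission to scan {host}")
    return {port: probe(host, port) for port in ports}


def start_fake_smtp():
    """Constructed stand-in for a mail relay on this box.

    Binds an ephemeral port on 127.0.0.1, answers every connection with an
    SMTP-style greeting, and returns the port number it was given.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.sendall(b"220 mail.example.test ESMTP\r\n")
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def reserve_closed_port():
    """Bind and immediately release an ephemeral port so it is almost
    certainly closed when probed a moment later (constructed test aid)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    relay = start_fake_smtp()
    for port, (state, banner) in limited_scan("127.0.0.1", (relay, 25)).items():
        print(f"{port:5d} {state:8s} {banner}")
```

A connect scan completes the handshake, so it is the noisy, easily logged kind of probe; the point of the allowlist check is that the scanner itself refuses to run against anything the operator has not been given permission for.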
To borrow a commonly used metaphor: Port scanning is akin to looking at all the windows of a house to see which ones don't have their curtains drawn. While this behavior is certainly rude, it is not inherently evil.
Much more suspicious are probes of specific ports for daemons known to have vulnerabilities. Most crackers/kiddies don't run full scans against hosts. They choose a handful of ports and check those to determine if there is something listening there and more importantly what version of that daemon is listening there. This is the behavior that is akin to checking to see if the windows are locked.
Port scanning of the first type shouldn't get any seasoned admin's hackles raised - every host connected and available is going to get scanned eventually.
Port scanning of the second type shouldn't get any seasoned admin's hackles raised either - as long as they've taken proper security measures (Mr. Cracker/Kiddie's scanner will simply log the host as "not vulnerable" and move on). Furthermore, since such probes will either be stealthed or blend in with normal traffic, it is unlikely that they will even be noticed.
What does raise my hackles is when a host gets scanned over and over and over and over within a very short period of time from the same source. Such behavior, while not a DoS attack, can be resource-intensive on the target and is very rude. But there again, it is not suspicious per se because it is most likely indicative of a certain degree of cluelessness on the part of the scanner.
The bottom line to me is that port scanning happens but it is nothing to worry about as long as proper and normal security precautions have been taken anyway beforehand and continue to be taken as exploits emerge.
The admins that complain to the source network about port scans are worried about the wrong things, or worse want someone else to be responsible for their own security.
As for liability, who knows. Common sense would dictate that A) The target is responsible for their own security, and B) The source is responsible for their own actions. But since when has common sense borne any resemblance to the law, especially in the context of a civil suit?
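The three kinds of scan the comment above distinguishes (the broad "which curtains are open" sweep, the handful-of-daemon-ports "are the windows locked" probe, and the same source hammering a host over and over in a short time) are easy to tell apart from firewall logs once hits are grouped by source address. The following is an added example, not code from the commenter: the log line format, the set of "high-value daemon" ports and the thresholds are all assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Classify port-scan behaviour in firewall logs by source address.

Added example; the log format, port set, thresholds and sample lines are
constructed for illustration and are not from the original discussion.
"""
import re
from collections import defaultdict

# Ports where a listening daemon is a plausible exploit target (assumption).
HIGH_VALUE_PORTS = {21, 22, 23, 25, 53, 80, 110, 111, 143, 443, 513, 514, 515}

# Constructed log format: "t=<epoch> src=<ip> dst=<ip> dpt=<port>".
LINE_RE = re.compile(r"t=(?P<t>\d+) src=(?P<src>[\d.]+) dst=[\d.]+ dpt=(?P<dpt>\d+)")


def parse(lines):
    """Yield (timestamp, source, dest_port) for lines matching LINE_RE; skip the rest."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield int(m["t"]), m["src"], int(m["dpt"])


def classify(events, sweep_ports=10, repeat_factor=3, window=300):
    """Return {source: (label, hits, distinct_ports)}.

    single     - one hit; more likely a stray connection than a scan
    hammering  - the same ports hit repeat_factor times or more within `window`
                 seconds: rude and resource-intensive, the case that raises hackles
    sweep      - at least sweep_ports distinct ports: the broad look at the house
    targeted   - a few hits, all on high-value daemon ports: the lock check
    """
    by_src = defaultdict(list)
    for t, src, dpt in events:
        by_src[src].append((t, dpt))

    result = {}
    for src, hits in by_src.items():
        ports = {p for _, p in hits}
        times = [t for t, _ in hits]
        span = max(times) - min(times)
        if len(hits) == 1:
            label = "single"
        elif len(hits) >= repeat_factor * len(ports) and span <= window:
            label = "hammering"
        elif len(ports) >= sweep_ports:
            label = "sweep"
        elif ports <= HIGH_VALUE_PORTS:
            label = "targeted"
        else:
            label = "unclassified"
        result[src] = (label, len(hits), len(ports))
    return result


# Constructed sample log: one sweeper, one targeted prober, one hammerer,
# one stray connection and one unrelated line the parser must ignore.
SAMPLE_LOG = []
SAMPLE_LOG += [f"t={1000 + i} src=198.51.100.7 dst=10.0.0.5 dpt={i + 1}" for i in range(30)]
SAMPLE_LOG += [f"t={2000 + i} src=203.0.113.9 dst=10.0.0.5 dpt={p}"
               for i, p in enumerate((21, 23, 25, 110, 111))]
SAMPLE_LOG += [f"t={3000 + 2 * i} src=192.0.2.44 dst=10.0.0.5 dpt={p}"
               for i in range(15) for p in (22, 80)]
SAMPLE_LOG.append("t=4000 src=192.0.2.200 dst=10.0.0.5 dpt=443")
SAMPLE_LOG.append("Jan  1 00:00:00 fw kernel: link up on eth0")


def report(lines=SAMPLE_LOG):
    """Classify every source seen in the given log lines."""
    return classify(parse(lines))


if __name__ == "__main__":
    for src, (label, hits, ports) in sorted(report().items()):
        print(f"{src:15s} {label:12s} hits={hits:3d} ports={ports}")
```

The ordering of the checks is deliberate: repetition within a short window is tested before breadth, so a source that re-sweeps the whole port range every few seconds is reported as hammering rather than as a harmless sweep. A practitioner would tune the thresholds to their own log volume; the values here are only illustrative.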
Bandwidth ain't free. We all know unsolicited email ain't nice, so why do we think unsolicited network packets ARE nice?