What's Wrong With Port Scanning?

Sneezer asks: "I work for the department at my university which provides network connectivity for students living in the residence halls. We are currently wrestling with revising our Acceptable Use Policy. We occasionally get complaints from other sysadmins complaining that one of our IPs has port scanned one of their servers. In trying to decide what our policy should be in dealing with residents who play with port scanners, we have come to wonder why so many admins get so uptight about being scanned. Also, could we or should we be held accountable for an intrusion if we were informed that the intruder had been conducting port scans before, but we hadn't intervened?" I feel port-scanning is similar to looking at a house. Looking is OK as long as you don't try to break-in. But as in all things, there is a fine line...the trick is figuring out when it's been crossed.

Port scanning CAN be benign; but not in most cases

[satch89450]

Port scanning has its uses, but by a very limited number of people. Let's look at a few examples:

A number of ISP netadmins use port scanning to detect the presence of publically-offered services--the netadmin can then perform tests of those services to ensure they don't become smurf amplifiers or security holes. @Home looks for servers that operate in defiance of their Terms of Service (perhaps too hard). ORBS uses limited port scans to detect and document open mail relays.

Within corporate networks, netadmins regularly scan inside IP addresses looking for security holes -- particularly of publically accessible servers. Services offered are correlated with lists of possible problems, and the software examined to apply appropriate patches.

Some research depends on Internet-wide port scans to further worthwhile projects. For example, the "fingerprinting" of public servers provide statistics of what software is being used. A mapping project sponsored by NASA generates a sample of "working" systems by using a limited port probe -- I see this all the time in my firewall logs and traced down the project to find out just what was going on. (At some point, I will update my firewall filters to pass through the well-identified IP addresses of this activity, so that their research will reflect reality a bit better.)

Unfortunately, the good works that honest researchers (both pro and amateur) do is far outstripped by the number of people who use the "burgler tools" indiscriminately, or for nafarious purposes. Mass fingerprinting identifies systems ripe for root/admin compromise, or for potential denial of service if the wish arises to do so.

Another commenter said that [paraphrase] "a person checking doors to see if they are locked is suspicious in and of itself": it depends on who is doing the knob-rattling, and whether I know about it beforehand. Port scanning is just that, "knob-rattling." Most firewall appliances and software sold today will detect and block even "stealth" scans of their assigned IP addresses. As they should.

The sad part is that people who run port scanners are considered guilty until proven innocent of trying to commit an unsocial act. AS THEY SHOULD BE. This posture makes sense, because port scanning, like UCE/UBE, uses resources that the user of the port scanning software isn't paying for, and in all too many cases isn't desired by the receiver of the scan packets.