What's Wrong With Port Scanning?
Sneezer asks: "I work for the department at my university which provides network connectivity for students living in the residence halls. We are currently wrestling with revising our Acceptable Use Policy. We occasionally get complaints from other sysadmins complaining that one of our IPs has port scanned one of their servers. In trying to decide what our policy should be in dealing with residents who play with port scanners, we have come to wonder why so many admins get so uptight about being scanned. Also, could we or should we be held accountable for an intrusion if we were informed that the intruder had been conducting port scans before, but we hadn't intervened?" I feel port-scanning is similar to looking at a house. Looking is OK as long as you don't try to break in. But as in all things, there is a fine line... the trick is figuring out when it's been crossed.
Port Scanning (Score:3)
looking versus opening (Score:1)
But isn't port scanning akin to trying all the doors and windows on the house, to see which ones are open? Say I come by and try to open all your house's doors and windows, then find some are unlocked. So what if I never actually enter your house - simply my checking all your doors and windows would probably bother you. I know it would me. Let me put it this way: if you try that on my house, get ready to meet my Glock. Likewise with my computer.
I think the people complaining are probably doing so because there isn't any reason to port scan someone else's computers except to determine a way to break in to those computers. Please let me know if you can think of any reason such activity would be legitimate.
Port scanning CAN be benign; but not in most cases (Score:4)
A number of ISP netadmins use port scanning to detect the presence of publicly offered services--the netadmin can then perform tests of those services to ensure they don't become smurf amplifiers or security holes. @Home looks for servers that operate in defiance of their Terms of Service (perhaps too hard). ORBS uses limited port scans to detect and document open mail relays.
Within corporate networks, netadmins regularly scan inside IP addresses looking for security holes -- particularly of publicly accessible servers. Services offered are correlated with lists of possible problems, and the software examined to apply appropriate patches.
Some research depends on Internet-wide port scans to further worthwhile projects. For example, the "fingerprinting" of public servers provides statistics of what software is being used. A mapping project sponsored by NASA generates a sample of "working" systems by using a limited port probe -- I see this all the time in my firewall logs and traced down the project to find out just what was going on. (At some point, I will update my firewall filters to pass through the well-identified IP addresses of this activity, so that their research will reflect reality a bit better.)
Unfortunately, the good works that honest researchers (both pro and amateur) do are far outstripped by the number of people who use the "burglar tools" indiscriminately, or for nefarious purposes. Mass fingerprinting identifies systems ripe for root/admin compromise, or for potential denial of service if the wish arises to do so.
Another commenter said that [paraphrase] "a person checking doors to see if they are locked is suspicious in and of itself": it depends on who is doing the knob-rattling, and whether I know about it beforehand. Port scanning is just that, "knob-rattling." Most firewall appliances and software sold today will detect and block even "stealth" scans of their assigned IP addresses. As they should.
The sad part is that people who run port scanners are considered guilty until proven innocent of trying to commit an unsocial act. AS THEY SHOULD BE. This posture makes sense, because port scanning, like UCE/UBE, uses resources that the user of the port scanning software isn't paying for, and in all too many cases isn't desired by the receiver of the scan packets.
I guess it depends (Score:2)
It depends. Here's an example: Here in Texas, it's a state law that if you LOOK into someone's car, you can be arrested for attempted burglary. That's right - if you are walking through a parking lot, see something interesting on the front seat of a parked car, and stop to look at it, you can be arrested for attempted burglary. The theory is that even looking into the car is none of your business and to do so means that you have actually begun the process of committing a burglary.
So there are lots of people who think, in plenty of contexts other than just network administration, that engaging in actions that are a necessary precursor to a crime is the equivalent of beginning to commit that crime. The question, of course, is where do you draw the line.
"There should be no fair use. Quoting is just a form of piracy."
"He was reading a magazine about guns. Convict him of murder! Quick! Before he gets a chance to actually do it!"
There are even people who take this to the most ridiculous extreme:
"Of course all men are rapists. Why else would they be born with the tools to do the crime?"
Now, port scanning is in one of those grey areas. It's not bad in and of itself, but it is often a precursor to bad things. So people tend to mix it up with the acts that often follow. Don't blame them. That sort of fuzzy thinking happens all the time, as the examples above illustrate.
This is my response to the original question of "Why do people get so upset?" Frankly, I haven't a clue as to how to deal with them. They have a point. You have a point. And if you try to decide who's right (since both sides have valid positions), you wind up having to sacrifice reason and truth to make a decision.
Good luck. This is the sort of conundrum that makes life interesting.
Port scanning can nuke services (Score:2)
Mike
Re:looking versus opening (Score:1)
When one of my production servers gets scanned, I reverse scan them for a fingerprint and to try and determine if they are a box that got hacked ( usually solaris with rpc running
Re:looking versus opening (Score:3)
Scanning without permission is being a very poor neighbor.
Legality? (Score:2)
Most anti-cracking laws (no, I haven't done a formal comparative exercise, nor am I likely to) work on the basis that causing someone else's machine to execute any instruction without you being authorised to do it constitutes a crime.
Port scanning without asking is certainly rude, but there's no way of knowing that you're not allowed to do it - the mere fact that the system is connected to a public network is enough that you can assume it's OK to scan. Doing it after you've been asked not to is potentially a crime (check local law for details).
I guess the answer in most places is that if you've got a legitimate reason to do it, ask first. If you have got a legitimate reason, it should be OK, no? If there's good reason for refusal and the admin you're asking gives it, everyone's happy. This is more of a good manners point than a legal one, though: local laws may or may not make unannounced scanning Bad and Wrong, or require something over and above execution of code to make up the offence of Cracking.
When administering students' access, I guess the thing to do is make damned sure that port scanning leaves an audit trail, so that when you get Mr Angry on, you can pass on the complaint to the guilty party. Ignoring that kind of warning and scanning the same target again should certainly be contrary to a fair use policy: whether you want to go further and maintain a list of People Who Complain About Port Scans that users are required to consult before starting a scan depends on what the administrative overhead of maintaining the list will be against the overhead of dealing with repeat complaints.
The answer really depends on what you regard as good administrative practice in relation to an activity that annoys third parties. As to your potential liability, ask someone at the university's law faculty for a few pointers: I guarantee you won't hear a dull word in response (some or all of this sentence is intended to be construed as humour). There's certainly enough in what you say and in what people have been posting here to ring a few alarm bells in my mind about what you ought to be doing, if only at the good-neighbourliness level.
Re:looking versus opening (Score:1)
There's no reason to portscan someone without their prior permission.
(And I can't believe you euros would criticize our "make my day" laws here in the US!
Re:Port scanning CAN be benign; but not in most ca (Score:2)
To continue this analogy to ridiculous extremes, in the good old days when cops walked a beat, they would often walk down the street checking door knobs to make sure shops had remembered to lock up, and to make sure nobody had unlocked the door since the shop keepers had gone home. A white-hat port scanner could be placed in that category. Nobody would have objected to that cop doing that door knob checking. But if a stranger was walking down the street checking door knobs, you'd be damn suspicious, and rightly so. And anybody who port scans without either asking my permission or having a web page up describing the purpose of their scanning is violating my privacy and will be treated like a potential intruder.
--
A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.
Re:Port scanning can nuke services (Score:1)
I haven't heard of any service damaged by a portscan before... Sounds like it was expecting only perfect communication from one trusted source. Not a good model on a network.
Re:looking versus opening (Score:2)
I agree. But it's still a big step from being a nasty neighbour or complete bastard to being a criminal.
//rdj
Re:looking versus opening (Score:1)
My point about the gun thing was that if you are trying the windows and doors of my house, chances are very high that you are going to then enter my house. As soon as you do that, I can legally pull my gun on you for my own protection - you are trespassing on my property.
Same goes for my computer. If you are scanning my computer (as has been pointed out: without my permission), chances are good you are attempting to locate an open "door" through which to enter my computer. Don't expect me to respond kindly.
Re: I guess it depends (Score:2)
> Here in Texas, it's a state law that if you LOOK into someone's car, you can be arrested for attempted burglary.
Dude, in Texas, Bush can *fry* you for looking in someone's car.
InitZero
Wrong question: What's right about port scanning? (Score:2)
There are legitimate reasons to port scan someone.
However, you need to ask why any student would port scan from his own computer. If it is for research, then his department (CS most likely) should provide the machine.
For many students I would guess that if their machine is port scanning someone, that means that the machine is compromised and a remote cracker is looking for more holes.
IMHO, the last point is the one you should consider most likely.
A hypothetical situation. (Score:2)
My home ISP changed ownership last week, and I haven't looked at the new T&Cs in detail to see if this affects this one.
keep cool, send FYI to remote admins (Score:2)
Chances are, if an admin knows their machines were scanned, they're probably not going to have a problem anyway. By notifying the admin on record for a domain the scan originated from, they might be doing that other admin a favor if the scan looks very suspicious. More suspicious than pings or searches for common ports (even if those ports are often exploitable) like ftp, SMTP, POP3, NFS, etc.
I think an admin should alert that other admin when scans are looking just for common "cracker" ports like 31337. The chances that the scanner is up to no good are much higher.
Now if the scanner also tries to connect to an open port like ftp or telnet, that's already more serious but I still wouldn't send an email unless the attempted connections are coming from root and the hostname doesn't look like a commercial ISP (email admin when the remote client is from research.hi-techu.edu, not 28-128-dhcp.isp.com). Again, it doesn't improve my security, but it alerts the other admin that there's likely a security problem on their network.
Of course if any activity gets to the point that it truly interferes with service or a particular host is wasting your time because of all the log records, then an admin should alert the remote domain and expect action.
Overall I think a zero tolerance policy just wastes an admin's time and doesn't really improve anyone's security.
Re:Port scanning CAN be benign; but not in most ca (Score:1)
Sure port scanning is suspicious behaviour and the scanner may very well try to break into your computer. So what? You keep your machine secure by configuring it and installing software to make it so, not by crying wolf every time a "stranger's" packet comes knocking at your door.
How should a potential intruder be treated anyway? How would you treat other potential criminals?
Rude and suspicious, but nothing to worry about. (Score:3)
To borrow a commonly used metaphor: Port scanning is akin to looking at all the windows of a house to see which ones don't have their curtains drawn. While this behavior is certainly rude, it is not inherently evil.
Much more suspicious are probes of specific ports for daemons known to have vulnerabilities. Most crackers/kiddies don't run full scans against hosts. They choose a handful of ports and check those to determine if there is something listening there and more importantly what version of that daemon is listening there. This is the behavior that is akin to checking to see if the windows are locked.
Port scanning of the first type shouldn't get any seasoned admin's hackles raised - every host connected and available is going to get scanned eventually.
Port scanning of the second type shouldn't get any seasoned admin's hackles raised either - as long as they've taken proper security measures (Mr. Cracker/Kiddie's scanner will simply log the host as "not vulnerable" and move on). Furthermore, since such probes will either be stealthed or blend in with normal traffic, it is unlikely that they will even be noticed.
What does raise my hackles is when a host gets scanned over and over and over and over within a very short period of time from the same source. Such behavior, while not a DoS attack, can be resource-intensive on the target and is very rude. But there again, it is not suspicious per se because it is most likely indicative of a certain degree of cluelessness on the part of the scanner.
The bottom line to me is that port scanning happens but it is nothing to worry about as long as proper and normal security precautions have been taken anyway beforehand and continue to be taken as exploits emerge.
The admins that complain to the source network about port scans are worried about the wrong things, or worse want someone else to be responsible for their own security.
As for liability, who knows. Common sense would dictate that A) The target is responsible for their own security, and B) The source is responsible for their own actions. But since when has common sense borne any resemblance to the law, especially in the context of a civil suit?
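The triage heuristics from the "keep cool, send FYI to remote admins" post and the one above, applied to constructed firewall DENY lines, as an added example that is not any poster's code: a one-off sweep is only logged, while probes of a named "cracker" port, repeated sweeps from one source, and targeted probes from an institutional rather than dial-up host get flagged for an FYI to the remote admin. The log format, field names, thresholds and time windows are this example's assumptions.

```python
"""Triage port-scan evidence from firewall DENY log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-style DENY line; the field names are this example's own.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) host=(?P<host>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<port>\d+)$"
)
BACKDOOR_PORTS = {31337}            # "cracker" port named in the thread
SWEEP_MIN_PORTS = 50                # distinct ports in one burst => full sweep
BURST_GAP = timedelta(seconds=60)   # silence longer than this ends a burst
REPEAT_WINDOW = timedelta(minutes=15)
REPEAT_MAX_SWEEPS = 3               # this many sweeps in the window => notify
DYNAMIC_HINTS = ("dhcp", "dsl", "dialup", "ppp", "pool", "cable")


def parse_log(text):
    """Return one event dict per matching line; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "src": m["src"], "host": m["host"],
                           "dst": m["dst"], "port": int(m["port"])})
    return events


def looks_dynamic(host):
    """Heuristic: does the reverse name look like an ISP address pool?"""
    h = host.lower()
    if h == "-":                    # no reverse DNS at all
        return True
    return any(k in h for k in DYNAMIC_HINTS) or re.search(r"\d+-\d+", h) is not None


def split_bursts(events):
    """Group one source's time-sorted events into bursts separated by BURST_GAP."""
    bursts, current = [], []
    for e in events:
        if current and e["ts"] - current[-1]["ts"] > BURST_GAP:
            bursts.append(current)
            current = []
        current.append(e)
    if current:
        bursts.append(current)
    return bursts


def triage_source(events):
    """Classify one source's events; returns (action, reasons)."""
    events = sorted(events, key=lambda e: e["ts"])
    ports = {e["port"] for e in events}
    host = events[0]["host"]
    reasons = []

    hit = sorted(ports & BACKDOOR_PORTS)
    if hit:
        reasons.append(f"probed known backdoor port(s) {hit}")

    sweeps = [b for b in split_bursts(events)
              if len({e["port"] for e in b}) >= SWEEP_MIN_PORTS]
    if (len(sweeps) >= REPEAT_MAX_SWEEPS
            and sweeps[-1][0]["ts"] - sweeps[0][0]["ts"] <= REPEAT_WINDOW):
        reasons.append(f"{len(sweeps)} full sweeps within {REPEAT_WINDOW}")

    if not sweeps and not hit and not looks_dynamic(host):
        # A few specific ports from a named institutional host: more likely a
        # compromised box on their side than a casual user, so worth an FYI.
        reasons.append(f"targeted probe of {sorted(ports)} from static host {host}")

    return ("notify", reasons) if reasons else ("log_only", ["routine scan traffic"])


def triage(text):
    """Map each source address to its (action, reasons) verdict."""
    by_src = defaultdict(list)
    for e in parse_log(text):
        by_src[e["src"]].append(e)
    return {src: triage_source(evs) for src, evs in by_src.items()}


def _lines(src, host, start, ports, dst="192.0.2.10"):
    """Build constructed DENY lines, one per second, for the sample log."""
    return [f"{(start + timedelta(seconds=i)).isoformat()} DENY src={src} "
            f"host={host} dst={dst} dport={p}" for i, p in enumerate(ports)]


# Constructed sample: hostnames and addresses are made up for the example.
T0 = datetime(2000, 6, 1, 10, 0, 0)
SAMPLE_LOG = "\n".join(
    _lines("10.0.0.5", "research.hi-techu.edu", T0, [21, 23, 31337])
    + _lines("10.0.0.9", "28-128-dhcp.isp.example", T0 + timedelta(minutes=1), range(1, 61))
    + sum((_lines("10.0.0.12", "dsl-44.isp.example", T0 + timedelta(minutes=5 * k), range(1, 61))
           for k in range(3)), [])
    + _lines("10.0.0.20", "pool-7.isp.example", T0 + timedelta(hours=1), [21, 25])
    + _lines("10.0.0.21", "admin.dept.example.edu", T0 + timedelta(hours=2), [21, 25])
)

if __name__ == "__main__":
    for src, (action, why) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:<12} {action:<9} {'; '.join(why)}")
```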
Re:Port Scanning (Score:1)
But going above the "public" low port numbers or testing for bugs is "rattling doorknobs" and you'd better have reason to be checking if a door is unlocked. If I don't have a link pointing to cgibin/test.pl then you have no reason to be looking for it.
Re:keep cool, send FYI to remote admins (Score:1)
Maybe they should have shut down the sysadmin instead.
Re:Wrong question: What's right about port scanning (Score:1)
It's silly to expect a department to provide a machine for any old project a student might do for a class or independent research project. Lab machines may not be configured to allow students to run the programs they want to run to do the scan unless port scanning was a task all students in a class were expected to use. Even if they have the equipment, the student may want to (or need to) run the scan during hours the lab is not open and may not have the ability to run it remotely. What if the student wants to use a software package for a research project and the department doesn't have a machine that it can be run on?
Let's not forget some folks pay for bandwidth (Score:3)
Re:Let's not forget some folks pay for bandwidth (Score:1)
The actual kilobyte size of a spammed message isn't the problem, it's the time one is forced to spend getting rid of it. Collectively spam is wasteful of bandwidth but on an individual basis the bandwidth waste is far less significant than the time waste. If you get so much spam that you can actually associate a bandwidth dollar amount to them, well, that's a lot of spam! I would consider arranging with an ISP or uplink some kind of filtering at their end so it doesn't cost more bandwidth. Of course such service will cost something but if it's less than what the bandwidth costs, it's a good idea.
Re:Port scanning CAN be benign; but not in most ca (Score:2)
Actually, for a while, I got into the habit of portscanning anyone who portscanned me, just to let them know I did it. As it turned out, I got a letter from @Home telling me that if I violate their terms of service again, they'd terminate my account. Since I didn't portscan anyone who didn't already do it to me, this means one thing:
Someone had the audacity to portscan me, then complain to @Home when I returned the favor!
As it turns out, any use of portscanners, valid or not, is against the TOS.
not just a problem with open source software (Score:1)
Not too impressive...
Re:looking versus opening (Score:2)
View my "nasty neighbor" comment as being reverse hyperbole. When you don't know your neighbors, even minor acts that violate your privacy reduce your security. On the Internet, everyone is a neighbor to everyone else, and almost everyone is a stranger to everyone else. University AUPs should promote good neighborliness on the net.
Plain and simple (Score:1)
If I want to be portscanned in the name of security, I'll go to dslreports.com and have them run a scan on my network. So, you and your script kiddies are relieved of that noble duty. Now, what's left? Nothing.
I'm not saying "throw the haxors in jail". But your policy should be no off-campus portscans (without written permission from staff). None. Do it, and your account is turned off until you have a meeting with (appropriate staff/dean). Whether you let them portscan on-campus computers is your choice.
Nobody at your university has any business portscanning my network.
Port Scanning and @Home (Score:1)
I know the TOS says that you can't run servers. I am not so uptight about the contract that I wouldn't try such a thing (it ain't like you are going to go to jail or something for doing it - yet...), but I wonder what would happen if I did?
Which ports does @Home scan? Only the low numbers? High numbers? Random? What if I ran a web server on say port 45830 - what are the chances I would be caught? Especially if the only traffic is myself (from my work or elsewhere)? What if I made you log into the server before letting someone through (so only I could get in)?
I would like to set up only a few servers - a web, ftp, maybe telnet as well - for my own personal use. Since I would be the only one using them, I would even be willing to put them on funky ports, instead of the common public ones.
Anybody have ideas or comments?
Re:Port Scanning and @Home (Score:1)
A friend of mine and I were talking about peer-to-peer apps (ala Gnutella or ICQ) and he said he was shocked to find out that ICQ listens on all sorts of ports, including 80 if it's available, for messages.
Apparently, the ICQ engineers wanted to try solving the "behind a firewall" problem of receiving inbound packets and chose commonly opened ports, incl. 80. So, I think it'd be tough to monitor on a home network like @Home because so many people use ICQ.
The obvious reason (Score:2)
The internet is a public network. Things that are public get used BY the public. One poster had a comment on Texas law stating that by looking in someone's car window, you have started the act of burglary. But that law does not mean that if you're looking in the windows of a city bus, that you then plan to steal that city bus.
The machine is private, the data is private, but anything connected to a switch and given internet access is fair game in my book.
xrayspx
Re:Port Scanning (Score:1)
There is a difference between checking if someone's door is wide open and wiggling the doorknob to see if it is unlocked.
Port scanning is more like the former: you look and see if someone's door is open or closed. The door might be open because someone wants you to come in, for instance port 80 at 64.28.67.48 (slashdot.org).
Wiggling the doorknob would be equivalent to checking to see if the sysadmin used 'god' as their password for 'root', or worse, simply doesn't have a password.
At least, that is how I see it.
Re:The obvious reason (Score:1)
If someone really needs to run portscans to "learn", they'll have no problem asking (and getting) permission. The AUP should say "no portscans without permission".
As far as legality, yes portscans are legal and should be. Fair game, indeed. Just because they are legal, though, doesn't mean they are acceptable (as in acceptable use policy). Spamming people is legal. The university should also frown upon that in their AUP.
Re:Port Scanning and @Home (Score:2)
However, be careful. Every server you have running is a potential security hole. You might think nobody cares about your box, or nobody will find it. I thought the same thing til my box was cracked (damn you wu-ftpd!). Keep up to date with the latest security exploits, keep your software up to date and monitor your logs.
Ahhhh! Enough with the analogies! (Score:2)
Almost every post on here uses some kind of analogy to show why port scanning is or isn't bad. Analogies are interesting, but ultimately useless in proving your point. Deal with the facts of the issue as they are. It's just like when record company execs say "downloading copies of songs is no different than walking into a store and stealing a CD." Yes, it is different. Deal with the facts as they are. Don't cling to analogies your mind has already come to terms with.
--jb
Portscanning metaphor (Score:1)
Alexander
CmdrTaco: can you please implement a spellchecker for the comments?
Of Portscanning, rudeness and BOFH's (Score:1)
It is folklore among sys admins that portscanning is the noisy preamble of a script kiddie attack.
Therefore, they usually install some kind of "port scanning" detection device for early warning.
A massive portscanning of such a site may trigger all kinds of alarms and notify the sys admin, who then has to check out what triggered the alarm.
I guess that at that point, the sys admin transforms into a BOFH. When he discovers that the portscanning came from a uni, he turns into an even more angry and paranoid BOFH, since unis traditionally have been known as script kiddies' co-los: lots of insecure unix boxes, and lots of bandwidth.
There is nothing wrong with portscanning, but the present climate makes it a rude thing to do, especially if it is a massive portscan (walking up and down every port on the entire IP segment).
I think it would be a fair "Acceptable Use Policy" to state that (massive) portscans without prior permission from the scanned site are a no-no. And if someone needs to play around with portscan tools (developing Netcraft-like mapping tools and such), they had better inform their own sys admin first.
Of course, such rules should only apply to (l)users; sys admins and other divine creatures know the craft, and should be allowed such things as portscanning when having a good cause (since they know the implications of portscanning, and take the heat anyway).
It must be said, though, that some sys admins seem to regard even the tiniest ping or trace as a full-scale attack on their network, or at least as a personal insult. That is too stuck-up an attitude, of course.
--
Regards
Peter H.S. (sys admin in spe)
Looking in NOT OK. (Score:2)
When I advertise my TCP services, that is a welcome mat, or an invitation for entry. Probing my system to find openings (even if you don't enter) is invasive and counter to decency.
Ergo, I report every TCP Port Scan of my systems to the proper authorities (ISPs, etc.). When I find someone running a SATAN-type scanner (more aggressive than just TCP port scanning) against my systems I report to legal authorities. Have a nice day.
Now hiring experienced client- & server-side developers
Re: Port Scanning (Score:1)
> machine to figure out what port certain
> services are supposed to run on.
Which was done with permission of the 'admin'.
That's like getting in a security firm to check your doors and windows. You are allowing them to check the security of the place. People doing this without authorisation are liable to be arrested...
Use Policy abuse at Cal Poly (Score:1)
I summarize some of the details below, but you can read all about it at the site his friends set up. FreePaul [freepaul.org] has details, transcripts, audio recordings, musings, and propaganda for you to enjoy.
Basically, Paul had a job in town doing admin work on some computers. He was working on those machines from his dorm room, and had to reboot them a few times (I don't know why. I do know he runs Linux on his personal box.), so each time they rebooted, the dynamically allocated IP was new. Meaning he had to find it again. He knew what range the IP would be in, so he scanned that range to find his machines. He did this, depending on who you believe, between four and a dozen times, over a day or three (again, conflicting stories). He then set up a script enabling the computer to email him with its IP when it reboots, so he didn't need to scan anymore. But someone had already complained.
Apparently, the school networking guys got a complaint from off-campus ("Hey, I'm being scanned by x.y.z.r on your campus. Do something!") and called up Paul, saying 'Don't do that anymore.' This was after Paul had set up the script, so he had no more reason to scan. School networking seemed OK with this, so it seemed everything was hunky-dory (um, that's slang for "just fine").
Then the school's Judicial Affairs department heard about it. And they started going after Paul with a vengeance. Paul wasn't told about certain rights he had in the process, rights declared in California State Law. Judicial Affairs violated State law in the course of the investigation and prosecution (Notice of Hearing was a big one). It seems like Judicial Affairs was trying to make an example of him. Even if all the accusations against him are true, JA still was out of line in the details of the prosecution of the case. I happen to believe that the charges aren't right, but even if they are, there has been a miscarriage of what I think of as Justice.
Now, how does this affect you, and your department's struggle with your Acceptable Use Policy? Be careful. Look at the mechanisms used to prosecute students who violate policies. If you think certain problems are minor compared to others (pinging isn't as bad as running BackOrifice on your professor's computer), try to put those judgements of relative harm into the policy as recommendations for punishments. The people who are now in charge of prosecuting students may be great people, kind, generous, wanting to help. But those people may leave, and the replacements may get on a power-trip, or may think that making a few 'examples' will "keep the little buggers in line". Do your best to make that very hard.
Good luck.
Louis Wu
"Where do you want to go ...
It happens to me (Score:1)
See, I can believe cracking attempts will always occur and that ISPs should not be responsible for them, in the same way that the law is not responsible for someone breaking it. However, if that person is identified as having made the attempted break-in, then surely they should be punished. In this instance I was providing documentary evidence which should tie up with their own access records.
Clearly the ISPs don't maintain those records. Maybe for issues of privacy, and if so, how does recording the time you spend online really affect your privacy?
I would have thought though that the ISPs in question would like to have shown their ability to respond to the issues concerned and in turn acted on them... Fat Chance.
So here I am. Still online, grepping my message log for DENY and user and access and waiting for the next attempt.
I think for the benefit of society some ports should be blocked if they have become associated with abuse. After a while we get down to the common methods of communication, and with that we can better patrol our networks.
Re:Looking in NOT OK. (Score:1)
Sure, why not, it's your time to waste. Get your jollies how you like 'em. I wish the folks local to me would do it by email instead of newsgroups (or that a newsgroup be set up *just* for that) but it's no big deal.
That's definitely someone looking to cause trouble (unless they got the IP wrong). I'd still go to your ISP and the offender's ISP first. The offender deserves to get their wrists slapped. If you get law enforcement involved straight off, you're either going to start annoying them (because it's gonna happen more than once) or, if an investigation actually gets anywhere, the process is going to get your time tied up. Again, it's your time.
Re:Port scanning CAN be benign; but not in most ca (Score:2)
There isn't anything "private" about the locked or unlocked state of your car door as with many cars it can be ascertained just by looking, but if I'm at the shopping mall and I see a guy testing car door handles, I'm going to tell mall security.
How should a potential intruder be treated anyway?
By denying them access even to services that others have a legitimate right to, like my mail, usenet and web servers. If I were as paranoid about security in practice as I am in theory, the first thing I would do if I saw a port scan would be to totally black hole every packet that came from that source, no matter what port or protocol.
--
A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.
Re:Plain and simple (Score:2)
I agree with you on the point that a student at the university probably has no reason to scan you. Though you're so adamant about it, I wonder if you're trying to hide something. Obscurity is not Security.
What I do not agree with is what you propose as a solution. Shutting down a user's account because it was used for a port scan is simply wrong. First, the owner of the account was most likely not the person responsible for the scan if they had any intent of cracking your computer. Second, even if the owner of the account was responsible for the scan, it might very well have been done by accident while trying to scan something else.
A policy such as you proposed would in no way stop scanning from student accounts. More likely, the policy would be used as a means of revenge by crackers against particular students.
Is the door locked? (Score:1)
Is port scanning looking, or is it turning the knob on the front door to see if it is locked? I'd get pretty uptight if I found someone standing on my front porch, if they had their hand on the door I'd be calling the cops.
In an academic environment I can think of valid reasons for legitimate port scanning on machines where the scanner had an account (you're there to learn, right?). I cannot think of a reason for someone to be port scanning a machine that they do not otherwise have access to, unless their intent is to crack the box. If someone is curious about how a machine is configured they can walk right up to most popular open ports and ask. Most protocols have ways to query the system (SMTP HELO for example). This is different than walking up and determining which ports are open. Maybe I'm trying to draw too subtle of a distinction here, so I'll try to give a concrete example. When I get spammed I check the headers and see where it came from. If it looks like someone has a machine open for relaying I'll telnet to port 25 and see if that is the case. If the machine is open I then send an email asking them to fix it. Is telnetting to port 25 port scanning? Not to me. That is walking up to the front door and knocking. Scanning all ports with nmap is walking up and rattling the doors and windows.
At the very least port scanning is rude. I feel that it is basically a threat to hack.
Re:Wrong question: Whats right about port scanning (Score:1)
Not to mention that research might be purely personal. I'm a mechanical engineering student, the CS department isn't going to provide me with tools and sanction to learn networking architecture, and it shouldn't have to.
I should be allowed to do personal network research. If I want to see how network tools work, and see what kinds of services can be run, I shouldn't need anyone's sanction to do so. I'm doing runtime research, why is that different from library research?
Louis Wu
"Where do you want to go ...
Re:Port Scanning and @Home (Score:1)
I've known several people who run servers on @home and none of them have ever got into any trouble. The bottom line is, it is against the TOS. You "could" theoretically lose your access. But I highly doubt it will ever happen. For me, I'm content running my servers on high numbered ports and redirecting them to the standard ports on the inside of my LAN. Considering I'm the only one who uses my servers, it shouldn't matter if I have to connect to some odd, high numbered port. I'm very doubtful that @home would scan all 65,000 ports on their 24/8 subnet.
I've heard rare cases of @home services (Media One I believe) redirecting inbound port 80 traffic to one of their own web servers, preventing you from running on port 80. That would be the _smart_ way to do it if you ask me. Then again, I don't think they're too smart.
Bottom line is unless they get a complaint or you're using an unreasonable amount of bandwidth, they have no reason to kick you off. You're paying your monthly bill and they probably don't want to spend the man hours enforcing some stupid TOS.
LiNT
Re:It happens to me (Score:1)
check out logcheck [psionic.com].
When I get portscanned... (Score:2)
Every time I get portscanned, I report it, and in one case, I received a very nice thank-you note from the site's admin, saying that the machine which did the scan had been compromised.
If you start allowing portscans from your network, you can expect complaints from me. If it happens too many times, then I'll complain to your ISP. I don't mean to sound threatening, but as an admin who has lots of other legitimate work that I could be doing, I hate having my time wasted by some script kiddie.
Re:Let's not forget some folks pay for bandwith (Score:1)
By that rationale, conserving water is a waste of time. Personally, I could only save a few hundred gallons each year if I'm careful.
That water savings mean only a couple bucks savings each year. Takes more time to conserve water than it's worth... so why bother?
-sid
Is it worth *your* time? (Score:2)
When I have reported port-scans I have gotten thanks from the sysadmins of the systems because that was the first warning that their system was compromised. Unless I've been notified of it beforehand, I look at all port scans suspiciously, and I would be very happy to hear from someone detecting a scan from my network. New exploits are being developed all the time; you can't be up-to-date on everything, all the time.
ramblings... (Score:2)
Go back ten years, and you'll hear the same discussion about wardialing. If, in the process of calling all the numbers in an exchange, I happen to hit your phone number, the worst that will happen is that you'll answer and I'll hang up. If someone called my phone company because I called them *once*, should my phone line be disconnected?
"Intent!" someone screams from the back..."You're going to h4x0r me!" Maybe, maybe not. But if your machines are secured, why are you so worried?
Today's h4x0rs are tomorrow's network engineers who have been playing with the internet their entire lives...
Re:I guess it depends (Score:1)
>>I seriously doubt that...States can pass whatever laws they want. Thank goodness the Supreme court can discard ridiculous laws (if indeed Texas has such a law).
That's a good observation and a reasonable extrapolation from common sense. Allow me to pontificate a bit and, hopefully, illustrate.
We had a flap in the newspapers here recently about a district attorney (in Brazoria county) who refused to prosecute some questionable cases. She caught hell from people who said "But you MUST prosecute! It's the law!"
One of the most telling commentaries on the whole fiasco was a statement from a local organization, The Public Official Oversight Forum, that read, in part: "Her critics do not understand that 85 percent of the 2000 or so laws passed by our Legislature every session do not pass constitutional muster. No officer of this state has any kind of ridiculous 'duty' to enforce an unconstitutional law." (For the whole story, check the last few issues at www.houstonpress.com.)
If something like this can make the mainstream press, please trust me when I say that we have such a law. It was even highlighted a few years ago when a "trap" car (I forget what they put in the front seat to make it so interesting to passers-by) was set up at a local beach and used by officers to establish probable cause for detaining people.
One last note - Last time I checked (and I admit to being totally out of touch with state politics for many years), here in Texas we have a part-time legislature that meets for 140 days every 2 years. It's always been a political cliche that the people would be better served if they met for 2 days every 140 years...
Security (Score:1)
Re:looking versus opening (Score:1)
Whats Wrong!!!??? (Score:1)
As far as the jiggle the door handle analogy goes: why would someone jiggle a door handle to see if it's open, unless they were planning on entering??!! If you don't have express consent to "peer in" from the owner, port scanning (or house peeping) is WRONG plain and simple.
Can anyone here honestly say that they WOULD NOT be offended by a stranger peeking into their bedroom window??? It's not much different!!
Come on people, it's wrong....and you know it!
One more analogy (Score:1)
Port scanning is more analogous to calling a repair shop and asking what services they will provide for your car.
port open="Why yes, Mr. Cronack, we do change oil."
port closed(or stealth)="Sorry, we don't do mufflers."
Re:One more analogy (Score:1)
I think port scanning is more like going into an auto shop and nosing around to see what equipment they have there, and then making a best guess as to what services they offer instead of asking. Asking gives the owner the OPTION of telling you what he thinks you should know.
What if you walk into the shop and open the chief mechanic's toolbox, to see what's in it?? You think he would mind?? My dad is a mechanic, he doesn't even like ME to look in his toolbox. Is he hiding something...no. It's his property and if he wants me in it, he will tell me it's OK. Regards
Another pesky analogy. (Score:2)
OT - Thanks to everyone! (Score:2)
Thanks to everyone who responded - right now I am running a Win95 box set up as a proxy/firewall server, using AnalogX proxy and ZoneAlarm for the FW (it's my GF's box, ok? I plan on doing a Linksys router/NAT combo soon anyhow). I probably wouldn't run a server on this box, due to security issues - heck, I am nervous about the proxy/FW combo I chose, but I needed something cheap, and they did the trick, plus they seemed to be pretty highly recommended, and easy to set up.
Eventually I will move to the Linksys device (or set up an imasq Linux box, once I get the skills) - then I will think further about this server thing - however, the info you guys provided has eased my mind a bit. Thank you!
Re:looking versus opening (Score:1)
Re:Let's not forget some folks pay for bandwith (Score:2)
- Someone stops me on the street, and says "Excuse me, do you know what the time is?"
They are wasting my time. They are wasting my resources.
- Someone scans my ports.
They are wasting my bandwidth. They are wasting my resources.
Should I be able to sue you for asking me what the time is?
Your point is entirely correct, but I think putting up with things that are inconvenient to us is part of living in a liberal democracy.
Re:It happens to me (Score:1)
A non-hypothetical situation. (Score:1)
Anyway, Earthspring's AUP prohibits portscanning and may even prevent the use of BO (which would also prohibit SMS and VNC, et al). When they brought this up in indoctrination, I freaked..
It turns out that they selectively enforce this rule (and some others) to get spammers and kiddies, but I don't like having it there at all.
There is something to the point that they can do whatever they want on their network, but it seems awfully restrictive when all a user buys from them is an IP and a mailbox
(This is the dialup AUP, which applies to ADSL too)
<ot rantlevel=moderate>
Then again these are the same guys who (get this)
shut off your email box when you go over their 5 meg quota
</ot>
anyway,
adric at ccactus dot com (has almost finished paying off ELNK from that fiasco)
In Canada.... (Score:1)
This makes perfect sense to me - the person doing the scanning is forcing *my* computer, that I own, to respond to their scans by updating my IPCHAINS rules to block them forever. I don't want to waste my processor time defending my system.
Does anyone know if this is illegal in the US? If so, we should start nailing every script kiddie to the wall - that will teach them to "probe" me...
Hangup phone calls (Score:1)
I think that portscanning is kinda like those annoying hangup phone calls - the ones that ring and ring until you pick up and say "hello". Then they hang up.
Dang the telemarketers.
Re:Ignorance != Innocence (Score:2)
Pretty much wherever you go, ignorantia juris neminem excusat, I'm afraid. Everyone is presumed to know the law, except judges, who have the Court of Appeal to correct their mistakes. (This is a lawyer joke. And my colleagues wonder why they have no non-lawyer friends).
Re:Looking in NOT OK. (Score:1)
And I've been party to a police investigation and cracker "takedown" once already. Rewarding and satisfying.
Time?
Now hiring experienced client- & server-side developers
INTENT (Score:2)
Now, let's look at it from a sysadmin's perspective:
Someone is scoping my system to see what I have available.
They are doing this without invitation.
They are doing this without telling me.
Now, from MY point of view, this is cause for alarm. People here are saying "It's not that big a deal" - but it IS.
There are two possibilities that are being tossed about here: someone is just doing it because they feel like it, and they have no ill intent.
The other option is that it's someone scoping my network because they want to break in.
Well, since I don't really KNOW what the intent of the person doing the scanning is, which one is the best to choose from?
Pretty easy answer: If someone is scanning me, they want to break in, and I'll do whatever is necessary to stop them.
What should one do when portscanned? (Score:2)
We notice portscans quite often, as we have boxes on most of our collision domains that detect such activity.
But we do a tad more than "notice". The large majority of these port scans end abruptly when our machines respond with a series of well-known attacks, proving that the script kiddies can dish it out, but they can't take it.
The small number of scans that continue after an automated response get exactly the sort of personal service and assistance they deserve. We do no permanent damage, but we do respond in a manner designed to both halt the packets and deliver a clear message.
What's WRONG with portscanning? Nothing, as long as you portscan a network you OWN, where such activity may have value to you as an admin.
Ever.
That's our job, and we don't need any "help".
And what's wrong with our response to portscanning? Also nothing. We noticed unauthorized use of our expensive network resources, and halted it in the most humane manner possible.
Re:looking versus opening (Score:1)
Why port scans are a Good Thing:
If I'm going to do business/trust someone, I need to check the security of their boxen.
I always run port scans on any "unknown" net company I'm dealing with. I once ran a port scan on a web hosting service a friend of mine was using, and it was wide open. He got a better provider, and my paranoia was further cultivated.
I figure one of two things can happen from port-scanning someone who doesn't expect it:
Yeah, right.
So I have to ask, if someone is a competent sys-admin, why be afraid of a portscan?
Texas, Curiosity, and The Cruel, Cruel World (Score:1)
first off, i'd like to thank everyone for their replies. you've given us some issues to think about.
now, if i may reply to a few ideas in the thread:
re: analogies :).
i have to agree with the poster who pointed out that we can analogy ourselves to death and never really accomplish anything. the Texas story about looking into cars made for interesting reading, though
re: valid uses
port scanning for the purposes of understanding the security of your box cannot be overrated. we've found lots of problems by playing with nmap (sendmail's listening on what port? portmap is still running on that debian machine?).
but as someone else pointed out (i'm far too lazy to assign credit; my apologies), how about just for the purpose of pure learning? most of us grew up (or are still growing up) hacking on computers. if the Internet had been as widespread when i was 11 as it is now, i'm sure i would have done a good deal of exploration and learned a lot about networks by doing it. as it is, i'm still trying to learn more and more about network infrastructure and good sysadminning practices and the like. learning by example and experimentation are some of the best ways to learn. and for someone who had less guidance in system administration than i first did, it might be the only way to learn anything at all.
how about port scanning as market research? not too long ago i used nmap on the primary webserver of a webspace provider my friends were thinking of using. the nmap showed me a default Redhat box, complete with telnet, linuxconf, lpd, and NFS running (and clearly not tcp wrappered or firewalled)! in this case, maybe i could have just asked the admin what she was running, but do you think she would have told me, even if she'd known? i'd wager she would have told me she was running apache and ColdFusion and whatever else she thought i might care directly about, but wouldn't feel the need to mention that her company used telnet for authentication. as it was, i strongly recommended my friends look elsewhere for a webspace company that had some competent sysadmins. unfortunately, my friends' webmaster thinks that ssh is only useful "if you run the government of a small nation," so my advice may go unheeded. and yes, i've tried edumakating this webmaster, but he's the one trying to write the site in ColdFusion, so...
what about port scanning out of idle curiosity? what if i'm sitting in my dorm room and i want to know what kinds of boxes are plugged into the local network? nmapping the subnet tells you all kinds of neat stuff. this is not something i need to do for any reason, but i also don't really see the harm in it. i personally would inform people if i found insecure services on their boxen, but i realize this doesn't apply to everyone.
what if i happen to go to a particular website a lot, and just sort of wonder what's kicking around under the hood? nmap slashdot.org and i now have more information than i did before. (slashdot might be a bad example since they publish most of their setup already, but this is all very pedantic anyway.) i'm well aware of what is said about curiosity and felines and grisly murder, but learning is nonetheless something i very much enjoy.
the harsh reality
this debate is very interesting, and i'm glad to have had it with a larger community than just my colleagues here. it seems that the comments are about evenly split between the "always bad" and "generally innocent" camps. the problem is that as long as there are "always bad" types out there, it will be hard for us not to have to deal with people who experiment with port scanners, because a complaint means someone has to look into it and deal with it. this means someone playing around and looking at stuff could generate a large amount of work for someone to deal with, which is bad, as all but a few of us are overworked students as it is (that is, all but a few of us are students; i'd wager that for all X where X is a student, X is overworked...but i digress).
anyway, i see this as an unfortunate state of affairs. i don't like having to institute a policy i don't agree with, but, to quote Radiohead (though it is uttered ironically in "fitter happier"), "Pragmatism Not Idealism."
hopefully this reply isn't too late to be viewed by a few of the discussion's participants. again, thanks for your thoughts.
tyler
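The "valid uses" point above (finding that sendmail or portmap is still listening on a box you administer) is easiest to act on if you compare scan results against a baseline of the ports you intended to expose. The following is an added example, not code from the original thread: it parses nmap's grepable (-oG) output and reports open ports that are not in an approved list, plus approved ports that are missing. The host addresses, hostnames and baseline are constructed for illustration.

```python
import re

# Constructed nmap -oG output for two hosts you administer (not real scan data).
# Grepable format: port/state/protocol/owner/service/rpc-info/version, comma-separated.
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 198.51.100.7 (www.example.test)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 25/open/tcp//smtp///, 80/open/tcp//http///, 98/open/tcp//linuxconf///, 111/open/tcp//rpcbind///\tIgnored State: closed (994)
Host: 198.51.100.8 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 110/closed/tcp//pop3///, 443/open/tcp//https///\tIgnored State: closed (997)
"""

# Assumed baseline (constructed): the only ports each host is meant to expose.
BASELINE = {
    "198.51.100.7": {(22, "tcp"), (80, "tcp")},
    "198.51.100.8": {(25, "tcp"), (443, "tcp"), (993, "tcp")},
}

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: {(port, proto): (state, service)}} from nmap -oG output.

    Lines without a Ports: field (comments, hosts with no open ports) are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        entries = {}
        for item in m.group("ports").split(","):
            fields = item.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            entries[(int(port), proto)] = (state, service)
        hosts[m.group("ip")] = entries
    return hosts


def audit(observed, baseline):
    """Compare observed open ports with the baseline for every host in the baseline.

    Returns {ip: {"unexpected": {"port/proto": service}, "missing": ["port/proto", ...]}}.
    Only ports in state "open" count; closed or filtered ports are ignored.
    """
    report = {}
    for ip, expected in baseline.items():
        open_ports = {key: val[1] for key, val in observed.get(ip, {}).items() if val[0] == "open"}
        unexpected = {f"{p}/{proto}": svc for (p, proto), svc in open_ports.items()
                      if (p, proto) not in expected}
        missing = sorted(f"{p}/{proto}" for (p, proto) in expected if (p, proto) not in open_ports)
        report[ip] = {"unexpected": unexpected, "missing": missing}
    return report


if __name__ == "__main__":
    for ip, result in audit(parse_grepable(SAMPLE_GREPABLE), BASELINE).items():
        for spec, svc in sorted(result["unexpected"].items()):
            print(f"{ip}: unexpected open port {spec} ({svc})")
        for spec in result["missing"]:
            print(f"{ip}: expected port {spec} is not open")
```

Run nmap against your own hosts with -oG and feed the file to parse_grepable; a service that appears in "unexpected" (telnet, linuxconf, rpcbind on the sample web host) is a candidate for shutting off or wrapping.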
So you want to report a portscan - WHO to contact? (Score:2)
I've been portscanned numerous times on a cable modem connection - but in tracing the IP back to the ISP, I often find their AUP/TOS doesn't have a contact email for reporting such abuse.
What does everyone use to reach a responsible human being at the portscanner's ISP? Is postmaster@isp.com acceptable in a case like this?
Port Scanning is NECESSARY!! (Score:1)
Re:looking versus opening (Score:1)
Get Locked Out (Score:2)
Recently scanning became an issue at one of my clients. They're a big firm that handles financial information online. They have a number of sub-companies all with different IS groups/policies.
It turned out that they were getting hit by an extremely large number of probes by one of the local universities (and for this client to notice it's a LOT of probes.) A polite email was sent to the regular addresses requesting that the activity be halted. No response. As it continued a phone call was made - nobody at the school was willing to take the message. Ok. A letter was sent and they simply cut off the school's block of IP addresses from all access inbound & outbound.
Two things happened. A few days later my client got a call from the school's Financial Dept - apparently they used some of the client's services and after some confused research discovered that they couldn't access them and the trouble was at the financial services co's end. As the school was using free services my client simply responded (after running it past the appropriate depts.) that the school was being blocked - and why. Apparently this caused some internal reaction at the school.
At the same time the client had some graduates of the school working for them, as well as a number of the faculty. They also discovered they couldn't access the school & vice-versa. This also caused a reaction and after some rumors and many calls to the internal support desk an email was sent out internally explaining why they were blocking access to the school. BTW all the while the probes were still getting worse and had they been getting through would have been starting to impact some services in a small way.
Apparently someone finally mentioned this to the President of the school (likely over golf.) Apparently he didn't like the fact that my client was blocking his school, nor that they had notified their employees that they were doing so, nor that the school had been portrayed as unresponsive (the company did have a receipt for the certified letter at this point & no one had ever returned any message.)
Shortly thereafter the probes stopped abruptly. The client also got a couple of very nice letters from the school asking them to stop blocking them and implying the school would like them to let their employees know that the school wasn't a bunch of louts (not a rep. most schools want for their graduates apparently.) I also heard through the grapevine that some staff at the school got in some very hot water for neither overseeing the school's network activities nor for responding to complaints and their ensuing fallout.
So - what are the results of probing others' sites? Well in this case a bad reputation & an upset school administration. There's also been a new set of policies put in place at the company regarding folks from the schools and the access they have to the systems. Essentially they're now almost a suspect class and a re-evaluation is taking place of giving these folks access to proprietary information the client has. This will of course limit exposure on the client's side but also unfortunately dramatically limit what the interns, co-ops & part-timers can do (& learn about) at the company.
Finally there is still somewhat of a bad impression of the school for the whole thing. Indeed the school had been trying to get my client to buy into some net-based telecourses but my client's IS staff decided they simply didn't want to deal with the school's IS staff and kiboshed the idea (I believe it was 'bandwidth reliability concerns'.)
Re:Port scanning CAN be benign; but not in most ca (Score:1)
And what about the person trying keys in all those car doors? I doubt he's just checking to make sure no one else can get into them.
Re:Whats Wrong!!!??? (Score:1)
Re:What should one do when portscanned? (Score:1)
That you are most likely shooting down compromised systems? Contacting the admin would be more appropriate if you want the attacks to stop, instead of just throwing dirt around.
Besides, an automated retaliation doesn't sound as satisfying as doing it manually. ;-)
Re:I guess it depends (Score:1)
Offtopic: What a bad choice, acronym wise...
If something like this can make the mainstream press, please trust me when I say that we have such a law. It was even highlighted a few years ago when a "trap" car (I forget what they put in the front seat to make it so interesting to passers-by) was set up at a local beach and used by officers to establish probable cause for detaining people.
Glad to see entrapment is still legal in some places. Not.
Re:looking versus opening (Score:1)
Portscanning often signals a compromised system (Score:1)
I used to watch a semi-major Internet site. We got tons and tons of scans against our web server. Soon I learned that at least one of the patterns seen *did* point to systems that were compromised. I likely would have never associated a scanning pattern as being related to a particular tool used on broken-into systems until I spotted an IP address from our hosting ISP scanning us. They quickly confirmed that the system I had seen was indeed compromised. I subsequently sent off a bunch of emails, some of which went to other quite significant players on the Internet that you would have never guessed would have poor security.
Telling someone that their system is portscanning often is not a threat. In my case, I wanted to warn other admins that I thought their systems had problems. If I had chased every portscanner we got, I never would have had time for anything else.
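Several posters above (the "boxes on most of our collision domains that detect such activity", logcheck, and this post's scanning patterns) rely on spotting a scan in firewall logs before deciding whether to notify the source's admin. The following is an added example, not code from the original thread or from logcheck: it reads iptables-style LOG lines, groups them by source address, and flags any source that hits at least N distinct destination ports within a sliding time window, so a single repeated SMTP connection is not mistaken for a scan. The log format, addresses and thresholds are assumed and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: syslog timestamp, host, then iptables LOG fields (SRC/DST/PROTO/SPT/DPT).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ SPT=\d+ DPT=(?P<dpt>\d+)"
)


def _log(clock, src, dst, dpt, spt):
    """Build one constructed log line (all fields invented for the sample)."""
    return (f"Mar  3 {clock} gw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO=TCP SPT={spt} DPT={dpt} WINDOW=1024 SYN")


# Constructed sample: a fast scan of 12 ports in two seconds, a slow one-port-per-five-minutes
# probe of 10 ports, and three ordinary SMTP connections from a third host.
SAMPLE_LOG = (
    [_log("02:14:%02d" % (7 + i // 6), "192.0.2.45", "198.51.100.7", 21 + i, 40211 + i) for i in range(12)]
    + [_log("03:%02d:00" % (5 * i), "203.0.113.200", "198.51.100.7", 21 + i, 51000 + i) for i in range(10)]
    + [_log("02:21:%02d" % (10 * i), "203.0.113.9", "198.51.100.7", 25, 52000 + i) for i in range(3)]
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that are not LOG entries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_scanners(lines, min_ports=8, window_seconds=60):
    """Flag sources that touch >= min_ports distinct destination ports within window_seconds.

    Returns {src: {"ports": [...], "targets": [...], "first": ts, "last": ts}}, which is
    the information an abuse report to the source's ISP needs.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dpt = parsed
            events[src].append((ts, dst, dpt))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()                # events inside the current time window
        port_hits = defaultdict(int)    # dport -> number of events in the window
        for ts, dst, dpt in evs:
            window.append((ts, dst, dpt))
            port_hits[dpt] += 1
            # Expire events older than the window before counting distinct ports.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, _, old_port = window.popleft()
                port_hits[old_port] -= 1
                if port_hits[old_port] == 0:
                    del port_hits[old_port]
            if len(port_hits) >= min_ports:
                findings[src] = {
                    "ports": sorted({p for _, _, p in evs}),
                    "targets": sorted({d for _, d, _ in evs}),
                    "first": evs[0][0],
                    "last": evs[-1][0],
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src} scanned {len(info['ports'])} ports on {', '.join(info['targets'])} "
              f"between {info['first']:%b %d %H:%M:%S} and {info['last']:%b %d %H:%M:%S}")
```

Widening window_seconds (say to an hour) also catches the slow probe in the sample, at the cost of more false positives from hosts that legitimately use several services.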
Re:IP Spoofing (Score:1)
Re:Whats Wrong!!!??? (Score:1)
Re:INTENT (Score:1)
Re:looking versus opening (Score:1)