On 1 Mar 2003, Michael Lamoureux wrote:
> If you randomly walk up to my house and check to see if the door is unlocked, you better be ready for a reaction. Same thing with unsolicited probes, in my opinion. Can I randomly walk up to your car to see if it's unlocked without getting a reaction out of you?
> andy> This is different. Metaphors applying networking concepts to
> andy> real world scenarios are tenuous at best.
>
> andy> In this case, your door being unlocked cannot cause me
> andy> harm. However, an "unlocked proxy" can.
> Heh, so I guess you could make it his gun and the safety. Does that change your answer? ;-)
No, because a gun is private property and is not lying around for the public to examine. If I saw a gun sitting on the street, I would take it to the police. Even though that might be stealing, I'm still doing the right thing. Any more metaphors for me to debunk?

Here's another weak metaphor for you: Probing ports is like knocking on a door. It's not inherently a nuisance. Knocking repeatedly without regard to the people inside is abuse. Likewise, knocking on a door, noticing that nobody is home, trying the knob, seeing that it's unlocked, and entering...that's clearly abuse also. But should we outlaw knocking on doors because some people do it to annoy people and some people do it to see if they can break in? But of course, that's not even the same, for various reasons.

So, let's stop using metaphors to debate this. As Jack Nicholson said in "As Good as it Gets", "People who speak in metaphors should shampoo my crotch."
> andy> Legit probes are an attempt to mitigate network abuse, not
> andy> increase it. If there was a sanctioned body who was trusted to
> andy> scan for such things, maybe this wouldn't be an issue. But
> andy> there's not, so it's a vigilante effort.
> What's a legit probe? One where the owner gave you permission in advance to run the scan? I can't think of another definition of that phrase.
A legit probe is simply a probe with good intentions. And no, you have no way of knowing. But you also don't have to accept his traffic. So don't try to make this a LEGAL issue, keep it civil.
> andy> You don't have to. This is why I never understood why people
> andy> care so much about probing. If you do a good job with your
> andy> network, probing will have zero effect on you. All the person
> andy> probing can do (regardless of their intent) is say "Gee, I guess
> andy> there aren't any vulnerabilities with this network."
> This is a completely naive statement. There are 0 networks that I'm willing to believe have 0 vulnerabilities on them. There may be 0 that you know about, but that doesn't mean there aren't more vulnerabilities which aren't public knowledge lurking in sendmail or bind or ssh or ssl or apache or any number of other services you have running.
My statement is as naive as yours is ridiculous. You're telling me your IDS systems tell you when there is a new vulnerability, before you see it on bugtraq? I don't think so. You can see people scanning your network on port 80, but does that tell you apache has a vulnerability? People are probing on port 25....are they looking to exploit an unknown bug...or just looking to relay spam? Maybe they're just trying to make sure you don't have any open relays on your network? Who knows. You don't.

So watching your IDS logs won't tell you jack, because people who are trying to hack you WILL NOT SCAN FROM WHERE THEY HACK. You're not going to get any advance knowledge of an exploit, and you're not even going to know where the actual hack is coming from.

So, since I'm so naive, please explain to me what you can do differently than I can, simply by following a few fundamental rules.

Rule 1: All windows boxes behind a well implemented firewall.
Rule 2: Run only required services on unix servers, with a packet filter (ipfw and friends) to easily drop http or smtp traffic quickly and easily.
Rule 3: Keep current with all bugfixes.
Rule 4: Filter packets network-wide, when needed. (snmp, slammer, etc)

So, keeping such a detailed eye on the stray packets that enter your network, what will you know about an attack that I wouldn't? You realize that scanning happens after exploits get published, not before. Scanning as a precursor to attack is done by unskilled mass-hackers. People who write exploits don't scan, and if they do, they WILL NOT hack from where they scan. So that reactive filter rule based on the portscan doesn't help you.

So, in your hypothetical, when some popular daemon develops a vulnerability (like with openssh and apache within the last year), what are YOU going to do about it before the workarounds and patches are available? Nothing. And that's why I don't bother worrying about it.
My network is as secure as it can be, which IS NOT the same as "My network is invulnerable". Don't put words into my mouth simply so you can call them naive.

Andy

Andy Dills  301-682-9972
Xecunet, LLC  www.xecu.net
Dialup * Webhosting * E-Commerce * High-Speed Access
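Rules 2 and 4 from the message above, worked into a FreeBSD ipfw host ruleset as an added example that is not part of the thread or of any poster's setup. It assumes ipfw(8) syntax, a constructed list of required services (22, 25, 80), and runs in dry-run mode by default so the generated rules are printed rather than loaded; the low-numbered kill-switch slot is what makes dropping http or smtp "quick and easy" without editing the ruleset.

```shell
#!/bin/sh
# Added example: default-deny ipfw ruleset with reserved rule slots.
# DRY_RUN=1 (default) prints the ipfw commands instead of running them,
# so the script can be read and checked on any system.
DRY_RUN="${DRY_RUN:-1}"
REQUIRED_TCP="${REQUIRED_TCP:-22 25 80}"   # constructed: only services this host really runs

fw() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

build_ruleset() {
    fw -f flush
    # 100-199: emergency kill-switch slots. Left empty; a rule added here
    # is evaluated before every allow rule below (see kill_service).
    # 200-299: network-wide filters (rule 4): Slammer (UDP 1434) and SNMP.
    fw add 200 deny udp from any to any 1434
    fw add 210 deny udp from any to any 161,162
    fw add 220 deny udp from any 161,162 to any
    # 300+: stateful default-deny for the host itself (rule 2).
    fw add 300 allow ip from any to any via lo0
    fw add 310 check-state
    fw add 320 allow tcp from me to any out setup keep-state
    fw add 330 allow udp from me to any 53 out keep-state
    for port in $REQUIRED_TCP; do
        fw add 400 allow tcp from any to me "$port" setup keep-state
    done
    # Everything else is dropped and logged.
    fw add 65000 deny log ip from any to any
}

# Drop one service right now: a single rule in the 100 slot shadows its
# allow rule, with no reload and no edit of the ruleset.
kill_service() {   # $1 = tcp port, e.g. 80 or 25
    fw add 100 deny tcp from any to me "$1"
}

# Undo: ipfw deletes every rule carrying number 100.
restore_services() {
    fw delete 100
}
```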