Scanning the Internet for Vulnerabilities
I would like to solicit the opinions of network operators on the practice of scanning all of, or large chunks of, the internet for known vulnerabilities.
In earlier times, this was generally viewed as being distinctly anti-social behavior, but perhaps attitudes have changed relative to earlier eras. I would thus like to know how people feel about it now, in 2022.
Regards, rfg
P.S. Just to be clear, I personally have neither any desire nor any intent to undertake such activity myself, nor am I in communication with any party or parties that have such an intent or desire. I cannot however say that I am unaware of any parties that may currently be involved in such activities.
IMHO not good.
-J
On Sun, Jun 19, 2022 at 5:14 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
I know that in Israel the cyber dept of the government scans IL IP space then notifies ISP's to notify their clients. This helps where you have clueless people that don't know they have devices that can easily be compromised.
On Sun, Jun 19, 2022 at 6:13 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <CAM3TTh30V-ibKhSYpCAENuJO_WwS=udtn6T1O+Cv-nh6JbZdVA@mail.gmail.com> Dovid Bender <dovid@telecurve.com> wrote:
I know that in Israel the cyber dept of the government scans IL IP space then notifies ISP's to notify their clients. This helps where you have clueless people that don't know they have devices that can easily be compromised.
That's most interesting and I certainly did not know that. Do you have confidence that such scanning is limited to Israeli IP addresses? Are there any private firms that you are aware of in Israel that engage in such scanning also?
On Sun, Jun 19, 2022 at 8:01 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
That's most interesting and I certainly did not know that.
Do you have confidence that such scanning is limited to Israeli IP addresses?
Not at all. I think it's obvious that every nation state "pokes around" the internet.
Are there any private firms that you are aware of in Israel that engage in such scanning also?
I don't know who is doing it. I just know that IL Cert contacted our parent company which has an ISP in Israel when things were "hot".
On Sun, 19 Jun 2022 08:06:59 -0400 Dovid Bender <dovid@telecurve.com> wrote:
I don't know who is doing it. I just know that IL Cert contacted our parent company which has an ISP in Israel when things were "hot".
Some national government infrastructure protection organizations will relay notifications to local provider networks (e.g., abuse@) based on reputable third party surveyors (aka network scanner operators). I think it is safe to assume this is generally done as a public service, but perhaps with some mandates to measure and minimize risk within a country's borders.
Most providers will usually convey the notification in fairly strong language, usually demanding some sort of response and if applicable, remediation. The reports can contain false positives (e.g., when scanners cannot differentiate between vulnerable systems and honeypots).
It isn't always clear based on the relayed reports who is running the scans, but in my experience Shadowserver is the most widely used and cited. There are of course lots of others running scans. Commercially, Greynoise tracks many of them. A research-based tracker is also available here: <https://gitlab.com/mcollins_at_isi/acknowledged_scanners>
John
Also Germany and Estonia, they scan DE and EE IPs and send emails to ISPs every day.
From: NANOG <nanog-bounces+david=xtom.com@nanog.org> On Behalf Of Dovid Bender
Sent: Sunday, June 19, 2022 19:51
To: Ronald F. Guilmette <rfg@tristatelogic.com>
Cc: NANOG <nanog@nanog.org>
Subject: Re: Scanning the Internet for Vulnerabilities
Also Germany and Estonia, they scan DE and EE IPs and send emails to ISPs every day.
being in EE space, never receiving such a notice, and lacking the hubris to think that all our systems are squeaky clean, i have my doubts.
i suspect that we will be seeing folk who dress well scanning for vulns more and more as this poorly tended mess rolls on.
randy
See shadowserver.net
On Sun, Jun 19, 2022, 4:13 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Correction... shadowserver.org
They scan the entire ipv4 internet daily for select potential vulnerabilities.
On Sun, Jun 19, 2022, 11:43 AM Forrest Christian (List Account) <lists@packetflux.com> wrote:
See shadowserver.net
On Sun, Jun 19, 2022, 4:13 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
greetings.
it should be mentioned that shadowserver also notifies those who register as the owners of that address space. it’s very useful. (it would be more useful if they calculated diffs and notified about changes/additions.)
my thinking about this sort of thing, in general, is:
- it depends on who’s doing it and why, and what they do with the information (so what keeps you from doing it for the benefit of your less clueful downstream customers?)
- absolutely nothing prevents bad guys from doing it, so discouraging it fits in the category of “politeness rules only observed by nice people”.
- it’s polite enough for me for the good guys to identify themselves so you (the target) can worry less when you notice the activity.
(btw, this reasoning applies also about crawls of content from the wayback machine.)
On Jun 19, 2022, at 10:45 AM, Forrest Christian (List Account) <lists@packetflux.com> wrote:
Correction... shadowserver.org <http://shadowserver.org/>
They scan the entire ipv4 internet daily for select potential vulnerabilities.
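The diff Mark asks for above, combined with John's earlier caveat that relayed reports can flag your own honeypots as false positives, as an added example (not code from the thread, from Shadowserver or from any surveyor): it compares two daily notification reports and splits today's findings into new, persisting, resolved, suppressed (our honeypots) and not-ours. The CSV columns, the operator's prefixes and the honeypot range are constructed assumptions, not any real report schema.

```python
"""Diff two daily vulnerability-notification reports and triage the result.

Constructed example: the CSV layout below is assumed, not any surveyor's
real report schema, and the prefixes/honeypot range are documentation
addresses standing in for an operator's own space.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample reports: one row per (address, port, protocol, finding tag).
YESTERDAY = """timestamp,ip,port,protocol,tag
2022-06-18T03:10:00Z,192.0.2.10,445,tcp,smb-v1
2022-06-18T03:10:00Z,192.0.2.25,11211,udp,memcached-amplification
2022-06-18T03:11:00Z,198.51.100.7,3389,tcp,rdp-open
"""
TODAY = """timestamp,ip,port,protocol,tag
2022-06-19T03:10:00Z,192.0.2.10,445,tcp,smb-v1
2022-06-19T03:10:00Z,198.51.100.7,3389,tcp,rdp-open
2022-06-19T03:12:00Z,198.51.100.40,161,udp,snmp-public
2022-06-19T03:13:00Z,203.0.113.9,23,tcp,telnet-open
2022-06-19T03:14:00Z,100.64.0.5,445,tcp,smb-v1
"""

# Assumed: the address space this operator is responsible for, and the
# subnet holding its own honeypots (which a scanner reports as vulnerable).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in
                ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
HONEYPOTS = [ipaddress.ip_network("203.0.113.0/28")]


@dataclass(frozen=True, order=True)
class Finding:
    ip: str
    port: int
    protocol: str
    tag: str


def parse_report(text: str) -> Set[Finding]:
    """Read a report into a set of findings; the timestamp is dropped so that
    the same exposure seen on two different days compares equal."""
    out: Set[Finding] = set()
    for row in csv.DictReader(io.StringIO(text)):
        out.add(Finding(row["ip"].strip(), int(row["port"]),
                        row["protocol"].strip().lower(), row["tag"].strip()))
    return out


def in_any(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def diff_reports(old_text: str, new_text: str,
                 our_prefixes=OUR_PREFIXES,
                 honeypots=HONEYPOTS) -> Dict[str, List[Finding]]:
    """Bucket today's findings against yesterday's.

    new        - first seen today: the lines worth paging someone for
    persisting - reported again: remediation has not landed yet
    resolved   - reported yesterday but not today
    suppressed - our own honeypots (the false positives noted in the thread)
    not_ours   - addresses outside our prefixes, relayed to us by mistake
    """
    old = parse_report(old_text)
    new = parse_report(new_text)
    buckets: Dict[str, List[Finding]] = {
        k: [] for k in ("new", "persisting", "resolved", "suppressed", "not_ours")}
    for f in sorted(new):
        if not in_any(f.ip, our_prefixes):
            buckets["not_ours"].append(f)
        elif in_any(f.ip, honeypots):
            buckets["suppressed"].append(f)
        elif f in old:
            buckets["persisting"].append(f)
        else:
            buckets["new"].append(f)
    buckets["resolved"] = sorted(
        f for f in old - new
        if in_any(f.ip, our_prefixes) and not in_any(f.ip, honeypots))
    return buckets


def format_notice(buckets: Dict[str, List[Finding]]) -> str:
    """Render the change-oriented notice an operator would rather receive:
    new and resolved items first, honeypots and foreign addresses omitted."""
    lines = []
    for name in ("new", "resolved", "persisting"):
        for f in buckets[name]:
            lines.append(f"{name.upper():10} {f.ip}:{f.port}/{f.protocol} {f.tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_notice(diff_reports(YESTERDAY, TODAY)))
```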
btw, if you want to do this yourself, you might consider using something like https://github.com/opsdisk/scantron
Project Sonar from Rapid7 conducts internet-wide surveys and is kind enough to share the data with researchers: https://www.rapid7.com/research/project-sonar/
On Sun, Jun 19, 2022 at 10:24 PM Mark Seiden <mis@seiden.com> wrote:
btw, if you want to do this yourself, you might consider using something like
-- Amreesh Phokeer
When researchers, or whoever, claim their scanning an altruistic service, I ask them if they would mind someone coming to their home and trying to open all the doors and windows every night.
-mel beckman
On Jun 19, 2022, at 6:14 PM, J. Hellenthal via NANOG <nanog@nanog.org> wrote:
Had to send these guys a cease and desist a few years back as they became so noisy it was causing too much of a disconnect between information we were trying to compare. Personally I don't care who you are. Probably not hiring your services (free or not), stay off my edge.
-- J. Hellenthal
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
On Jun 19, 2022, at 13:56, Amreesh Phokeer <amreesh.phokeer@gmail.com> wrote:
On 2022-06-20, at 04:18, Mel Beckman <mel@beckman.org> wrote:
When researchers, or whoever, claim their scanning an altruistic service, I ask them if they would mind someone coming to their home and trying to open all the doors and windows every night.
Well, it is more like the guy who comes once a year and checks that your central heating is not going to blow up.
(Disclaimer: I have supervised students who designed and executed benign mass-scans of the IPv4 Internet in order to validate hypotheses about market penetration of certain security updates, and I definitely would do that again if there is a good reason to perform such a scan.)
Regards, Carsten
On Mon, Jun 20, 2022 at 02:18:30AM +0000, Mel Beckman wrote:
When researchers, or whoever, claim their scanning an altruistic service, I ask them if they would mind someone coming to their home and trying to open all the doors and windows every night.
If there were a few hundred people with nefarious intent trying to open your doors and windows every night, someone doing the same thing with altruistic intent might not be such a bad thing. - Matt
Matt Palmer wrote:
On Mon, Jun 20, 2022 at 02:18:30AM +0000, Mel Beckman wrote:
When researchers, or whoever, claim their scanning an altruistic service, I ask them if they would mind someone coming to their home and trying to open all the doors and windows every night. If there were a few hundred people with nefarious intent trying to open your doors and windows every night, someone doing the same thing with altruistic intent might not be such a bad thing.
- Matt
Y'all seem to be saying the same thing. So long as it blends into the general IPv4 background radiation, all good.
Joe
When I lock the doors etc to my home I'll often mutter "ya know, if someone is rattling my door knob I already have a big problem."
I suppose when I'm home it might give me a warning if I hear it.
There must be a metaphor in there somewhere.
I do recall as a teen noticing that the door of one of the closed stores on the main drag was unlocked late one night walking home (this was in NYC.)
I saw a cop and told him and he scolded me angrily for rattling door knobs, I could be arrested for that! But he verified it, looked around inside with his flashlight, and called it in.
I forget how I noticed but I wasn't in the habit of rattling stores' door knobs, I think the door was just a bit ajar.
There must be a metaphor in there somewhere.
On June 21, 2022 at 10:01 mpalmer@hezmatt.org (Matt Palmer) wrote:
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Barry -
There is indeed a metaphor to your “rattling doorknobs", but it’s not pretty when it comes to the Internet…
If you call the police because someone is creeping around your property checking doors and windows for possible entry, then they will indeed come out and attempt to arrest the perpetrator (I am most certainly not a lawyer, but as I understand it even the act of opening an unlocked window or door is sufficient in many jurisdictions to satisfy the “breaking the seal of the property” premise and warrant charging under breaking and entering statutes.)
Now welcome to the Internet… paint all your windows black, remove all lighting save for one small bulb over your front entry. Sit back and enjoy the continuous sounds of rattling doorknobs and scratching at the windows.
If/when you find a digital culprit creeping around inside the home, your best option is to burn down the place and start anew with the copies you keep offsite in storage elsewhere. Similarly if you find a “trap” (e.g., a phishing email) placed on your patio or amongst your mail… discard such cautiously and hope your kids use equal care.
“Best practice” for handling these situations on the Internet is effectively to cope as best you can despite being inundated with attempts – i.e. most Internet security professionals and law enforcement will tell you that the idea of actually trying to identify and stop any of the culprits involved is considered rather quaint at best – i.e. we’re instead going to engage in the world’s longest running game of “whack-a-mole” by just blocking their last known website/mail server/botnet and then wishing for the best…
Enjoy your Internet!
/John
Disclaimers: My views alone - use, reuse, or discard as desired. This message made of 100% recycled electrons.
On June 22, 2022 at 10:35 jcurran@istaff.org (John Curran) wrote:
Barry -
There is indeed a metaphor to your “rattling doorknobs", but it’s not pretty when it comes to the Internet…
If you call the police because someone is creeping around your property checking doors and windows for possible entry, then they will indeed come out and attempt to arrest the perpetrator (I am most certainly not a lawyer, but as I understand it even the act of opening an unlocked window or door is sufficient in many jurisdictions to satisfy the “breaking the seal of the property” premise
One can find a lot of articles and court decisions which amount to no, the police have no such obligation despite people's strong belief that they do:
https://mises.org/power-market/police-have-no-duty-protect-you-federal-court...
https://en.wikipedia.org/wiki/Town_of_Castle_Rock_v._Gonzales
(not even if you have a restraining order against the person)
etc.
They do have an obligation to protect someone when they are in their custody but that's about it.
The recent behavior of the Uvalde police standing around while children were being shot may not have been their proudest moment but they violated nothing by doing so.
https://www.thenation.com/article/society/uvalde-police-supreme-court/
So let's try to extrapolate that to the internet and LEOs...good luck!
and warrant charging under breaking and entering statutes.)
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Barry -
I did not say “obligation” - enforcement of laws is always modulated by local factors (just look at the formal decision not to prosecute “minor” crimes in some cities) - but rather said that police will pursue in many jurisdictions. This is particularly true in cases where the perpetrator is still on the premises to be taken into custody.
Yes, there are indeed places in the physical world where legal recourse against a perpetrator is becoming less likely (just as it is on the Internet); this is particularly disappointing given that legal recourse is recognized as a basic human right.
Thanks,
/John
Disclaimers: my views alone. Use/reuse/delete as desired. Contents may be hot; use caution when handling.
Hi, John:
1) "... i.e. we’re instead going to engage in the world’s longest running game of “whack-a-mole” by just blocking their last known website/mail server/botnet and then wishing for the best… ":
Perhaps it is time for us to consider the "Back to the Future" strategy, i.e., the Internet should practice static IP addresses like all traditional communication systems did?
Regards,
Abe (2022-07-23 22:27 EDT)
On 2022-06-22 10:35, John Curran wrote:
Barry -
There is indeed a metaphor to your “rattling doorknobs", but it’s not pretty when it comes to the Internet…
If you call the police because someone is creeping around your property checking doors and windows for possible entry, then they will indeed come out and attempt to arrest the perpetrator (I am most certainly not a lawyer, but as I understand it even the act of opening an unlocked window or door is sufficient in many jurisdictions to satisfy the “breaking the seal of the property” premise and warrant charging under breaking and entering statues.)
Now welcome to the Internet… paint all your windows black, remove all lighting save for one small bulb over your front entry. Sit back and enjoy the continuous sounds of rattling doorknobs and scratching at the windows.
If/when you find a digital culprit creeping around inside the home, your best option is burn down the place and start anew with the copies you keep offsite in storage elsewhere. Similarly if you find a “trap” (e.g., a phishing email) placed on your patio or amongst your mail… discard such cautiously and hope your kids use equal care.
“Best practice” for handling these situations on the Internet is effectively to cope as best you can despite being inundated with attempts – i.e. most Internet security professionals and law enforcement will tell you that the idea of actually trying to identify and stop any of the culprits involved is considered rather quaint at best – i.e. we’re instead going to engage in the worlds longest running game of “whack-a-mole” by just blocking their last known website/mail server/botnet and the wishing for the best…
Enjoy your Internet! /John
Disclaimers: My views alone - use, reuse, or discard as desired. This message made of 100% recycled electrons.
On 22 Jun 2022, at 12:04 AM, bzs@theworld.com wrote:
When I lock the doors etc to my home I'll often mutter "ya know, if someone is rattling my door knob I already have a big problem."
I suppose when I'm home it might give me a warning if I hear it.
There must be a metaphor in there somewhere.
I do recall as a teen noticing that one of the closed store's on the main drag's door was unlocked late one night walking home (this was in NYC.)
I saw a cop and told him and he scolded me angrily for rattling door knobs, I could be arrested for that! But verified it, looked around inside with his flashlight, and called it in.
I forget how I noticed but I wasn't in the habit of rattling stores' door knobs, I think the door was just a bit ajar.
There must be a metaphor in there somewhere.
On June 21, 2022 at 10:01 mpalmer@hezmatt.org (Matt Palmer) wrote:
On Mon, Jun 20, 2022 at 02:18:30AM +0000, Mel Beckman wrote:
When researchers, or whoever, claim their scanning is an altruistic service, I ask them if they would mind someone coming to their home and trying to open all the doors and windows every night.
If there were a few hundred people with nefarious intent trying to open your doors and windows every night, someone doing the same thing with altruistic intent might not be such a bad thing.
- Matt
-- -Barry Shein
Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
-- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus
Abe -

Static versus dynamic address assignment isn’t the problem - dynamically assigned IP address space can still be tracked back to a given system (reference: RFC6302/BCP162 & RFC6269 for discussion of the requirements and various related issues.)

Tracking back to a particular server doesn’t really matter if all that happens is that the service is terminated (as the culprit will simply appear elsewhere in the Internet with a new connection/server and start over.)

Alas, the situation doesn’t change unless/until there’s a willingness to engage law enforcement and pursue the attackers to prevent recurrence. This is non-trivial, both because of the skills necessary, the volume of attacks, the various jurisdictions involved, etc. – but the greatest obstacle is simply the attitude of “Why bother, that’s just the way it is…”

With zero effective back pressure, we shouldn’t be surprised as frequency of attempts grows without bound.

Thanks,
/John

Disclaimers: my views alone – no one else would claim them. Feel free to use/reuse/discard as you see fit.
On 23 Jul 2022, at 10:28 PM, Abraham Y. Chen <aychen@avinta.com> wrote:
Hi, John:
1) "... i.e. we’re instead going to engage in the worlds longest running game of “whack-a-mole” by just blocking their last known website/mail server/botnet and the wishing for the best… ":
Perhaps it is time for us to consider the "Back to the Future" strategy, i.e., the Internet should practice static IP address like all traditional communication system did?
Regards,
Abe (2022-07-23 22:27 EDT)
Hi, John:

1) "... dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with this statement. However,

A. You overlooked the critical consideration of the response time. If this can not be done in real time for law enforcement purposes, it is meaningless.

B. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful. In fact, this would penalize the innocent users who happen to be on the same implied "system".

C. In addition, for your “whack-a-mole” metaphor, the party in charge is the mole, not the party with the mallet. It is a losing game for the mallet right from the beginning.

So, the current Internet practices put us way behind the starting line even before the game. Overall, this environment is favored by multi-national businesses with perpetrators riding along in the background. When security is breached, there are more than enough excuses to point the finger to. No wonder the outcome has always been disappointing for the general public.

2) What we need to do is to reverse the roles in every one of the above situations, if we hope for any meaningful result, at all. The starting point is to review the root differences between the Internet and the traditional communication systems. With near half a century of the Internet experience, we should be ready to study each issue from its source, not by perpetuating its misleading manifestations.

Regards,
Abe (2022-07-24 10:19 EDT)

On 2022-07-24 07:27, John Curran wrote:
Abe -
Static versus dynamic address assignment isn’t the problem - dynamically assigned IP address space can still be tracked back to a given system (reference: RFC6302/BCP162 & RFC6269 for discussion of the requirements and various related issues.)
Tracking back to a particular server doesn’t really matter if all that happens is that the service is terminated (as the culprit will simply appear elsewhere in the Internet with a new connection/server and start over.)
Alas, the situation doesn’t change unless/until there’s a willingness to engage law enforcement and pursue the attackers to prevent recurrence. This is non-trivial, both because of the skills necessary, the volume of attacks, the various jurisdictions involved, etc. – but the greatest obstacle is simply the attitude of “Why bother, that’s just the way it is…”
With zero effective back pressure, we shouldn’t be surprised as frequency of attempts grows without bound.
Thanks, /John
Disclaimers: my views alone – no one else would claim them. Feel free to use/reuse/discard as you see fit.
On 24 Jul 2022, at 10:20 AM, Abraham Y. Chen <aychen@avinta.com> wrote:
Hi, John:
1) "... dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with this statement. However, A. You overlooked the critical consideration of the response time. If this can not be done in real time for law enforcement purposes, it is meaningless.
Abe -

That’s correct - but that does not require having static addresses to accomplish (as you postulated earlier), rather it just requires having appropriately functioning logging apparatus.
B. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful. In fact, this would penalize the innocent users who happen to be on the same implied "system".
Yes, it is quite obvious that a degree of care is necessary.
C. In addition, for your “whack-a-mole” metaphor, the party in charge is the mole, not the party with the mallet. It is a losing game for the mallet right from the beginning.
As with all enforcement, it is a question on changing to breakeven point calculation on incentives & risks for the would be perpetrators, and presently there’s almost nearly no risk involved.
So, the current Internet practices put us way behind the starting line even before the game. Overall, this environment is favored by multi-national businesses with perpetrators riding along in the background. When security is breached, there are more than enough excuses to point the finger to. No wonder the outcome has always been disappointing for the general public.
Indeed.
2) What we need to do is to reverse the roles in every one of the above situations, if we hope for any meaningful result, at all. The starting point is to review the root differences between the Internet and the traditional communication systems. With near half a century of the Internet experience, we should be ready to study each issue from its source, not by perpetuating its misleading manifestations.
That’s one possible approach, although before becoming too enamored with it, it is probably worth remembering that the “traditional communication systems” have also suffered from similar exploits on occasion (they’ve been fewer in number, but then again, the number of connected devices was also several orders of magnitude smaller.)

Thanks,
/John

Disclaimer: my views alone – use caution - contents may be hot!
Hi, John:

0) Thanks for sharing your thoughts. The IoT identification (IP address) versus privacy is a rather convoluted topic. It can quickly get distracted and diluted if we look at it by piecemeal. Allow me to go through an overview to convey my logic.

1) It is true that a dynamic IoT identification is harder to track down than a static one, thus providing some sense of privacy or security, theoretically. This went well with the need for dynamic practice due to the limited IPv4 address pool. So, this idea sank deep into most people's mind as inherent for the Internet.

2) It turned out that there were many ways (as you alluded to) to track down an IoT even with a dynamic address. There was a classical research paper that outlined various techniques to do so:

https://www.ccsl.carleton.ca/paper-archive/muir-computingsurveys-09.pdf

To save your time, I extracted part of its conclusions as below:

"6 Concluding Remarks ... while some commercial organizations have claimed that they can do it with 99% accuracy. … It’s meant for the 99 percent of the general public who are just at home surfing. … We note that even if accurate IP geolocation is possible for 99% of IP addresses, if the remaining 1% is fixed and predictable by an adversary, and such that the adversary can place themselves within this subspace, then they can evade geolocation 100% of the time. …"

We do not need to check its validity quantitatively, today, because technology has advanced a lot. However, it is probably still pretty accurate qualitatively, judging by how successful "targeted marketing" is, while how hard various perpetrators may be identified, not to mention physically locating one.

3) As long as the general public embrace the Internet technologists' promise of privacy by dynamic addressing, however, the LE (Law Enforcement) agencies have the excuse for exercising mass surveillance that scoops up everything possible from the Internet for offline analysis. Big businesses have been doing the same under the same cover. So, most people end up without privacy anyway. (Remember the news that German Chancellor's phone call was somehow picked up by the NSA of US? For anyone with a little imagination, it was a clear hint for the tip of an iceberg.)

4) Static communication terminal (IoT) identification practice will remove a significant number of entities (the 99%) from LE's monitor operation, enabling them to focus on the 1% as well as requiring them to submit justification for court order before doing so. The last part has disappeared under the Internet environment. See URL below for an example. The static IP address practice will simplify the whole game. That is, the LEs can do their job easier, while the general public will get the legally protected privacy back.

https://www.usatoday.com/story/news/2021/12/08/federal-court-upholds-terrori...

Regards,
Abe (2022-07-27 23:28 EDT)

On 2022-07-24 13:57, John Curran wrote:
On 24 Jul 2022, at 10:20 AM, Abraham Y. Chen <aychen@avinta.com> wrote:
Hi, John:
1) "... dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with this statement. However, A. You overlooked the critical consideration of the response time. If this can not be done in real time for law enforcement purposes, it is meaningless.

Abe -
That’s correct - but that does not require having static addresses to accomplish (as you postulated earlier), rather it just requires having appropriately functioning logging apparatus.
B. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful. In fact, this would penalize the innocent users who happen to be on the same implied "system".
Yes, it is quite obvious that a degree of care is necessary.
C. In addition, for your “whack-a-mole” metaphor, the party in charge is the mole, not the party with the mallet. It is a losing game for the mallet right from the beginning.
As with all enforcement, it is a question on changing to breakeven point calculation on incentives & risks for the would be perpetrators, and presently there’s almost nearly no risk involved.
So, the current Internet practices put us way behind the starting line even before the game. Overall, this environment is favored by multi-national businesses with perpetrators riding along in the background. When security is breached, there are more than enough excuses to point the finger to. No wonder the outcome has always been disappointing for the general public.
Indeed.
2) What we need to do is to reverse the roles in every one of the above situations, if we hope for any meaningful result, at all. The starting point is to review the root differences between the Internet and the traditional communication systems. With near half a century of the Internet experience, we should be ready to study each issue from its source, not by perpetuating its misleading manifestations.

That’s one possible approach, although before becoming too enamored with it, it is probably worth remembering that the “traditional communication systems” have also suffered from similar exploits on occasion (they’ve been fewer in number, but then again, the number of connected devices was also several orders of magnitude smaller.)
Thanks, /John
Disclaimer: my views alone – use caution - contents may be hot!
On 7/24/22 07:20, Abraham Y. Chen wrote:
Hi, John:
1) "... dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with this statement. However, A. You overlooked the critical consideration of the response time. If this can not be done in real time for law enforcement purposes, it is meaningless.
The same is true for statically assigned addresses, unless you're proposing that ISPs be forced to preemptively divulge all customer data to law enforcement and keep that data updated in real time. At least in the US, this would almost certainly be ruled an unconstitutional search. It also fails to address the CGNAT scenarios often required to provide IPv4 Internet access at all.
B. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful. In fact, this would penalize the innocent users who happen to be on the same implied "system".
"System" isn't implied. It would be the AS and assigned CIDR block from the RIR.
C. In addition, for your “whack-a-mole” metaphor, the party in charge is the mole, not the party with the mallet. It is a losing game for the mallet right from the beginning.
The party in charge (ISP) is the programmer of the game that also holds the records of where the mole has been historically. With the proper warrant, law enforcement can get those records. It matters not whether the IP is static, dynamic, or part of a CGNAT pool.
So, the current Internet practices put us way behind the starting line even before the game. Overall, this environment is favored by multi-national businesses with perpetrators riding along in the background. When security is breached, there are more than enough excuses to point the finger to.
Overall, this environment is favored by most users of the Internet that don't want law enforcement to be handed yet another virtual wiretap by their ISP. It's also required in many cases to provide IPv4 Internet access at all, as there aren't enough static addresses to go around.
No wonder the outcome has always been disappointing for the general public.
I disagree that the general public is disappointed. No one I know wants yet more agencies tracking them on the Internet, particularly agencies employing people with guns and the ability to throw them in jail.

-- 
Jay Hennigan - jay@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV
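Added example, not from the thread, of the "appropriately functioning logging apparatus" John refers to and the records Jay says the ISP holds: an abuse report (public address, source port, timestamp) is resolved against lease and CGNAT session logs, showing why all three fields are needed when addresses are dynamic or shared. The log formats, subscriber ids and addresses are constructed for this example (documentation and shared-address ranges only).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed DHCP lease log: start, end, internal address, subscriber id.
# 100.64.0.0/10 is the shared address space used behind CGNAT (RFC 6598).
DHCP_LEASES = """\
2022-07-24T00:00:00Z 2022-07-24T12:00:00Z 100.64.5.10 sub-1001
2022-07-24T12:00:00Z 2022-07-25T00:00:00Z 100.64.5.10 sub-1002
2022-07-24T00:00:00Z 2022-07-25T00:00:00Z 100.64.5.11 sub-1003
"""

# Constructed CGNAT session log: start, end, internal ip:port, public ip:port.
# The same public ip:port is handed to different subscribers at different times.
NAT_SESSIONS = """\
2022-07-24T10:00:00Z 2022-07-24T10:05:00Z 100.64.5.10:51000 203.0.113.7:40001
2022-07-24T10:02:00Z 2022-07-24T10:07:00Z 100.64.5.11:51000 203.0.113.7:40002
2022-07-24T13:00:00Z 2022-07-24T13:03:00Z 100.64.5.10:52000 203.0.113.7:40001
"""


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Lease:
    start: datetime
    end: datetime
    internal_ip: str
    subscriber: str


@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    internal_ip: str
    public_ip: str
    public_port: int


def parse_leases(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            start, end, ip, sub = line.split()
            leases.append(Lease(parse_ts(start), parse_ts(end), ip, sub))
    return leases


def parse_sessions(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            start, end, internal, public = line.split()
            iip, _ = internal.rsplit(":", 1)
            pip, pport = public.rsplit(":", 1)
            sessions.append(Session(parse_ts(start), parse_ts(end), iip, pip, int(pport)))
    return sessions


def subscriber_at(leases: List[Lease], internal_ip: str, when: datetime) -> Optional[str]:
    """Subscriber holding the internal address at that instant (leases are half-open)."""
    for lease in leases:
        if lease.internal_ip == internal_ip and lease.start <= when < lease.end:
            return lease.subscriber
    return None


def attribute(public_ip: str, public_port: Optional[int], when: datetime,
              leases: Optional[List[Lease]] = None,
              sessions: Optional[List[Session]] = None) -> List[str]:
    """Subscribers who could have sourced traffic from public_ip[:port] at `when`.

    A single answer needs address, source port and an accurate timestamp (the
    fields RFC 6302 / BCP 162 asks Internet-facing servers to log); without the
    port, every subscriber sharing the CGNAT address at that time is a candidate.
    """
    leases = parse_leases(DHCP_LEASES) if leases is None else leases
    sessions = parse_sessions(NAT_SESSIONS) if sessions is None else sessions
    found = set()
    for s in sessions:
        if s.public_ip != public_ip or not (s.start <= when <= s.end):
            continue
        if public_port is not None and s.public_port != public_port:
            continue
        sub = subscriber_at(leases, s.internal_ip, when)
        found.add(sub if sub else f"unattributed:{s.internal_ip}")
    return sorted(found)


if __name__ == "__main__":
    t = parse_ts("2022-07-24T10:03:00Z")
    print("with port:   ", attribute("203.0.113.7", 40001, t))  # ['sub-1001']
    print("without port:", attribute("203.0.113.7", None, t))   # ['sub-1001', 'sub-1003']
    print("later lease: ", attribute("203.0.113.7", 40001, parse_ts("2022-07-24T13:01:00Z")))  # ['sub-1002']
```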
Hi,

While it's possible to have a discussion on the topic, I think that the only safe bet is that, when connected to the Internet, you'll definitely be subject to scanning.

I doubt there's much you want to do at a SOC about it unless it's a recurring situation involving a somewhat big traffic load -- in which case, you'd probably handle it as you'd do with a DoS attack. Scans of one sort or another happen way too often to bother (or to afford to bother, if you wish) -- for instance, just a few days ago I was setting up an imap server, and happened to find the service being scanned by censys in terms of hours.

For regular mass scans, you can normally block them proactively, via a number of feeds (abuseipdb, dshield, and others), if you find them a nuisance or don't want to show up in the scanner's results.

As for targeted scans, the only safe bet is that you *will* be targeted. So... keep the windows and doors locked. And, better, check if they actually are locked regularly.

Thanks,
Fernando

On 22/6/22 01:04, bzs@theworld.com wrote:
When I lock the doors etc to my home I'll often mutter "ya know, if someone is rattling my door knob I already have a big problem."
I suppose when I'm home it might give me a warning if I hear it.
There must be a metaphor in there somewhere.
I do recall as a teen noticing that one of the closed store's on the main drag's door was unlocked late one night walking home (this was in NYC.)
I saw a cop and told him and he scolded me angrily for rattling door knobs, I could be arrested for that! But verified it, looked around inside with his flashlight, and called it in.
I forget how I noticed but I wasn't in the habit of rattling stores' door knobs, I think the door was just a bit ajar.
There must be a metaphor in there somewhere.
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
In message <C22B2D7B-5783-4BAB-8D28-EA20B78119D7@seiden.com>, Mark Seiden <mis@seiden.com> wrote:
btw, if you want to do this yourself, you might consider using something like
Thank you, but as I noted in the post beginning this thread, I personally have no interest in performing this type of activity at the present time. I am rather more interested in what others are already doing, and the parameters of, and the current level of social acceptance thereof.

Regards,
rfg
In message <CB7990CD-5284-4A9C-BB98-4D55B21B50FF@seiden.com>, Mark Seiden <mis@seiden.com> wrote:
it should be mentioned that shadowserver also notifies those who register as the owners of that address space.
Yes. That is quite a public spirited endeavor in the best traditions of the Internet.
my thinking about this sort of thing, in general, is:
- it depends on who's doing it and why, and what they do with the information
Yes. And my question was deliberately open-ended with regards to those two points, specifically. Shadowserver is an example of a public-interest enterprise. And unless I'm mistaken, we can easily know who they are and what they do with the information they collect. There are however counter-examples... enterprises that are not quite so forthright, either in their willingness to be identified or in the disposition of their results data.
- it's polite enough for me for the good guys to identify themselves so you (the target) can worry less when you notice the activity.
I agree. But that raises the question: How would (or should) a "benign" scanning enterprise publicly identify itself in a manner so as to mitigate undue alarm?

Regards,
rfg
shadow server (to the best of my knowledge) only scans sites that have invited them to do so. Owen
On Jun 19, 2022, at 10:43 , Forrest Christian (List Account) <lists@packetflux.com> wrote:
See shadowserver.net

On Sun, Jun 19, 2022, 4:13 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
I would like to solicit the opinions of network operators on the practice of scanning all of, or large chunks of the internet for known vulnerabilities.
In earlier times, this was generally viewed as being distinctly anti-social behavior, but perhaps attitudes have changed relative to earlier eras. I would thus like to know how people feel about it now, in 2022.
Regards, rfg
P.S. Just to be clear, I personally have neither any desire nor any intent to undertake such activity myself, nor am I in communication with any party or parties that have such an intent or desire. I cannot however say that I am unaware of any parties that may currently be involved in such activities.
On Sun, 19 Jun 2022, Ronald F. Guilmette wrote:
In earlier times, this was generally viewed as being distinctly anti-social behavior, but perhaps attitudes have changed relative to earlier eras. I would thus like to know how people feel about it now, in 2022.
This has not changed. -Dan
I would still consider an uninvited scan of my network antisocial. Other operators are, of course, free to make their own choices. Owen
On Jun 19, 2022, at 03:13 , Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
I would like to solicit the opinions of network operators on the practice of scanning all of, or large chunks of the internet for known vulnerabilities.
In earlier times, this was generally viewed as being distinctly anti-social behavior, but perhaps attitudes have changed relative to earlier eras. I would thus like to know how people feel about it now, in 2022.
Regards, rfg
P.S. Just to be clear, I personally have neither any desire nor any intent to undertake such activity myself, nor am I in communication with any party or parties that have such an intent or desire. I cannot however say that I am unaware of any parties that may currently be involved in such activities.
Hi, Ronald, On 19/6/22 07:13, Ronald F. Guilmette wrote:
I would like to solicit the opinions of network operators on the practice of scanning all of, or large chunks of the internet for known vulnerabilities.
Note: What's most usually done out there is scanning for ports, rather than for vulnerabilities. That said, as noted by others, port scans are kind of part of the ecosystem. A vast number of them can be blocked proactively by e.g., feeding block-lists (e.g. abuseipdb's) dynamically into your firewalls' rulesets.
In earlier times, this was generally viewed as being distinctly anti-social behavior, but perhaps attitudes have changed relative to earlier eras. I would thus like to know how people feel about it now, in 2022.
At the end of the day, the folks you should most likely be concerned about are the folks that won't even care about whether this is unsocial behavior. For low-volume traffic, you can probably filter it out as discussed above, and, other than the possible noise, the scans shouldn't cause harm anyway (and if e.g. an IPv6 host scan is causing your neighbor cache exhaustion problems... that's an issue you need to deal with, anyway). What's left probably falls into the DoS-like category... but is normally more targeted than sent to random networks/whole Internet. Thanks, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
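The "feed a block-list dynamically into your firewall rulesets" step Fernando mentions, written out as an added example (not from the thread or from any feed vendor): it parses a constructed feed in an assumed CSV shape, refuses to block anything inside your own or non-routable space, and emits an nft script that refills two interval sets in one transaction. The table and set names, and the OWN_PREFIXES value, are hypothetical.

```python
import ipaddress

# Constructed sample feed; CSV shape (ipAddress,abuseConfidenceScore,...) is assumed.
# Doc ranges stand in for public space; one line is malformed, one RFC 1918, one in our own prefix.
SAMPLE_FEED = """\
ipAddress,abuseConfidenceScore,lastReportedAt
198.51.100.23,100,2022-06-19T10:00:00+00:00
203.0.113.0/24,95,2022-06-19T09:30:00+00:00
10.1.2.3,100,2022-06-19T09:00:00+00:00
192.0.2.77,100,2022-06-18T22:00:00+00:00
not-an-ip,100,2022-06-18T21:00:00+00:00
2001:db8:bad::1,100,2022-06-18T20:00:00+00:00
"""

# Space a feed line must never be allowed to block: your own prefixes
# (hypothetical value here) plus loopback, RFC 1918, link-local and ULA.
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
NEVER_BLOCK = OWN_PREFIXES + [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_feed(text, min_score=90):
    """Return (v4_nets, v6_nets) that clear the score threshold and the safety list."""
    v4, v6 = [], []
    for line in text.strip().splitlines()[1:]:            # skip the CSV header
        parts = line.split(",")
        try:
            net = ipaddress.ip_network(parts[0].strip(), strict=False)
            score = int(parts[1])
        except (IndexError, ValueError):
            continue                                      # malformed line: skip, never guess
        if score < min_score:
            continue
        if any(p.version == net.version and p.overlaps(net) for p in NEVER_BLOCK):
            continue                                      # would block our own or private space
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6

def _elem(net):   # bare address for /32 and /128, CIDR otherwise
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def render_nft(v4, v6, table="inet filter"):
    """nft script for `nft -f -`: (re)create two interval sets and refill them atomically."""
    out = []
    for kind, name, nets in (("ipv4_addr", "blocklist4", v4), ("ipv6_addr", "blocklist6", v6)):
        out.append(f"add set {table} {name} {{ type {kind}; flags interval; auto-merge; }}")
        out.append(f"flush set {table} {name}")           # each feed pull replaces the old contents
        if nets:
            out.append(f"add element {table} {name} {{ {', '.join(map(_elem, nets))} }}")
    return "\n".join(out)
```

The chain rules that reference the two sets (`ip saddr @blocklist4 drop`, `ip6 saddr @blocklist6 drop`) are assumed to exist already; the script only refreshes the set contents.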
In message <7c5f9d80-8686-07bb-b6ed-6e41fa1e1bee@si6networks.com>, Fernando Gont <fgont@si6networks.com> wrote:
Note: What's most usually done out there is scanning for ports, rather than for vulnerabilities.
Yes, and at least some of the responses in this thread have not, I think, noted this rather important distinction. For my part I intended to ask specifically about attitudes towards scanning for actual vulnerabilities, e.g. those that have been assigned CVE numbers. Depending on who is doing it, and why, my personal feeling is that even here in 2022 this should still be viewed as being exceptionally anti-social, and worthy of calling out publicly, but I must allow for the possibility that my personal views on this may be antiquated and out of step with current prevailing norms and attitudes. Regards, rfg
Hi, Ronald, On 21/6/22 03:53, Ronald F. Guilmette wrote:
In message <7c5f9d80-8686-07bb-b6ed-6e41fa1e1bee@si6networks.com>, Fernando Gont <fgont@si6networks.com> wrote:
Note: What's most usually done out there is scanning for ports, rather than for vulnerabilities.
Yes, and at least some of the responses in this thread have not, I think, noted this rather important distinction.
Agreed.
For my part I intended to ask specifically about attitudes towards scanning for actual vulnerabilities, e.g. those that have been assigned CVE numbers.
Please note that in most of these cases, "vulnerability scanning" is, for the most part, simply banner-grabbing, with some off-line comparison against a CVE database -- with banner-grabbing being at times simply the result of completing the TCP three-way handshake (i.e., something that would happen anyway, unless doing non-connect() scans). IOW, you probably cannot even tell if you're being subject to a port-scan or a "vulnerability scan" of this type. Then there are other cases where the scans are way more intrusive, such as e.g. scanning for SQL injection in web applications, or, e.g., simply scanning for the vulnerability by trying to exploit it. I'd probably be concerned about these sorts of "scans", but not about port-scans/banner-grabbing.
Depending on who is doing it, and why, my personal feeling is that even here in 2022 this should still be viewed as being exceptionally anti-social, and worthy of calling out publicly, but I must allow for the possibility that my personal views on this may be antiquated and out of step with current prevailing norms and attitudes.
Aside from what I've noted above, and without really taking a stance on whether what you note might or might not make sense, I'd probably argue that the folks that one should probably be most concerned about would probably run the scans from VMs they probably paid for with cryptocurrency. The attacks would probably be non-trivial to attribute, and if you manage to get their provider to take their VMs off-line, they would probably simply buy a new one -- not that I like it, but... "it is what it is". Thanks, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
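Fernando's three tiers (half-open port probe, handshake-only banner grab, and the intrusive kind where the client actually sends a request) can be told apart on the defender's side from connection logs. Added example, not from the thread: it runs over constructed records in a reduced subset of Zeek conn.log columns, using Zeek's real conn_state codes; the class labels and the triage threshold are this example's own.

```python
from collections import defaultdict

# Zeek conn_state codes meaning the originator never completed the TCP handshake
# (SYN-only, rejected, SYN then RST/FIN): nothing above TCP could have happened.
HALF_OPEN = {"S0", "REJ", "RSTOS0", "SH"}

# Constructed records, reduced Zeek conn.log column subset: a SYN scanner,
# a handshake-only source (server volunteers a banner, client sends nothing),
# and a source that pushes request payload (orig_bytes > 0) to several hosts.
SAMPLE_LOG = """\
#fields\tts\torig_h\tresp_h\tresp_p\torig_bytes\tresp_bytes\tconn_state
1655630000.1\t198.51.100.9\t192.0.2.10\t22\t0\t0\tS0
1655630000.2\t198.51.100.9\t192.0.2.10\t80\t0\t0\tS0
1655630000.3\t198.51.100.9\t192.0.2.11\t443\t-\t-\tREJ
1655630001.0\t203.0.113.5\t192.0.2.10\t22\t0\t41\tSF
1655630001.4\t203.0.113.5\t192.0.2.11\t21\t0\t38\tSF
1655630002.0\t203.0.113.77\t192.0.2.10\t80\t612\t4120\tSF
1655630002.3\t203.0.113.77\t192.0.2.12\t80\t598\t3990\tSF
1655630003.0\t203.0.113.77\t192.0.2.10\t443\t0\t0\tS0
"""

def classify(conn_state, orig_bytes):
    """Coarse class for one record; the labels are this example's own."""
    if conn_state in HALF_OPEN:
        return "port_probe"    # half-open: indistinguishable from any other port scan
    if orig_bytes == 0:
        return "banner_grab"   # full handshake, client silent; server may have talked
    return "app_probe"         # client sent payload: request-level probing

def _count(field):
    return 0 if field == "-" else int(field)   # Zeek writes '-' for unknown byte counts

def summarize(log_text):
    """Per-source class counts plus the set of destination ports touched."""
    per_src = defaultdict(lambda: {"port_probe": 0, "banner_grab": 0,
                                   "app_probe": 0, "ports": set()})
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, orig_h, _resp_h, resp_p, orig_b, _resp_b, state = line.split("\t")
        per_src[orig_h][classify(state, _count(orig_b))] += 1
        per_src[orig_h]["ports"].add(int(resp_p))
    return dict(per_src)

def intrusive_sources(summary, min_app_probes=2):
    """Sources that sent payload repeatedly: the tier worth triage, as opposed
    to handshake-only connects that look like ordinary port-scan noise."""
    return sorted(s for s, c in summary.items() if c["app_probe"] >= min_app_probes)
```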
In message <4e6319ba-d332-f25e-d128-1b8abc724039@si6networks.com>, Fernando Gont <fgont@si6networks.com> wrote:
Depending on who is doing it, and why, my personal feeling is that even here in 2022 this should still be viewed as being exceptionally anti-social, and worthy of calling out publicly, but I must allow for the possibility that my personal views on this may be antiquated and out of step with current prevailing norms and attitudes.
Aside from what I've noted above, and without really taking a stance on whether what you note might or might not make sense, I'd probably argue that the folks that one should probably be most concerned about would probably run the scans from VMs they probably paid for with cryptocurrency. The attacks would probably be non-trivial to attribute...
Yes, to all of the above. But there are always exceptions. :-) Regards, rfg
participants (21): Abraham Y. Chen, Amreesh Phokeer, bzs@theworld.com, Carsten Bormann, David Guo, Dovid Bender, Fernando Gont, Forrest Christian (List Account), goemon@sasami.anime.net, J. Hellenthal, Jay Hennigan, Joe Maimon, John Curran, John Kristoff, Jorge Amodio, Mark Seiden, Matt Palmer, Mel Beckman, Owen DeLong, Randy Bush, Ronald F. Guilmette