Re: "portscans" (was Re: Arbor Networks DoS defense product)
 
            On Sat, May 18, 2002 at 05:25:27PM -0400, woods@weird.com said:
[ On Saturday, May 18, 2002 at 13:48:27 (-0700), Scott Francis wrote: ]
Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product)
However a "portscan" is not an attack.
Precursor to an attack, certainly.
B.S. A plain old port or IP scan is nothing more than an information gathering exercise. Unless you're the one running it you almost certainly have no clue whatsoever why it was started. (Unless you can prove somehow that the scan pattern and/or packets matches a signature that's proven to be _unique_ to some known attack tool.)
And why, pray tell, would some unknown and unaffiliated person be scanning my network to gather information or run recon if they were not planning on attacking? I'm not saying that you're not right, I'm just saying that so far I have heard no valid non-attack reasons for portscans (other than those run by network admins against their own networks). -- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
 
            On Sat, 18 May 2002, Scott Francis wrote:
And why, pray tell, would some unknown and unaffiliated person be scanning my network to gather information or run recon if they were not planning on attacking? I'm not saying that you're not right, I'm just saying that so far I have heard no valid non-attack reasons for portscans (other than those run by network admins against their own networks).
I often like to know if a particular web server is running Unix or Winblows. A port scanner is a useful tool in making that determination. <sarcasm> And why, pray tell, would some stranger be carrying a concealed gun if they were not planning on shooting someone? </sarcasm>
 
            Hello, Saturday, May 18, 2002, 7:17:43 PM, you wrote: RD> On Sat, 18 May 2002, Scott Francis wrote:
And why, pray tell, would some unknown and unaffiliated person be scanning my network to gather information or run recon if they were not planning on attacking? I'm not saying that you're not right, I'm just saying that so far I have heard no valid non-attack reasons for portscans (other than those run by network admins against their own networks).
RD> I often like to know if a particular web server is running Unix or
RD> Winblows. A port scanner is a useful tool in making that determination.

[allan@ns1 phpdig]$ telnet www.istop.com 80
Trying 216.187.106.194...
Connected to dci.doncaster.on.ca (216.187.106.194).
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 19 May 2002 01:47:57 GMT
Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8
Last-Modified: Sat, 18 May 2002 06:05:35 GMT
ETag: "68807-9ff5-3ce5ef2f"
Accept-Ranges: bytes
Content-Length: 40949
Connection: close
Content-Type: text/html
Connection closed by foreign host.

(make sure you hit [Enter] twice after the "HEAD / HTTP/1.0"). Gets you all of the information you need, and you don't have to do a portscan. I have a perl script that automates the task if you would like it, let me know.

allan -- allan allan@allan.org http://www.allan.org
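The HEAD-request check Allan describes, written out as a small script. This is an added example and not Allan's Perl script (which is not on the page); it parses the exact response captured in the thread, embedded here as sample input so it runs offline, and adds a Host header that the telnet session did not send. The live connect_and_head() helper is an assumption about how the manual session would be automated and is not run by the example itself.

```python
"""Added example: build the 'HEAD / HTTP/1.0' request from the thread and pull
the Server header out of the reply. Runs offline against the response
captured in the thread; connect_and_head() is the live variant (not run here)."""
import socket
from typing import Dict, List, Optional, Tuple

# Response captured in the thread (Allan Liska's telnet to www.istop.com),
# embedded as sample input so the parser runs without a network.
CAPTURED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 19 May 2002 01:47:57 GMT\r\n"
    b"Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8\r\n"
    b"Last-Modified: Sat, 18 May 2002 06:05:35 GMT\r\n"
    b'ETag: "68807-9ff5-3ce5ef2f"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 40949\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def build_head_request(host: str) -> bytes:
    """'HEAD / HTTP/1.0' plus the blank line that ends the request (the two
    [Enter] presses Allan mentions). The Host header is an addition of this
    example so that name-based virtual hosts answer for the right site."""
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP response into its status line and a lower-cased header
    map. Header names are case-insensitive, so 'Server' and 'server' merge."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip a malformed header line rather than abort
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def server_banner(raw: bytes) -> Optional[str]:
    """The Server header, or None when the site does not disclose one
    (Ralph's point about yahoo.com and cnn.com: many fronted sites do not)."""
    _status, headers = parse_response(raw)
    return headers.get("server")


def disclosed_components(raw: bytes) -> List[str]:
    """Product/version tokens the banner alone reveals, e.g. ['Apache/1.3.22',
    '(Unix)', ...]. Handy for auditing what your own servers give away."""
    banner = server_banner(raw)
    return banner.split() if banner else []


def connect_and_head(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Live variant of the telnet session in the thread (not run here)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(server_banner(CAPTURED_RESPONSE))
    print(disclosed_components(CAPTURED_RESPONSE))
```

Pointing connect_and_head() at one of your own servers and feeding the result to disclosed_components() shows the same Apache, PHP and FrontPage version strings an outsider would read from the banner; a None result is what a site that suppresses or strips the Server header looks like.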
 
            AL> Date: Sat, 18 May 2002 21:50:34 -0400
AL> From: Allan Liska
AL> [allan@ns1 phpdig]$ telnet www.istop.com 80
AL> Trying 216.187.106.194...
AL> Connected to dci.doncaster.on.ca (216.187.106.194).
AL> Escape character is '^]'.
AL> HEAD / HTTP/1.0

Or lynx http://www.istop.com/ and press the '=' key for similar info. Or echo the HEAD request to a program that opens a TCP socket. Or go to www.netcraft.com. Of course, firewalls munching on TCP/IP can screw up IP stack fingerprinting, causing nmap et al. to report "IIS on <favorite *ix flavor>" when it really means "IIS on ??? behind firewall running <favorite *ix flavor>". I wonder how many people enjoy recompiling their *ix httpd to report itself as IIS? Watch for requests matching certain IDS strings... what was that again about mad fast honeypots? ;-) -- Eddy Brotsman & Dreger, Inc. - EverQuick Internet Division Phone: +1 (316) 794-8922 Wichita/(Inter)national Phone: +1 (785) 865-5885 Lawrence
 
            RD> I often like to know if a particular web server is running Unix or RD> Winblows. A port scanner is a useful tool in making that determination.
[allan@ns1 phpdig]$ telnet www.istop.com 80
Trying 216.187.106.194...
Connected to dci.doncaster.on.ca (216.187.106.194).
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 19 May 2002 01:47:57 GMT
Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8
Sure, it works on some servers, but try it on yahoo.com, cnn.com, ... -Ralph
 
            On Sun, 19 May 2002, Ralph Doncaster wrote:
RD> I often like to know if a particular web server is running Unix or RD> Winblows. A port scanner is a useful tool in making that determination.
[allan@ns1 phpdig]$ telnet www.istop.com 80
Trying 216.187.106.194...
Connected to dci.doncaster.on.ca (216.187.106.194).
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 19 May 2002 01:47:57 GMT
Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8
Sure, it works on some servers, but try it on yahoo.com, cnn.com, ...
dunno, but might have something to do with Akamaization... James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
 
            Hello Ralph, Sunday, May 19, 2002, 10:50:23 AM, you wrote:
RD> I often like to know if a particular web server is running Unix or RD> Winblows. A port scanner is a useful tool in making that determination.
[allan@ns1 phpdig]$ telnet www.istop.com 80
Trying 216.187.106.194...
Connected to dci.doncaster.on.ca (216.187.106.194).
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 19 May 2002 01:47:57 GMT
Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8
RD> Sure, it works on some servers, but try it on yahoo.com, cnn.com, ...

As I think Eddy already mentioned, you can try Netcraft. Of course in the cases of Yahoo and CNN you have an Akamai factor...though CNN does return some useful information:

telnet www.cnn.com 80
Trying 207.25.71.20...
Connected to www1.cnn.com (207.25.71.20).
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Sun, 19 May 2002 14:58:55 GMT
Last-modified: Sun, 19 May 2002 14:58:55 GMT
Expires: Sun, 19 May 2002 14:59:55 GMT
Cache-control: private,max-age=60
Content-type: text/html
Connection: close

And, you can also try the direct approach: e-mail the webmaster and ask :). I guess the point I am trying to make is that there are ways of finding out this information without having to resort to portscans. The bank example is a very good one. With all of the security risks involved in managing a web server, and the associated database, it seems very important to ask the bank for an explanation of the steps they have taken to secure their website, and their customer database. If they don't give a satisfactory answer, bank somewhere else (or offer your services ;)). Certainly that is a better approach than scanning to see what you can find out. The organization receiving the scan has no way of knowing what your intentions are -- and should interpret them as hostile.

allan -- allan allan@allan.org http://www.allan.org
 
            If they don't give a satisfactory answer, bank somewhere else (or offer your services ;)). Certainly that is a better approach than scanning to see what you can find out. The organization receiving the scan has no way of knowing what your intentions are -- and should interpret them as hostile.
I think that's pretty stupid. If I had my network admin investigate every portscan, my staff costs would go up 10x and I'd quickly go bankrupt. Instead we keep our servers very secure, and spend the time and effort only when there is evidence of a break in.
 
            Hello Ralph, Sunday, May 19, 2002, 11:22:08 AM, you wrote:
If they don't give a satisfactory answer, bank somewhere else (or offer your services ;)). Certainly that is a better approach than scanning to see what you can find out. The organization receiving the scan has no way of knowing what your intentions are -- and should interpret them as hostile.
RD> I think that's pretty stupid. If I had my network admin investigate every RD> portscan, my staff costs would go up 10x and I'd quickly go bankrupt. RD> Instead we keep our servers very secure, and spend the time and effort RD> only when there is evidence of a break in. I didn't say investigate every portscan, I said assume every portscan is hostile. There is a big difference. allan -- allan allan@allan.org http://www.allan.org
 
            RD> I think that's pretty stupid. If I had my network admin investigate every RD> portscan, my staff costs would go up 10x and I'd quickly go bankrupt. RD> Instead we keep our servers very secure, and spend the time and effort RD> only when there is evidence of a break in.
I didn't say investigate every portscan, I said assume every portscan is hostile. There is a big difference.
So you assume it's hostile and do what? Automatically block the source IP? If you do that then you open up a bigger DOS hole. Then if someone sends a bunch of SYN scans with the source address spoofed as your upstream transit providers' BGP peering IP, poof! you're gone.
 
            Hello Ralph, Sunday, May 19, 2002, 12:13:35 PM, you wrote:
RD> I think that's pretty stupid. If I had my network admin investigate every RD> portscan, my staff costs would go up 10x and I'd quickly go bankrupt. RD> Instead we keep our servers very secure, and spend the time and effort RD> only when there is evidence of a break in.
I didn't say investigate every portscan, I said assume every portscan is hostile. There is a big difference.
RD> So you assume it's hostile and do what? Automatically block the source RD> IP? If you do that then you open up a bigger DOS hole. Then if someone RD> sends a bunch of SYN scans with the source address spoofed as your RD> upstream transit providers' BGP peering IP, poof! you're gone. You do the same thing you do with any attack: Log the information and take appropriate action. If you are constantly getting scanned from one netblock, you should be aware of that, the only way to be aware of it is to keep a record of all port scans. A portscan may be innocent, though I agree with those who have said previously that most portscans are not innocent, in which case it gets filed away into a database and forgotten. However, if the same network is continuously portscanning your network that network should be stopped. This whole process can be automated, so that it does not involve manual intervention...but don't you think a good network administrator should know what is happening to their network? And, since there is no way to distinguish an innocent portscan from one that is a precursor to an attack, wouldn't it make sense to keep track of all portscans? allan -- allan allan@allan.org http://www.allan.org
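The process Allan sketches (record every scan, roll the records up per netblock, act only on the network that keeps coming back) together with Ralph's objection two messages up (an automatic block keyed on the source address of SYN probes can be turned into a denial of service by spoofing your upstream's peering address), as one worked example. This is added code, not something either of them posted; the log format, the addresses and the /24 roll-up are constructed for the example, and the SYN-versus-CONNECT distinction is this example's own design choice: a completed three-way handshake shows the source really received the reply, while a bare SYN carries an unverified, spoofable source.

```python
"""Added example: keep a record of every scan, summarize it per netblock, and
nominate only persistent, source-confirmed scanners for action, never an
address on the never-block (peering/upstream) list. Log lines, addresses and
the log format are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Set

# Constructed log lines: "<timestamp> <kind> <src> -> <dst>:<port>".
# kind is SYN (half-open probe, source address unverified and spoofable) or
# CONNECT (three-way handshake completed, so the source really got our
# SYN/ACK). 198.51.100.1 stands in for an upstream's BGP peering address.
SAMPLE_LOG = """\
2002-05-19T14:02:11 SYN 203.0.113.17 -> 192.0.2.10:22
2002-05-19T14:02:11 SYN 203.0.113.17 -> 192.0.2.10:23
2002-05-19T14:02:12 CONNECT 203.0.113.17 -> 192.0.2.10:80
2002-05-19T14:02:12 CONNECT 203.0.113.44 -> 192.0.2.11:80
2002-05-19T14:02:13 CONNECT 203.0.113.44 -> 192.0.2.11:443
2002-05-19T14:05:00 SYN 198.51.100.1 -> 192.0.2.10:21
2002-05-19T14:05:00 SYN 198.51.100.1 -> 192.0.2.10:22
2002-05-19T14:05:01 SYN 198.51.100.1 -> 192.0.2.10:23
2002-05-19T14:05:01 SYN 198.51.100.1 -> 192.0.2.10:25
2002-05-19T14:07:30 SYN 192.0.2.200 -> 192.0.2.10:80
2002-05-19T14:09:02 SYN 100.64.0.5 -> 192.0.2.12:135
2002-05-19T14:09:02 SYN 100.64.0.5 -> 192.0.2.12:139
2002-05-19T14:09:03 SYN 100.64.0.5 -> 192.0.2.12:445
"""


@dataclass
class ScanEvent:
    ts: str
    kind: str
    src: str
    dst: str
    port: int


def parse_log(text: str) -> List[ScanEvent]:
    """Parse the constructed log format, tolerating junk lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "->":
            continue
        dst, port = parts[4].rsplit(":", 1)
        events.append(ScanEvent(parts[0], parts[1], parts[2], dst, int(port)))
    return events


def netblock(addr: str, prefix: int = 24) -> IPv4Network:
    """Roll an individual source up to its /24 (Allan's 'same network')."""
    return ip_network(f"{addr}/{prefix}", strict=False)


def summarize(events: List[ScanEvent], prefix: int = 24) -> Dict[IPv4Network, Dict[str, int]]:
    """Per-netblock record: total probes, distinct ports, confirmed connects."""
    acc = defaultdict(lambda: {"probes": 0, "ports": set(), "confirmed": 0})
    for ev in events:
        entry = acc[netblock(ev.src, prefix)]
        entry["probes"] += 1
        entry["ports"].add(ev.port)
        if ev.kind == "CONNECT":
            entry["confirmed"] += 1
    return {net: {"probes": v["probes"], "ports": len(v["ports"]), "confirmed": v["confirmed"]}
            for net, v in acc.items()}


def classify(events: List[ScanEvent], never_block: Set[str],
             min_ports: int = 3, prefix: int = 24) -> Dict[str, str]:
    """Verdict per netblock:
      'protected'  - contains a never-block address (peering, upstream): log only,
                     whatever the probe count, so spoofed SYNs cannot cut you off
      'unverified' - persistent but SYN-only, so the source may be spoofed
      'candidate'  - persistent with at least one completed handshake
      'logged'     - below threshold, kept on file as Allan suggests
    Nothing here installs a filter; it produces the list a human (or a
    rate-limited automaton) acts on."""
    protected = [ip_address(a) for a in never_block]
    verdicts = {}
    for net, s in summarize(events, prefix).items():
        if any(a in net for a in protected):
            verdicts[str(net)] = "protected"
        elif s["ports"] < min_ports:
            verdicts[str(net)] = "logged"
        elif s["confirmed"] == 0:
            verdicts[str(net)] = "unverified"
        else:
            verdicts[str(net)] = "candidate"
    return verdicts


if __name__ == "__main__":
    for net, verdict in classify(parse_log(SAMPLE_LOG), {"198.51.100.1"}).items():
        print(net, verdict)
```

Run against the sample, the netblock that probed four ports and completed handshakes comes out as a candidate, the netblock containing the peering address stays protected no matter how many SYNs carry it as a source, the SYN-only sweep of 135/139/445 is recorded but marked unverified, and the single probe is merely logged. Greg's squid-cache case further down the thread is the same shape of problem: a never-block entry for known caches and monitoring hosts keeps them out of the candidate list too.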
 
            [ On Sunday, May 19, 2002 at 14:14:18 (-0400), Allan Liska wrote: ]
Subject: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)
However, if the same network is continuously portscanning your network that network should be stopped.
Unless you're also a tier-1 kind of provider you don't usually get to control the AUP for other networks unrelated to your own. How do you propose to resolve a fundamental conflict between your own users need to access the content on a network that also happens to be regularly scanning your network? Unless real damage is done you probably don't even have any recourse under the law, even if you do happen to be in the same jurisdiction (and heaven help us should any such recourse ever become possible in the free world!). Unless you expect to be vulnerable to attack and thus really need to have a record of past scans in case they can be used in evidence; or maybe unless you're doing research into scanning activities; even keeping long-term logs of all scans becomes more of a burden than it's worth. "You will be scanned. Resistance is futile!" I.e. get over it! ;-) (Actually, that's not as bad of an analogy -- look at how active scans are handled in science fiction, such as in Star Trek. Sometimes they're treated as hostile, sometimes not. Scans aren't just used to target weapons -- they're also used to detect life signs on rescue missions! Certainly unless the captain is scared witless he or she has never held back on doing an active scan when information is needed, and when he or she is scared of detection a variety of "stealth scans" are often still attempted.) -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
 
            If you separate the pointless argument about the hostility of portscans and the viability of a distributed landmine system, this may turn out to be a useful discussion in the end. I mean--we all know portscans are hardly the ideal trigger anyhow. On top of the potential ambiguity of their intention, they are also difficult to reliably detect. The distributed landmine tied to subscription blackhole ala RBL may very well have significant positive attributes that are being drowned out due to the portscan debate. Obviously the vast majority in the spam world think RBL and/or ORBS have merit, despite the vocal complaints. Why not discuss viable alternative trigger methods instead of whining about portscans? Cheers, Benjamin P. Grubin, CISSP, GIAC
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Greg A. Woods Sent: Sunday, May 19, 2002 4:48 PM To: North America Network Operators Group Mailing List Subject: Re: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)
[ On Sunday, May 19, 2002 at 14:14:18 (-0400), Allan Liska wrote: ]
Subject: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)
However, if the same network is continuously portscanning your network that network should be stopped.
Unless you're also a tier-1 kind of provider you don't usually get to control the AUP for other networks unrelated to your own.
How do you propose to resolve a fundamental conflict between your own users need to access the content on a network that also happens to be regularly scanning your network? Unless real damage is done you probably don't even have any recourse under the law, even if you do happen to be in the same jurisdiction (and heaven help us should any such recourse ever become possible in the free world!).
Unless you expect to be vulnerable to attack and thus really need to have a record of past scans in case they can be used in evidence; or maybe unless you're doing research into scanning activities; even keeping long-term logs of all scans becomes more of a burden than it's worth.
"You will be scanned. Resistance is futile!" I.e. get over it! ;-)
(Actually, that's not as bad of an analogy -- look at how active scans are handled in science fiction, such as in Star Trek. Sometimes they're treated as hostile, sometimes not. Scans aren't just used to target weapons -- they're also used to detect life signs on rescue missions! Certainly unless the captain is scared witless he or she has never held back on doing an active scan when information is needed, and when he or she is scared of detection a variety of "stealth scans" are often still attempted.)
--
Greg A. Woods
+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
 
            [ On Sunday, May 19, 2002 at 17:45:36 (-0400), Benjamin P. Grubin wrote: ]
Subject: RE: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)
If you separate the pointless argument about the hostility of portscans and the viability of a distributed landmine system, this may turn out to be a useful discussion in the end. I mean--we all know portscans are hardly the ideal trigger anyhow. On top of the potential ambiguity of their intention, they are also difficult to reliably detect.
The distributed landmine tied to subscription blackhole ala RBL may very well have significant positive attributes that are being drowned out due to the portscan debate. Obviously the vast majority in the spam world think RBL and/or ORBS have merit, despite the vocal complaints. Why not discuss viable alternative trigger methods instead of whining about portscans?
Well, there is still the issue of discovering the intent of a scan, regardless of how many landmines have to be triggered before a blackhole listing is put in place. Such technology is very dangerous if automated. Anyone with sufficient intelligence to find enough of the landmine systems could probably also figure out how to trigger them in such a way as to DoS any random host or network at will (assuming enough networks to matter used the listing service in real time). Unless there's also a sure-fire automated way of quickly revoking such a black list entry, as well as a free white-listing service, the consequences are far too dire to earn my support. On the other hand SMTP open relay blackholes are easy to prove and usually easy enough to fix and get de-listed from. Even the Spamcop realtime DNS list "bl.spamcop.net" is pretty hard to trick, and of course it's not really widely enough used that getting listed there is all that disruptive (apparently, since listed sites keep sending spam with no apparent degradation in their throughput). -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
 
            On Sun, 19 May 2002, Dan Hollis wrote:
On Sun, 19 May 2002, Greg A. Woods wrote:
Such technology is very dangerous if automated.
And if it's not?
Quis custodiet ipsos custodes? Such technology is very dangerous, period. Here they go again, trying to elevate some Internet masterrace of super heroes, bent on ruling over the masses. The titans of blackholing, carving out a fiefdom for themselves, with powers of disrupting the connectivity of any network they so chose. You anger some net.warlord, and your network disappears. What is it that turns a technocracy into idolaters? --Mitch NetSide
 
            On Sun, 19 May 2002, Mitch Halmu wrote:
On Sun, 19 May 2002, Greg A. Woods wrote:
Such technology is very dangerous if automated.
And if it's not?
Quis custodiet ipsos custodes? Such technology is very dangerous, period. Here they go again, trying to elevate some Internet masterrace of super heroes, bent on ruling over the masses. The titans of blackholing, carving out a fiefdom for themselves, with powers of disrupting the connectivity of any network they so chose. You anger some net.warlord, and your network disappears. What is it that turns a technocracy into idolaters?
Just to put mitch's rant into perspective for unfamiliar nanog readers: http://work-rss.mail-abuse.org/cgi-bin/nph-rss?query=205.159.140.2 netside has been a long time lunatic opponent of RBLs -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
 
            On Sun, 19 May 2002, Dan Hollis wrote:
netside has been a long time lunatic opponent of RBLs
First they came for the Communists, and I didn't speak up, because I wasn't a Communist. Then they came for the Jews, and I didn't speak up, because I wasn't a Jew. Then they came for the Catholics, and I didn't speak up, because I was a Protestant. Then they came for me, and by that time there was no one left to speak up for me. (Rev. Martin Niemoller, 1945) --Mitch NetSide
 
            On Sun, 19 May 2002, Dan Hollis wrote:
netside has been a long time lunatic opponent of RBLs
First they came for the Communists, and I didn't speak up, because I wasn't a Communist. Then they came for the Jews, and I didn't speak up, because I wasn't a Jew. Then they came for the Catholics, and I didn't speak up, because I was a Protestant. Then they came for me, and by that time there was no one left to speak up for me.
Me, I will give them a nice color map to your house. Shiksaa was kind enough to point out a picture of you. I know that I really shouldn't do this, but..... http://63.117.95.227/kooks/mitch.html Mike - opinions are definitely just mine and mine alone.
 
            On Sun, May 19, 2002 at 11:32:20PM -0400, mitch@netside.net said:
On Sun, 19 May 2002, Dan Hollis wrote:
netside has been a long time lunatic opponent of RBLs
First they came for the Communists, and I didn't speak up, because I wasn't a Communist. Then they came for the Jews, and I didn't speak up, because I wasn't a Jew.
That's close enough to Godwin for me. Next discussion, please.
Then they came for the Catholics, and I didn't speak up, because I was a Protestant. Then they came for me, and by that time there was no one left to speak up for me.
(Rev. Martin Niemoller, 1945)
--Mitch NetSide
-- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
 
            In the referenced message, Mitch Halmu said:
On Sun, 19 May 2002, Dan Hollis wrote:
netside has been a long time lunatic opponent of RBLs
First they came for the Communists, and I didn't speak up, because I wasn't a Communist. Then they came for the Jews, and I didn't speak up, because I wasn't a Jew. Then they came for the Catholics, and I didn't speak up, because I was a Protestant. Then they came for me, and by that time there was no one left to speak up for me.
(Rev. Martin Niemoller, 1945)
--Mitch NetSide
Just think, there are still the spammers who you let use your open relay. They can still speak up for you. You say it is too hard to close your relay, while vast numbers of providers have done so, without issue. Every closed relay is one less that a spammer has available to abuse and mask their identity. "Once there was a great storm that washed thousands of starfish up onshore. As an old man walked the beach he saw a young boy picking up stranded starfish and quickly returning them to the sea. The man approached the boy and said, "What are you doing? The sun is rapidly rising. What difference does it make? They're all going to die anyway." As the boy rose from picking up another starfish he said, "What difference does it make? It will make a difference to this one." Then he turned and set the starfish free." -- Adapted from "The Star Thrower" by Loren Eiseley
 
            In the immortal words of Mitch Halmu (mitch@netside.net):
(Rev. Martin Niemoller, 1945)
Congratulations, Mitch, you have done what many of us would have considered impossible: you have surpassed your own previous high-water mark for tasteless, self-involved bullshit. (Which, for the short-of-memory, was when you used the 9/11 attacks as justification for demanding that MAPS be turned off.) My dead relatives have nothing to do with your desire to run an open relay with no consequences. Kindly go fuck yourself. -n p.s. cc'ed to nanog-request: please consider this to be yet another request to have Mitch removed from this list. p.p.s. I believe this counts as a Godwin invocation. Thread closed. ------------------------------------------------------<memory@blank.org> The life of a sysadmin is always intense. <http://blank.org/memory/>----------------------------------------------
 
            On Sun, May 19, 2002 at 10:02:26PM -0400, mitch@netside.net said: [snip]
Such technology is very dangerous if automated.
And if it's not?
Quis custodiet ipsos custodes?
Such technology is very dangerous, period. Here they go again, trying to elevate some Internet masterrace of super heroes, bent on ruling over the masses. The titans of blackholing, carving out a fiefdom for themselves, with powers of disrupting the connectivity of any network they so chose. You anger some net.warlord, and your network disappears.
No. You attack or spam some other network, and said network's operator can take action as appropriate to that network. Such action may include that network refusing to accept future traffic from the offending network until the problem is resolved. I don't see how this rates as 'ruling over the masses' - it becomes, as it always has been, individual network operators deciding how best to run their networks, as they see fit. My decisions apply to my network, and nobody else's. Or are you saying that network operators should not be trusted to run their networks as they see fit? Who then makes the rules?
What is it that turns a technocracy into idolaters?
What is it that turns the decision of an individual network operator into a rant about political ideology? -- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
 
            [ On Sunday, May 19, 2002 at 16:30:48 (-0700), Dan Hollis wrote: ]
Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product)
On Sun, 19 May 2002, Greg A. Woods wrote:
Such technology is very dangerous if automated.
And if it's not?
If it's not an automated system then it's only as dangerous as the person(s) controlling it, plus whatever propensity they have for making unintended errors that would not be made by a properly tested automatic system.... -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
 
            [ On Sunday, May 19, 2002 at 11:22:08 (-0400), Ralph Doncaster wrote: ]
Subject: Re: Re[4]: "portscans" (was Re: Arbor Networks DoS defense product)
I think that's pretty stupid. If I had my network admin investigate every portscan, my staff costs would go up 10x and I'd quickly go bankrupt.
Indeed -- and we can only hope. I know a few companies who actually do that, and sometimes their policies about how they do it are so broken they refuse to acknowledge the difference between the likes of a squid cache server just doing its job and a compromised Windoze box scanning for web servers. :-) -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
 
            On Sat, May 18, 2002 at 07:17:43PM -0400, ralph@istop.com said: [snip]
network to gather information or run recon if they were not planning on attacking? I'm not saying that you're not right, I'm just saying that so far I have heard no valid non-attack reasons for portscans (other than those run by network admins against their own networks).
I often like to know if a particular web server is running Unix or Winblows. A port scanner is a useful tool in making that determination.
a full-blown portscan is not required here. A simple telnet to port 80 will do the job.
<sarcasm> And why, pray tell, would some stranger be carrying a concealed gun if they were not planning on shooting someone? </sarcasm>
Show me how to defend myself from attack by portscanning the networks of random strangers, and I will concede the point. :) -- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
 
            I often like to know if a particular web server is running Unix or Winblows. A port scanner is a useful tool in making that determination.
a full-blown portscan is not required here. A simple telnet to port 80 will do the job.
A simple telnet to port 80 will sometimes do the job, but often not. And even your statement "a full-blown portscan is not required" concedes that a portscan will work in making this determination.
 
            [ On Saturday, May 18, 2002 at 16:03:11 (-0700), Scott Francis wrote: ]
Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product)
And why, pray tell, would some unknown and unaffiliated person be scanning my network to gather information or run recon if they were not planning on attacking? I'm not saying that you're not right, I'm just saying that so far I have heard no valid non-attack reasons for portscans (other than those run by network admins against their own networks).
I scan networks and hosts very regularly for legitimate diagnostic purposes as well as occasionally for curiosity's sake. I've never attacked any host or network that I was not directly responsible for. If you don't want the public portions of your network mapped then you should withdraw them from public view. BTW, please be one heck of a lot more careful with your replies. My original reply to you was not copied to the list and I did not give you permission to post a response quoting my words back to the list. -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
 
            On Sat, May 18, 2002 at 11:05:34PM -0400, woods@weird.com said:
[ On Saturday, May 18, 2002 at 16:03:11 (-0700), Scott Francis wrote: ]
Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product)
And why, pray tell, would some unknown and unaffiliated person be scanning my network to gather information or run recon if they were not planning on attacking? I'm not saying that you're not right, I'm just saying that so far I have heard no valid non-attack reasons for portscans (other than those run by network admins against their own networks).
I scan networks and hosts very regularly for legitimate diagnostic purposes as well as occasionally for curiosity's sake. I've never
Legitimate diagnostic purposes would mean that you would not fall into the category of "unknown and unaffiliated". Curiosity's sake, well ... depends on whose network it is.
attacked any host or network that I was not directly responsible for. If you don't want the public portions of your network mapped then you should withdraw them from public view.
Agreed there. Defense is important. It might be good to note that I'm not giving a blanket condemnation of all portscans at all times; but as a GENERAL RULE, portscans from strangers, especially methodical ones that map out a network, are a precursor to some more unsavory activity.
BTW, please be one heck of a lot more careful with your replies. My original reply to you was not copied to the list and I did not give you permission to post a response quoting my words back to the list.
Apologies; my finger was a bit too quick on the 'g'. As this message came to the list, I will assume it is safe to cc the list on my reply. Sorry about that last. -- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
 
            [ On Saturday, May 18, 2002 at 20:15:10 (-0700), Scott Francis wrote: ]
Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product)
Apologies; my finger was a bit too quick on the 'g'. As this message came to the list, I will assume it is safe to cc the list on my reply. Sorry about that last.
Apology accepted, but I strongly recommend you learn to use some more reliable mail reader software -- something that doesn't accidentally invent reply addresses! There was no hint that my message to you was in any way associated with the NANOG list -- it was delivered directly to you and CC'd only to the person you were responding to. Some outside influence had to have associated it with having been a reply to a list posting and connected your desire to reply with inclusion of the list submission address. According to your reply's headers you're using Mutt-1.3.25i, and according to the Mutt manual 'g' is the group-reply command. I don't find any hint in the description of that command to indicate that it will magically associate a given message with a list, especially one that was not received from the list. Even the 'list-reply' command should not be able to associate a private reply with the list address. If Mutt really does magically associate private replies with list addresses by some mysterious mechanism then it's even more broken than I suspected..... -- Greg A. Woods +1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
 
            On Sat, May 18, 2002 at 11:46:21PM -0400, woods@weird.com said:
[ On Saturday, May 18, 2002 at 20:15:10 (-0700), Scott Francis wrote: ]
Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product)
Apologies; my finger was a bit too quick on the 'g'. As this message came to the list, I will assume it is safe to cc the list on my reply. Sorry about that last.
Apology accepted, but I strongly recommend you learn to use some more reliable mail reader software -- something that doesn't accidentally invent reply addresses! There was no hint that my message to you was in any way associated with the NANOG list -- it was delivered directly to you and CC'd only to the person you were responding to. Some outside influence had to have associated it with having been a reply to a list posting and connected your desire to reply with inclusion of the list submission address. According to your reply's headers you're using Mutt-1.3.25i, and according to the Mutt manual 'g' is the group-reply command. I don't find any hint in the description of that command to indicate that it will magically associate a given message with a list, especially one that was not received from the list. Even the 'list-reply' command should not be able to associate a private reply with the list address. If Mutt really does magically associate private replies with list addresses by some mysterious mechanism then it's even more broken than I suspected.....
It doesn't. I cc'd the list because I thought the message to be germane to the public thread, and no mention was made of the message being private. That was a misstep on my part, for which I apologize, and that was what I meant by "a little too quick on the 'g'". I will in the future assume all replies not cc'd to the list to be private, or else get permission before cc'ing the list on a reply. Mea culpa. -- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
 
            On Sat, 18 May 2002, Scott Francis wrote:
On Sat, May 18, 2002 at 11:05:34PM -0400, woods@weird.com said:
attacked any host or network that I was not directly responsible for. If you don't want the public portions of your network mapped then you should withdraw them from public view.
Agreed there. Defense is important. It might be good to note that I'm not giving a blanket condemnation of all portscans at all times; but as a GENERAL RULE, portscans from strangers, especially methodical ones that map out a network, are a precursor to some more unsavory activity.
And what the critics keep missing is that it will take several landmine hits across the internet to invoke a blackhole. Just scanning a few individual hosts or /24s won't do it.
There are three aims of the landmine project:
1) early warning
2) defensive response
3) deterrence
I realize such a project won't be absolutely, positively perfect in every aspect, and it won't satisfy 100% of the people 100% of the time. But that's hardly an excuse to not do it. IMO the positives outweigh the negatives by far. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
 
            On Sun, May 19, 2002 at 12:12:01AM -0700, goemon@anime.net said: [snip]
And what the critics keep missing is that it will take several landmine hits across the internet to invoke a blackhole. Just scanning a few individual hosts or /24s won't do it.
There are three aims of the landmine project:
1) early warning
2) defensive response
3) deterrence
I realize such a project won't be absolutely, positively perfect in every aspect, and it won't satisfy 100% of the people 100% of the time. But that's hardly an excuse to not do it. IMO the positives outweigh the negatives by far.
This is what I have been (unsuccessfully) attempting to state. I apparently need more practice in being coherent. :) -- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
participants (12)
- Allan Liska
- Benjamin P. Grubin
- Dan Hollis
- E.B. Dreger
- Mike Lewinski
- Mitch Halmu
- Nathan J. Mehl
- Ralph Doncaster
- Scott Francis
- Stephen Griffin
- up@3.am
- woods@weird.com