Re: Scanning the Internet for Vulnerabilities

Carsten, no, it’s more like 50,000 furnace guys who show up several times a day to rattle doorknobs, attempt to push slim jims into window latches, hack your garage door opener, sneak into your back garden, and fly drones around your home to see what valuables you might have. Yes, some of them are altruistic, but some are self-righteous officious boobs, and the vast majority are career criminals that will rob your house, drain your retirement account, and kill your family with a spoofed SWAT raid.

-mel beckman

I treat these folk with the same respect they afford me. Not once in 30 years of having a connected network (v4 or v6) has any entity asked "is it OK if we .. ?". To my mind, it seems rather idiotic and self-defeating to have the plumbing congested with packets intended to measure congestion :-(

Michael

On 6/20/22 09:46, Mel Beckman wrote:

The intent behind vulnerability scans is good; however, the majority of DOS attacks that my networks encounter these days are from cybersecurity organizations conducting cybersecurity research. Funding requests for DOS mitigation solutions to protect my networks from cybersecurity researchers are not taken seriously.

- Matt

On Jun 20, 2022, at 12:55 PM, Randy Bush <randy@psg.com> wrote:
I treat these folk with the same respect they afford me. Not once in 30 years of having a connected network (v4 or v6) has any entity asked "is it OK if we .. ?".

how strange, considering you are replying to a thread doing so. fwiw, i appreciate vuln scanners. i do not have the hubris or tools to think i run a flawless network or servers.

randy

On 6/20/22 12:24 PM, Matthew Craig wrote:
Yeah. The unwritten rule of this is "if you're going to do it, do it gently enough that the person receiving it doesn't notice". If the load average on my server goes up by 20 because you've opened 20 simultaneous HTTP connections and you're sending nonstop requests on all of them for thousands of random filenames that don't exist (but which each cause a PHP script to run), I'm not going to appreciate it. Same if you send tens of thousands of TCP SYNs a second so you can quickly scan all possible ports of hundreds of IP addresses. If I don't even notice it, though, I'm unlikely to be bothered to object to it.

-- Robert L Mathews
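The pattern Robert describes above (one source opening many connections and requesting thousands of filenames that do not exist) is easy to pick out of an ordinary web server access log, which is what an operator would want to do before deciding whether a scan is "gentle" or worth an abuse complaint. The following detector is an added example written for this page, not code from the thread or from any participant; it assumes Apache/nginx "combined" log format, a 60-second window, and thresholds of 20 responses with status 404 of which at least 80% are distinct paths, all of which are tunable assumptions. The sample log lines are constructed: one heavy scanner, one ordinary visitor, and one slow scanner that stays below the threshold, mirroring the "if I don't notice it" point.

```python
"""Flag sources that hammer a web server with requests for non-existent files.

Added example (not from the NANOG thread). Assumptions: "combined" access
log format, a sliding 60-second window per client IP, and thresholds of
MIN_404 responses with status 404 of which MIN_DISTINCT_RATIO are distinct
paths. All sample log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

MIN_404 = 20              # assumed threshold: 404s inside one window
MIN_DISTINCT_RATIO = 0.8  # assumed threshold: share of distinct paths among them
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_noisy_scanners(lines, window=WINDOW, min_404=MIN_404,
                        min_distinct_ratio=MIN_DISTINCT_RATIO):
    """Return {ip: (count_404, distinct_paths)} for sources exceeding the thresholds.

    Only 404 responses are considered; per IP, a sliding window keeps the
    (time, path) of recent 404s, and an IP is flagged when the window holds
    at least min_404 entries and most of them are distinct paths (random
    filenames rather than one missing favicon fetched repeatedly).
    """
    events = [e for e in map(parse_line, lines) if e and e["status"] == 404]
    events.sort(key=lambda e: e["time"])  # logs are usually ordered, but be safe
    recent = defaultdict(deque)           # ip -> deque of (time, path) within window
    flagged = {}
    for e in events:
        q = recent[e["ip"]]
        q.append((e["time"], e["path"]))
        while q and e["time"] - q[0][0] > window:
            q.popleft()                   # evict entries older than the window
        distinct = len({p for _, p in q})
        if len(q) >= min_404 and distinct / len(q) >= min_distinct_ratio:
            # report the largest window observed for this source
            if len(q) > flagged.get(e["ip"], (0, 0))[0]:
                flagged[e["ip"]] = (len(q), distinct)
    return flagged


def make_line(ip, t, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{t.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "constructed-sample/1.0"')


T0 = datetime(2022, 6, 20, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
# Heavy scanner: 25 distinct non-existent .php names in about 10 seconds.
for i in range(25):
    SAMPLE_LOG.append(make_line("203.0.113.7", T0 + timedelta(seconds=i * 0.4),
                                f"/probe-{i:04d}.php", 404))
# Ordinary visitor: a few pages plus a missing favicon requested twice.
for i, (path, status) in enumerate([("/", 200), ("/favicon.ico", 404), ("/about", 200),
                                    ("/favicon.ico", 404), ("/contact", 200)]):
    SAMPLE_LOG.append(make_line("198.51.100.4", T0 + timedelta(seconds=5 * i), path, status))
# Slow scanner: five distinct 404s spaced five minutes apart, never reaching the threshold.
for i in range(5):
    SAMPLE_LOG.append(make_line("192.0.2.9", T0 + timedelta(minutes=5 * i),
                                f"/old-{i}.php", 404))

if __name__ == "__main__":
    for ip, (count, distinct) in find_noisy_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {count} x 404 in window, {distinct} distinct paths")
```

Run against a real log with `find_noisy_scanners(open("access.log"))`; the thresholds are the knob that separates a scanner you would never notice from one that changes your load average, which is the distinction the post is drawing.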

On Jun 20, 2022, at 10:02 AM, Michael Butler via NANOG <nanog@nanog.org> wrote:
I treat these folk with the same respect they afford me. Not once in 30 years of having a connected network (v4 or v6) has any entity asked "is it OK if we .. ?".
Quite the opposite, I once had to endure significant frustration in contacting the organization running a system that kept emailing my abuse contacts about a historical computer I maintained, advising me that my “Insecure CISCO Router” was still accepting “dangerous” telnet connections despite the host’s banner including the text “This system is not a router; The availability of telnet access to this system is intentional.” If you are engaging in mass scanning and are not going to listen to the targets of your scanning, please at least pay attention to your results.

It seems to me there's vulnerability testing and there's vulnerability testing, and just lumping them all together motivates disparate opinions. For example, it's one thing to perhaps see if home routers' login/passwords are admin/admin or similar, or if systems seem to be vuln to easily exploitable bugs, and reporting such problems to someone in charge, versus, say, hammering at some network to see when/if DDoS mitigation kicks in. For example, I've gotten email in the past that some of my servers were running ntp in a way which makes them vuln to being used for DDoS amplification and, I believe, fixed that. I didn't mind. Anyhow, you all probably get my point without further hypotheticals or examples. Scanning for known vulns and reporting can be ok; testing to destruction? Not so much.

-- 
-Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
participants (9)
- bzs@theworld.com
- Daniel Seagraves
- J. Hellenthal
- Matthew Craig
- Mel Beckman
- Michael Butler
- nanog08@mulligan.org
- Randy Bush
- Robert L Mathews