Re: Scanning the Internet for Vulnerabilities
Carsten,
No, it’s more like 50,000 furnace guys who show up several times a day to rattle doorknobs, attempt to push slim jims into window latches, hack your garage door opener, sneak into your back garden, and fly drones around your home to see what valuables you might have. Yes, some of them are altruistic, but some are self-righteous officious boobs, and the vast majority are career criminals that will rob your house, drain your retirement account, and kill your family with a spoofed SWAT raid.
-mel beckman
On Jun 20, 2022, at 4:20 AM, Carsten Bormann <cabo@tzi.org> wrote:
On 2022-06-20, at 04:18, Mel Beckman <mel@beckman.org> wrote:
When researchers, or whoever, claim their scanning is an altruistic service, I ask them if they would mind someone coming to their home and trying to open all the doors and windows every night.
Well, it is more like the guy who comes once a year and checks that your central heating is not going to blow up.
(Disclaimer: I have supervised students who designed and executed benign mass-scans of the IPv4 Internet in order to validate hypotheses about market penetration of certain security updates, and I definitely would do that again if there is a good reason to perform such a scan.)
Regards, Carsten
I treat these folk with the same respect they afford me. Not once in 30 years of having a connected network (v4 or v6) has any entity asked "is it OK if we .. ?".
To my mind, it seems rather idiotic and self-defeating to have the plumbing congested with packets intended to measure congestion :-(
Michael
On 6/20/22 09:46, Mel Beckman wrote:
On Mon, Jun 20, 2022 at 11:02:25AM -0400, Michael Butler via NANOG wrote:
I treat these folk with the same respect they afford me. Not once in 30 years of having a connected network (v4 or v6) has any entity asked "is it OK if we .. ?".
To my mind, it seems rather idiotic and self-defeating to have the plumbing congested with packets intended to measure congestion :-(
Michael
Well put!
On 6/20/22 09:46, Mel Beckman wrote:
-- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
I treat these folk with the same respect they afford me. Not once in 30 years of having a connected network (v4 or v6) has any entity asked "is it OK if we .. ?".
how strange, considering you are replying to a thread doing so. fwiw, i appreciate vuln scanners. i do not have the hubris or tools to think i run a flawless network or servers. randy
The intent behind vulnerability scans is good, however the majority of DOS attacks that my networks encounter these days are from cybersecurity organizations conducting cybersecurity research. Funding requests for DOS mitigation solutions to protect my networks from cybersecurity researchers are not taken seriously.
- Matt
On Jun 20, 2022, at 12:55 PM, Randy Bush <randy@psg.com> wrote:
I treat these folk with the same respect they afford me. Not once in 30 years of having a connected network (v4 or v6) has any entity asked "is it OK if we .. ?".
how strange, considering you are replying to a thread doing so.
fwiw, i appreciate vuln scanners. i do not have the hubris or tools to think i run a flawless network or servers.
randy
On 6/20/22 12:24 PM, Matthew Craig wrote:
The intent behind vulnerability scans is good, however the majority of DOS attacks that my networks encounter these days are from cybersecurity organizations conducting cybersecurity research.
Yeah. The unwritten rule of this is "if you're going to do it, do it gently enough that the person receiving it doesn't notice". If the load average on my server goes up by 20 because you've opened 20 simultaneous HTTP connections and you're sending nonstop requests on all of them for thousands of random filenames that don't exist (but which each cause a PHP script to run), I'm not going to appreciate it. Same if you send tens of thousands of TCP SYNs a second so you can quickly scan all possible ports of hundreds of IP addresses. If I don't even notice it, though, I'm unlikely to be bothered to object to it. -- Robert L Mathews
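As an added illustration (not code from the thread or from any poster), the following Python flags the kind of scanner Robert describes, one that fires thousands of requests for nonexistent files, by counting 404 responses per client IP over a sliding window of a web server's access log. The log lines, addresses and the 50-per-10-seconds threshold are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" style access-log line (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp, status) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status")))

def noisy_sources(lines, window=timedelta(seconds=10), max_404=50):
    """Map client IP -> peak number of 404s seen in any `window`-long span,
    for clients whose peak exceeds max_404 (a "not gentle" scan per the thread)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == 404:
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()                      # logs may be interleaved; sort per client
        start, peak = 0, 0
        for end, t in enumerate(times):   # classic two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_404:
            flagged[ip] = peak
    return flagged

def make_line(ip, ts, path, status):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512'

# Constructed sample log: one client requesting 120 random .php names in ~5 s
# (documentation-range address 198.51.100.7), one client with a few stray 404s.
BASE = datetime(2022, 6, 20, 9, 46, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [make_line("198.51.100.7", BASE + timedelta(milliseconds=40 * i), f"/x{i:04d}.php", 404) for i in range(120)]
    + [make_line("203.0.113.9", BASE + timedelta(minutes=10 * i), f"/old{i}.html", 404) for i in range(5)]
    + [make_line("203.0.113.9", BASE, "/index.html", 200)]
)

if __name__ == "__main__":
    print(noisy_sources(SAMPLE_LOG))      # {'198.51.100.7': 120}
```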
Randy, Great idea! And bill the taxpayers! -mel via cell
On Jun 20, 2022, at 11:55 AM, Randy Bush <randy@psg.com> wrote:
I treat these folk with the same respect they afford me. Not once in 30 years of having a connected network (v4 or v6) has any entity asked "is it OK if we .. ?".
how strange, considering you are replying to a thread doing so.
fwiw, i appreciate vuln scanners. i do not have the hubris or tools to think i run a flawless network or servers.
randy
On Jun 20, 2022, at 10:02 AM, Michael Butler via NANOG <nanog@nanog.org> wrote:
I treat these folk with the same respect they afford me. Not once in 30 years of having a connected network (v4 or v6) has any entity asked "is it OK if we .. ?".
Quite the opposite, I once had to endure significant frustration in contacting the organization running a system that kept emailing my abuse contacts about a historical computer I maintained, advising me that my “Insecure CISCO Router” was still accepting “dangerous” telnet connections despite the host’s banner including the text “This system is not a router; The availability of telnet access to this system is intentional.” If you are engaging in mass scanning and are not going to listen to the targets of your scanning please at least pay attention to your results.
Hey - I have a neat new idea... Let's test the structure of levees by flooding the rivers and seeing what levees don't survive. Geoff On 6/20/22 07:46, Mel Beckman wrote:
It seems to me there's vulnerability testing and there's vulnerability testing, and just lumping them all together motivates disparate opinions. For example, it's one thing to perhaps see if home routers' logins/passwords are admin/admin or similar, or if systems seem to be vuln to easily exploitable bugs, and reporting such problems to someone in charge, versus, say, hammering at some network to see when/if DDoS mitigation kicks in.
For example, I've gotten email in the past that some of my servers were running ntp in a way which makes them vuln to being used for DDoS amplification and, I believe, fixed that. I didn't mind.
Anyhow, you all probably get my point without further hypotheticals or examples. Scanning for known vulns and reporting can be ok, testing to destruction? Not so much.
--
-Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
For example I've gotten email in the past that some of my servers were running ntp in a way which makes them vuln to being used for DDoS amplification and, I believe, fixed that. I didn't mind.
that was a really well done campaign. i thanked them profusely. randy
participants (9)
-
bzs@theworld.com
-
Daniel Seagraves
-
J. Hellenthal
-
Matthew Craig
-
Mel Beckman
-
Michael Butler
-
nanog08@mulligan.org
-
Randy Bush
-
Robert L Mathews