Re: anti-spam vs network abuse
"andy" == Andy Dills <andy@xecu.net> writes:

andy> On Fri, 28 Feb 2003, Charlie Clemmer wrote:
At 03:52 PM 2/28/2003 -0500, Andy Dills wrote:
Why is probing networks wrong?
Depends on why you're doing the probing.
andy> If so, why outlaw the act of probing? Why not outlaw "probing
andy> for the purposes of..."?

What's the offset into the probe packets to the "intent of this probe" field? And would you trust it if there were one anyway?
If you randomly walk up to my house and check to see if the door is unlocked, you better be ready for a reaction. Same thing with unsolicited probes, in my opinion. Can I randomly walk up to your car to see if it's unlocked without getting a reaction out of you?
andy> This is different. Metaphors applying networking concepts to
andy> real world scenarios are tenuous at best.

andy> In this case, your door being unlocked cannot cause me
andy> harm. However, an "unlocked proxy" can.

Heh, so I guess you could make it his gun and the safety. Does that change your answer? ;-)

andy> Legit probes are an attempt to mitigate network abuse, not
andy> increase it. If there was a sanctioned body who was trusted to
andy> scan for such things, maybe this wouldn't be an issue. But
andy> there's not, so it's a vigilante effort.

What's a legit probe? One where the owner gave you permission in advance to run the scan? I can't think of another definition of that phrase.

andy> You don't have to. This is why I never understood why people
andy> care so much about probing. If you do a good job with your
andy> network, probing will have zero effect on you. All the person
andy> probing can do (regardless of their intent) is say "Gee, I guess
andy> there aren't any vulnerabilities with this network."

This is a completely naive statement. There are 0 networks that I'm willing to believe have 0 vulnerabilities on them. There may be 0 that you know about, but that doesn't mean there aren't more vulnerabilities which aren't public knowledge lurking in sendmail or bind or ssh or ssl or apache or any number of other services you have running.

IMHO,
Michael
On 1 Mar 2003, Michael Lamoureux wrote:
andy> If so, why outlaw the act of probing? Why not outlaw "probing
andy> for the purposes of..."?
What's the offset into the probe packets to the "intent of this probe" field? And would you trust it if there were one anyway?
People speed, drive drunk, and run over pedestrians. Should we outlaw cars? Maybe just in California? :)
What's a legit probe? One where the owner gave you permission in advance to run the scan? I can't think of another definition of that phrase.
When you walk into the secure part of an airport or some schools in rough neighborhoods, you're scanned for metallic objects. When you exchange traffic with certain networks, they may also want to check you out to see what risk may be associated with accepting your data in the future. If your system is an open relay/proxy, then there's elevated risk that at some point (if not already), the data coming from your system will be SPAM. Some networks will choose not to accept your data or to tag it in order to prevent their customers from having to accept unwanted data.
This is a completely naive statement. There are 0 networks that I'm willing to believe have 0 vulnerabilities on them. There may be 0 that you know about, but that doesn't mean there aren't more vulnerabilities which aren't public knowledge lurking in sendmail or bind or ssh or ssl or apache or any number of other services you have running.
So if nobody probes your network, it's more secure?

Jon Lewis <jlewis@lewis.org>, System Administrator, Atlantic Net
At 01:41 PM 3/1/2003 -0500, Michael Lamoureux wrote:
andy> In this case, your door being unlocked cannot cause me
andy> harm. However, an "unlocked proxy" can.
Heh, so I guess you could make it his gun and the safety. Does that change your answer? ;-)
Heh ... I wasn't going to go there, but that's what I meant by being prepared for my response. :)
On 1 Mar 2003, Michael Lamoureux wrote:
If you randomly walk up to my house and check to see if the door is unlocked, you better be ready for a reaction. Same thing with unsolicited probes, in my opinion. Can I randomly walk up to your car to see if it's unlocked without getting a reaction out of you?
andy> This is different. Metaphors applying networking concepts to
andy> real world scenarios are tenuous at best.

andy> In this case, your door being unlocked cannot cause me
andy> harm. However, an "unlocked proxy" can.
Heh, so I guess you could make it his gun and the safety. Does that change your answer? ;-)
No, because a gun is private property and is not lying around for the public to examine. If I saw a gun sitting on the street, I would take it to the police. Even though that might be stealing, I'm still doing the right thing. Any more metaphors for me to debunk?

Here's another weak metaphor for you: Probing ports is like knocking on a door. It's not inherently a nuisance. Knocking repeatedly without regard to the people inside is abuse. Likewise, knocking on a door, noticing that nobody is home, trying the knob, seeing that it's unlocked, and entering... that's clearly abuse also. But should we outlaw knocking on doors because some people do it to annoy people and some people do it to see if they can break in?

But of course, that's not even the same, for various reasons. So, let's stop using metaphors to debate this. As Jack Nicholson said in "As Good as it Gets", "People who speak in metaphors should shampoo my crotch."
andy> Legit probes are an attempt to mitigate network abuse, not
andy> increase it. If there was a sanctioned body who was trusted to
andy> scan for such things, maybe this wouldn't be an issue. But
andy> there's not, so it's a vigilante effort.
What's a legit probe? One where the owner gave you permission in advance to run the scan? I can't think of another definition of that phrase.
A legit probe is simply a probe with good intentions. And no, you have no way of knowing. But you also don't have to accept his traffic. So don't try to make this a LEGAL issue, keep it civil.
andy> You don't have to. This is why I never understood why people
andy> care so much about probing. If you do a good job with your
andy> network, probing will have zero effect on you. All the person
andy> probing can do (regardless of their intent) is say "Gee, I guess
andy> there aren't any vulnerabilities with this network."
This is a completely naive statement. There are 0 networks that I'm willing to believe have 0 vulnerabilities on them. There may be 0 that you know about, but that doesn't mean there aren't more vulnerabilities which aren't public knowledge lurking in sendmail or bind or ssh or ssl or apache or any number of other services you have running.
My statement is as naive as yours is ridiculous. You're telling me your IDS systems tell you when there is a new vulnerability, before you see it on bugtraq? I don't think so. You can see people scanning your network on port 80, but does that tell you apache has a vulnerability? People are probing on port 25... are they looking to exploit an unknown bug... or just looking to relay spam? Maybe they're just trying to make sure you don't have any open relays on your network? Who knows. You don't.

So watching your IDS logs won't tell you jack, because people who are trying to hack you WILL NOT SCAN FROM WHERE THEY HACK. You're not going to get any advance knowledge of an exploit, and you're not even going to know where the actual hack is coming from.

So, since I'm so naive, please explain to me what you can do differently than I can, simply by following a few fundamental rules.

Rule 1: All windows boxes behind a well implemented firewall.
Rule 2: Run only required services on unix servers, with a packet filter (ipfw and friends) to easily drop http or smtp traffic quickly and easily.
Rule 3: Keep current with all bugfixes.
Rule 4: Filter packets network-wide, when needed. (snmp, slammer, etc)

So, keeping such a detailed eye on the stray packets that enter your network, what will you know about an attack that I wouldn't? You realize that scanning happens after exploits get published, not before. Scanning as a precursor to attack is done by unskilled mass-hackers. People who write exploits don't scan, and if they do, they WILL NOT hack from where they scan. So that reactive filter rule based on the portscan doesn't help you.

So, in your hypothetical, when some popular daemon develops a vulnerability (like with openssh and apache within the last year), what are YOU going to do about it before the workarounds and patches are available? Nothing. And that's why I don't bother worrying about it.
My network is as secure as it can be, which IS NOT the same as "My network is invulnerable". Don't put words into my mouth simply so you can call them naive.

Andy

Andy Dills, Xecunet, LLC, www.xecu.net
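As an added example (mine, not from the thread and not Andy's actual configuration) of what rules 2 and 4 look like in practice: a minimal FreeBSD ipfw ruleset that admits new inbound connections only to a short list of services and drops SNMP and the Slammer port (UDP 1434) network-wide before any allow rule can match. The interface em0, the address 192.0.2.10 and the service list are assumed, constructed values; the script prints the rules for review unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. A minimal FreeBSD ipfw ruleset in the
# spirit of Andy's rules 2 and 4: expose only required services, and drop
# SNMP and the Slammer port (UDP 1434) network-wide. Assumed (constructed)
# values: public interface em0, host 192.0.2.10.
# Rules are printed unless APPLY=1 is set, so this can be reviewed safely.

IFACE="em0"
HOST="192.0.2.10"
ALLOWED_TCP="22 25 80 443"    # rule 2: required services only
BLOCKED_UDP="161 162 1434"    # rule 4: snmp, snmptrap, slammer

# fw either prints the command (review mode) or hands it to ipfw.
fw() {
    if [ "${APPLY:-0}" = "1" ]; then
        ipfw "$@"
    else
        echo "ipfw $*"
    fi
}

# build_rules emits the ruleset in order; ipfw stops at the first match.
build_rules() {
    fw -q flush
    fw add 100 allow ip from any to any via lo0
    # Rule 4 first, so no later allow can admit these packets.
    for p in $BLOCKED_UDP; do
        fw add 200 deny udp from any to any "$p" in via "$IFACE"
    done
    # Reply traffic for sessions this host started.
    fw add 300 check-state
    fw add 310 allow tcp from "$HOST" to any out via "$IFACE" setup keep-state
    fw add 320 allow udp from "$HOST" to any 53 out via "$IFACE" keep-state
    # Rule 2: only the listed services accept new inbound connections.
    for p in $ALLOWED_TCP; do
        fw add 400 allow tcp from any to "$HOST" "$p" in via "$IFACE" setup keep-state
    done
    fw add 500 allow icmp from any to any icmptypes 0,3,8,11
    # Default deny with logging, so blocked probes show up in syslog.
    fw add 65000 deny log ip from any to any
}

# rule_count returns the number of 'add' rules the ruleset loads.
rule_count() {
    APPLY=0 build_rules | grep -c '^ipfw add '
}

build_rules
```

Removing a port from ALLOWED_TCP is the "drop http or smtp quickly" knob from rule 2; because the default rule logs, the probes that hit it are still visible without being admitted.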
Honestly people, to summarize all this...

Legislation is not the correct "knee jerk" response to technical challenges... Lawyers and Politicians just -think- it is.... Perhaps related to perceiving themselves as important to the problem, eh? And, that also happens to create a situation where they get paid to be involved, eh?

Science really doesn't care about what is politically correct, or who you are, all it really cares about is mathematics, and reality. Only politicians think it bends to their whim... (See the attempt to "legislate" the value of PI)

The reality is, if we outlaw probing, we will be arresting thousands of innocents, as 80% (if not more, this stat is made up, but based upon real world observation) of the probes in the internet are caused by trojans and worms....

So, Grandma Kettle, sitting out in her cornfield, on GTE DSL is going to go to jail, because her grandson downloaded a "neat" program he saw on the internet.... or, clicked on the attachment that arrived in the e-mail whose subject was the beginning of a cute little joke about snow white, and some dwarves....

By that standard we would be arresting the Microsoft database administrators, for participating in the most recent SQL based worm. (Once penetrated, the MS servers probed other servers to self-propagate, just like other compromised servers..)

The sheer volume of "false probe positives" could busy out -any- size agency created to enforce such a law.

Legislating something rarely makes the situation better, when it comes to science..... I suggest the answer is found in ACL's, and the technical arena, not the political......

And, also, I suggest PI should remain 3.14(etc.), no matter what the politicians say.

Michael Lamoureux wrote:
"andy" == Andy Dills <andy@xecu.net> writes:
andy> On Fri, 28 Feb 2003, Charlie Clemmer wrote:
At 03:52 PM 2/28/2003 -0500, Andy Dills wrote:
Why is probing networks wrong?
Depends on why you're doing the probing.
andy> If so, why outlaw the act of probing? Why not outlaw "probing
andy> for the purposes of..."?
What's the offset into the probe packets to the "intent of this probe" field? And would you trust it if there were one anyway?
If you randomly walk up to my house and check to see if the door is unlocked, you better be ready for a reaction. Same thing with unsolicited probes, in my opinion. Can I randomly walk up to your car to see if it's unlocked without getting a reaction out of you?
andy> This is different. Metaphors applying networking concepts to
andy> real world scenarios are tenuous at best.

andy> In this case, your door being unlocked cannot cause me
andy> harm. However, an "unlocked proxy" can.
Heh, so I guess you could make it his gun and the safety. Does that change your answer? ;-)
andy> Legit probes are an attempt to mitigate network abuse, not
andy> increase it. If there was a sanctioned body who was trusted to
andy> scan for such things, maybe this wouldn't be an issue. But
andy> there's not, so it's a vigilante effort.
What's a legit probe? One where the owner gave you permission in advance to run the scan? I can't think of another definition of that phrase.
andy> You don't have to. This is why I never understood why people
andy> care so much about probing. If you do a good job with your
andy> network, probing will have zero effect on you. All the person
andy> probing can do (regardless of their intent) is say "Gee, I guess
andy> there aren't any vulnerabilities with this network."
This is a completely naive statement. There are 0 networks that I'm willing to believe have 0 vulnerabilities on them. There may be 0 that you know about, but that doesn't mean there aren't more vulnerabilities which aren't public knowledge lurking in sendmail or bind or ssh or ssl or apache or any number of other services you have running.
IMHO, Michael
participants (5)

- Andy Dills
- Charlie Clemmer
- jlewis@lewis.org
- Michael Lamoureux
- Richard Irving