Re: how to deal with port scan and brute force attack from AS 8075 ?
I must have missed that… my bad.
On Mar 31, 2016, at 2:01 AM, Dan Hollis <goemon@sasami.anime.net> wrote:
It's right there in his email:
"We have sent email to abuse@microsoft.com, but no answer."
-Dan
On Thu, 31 Mar 2016, Todd Crane wrote:
Oh and,
I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not to mention unprofessional, to publicly call them out on such a public forum without giving them an opportunity to correct it first.
On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane@n5tech.com> wrote:
Marcel
Depending on what is on those machines, I would just recommend using fail2ban. The default is that if an ip address fails ssh auth 3 times in 5 minutes, their ip gets blocked via iptables for 5 minutes. This is enough to thwart most scripted attacks, especially those from a certain government in Asia. This is configurable to various applications, timing schemes, and blocking/jailing mechanisms.
-Todd
On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <nanog@nanog.org> wrote:
Dear Nanog'er,
We are facing a lot of port scan and brute force attack on port 22 (but not limited to) from Microsoft AS 8075 range toward our own infra, or toward our customers. We have sent email to abuse@microsoft.com, but no answer.
source ip are: NetRange: 40.74.0.0 - 40.125.127.255 CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16, 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14 NetName: MSFT
We consider port scan and brute force on ssh port as an attack, and even as a pre-DDOS phase (could be use to install botnet, detect unpatched host, and so one).
It's one thing to propose services and make money over an infra, it's an other thing to take care that you clients do not use this infra to make illegal stuffs.
How do you deal with such massive amount of 'illegal' traffic ?
Thank, Best Regards Marcel
He are some examples (we have more than 3000 such packets per day just from them, probably Azure), and source ip is always differents of course:
Flow Filtering Expression src AS 8075 and dst port 22 and packets=1 Limit Flows 40000 Sorting By Date
Date_first_seen Duration Proto _IP_Addr:Port Dst_IP_Addr:Port Flags Packets 2016-02-29 14:55:20.108 0.000 6 104.45.210.69:1160 -> x.x.231:22 ...... 1 2016-02-29 14:55:20.611 0.000 6 104.45.210.69:1161 -> x.x.231:22 ...... 1 2016-02-29 14:56:41.004 0.000 6 40.76.55.204:1090 -> x.x..14:22 ...... 1 2016-02-29 14:56:41.324 0.000 6 40.76.55.204:1091 -> x.x..14:22 ...... 1 2016-02-29 15:00:05.670 0.000 6 40.76.55.204:1088 -> x.x.125:22 ...... 1 2016-02-29 15:00:06.003 0.000 6 40.76.55.204:1089 -> x.x.125:22 ...... 1 2016-02-29 15:01:17.358 0.000 6 40.76.70.58:1168 -> x.x..80:22 ...... 1 2016-02-29 15:01:17.676 0.000 6 40.76.70.58:1169 -> x.x..80:22 ...... 1 2016-02-29 15:02:42.637 0.000 6 40.76.55.204:1176 -> x.x.193:22 ...... 1 2016-02-29 15:02:42.878 0.000 6 40.76.55.204:1177 -> x.x.193:22 ...... 1 2016-02-29 15:02:48.067 0.000 6 104.45.210.69:1160 -> x.x.173:22 ...... 1 2016-02-29 15:02:48.394 0.000 6 104.45.210.69:1161 -> x.x.173:22 ...... 1 2016-02-29 15:03:18.854 0.000 6 40.121.53.153:1041 -> x.x..88:22 ...... 1 2016-02-29 15:03:19.172 0.000 6 40.121.53.153:1042 -> x.x..88:22 ...... 1 2016-02-29 15:06:36.248 0.000 6 40.76.55.204:1056 -> x.x..45:22 ...... 1 2016-02-29 15:07:31.882 0.000 6 40.76.80.17:44895 -> x.x..75:22 ...... 1 2016-02-29 15:07:32.245 0.000 6 40.76.80.17:44896 -> x.x..75:22 ...... 1 2016-02-29 15:09:08.433 0.000 6 40.76.70.58:1168 -> x.x..31:22 ...... 1 2016-02-29 15:09:08.744 0.000 6 40.76.70.58:1169 -> x.x..31:22 ...... 1 2016-02-29 15:11:45.668 0.000 6 40.76.80.17:47993 -> x.x.157:22 ...... 1 2016-02-29 15:11:45.987 0.000 6 40.76.80.17:47994 -> x.x.157:22 ...... 1 2016-02-29 15:12:09.543 0.000 6 40.76.70.58:1168 -> x.x..24:22 ...... 1 2016-02-29 15:12:09.925 0.000 6 40.76.70.58:1169 -> x.x..24:22 ...... 1 2016-02-29 15:17:05.920 0.000 6 40.76.70.58:1168 -> x.x.243:22 ...... 1 2016-02-29 15:17:06.241 0.000 6 40.76.70.58:1169 -> x.x.243:22 ...... 1 2016-02-29 15:19:21.364 0.000 6 40.83.121.211:62936 -> x.x..81:22 ...... 1 2016-02-29 15:19:21.704 0.000 6 40.83.121.211:62937 -> x.x..81:22 ...... 1 2016-02-29 15:19:45.891 0.000 6 40.76.70.58:1168 -> x.x..39:22 ...... 1 2016-02-29 15:19:46.273 0.000 6 40.76.70.58:1169 -> x.x..39:22 ...... 1 2016-02-29 15:21:52.030 0.000 6 40.76.70.58:1168 -> x.x.120:22 ...... 1 2016-02-29 15:21:52.349 0.000 6 40.76.70.58:1169 -> x.x.120:22 ...... 1 2016-02-29 15:24:07.614 0.000 6 40.76.55.204:1048 -> x.x.237:22 ...... 1 2016-02-29 15:24:07.933 0.000 6 40.76.55.204:1128 -> x.x.237:22 ...... 1 2016-02-29 15:27:31.289 0.000 6 40.121.53.153:1041 -> x.x.133:22 ...... 1 2016-02-29 15:27:31.544 0.000 6 40.121.53.153:1042 -> x.x.133:22 ...... 1 2016-02-29 15:27:59.120 0.000 6 40.76.70.58:1168 -> x.x.9.3:22 ...... 1 2016-02-29 15:27:59.440 0.000 6 40.76.70.58:1169 -> x.x.9.3:22 ...... 1 2016-02-29 15:29:30.933 0.000 6 40.76.70.58:1168 -> x.x.211:22 ...... 1 2016-02-29 15:29:31.031 0.000 6 40.76.70.58:1169 -> x.x.211:22 ...... 1 2016-02-29 15:29:33.729 0.000 6 40.76.55.204:1142 -> x.x.166:22 ...... 1 2016-02-29 15:29:34.032 0.000 6 40.76.55.204:1143 -> x.x.166:22 ...... 1 2016-02-29 15:31:41.947 0.000 6 40.76.70.58:1168 -> x.x.137:22 ...... 1 2016-02-29 15:31:42.266 0.000 6 40.76.70.58:1169 -> x.x.137:22 ...... 1 2016-02-29 15:32:10.044 0.000 6 40.121.53.153:1041 -> x.x..71:22 ...... 1 2016-02-29 15:32:10.348 0.000 6 40.121.53.153:1042 -> x.x..71:22 ...... 1 2016-02-29 15:32:10.442 0.000 6 104.45.210.69:1161 -> x.x.246:22 ...... 1 2016-02-29 15:32:10.475 0.000 6 104.45.210.69:1160 -> x.x.246:22 ...... 1 2016-02-29 15:32:29.165 0.000 6 40.121.143.132:1040 -> x.x..62:22 ...... 1 2016-02-29 15:32:29.466 0.000 6 40.121.143.132:1041 -> x.x..62:22 ...... 1 2016-02-29 15:37:07.616 0.000 6 40.76.80.17:56902 -> x.x..51:22 ...... 1 2016-02-29 15:37:07.925 0.000 6 40.76.80.17:56903 -> x.x..51:22 ...... 1 2016-02-29 15:40:04.546 0.000 6 40.121.53.153:1041 -> x.x.186:22 ...... 1 2016-02-29 15:40:04.866 0.000 6 40.121.53.153:1042 -> x.x.186:22 ...... 1 2016-02-29 15:40:28.870 0.000 6 40.76.70.58:1168 -> x.x.171:22 ...... 1 2016-02-29 15:40:29.125 0.000 6 40.76.70.58:1169 -> x.x.171:22 ...... 1 2016-02-29 15:41:57.034 0.000 6 40.76.55.204:1128 -> x.x.181:22 ...... 1 2016-02-29 15:41:57.354 0.000 6 40.76.55.204:1176 -> x.x.181:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.163:22 ...... 1 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.176:22 ...... 1 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.206:22 ...... 1 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.158:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.185:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.251:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.255:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.141:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.136:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.235:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.242:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.240:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.100:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.244:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.217:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x..72:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.221:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.5.4:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.150:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.145:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.119:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..52:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..75:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.127:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..22:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..77:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.246:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.137:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..85:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..35:22 ...... 1
I would ignore the portscans since there is nothing wrong with portscanning the Internet. Install fail2ban {don't forgot to whitelist your management static IPs}. You may want to increase the default bantime and findtime {how far back to search logs}. On 31 Mar 2016 11:06, "Todd Crane" <todd.crane@n5tech.com> wrote:
I must have missed that… my bad.
On Mar 31, 2016, at 2:01 AM, Dan Hollis <goemon@sasami.anime.net> wrote:
It's right there in his email:
"We have sent email to abuse@microsoft.com, but no answer."
-Dan
On Thu, 31 Mar 2016, Todd Crane wrote:
Oh and,
I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not to mention unprofessional, to publicly call them out on such a public forum without giving them an opportunity to correct it first.
On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane@n5tech.com> wrote:
Marcel
Depending on what is on those machines, I would just recommend using fail2ban. The default is that if an ip address fails ssh auth 3 times in 5 minutes, their ip gets blocked via iptables for 5 minutes. This is enough to thwart most scripted attacks, especially those from a certain government in Asia. This is configurable to various applications, timing schemes, and blocking/jailing mechanisms.
-Todd
On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG < nanog@nanog.org> wrote:
Dear Nanog'er,
We are facing a lot of port scan and brute force attack on port 22 (but not limited to) from Microsoft AS 8075 range toward our own infra, or toward our customers. We have sent email to abuse@microsoft.com, but no answer.
source ip are: NetRange: 40.74.0.0 - 40.125.127.255 CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16, 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14 NetName: MSFT
We consider port scan and brute force on ssh port as an attack, and even as a pre-DDOS phase (could be use to install botnet, detect unpatched host, and so one).
It's one thing to propose services and make money over an infra, it's an other thing to take care that you clients do not use this infra to make illegal stuffs.
How do you deal with such massive amount of 'illegal' traffic ?
Thank, Best Regards Marcel
He are some examples (we have more than 3000 such packets per day just from them, probably Azure), and source ip is always differents of course:
Flow Filtering Expression src AS 8075 and dst port 22 and packets=1 Limit Flows 40000 Sorting By Date
Date_first_seen Duration Proto _IP_Addr:Port Dst_IP_Addr:Port Flags Packets 2016-02-29 14:55:20.108 0.000 6 104.45.210.69:1160 -> x.x.231:22 ...... 1 2016-02-29 14:55:20.611 0.000 6 104.45.210.69:1161 -> x.x.231:22 ...... 1 2016-02-29 14:56:41.004 0.000 6 40.76.55.204:1090 -> x.x..14:22 ...... 1 2016-02-29 14:56:41.324 0.000 6 40.76.55.204:1091 -> x.x..14:22 ...... 1 2016-02-29 15:00:05.670 0.000 6 40.76.55.204:1088 -> x.x.125:22 ...... 1 2016-02-29 15:00:06.003 0.000 6 40.76.55.204:1089 -> x.x.125:22 ...... 1 2016-02-29 15:01:17.358 0.000 6 40.76.70.58:1168 -> x.x..80:22 ...... 1 2016-02-29 15:01:17.676 0.000 6 40.76.70.58:1169 -> x.x..80:22 ...... 1 2016-02-29 15:02:42.637 0.000 6 40.76.55.204:1176 -> x.x.193:22 ...... 1 2016-02-29 15:02:42.878 0.000 6 40.76.55.204:1177 -> x.x.193:22 ...... 1 2016-02-29 15:02:48.067 0.000 6 104.45.210.69:1160 -> x.x.173:22 ...... 1 2016-02-29 15:02:48.394 0.000 6 104.45.210.69:1161 -> x.x.173:22 ...... 1 2016-02-29 15:03:18.854 0.000 6 40.121.53.153:1041 -> x.x..88:22 ...... 1 2016-02-29 15:03:19.172 0.000 6 40.121.53.153:1042 -> x.x..88:22 ...... 1 2016-02-29 15:06:36.248 0.000 6 40.76.55.204:1056 -> x.x..45:22 ...... 1 2016-02-29 15:07:31.882 0.000 6 40.76.80.17:44895 -> x.x..75:22 ...... 1 2016-02-29 15:07:32.245 0.000 6 40.76.80.17:44896 -> x.x..75:22 ...... 1 2016-02-29 15:09:08.433 0.000 6 40.76.70.58:1168 -> x.x..31:22 ...... 1 2016-02-29 15:09:08.744 0.000 6 40.76.70.58:1169 -> x.x..31:22 ...... 1 2016-02-29 15:11:45.668 0.000 6 40.76.80.17:47993 -> x.x.157:22 ...... 1 2016-02-29 15:11:45.987 0.000 6 40.76.80.17:47994 -> x.x.157:22 ...... 1 2016-02-29 15:12:09.543 0.000 6 40.76.70.58:1168 -> x.x..24:22 ...... 1 2016-02-29 15:12:09.925 0.000 6 40.76.70.58:1169 -> x.x..24:22 ...... 1 2016-02-29 15:17:05.920 0.000 6 40.76.70.58:1168 -> x.x.243:22 ...... 1 2016-02-29 15:17:06.241 0.000 6 40.76.70.58:1169 -> x.x.243:22 ...... 1 2016-02-29 15:19:21.364 0.000 6 40.83.121.211:62936 -> x.x..81:22 ...... 1 2016-02-29 15:19:21.704 0.000 6 40.83.121.211:62937 -> x.x..81:22 ...... 1 2016-02-29 15:19:45.891 0.000 6 40.76.70.58:1168 -> x.x..39:22 ...... 1 2016-02-29 15:19:46.273 0.000 6 40.76.70.58:1169 -> x.x..39:22 ...... 1 2016-02-29 15:21:52.030 0.000 6 40.76.70.58:1168 -> x.x.120:22 ...... 1 2016-02-29 15:21:52.349 0.000 6 40.76.70.58:1169 -> x.x.120:22 ...... 1 2016-02-29 15:24:07.614 0.000 6 40.76.55.204:1048 -> x.x.237:22 ...... 1 2016-02-29 15:24:07.933 0.000 6 40.76.55.204:1128 -> x.x.237:22 ...... 1 2016-02-29 15:27:31.289 0.000 6 40.121.53.153:1041 -> x.x.133:22 ...... 1 2016-02-29 15:27:31.544 0.000 6 40.121.53.153:1042 -> x.x.133:22 ...... 1 2016-02-29 15:27:59.120 0.000 6 40.76.70.58:1168 -> x.x.9.3:22 ...... 1 2016-02-29 15:27:59.440 0.000 6 40.76.70.58:1169 -> x.x.9.3:22 ...... 1 2016-02-29 15:29:30.933 0.000 6 40.76.70.58:1168 -> x.x.211:22 ...... 1 2016-02-29 15:29:31.031 0.000 6 40.76.70.58:1169 -> x.x.211:22 ...... 1 2016-02-29 15:29:33.729 0.000 6 40.76.55.204:1142 -> x.x.166:22 ...... 1 2016-02-29 15:29:34.032 0.000 6 40.76.55.204:1143 -> x.x.166:22 ...... 1 2016-02-29 15:31:41.947 0.000 6 40.76.70.58:1168 -> x.x.137:22 ...... 1 2016-02-29 15:31:42.266 0.000 6 40.76.70.58:1169 -> x.x.137:22 ...... 1 2016-02-29 15:32:10.044 0.000 6 40.121.53.153:1041 -> x.x..71:22 ...... 1 2016-02-29 15:32:10.348 0.000 6 40.121.53.153:1042 -> x.x..71:22 ...... 1 2016-02-29 15:32:10.442 0.000 6 104.45.210.69:1161 -> x.x.246:22 ...... 1 2016-02-29 15:32:10.475 0.000 6 104.45.210.69:1160 -> x.x.246:22 ...... 1 2016-02-29 15:32:29.165 0.000 6 40.121.143.132:1040 -> x.x..62:22 ...... 1 2016-02-29 15:32:29.466 0.000 6 40.121.143.132:1041 -> x.x..62:22 ...... 1 2016-02-29 15:37:07.616 0.000 6 40.76.80.17:56902 -> x.x..51:22 ...... 1 2016-02-29 15:37:07.925 0.000 6 40.76.80.17:56903 -> x.x..51:22 ...... 1 2016-02-29 15:40:04.546 0.000 6 40.121.53.153:1041 -> x.x.186:22 ...... 1 2016-02-29 15:40:04.866 0.000 6 40.121.53.153:1042 -> x.x.186:22 ...... 1 2016-02-29 15:40:28.870 0.000 6 40.76.70.58:1168 -> x.x.171:22 ...... 1 2016-02-29 15:40:29.125 0.000 6 40.76.70.58:1169 -> x.x.171:22 ...... 1 2016-02-29 15:41:57.034 0.000 6 40.76.55.204:1128 -> x.x.181:22 ...... 1 2016-02-29 15:41:57.354 0.000 6 40.76.55.204:1176 -> x.x.181:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.163:22 ...... 1 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.176:22 ...... 1 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.206:22 ...... 1 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.158:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.185:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.251:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.255:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.141:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.136:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.235:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.242:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.240:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.100:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.244:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.217:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x..72:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.221:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.5.4:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.150:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.145:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.119:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..52:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..75:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.127:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..22:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..77:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.246:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.137:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..85:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..35:22 ...... 1
On Thu, Mar 31, 2016 at 5:36 AM, Bacon Zombie <baconzombie@gmail.com> wrote:
I would ignore the portscans since there is nothing wrong with portscanning the Internet.
You might want to check with your lawyer on that. If you _intentionally_ port-scan a computer located in Virginia without the owner's permission (and do nothing else, just port-scan it) it's a class 3 misdemeanor under 18.2-152.1, et seq. That's up to a $500 fine for each computer you scan. By comparison, shoplifting is a class 1 misdemeanor while possession of a schedule V narcotic is another class 3. A key word here is "intentionally." Poking at it by mistake (e.g. you thought it was a different computer which you had the authority to scan) is not a crime. Nor, most likely, is less aggressive behavior which would not ordinarily be part of gaining unauthorized access, such as pinging or tracerouting. Not that I've ever heard of someone being fined but you're definitely in to "something wrong" territory. Regards, Bill Herrin -- William Herrin ................ herrin@dirtside.com bill@herrin.us Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
On Apr 7, 2016, at 07:41 , William Herrin <bill@herrin.us> wrote:
On Thu, Mar 31, 2016 at 5:36 AM, Bacon Zombie <baconzombie@gmail.com> wrote:
I would ignore the portscans since there is nothing wrong with portscanning the Internet.
You might want to check with your lawyer on that. If you _intentionally_ port-scan a computer located in Virginia without the owner's permission (and do nothing else, just port-scan it) it's a class 3 misdemeanor under 18.2-152.1, et seq. That's up to a $500 fine for each computer you scan. By comparison, shoplifting is a class 1 misdemeanor while possession of a schedule V narcotic is another class 3.
I think you’re on shaky ground here. 18.2-152.3 reads: Any person who uses a computer or computer network, without authority and: 1. Obtains property or services by false pretenses; 2. Embezzles or commits larceny; or 3. Converts the property of another; is guilty of the crime of computer fraud. If the value of the property or services obtained is $200 or more, the crime of computer fraud shall be punishable as a Class 5 felony. Where the value of the property or services obtained is less than $200, the crime of computer fraud shall be punishable as a Class 1 misdemeanor. The requirements here are to meet at least one of the 3 tests listed. I think it’s rather hard to claim that a portscan by itself “obtained property or services by false pretenses”. I think it’s even harder to claim that it constitutes “embezzling” or “larceny”. I also think you’d have a tough time arguing that eliciting a response packet to one or more packets actually constitutes conversion of property. So I don’t see how you’d make much of a case for a port-scan being a violation of 18.2-152.1 et. seq. I think the argument, rather easily, could be made that a port-scan is the internet equivalent of a door-knock. By itself, it doesn’t constitute unlawful entry. Now, a persistent door-knock might constitute some form of harassment and frequent or continuous port-scans could be argued to be a form of denial of service (which would constitute conversion), but the odd port-scan is unlikely to meet the tests under the law you cited.
A key word here is "intentionally." Poking at it by mistake (e.g. you thought it was a different computer which you had the authority to scan) is not a crime. Nor, most likely, is less aggressive behavior which would not ordinarily be part of gaining unauthorized access, such as pinging or tracerouting.
I could be wrong, IANAL, but I’d be surprised if a mere portscan would actually be treated as a violation for the reasons cited above.
Not that I've ever heard of someone being fined but you're definitely in to "something wrong" territory.
I don’t think you’ve made your case for “definite” so far. I agree you might be at risk from an overzealous prosecutor and an activist judge that hates hackers for some reason, but short of that, I think you’re unlikely to run afoul of this statute just on a port scan. Owen
On Apr 11, 2016, at 2:18 PM, Owen DeLong <owen@delong.com> wrote:
I could be wrong, IANAL, but I’d be surprised if a mere portscan would actually be treated as a violation for the reasons cited above.
Not that I've ever heard of someone being fined but you're definitely in to "something wrong" territory.
I don’t think you’ve made your case for “definite” so far. I agree you might be at risk from an overzealous prosecutor and an activist judge that hates hackers for some reason, but short of that, I think you’re unlikely to run afoul of this statute just on a port scan.
my experience in talking to the DoJ in the US is this is not going to illicit any sort of a response. I will say that the number of people who “set up a tool” to watch for activity then claim things like a DNS packet or backscatter from DDoS represent a log-on attempt generates the most amusing email to read. - Jared
On Mon, Apr 11, 2016 at 2:18 PM, Owen DeLong <owen@delong.com> wrote:
On Apr 7, 2016, at 07:41 , William Herrin <bill@herrin.us> wrote: On Thu, Mar 31, 2016 at 5:36 AM, Bacon Zombie <baconzombie@gmail.com> wrote:
I would ignore the portscans since there is nothing wrong with portscanning the Internet.
You might want to check with your lawyer on that. If you _intentionally_ port-scan a computer located in Virginia without the owner's permission (and do nothing else, just port-scan it) it's a class 3 misdemeanor under 18.2-152.1, et seq. That's up to a $500 fine for each computer you scan. By comparison, shoplifting is a class 1 misdemeanor while possession of a schedule V narcotic is another class 3.
I think you’re on shaky ground here.
18.2-152.3 reads:
That's computer fraud. You want § 18.2-152.4, computer trespass. -Bill -- William Herrin ................ herrin@dirtside.com bill@herrin.us Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
On Apr 11, 2016, at 12:12 , William Herrin <bill@herrin.us> wrote:
On Mon, Apr 11, 2016 at 2:18 PM, Owen DeLong <owen@delong.com> wrote:
On Apr 7, 2016, at 07:41 , William Herrin <bill@herrin.us> wrote: On Thu, Mar 31, 2016 at 5:36 AM, Bacon Zombie <baconzombie@gmail.com> wrote:
I would ignore the portscans since there is nothing wrong with portscanning the Internet.
You might want to check with your lawyer on that. If you _intentionally_ port-scan a computer located in Virginia without the owner's permission (and do nothing else, just port-scan it) it's a class 3 misdemeanor under 18.2-152.1, et seq. That's up to a $500 fine for each computer you scan. By comparison, shoplifting is a class 1 misdemeanor while possession of a schedule V narcotic is another class 3.
I think you’re on shaky ground here.
18.2-152.3 reads:
That's computer fraud. You want § 18.2-152.4, computer trespass.
I worked forward (et. seq.) from where you started… However… 18.2-152.4 <http://law.justia.com/codes/virginia/2006/toc1802000/18.2-152.4.html>. Computer trespass; penalty. A. It shall be unlawful for any person, with malicious intent, to: 1. Temporarily or permanently remove, halt, or otherwise disable any computerdata, computer programs or computer software from a computer or computernetwork; 2. Cause a computer to malfunction, regardless of how long the malfunctionpersists; 3. Alter, disable, or erase any computer data, computer programs or computersoftware; 4. Effect the creation or alteration of a financial instrument or of anelectronic transfer of funds; 5. Use a computer or computer network to cause physical injury to theproperty of another; or 6. Use a computer or computer network to make or cause to be made anunauthorized copy, in any form, including, but not limited to, any printed orelectronic form of computer data, computer programs or computer softwareresiding in, communicated by, or produced by a computer or computer network. 7. [Repealed.] B. Any person who violates this section shall be guilty of computer trespass,which offense shall be punishable as a Class 1 misdemeanor. If there isdamage to the property of another valued at $1,000 or more caused by suchperson's act in violation of this section, the offense shall be punishable asa Class 6 felony. C. Nothing in this section shall be construed to interfere with or prohibitterms or conditions in a contract or license related to computers, computerdata, computer networks, computer operations, computer programs, computerservices, or computer software or to create any liability by reason of termsor conditions adopted by, or technical measures implemented by, aVirginia-based electronic mail service provider to prevent the transmissionof unsolicited electronic mail in violation of this article. Nothing in thissection shall be construed to prohibit the monitoring of computer usage of,the otherwise lawful copying of data of, or the denial of computer orInternet access to a minor by a parent or legal guardian of the minor. Doesn’t really seem to fit the bill, either. First, I think you have a hard time proving “malicious intent” from just a port scan without other activity. However, even if you do, it’s hard to imagine how a port scan would meet any of the 6 tests stated. Care to try again? Owen
participants (5)
-
Bacon Zombie
-
Jared Mauch
-
Owen DeLong
-
Todd Crane
-
William Herrin