>But there is virtually no
> valid reason a scan should be performed on most sites.

So if you were the operator of a backbone network (let's say
AT&T), and you saw multiple sequential ports being accessed on a core
router, you would try to identify where it was coming from and notify
some agency? I run nmap frequently on our provider's routed networks
to see what is up and what is not when traceroute and similar tools are
not sufficient. I run it in database mode and do regexps on the output
file. It proves to be fairly accurate. Should they send the feds?

> The motivation is
> usually looking for a way in.

I disagree. Say I'm going to choose another ISP. By running network
discovery tools (such as nmap, scotty, or visio enterprise), I could map the
topology of the network, and the appearance would "suggest an attack."

Bottom line is that there are much more complex break-in methodologies
that do provide significant evidence of attack. Portscan detection is far
too broad of an attack to rely on any data. Our firewall is almost constantly
detecting portscans from various networks, but then again, it's not using
a very efficient way to determine what an attack is and what is not.


> As such, it should be responded to by the
> administrator. Scanning may not be against the law, but it's also not
> against the law for an administrator to call the ISP in question, and apply
> heat to get the account cancelled.

And if it's not a dialup account? I highly doubt said ISP would cancel
a dedicated circuit account that houses a class C or larger based on
someone's portscan complaint. Once again, it's a waste of time unless you are
pattern matching the attacks, and even then there needs to be multiple attacks
with either the same profile, or coming from the same site.

Matt
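
An added illustration, not part of Matt's message or the thread: one way to do the correlation described above, escalating only when scan alerts recur from the same source or with the same port profile. The log format, the addresses (documentation ranges) and the `min_repeats` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample alerts in a hypothetical firewall log format (assumption).
SAMPLE_LOG = """\
1999-07-19T02:14:00 PORTSCAN src=192.0.2.10 ports=21,23,25,80
1999-07-19T09:30:00 PORTSCAN src=198.51.100.7 ports=1-1024
1999-07-20T02:11:00 PORTSCAN src=192.0.2.10 ports=21,23,25,80
1999-07-20T15:45:00 PORTSCAN src=203.0.113.5 ports=111,2049
1999-07-21T02:16:00 PORTSCAN src=192.0.2.10 ports=110,143
1999-07-21T04:02:00 PORTSCAN src=203.0.113.99 ports=111,2049
1999-07-22T23:50:00 PORTSCAN src=192.0.2.200 ports=111,2049
not an alert line
"""

LINE_RE = re.compile(r"^(\S+) PORTSCAN src=(\S+) ports=(\S+)$")


def parse(log):
    """Yield (day, source, profile) per well-formed alert; skip other lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, ports = m.groups()
            yield ts[:10], src, frozenset(ports.split(","))


def correlate(log, min_repeats=3):
    """Flag sources seen on >= min_repeats days and port profiles
    seen in >= min_repeats alerts; single one-off scans are ignored."""
    days_by_source = defaultdict(set)
    alerts_by_profile = defaultdict(set)
    for day, src, profile in parse(log):
        days_by_source[src].add(day)
        alerts_by_profile[profile].add((day, src))
    return {
        "sources": sorted(s for s, d in days_by_source.items()
                          if len(d) >= min_repeats),
        "profiles": sorted(tuple(sorted(p)) for p, a in alerts_by_profile.items()
                           if len(a) >= min_repeats),
    }


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

On the sample, the one-off scans drop out; only the source that returns on three days and the port profile that recurs across three alerts from different sources are reported.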

>
> -----Original Message-----
> From: Derek Martin <[EMAIL PROTECTED]>
> To: Dave Gillett <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Date: Thursday, July 22, 1999 9:09 PM
> Subject: Re: trial & charges
>
>
> >On Thu, 22 Jul 1999, Dave Gillett wrote:
> >
> >> On 21 Jul 99, at 18:04, Matthew G . Harrigan wrote:
> >>
> >> > Last I checked, utilizing things such as port scanners, tcp fingerprinting
> >> > tools, and the like are not illegal, because there is no way to
> >> > disseminate legitimate system administration techniques (you'll notice that
> >> > enterprise network management packages which do network discovery utilize
> >> > all of the above.) from actual penetration attempts, unless the activity
> >> > yields someone actually gaining user level access to a said networked
> >> > device. I would find it hard to believe that someone could be prosecuted
> >> > based on something like an nmap scan.
> >>
> >>   This is like saying that car theft can't be illegal because it would
> >> prevent anyone from ever driving!  [Clue:  It becomes criminal when you don't
> >> have the owner's permission....]
> >
> >Did you obtain the permission to send mail to this mailing list from the
> >owner of the machine and network that it resides on?  NO?  YOU MUST BE
> >BREAKING THE LAW by sending your mail then... by your definition.
> >
> >Internet servers are, by nature, somewhat public.  This is the problem.
> >How do you define what's permissible and what isn't?  The physical act of
> >connecting to an e-mail server is THE EXACT SAME as doing a port scan.
> >Except that you did it to a whole bunch of different ports.  It's like
> >ringing the doorbell at the front door of someone's house, then going
> >around to the side door and ringing that one too.
> >
> >
> >Derek D. Martin           |  UNIX System Administrator
> >[EMAIL PROTECTED] |  [EMAIL PROTECTED]
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]
>
