On Mon, 26 Jul 1999, Derek Martin wrote:
> > > Agreed. As I said, I have no problem busting people that actually DO
> > > something. I see no problem with using evidence of a port scan as
> > > establishing a pattern, once an ACTUAL BREAK-IN has occurred, but it is
> > > not in-and-of-itself harmful or dangerous to network security.
> >
> > Portscanning *can* be harmful to the network equipment, vigorous
> > portscanning *can* make network-based equipment unavailable to legitimate
> > users, and poorly-written stacks in such equipment can die when handed
> > fragmented packets typically used for "stealth scanning."
>
> Again, this problem is your VENDOR's fault. Properly written TCP/IP
> stacks will not have this problem. Complain to your vendor. A port scan
> doesn't do anything that a legitimate user doesn't do (except that it
> does it to a bunch of ports instead of just one), so your hardware is
> BROKEN.
Yes, a port scan *does* do something legitimate users don't do. For
instance, a stealth scan uses fragmented packets - regardless of the
fact that you may have architected your network to use packet sizes that
don't cause fragments. Also, most scans don't reset pending connections,
something legitimate users won't do without network problems. Lastly,
port scans attempt connections to ports that legitimate users *don't* use.
If you're using NAT, that takes resources. If you're keeping state, that
takes resources. If it's TCP it takes resources. If those resources
aren't being used by a legitimate user, then it's illegitimate use.
> > Having dropped a provider's core infrastructure during a friendly audit
> > with full knowledge and permission with a fragged scan, I can totally
> > refute the "not in-and-of-itself harmful or dangerous."
> >
> > The scanner doesn't _know_ the scan won't do harm - and likely doesn't
> > care in most cases.
>
> A scan WON'T do harm to non-faulty hardware, so the scanner shouldn't need
> to be concerned. The vendor is at fault.
If the scanner doesn't have permission to scan, then they *should* be
concerned. Faulty hardware is no excuse for bad or criminal behaviour,
period.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
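The resource argument made in the thread above (many half-open SYNs to ports nobody legitimately uses, sometimes carried in fragments) is exactly the pattern a stateful firewall's own logs expose. The following is an added example, not code from anyone in the thread or from any listed product: it parses a constructed, simplified iptables-style log format (the field names and the `FRAG` flag token are assumptions for the illustration, not a real device's syntax) and reports sources that open connections to many distinct ports in a short window without ever completing them, so an operator can see the state-table pressure the poster describes rather than argue about it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log in a simplified, iptables-like format.
# Hypothetical format for this example only. 192.0.2.10 completes a normal
# HTTP conversation; 203.0.113.7 sends bare SYNs across six ports in two
# seconds, one of them fragmented, and never follows any of them up.
SAMPLE_LOG = """\
Jul 26 10:00:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=80 SYN
Jul 26 10:00:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=80 ACK
Jul 26 10:00:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=80 FIN
Jul 26 10:00:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=21 SYN
Jul 26 10:00:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22 SYN
Jul 26 10:00:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=23 SYN
Jul 26 10:00:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=25 SYN
Jul 26 10:00:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=110 SYN FRAG
Jul 26 10:00:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=143 SYN
"""

# Regex for the constructed format: syslog timestamp, host, tag, then
# key=value fields and a trailing list of upper-case flag tokens.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"IN=(?P<iface>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)(?P<flags>(?: [A-Z]+)*)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["dpt"] = int(rec["dpt"])
    rec["flags"] = set(rec["flags"].split())
    return rec


def summarize(lines):
    """Aggregate TCP activity per source address.

    ports:     distinct destination ports touched
    syn:       initial SYNs (each one costs a state-table or NAT entry)
    followups: later ACK/FIN/RST packets, i.e. evidence the conversation
               actually went somewhere instead of being left half-open
    frag:      packets flagged as fragments
    """
    per_src = defaultdict(lambda: {"ports": set(), "syn": 0, "followups": 0,
                                   "frag": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        s = per_src[rec["src"]]
        s["ports"].add(rec["dpt"])
        if "SYN" in rec["flags"]:
            s["syn"] += 1
        elif rec["flags"] & {"ACK", "FIN", "RST"}:
            s["followups"] += 1
        if "FRAG" in rec["flags"]:
            s["frag"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return dict(per_src)


def flag_scanners(summary, port_threshold=5, window=timedelta(seconds=60)):
    """Return {src: [reasons]} for sources that look like port sweeps.

    A source is flagged only when it touches at least port_threshold distinct
    ports inside the window; never-completed SYNs and fragments are reported
    as aggravating factors, not as triggers on their own, so a single dropped
    connection from a legitimate user does not raise an alert.
    """
    flagged = {}
    for src, s in summary.items():
        span = s["last"] - s["first"]
        if len(s["ports"]) < port_threshold or span > window:
            continue
        reasons = [f"{len(s['ports'])} distinct ports in {span.seconds}s"]
        if s["syn"] and s["followups"] == 0:
            reasons.append("SYNs never followed by ACK/FIN/RST (half-open state left behind)")
        if s["frag"]:
            reasons.append(f"{s['frag']} fragmented packet(s)")
        flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in flag_scanners(summarize(SAMPLE_LOG.splitlines())).items():
        print(src, "->", "; ".join(reasons))
```

Running it on the embedded sample reports only 203.0.113.7, with all three factors. On a real firewall the thresholds and the window would be tuned per site, and the `followups` counter is the piece worth keeping an eye on: a source whose SYNs are never followed by anything is the one leaving entries to time out in the state or NAT table.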