Home page logo

basics logo Security Basics mailing list archives

Re: FW: Legal? Road Runner proactive scanning.[Scanned]
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 16 Mar 2004 23:17:48 +0100

On 2004-03-15 Bryan S. Sampsel wrote:

Ansgar -59cobalt- Wiechers said:

I have to respectfully disagree. Portscans *may* very well be
utilized by an attacker to identify what is running on a system, so
they *may* indicate a forthcoming attack. OTOH finding out what
services some box provides IMHO is a legitmate means for any
potential user.

No regular, authorized user should be scanning.  That user will be
provided the information as necessary.  Sorry.

Your are going to explain how you are going to do that, e.g. for
publically available services on ports that are not well-known, aren't
you? And even if so, what's it hurt if someone goes finding out for
himself? I still don't get your point.

If you don't intend to provide a service then why do you make it
available? If you run a service with known vulnerabilities then why
don't you fix/change it? If you intend to provide a service and
there are no known vulns then why do you consider portscans a
problem? Do you really believe security thru obscurity is going to

Nothing about obscurity ever played into my explanation.

How else should I call hiding the services you provide by prohibiting
portscans (or trying to)?

As to vulnerable services...find me one that hasn't had a
vulnerability show up.  And find me one that, even when the patches
are kept up to date, has not occasionally been exploited before
patches became available.

Portscans are comparable to somebody checking all my windows and doors
to see if they're unlocked.

So? Lock them already, if you don't want them to be open.

I have mail box out front for communication and a phone.  People can
call me.  But them attempting to find other ways into my house is
tresspassing.  And such activity can indicate an attempt to break in
is forthcoming.

This analogy was born without legs. A portscan is a means of finding out
what services you are providing to the public. Nothing more. Nothing

To sum up: a portscan may or may not indicate a forthcoming attack,
but it is *not* an attack in itself.

The point is debatable.


I consider it enough of an indicator that I take it seriously.
Sometimes, it isn't even a person doing the attack, but an infected
machine.  More than one virus performs portscans.

Sure. But still the portscan is not the attack. I already said that it
might indicate a forthcoming attack, so there's nothing wrong with
taking it seriously, but I wouldn't be too worried about it.

Ansgar Wiechers

Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]