Home page logo

basics logo Security Basics mailing list archives

Re: Yet another thread on the legality of port scanning
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 18 Mar 2004 11:33:58 -0500

Charley Hamilton wrote:

The normal means of communicating on the internet is via IP

On that basis, electron transport is the standard method of
information transfer on the internet.  If I connect a power cord
to your router's ethernet jack, is that okay?  Obviously not.

These anologies don't work together. The normal means of connecting an ethernet card to a network is not via a power cord. The normal means of connecting to a server *IS* sending IP packets to that server and recieving them back. Which port(s) the packets are sent to is irrelivent. Whether the content is an attack or not depends on the content of the packets. Just because some (very poorly designed) hardware/software can't survive a port scan, doesn't mean that port scans are attacks nor does it mean that they represent anomolous traffic.

There are legitimate reasons for running a port scan on a computer in a limited fashion, such as service discovery.

Authorized users are told they are authorized users.


Perhaps I'm not aware of it, but is there an "authorized user/service" database on the internet? I must have missed that.

  The "reasonable man"
hypothesis applies to connecting to a system to which authorization is
in doubt.

The reasonable man hypothesis also dictates that a person would only reasonably leave a system exposed with a service running and without warnings if it weren't meant to be viewed. If the content says "classified" or "you're not supposed to be here", or if the person knows they shouldn't be there - that's one thing.

Would a reasonable man conclude that http://www.cnn.com is an acceptable connection in the absence of explicit permission? I would say yes, he would. Would a reasonable man conclude that ftp://www.cnn.com
is an acceptable connection in the absence of explicit permission?
I would argue no, he would not.

I would argue that you're wrong. Anonymous FTP is a very frequent occurrance on the internet and it's not unreasonable to expect that CNN might have an anonymous FTP site for content. What, exactly, makes you think that it's an unreasonable service to use?

What's the difference?  HTTP is
generally accepted to be a public connection, in the sense that it
is intended as a shared resource, to be accessible to all.  FTP is
not generally accepted as such, regardless of what electronic storefront
happens to be offering the service.

I don't know what universe you're in, but FTP is a public connection if it's configured that way. HTTP is also a public connection if it's configured to be. Both are also private connections if they're configured to be. The key here is in configuration, not in the service.

So, all these times I've been downloading things off of ftp://mirrors.kernel.org, I've been being unreasonable? That's the first time I've ever heard anyone argue anything of the sort.

The act of plugging a device into a public [ () 1] IP address
is your way of giving people permission to send packets to

I disagree strongly on this.  I have a public street address.
It is appropriate for a caller to knock on my door/ring my
doorbell, because that is the "reasonable man" thing to do.
It is not acceptable for the caller to come around the side
of my house just because he sees my side door open.
What makes an IP address any different from a physical address
in terms of the "reasonable man" hypothesis?  That is the typical
legal test to which such arguments must be put.

Because an IP address isn't a physical door and the internet isn't your street. Everyone's talking about this as if the rules are the same, but they aren't. Frankly, this argument is getting completely absurd.

Anyone on the internet can send an IP packet to anyone else.
That's kind of the whole point.

I disagree. The whole point of the internet is to permit
effective communication of ideas, not random unsolicited
contact between individuals.  If I solicit contact by offering
"reasonable man" permission for contact, then it is part of
effective communication.  If I do not, it is annoyance potentially
rising to criminal action.

The whole point of the internet is whatever you can do with the networking technology within an ethical framework. Internet traffic need not be solicited. However, some would say that you solicit the reciept of non-disruptive generic TCP/IP traffic just by putting your computer on the internet.

*blink blink*  I can't argue with the last sentence, but
just what constitutes a "private" service by your definition?

I, personally, would identify a private service as being one that you want no one or limited numbers of people to access.

Something that is accessible only to someone from an internal
net?  Are you arguing that any service offered over the
internet is tacit approval for *everyone* to use that service?
Or is it only tascit approval if the service is not properly

I think his point was that if you don't want people to be able to see the service (we're not even talking about logging in and using. Port scans don't log in and use services, they just detect them) then don't put the service up for the net to see. It's that simple. :)

Assuming that my interpretation of your writing is correct,
you would support unsolicited bulk email.  After all, you have
an email address and your mail server (or the firewall through
which it passes) has a public IP address, right?  After all, I
got your email and I'm not on your private netweork.

Actually, I'm not the original poster, but I'd have to say that unsolicited e-mail is just fine. I don't have a problem with people just sending me e-mail. What I have a problem with is people hacking into systems and converting them into SPAM relays.

Unsolicited e-mail isn't the problem, system abuse is -- that's what makes filters fail and causes havoc.

Same source, definition of access:

2 a : permission, liberty, or ability to enter, approach,
communicate with, or pass to and from b : freedom or ability to
obtain or make use of c : a way or means of access d : the act or
an instance of accessing

It is clear from 2a and 2b that the intent of "access" is
"permitted access", not simply the physical limitation of

I don't think anyone's arguing that it's OK for someone to access a system without permission or liberty. The question is does being on the internet open you up to generalized detection and discovery traffic? I'd say yeah, it does. I'm not advocating that people just port scan everyone, and I do believe that most port scans are precursors to attack...

But, by the same token, my looking at someone funny COULD be a precursor to attack -- so, should we then consider people looking at others in a funny way an attack?

I just happen to think that this whole argument is getting ridiculous. Are port scans questionable? Sure. Are there legitimate reasons to do them? Sure. Are they often precursors to attacks? Often, yes. Do the packets sent by them constitute legitimate IP traffic? Yes, unless they're malformed, which is a different issue entirely. Are they going away anytime soon? No.

There, problem solved.  :)


Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]