Home page logo

basics logo Security Basics mailing list archives

Re: Yet another thread on the legality of port scanning
From: Derek Schaible <dschaible () cssiinc com>
Date: 18 Mar 2004 12:33:15 -0500

On Thu, 2004-03-18 at 11:33, Barry Fitzgerald wrote:
Charley Hamilton wrote:

The normal means of communicating on the internet is via IP

On that basis, electron transport is the standard method of
information transfer on the internet.  If I connect a power cord
to your router's ethernet jack, is that okay?  Obviously not.

These anologies don't work together.  The normal means of connecting an 
ethernet card to a network is not via a power cord.  The normal means of 
connecting to a server *IS* sending IP packets to that server and 
recieving them back.  Which port(s) the packets are sent to is 
irrelivent.  Whether the content is an attack or not depends on the 
content of the packets.  Just because some (very poorly designed) 
hardware/software can't survive a port scan, doesn't mean that port 
scans are attacks nor does it mean that they represent anomolous traffic.

------- snip - we get the point -------------------------------------

Perhaps its time we look at this in an entirely different way seeing as
how we are getting nowhere fast in this old debate.

If I do a "nice", normal portscan on a host - via TCP, UDP or ICMP I am
generating no discernible traffic, causing virtually no cpu load, in
essence no damage or resources are wasted and the only thing learned is
what services this host is intending to serve. Period. Whether I can
access those services is totally up to the maintainer of the server.

However, if I decided to do some packet crafting via nmap's uber tools,
mixing invalid, unnatural flags in such a manner as to attempt bypassing
a firewall or fool filtered ports, we are in a whole new realm that has
nothing at all to do with general portscans. This sort of behavior is
detectable, preventable and prosecutable.

If I decide to try to cause your httpd deamon to crash and give me a
rootshell, again, this sort of behavior is detectable, preventable and

If I try to flood your host with abnormally LARGE ICMP packets endlessly
from multiple hosts in an attempt to eat all of your bandwidth, this
sort of behavior is detectable, preventable and prosecutable.

A normal, default, friendly ICMP sweep or TCP connect is doing none of
these. It has no effect whatsoever on the strength of your APPLICATION

Does this help?

Derek Schaible <dschaible () cssiinc com>
CSSI, Inc.

Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]