Re: Yet another thread on the legality of port scanning
From: Derek Schaible <dschaible () cssiinc com>
Date: 18 Mar 2004 12:33:15 -0500
On Thu, 2004-03-18 at 11:33, Barry Fitzgerald wrote:
Charley Hamilton wrote:
The normal means of communicating on the internet is via IP
On that basis, electron transport is the standard method of
information transfer on the internet. If I connect a power cord
to your router's ethernet jack, is that okay? Obviously not.
These analogies don't work together. The normal means of connecting an
ethernet card to a network is not via a power cord. The normal means of
connecting to a server *IS* sending IP packets to that server and
receiving them back. Which port(s) the packets are sent to is
irrelevant. Whether the content is an attack or not depends on the
content of the packets. Just because some (very poorly designed)
hardware/software can't survive a port scan, doesn't mean that port
scans are attacks nor does it mean that they represent anomalous traffic.
------- snip - we get the point -------------------------------------
Perhaps it's time we look at this in an entirely different way, seeing as
how we are getting nowhere fast in this old debate.
If I do a "nice", normal portscan on a host - via TCP, UDP or ICMP I am
generating no discernible traffic, causing virtually no cpu load, in
essence no damage or resources are wasted and the only thing learned is
what services this host is intending to serve. Period. Whether I can
access those services is totally up to the maintainer of the server.
However, if I decided to do some packet crafting via nmap's uber tools,
mixing invalid, unnatural flags in such a manner as to attempt bypassing
a firewall or fool filtered ports, we are in a whole new realm that has
nothing at all to do with general portscans. This sort of behavior is
detectable, preventable and prosecutable.
If I decide to try to cause your httpd daemon to crash and give me a
rootshell, again, this sort of behavior is detectable, preventable and
If I try to flood your host with abnormally LARGE ICMP packets endlessly
from multiple hosts in an attempt to eat all of your bandwidth, this
sort of behavior is detectable, preventable and prosecutable.
A normal, default, friendly ICMP sweep or TCP connect is doing none of
these. It has no effect whatsoever on the strength of your APPLICATION
Does this help?
Derek Schaible <dschaible () cssiinc com>
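The distinction Derek draws above, between a plain TCP connect/SYN sweep and packets carrying flag combinations no real TCP stack would emit on its own, is exactly what a detector keys on. The following is an added example, not code from the original thread or from nmap: a small classifier that labels the first packet a source sends to each port by its TCP flags, then reports which sources sent crafted (NULL, Xmas, SYN+FIN, SYN+RST) probes. The packet records are constructed for the example, not captured traffic, and the flag names and labels are this example's own choices.

```python
# Added example, not part of the original post. Classifies TCP flag
# combinations on the first packet from a source to a port, separating an
# ordinary connect/SYN scan from crafted probes. Assumption: the caller has
# already filtered out packets that belong to established connections, so a
# bare ACK or FIN here means "no flow existed" rather than normal teardown.
from collections import Counter

# Flag names as most packet decoders print them.
VALID_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Labels this example treats as packet crafting rather than a normal scan.
CRAFTED = {"null-scan", "xmas-scan", "syn-fin", "syn-rst"}


def classify_flags(flags):
    """Return a label for the TCP flags of an out-of-flow packet."""
    f = frozenset(flags)
    unknown = f - VALID_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    if not f:
        return "null-scan"        # no flags at all: never produced by a real stack
    if {"SYN", "FIN"} <= f:
        return "syn-fin"          # open and close in one segment: contradictory
    if {"SYN", "RST"} <= f:
        return "syn-rst"          # open and abort in one segment: contradictory
    if {"FIN", "PSH", "URG"} <= f and "ACK" not in f:
        return "xmas-scan"        # FIN+PSH+URG without ACK: the classic Xmas probe
    if f == {"SYN"}:
        return "connect"          # what a normal connect() or SYN sweep sends
    if f in ({"FIN"}, {"ACK"}):
        return "out-of-flow"      # FIN- or ACK-only with no connection behind it
    return "other"


def summarize(packets):
    """Map each source address to a Counter of labels for its packets.

    packets: iterable of (source, dest_port, flags) tuples.
    """
    per_source = {}
    for src, _port, flags in packets:
        per_source.setdefault(src, Counter())[classify_flags(flags)] += 1
    return per_source


def crafted_sources(packets):
    """Sorted list of sources that sent at least one crafted probe."""
    summary = summarize(packets)
    return sorted(src for src, labels in summary.items()
                  if any(label in CRAFTED for label in labels))


# Constructed sample, not captured traffic: one host doing a plain SYN sweep
# of three ports, another mixing NULL, Xmas and SYN+FIN probes at the same ports.
SAMPLE_PACKETS = [
    ("198.51.100.7", 22,  {"SYN"}),
    ("198.51.100.7", 80,  {"SYN"}),
    ("198.51.100.7", 443, {"SYN"}),
    ("203.0.113.9",  22,  set()),
    ("203.0.113.9",  80,  {"FIN", "PSH", "URG"}),
    ("203.0.113.9",  443, {"SYN", "FIN"}),
]


if __name__ == "__main__":
    for src, labels in summarize(SAMPLE_PACKETS).items():
        print(src, dict(labels))
    print("crafted probes from:", crafted_sources(SAMPLE_PACKETS))
```

Run against the sample, the SYN-sweeping host is reported only as "connect" traffic while the second host shows up under crafted_sources; that is the line between "what services is this host offering" and "trying to fool filtered ports" that the post is drawing. A real deployment would feed this from a flow tracker rather than a static list, since the labels only mean something for packets that arrive with no established connection.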