On Fri, 28 Feb 2003, Charlie Clemmer wrote:
At 03:52 PM 2/28/2003 -0500, Andy Dills wrote:
Why is probing networks wrong?
Depends on why you're doing the probing.
If so, why outlaw the act of probing? Why not outlaw "probing for the
If you're randomly walk up to my house and check to see if the door is
unlocked, you better be ready for a reaction. Same thing with unsolicited
probes, in my opinion. Can I randomly walk up to your car to see if it's
unlocked without getting a reaction out of you?
This is different. Metaphors applying networking concepts to real world
scenarios are tenuous at best.
In this case, your door being unlocked cannot cause me harm. However, an
"unlocked proxy" can. Legit probes are an attempt to mitigate network
abuse, not increase it. If there was a sanctioned body who was trusted to
scan for such things, maybe this wouldn't be an issue. But there's not, so
it's a vigilante effort.
Where this thread got started, the scenario was around if I connect to your
SMTP server to attempt to relay mail, is it then right to probe me for open
relays and so forth. In that case, I can see the reasoning, as I initiated
the connection, so you're checking to see if I'm sane or not. The line gets
drawn though as to how much probing is reasonable ... can you probe my
system for ALL open ports/exploits just because I tried to send mail
through you, or can you probe all machines that fit in my address range
(and how do you determine my address range?) ... that's where the larger
debate comes in.
Actually, I think the debate starts with Paul telling Jon that Jon isn't
passively scanning connection hosts, he's actively trawling for open
proxies, that Paul has the logs to prove it, and that since Paul is in
California, Jon has broken the law.
Paul has only indicated his point of view objectively; he hasn't yet
indicated he wants to do something about it (or that he personally feels
that he should do something about it).
I have servers hosted at shared colo facilities. If you were to scan the
entire netblock for my colo provider because a different customer at the
same facility tried to send mail through you, how am I to determine your
cause, or determine that it was not a scan for a vulnerability?
You don't have to. This is why I never understood why people care so much
about probing. If you do a good job with your network, probing will have
zero affect on you. All the person probing can do (regardless of their
intent) is say "Gee, I guess there aren't any vulnerabilities with this
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
Dialup * Webhosting * E-Commerce * High-Speed Access