On Wed, 26 Apr 2000, Thomas Biege wrote:
Hi,
PS: I ask myself whether it is legal to do portscans on any sites?
It's at least legal in Germany, but the admins of the scanned site may get angry at you...
I'm sure laws vary in different places, but it's probably not illegal in most places unless someone actually breaks in. However, it's probably against almost any ISP's Acceptable Use Policy for one of their clients to be portscanning other machines and networks. We've had good success having disciplinary action (i.e. account disabling) taken against
I really dislike this policy. If I don't like somebody on IRC I just have to do a SYN scan w/ the IP src address of the guy I didn't like to disable his account. I think port scanning is an annoying thing of the new Internet we have to live with...
portscanning offenders by reporting the incidents to their upstream providers. The problem is that it happens so frequently on the sites I administer that it takes too much time to track down and report each case. It seems that it's an unfortunate part of life on the Internet these days; the best thing is to make sure all your systems are fully patched and as hardened as possible so nobody can take it further than probing for weaknesses.
yepp.
Reading Thomas' email I realize I mis-spoke. I would have to say that it's probably an overreaction to report a mere _portscan_ with no further evidence of malicious attack, and I wouldn't do that either (aside from the impossibility of following up on each and every one). However, if there is evidence of breakin attempts that accompany the portscan (things like webserver logs that show exploit attempts and so forth), as there often are, I think that's sufficient grounds to pursue the matter with an originating ISP.

There's the issue of source IP spoofing that is a tough one to address, but that's kind of beside the point in my opinion; if your site's being attacked and that's the information you have available then that's what you use to try and solve the problem. In real life I've only ever pursued the matter when I see repeated actual breakin attempts from the same place over the course of days.

Another reason to not get too excited about simple portscans is that an increasing number of GUI applications (read: Windows 9x, etc.) will have portscanning functionality built into them with the typical informative message attached to it. "Find out more about your network... sure, why not? Click." In other words, they're not really malicious, just uninformed that clicking the "find out about your network" button may be construed as hostile by the other members of the network.

John Ritchie