RE: Legal? Road Runner proactive scanning.

["Bryan S. Sampsel" <bsampsel () libertyactivist org>]

Don't lose any customers...the packet filter I have drops any further scan
packets, but continues to allow regular traffic to flow.

However, if you don't think there's any legal issues with portscanning,
try scanning the government sites.  See how long it takes to get some
attention brought on you.  ;)

Besides, commonality of an occurance does not minimize it.  Script kiddies
are common, exploiting whatever the exploit-of-the-week is...

If you want protection, use the RBL engines out there...some of them even
allow you to scan your own system for relay capabilities and exploits.

I have no truck with my ISP scanning me, provided it's made clear up
front.  I do have problems with somebody I am not contractually linked to
doing so.

IMO,

bryan

======================================
Bryan S. Sampsel
LibertyActivist.org
======================================

Mark Medici said:
> > From: Bryan S. Sampsel [mailto:bsampsel () libertyactivist org]
> > Sent: Friday, March 12, 2004 11:23 AM
> >
> > If you're the customer.  However, if you're not the customer, they
> have no
> > legal right to scan your resources.
>
> That's a different matter, but still it's not illegal, at least not
> under any law that I have seen.  But IANAL or a cop, YMMV and all that
> stuff.  While I might not like someone scanning my ports, there is
> nothing particularly bad about it, unless it is done in such a way as to
> constitute a denial-of-service attack or harassment.
>
> Now, how the person scanning uses that information may be illegal
> (attempting an exploit) or negligent (unauthorized disclosure to third
> parties).
>
> Port scanning is such a common and innocuous occurrence that there's no
> reason for it to even be a part of your normal IDS alerts or reports.
> Just block it and log it and ignore it unless/until there's an
> escalation, then go back to the raw logs for evidence.  Of course, if
> the port scans make it through to your DMZ or internal network, then I'd
> want to see alerts from the IDS's in those zones.
>
> As for testing all connecting SMTP servers for the presence of open
> relay/proxy, I think this is a matter of self preservation and a feature
> I'd personally like to see my MTA provide.  It's hard to argue against
> something that makes good common sense.
>
> If it makes you feel better or more secure to firewall-off every IP that
> scans your ports or checks for open relays, then go ahead and do it.
> But expect to keep busy, and potentially loose communications from bona
> fide customers in the process.


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------