Penetration Testing mailing list archives

Providers blocking portscans - bad news for pentest?

From: Petr.Kazil () eap nl
Date: Mon, 4 Jul 2005 23:13:12 +0200

<rant warning> Recently I had a worrying experience with my Internet 
provider that might be interesting for some of us.

I had been doing LEGAL portscans from home, only to find my Internet 
access blocked a few hours later.

I had done this many times before and had called and mailed their 
helpdesk, and it was never a problem. Their attitude was: "As long as 
nobody files a complaint against your scan, we will tolerate it." I read 
their "terms of use" and legal portscans / vulnerability scans were not 
prohibited. Their helpdesk still acknowledges that legal scans are not 
prohibited. (And IIRC a Dutch law court even decided that portscans are 
not illegal AT ALL, since they don't penetrate the system perimeter.)

However they have recently installed a system that wil automatically block 
anyone doing a portscan. They mention a system of "aggregated firewalls" 
that behaves like a "bot". There is nothing that can be done against it. 
Asking for a temporary permission is useless and the provider does not 
provide any service without this filter anymore (other than expensive 
colocation). They say that with the explosion of trojans and worms they 
had to take these measures.

Since this was the most "nerdy" and "tech friendly" provider in the 
Netherlands, many of my security colleagues had been doing their scans 
through them. Now they are being blocked too, and they are quite unhappy 
with the development. Even some companies that used ADSL accounts for 
doing security scans against their own infrastructure have been blocked.

Although intellectually I should welcome this development (security gets 
better for most of us) emotionally I'm quite upset (where's the free 
Internet  that I grew up with). <rant off>

There is another consequence of this development. If providers start 
blocking suspect TCP/IP traffic then we will have to do our portscans from 
an IP-address near to the Internet entry point of our customers. But 
usually my customers don't have a free patch from where I could scan their 
external firewall interface. Most often they use an ADSL connection 
themselves to do their external portscans.

And what if providers start filtering TCP/IP traffic. Then portscans will 
become very unreliable.

Maybe this is "old news" for most of you, but since I haven't seen a 
discussion about this, I thought I should mention it.

Current thread:

Re: Remote Desktop/Term. Serv information leakage, (continued)
- Re: Remote Desktop/Term. Serv information leakage Kyle Maxwell (Jul 01)
- Re: Remote Desktop/Term. Serv information leakage Terry Vernon (Jul 01)
  - Re: Remote Desktop/Term. Serv information leakage Joachim Schipper (Jul 01)
- RE: Remote Desktop/Term. Serv information leakage Paul Fields (Jul 01)
- Re: Remote Desktop/Term. Serv information leakage Thor (Hammer of God) (Jul 01)
- RE: Remote Desktop/Term. Serv information leakage Andre Protas (Jul 01)
- RE: Remote Desktop/Term. Serv information leakage Ha, Jason (Jul 02)
- Re: Remote Desktop/Term. Serv Information leakage kuffya (Jul 02)
  - RE: Remote Desktop/Term. Serv Information leakage Paul Fields (Jul 05)
- RE: Remote Desktop/Term. Serv information leakage Salvador.Manaois (Jul 04)
  - Providers blocking portscans - bad news for pentest? Petr . Kazil (Jul 04)
    - RE: Providers blocking portscans - bad news for pentest? Erin Carroll (Jul 04)
    - RE: Providers blocking portscans - bad news for pentest? Alexander Klimov (Jul 05)
    - Re: Providers blocking portscans - bad news for pentest? RCS (Jul 05)
    - Re: Providers blocking portscans - bad news for pentest? Chris Brenton (Jul 04)
    - Re: Providers blocking portscans - bad news for pentest? Robert BARABAS (Jul 05)
    - Re: Providers blocking portscans - bad news for pentest? Maarten Hartsuijker (Jul 06)
    - Message not available
    - Re: Providers blocking portscans - bad news for pentest? Christoph Puppe (Jul 07)