Re: FW: Legal? Road Runner proactive scanning.[Scanned]

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2004-03-15 Bryan S. Sampsel wrote:
> Ansgar -59cobalt- Wiechers said:
>
> > I have to respectfully disagree. Portscans *may* very well be
> > utilized by an attacker to identify what is running on a system, so
> > they *may* indicate a forthcoming attack. OTOH finding out what
> > services some box provides IMHO is a legitmate means for any
> > potential user.
>
> No regular, authorized user should be scanning.  That user will be
> provided the information as necessary.  Sorry.

Your are going to explain how you are going to do that, e.g. for
publically available services on ports that are not well-known, aren't
you? And even if so, what's it hurt if someone goes finding out for
himself? I still don't get your point.

> > If you don't intend to provide a service then why do you make it
> > available? If you run a service with known vulnerabilities then why
> > don't you fix/change it? If you intend to provide a service and
> > there are no known vulns then why do you consider portscans a
> > problem? Do you really believe security thru obscurity is going to
> > work?
>
> Nothing about obscurity ever played into my explanation.

How else should I call hiding the services you provide by prohibiting
portscans (or trying to)?

> As to vulnerable services...find me one that hasn't had a
> vulnerability show up.  And find me one that, even when the patches
> are kept up to date, has not occasionally been exploited before
> patches became available.
>
> Portscans are comparable to somebody checking all my windows and doors
> to see if they're unlocked.

So? Lock them already, if you don't want them to be open.

> I have mail box out front for communication and a phone.  People can
> call me.  But them attempting to find other ways into my house is
> tresspassing.  And such activity can indicate an attempt to break in
> is forthcoming.

This analogy was born without legs. A portscan is a means of finding out
what services you are providing to the public. Nothing more. Nothing
less.

> > To sum up: a portscan may or may not indicate a forthcoming attack,
> > but it is *not* an attack in itself.
>
> The point is debatable.

Obviously.

> I consider it enough of an indicator that I take it seriously.
> Sometimes, it isn't even a person doing the attack, but an infected
> machine.  More than one virus performs portscans.

Sure. But still the portscan is not the attack. I already said that it
might indicate a forthcoming attack, so there's nothing wrong with
taking it seriously, but I wouldn't be too worried about it.

Regards
Ansgar Wiechers

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------