Security Basics mailing list archives

RE: FW: Legal? Road Runner proactive scanning.[Scanned]


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 18 Mar 2004 08:31:42 -0800

  I'll agree that the hotel analogy is flawed, because the effort
required by the hotel operator to answer such questions is
proportionally much larger than the effort required of a host and
associated network equipment to process a bunch of niladic 
connection requests.
  But this is a "fundamental" flaw ONLY if you assert that the
effort in the network case is ZERO -- and it's not.  The threshold
at which it becomes a denial of service is much higher, thankfully,
but even without reaching that threshold it's an abuse of the host
owner's bandwidth and CPU resources for connections which the 
scanner never intends to actually use.
  (Actually, this illustrates an aspect which the "rattling doorknobs
and windows" analogy completely fails to capture.)
  Portscans have costs and, in some cases, consequences.  These are
usually quite minor, but that's a matter of degree rather than of
ethical principle.

David Gillett


-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com]
Sent: Thursday, March 18, 2004 8:02 AM
To: gillettdavid () fhda edu; Jef Feltman;
security-basics () securityfocus com
Subject: RE: FW: Legal? Road Runner proactive scanning.[Scanned]


-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: Wednesday, March 17, 2004 11:42 AM
To: 'Jef Feltman'; security-basics () securityfocus com
Subject: RE: FW: Legal? Road Runner proactive scanning.[Scanned]

 You call a hotel, and instead of asking for a non-smoking
double room overlooking the pool, you ask if room 1 is available,
then if room 2 is available, then if room 3 is available, and
so on.  At some point, this amounts to a denial of service
against the hotel switchboard operator....

Dave Gillett

A portscan is a method of checking whether a service is accepting data
or not. It's a simple connection that closes if the port responds. A
denial of service would be flooding that port with so much traffic that
it can't respond to other requests; that is not the case with a
portscan. The hotel analogy is fundamentally flawed for this argument.
You wouldn't be talking with the operator; a portscan would see if you
can 'phone' the hotel, then when they pick up you verified the 'port' is
open. Talking with the operator is akin to communicating with the port,
thus you're 'browsing the page' and not just checking to see if the port
is open.

 Shawn

