Security Basics mailing list archives

Re: Yet another thread on the legality of port scanning


From: Derek Schaible <dschaible () cssiinc com>
Date: 18 Mar 2004 12:33:15 -0500

On Thu, 2004-03-18 at 11:33, Barry Fitzgerald wrote:
Charley Hamilton wrote:


The normal means of communicating on the internet is via IP
packets.


On that basis, electron transport is the standard method of
information transfer on the internet.  If I connect a power cord
to your router's ethernet jack, is that okay?  Obviously not.

These analogies don't work together.  The normal means of connecting an 
ethernet card to a network is not via a power cord.  The normal means of 
connecting to a server *IS* sending IP packets to that server and 
receiving them back.  Which port(s) the packets are sent to is 
irrelevant.  Whether the content is an attack or not depends on the 
content of the packets.  Just because some (very poorly designed) 
hardware/software can't survive a port scan, doesn't mean that port 
scans are attacks nor does it mean that they represent anomalous traffic.

------- snip - we get the point -------------------------------------

Perhaps it's time we look at this in an entirely different way, seeing as
how we are getting nowhere fast in this old debate.

If I do a "nice", normal portscan on a host - via TCP, UDP or ICMP - I am
generating no discernible traffic, causing virtually no CPU load; in
essence no damage is done or resources wasted, and the only thing learned is
what services this host is intending to serve. Period. Whether I can
access those services is totally up to the maintainer of the server.
Period.

However, if I decided to do some packet crafting via nmap's uber tools,
mixing invalid, unnatural flags in such a manner as to attempt bypassing
a firewall or fool filtered ports, we are in a whole new realm that has
nothing at all to do with general portscans. This sort of behavior is
detectable, preventable and prosecutable.

If I decide to try to cause your httpd daemon to crash and give me a
root shell, again, this sort of behavior is detectable, preventable and
prosecutable.

If I try to flood your host with abnormally LARGE ICMP packets endlessly
from multiple hosts in an attempt to eat all of your bandwidth, this
sort of behavior is detectable, preventable and prosecutable.

A normal, default, friendly ICMP sweep or TCP connect is doing none of
these. It has no effect whatsoever on the strength of your APPLICATION
security.

Does this help?

-- 
Derek Schaible <dschaible () cssiinc com>
CSSI, Inc.

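The post above separates a plain TCP connect (SYN, SYN/ACK, ACK) from packets carrying flag combinations that never occur in a legitimate handshake, and says the latter are detectable. The following is an added illustration of that detection point, not code from the post or from any tool it names: a small classifier that labels TCP flag combinations and counts the anomalous ones per source address, run over a constructed set of packet summaries. The label names, the `Packet` record, the sample addresses and the alert threshold are all assumptions made for this example.

```python
"""Label TCP flag combinations and count the anomalous ones per source.

Added example for the distinction drawn in the post: ordinary connect
traffic versus packets whose flag bits no conforming TCP stack emits,
which is what an IDS rule can key on. The packet records are constructed
for this example; the label names follow common IDS usage but are an
assumption here, not a standard.
"""
from collections import defaultdict
from dataclasses import dataclass

# The six classic TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary (assumed shape, not a capture library's)."""
    src: str
    dst: str
    service_port: int   # the service port being exchanged with
    flags: int          # bitwise OR of the flag constants above


def classify_flags(flags: int) -> str:
    """Return a label for one TCP flag combination.

    'normal'   : combinations seen in a legitimate connection (SYN, SYN/ACK,
                 ACK-bearing segments, RST)
    'null'     : no flags set at all
    'syn-fin'  : SYN and FIN together, contradictory under RFC 793
    'xmas'     : FIN, PSH and URG set with no ACK
    'no-ack'   : any other combination lacking ACK, e.g. a lone FIN
    """
    if flags == 0:
        return "null"
    if flags & SYN and flags & FIN:
        return "syn-fin"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & ACK:
        return "xmas"
    if flags & (SYN | RST | ACK):
        return "normal"
    return "no-ack"


def summarize(packets, threshold: int = 3):
    """Count non-'normal' packets per source and flag sources over threshold.

    Returns (counts, alerted): counts maps src -> {label: count} for
    anomalous packets only, and alerted lists sources whose anomalous
    packet total exceeds `threshold` (an arbitrary choice for the example).
    """
    counts: dict = defaultdict(lambda: defaultdict(int))
    for pkt in packets:
        label = classify_flags(pkt.flags)
        if label != "normal":
            counts[pkt.src][label] += 1
    plain = {src: dict(labels) for src, labels in counts.items()}
    alerted = sorted(src for src, labels in plain.items()
                     if sum(labels.values()) > threshold)
    return plain, alerted


# Constructed sample: a plain connect scan from 10.0.0.5 (one SYN per port,
# the server answering SYN/ACK or RST/ACK) and crafted probes from 10.0.0.9.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.20", 22, SYN),
    Packet("10.0.0.20", "10.0.0.5", 22, SYN | ACK),
    Packet("10.0.0.5", "10.0.0.20", 80, SYN),
    Packet("10.0.0.20", "10.0.0.5", 80, SYN | ACK),
    Packet("10.0.0.5", "10.0.0.20", 443, SYN),
    Packet("10.0.0.20", "10.0.0.5", 443, RST | ACK),
    Packet("10.0.0.9", "10.0.0.20", 22, 0),
    Packet("10.0.0.9", "10.0.0.20", 80, FIN | PSH | URG),
    Packet("10.0.0.9", "10.0.0.20", 443, SYN | FIN),
    Packet("10.0.0.9", "10.0.0.20", 8080, FIN),
]


if __name__ == "__main__":
    counts, alerted = summarize(SAMPLE)
    for src, labels in counts.items():
        print(src, labels)
    print("alert on:", alerted)
```

Run as a script it reports only `10.0.0.9`, with one packet in each anomalous class; the connect scan from `10.0.0.5` produces nothing, because every one of its segments is a combination a normal TCP stack sends. That is the whole of the post's point in code: the port being asked about is not what distinguishes the two sources, the content of the packets is.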

