nanog mailing list archives

Re: Scanning the Internet for Vulnerabilities


From: Fernando Gont <fgont () si6networks com>
Date: Tue, 21 Jun 2022 05:09:13 -0300

Hi, Ronald,

On 21/6/22 03:53, Ronald F. Guilmette wrote:
> In message <7c5f9d80-8686-07bb-b6ed-6e41fa1e1bee () si6networks com>,
> Fernando Gont <fgont () si6networks com> wrote:
>
>> Note: What's most usually done out there is scanning for ports, rather
>> than for vulnerabilities.
>
> Yes, and at least some of the responses in this thread have not, I think,
> noted this rather important distinction.

Agreed.

> For my part I intended to ask specifically about attitudes towards scanning
> for actual vulnerabilities, e.g. those that have been assigned CVE numbers.

Please note that in most of these cases, "vulnerability scanning" is, for the most part, simply banner-grabbing, with some off-line comparison against CVE database -- with banner-grabbing being at times simply the result of completing the TCP three-way handshake (i.e., something that would happen anyway, unless doing non-connect() scans). IOW, you probably cannot even tell if you're being subject to a port-scan or a "vulnerability scan" of this type.

Then there are other cases where the scans are way more intrusive, such as, e.g., scanning for SQL injection in web applications, or, e.g., simply scanning for the vulnerability by trying to exploit it. I'd probably be concerned about these sorts of "scans", but not about port-scans/banner-grabbing.

> Depending on who is doing it, and why, my personal feeling is that even
> here in 2022 this should still be viewed as being exceptionally anti-social,
> and worthy of calling out publicly, but I must allow for the possibility
> that my personal views on this may be antiquated and out of step with current
> prevailing norms and attitudes.

Aside from what I've noted above, and without really taking a stance on whether what you note might or might not make sense, I'd probably argue that the folks that one should probably be most concerned about would probably run the scans from VMs they probably paid for with cryptocurrency. The attacks would probably be non-trivial to attribute, and if you manage to get their provider to take their VMs off-line, they would probably simply buy a new one -- not that I like it, but... "it is what it is".

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont () si6networks com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
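The distinction drawn above (a handshake-only connection that reads a banner is indistinguishable from a port scan, whereas an injection probe is not) as an added example, not part of the thread: a small classifier over constructed connection records, where the record fields and the signature patterns are assumptions of this example.

```python
"""Classify connection records by how much the client actually sent.

Added example (not from the NANOG thread). A record is constructed here as
(source address, destination port, bytes the client sent after the TCP
handshake, first client payload). A client that sends nothing and only reads
the server's banner cannot be told apart from a plain port scan; only a
connection carrying exploit-style input is identifiable as intrusive scanning.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str
    dport: int
    client_bytes: int   # bytes sent by the client after the handshake
    payload: bytes      # first client payload, empty if the client sent nothing


# Constructed sample data, not real traffic (documentation address ranges).
SAMPLE = [
    Conn("198.51.100.7", 22, 0, b""),                          # connect, read SSH banner
    Conn("198.51.100.7", 80, 18, b"GET / HTTP/1.0\r\n\r\n"),   # plain GET, read Server header
    Conn("198.51.100.7", 80, 60, b"GET /item?id=1' OR '1'='1 HTTP/1.0\r\n\r\n"),
    Conn("203.0.113.9", 445, 0, b""),                          # connect only
]

# Minimal, illustrative SQL-injection probe signatures (assumed, not exhaustive).
INTRUSIVE = [re.compile(p, re.I) for p in (rb"'\s*or\s*'", rb"union\s+select")]


def classify(c: Conn) -> str:
    """Return one of 'handshake-only', 'intrusive', 'benign-request'."""
    if c.client_bytes == 0:
        # Port scan or banner grab: from the server's side these look identical.
        return "handshake-only"
    if any(p.search(c.payload) for p in INTRUSIVE):
        return "intrusive"
    return "benign-request"


def summarize(conns):
    """Per-source count of each class, e.g. to decide what is worth reporting."""
    out = defaultdict(Counter)
    for c in conns:
        out[c.src][classify(c)] += 1
    return {src: dict(cnt) for src, cnt in out.items()}


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE).items():
        print(src, counts)
```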

