Penetration Testing mailing list archives
RE: Providers blocking portscans - bad news for pentest?
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Mon, 4 Jul 2005 19:35:55 -0700
Petr, The system they have installed has to have a threshold of some sort before a block is put into place (x scans per y seconds/minutes etc). Many of the portscan tools in use have the ability to stagger or control the frequency of probes with timeout variables, parallel host scanning options, and/or simultaneous port probes which may help in bypassing the throttle trigger of their new filter-bot. Nmap for instance can also modify the delay between each probe frame to scan as quickly or as slowly as desired using the --scan_delay flag. While this doesn't solve the issue it would at least allow you to continue pen-test work. The real pain is the fact that it slows down pen-testing by orders of magnitude. What used to take a few minutes to scan may now take several hours. Not an optimal solution but at least an interim one until you can convince the provider to work with you (or find another provider). Personally I use a dedicated virtual hosting provider for my pen-test work to get around a very similar issue with my current provider. YMMV. -- Erin Carroll "Do Not Taunt Happy-Fun Ball"
-----Original Message----- From: Petr.Kazil () eap nl [mailto:Petr.Kazil () eap nl] Sent: Monday, July 04, 2005 2:13 PM To: pen-test () securityfocus com Subject: Providers blocking portscans - bad news for pentest? <rant warning> Recently I had a worrying experience with my Internet provider that might be interesting for some of us. I had been doing LEGAL portscans from home, only to find my Internet access blocked a few hours later. I had done this many times before and had called and mailed their helpdesk, and it was never a problem. Their attitude was: "As long as nobody files a complaint against your scan, we will tolerate it." I read their "terms of use" and legal portscans / vulnerability scans were not prohibited. Their helpdesk still acknowledges that legal scans are not prohibited. (And IIRC a Dutch law court even decided that portscans are not illegal AT ALL, since they don't penetrate the system perimeter.) However they have recently installed a system that wil automatically block anyone doing a portscan. They mention a system of "aggregated firewalls" that behaves like a "bot". There is nothing that can be done against it. Asking for a temporary permission is useless and the provider does not provide any service without this filter anymore (other than expensive colocation). They say that with the explosion of trojans and worms they had to take these measures. Since this was the most "nerdy" and "tech friendly" provider in the Netherlands, many of my security colleagues had been doing their scans through them. Now they are being blocked too, and they are quite unhappy with the development. Even some companies that used ADSL accounts for doing security scans against their own infrastructure have been blocked. Although intellectually I should welcome this development (security gets better for most of us) emotionally I'm quite upset (where's the free Internet that I grew up with). <rant off> There is another consequence of this development. If providers start blocking suspect TCP/IP traffic then we will have to do our portscans from an IP-address near to the Internet entry point of our customers. But usually my customers don't have a free patch from where I could scan their external firewall interface. Most often they use an ADSL connection themselves to do their external portscans. And what if providers start filtering TCP/IP traffic. Then portscans will become very unreliable. Maybe this is "old news" for most of you, but since I haven't seen a discussion about this, I thought I should mention it.
Current thread:
- Re: Remote Desktop/Term. Serv information leakage, (continued)
- Re: Remote Desktop/Term. Serv information leakage Terry Vernon (Jul 01)
- Re: Remote Desktop/Term. Serv information leakage Joachim Schipper (Jul 01)
- RE: Remote Desktop/Term. Serv information leakage Paul Fields (Jul 01)
- Re: Remote Desktop/Term. Serv information leakage Thor (Hammer of God) (Jul 01)
- RE: Remote Desktop/Term. Serv information leakage Andre Protas (Jul 01)
- RE: Remote Desktop/Term. Serv information leakage Ha, Jason (Jul 02)
- Re: Remote Desktop/Term. Serv Information leakage kuffya (Jul 02)
- RE: Remote Desktop/Term. Serv Information leakage Paul Fields (Jul 05)
- RE: Remote Desktop/Term. Serv information leakage Salvador.Manaois (Jul 04)
- Providers blocking portscans - bad news for pentest? Petr . Kazil (Jul 04)
- RE: Providers blocking portscans - bad news for pentest? Erin Carroll (Jul 04)
- RE: Providers blocking portscans - bad news for pentest? Alexander Klimov (Jul 05)
- Re: Providers blocking portscans - bad news for pentest? RCS (Jul 05)
- Providers blocking portscans - bad news for pentest? Petr . Kazil (Jul 04)
- Re: Providers blocking portscans - bad news for pentest? Chris Brenton (Jul 04)
- Re: Providers blocking portscans - bad news for pentest? Robert BARABAS (Jul 05)
- Re: Providers blocking portscans - bad news for pentest? Maarten Hartsuijker (Jul 06)
- Message not available
- Re: Providers blocking portscans - bad news for pentest? Christoph Puppe (Jul 07)
- Re: Remote Desktop/Term. Serv information leakage Terry Vernon (Jul 01)