RE: Providers blocking portscans - bad news for pentest?

["Erin Carroll" <amoeba () amoebazone com>]

Petr,

The system they have installed has to have a threshold of some sort before a
block is put into place (x scans per y seconds/minutes etc). Many of the
portscan tools in use have the ability to stagger or control the frequency
of probes with timeout variables, parallel host scanning options, and/or
simultaneous port probes which may help in bypassing the throttle trigger of
their new filter-bot. Nmap for instance can also modify the delay between
each probe frame to scan as quickly or as slowly as desired using the
--scan_delay flag.

While this doesn't solve the issue it would at least allow you to continue
pen-test work. The real pain is the fact that it slows down pen-testing by
orders of magnitude. What used to take a few minutes to scan may now take
several hours. Not an optimal solution but at least an interim one until you
can convince the provider to work with you (or find another provider).
Personally I use a dedicated virtual hosting provider for my pen-test work
to get around a very similar issue with my current provider. YMMV.


--
Erin Carroll
"Do Not Taunt Happy-Fun Ball" 


> -----Original Message-----
> From: Petr.Kazil () eap nl [mailto:Petr.Kazil () eap nl] 
> Sent: Monday, July 04, 2005 2:13 PM
> To: pen-test () securityfocus com
> Subject: Providers blocking portscans - bad news for pentest?
>
> <rant warning> Recently I had a worrying experience with my 
> Internet provider that might be interesting for some of us.
>
> I had been doing LEGAL portscans from home, only to find my 
> Internet access blocked a few hours later.
>
> I had done this many times before and had called and mailed 
> their helpdesk, and it was never a problem. Their attitude 
> was: "As long as nobody files a complaint against your scan, 
> we will tolerate it." I read their "terms of use" and legal 
> portscans / vulnerability scans were not prohibited. Their 
> helpdesk still acknowledges that legal scans are not 
> prohibited. (And IIRC a Dutch law court even decided that 
> portscans are not illegal AT ALL, since they don't penetrate 
> the system perimeter.)
>
> However they have recently installed a system that wil 
> automatically block anyone doing a portscan. They mention a 
> system of "aggregated firewalls" 
> that behaves like a "bot". There is nothing that can be done 
> against it. 
> Asking for a temporary permission is useless and the provider 
> does not provide any service without this filter anymore 
> (other than expensive colocation). They say that with the 
> explosion of trojans and worms they had to take these measures.
>
> Since this was the most "nerdy" and "tech friendly" provider 
> in the Netherlands, many of my security colleagues had been 
> doing their scans through them. Now they are being blocked 
> too, and they are quite unhappy with the development. Even 
> some companies that used ADSL accounts for doing security 
> scans against their own infrastructure have been blocked.
>
> Although intellectually I should welcome this development 
> (security gets better for most of us) emotionally I'm quite 
> upset (where's the free Internet  that I grew up with). <rant off>
>
> There is another consequence of this development. If 
> providers start blocking suspect TCP/IP traffic then we will 
> have to do our portscans from an IP-address near to the 
> Internet entry point of our customers. But usually my 
> customers don't have a free patch from where I could scan 
> their external firewall interface. Most often they use an 
> ADSL connection themselves to do their external portscans.
>
> And what if providers start filtering TCP/IP traffic. Then 
> portscans will become very unreliable.
>
> Maybe this is "old news" for most of you, but since I haven't 
> seen a discussion about this, I thought I should mention it.