Re: Deutsche-Telekom sets the standard for network security! (??)

From: Bruce D. Ray (bray@iupui.edu)
Date: 12/18/01


From: bray@iupui.edu (Bruce D. Ray)
Date: Mon, 17 Dec 2001 18:34:59 -0500

In article <mkrlv9.8ic.ln@charon.heiming.de>, Michael Heiming
<michael@heiming.de> wrote:

> Tim Haynes (usenet@stirfried.vegetable.org.uk) wrote at Monday 17
> December 2001 22:48:
>
> [snip]
>
> >
> > Of course, it is expected that an ISP should actually be responsibly
> > minded enough to take abuse reports seriously, investigate the cause
> > and advise its customers of their security failings.
>
> If you call a port scan abuse, true, they should, but if you
> look at the ipchains log of a box that is online 24/7, there will be
> numerous port scans all day long. I wouldn't call them an attack,
> though (as the OP does); if someone is looking at your door/car, is
> this an abuse/attack?

Well, I do call port scans an abuse. I call port
scans deliberate hostile activity. There simply
isn't a legitimate reason for anyone outside of
the IU's IT Security Office to engage in a wholesale
port scan of my private NMR Center domain, and I've
even protested to IU's IT Security Office when they
did that. However, wholesale port scanning is what
has been tried from Deutsche-Telekom, from wanado.fr,
from chello.*, and from other European ISPs, all of
whom I've now permanently blocked. There absolutely
isn't any reason for attempts at anonymous FTP to a
system that sends a preliminary message clearly stating
that these systems are only available to authorized
users and that these systems do not provide any general
services and are not anonymous FTP servers. Furthermore,
when attempts to smash the stack follow these port scans,
then we've gone from simple abuse to active criminality.
Finally, when these attempts go so far as to download
criminal material onto someone's drives {e.g., child
pornography, which has been downloaded onto the drives
of one NMR facility's machines}, then the illegal purpose
of the original port scan becomes blindingly obvious.

Your analogy is faulty as well. An external port
scan, i.e., a port scan originating from outside the
domain of the machine being scanned, is not equivalent
to looking at the door or at the car. An external port
scan is equivalent to rattling the door in an attempt
to enter without express permission or invitation. The
mere fact that a machine is on the internet is neither
an invitation to contact that machine nor permission to
contact that machine. I should point out here that many
machines, particularly some types of medical diagnostic
equipment, are on the internet in order for the manufacturer
to conduct regular instrument checks to certify the
instrument the computer is hosting. Yes, such machines
ought to be protected. They are. However, we all know
that all protection methods are fallible. Failure of the
ISP to have and to enforce a prohibition against port
scanning outside of one's own domain

The only four legitimate reasons for contacting a
machine on the internet are:
  1. contact by the administrator of that machine;
  2. contact by an authorized user of that machine;
  3. contact to a machine that is a known and advertised
     public service provider on the specific port
     or ports for which services are known and
     advertised; or
  4. accidental contact caused by mistyping of an
     address and followed by immediate disconnect
     {and note that I do report this type of contact
     to IU's IT Security Office}.
All other contacts are questionable at best, and
when conducted in the form of a port scan, are hostile
actions.

-- 
Warning to commercial e-mailers {spammers}:  The e-mail
address provided above is for information purposes only
and is subjected to extensive e-mail filtering.  Do not
send unsolicited commercial e-mail to this address.


