On Tue, 21 Dec 1999, Eric wrote:
> "Paul D. Robertson" wrote:
> > In that case, they'd probably be more interested in putting a stop to
> > you, and you'd perhaps run afoul of the law if you hit one of their
> > customer's machines. I'd recommend against it. Also, if they source
> > spoofed, you'd be scanning a bunch of other networks that don't belong to
> > an attacker. If those were the right networks, you'd probably be in
> > court pretty quickly if anyone backtraced the traffic to your AS. I'd
> > highly recommend getting competent legal advice from an attorney with a
> > clue prior to initiating anything like this.
>
> Obviously one would check for legal ramifications before actually
> implementing such a system.

It's not so obvious to everyone, and the social ramifications could be
much worse than the legal ones. Didn't Fred Cohen learn that one already?

> It does seem interesting, though, that the general feelings expressed
> here are that it would be much worse to implement such a system than
> it is for the people who are doing the port scanning. In the one case,
> you have someone trying to get ISPs to take care of their own problems
> and in the other case you have someone who is actively seeking systems
> to exploit and sometimes causing extremely serious damage to those
> systems.
>
> So why is port scanning by hackers so much less objectionable than a
> port scan by someone trying to get action taken against the hackers?

We expect the bad guys to do bad things, we don't expect the good guys to.
Just as we socially (generally) hold police and military forces to a
higher standard than those who they go against. Escalation of force by
"good guys" isn't generally acceptable socially, no matter how right or
wrong it may be.

Stealth scans make it too easy to spoof a scanning host for the scan-back to
be effective without harming other networks. If the scanner is scanning
from a compromised host, and your scan brings down another system on the
first victim's network, should that be justifiable collateral damage?
What if the scanner is using a /26 and your scan goes over the network
boundary into an innocent 3rd party's netblock?

While *why* you're doing something is important, you'll be more
frustrated than ever before when those ISPs start using your behaviour as
an excuse for theirs or their customers'... "Oh, we were being scanned
from your addresses, so we scanned you back." is pretty difficult to
disprove without a node on the scanned network, and worse yet, it may be
true if the addresses are spoofed. Trust me, they would be once someone
figured it out.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280