On Mon, 19 Jun 2000, Randy Edwards wrote:
> I'm pretty shocked at how hard I'm getting hit by port scans. While I
> know they are not "hostile" in nature, to me they're fairly close to it.
>
> So what I was wondering is what are the rules of net etiquette about port
> scans. In short, how do others perceive and react to them?

There doesn't appear to be wide-spread agreement on netiquette with regards
to ping probes, port scans and the like. But I'll give you my stance on the
issue. (I believe everyone should be entitled to my opinion. ;-)

Ultimately, if you're running a publicly connected host, you cannot
reasonably expect to never be contacted. People with absolutely no hostile
intent may simply type a hostname or IP address wrong, or think you're a
public server for one reason or another. In particular, if you're running an
anonymous FTP or HTTP server, you can't expect people not to come looking.
Thus, if your system is for private use only, make sure you explicitly state
such in your login banners, MOTD, and the like. Disable anonymous services,
or at the very least put them behind similar notices. Thus, if someone
continues past such warnings, you can be reasonably sure they are doing so
with hostile intent.

If you like analogies, you cannot expect to put up what looks like a store
front in a busy downtown section and expect nobody to ever look in the window.
But if they ignore your "CLOSED" sign and start trying to force the door open,
you're justified in getting angry.

As for specifics:

A ping probe (a single ICMP ECHO_REQUEST packet) is like someone
looking in the window, and should be accepted. In fact, it is required per
Internet standards. All you people firewalling all ping packets: Your gateway
is broken.

A port scan is like someone trying the handle. If someone does it once,
well, you can't really chew their head off. But if they sit there pulling on
the door, or try it every day, you're justified in yelling at them.

Someone connecting to an anonymous service is again like trying the handle.
You can't really expect this not to happen. On the other hand, someone trying
to login as "root", trying various known exploits, or other things like that
is definitely hostile. It's like someone trying all your windows (no pun
intended) to see if you left one unlocked. Call the cops (contact their ISP)
or chase them away (ban their IP).

Hope this helps...

--
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18 Fax: (978)499-7839