Stealth Blocking

John Fraizer nanog at Overkill.EnterZone.Net
Thu May 24 23:43:50 UTC 2001

On Thu, 24 May 2001 Valdis.Kletnieks at wrote:

> On 00 Jan 00 00:00:00, Valdis.Kletnieks at said:
> > Be careful, it's not as clear-cut as it may seem.  At least in one US District
> > Court, portscanning was held to be legal (or more precisely, that you couldn't
> > count the cost of investigating one against damages)...
> s/was held to be legal/was not in and of itself held to be illegal/.
> Just a slightly different meaning there.. ;)
> I'll let the lawyers argue how to define "damages" as stated in
> 18 USC 1030(a)(5) - I wouldn't be surprised if a lawyer attempted to
> claim that merely *FINDING* a vulnerability, but not exploiting it,
> causes "damage" the same way that driving past somebody's house and
> yelling "you have termites" causes damage if you investigate and
> find that you do, in fact, have a termite problem.
> Of course, IANAL, and if anybody wants to cite case law please do so. ;)
> -- 
> 				Valdis Kletnieks
> 				Operating Systems Analyst
> 				Virginia Tech


I'm not a proponent of indiscriminate scanning of someone else's network
and I'm definitely not a proponent of reading 60+ emails about open
relays, scanning, blah blah blah on NANOG every day on the off chance that
there will be something enlightening in them that hasn't already been said
1000 times before over the past year or so.  That said, I disagree with
your analogy as stated above.

If someone driving past your house yelling that you have termites causes
you to actually investigate and you DO actually have termites, they have
done you a favor.  You now have the opportunity to limit the scope of the
damage that the termites can do if you take the proper course of action.
It works the same way with a vulnerable service on your network as well.
However, in as much as I would be happy to demonstrate my firearms
collection to anyone caught "inspecting" my home for a termite problem
without my having specifically requested they do so, I don't think any of
us enjoy the daily scans against our networks.  Just like a responsible
homeowner will perform preventative maintenance and have their home
inspected on whatever recurring basis may be necessary to detect a
specific issue, responsible network operators maintain their OWN networks.

Please note the word RESPONSIBLE above.

That said, we all know that even the most diligent homeowner/network
operator is sometimes caught off guard by some type of pest or
vermin.  When your particular pest/vermin infestation causes issues for
your neighbor or other networks, it is to be expected that they will
contact you about the issue.

If you spent hours each week maintaining your lawn to look like a golf
green only to find a single gopher hole right in the middle of it and you
noticed that your neighbor had 30 gopher holes in their front yard, you
have every reason to contact your neighbor with regards to that issue.

This doesn't give you the right to go running through every yard in your
community in the middle of the night with a spotlight and a .410 looking
for more gophers though.

If you know that your network is squeaky clean yet you get
SPAM/script-kiddies/whatever from some other network, you have every
reason to contact them with regards to the issue.

As pointed out in the previous homeowner example, this does NOT give you
any right to start scanning every network you can find for vulnerable
services, etc.

With that said, can we PLEASE drop this OLD, OLD, OLD thread or at least
move it somewhere else so the rest of us can manage to read our NANOG mail
in a timely fashion without having to wade through the hip-deep OT
messages whining about someone blocking this or someone scanning that?


John Fraizer
EnterZone, Inc
