Internet-wide port scans
mysidia at gmail.com
Tue Oct 16 23:43:34 UTC 2012
On 10/16/12, Darius Jahandarie <djahandarie at gmail.com> wrote:
> On Tue, Oct 16, 2012 at 12:57 AM, Scott Weeks <surfer at mauigateway.com>
> I always thought it wasn't allowed because of 18 USC § 2701, but
> IINAL, would be happy to hear otherwise :).
18 USC 2701 is not necessarily the only consideration.
I would rather say that there might be a risk of criminal and civil
liability, for all entities intentionally participating in, assisting
as accomplices in, or facilitating as service provider, software
provider, providers of information or operating instructions, etc,
for, anyone conducting or intentionally assisting an unauthorized port
scan of a different ISP's address space, that varies with
jurisdiction, and you should consult your counsel, to determine if
any precautions are appropriate to manage the risk, such as obtaining
proper Letters of authorization from IP address assignees in advance,
or if the responsible entity determines that you must abstain from
the activity entirely, because the risk level is too high.
By definition a reputable service, will not have a policy that you
may execute internet-wide port scans of arbitrary ports that include
IP networks/addresses that are not either assigned to you, your ISP
customer, or that you have specific written permission to scan, as
they will want to manage the risks to themselves properly as well.
Port scans are strongly associated with malicious activity.
And there are other risks of adverse actions, besides legal ones, such
as the service provider's address space becoming widely blacklisted or
Before a network service provider offers any kind of service that
permits the SPs' services
to be used for arbitrary port scans of other remote networks, they are
likely to have taken steps to protect themselves, by setting some
parameters must be met, before a scan is allowed.
> Darius Jahandarie
More information about the NANOG