Scanning the Internet for Vulnerabilities

Fernando Gont fgont at si6networks.com
Tue Jun 21 08:09:13 UTC 2022


Hi, Ronald,

On 21/6/22 03:53, Ronald F. Guilmette wrote:
> In message <7c5f9d80-8686-07bb-b6ed-6e41fa1e1bee at si6networks.com>,
> Fernando Gont <fgont at si6networks.com> wrote:
> 
>> Note: What's most usually done out there is scanning for ports, rather
>> than for vulnerabilities.
> 
> Yes, and at least some of the responses in this thread have not, I think,
> noted this rather important distinction.

Agreed.


> For my part I intended to ask specifically about attitudes towards scanning
> for actual vulnerabilities, e.g. those that have been assigned CVE numbers.

Please note that in most of these cases, "vulnerability scanning" is, 
for the most part, simply banner-grabbing, with some off-line comparison 
against a CVE database -- with banner-grabbing being at times simply the 
result of completing the TCP three-way handshake (i.e., something that 
would happen anyway, unless doing non-connect() scans). IOW, you 
probably cannot even tell whether you're being subjected to a port-scan 
or to a "vulnerability scan" of this type.

Then there are other cases where the scans are way more intrusive, such 
as, e.g., scanning for SQL injection in web applications, or, e.g., 
simply scanning for the vulnerability by trying to exploit it. I'd 
probably be concerned about these sorts of "scans", but not about 
port-scans/banner-grabbing.



> Depending on who is doing it, and why, my personal feeling is that even
> here in 2022 this should still be viewed as being exceptionally anti-social,
> and worthy of calling out publicly, but I must allow for the possibility
> that my personal views on this may be antiquated and out of step with current
> prevailing norms and attitudes.

Aside from what I've noted above, and without really taking a stance on 
whether what you note might or might not make sense, I'd probably argue 
that the folks one should probably be most concerned about would 
probably run the scans from VMs they probably paid for with 
cryptocurrency. The attacks would probably be non-trivial to attribute, 
and if you manage to get their provider to take their VMs off-line, they 
would probably simply buy a new one -- not that I like it, but... "it is 
what it is".

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
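The banner-grab style of "vulnerability scan" described in the message above, as an added example that is not part of Fernando's post or of any NANOG tool: the client completes the TCP handshake, sends nothing, reads whatever the service volunteers, and compares that off-line against a local version table. On the wire this is the same connect()-and-close that a plain port scan produces. The version table, the banners and the localhost listener are constructed for the demo; the issue identifiers in the table are placeholders, not real CVE numbers.

```python
"""Banner-grab "vulnerability scan": connect, read what the server sends
unprompted, compare off-line against a local table.

Added example, not code from the original message. KNOWN_ISSUES is a
CONSTRUCTED table; its identifiers are placeholders, not real CVEs.
"""
import re
import socket
import threading

# Constructed lookup table: (product, major.minor) -> placeholder IDs.
# A real scanner would load this from a local copy of a CVE/NVD feed.
KNOWN_ISSUES = {
    ("OpenSSH", "7.4"): ["EXAMPLE-ISSUE-A"],
    ("OpenSSH", "9.6"): [],
    ("vsFTPd", "2.3"): ["EXAMPLE-ISSUE-B"],
}

# Services that speak first: the banner arrives right after the handshake.
BANNER_PATTERNS = [
    # SSH identification string, e.g. "SSH-2.0-OpenSSH_7.4p1 Debian-10"
    re.compile(rb"^SSH-[\d.]+-(OpenSSH)[_-](\d+\.\d+)"),
    # FTP greeting, e.g. "220 (vsFTPd 2.3.4)"
    re.compile(rb"^220 .*?\((vsFTPd) (\d+\.\d+)"),
]


def parse_banner(banner: bytes):
    """Return (product, major.minor) from a server-initiated banner, or None."""
    for pat in BANNER_PATTERNS:
        m = pat.match(banner)
        if m:
            return m.group(1).decode(), m.group(2).decode()
    return None


def assess(banner: bytes) -> dict:
    """Off-line step: map the grabbed banner onto the local table.

    'issues' is None when the banner was not recognised or the version is
    not in the table (unknown, not 'clean'); a list (possibly empty) when
    the table has an entry for it.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return {"banner": banner, "product": None, "version": None, "issues": None}
    product, version = parsed
    return {"banner": banner, "product": product, "version": version,
            "issues": KNOWN_ISSUES.get((product, version))}


def grab_banner(host: str, port: int, timeout: float = 3.0, nbytes: int = 256) -> bytes:
    """Complete the three-way handshake and read only what the server
    volunteers. Nothing is written to the socket, so the target sees the
    same SYN/SYN-ACK/ACK/FIN as a connect() port scan."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(nbytes)
        except socket.timeout:
            return b""  # client-speaks-first service (e.g. HTTP): no free banner


def serve_banner(banner: bytes) -> int:
    """Throwaway localhost listener (constructed for the demo) that sends
    `banner` to the first client and closes. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    demo_banners = [
        b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",  # constructed
        b"220 (vsFTPd 3.0.3)\r\n",                      # constructed
        b"",                                            # silent service
    ]
    for banner in demo_banners:
        port = serve_banner(banner)
        result = assess(grab_banner("127.0.0.1", port, timeout=1.0))
        print(result)
```

The distinction Fernando draws shows up in the code: grab_banner() never writes, so a target cannot tell it from a port scanner that completes the handshake, and all of the "vulnerability" logic lives in assess(), which runs without any further traffic. A service that waits for the client (HTTP, TLS) yields an empty banner and an "unknown" verdict rather than a "clean" one.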

