[Dshield] ISP where port scans are ok

KeithTarrant keithtarrant at spamcop.net
Tue Oct 1 05:52:32 GMT 2002


Ellen -

I had a little more time to look into this.  Here are GCI's terms of
service.  They backup the idea that you got a lazy employee.
http://www.gci.net/tnc/
<<snip>>
9. SUBSCRIBER MISCONDUCT; INDEMNITY
<<snip>>
You agree not to use the Service to:
<<snip>>
f. access any other person's computer, software, or data of any other
person without the knowledge and consent of such person;
<<snip>>
j. restrict, inhibit or otherwise interfere with the ability of any other
person to use or enjoy the Service, including, without limitation, posting
or transmitting any information or software which contains a virus, lock,
key, bomb, worm, Trojan horse or other harmful feature; or generating
levels of traffic sufficient to impede others' ability to send or retrieve
information.
<<and it goes on>>

So I would say probing strange computers clearly violates f. because
probing a computer requires accessing it, even if the probed computer
doesn't reply because it doesn't have a vulnerable server installed, or
because a software firewall stealths the port.  My computer has been
accessed once my computer receives your probe, whether or not my computer
replies.

If an external firewall intercepts the probe, so it doesn't get to my PC,
you are left with whether a judge would consider an external firewall to
be a computer or not.  I'm pretty sure most computer design engineers will
tell you firewalls are special purpose computers, but they aren't judges.
So who knows.

Not fixing a known contagious machine, or actually intentionally
transmitting something that would infect a machine (even if not received)
violates j.

But there is nothing forcing ISPs to enforce their Terms of Service, other
than that many courts would toss out the waiver clause at the top of "9.
SUBSCRIBER MISCONDUCT; INDEMNITY" and hold the ISP liable anyway if the
ISP knew such conduct was going on and the ISP didn't do anything (which
is probably why GCI's lawyers put in 9.f and 9.j).

Of course all this depending on what the judge decided on the day,
according to the laws in the jurisdiction where the judgement was handed
down (and now that I think about it, that jurisdiction might likely be
where the damage occured, not Alaska), and I'm still not a lawyer, but
anyway, it is judges that rule on law, after hearing the facts from both
sides.

As an aside, I think MyNetWatchman puts out a list of IP addresses that
admins can choose to block, and being a long duration scanner is how to
get on the list.

- Keith
----- Original Message -----
From: "KeithTarrant" <KeithTarrant at spamcop.net>
To: <list at dshield.org>
Sent: Monday, September 30, 2002 7:53 PM
Subject: Re: [Dshield] ISP where port scans are ok


> You'd also think they'd realize that port 80 scans over and over and
over
> indicate their customer's machine is probably compromised by a virus or
> worm and that most of the relevant viri and worms install backdoors, and
> that their service has been and is being used to jeapordize their
> customer's security, and that as a common carrier, once they have
> knowledge that their customer has a problem involving their service,
they
> have a legal responsiblity to relay that information so the customer can
> limit its losses (of course, in reality, the law is whatever the judge
> decides on the day (s)he hands down her verdict).
>
> Also note the spelling.  And you know any sizable company that permitted
> scanning would have a form letter for this.  And you'd think a large
> company could get the spelling in its form letters correct.
>
> It sounds like a demoralized lazy worker acting without proper
> supervision.  Maybe you want to send that email to their CEO.
>
> And of course scanning isn't necessarily illegal in most places, usually
> it is a violation of Terms of Service and that is why ISPs act.
>
> Why not try this, report that their customer's machine has been
> compromised and formally request that they pass the information on in
> order to limit their customers potential losses AND their own liabilty
for
> those losses
>
> ======== prototype port 80 letter ========
> Subject: Please warn your customer it has been hacked 123.123.123.123
>
> This is a friendly warning that the computer connected to your
> service at the IP address above appears to either be under the
> control of a hacker with a port 80 probe tool or infected with
> a Code Red variant.
>
> Please let the person or group responsible for that computer know,
> so that they can steps to minimize the damage done by the security
> breach, limit the spread of the contagion, and limit your own company's
> legal liability as a common carrier knowingly permitting a customer to
> suffer continuing damage from a security breach you knew about.
>
> All passwords typed into, and documents stored on,
> the computer may now be accessible to hackers.
>
> The probe wasn't successful, so no apology is necessary.  Thanks.
>
> Please consider investigating this incident.
>
> I have included all the information I have below.
>
> Good luck.
>
> - Keith
>
> (Many ISPs are now suspending clients who have demonstrated a
> repeated inability or unwillingness to secure their computers.)
>
> Any of these 3 free virus scanners detect existing infections:
> http://www.grisoft.com/html/us_index.htm
> http://housecall.antivirus.com/pc_housecall/
> http://www.pandasoftware.com/activescan/
>
> Security guides and tips are available here:
> http://www.cert.org/homeusers/
>
> --- append firewall or IDS log extract here ---
> =============
>
> You can even mention things like keyboard loggers and backdoors, and
maybe
> check with a lawyer to put in some scary sounding legalese.
>
> Maybe GCI will still ignore the warning, if you get a junior abuse
analyst
> they may not even read the letter, but if their customer suffers a loss
or
> further losses, and their customer ever becomes aware that you sent GCI
a
> warning, their customer will have a good chance of getting a court to
hold
> GCI liable.  (CGI won't know how often you purge your email logs.)  And
> maybe one day your letter will be drawn to the attention of a manager
and
> their policy will change.
>
> I've had pretty good luck in seeing port 80 probes end after sending
this
> letter.  And I haven't gotten any silly responses back either ("skans
> ain't illgal hear" LOL) .
>
> Keith
> (not a lawyer but used to work in insurance 20 years ago, although not
in
> Alaska, but how different can Alaskan law be)
>
> ----- Original Message -----
> From: "Ellen Clary" <ellen at dgi.com>
> To: <list at dshield.org>
> Sent: Monday, September 30, 2002 5:01 PM
> Subject: [Dshield] ISP where port scans are ok
>
>
> >
> > This suprised me.  So may ISPs have policies against port scanning.
> > Never mind that this system has likely been compromised.
> > I'm surprised that they don't care.
> >
> > A cable provider no less.  I guess I should consider it a plus that I
> got a
> > personal reply.
> >
> > Ellen Clary
> > Senior System Administrator
> > Dynamic Graphics
> >
> > --- Forwarded mail from ... at gci.com>
> >
> > To: "'ellen at dgi.com'" <ellen at dgi.com>
> > Subject: RE: (Fwd) Port Scan from 24.237.5.104 Sep 28
> > Date: Mon, 30 Sep 2002 11:26:16 -0800
> >
> > Thank you for contacting GCI ITS,
> >
> > Port scanning is not illigal on our network, if the issue becomes
> > more than just this, please let us know.
> > Thank You
> >
> >
> >
> > -----Original Message-----
> >
> > From: ellen at dgi.com [mailto:ellen at dgi.com]
> > Sent: Monday, September 30, 2002 8:46 AM
> > To: support at gci.net
> > Subject: (Fwd) Port Scan from 24.237.5.104 Sep 28
> >
> >
> > Hello,
> >
> > We received this port scan from 24.237.5.104
> >
> > Date of probes: Sep 28, 2002
> >
> > Pacific Timezone
> >
> > Time            Source IP       Destination IP  Port
> >
> > 104-5-237-24-cable.anchorageak.net.
> >
> > 09:58:02 24.237.5.104 65.211.242.1 80  TCP
> > 09:58:02 24.237.5.104 65.211.242.2 80  TCP
> > 09:58:05 24.237.5.104 65.211.242.2 80  TCP
> > 09:58:05 24.237.5.104 65.211.242.3 80  TCP
> > 09:58:05 24.237.5.104 65.211.242.4 80  TCP
> > 09:58:05 24.237.5.104 65.211.242.5 80  TCP
> > 09:58:05 24.237.5.104 65.211.242.6 80  TCP
> > 09:58:05 24.237.5.104 65.211.242.7 80  TCP
> > 09:58:05 24.237.5.104 65.211.242.8 80  TCP
> > 09:58:05 24.237.5.104 65.211.242.9 80  TCP
> > 09:58:05 24.237.5.104 65.211.242.10 80  TCP
> > 09:58:05 24.237.5.104 65.211.242.11 80  TCP
> > 09:58:05 24.237.5.104 65.211.242.12 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.13 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.14 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.15 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.16 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.17 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.18 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.19 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.20 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.21 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.22 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.23 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.24 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.25 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.26 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.27 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.28 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.29 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.30 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.32 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.31 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.33 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.34 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.35 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.36 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.37 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.38 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.39 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.40 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.41 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.42 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.43 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.44 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.45 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.46 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.47 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.48 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.49 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.50 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.51 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.52 80  TCP
> > 09:58:06 24.237.5.104 65.211.242.53 80  TCP
> > 09:58:08 24.237.5.104 65.211.242.3 80  TCP
> > 09:58:08 24.237.5.104 65.211.242.6 80  TCP
> > 09:58:08 24.237.5.104 65.211.242.5 80  TCP
> > 09:58:08 24.237.5.104 65.211.242.7 80  TCP
> > 09:58:08 24.237.5.104 65.211.242.8 80  TCP
> > 09:58:08 24.237.5.104 65.211.242.4 80  TCP
> > 09:58:08 24.237.5.104 65.211.242.10 80  TCP
> > 09:58:08 24.237.5.104 65.211.242.14 80  TCP
> > 09:58:08 24.237.5.104 65.211.242.11 80  TCP
> > 09:58:08 24.237.5.104 65.211.242.12 80  TCP
> > 09:58:08 24.237.5.104 65.211.242.15 80  TCP
> > 09:58:08 24.237.5.104 65.211.242.13 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.18 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.19 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.16 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.20 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.17 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.21 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.26 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.23 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.24 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.28 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.27 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.25 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.32 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.30 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.34 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.31 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.33 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.39 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.38 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.40 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.41 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.36 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.37 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.43 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.46 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.47 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.44 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.45 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.50 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.51 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.52 80  TCP
> > 09:58:09 24.237.5.104 65.211.242.53 80  TCP
> > 09:58:10 24.237.5.104 65.211.242.54 80  TCP
> > 09:58:10 24.237.5.104 65.211.242.55 80  TCP
> > 09:58:10 24.237.5.104 65.211.242.56 80  TCP
> > 09:58:10 24.237.5.104 65.211.242.57 80  TCP
> > 09:58:10 24.237.5.104 65.211.242.58 80  TCP
> > 09:58:10 24.237.5.104 65.211.242.59 80  TCP
> > 09:58:10 24.237.5.104 65.211.242.60 80  TCP
> > 09:58:10 24.237.5.104 65.211.242.61 80  TCP
> > 09:58:10 24.237.5.104 65.211.242.62 80  TCP
> > 09:58:10 24.237.5.104 65.211.242.63 80  TCP
> > 09:58:13 24.237.5.104 65.211.242.54 80  TCP
> > 09:58:13 24.237.5.104 65.211.242.55 80  TCP
> > 09:58:13 24.237.5.104 65.211.242.56 80  TCP
> > 09:58:13 24.237.5.104 65.211.242.57 80  TCP
> > 09:58:13 24.237.5.104 65.211.242.63 80  TCP
> > 09:58:13 24.237.5.104 65.211.242.59 80  TCP
> > 09:58:13 24.237.5.104 65.211.242.61 80  TCP
> > 09:58:13 24.237.5.104 65.211.242.62 80  TCP
> > 09:58:13 24.237.5.104 65.211.242.60 80  TCP
> >
> >
> >
> >
>
>
>





More information about the list mailing list