Providers blocking portscans - bad news for pentest?

From: Petr.Kazil@eap.nl
Date: Mon Jul 04 2005 - 17:13:12 EDT


<rant warning> Recently I had a worrying experience with my Internet
provider that might be interesting for some of us.

I had been doing LEGAL portscans from home, only to find my Internet
access blocked a few hours later.

I had done this many times before and had called and mailed their
helpdesk, and it was never a problem. Their attitude was: "As long as
nobody files a complaint against your scan, we will tolerate it." I read
their "terms of use" and legal portscans / vulnerability scans were not
prohibited. Their helpdesk still acknowledges that legal scans are not
prohibited. (And IIRC a Dutch law court even decided that portscans are
not illegal AT ALL, since they don't penetrate the system perimeter.)

However they have recently installed a system that will automatically block
anyone doing a portscan. They mention a system of "aggregated firewalls"
that behaves like a "bot". There is nothing that can be done against it.
Asking for a temporary permission is useless and the provider does not
provide any service without this filter anymore (other than expensive
colocation). They say that with the explosion of trojans and worms they
had to take these measures.

Since this was the most "nerdy" and "tech friendly" provider in the
Netherlands, many of my security colleagues had been doing their scans
through them. Now they are being blocked too, and they are quite unhappy
with the development. Even some companies that used ADSL accounts for
doing security scans against their own infrastructure have been blocked.

Although intellectually I should welcome this development (security gets
better for most of us) emotionally I'm quite upset (where's the free
Internet that I grew up with). <rant off>

There is another consequence of this development. If providers start
blocking suspect TCP/IP traffic then we will have to do our portscans from
an IP-address near to the Internet entry point of our customers. But
usually my customers don't have a free patch from where I could scan their
external firewall interface. Most often they use an ADSL connection
themselves to do their external portscans.

And what if providers start filtering TCP/IP traffic? Then portscans will
become very unreliable.

Maybe this is "old news" for most of you, but since I haven't seen a
discussion about this, I thought I should mention it.


