
testing port scanners on a large scale - legally


heyaz
01-04-2008, 11:34 PM
Is anyone familiar with the specific laws (in the US) regarding port scanning?

I'm very interested in testing the speed and accuracy of different port scanners on different operating systems. I have a lab with several physical boxes as well as VMware, but you just can't accurately simulate a large scale network with that (I'm talking 1000+ hosts).

The only time I really get to test enumeration tools on this kind of scale is when I'm actually on a paid pen testing job, but it's hard to really research and fine tune the parameters when you're on the clock. I've had issues in the past with large networks (10000+ hosts) and scans not being as fast or accurate as I would like, but I obviously can't simulate this kind of network at home.

Although full port scans are most likely against the TOS of most ISPs, not to mention just plain rude - I am wondering if it is feasible (and/or legal) to do a small subset (maybe 5-10 ports) on blocks of IPs over the internet.

Any ideas?

streaker69
01-05-2008, 01:58 AM

There really is not a law against port scanning, but you would probably be in violation of the TOS/AUP of your ISP; therefore it should be verboten to even do it. Plus, you need to keep in mind that there are bastards out there (like me) who look for such activity and then report it to the appropriate people just to have their accounts canceled.

wyze
01-05-2008, 02:07 AM
I spend an hour a day sometimes myself reporting nmap scan hits and other probes that I get on my IDS, writing to the appropriate abuse @'s

(You'll rarely hear back from them unless you report a logged intrusion, but for the most part they take the appropriate action)

streaker69
01-05-2008, 02:12 AM
I keep a list of IPs that I've reported and occasionally check to see if that IP offends again. It's very seldom I have to report someone a second time.

What's even more fun than reporting the offender to their ISP is reporting them to the netblock owner, which many times is not the ISP. Netblock owners don't like to find out that ISPs aren't doing their part in preventing attacks.

wyze
01-05-2008, 02:23 AM
That's a very good idea and something that I'm going to start putting into practice.

spankdidly
01-05-2008, 02:26 AM
What do you guys use to capture stuff like that? I have a smoothwall box that blocks basically anything, but I never check it...

wyze
01-05-2008, 02:31 AM
Snort and other (classified :cool:) network traffic logging tools

streaker69
01-05-2008, 02:32 AM
I use Snort as well with a Passive Tap between my router and my firewall.

@swc, do you have OinkMaster configured?

I did write my own interface into the SnortDB a while ago that had a report generator and a form letter. I basically had a "One Click Bitch" button that once I selected an offender, I'd click the button and it would generate everything I needed for a report.
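The report generator described above, as an added example that is not the poster's tool: it parses Snort alert_fast lines, groups them by external source address (dropping alerts whose source is our own network, which are our replies rather than attacks), and renders the form letter per offender. The alert lines are constructed on documentation address ranges; the sids, messages, reporter address and local network are assumptions.

```python
"""Turn Snort alert_fast lines into a per-offender abuse report.

Added example, not the "One Click" tool from the post. Alert lines are
constructed in Snort's single-line alert_fast layout; sids, messages,
the reporter mailbox and the local network are placeholders.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts, not captured traffic. alert_fast timestamps
# carry no year, so the reporter supplies it. Portscan events from the
# sfportscan preprocessor (gid 122) have no ports and show {PROTO:255}.
SAMPLE_ALERTS = """\
01/05-02:07:13.102934  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.5
01/05-02:07:15.550120  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:4021 -> 198.51.100.5:1434
01/05-02:08:01.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.6
01/05-02:09:44.781220  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.5:80 -> 192.0.2.10:51022
this line is not an alert and is skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Return one dict per parsable alert_fast line; other lines are ignored."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]


def offenders(alerts, local_net):
    """Group alerts by external source IP. Alerts sourced from our own
    network (e.g. our web server's 403 reply) are not offenders."""
    local = ipaddress.ip_network(local_net)
    by_src = defaultdict(list)
    for a in alerts:
        if ipaddress.ip_address(a["src"]) in local:
            continue
        by_src[a["src"]].append(a)
    return dict(by_src)


def draft_report(src_ip, events, year,
                 reporter="Network Security <abuse-reports@example.net>", tz="UTC"):
    """Render the form letter for one offender, events in time order.
    Sorting on the raw timestamp works because alert_fast uses a fixed width."""
    events = sorted(events, key=lambda a: a["ts"])
    lines = [
        f"To: abuse contact for {src_ip}",
        f"From: {reporter}",
        f"Subject: Unsolicited scanning/probes from {src_ip}",
        "",
        f"Our intrusion detection system logged the following traffic from {src_ip}",
        f"against our network. Times are {year}, {tz}. Please investigate and take",
        "appropriate action; full packet captures are available on request.",
        "",
    ]
    for a in events:
        src = a["src"] + (f":{a['sport']}" if a["sport"] else "")
        dst = a["dst"] + (f":{a['dport']}" if a["dport"] else "")
        lines.append(f"{year}/{a['ts']}  {a['proto']:<9} {src:>21} -> {dst:<21} "
                     f"[{a['gid']}:{a['sid']}:{a['rev']}] {a['msg']}")
    lines += ["", f"Total events: {len(events)}"]
    return "\n".join(lines)


def build_reports(text, local_net, year):
    """One report string per external offender, keyed by source IP."""
    grouped = offenders(parse_alerts(text), local_net)
    return {ip: draft_report(ip, evs, year) for ip, evs in grouped.items()}


if __name__ == "__main__":
    for ip, report in build_reports(SAMPLE_ALERTS, "198.51.100.0/24", 2008).items():
        print(report)
        print("-" * 72)
```

The local-network filter is the check worth keeping: ATTACK-RESPONSES style rules fire on our own host's replies, and sending those to an abuse desk under the attacker's address would report ourselves.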

wyze
01-05-2008, 03:11 AM
Yep... Oink + Barnyard are configured. My tap is also working very well now (many thanks go to Streaker69 for his help!), and I sometimes run Wireshark at various points on my LAN to see if there's traffic other than DHCP and ARP on my machines.

The One Click Bitch button sounds very efficient!

anubis2k7
01-12-2008, 01:09 AM
I don't bother reporting scans originating from Asia, since it is pointless. Do you report scans coming from Europe? When you report, what do you say in your email? I generally say "we have detected one of your IPs scanning our network... here is the log file... please don't let it happen again." I'd like to say "if we catch you again, we'll take more aggressive measures", but I don't know 1) if I can legally say that, 2) if it's helpful to threaten them.

Also, kinda off topic, but has anyone gotten SO rules to work on snort?

I would recommend to anyone who has the time and resources to set up an IDS system and use it to test the various tools on backtrack, since it will enable you to 1) see the various attacks/scans packet by packet and 2) how to defend against them

streaker69
01-12-2008, 02:57 AM
You're right, I don't report anything unless it's from the US or Canada, and sometimes the UK. Anywhere else, you'll never get any response from them.

Although, if you do find that the netblock owner is a US company, reporting to them sometimes works.

PeppersGhost
01-13-2008, 02:48 AM
Idea is to stop thinking about it now, before you get in trouble. The only thing that comes to mind is a honeynet. It will take some time to set it up. If you wanted to simulate a large scale network then I would think a honeynet would be your best option. Then there's the question of internal and external scanning. Also, are you scanning for a specific port or just being all around loud? There is a methodology to scanning. What tools are you looking at for scanning? I'm sure someone knows which one is the fastest. FTP scanner, SQL? Talk to me.:D

MaXe Legend
01-13-2008, 05:15 AM
Why not just stick with nmap? That gives you probably the best freedom to choose any option you might like, thus it gives quite good results. There are of course insanely fast scanners out there; they are also highly detectable, but they work ;) No names :P

Keep in mind that I've noticed that with some scanners, if you can't ping the host, it will actually take a little longer to scan. I don't know exactly why, and I don't need a long correction to understand exactly why xD

wyze
01-13-2008, 03:15 PM
One word: scanrand

As I wrote in a post a couple of months ago, it has been shown in the past to be capable of scanning entire class B nets (65K+ hosts) with 8000 hits in 4 secs. It uses 'inverse SYN cookies' to accomplish this speed with no effort to retain the state of the sessions.

You'll have to play around with it, as I've never used it outside of my LAN. If you have permission to use this on a large scale network, please post your experiences!
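The 'inverse SYN cookie' idea mentioned above, as an added example that is not scanrand's own code: the sequence number of each outgoing SYN is an HMAC over (target IP, target port, our source port) under a per-scan key, so a SYN/ACK or RST/ACK reply can be matched to a probe by recomputing the cookie from the reply's own headers and comparing it to ack - 1. No per-probe table is kept, which is what lets the scanner emit probes at line rate and accept answers in any order. The key, ports, addresses and reply records are constructed assumptions; nothing is sent on the wire.

```python
"""Stateless probe matching with an 'inverse SYN cookie', the trick
scanrand uses to scan without keeping per-probe state.

Added example, not scanrand's source. The SYN's sequence number is an
HMAC over (target IP, target port, our source port) under a per-scan key.
Any reply to a SYN (SYN/ACK for open, RST/ACK for closed) must carry
ack = seq + 1, so recomputing the cookie from the reply's headers tells
us whether it answers a probe we sent. Replies below are constructed.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

# TCP flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF


class InverseSynCookies:
    def __init__(self, key=None):
        # One secret per scan: anyone who learns it can forge 'open' replies.
        self.key = key if key is not None else os.urandom(16)

    def cookie(self, target_ip, target_port, src_port):
        """Sequence number to put in the SYN sent to target_ip:target_port."""
        msg = ipaddress.ip_address(target_ip).packed + struct.pack("!HH", target_port, src_port)
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return struct.unpack("!I", mac[:4])[0]

    def classify(self, reply):
        """reply: dict with the responder's ip/sport, our dport, TCP flags, ack.
        Returns 'open', 'closed', 'unexpected' or 'bogus'."""
        expected = (self.cookie(reply["ip"], reply["sport"], reply["dport"]) + 1) & MASK32
        if reply["ack"] != expected:
            # Not an answer to our SYN: stale, spoofed, or another scanner's traffic.
            return "bogus"
        flags = reply["flags"]
        if flags & SYN and flags & ACK:
            return "open"
        if flags & RST:
            return "closed"
        return "unexpected"


def summarise(tracker, replies):
    """Tally verdicts; open/closed also record the responding ip:port."""
    out = {"open": [], "closed": [], "unexpected": 0, "bogus": 0}
    for r in replies:
        verdict = tracker.classify(r)
        if verdict in ("open", "closed"):
            out[verdict].append((r["ip"], r["sport"]))
        else:
            out[verdict] += 1
    return out


def demo():
    """Fixed key and constructed replies so the run is reproducible."""
    t = InverseSynCookies(key=b"fixed-demo-key-not-for-real-scans")
    sp = 40000  # our source port for every probe

    def reply(ip, port, flags, ack=None):
        c = t.cookie(ip, port, sp)
        return {"ip": ip, "sport": port, "dport": sp, "flags": flags,
                "ack": (c + 1) & MASK32 if ack is None else ack}

    replies = [
        reply("203.0.113.9", 80, SYN | ACK),               # open
        reply("203.0.113.9", 22, RST | ACK),               # closed
        reply("203.0.113.10", 443, SYN | ACK, ack=12345),  # ack is not cookie+1: forged or stale
        reply("203.0.113.11", 25, ACK),                    # right cookie, odd flags
    ]
    return summarise(t, replies)


if __name__ == "__main__":
    print(demo())
```

The cookie covers our source port as well as the target, so a reply that arrives on a port we never probed from is rejected for free; the `& MASK32` keeps the ack comparison correct when the cookie is 0xFFFFFFFF and the +1 wraps.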

MaXe Legend
01-13-2008, 10:23 PM
65,000+ hosts in 4 secs? Even with only checking e.g. port 80 or maybe some other port, it seems highly unlikely that one should be able to scan that fast. Except if your computer is a monster machine and you are using it inside a LAN, then I might believe it. ;)