I recently posed a Twitter poll on the following question about Scanning as a Service (SaaS):
There are several companies who “scan the Internet” and provide the resulting data to paying customers. These scans can be a bit invasive. When do you think such scanning crosses a line?
The results were as follows:
10% - All scanning = bad
0% - Service enumeration = bad
45% - Account enumeration = bad
45% - Scan away! No problem!
I find these results to be interesting for several reasons. Most obviously, there is a very big split in how security folks think about scanning. There is a minority who come from what I’ll call the Old School perspective: thinking that ANY scanning is bad. (Note: I absolutely do not mean Old School in any sort of pejorative way - as will become clear momentarily…) The remainder of folks are split evenly between those holding the line at account enumeration and the whole laissez faire, go-ahead-and-scan-whatever-you-want point of view. No one chose to stop things at service enumeration - which I find a little surprising. I guess if you think a port scan is allowable, then poking around to find out exactly what service is behind an open port is fine as well.
As for my own, personal opinion… well… that’s going to take a bit of explaining.
For the networks that I run, my answer is:
Best of luck to you.
But remember, we’re talking about scanning the entire Internet, and that’s a whole different kettle of fish.
Unless and until I am placed in charge of the entire Internet - in order to fulfill the words of the ancient prophecy* - the bulk of what goes on out there is borderline kindergarten chaos. Few, if any, netblocks offer the kind of funhouse scanning journey that I can provide. We need to think about the children.
Here’s the thing (remember when I told you Old School folk to hang on for a bit?): In my opinion, scanning is wrong.
I know I’m going to get all kinds of flak about this (note: since I already admitted that, you really don’t need to send it…) but I’m Old School too. You don’t have any business messing with someone else’s stuff unless they invite you.
This is one of those things we teach our kids when they’re little - you never walk into someone’s house or room without being invited. It’s just not polite. You don’t plop down at a co-worker’s desk and start using their computer without asking. It’s just not polite.
In polite society, we ask permission before we use someone’s stuff.
Sometimes, there’s a widely accepted ongoing invitation, and that’s fine. Most houses have a sidewalk leading up to a front door, and a doorbell. Unless there’s a sign telling you not to, it’s totally permissible to walk up that sidewalk and ring that bell. I kinda think of websites behaving like this… they’re the sidewalks and doorbells of the Internet. If you’re going to get bent about someone connecting up to 80/TCP, then firewall that sucker off. Also, you need anger management.
But in polite society, we don’t go beyond the sidewalks and doorbells. We don’t go peeking through windows and rattling doors. And that’s why I don’t like this new trend.
Having these SaaSsy scanning folks attempting to legitimize port scans, service enumeration, and worse just muddies the waters for those of us trying to actually monitor our networks for real attacks. Over the past several months, I’ve been Tweeting out every new scan I’ve seen where someone is claiming legitimacy. It’s starting to get a little ridiculous. How am I supposed to see threats when the threats have become a business model?
My buddy Johannes Ullrich reminded me that the SANS Internet Storm Center has a feed of research-related IP space - ranges of IP addresses that claim that their scanning is legitimate. It can be grabbed in two flavors: straight up XML or JSON. While I applaud the effort, it just isn’t enough. Because of the thrashing in the industry, this list is never going to be comprehensive (in fact, Johannes updated the list from a netblock found in one of my tweets). And the paranoid security dude living deep inside me wonders what the hell are they doing with this research?
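The monitoring problem described above, as an added example that is not part of the original post and not the ISC's own code: the feed of claimed-research netblocks is one more enrichment source for the analyst, not a reason to discard hits. The feed schema (a list of `cidr`/`org` objects), the firewall log format, and the netblocks themselves are all constructed assumptions; the real ISC feed's structure is not reproduced here. Sources in a listed range are labelled with the claiming organisation, everything else stays unlabelled, and either way the scan activity is kept.

```python
import ipaddress
import json
import re

# Constructed sample feed. The shape (cidr + org per entry) is an assumption,
# not the ISC feed's real schema. Addresses are RFC 5737 documentation ranges.
RESEARCH_FEED_JSON = """
[
  {"cidr": "203.0.113.0/24",    "org": "Example Research Scanner A"},
  {"cidr": "198.51.100.32/27",  "org": "Example Research Scanner B"}
]
"""

# Constructed firewall-style drop log; the field layout is an assumption.
SAMPLE_LOG = """\
2021-03-24T10:01:02Z DROP src=203.0.113.45 dst=192.0.2.10 dport=22 proto=tcp
2021-03-24T10:01:05Z DROP src=203.0.113.45 dst=192.0.2.10 dport=443 proto=tcp
2021-03-24T10:02:11Z DROP src=192.0.2.200 dst=192.0.2.10 dport=3389 proto=tcp
2021-03-24T10:03:40Z DROP src=198.51.100.40 dst=192.0.2.11 dport=80 proto=tcp
2021-03-24T10:04:01Z DROP src=198.51.100.70 dst=192.0.2.11 dport=23 proto=tcp
"""

LOG_RE = re.compile(r"src=(?P<src>[\d.]+) .*dport=(?P<dport>\d+)")


def load_research_ranges(feed_text):
    """Parse the (assumed) JSON feed into (ip_network, org) pairs."""
    return [(ipaddress.ip_network(e["cidr"]), e["org"]) for e in json.loads(feed_text)]


def classify_source(ip, ranges):
    """Return the claiming organisation if ip falls in a listed range, else None."""
    addr = ipaddress.ip_address(ip)
    for net, org in ranges:
        if addr in net:
            return org
    return None


def triage(log_text, feed_text):
    """Group dropped connections per source address.

    Each source gets a 'claimed_by' label (org name or None) and the list of
    destination ports it touched. Nothing is filtered out: a claim of
    legitimacy is metadata for the analyst, not a suppression rule.
    """
    ranges = load_research_ranges(feed_text)
    summary = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, dport = m.group("src"), int(m.group("dport"))
        entry = summary.setdefault(src, {"claimed_by": classify_source(src, ranges), "ports": []})
        entry["ports"].append(dport)
    return summary


def unclaimed_sources(summary):
    """Sources with no research claim at all: the ones the feed cannot explain."""
    return sorted(src for src, e in summary.items() if e["claimed_by"] is None)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, RESEARCH_FEED_JSON)
    for src, e in result.items():
        label = e["claimed_by"] or "no research claim"
        print(f"{src:16} ports={e['ports']}  [{label}]")
    print("unclaimed:", unclaimed_sources(result))
```

Note that 198.51.100.70 sits just outside the listed /27 and so stays unclaimed, which is exactly the kind of boundary a feed-driven allowlist will get wrong when the list lags behind the scanners, as the post points out.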
Of course the SaaSsy scanning folks will say, “But you can opt-out… Tell us you don’t want us to scan your netblock and we won’t. See how virtuous we are?”
I’m convinced that they do this stuff just to get me all riled up.
I shouldn’t have to opt-out. To return to the polite society metaphor, I don’t need to opt out of having someone poke around my property without my permission, and anyone who does go beyond the boundaries placed by polite society is automatically suspect. If I find you wandering around in my garage without my permission, you’re going to have some serious ‘splainin’ to do - to me and, likely, to the police. So why is it okay for someone to build a business that is modeled around the wholesale violation of the boundaries of polite society?
Sorry, you SaaSsy scanners - while what you do may (in some jurisdictions) be legal, as far as I’m concerned, that doesn’t make it right. Just saying you’re TOTES LEGIT doesn’t make it true.
Owner, Principal Consultant
Bad Wolf Security, LLC
March 24, 2021
*This is one of my favorite phrases to throw into conversation. I feel it lends an air of gravitas to even the most mundane activity. "Yes dear, I took out the garbage like you asked, in order to fulfill the words of the ancient prophecy."
I pretty much think that my wife deserves sainthood.