IETF Logo Mail Archive

Re: [dispatch] Proposal for scantxt; scanning opt-in/out, identification, verification, notification, and reporting

westhawk <thp@westhawk.co.uk> Sun, 04 December 2022 19:23 UTC

Return-Path: <thp@westhawk.co.uk>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4C6EC14F747 for <dispatch@ietfa.amsl.com>; Sun, 4 Dec 2022 11:23:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id unt-mccxMFHF for <dispatch@ietfa.amsl.com>; Sun, 4 Dec 2022 11:23:46 -0800 (PST)
Received: from smtp002.apm-internet.net (smtp002.apm-internet.net [85.119.248.221]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F5AEC14F736 for <dispatch@ietf.org>; Sun, 4 Dec 2022 11:23:43 -0800 (PST)
Received: (qmail 95073 invoked from network); 4 Dec 2022 19:23:41 -0000
X-APM-Out-ID: 16701818219507
X-APM-Authkey: 255286/0(159927/0) 64
Received: from unknown (HELO zimbra003.verygoodemail.com) (85.119.248.218) by smtp002.apm-internet.net with SMTP; 4 Dec 2022 19:23:41 -0000
Received: from localhost (localhost [127.0.0.1]) by zimbra003.verygoodemail.com (Postfix) with ESMTP id 07DB781865; Sun, 4 Dec 2022 19:23:41 +0000 (GMT)
Received: from zimbra003.verygoodemail.com ([127.0.0.1]) by localhost (zimbra003.verygoodemail.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id R6iIcTf4NsRp; Sun, 4 Dec 2022 19:23:41 +0000 (GMT)
Received: from phage-rock.fritz.box (p548c8ebb.dip0.t-ipconnect.de [84.140.142.187]) by zimbra003.verygoodemail.com (Postfix) with ESMTPSA id B5B3C8036E; Sun, 4 Dec 2022 19:23:40 +0000 (GMT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: westhawk <thp@westhawk.co.uk>
In-Reply-To: <059faafd-80b2-66c0-7d8d-0087220f92ab@taugh.com>
Date: Sun, 04 Dec 2022 20:23:39 +0100
Cc: Ollie IETF <ietf@olliejc.uk>, Dispatch WG <dispatch@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1BF670ED-F5A0-47C9-AF84-F376C878E6A3@westhawk.co.uk>
References: <20221204051320.0FF0650855F1@ary.qy> <-Qj162OnP3i43R95dL09E0OpifUzGvXqwTWEE8n14tndS8OQ902nGVvUTizxttYYEdamlyG54XdgeJCyFfntI8UJnVPbPRTvJk3VL_PMgqU=@olliejc.uk> <059faafd-80b2-66c0-7d8d-0087220f92ab@taugh.com>
To: John R Levine <johnl@taugh.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/Sy9ygYBiXs6TrVtaxy3DjYy5ylc>
Subject: Re: [dispatch] Proposal for scantxt; scanning opt-in/out, identification, verification, notification, and reporting
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Dec 2022 19:23:50 -0000

Based on my past experience of scanning, generally the folks in an org who legitimately ask for a scan aren’t the people who administer a given system.
The day-to-day maintainers of the target system probably won’t be warned (and shouldn’t be) of a red-team exercise.
Likewise the ‘results’ will go to the infosec department, rather than the local firewall folks.

You certainly don’t want them to be able to say ’this is off limits’ because a) it would defeat the purpose of a pentest b) it would act as a red-rag-to a bull 
for all hackers of any persuasions.

I’m really struggling to see who might realistically benefit from this.

T.


> On 4 Dec 2022, at 19:37, John R Levine <johnl@taugh.com> wrote:
> 
>> Perhaps generic probing is mostly malicious but if you include services that people and businesses often use or sign up for, it likely isn't all that malicious. Consider the following as scanners (not recommendations, just examples): MXToolBox, Detectify, Hardenize, Snyk
> 
> I take your point about scanning by request, but that makes the problem a whole lot simpler.
> 
> It's not hard to see how you could come up with standard ways for scanners to say here's the kinds of scanning they do and here's the IPs they scan from, and for the victims to say here's the IP ranges you can scan and the ports you can probe, and replies from the scanners saying here's what we found.  Since the parties already know wach other you can wrap it in OAUTH or the like to authenticate it.
> 
> Beyond that, I still don't see the point.  It's hard to think of anything other than http that lets you bundle an authentication token with a probe and even there, one of the major points of scanning is to find ports and servers that are open by mistake so they wouldn't be looking for the token.  To identify the scanners, do the scans from dedicated IPs.
> 
> It's hard to imagine a use for a public "go ahead and scan this range" (as distinct from sending a message to a known party) other than as a honeypot or security challenge.  The bad guys will scan anyway, and challenges have a poor reputation in the security world.
> 
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
> 
> _______________________________________________
> dispatch mailing list
> dispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/dispatch

v2.23.0 | Report a Bug | By Email