Internet wide DNS scanning

We have received a request from a research group to let everyone know that they will be conducting Internet wide scanning of DNS servers. This is their request:

"Our team at the Network Architectures and Services Dept. (I8) of TU München, Germany, has started a DNS scan. This has similar goals as the scans that we have conducted for SSL and SSH in the past months. Once again, the purpose is purely scientific. The scanning machine is 131.159.14.42. We are querying DNS servers to resolve host names. We do not in any way try to compromise the servers. Additionally, the load caused by our activities should be very low on a single server. The idea of our queries is to get a better understanding of the inner workings of DNS, one of the most ubiquitous protocols of the Internet. We would appreciate it very much if you added a comment in your database. Please note that we respond to every complaint and are happy to blacklist systems with annoyed admins."

Their purpose is scientific research. Interesting, I call scanning without permission unethical, and rude. Here is what I recommend if you do not want to be part of the research: block all DNS requests from that IP address. They have performed similar SSH and SSL scans in the past, from different IP addresses. What do you think? Let us know via our Contact Us page or in the comments below.

Let's be careful out there!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
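
For admins who want to see whether the announced scanner has already queried their resolver before blocking it, the following is an added example, not part of the original diary. It assumes BIND 9 style query log lines (the sample lines are constructed) and emits `iptables` rules for the address given in the announcement; `scanner_queries` and `block_rules` are hypothetical helper names.

```python
import ipaddress
import re
from collections import Counter

# Scanner address taken from the announcement in this diary.
SCANNER = ipaddress.ip_network("131.159.14.42/32")

# Assumed BIND 9 query-log layout; newer releases add "@0x..." after "client".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: \S+ \S+ (?P<qtype>\S+)"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
17-Sep-2013 10:15:02.123 queries: info: client 131.159.14.42#53124 (example.com): query: example.com IN A -E (192.0.2.53)
17-Sep-2013 10:15:02.456 queries: info: client 192.0.2.10#40001 (example.com): query: example.com IN MX + (192.0.2.53)
17-Sep-2013 10:15:03.001 queries: info: client @0x7f3a4c0a1b20 131.159.14.42#40112 (www.example.org): query: www.example.org IN AAAA -E(0) (192.0.2.53)
17-Sep-2013 10:15:03.500 queries: info: client 131.159.14.43#40113 (example.net): query: example.net IN A - (192.0.2.53)
17-Sep-2013 10:15:04.000 general: info: zone example.com/IN: loaded serial 2013091701
"""

def scanner_queries(log_text, networks=(SCANNER,)):
    """Count (source, qname, qtype) for queries whose source is in `networks`."""
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed address field
        if any(src in net for net in networks):
            hits[(str(src), m.group("qname"), m.group("qtype"))] += 1
    return hits

def block_rules(networks=(SCANNER,)):
    """Build iptables commands that drop DNS over both UDP and TCP."""
    return [
        f"iptables -A INPUT -s {net} -p {proto} --dport 53 -j DROP"
        for net in networks
        for proto in ("udp", "tcp")
    ]

if __name__ == "__main__":
    for (src, qname, qtype), n in scanner_queries(SAMPLE_LOG).items():
        print(f"{src} asked {qname} {qtype} x{n}")
    print("\n".join(block_rules()))
```
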
"Interesting, I call scanning without permission unethical, and rude."
Yes that's very interesting:)
Adrien de Beaupre
2 Posts
Utilizing TCP/IP for its intended purpose is hardly unethical. If you don't want everyone on the internet probing your DNS then simply restrict the port. If you attach a computer to the internet, start a service that binds a TCP/IP port and then listens for remote connections on that port, you can hardly be incensed about, or pass ethical judgment, on the packets that show up.
Adrien de Beaupre
1 Posts
Amen
Adrien de Beaupre
2 Posts
I was hit by these losers a couple years ago, and they've been on my blocklist ever since. Screw them and their BS research.

Institut fuer Informatik der TU Muenchen - Germany (malicious scanning)
188.95.234.0/24
131.159.0.0/16
Anonymous
Posts
"Interesting, I call scanning without permission unethical, and rude."

Agree. Aren't Europeans supposed to be better mannered w/ respect to privacy and so forth? Or are they just pretenders that go after big stories/deep pockets like Google, Microsoft, etc.
Dean

135 Posts
"Utilizing TCP/IP for its intended purpose is hardly unethical. If you don't want everyone on the internet probing your DNS then simply restrict the port. If you attach a computer to the internet, start a service that binds a TCP/IP port and then listens for remote connections on that port, you can hardly be incensed about, or pass ethical judgment, on the packets that show up."

So if I leave my keys in my car and the doors aren't locked, it's OK to drive it away?
Dean

135 Posts
Ignoring the ethics, here's someone who has recently done the same: http://blog.erratasec.com/2013/09/im-scanning-udp53-right-now.html
Martijn

4 Posts
"Utilizing TCP/IP for its intended purpose is hardly unethical. If you don't want everyone on the internet probing your DNS then simply restrict the port. If you attach a computer to the internet, start a service that binds a TCP/IP port and then listens for remote connections on that port, you can hardly be incensed about, or pass ethical judgment, on the packets that show up."

"So if I leave my keys in my car and the doors aren't locked, it's OK to drive it away?"

I largely agree with the "Utilizing TCP/IP for its intended purpose is hardly unethical..." comment.

My car is private property, whereas publicly addressable DNS is intentionally a service on the internet intended to be broadly, if not universally, available to anyone else on the internet to query.

That said, whether or not the "research" falls under the intended purpose of making one's DNS available is to me the question at hand. One could quite easily argue that such "research" probing is not within the intended purpose of making one's DNS available, particularly if it attempts to perform rather invasive probing. This seems to me a decision to be left up to each DNS owner.

TG
T

31 Posts
I don't think your comparison is the same. If you drive your car to a public parking lot, anyone has the right to look at it, look in the windows, write down your license plate number, make, model, type of tires, take a picture of it, etc. No one has the right to enter it uninvited, cause damage, wait for you to show up and steal your purse/wallet, etc. Scanning Internet attached devices is like looking at the cars in the parking lot.
T
1 Posts
