[IPv6crawler-wg] Fwd: Re: Response to port scanning security alert

Olivier MJ Crepin-Leblond ocl at gih.com
Sun Aug 1 22:53:00 BST 2010


Interesting feedback from Eric Johnston.
What do you think? Good suggestions?
I was thinking of putting a page up on turtle which has a short intro
and link to the Web site. I might write this later this week.
In the meantime, I have also added a TXT field on turtle.ipv6matrix.org DNS.

Let me know what you think.

Warm regards,

Olivier


-------- Original Message --------
Subject: 	Re: Response to port scanning security alert
Date: 	Sun, 1 Aug 2010 22:01:41 +0100
From: 	Eric <eric at satsig.net>
To: 	Olivier MJ Crepin-Leblond <ocl at gih.com>
Cc: 	Colin Johnston <colinj at mx5.org.uk>



Olivier

Many thanks for your email and the detailed explanation.  Now we know what 
you are doing it is no problem.  Our concern is that a portscan alarm might 
be a prelude to some more serious attack.  We block certain IP address 
ranges from known troublemakers.

The only details we recorded about the events are the two batches of 45 
emails from our firewall.  For example, one from each batch:

A portscan was detected. Details about the event:
Time.............: 2010:07:30-12:46:37
Source IP address: 212.124.204.162 (turtle.ipv6matrix.org)

A portscan was detected. Details about the event:
Time.............: 2010:07:30-18:53:54
Source IP address: 212.124.204.162 (turtle.ipv6matrix.org)

Our firewall/gateway router is a VMware dedicated virtual PC running Linux 
and Astaro Security Gateway Software 7.506.  Our web server is in the local 
LAN.

We have not blocked your IP address and we don't want you to block our URLs 
or IP address 95.154.204.250.

Two suggestions:

1.  We suggest that you put text at the index page of the web server(s) 
http://212.124.204.162/ and http://turtle.ipv6matrix.org/ explaining about 
your project. - perhaps some of your text in this email might help.  It is 
usual for search engine robots to leave a trail in the scanned server log 
file giving the url of the robot and if the server owner accesses that url 
it says something like "We are a robot collecting ..." This is reassuring to 
the scanned server owner.

2. Somehow our firewall detects that your IP address is called 
turtle.ipv6matrix.org.  We wonder if the wording might be changed; 
networkscan.ipv6matrix.org would be more meaningful.  We get many scanning 
attacks from all over the web and often the apparent source IP address has 
many PCs hidden in a LAN behind it.

Best regards, Eric and Colin (Network Administrator)

Eric Johnston 01245 352373
Dir. Satellite Signals Ltd. eric at satsig.net

--------------------------------------------------
From: "Olivier MJ Crepin-Leblond" <ocl at gih.com>
Sent: Saturday, July 31, 2010 7:24 PM
To: <eric at satsig.net>
Cc: <abuse at 2020media.net.uk>; <IPv6crawler-wg at gih.com>
Subject: Response to port scanning security alert

> Dear Mr. Johnston,
>
> further to our phone conversation this afternoon, and as promised,
> please find further information in this email about the IPv6 Matrix 
> project:
>
> I am the project manager for the ISOC-sponsored IPv6 Matrix project
> currently operating from the UK.
>
> I was alerted by 2020 Media Support, our upstream providers, that our
> crawler project has triggered a port scan alert with your routers and
> apologise for the disturbance. It appears that some firewall hardware
> reports unusual traffic activity, mis-categorizing it as a port scan 
> attack.
>
> This project, sponsored in part by the Internet Society (
> http://www.isoc.org ) and run by the English Chapter of ISOC, aims to
> test the most popular Internet domains in the world for IPv6 connectivity.
> You are no doubt aware that the Internet is running out of IPv4
> addresses and that a transition towards IPv6 is the preferred option to
> maintain its viability and global scaling. Our aim is to track the
> spread of IPv6 worldwide, in order to provide more reliable statistics
> on IPv6 implementation and enable decision takers to migrate to the new
> addressing scheme in time before IPv4 addressing runs out. See figure 36
> on: http://www.potaroo.net/tools/ipv4/index.html
>
> This project is a public service to the Internet, and its results can be
> found on:
> http://www.ipv6matrix.org/
>
> A short project description can be found on:
> http://www.isoc.org/isoc/chapters/projects/awards.php?phase=10
>
> At present, we are still at beta testing stage, and are trying to work
> out any quirks in the back-end crawling code, so your feedback is very
> important to us. The .UK domain name space was tested on Thursday, with
> .NET space tested on Friday and .COM currently being tested this
> weekend. In order to have reliable results, we do not wish our IP
> addresses to end up on blacklists, and are therefore very attentive to
> feedback from domain admins such as you. If you have any more detailed
> logs of the "port scan" event, I would really appreciate them so that
> we can amend our crawling engine accordingly.
> Traceroute and Tracepath, as well as Ping, sometimes trigger firewalls,
> especially on specific ports.
>
> The only ports which we test connectivity to are:
> - Port 25 (SMTP),
> - Port 53 (DNS),
> - Port 80 (HTTP),
> - Port 443 (HTTPS)
> - Port 123 (NTP)
>
> All we do is to check if there is response on the port's IPv4 and IPv6
> address (if any IPv6 connectivity is found). This generates a minute
> amount of traffic.
>
> At the moment, the test collects data as follows for each Top Level 
> Domain:
>
> - MX          : [type,domain,host,ipv4,ipv6,rank]
> - NS          : [type,domain,host,ipv4,ipv6,rank]
> - WWW         : [type,domain,host,ipv4,ipv6]
> - NTP         : [type,domain,host,ipv4,ipv6]
> - Soa         : [type,domain,soa,primary_by_rank,primary_inhouse,secondary,total,contact,serial,refresh,retry,expire,minimum]
> - Geoip       : [type,domain,host,ipv4,ipv6,asn,city,region_name,country_code,longitude,latitude]
> - Reverse     : [type,domain,host,ipv4,ipv6,name4,name6]
> - Ping        : [type,domain,host,ipv4,ipv6,count,min,avg,max,std,min6,avg6,max6,std6]
> - Tcp25       : [type,domain,host,port,ipv4,ipv6,tcp,tcp6]
> - Tcp80       : [type,domain,host,port,ipv4,ipv6,tcp,tcp6]
> - Tcp443      : [type,domain,host,port,ipv4,ipv6,tcp,tcp6]
> - Tls         : [type,domain,host,ipv4,reachable,tls]
> - Path        : [type,domain,host,ipv4,ipv6,mtu4,hops4,back4,path4,mtu6,hops6,back6,path6]
> - IPv6 Type   : [type,domain,host,ipv6,valid,prefixid,ipv6type]
> - IPv6 domain : [domain,ns,mx,www,ntp]
>
> The tests will take place on a monthly basis, and you therefore might be
> receiving recurring security alerts in the future, unless you can
> configure your firewall to ignore alerts from our crawler, which runs
> from 212.124.204.162.
> Alternatively, I would be happy to take your domain name out of the
> crawler's site testing list. If so, please email me the list of domain
> names which you are in charge of and I'll make sure they are removed
> from the testing list.
>
> I hope that this email has answered your concerns but if you have any
> further queries, I am happy to discuss them with you on: 07956 84 1113
>
> Warmest regards,
>
> Olivier
>
> -- 
> Olivier MJ Crépin-Leblond, PhD
> http://www.gih.com/ocl.html
>
>
>
> 
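The thread leaves the receiving side with a practical problem: a batch of "portscan detected" notifications per crawler run, and the suggestion to have the firewall ignore the announced crawler address. As an added example, not code from the list or from the IPv6 Matrix project, the Python below parses notification text in the format Eric quoted and suppresses only events whose source address and reported reverse name both match an allowlist entry, so a matching PTR name on some other address is still raised. The allowlist, the third sample event and the documentation address 198.51.100.7 are constructed for the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in the notification format quoted in the thread: the first
# two events are the ones quoted above, the third is made up for illustration.
SAMPLE_ALERTS = """\
A portscan was detected. Details about the event:
Time.............: 2010:07:30-12:46:37
Source IP address: 212.124.204.162 (turtle.ipv6matrix.org)

A portscan was detected. Details about the event:
Time.............: 2010:07:30-18:53:54
Source IP address: 212.124.204.162 (turtle.ipv6matrix.org)

A portscan was detected. Details about the event:
Time.............: 2010:07:30-19:05:40
Source IP address: 198.51.100.7 (unknown)
"""
# Allowlist of announced crawlers (hypothetical): both the source address and the
# reverse name the firewall reported must match before an event is suppressed.
KNOWN_CRAWLERS = {ip_network("212.124.204.162/32"): "turtle.ipv6matrix.org"}

ALERT_RE = re.compile(
    r"Time\.+: (?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s+"
    r"Source IP address: (?P<ip>[0-9a-fA-F.:]+) \((?P<name>[^)]*)\)"
)

def parse_alerts(text):
    """Return (timestamp, ip, reverse_name) tuples for every event in the text."""
    events = []
    for m in ALERT_RE.finditer(text):
        ts = datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S")
        events.append((ts, ip_address(m.group("ip")), m.group("name")))
    return events

def classify(ip, name):
    """'suppress' only when address and reported name match a known crawler."""
    for net, expected in KNOWN_CRAWLERS.items():
        if ip in net and name == expected:
            return "suppress"
    return "alert"

def triage(text):
    """Group events by verdict; list lengths give the batch size per verdict."""
    verdicts = {"suppress": [], "alert": []}
    for ts, ip, name in parse_alerts(text):
        verdicts[classify(ip, name)].append((ts.isoformat(), str(ip), name))
    return verdicts
```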


