[IPv6crawler-wg] Fwd: RE: Response to NETGEAR port scanning security alert

Olivier MJ Crepin-Leblond ocl at gih.com
Sat Aug 7 11:15:36 BST 2010


FYI

-------- Original Message --------
Subject: 	RE: Response to NETGEAR port scanning security alert
Date: 	Sat, 7 Aug 2010 02:00:55 +0100
From: 	Steven Burn <services at it-mate.co.uk>
Organization: 	Ur I.T. Mate Group
To: 	'Olivier MJ Crepin-Leblond' <ocl at gih.com>



Olivier,
	Thank you for your e-mail.

My apologies for the delay in responding, and thank you for the information.

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

::: Declaration ::: 

Ur I.T. Mate Group is NOT a company, it is the name given to a collection of
websites developed and maintained by Steven Burn.

Websites and software currently owned, operated and developed by Ur I.T.
Mate Group are provided on a free to view and use basis. Ur I.T. Mate Group
does not and will not ask for or solicit, personal information*, password,
credit card details or payments. For more information, please see our
Privacy Policy. 

http://support.it-mate.co.uk/?mode=Documents&doc=Privacy

Ur I.T. Mate Group is based in the United Kingdom.

* Except where registration for an online service is required (e.g. forums,
sGB)

-----Original Message-----
From: Olivier MJ Crepin-Leblond [mailto:ocl at gih.com] 
Sent: 31 July 2010 19:19
To: services at it-mate.co.uk
Cc: abuse at 2020media.net.uk; IPv6crawler-wg at gih.com
Subject: Response to NETGEAR port scanning security alert

Dear Mr. Burn

I am the project manager for the ISOC-sponsored IPv6 Matrix project
currently operating from the UK.

I was alerted by 2020 Media Support, our upstream providers, that our
crawler project has triggered a port scan alert with your routers and
apologise for the disturbance. It appears that some firewall hardware
reports unusual traffic activity, mis-categorizing it as a port scan attack.

This project, sponsored in part by the Internet Society (
http://www.isoc.org ) and run by the English Chapter of ISOC, aims to
test the most popular Internet domains in the world for IPv6 connectivity.
You are no doubt aware that the Internet is running out of IPv4
addresses and that a transition towards IPv6 is the preferred option to
maintain its viability and global scaling. Our aim is to track the
spread of IPv6 worldwide, in order to provide more reliable statistics
on IPv6 implementation and enable decision takers to migrate to the new
addressing scheme in time before IPv4 addressing runs out. See figure 36
on: http://www.potaroo.net/tools/ipv4/index.html

This project is a public service to the Internet, and its results can be
found on:
http://www.ipv6matrix.org/

A short project description can be found on:
http://www.isoc.org/isoc/chapters/projects/awards.php?phase=10

At present, we are still at beta testing stage, and are trying to work
out any quirks in the back-end crawling code, so your feedback is very
important to us. The .UK domain name space was tested on Thursday, with
.NET space tested on Friday with .COM currently being tested this
week-end. In order to have reliable results, we do not wish our IP
addresses to end up on blacklists, and are therefore very attentive to
feedback from domain admins such as you. If you have any more detailed
logs of the "port scan" event, I would really appreciate them so that
we can amend our crawling engine accordingly.
Traceroute and Tracepath, as well as Ping, sometimes trigger firewalls,
especially on specific ports.

The only ports which we test connectivity to are:
- Port 25 (SMTP),
- Port 53 (DNS),
- Port 80 (HTTP),
- Port 443 (HTTPS)
- Port 123 (NTP)

All we do is check if there is a response on the port's IPv4 and IPv6
address (if any IPv6 connectivity is found). This generates a minute
amount of traffic.

At the moment, the scan collects data as follows for each Top Level Domain:

- MX          : [type, domain, host, ipv4, ipv6, rank]
- NS          : [type, domain, host, ipv4, ipv6, rank]
- WWW         : [type, domain, host, ipv4, ipv6]
- NTP         : [type, domain, host, ipv4, ipv6]
- Soa         : [type, domain, soa, primary_by_rank, primary_inhouse, secondary, total, contact, serial, refresh, retry, expire, minimum]
- Geoip       : [type, domain, host, ipv4, ipv6, asn, city, region_name, country_code, longitude, latitude]
- Reverse     : [type, domain, host, ipv4, ipv6, name4, name6]
- Ping        : [type, domain, host, ipv4, ipv6, count, min, avg, max, std, min6, avg6, max6, std6]
- Tcp25       : [type, domain, host, port, ipv4, ipv6, tcp, tcp6]
- Tcp80       : [type, domain, host, port, ipv4, ipv6, tcp, tcp6]
- Tcp443      : [type, domain, host, port, ipv4, ipv6, tcp, tcp6]
- Tls         : [type, domain, host, ipv4, reachable, tls]
- Path        : [type, domain, host, ipv4, ipv6, mtu4, hops4, back4, path4, mtu6, hops6, back6, path6]
- IPv6 Type   : [type, domain, host, ipv6, valid, prefixid, ipv6type]
- IPv6 domain : [domain, ns, mx, www, ntp]

The scans will take place on a monthly basis, and you therefore might be
receiving recurring security alerts in the future, unless you can
configure your firewall to ignore alerts from our crawler, which runs
from 212.124.204.162.
Alternatively, I would be happy to take your domain name out of the
crawler's site testing list. If so, please email me the list of domain
names which you are in charge of and I'll make sure they are removed
from the testing list.

I hope that this email has answered your concerns but if you have any
further queries, I am happy to discuss them with you on: 07956 84 1113

Warmest regards,

Olivier

-- 
Olivier MJ Crépin-Leblond, PhD
http://www.gih.com/ocl.html

-- 
Olivier MJ Crépin-Leblond, PhD
http://www.gih.com/ocl.html
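
For the firewall-side option raised in the message above (ignoring alerts from the crawler), the following is an added example, not part of the original e-mails or the project's code. It suppresses alerts only when traffic from the stated source address stays within the five stated ports, and still alerts on anything else from that address; the log format, the threshold and the destination addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Source address and ports as stated in the message above.
CRAWLER_SOURCE = "212.124.204.162"
DECLARED_PORTS = {25, 53, 80, 443, 123}

# Constructed sample events in a hypothetical "src dst dport" log format.
SAMPLE_EVENTS = """\
212.124.204.162 192.0.2.10 25
212.124.204.162 192.0.2.10 53
212.124.204.162 192.0.2.10 80
212.124.204.162 192.0.2.10 443
212.124.204.162 192.0.2.10 123
198.51.100.7 192.0.2.10 22
198.51.100.7 192.0.2.10 23
198.51.100.7 192.0.2.10 3389
198.51.100.7 192.0.2.10 445
212.124.204.162 192.0.2.11 8080
"""

def parse_events(text):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ipaddress.ip_address(parts[0])
            ipaddress.ip_address(parts[1])
            yield parts[0], parts[1], int(parts[2])
        except ValueError:
            continue

def classify(events, scan_threshold=4):
    """Return {(src, dst): 'suppress' | 'alert' | 'ignore'} per source/target pair."""
    ports = defaultdict(set)
    for src, dst, dport in events:
        ports[(src, dst)].add(dport)
    verdicts = {}
    for (src, dst), seen in ports.items():
        if src == CRAWLER_SOURCE and seen <= DECLARED_PORTS:
            verdicts[(src, dst)] = "suppress"  # matches the declared profile
        elif src == CRAWLER_SOURCE or len(seen) >= scan_threshold:
            verdicts[(src, dst)] = "alert"     # off-profile crawler traffic or many ports
        else:
            verdicts[(src, dst)] = "ignore"
    return verdicts
```

Scoping the exception to source address plus port set, rather than to the address alone, means traffic that claims the crawler's address but probes other ports is still reported.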



