[bjeds]

As a security professional I'm very disappointed when I read the (often angry) messages people have written to the maintainer/author of this software. You can read them here, in the ip range blacklist: https://github.com/robertdavidgraham/masscan/blob/master/dat...

If you don't want people on the internet to connect to your server, then you shouldn't allow network connections to your server. A few connections per minute hardly classify as abuse in any reasonable sense of the word.

The owner of the source network, on the other hand, (compared to the destination server), I think have a more legitimate reason to raise flags. Most cloud providers for example do not allow port scanning from their network (for various reasons). If you're gonna send out millions of packages all over the place I think it's good practice to inform your network provider first.

[nix23]

Yes this! I'm not a security professional but System Administrator, and i need tools like that, especially DoS and metasploit-kind tools to harden my own systems/services. We need tools like that, if we don't try to break our own Systems, someone else will do it (and this time with consequences).

BTW: Massscan is excellent at braking routers, over-flood them and they will often crash.

[m463]

> If you're gonna send out millions of packages all over the place I think it's good practice to inform your network provider first.

So amazon should notify AWS? :)

[bjeds]

:)

This reminds me of my favorite typo: https://slashdot.org/comments.pl?sid=406154&cid=21914102

[Kednicma]

As another security professional, I'm laughing my ass off. Imagine wondering what targets might be nice, and reading the comments in this file. How nice of them to email and tell us exactly which IP ranges are sensitive!

[garyfirestorm]

I'm not a security professional and I was exactly thinking this. Why would you give away your sensitive IP blocks.

[salawat]

Not everything is a technical system, and technology does not exist in a void. I'd think the field that coined the term social engineering would understand that.

The tech world is in for a rude awakening as technology becomes less a field of nothing but specialists, and actually gets infiltrated by a greater and greater number of tech-savvy, yet industry independent stakeholders.

We've had a social blank check to work from for the better part of half a century. You now have people writing children's intros to k8's. If you don't think that at some points technical problems don't start getting solved via social/legislative/legal means, you're in for a bit of a rough time.

[user5994461]

>>> A few connections per minute hardly classify as abuse in any reasonable sense of the word.

The tools is precisely advertised to be able to send 10M packets per second, to scan all internet or all ports quickly.

As a security professional, I wouldn't be surprised if someone runs this at home with gigabit fiber and DDoS the machines/networks they are testing.

[raesene9]

I'd guess they'll take our their home connection's networking kit at 10M pps before they take out the target server(s). Tools like massscan generally send 1-2 packets per port, so a target host just has to deal with < 130k packets, even assuming no intermediate firewalls are dropping the traffic to unused ports.

Also, minor nit, if it's just one machine doing the scanning, that's a DoS, not a DDoS :)

[wil421]

What if you sent 1-2 packets several times in a row to Apple’s entire IP range?

[gallexme]

Then u send 1-2 packets to apples entire ip range, there's not much harm done, the tool doesn't send packets to one and another, it partitions the whole ip list and sends it in random order so that not a single endpoint gets hirt hard , usually a single machine can handle easily 100k packets per second, they not hitting an application most of the time at all, they incomplete tcp packets, and just check for existence, they not sending a a huge chunk of packets repeatedly

[wil421]

I am not sure I would trust sending 16,777,216 packets to Apple several times in a row. Especially a company with a legal team as large as apple.

What is the difference between this tool and the drive by DDoS "testing" tools you can pay to use online. They seem identical to this tool except Masscan stops after the first try.

[gallexme]

I'm sure ur already sending 10k+ packets from just casually browsing their website, albeit they would be a lot bigger than massscans(which is a couple of bytes), vs http (a couple of million bytes(assuming the website isn't plain teyt)

[foota]

That's a completely trivial level of traffic at scale. I can almost guarantee this wouldn't even flag an alert, much less be investigated by legal.

[rndgermandude]

The difference this this tool is a hammer and like any tool the operator is responsible to use it safely and appropriately, while the botters are people advertising that they got a hammer, and are willing and eager to bludgeon people to death with it for some money.

[rblatz]

Apple wouldn’t even notice. For example recently there was an article here about 5 hackers that spent 3 months attacking Apple (white hat) and Apple seemed unaware until the bug reports were sent in.

[gallexme]

Ddos tools usually use amplification, instead of sending 1:1 bytes (that is u sending 1 byte and receive 1 byte as answer) They may query a database instead which a 30 byte search query results in couple thousand bytes of results + the load on the database

It would be expensive to just use raw network power to overwhelm a web service(u would need more bandwidth than the host)

Meanwhile with amplification u only need a 10th or less

Here an example https://www.imperva.com/learn/ddos/dns-amplification/

[raesene9]

Whilst I have no inside information on Apple, I'm pretty sure that'd be a tiny portion of the traffic they see daily. They may blackhole you just to cut down the noise, but frankly given the level of DDoS they'll get regularly, I doubt they'd bother.

For one very quick stat "The average size of DDoS attacks was at the mindblowing 26.37 GBps in Q2 2018"

[user5994461]

You got your units wrong. 26 GBps (208 Gbps) would be among the largest attacks recorded in history. Maybe you meant to say 26 Gbps which is 8 times less, but even that is a very large and notable attack, hardly any company could withstand it outside of CDN and big tech.

[raesene9]

that's a direct copy/paste from the first article on DDoS size I saw https://hostingtribunal.com/blog/ddos-statistics/ , I wasn't going for deep research, just making a point about massscan from one host not really representing a serious concern for someone like Apple.

[eptcyka]

If you have something listening on a port that can fall over by someone opening and closing a TCP connection, maybe that special something shouldn't be listening for things on the internet.

[nix23]

>runs this at home with gigabit fiber and DDoS the machines/networks they are testing

Yes i do that and i test my own routers with it.

[luckylion]

> A few connections per minute hardly classify as abuse in any reasonable sense of the word.

That's for one individual who's scanning something. On the receiving end, you're not dealing with one individual, you're dealing with many individuals who are probing for vulnerabilities.

If one guy intentionally steps on your foot, that's mildly annoying. If a thousand people intentionally step on your foot, that's a very different issue.

> Most cloud providers for example do not allow port scanning from their network (for various reasons).

They don't? They are often the source I see. Is that a policy thing where they say "yeah well please don't" or will they actively shut you down if you're doing it from their infrastructure?

[dodobirdlord]

Cloud providers are vigilant for signs that accounts have been compromised and are being used by hackers for nefarious things. It's in their best interest to detect this early and step in before the hackers can pile up a ton of charges that the account owner is then going to dispute. Some big clues are (1) seems to be mining cryptocurrency, (2) seems to be trying to DDoS something, (3) seems to be sending email spam, and (4) seems to be scanning the entire internet for vulnerabilities. Sending a ton of email is usually actively prohibited and the cloud provider will blackhole your packets because they're protective of the reputation of their address blocks. Scanning the internet is more of a "try it and see" sort of thing. If it's not a significant change in behavior from the background of what's normally going on in your account, or if you're doing it from a trivial number of machines, probably nothing will happen. If you suddenly spin up a ton of infrastructure for this purpose you can probably expect a friendly phone call fairly quickly, followed by having your account suspended until they hear back from you. If you run a big account with your cloud provider they won't go suspending your VMs willy-nilly, but also if you have a big account with your cloud provider they have your business number and expect you to answer it.

[rswail]

I once ran nmap from one EC2 in our account to another via EIPs (ie out to the internet and back again) to test the firewall and got a nastygram from AWS about running scans.

[catfish17]

You also have once offered an answer when everybody else was enjoying a rare level of incompetence. Remarkable.

[metafunctor]

If a thousand people intentionally step on your foot, and it bothers you, maybe take your foot off the pathway.

[_fat_santa]

Maybe I'm misunderstanding but how is this blocklist supposed to block anything. Take for example I'm a hacker that wants to port scan general dynamics (they were first on that list). Wouldn't all I need to do is remove their entry from the config file?

[creata]

Well yes, but it's not there to stop you, it's there to stop people who are smart enough to use masscan, but not smart enough to compile it. And I guess, much like locking your front door, there's also an element of keeping honest people honest.

[asddubs]

not even that, according to the linked issue:

> yes, configuration files are specified on the command-line and not hard-coded, so only those performing legitimate surveys of the Internet (possibly wanting to be responsible or respectful of those NOCs who still live in the world of generating abuse complaints when snort tells them to) would be likely to use them. Maybe there are a few script kids out there who are intelligent enough to avoid hitting the small collection of networks on this list to avoid their scans generating abuse complaints that may get their boxes killed, but I guess it's probably a near-zero population

[pwinnski]

Of course. The list isn't even used by default, users of the tool must specify it.

If somehow it were hard-coded into the tool, well, the source is available, as is the ability to port scan any one of a number of other ways.

[0x_rs]

Yes. I suppose, though, it's a win-win situation for both parties because the author can claim to have addressed complaints and hollow threats while allowing anyone to do as they desire and, may we say irresponsibly, remove it.

[Ancapistani]

Also a win for a third party malicious actor - they get a list of networks where the administrators decided to try to block scans instead of addressing their own issues...

[discreditable]

That exclude list is probably a great list for someone seeking weak targets.

[Igelau]

You mean the ungoodlist?

[simias]

I don't really understand the author's stance to be honest. I agree that it's silly to blame them but at the same time the author explicitly acknowledges that the tool is meant to mass-scan the internet and that it's a bad thing:

https://github.com/robertdavidgraham/masscan#how-to-scan-the...

>While useful for smaller, internal networks, the program is really designed with the entire Internet in mind. It might look something like this: [...]

>Scanning the entire Internet is bad. For one thing, parts of the Internet react badly to being scanned. For another thing, some sites track scans and add you to a ban list, which will get you firewalled from useful parts of the Internet. Therefore, you want to exclude a lot of ranges. To blacklist or exclude ranges, you want to use the following syntax: [...]

That 2nd bit is where that "exclude.txt" file comes in, it's not even used by default as far as I can tell.

So basically the author acknowledge that the software's intended purpose is bad, they also decided that it was their responsibility to maintain an exclude list. That's a bit odd IMO. I'd think that in these situations you can either say "I'm not responsible for people misusing my software" and in this case maintaining an exclude file with random addresses as people complain to you doesn't make sense, or you think that you share some of the responsibility if your software is used to do bad things and then it seems like it would make more sense to take the project down or take steps to make it harder for users to do these things.

[kchr]

What is odd exactly? The author is doing what he can to show people how they should use the tool (and not abuse it).

By also supplying an exclude file (and showing how to use it), the author goes a long way to help I'd you ask me.

The rest is up to to whomever decides to use/abuse it, as always.

[divbzero]

It’s ironic that those IP ranges are now recorded and distributed in code.

[lmilcin]

The issue is that in large enough population of people there will always be some that just don't understand the issue.

The people who look to project github for help are ones that already selected themselves. I bet for every one that posted on github there are dozens or more that went to the actual entity that tried to scan them or, better yet, blocked the scan or otherwise ensured it is harmless.