RealTime IT News

Network Breaches Blamed on Curious Source

There is no law against port scanning. Although snooping around someone else's network is frowned upon and certainly poor Netiquette, there is no legal authority to call upon until a crime is committed.

But what action should be taken when a network intrusion appears to have originated at Network Solutions? For that matter, what would merit a legitimate reason for Network Solutions to scan someone's network?

Jason Straight is looking for answers to each of these questions. Straight is the Chief Network Engineer at Northern Michigan Online. He recently determined that several attacks made on his network potentially originated from Network Solutions.

Port scanning is like someone knocking at your door: they could deliver pizza or flowers, turn and run away before you answer, or violate the sanctity of your home and your privacy.

Sites that spider the Web may sound off an intrusion alarm, but that doesn't make them bad. The same alarm would sound from a malcontent seeking a way to exploit security holes in a network, as it would for a benevolent watchdog group looking to point out flaws and shore up Net security.

If a network server detects a port scan, one could argue that the act was in effect a denial-of-service attack, which is a punishable offense. Detail from a log file can show a great deal about the network snoop, even if the intruder tries to disguise the source, but the data cannot show the intent behind the act.

Network Solutions, Inc. is the world's largest registrar with more than 10 million domains in its grasp since 1993. It has recorded data for maintaining the .com, .net and .org top level domains, as well as access to more than 200 country-code domain names.

The firm provides access to the dot com directory, one of the largest "find engines" on the Net, and Network Solutions continues to play a critical role in developing the infrastructure of the Internet as we know it.

"On three different occasions and on two different servers more than 50 simultaneous connections completed the scans," Straight said.

Straight said that two people he spoke with displayed a certain amount of shock about the incidents, but both said that they had no explanation as to why their machines would access an outside server in such a way.

Chris Clough, Network Solutions spokesperson, said the company is officially investigating the incidents.

"Right now, this appears to be far outside normal business practices at Network Solutions," Clough said. "We don't have all the details, but it appears to be some sort of anomaly and our operations team is investigating."

Northern Michigan Online's Straight said that it's nearly impossible to verify who sent the packets, unless it can be determined at the source. Security systems that Straight had in place alerted him to the port scan, but it was the nature of the requests that caused his Snort program to identify the activity as a potential network intrusion.

"Even if my IDS software incorrectly identified the scan, why was there a scan at all?" Straight asked.

SANS Institute is an online security resource for IT personnel and network administrators. Alan Paller, SANS Institute director of research, said there were three reasons why a firm like Network Solutions would complete a port scan.

"It could legitimately scan partners," Paller said. "It is not unreasonable for me to scan your system to check for vulnerabilities if I do business with you. I may need your permission, but most business-to-business contracts determine business partners' rights to complete a network audit from time to time."

Paller said