But what action should be taken when a network intrusion appears to have originated at Network Solutions? For that matter, what would be a legitimate reason for Network Solutions to scan someone's network?
Jason Straight is looking for answers to each of these questions. Straight is the Chief Network Engineer at Northern Michigan Online. He has recently identified that several attacks made on his network potentially originated from Network Solutions.
Port scanning is like someone knocking at your door: they could deliver pizza or flowers, turn and run away before you answer, or violate the sanctity of your home and your privacy.
Sites that spider the Web may set off an intrusion alarm, but that doesn't make them bad. The same alarm would sound for a malcontent seeking a way to exploit security holes in a network as it would for a benevolent watchdog group looking to point out flaws and shore up Net security.
If a network server detects a port scan, one could argue that the act was in effect a denial-of-service attack, which is a punishable offense. Detail from a log file can show a great deal about the network snoop, even if the intruder tries to fool the source, but the data cannot show intent behind the act.
Network Solutions, Inc. is the world's largest registrar with more than 10 million domains in its grasp since 1993. It has recorded data for maintaining the .com, .net and .org top level domains, as well as access to more than 200 country-code domain names.
The firm provides access to the dot com directory, one of the largest "find engines" on the Net, and Network Solutions continues to play a critical role in developing the infrastructure of the Internet as we know it.
"On three different occasions and on two different servers more than 50 simultaneous connections completed the scans," Straight said.
Straight said that two people he spoke with displayed a certain amount of shock about the incidents, but both said that they had no explanation as to why their machines would access an outside server in such a way.
Chris Clough, Network Solutions spokesperson, said the company is officially investigating the incidents.
"Right now, this appears to be far outside normal business practices at Network Solutions," Clough said. "We don't have all the details, but it appears to be some sort of anomaly and our operations team is investigating."
Northern Michigan Online's Straight said that it's nearly impossible to verify who sent the packets, unless it can be determined at the source. Security systems that Straight had in place alerted him to the port scan, but it was the nature of the requests that caused his Snort program to identify the activity as a potential network intrusion.
"Even if my IDS software incorrectly identified the scan, why was there a scan at all?" Straight asked.
SANS Institute is an online security resource for IT personnel and network administrators. Alan Paller, SANS Institute director of research, said there were three reasons why a firm like Network Solutions would complete a port scan.
"It could legitimately scan partners," Paller said. "It is not unreasonable for me to scan your system to check for vulnerabilities if I do business with you. I may need your permission, but most business-to-business contracts determine business partners' rights to complete a network audit from time to time."
Paller said a second possibility was that Network Solutions' security was breached.
"Perhaps someone took over a machine at Network Solutions to do the attack," Paller said. "An intruder could have compromised a server at Network Solutions and launched the attack if it were angry with the firm and wanted to create trouble for the registrar by embarrassing them."
Paller said the third and most likely reason why Network Solutions would be accused of port scanning is that even the best tools available today cannot determine whether an attack was spoofed.
"The way IP works, there is not much of a chance to prove that Network Solutions was behind the scan," Paller said. "The most advanced scanning tools allow someone to be nearly anyone they want to be. That's the problem with IPv4; it's easily fooled."
Northern Michigan Online is not a Network Solutions partner, but as a full-service ISP it does complete domain name services with the firm. Naturally, Straight said he gave serious consideration to the possibility that the attack was spoofed.
"DoS attacks are often spoofed because sending data to the victim does the damage; receiving return packets is not needed or desired," Straight said. "In this case there was no desire to disrupt my network, only to find out what was there. Spoofing the attack would mean the spoofer wouldn't get information returned. Also, why would a spoofer return on two other occasions to do it again?"
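Straight's argument can be tested against connection logs: if a scan's TCP handshakes completed, the scanner received the replies, so a blindly spoofed source address is unlikely. The following Python example is added here for illustration and is not from the article or from Straight's Snort setup; the log format, the addresses (documentation ranges), and the `min_targets` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample (not real data): one inbound TCP attempt per line as
# "source destination dest_port state". ESTABLISHED means the client's final
# ACK arrived (handshake completed); SYN_ONLY means it never did.
SAMPLE_LOG = """\
198.51.100.7 192.0.2.10 21 ESTABLISHED
198.51.100.7 192.0.2.10 22 ESTABLISHED
198.51.100.7 192.0.2.10 23 ESTABLISHED
198.51.100.7 192.0.2.10 25 ESTABLISHED
198.51.100.7 192.0.2.10 80 ESTABLISHED
198.51.100.7 192.0.2.10 110 ESTABLISHED
203.0.113.9 192.0.2.10 21 SYN_ONLY
203.0.113.9 192.0.2.10 22 SYN_ONLY
203.0.113.9 192.0.2.10 23 SYN_ONLY
203.0.113.9 192.0.2.10 25 SYN_ONLY
203.0.113.9 192.0.2.10 80 SYN_ONLY
203.0.113.9 192.0.2.10 110 SYN_ONLY
198.51.100.20 192.0.2.10 80 ESTABLISHED
"""

def parse(log):
    """Yield (src, dst, port, state) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        if parts[3] not in ("ESTABLISHED", "SYN_ONLY"):
            continue
        yield parts[0], parts[1], int(parts[2]), parts[3]

def assess_scans(log, min_targets=5):
    """Report sources probing many distinct (host, port) targets."""
    probed = defaultdict(set)     # src -> every (dst, port) it tried
    completed = defaultdict(set)  # src -> targets where the handshake finished
    for src, dst, port, state in parse(log):
        probed[src].add((dst, port))
        if state == "ESTABLISHED":
            completed[src].add((dst, port))
    report = {}
    for src, targets in probed.items():
        if len(targets) < min_targets:
            continue  # too few distinct targets to call it a scan
        done = len(completed[src])
        # A completed handshake needs the ACK for our SYN-ACK, which a blind
        # spoofer never sees, so the source address received our replies.
        report[src] = {"targets": len(targets), "completed": done,
                       "source_verified": done > 0}
    return report
```

A `source_verified` result only shows that the logged address received the replies; it says nothing about who controlled that machine, which is the compromised-host possibility Paller raises.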
A final possibility is that the port scan was an inside job: a disgruntled employee on either side of the server could have completed or spoofed the port scan. The source of the port scan holds the key to providing an answer.
Network Solutions' Clough said it is not clear where the port scans originated.
"We hope to have more information shortly," Clough said. "Our operations team has contacted Straight directly to better determine what the situation is. Right now it's not clear where this originated or what the exact details are at this time."
In the meantime, network engineers like Straight have to take every port scan seriously to determine what game of hide-and-seek is being played on a network, even though no one can be sure who is knocking at their door.






