The curious case of Spamhaus, a port scanning scandal, and an apparent U-turn
Blocklist biz appears to swing ban-hammer at legit vuln scanners, denies doing so
Analysis In recent months, several security researchers have said Spamhaus has been automatically blocking people for carrying out legitimate network port scanning and failed to provide a prompt means of redress.
Spamhaus, a non-profit provider of blocklists and cyber-threat detection, insists nothing like that has happened at all. "The claim you are asking about is, in the politest words we can describe it, unadulterated codswallop," said Spamhaus ops administrator Luc Rossini in an email to The Register. "While Spamhaus does have a policy of listing sources of malicious port scanning (the key word being 'malicious'), our systems simply do not work the way this individual thinks."
"This individual" refers to Vincent Canfield, who runs server hosting and consultancy biz Ovo.sc, and recently, with the help of an infosec researcher who goes by the handle Not Dan, penned a post detailing alleged problems with Spamhaus.
"Spamhaus is listing all port scanning traffic without verifying the traffic comes from where it says," Canfield states in his post. "Instead of checking for e.g. banner scans, which require a TCP handshake or two-way UDP interaction, Spamhaus' honeypot servers are blacklisting all TCP SYNs it sees."
Or it was. Or never was, depending on whom you believe. But first some background.
Scanning ain't simple
A SYN scan, or half-open scan, sends a SYN to a port and waits for the server's SYN-ACK; if one arrives, the scanner never completes the handshake. Such probes generally are not logged because a TCP connection is never consummated. These port scans may be malicious reconnaissance or legitimate market and internet research, and the difference is not always obvious. But for those being blocked, the distinction matters a great deal.
Being blocked by Spamhaus can cause online damage similar to being excluded from Google Search; it means your website or internet service cannot be accessed through service providers that subscribe to its block list. As Canfield put it in his post, "being listed by Spamhaus is a death sentence."
"If hackers can still scan for vulnerable devices, but security researchers and anti-malware companies can't, then we have lost the ability to find out what's worth panicking about," Canfield wrote.
At the time, Dan Kaminsky, chief scientist at White Ops, joined the conversation to scold Spamhaus for failing to differentiate between useful research scans and malicious activity. For example, these scans reveal the number of devices and systems on the public-facing internet that may be running a vulnerable service, which is useful to both researchers and miscreants.
When packet.tel repeated its claim in early April, Spamhaus's Rossini responded by questioning the legitimacy of those doing the scanning: "If you want to look like real researchers it's simple; (i) Have a bona fide social purpose and objective for net-wide port scans ('coz we can' or 'coz it's legal' are not). (ii) Stop looking like script kiddies."
At this point, Dennis Schubert, a software engineer at Mozilla, returned fire by telling Rossini to think more carefully about his response. "If you want to look like a serious business actually working on spam protection, it's simple; (i) Don't blocklist IPs for doing port scans while not sending spam. (ii) Stop acting like someone stole your cookies."
Rossini attempted to distinguish between "real security folks" like Schubert and those at packet.tel. "There's no port scanning issue in the security community," he responded. "Spamhaus works all the time with security researchers who scan the net 24/7."
But Schubert, after questioning the validity of claiming that packet.tel doesn't qualify as a legitimate security research group, retorted by insisting that several of his own networks (not related to Mozilla) had been blacklisted by Spamhaus as a result of authorized network scanning activity. "And while I was able to unblock some of those IPs, others never got removed, and your company ignored all my contact attempts," he said.
Rossini answered by noting that the right to scan ports of Spamhaus blocklist customers ends at the edge of their private networks.
"In short: Port scan the net all you like, but if you want to scan inside private networks of Spamhaus blocklist customers, then properly identify yourself and your research purpose," he said. "As long as we can verify you are a real researcher we can then ensure our systems don't block you."
To complicate matters, it's alleged that anyone who resents being scanned may be able to get Spamhaus to block the source IP addresses through the submission of fraudulent complaints.
This is why we can't have nice things
According to Canfield, the issue is not just that Spamhaus blocks legitimate scanning, but that its system is easily abused. He claims that he has demonstrated this indiscriminate behavior and that the command listed below can be used to spoof any IP address to get it blacklisted.
masscan --src-ip <victim_ip> -p 23 0.0.0.0/0 --rate=80000
In other words, it was claimed, it was possible to use a stranger's IP address as the source IP of an internet-wide scan; when that scan touched one of Spamhaus's honeypots, the address would be blacklisted unless it was already whitelisted. That meant anyone who wanted to dump someone else on Spamhaus's blocklist only had to use that person's public-facing IP address as the source address of a masscan, effectively giving them an internet kiss of death.
Rossini insists that wouldn't work. "Our systems require a TCP handshake which precludes a spoofed IP being listed in the first place," he said, adding in a follow-up message, "Were that to be true, it should logically follow that there should be at least some internet users out there complaining of getting listed by us due to their IPs being spoofed by some rogue third party. We are not aware of any."
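To make concrete the distinction Rossini draws, and the earlier point that a half-open scan never completes a connection, here is a toy model of the two listing policies the dispute is about. It is added here as an illustration and is not code from Spamhaus, Canfield or anyone else quoted; the honeypot behaviour is assumed, not Spamhaus's actual design, and the IP addresses are constructed from documentation ranges. A policy that lists the source of every bare SYN lists whatever address was written into the IP header, while a policy that waits for a completed three-way handshake lists only a host that really received the SYN-ACK and its randomly chosen initial sequence number.

```python
"""Toy model of the two honeypot listing policies the dispute is about.

Constructed example, not code from Spamhaus or from the researchers
quoted here. A policy that lists the source of every bare TCP SYN lists
whatever address was written into the IP header, because nothing in a
lone SYN proves where it came from. A policy that requires a completed
three-way handshake does not: the honeypot's SYN-ACK, carrying a random
initial sequence number (ISN), is delivered to the real owner of the
spoofed address, who never sends the ACK of ISN+1 that completes it.
"""
from dataclasses import dataclass
from typing import Optional
import random


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST
    seq: int = 0
    ack: int = 0


class Honeypot:
    """A listener applying a naive and a handshake-based policy side by side."""

    def __init__(self, ip: str, rng: random.Random):
        self.ip = ip
        self.rng = rng
        self.pending = {}              # (peer, dport) -> ISN in our SYN-ACK
        self.listed_syn_only = set()   # naive: every SYN source
        self.listed_handshake = set()  # strict: handshake completed

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Handle one inbound segment and return our reply, if any."""
        if seg.dst != self.ip:
            return None
        key = (seg.src, seg.dport)
        if seg.flags == "S":
            # Naive policy: the IP source field is taken at face value.
            self.listed_syn_only.add(seg.src)
            isn = self.rng.randrange(2 ** 32)
            self.pending[key] = isn
            return Segment(self.ip, seg.src, seg.dport, "SA", isn, seg.seq + 1)
        if seg.flags == "A":
            # Strict policy: the ACK must carry ISN+1, which only a host that
            # actually received our SYN-ACK can know.
            isn = self.pending.get(key)
            if isn is not None and seg.ack == isn + 1:
                self.listed_handshake.add(seg.src)
                del self.pending[key]
        elif seg.flags == "R":
            self.pending.pop(key, None)
        return None


def half_open_scanner(src: str, hp: Honeypot, port: int) -> bool:
    """SYN scan: send SYN, read the SYN-ACK, tear down with RST."""
    reply = hp.receive(Segment(src, hp.ip, port, "S", seq=1000))
    is_open = reply is not None and reply.flags == "SA"
    if is_open:
        hp.receive(Segment(src, hp.ip, port, "R", seq=1001))
    return is_open


def connect_scanner(src: str, hp: Honeypot, port: int) -> bool:
    """Full connect scan (banner-grab style): complete the handshake."""
    reply = hp.receive(Segment(src, hp.ip, port, "S", seq=2000))
    if reply is not None and reply.flags == "SA":
        hp.receive(Segment(src, hp.ip, port, "A", seq=2001, ack=reply.seq + 1))
        return True
    return False


def spoofed_syn(victim: str, hp: Honeypot, port: int) -> None:
    """A SYN whose source field names an uninvolved third party.

    The SYN-ACK is routed to the victim, whose TCP stack has no matching
    connection and answers with a RST (or drops it). The sender never
    sees the ISN, so an ACK sent blind cannot carry ISN+1.
    """
    reply = hp.receive(Segment(victim, hp.ip, port, "S", seq=3000))
    hp.receive(Segment(victim, hp.ip, port, "A", seq=3001, ack=0))  # blind, wrong
    if reply is not None:
        hp.receive(Segment(victim, hp.ip, port, "R", seq=reply.ack))  # victim's stack


def simulate() -> tuple:
    """Run the three senders against one honeypot; return both lists sorted."""
    hp = Honeypot("198.51.100.10", random.Random(7))  # constructed addresses
    half_open_scanner("203.0.113.5", hp, 23)
    connect_scanner("203.0.113.6", hp, 23)
    spoofed_syn("192.0.2.77", hp, 23)
    return sorted(hp.listed_syn_only), sorted(hp.listed_handshake)


if __name__ == "__main__":
    naive, strict = simulate()
    print("SYN-only policy lists:  ", naive)   # three addresses, victim included
    print("handshake policy lists: ", strict)  # only the full-connect scanner
```

Under the SYN-only policy the half-open scanner, the full-connect scanner and the spoofed third party are all listed; under the handshake policy only the full-connect scanner is, which is also the only sender whose activity would leave a normal connection log entry.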
Whether or not there is or was a way to get innocent third-parties blocked by scanning with a spoofed address, The Register has seen evidence of IP addresses blocked for scanning activity. Examples include an automated notification from the Spamhaus Block List (SBL) informing Canfield that an IP address for his Ovo.sc domain was added to the SBL.
"They blacklisted our test server with TCP SYNs being sent only, and then stopped blacklisting vulnerability scanners a day after I told everyone about it," he explained to El Reg.
But all that now appears to be water under the bridge. About a week ago, it appears Spamhaus changed how it handles port scans. Via Twitter DM, Not Dan told The Register, "I did a sampling of [Spamhaus'] ticket keywords since 4/1 and on 4/7 they stopped listing people for 'vulnerability scanning' (port scans)."
Asked about this apparent change-up, Rossini said, "We have not stopped listing malicious port scanners. May I again stress the word 'malicious' please. As with millions of other miscellaneous connections seen every day on the internet, port scans are simply 'background noise' and nothing our systems will flag for the SBL guys to look at unless there are certain factors present which combined denote malicious activity."
Whatever happened, it looks like a lesson in how a powerful organization can be encouraged to be more responsive to those it affects. Canfield said he's pleased Spamhaus is no longer blocking security researchers for SYN scans. "It just tickles me that we literally made them change their policies and then lie about it," he said. ®