
Internet Vulnerability Scanning-Is It Lawful?


Abstract

Applying these rules to the two major vulnerabilities of 2014 suggests where the boundary between lawful and unlawful scanning may fall. The ability of a host to perform NTP amplification can be tested by sending it a single, normal Network Time Protocol command. Furthermore, because NTP runs over the User Datagram Protocol (UDP), it is not possible to determine whether or not the NTP service is present without sending it a command, so there is no way that a scanner can "know at the time" of sending its first command that it is unauthorized. Provided the scanning packets are not sent at a rate that risks impairing the performance of a system or network, the activity appears unlikely to break the Computer Misuse Act 1990. By contrast, the Heartbleed vulnerability affects the Secure Sockets Layer (SSL) protocol. Because this runs over the Transmission Control Protocol (TCP), the presence or absence of the service can be determined without sending an SSL command. If a TCP connection request succeeds, the scanner can use normal SSL commands to determine whether the heartbeat option is supported and, in some cases, whether the system is running a software version likely to be vulnerable. Up to this point, scanning should be implicitly authorized by the availability of the service and therefore lawful under the Computer Misuse Act. However, testing whether the vulnerability actually is present requires an abnormal request and so is likely to fall outside the implicit authorization; it may also involve a foreseeable risk of crashing the service.

Bibliographic record

  • Source
    Journal of Internet Law, 2015, No. 9, pp. 3-6 (4 pages)
  • Author
    Andrew Cormack
  • Affiliation
    United Kingdom's National Research and Education Network (previously)
  • Original format: PDF
  • Language: English
