SecurityFocus 2000-07-07
A mysterious California company is sweeping the net for live hosts, and touching off alarms around the world.
Security watchers began noticing the probes earlier this year. "When I came in to work in the morning, I saw pages and pages of traceroutes and pings," recalls Matthew Jach, a network security specialist under contract with the state of Wisconsin. "Some customers called me, really angry about lots of logs that they were reading, and asked me to do something about that problem," says Fabio Oliva, director of Safe Networks, a security services company in Sao Paulo, Brazil. Alif Terranson, administrator at Missouri FreeNet, asks rhetorically, "If someone is banging on your door for an hour, would you let it go, or would you call the cops?"
Terranson didn't call the police when Missouri FreeNet's firewall caught a flock of suspicious packets last month, but like other network administrators and security gurus troubled by the scanning, he traced the source of the probes and was surprised to find that the culprit wasn't a teenage cyberpunk reconnoitering his next target. Instead, it was Quova Inc., a six-month-old technology company boasting fifty employees and financial backing from such VC stalwarts as Softbank and IDG Ventures.
The company web site told Terranson little about what Quova does, and offered nothing to explain why it was scanning. Quova, the site read, is an "Internet infrastructure company" operating in "stealth mode" -- a term of art that did nothing to reassure Terranson. "When I saw that, it raised the hairs on the back of my neck."
Matthew Jach discovered Quova as the company swept through the Wisconsin government's network last April. "It's not illegal, but to a lot of people it's invasive and rude to come through a network and do a ping scan," says Jach, who went so far as to complain to Quova's upstream provider, Exodus Communications, which assured him that the scans didn't violate Exodus' terms of service.
"I'm not aware of Quova doing anything invasive, or anything that could be considered a denial of service attack," says Eric Uratchko, policy enforcement specialist for Exodus. "If they were, we would certainly take action."
It may be a reflection of the times that Quova's probes are raising eyebrows.
The company's technique is to send every computer an ICMP Echo request, colloquially known as a 'ping.' A ping is a small packet of data that bounces harmlessly off of a system and back to the sender, and is typically used to measure response time.
Whenever a system answers, indicating that it's alive and online, Quova performs a "traceroute," determining the exact path Internet traffic takes to reach the remote computer from the company's Mountain View, California offices.
There are malicious uses of pings and traceroutes, but, generally, both types of traffic are harmless, and they reveal far less about a network than common hacker tools like "nmap" that probe each machine multiple times in search of open ports. Ping and traceroute utilities are standard on most flavors of Unix and Windows. "They're management tools," says Martin Roesch, an intrusion detection expert at Hiverworld. "They're not really invasive."
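For an administrator triaging the kind of alert described here, the distinction drawn above can be checked mechanically. The following is an added example, not part of the original article: it labels each source in a set of firewall records as a ping sweep with traceroutes or as a multi-port scan. The record layout, the thresholds and the verdict labels are assumptions made for illustration.

```python
from collections import defaultdict

TRACEROUTE_UDP = range(33434, 33535)  # default destination ports of classic Unix traceroute
LOW_TTL = 5      # assumption: remaining TTL this low at the edge means a TTL-stepped probe
SWEEP_HOSTS = 4  # assumption: distinct pinged hosts that make a sweep (small for the sample)
SCAN_PORTS = 5   # assumption: distinct ports on one host that make a port scan

def classify_sources(records):
    """records: (src, dst, proto, ttl, dport) tuples; dport is None for ICMP."""
    pinged = defaultdict(set)   # src -> hosts sent an ICMP echo request
    traced = defaultdict(set)   # src -> hosts reached by low-TTL probes
    ports = defaultdict(set)    # (src, dst) -> ports probed, traceroute range excluded
    sources = set()
    for src, dst, proto, ttl, dport in records:
        sources.add(src)
        trace_like = proto == "icmp-echo" or (proto == "udp" and dport in TRACEROUTE_UDP)
        if trace_like and ttl <= LOW_TTL:
            traced[src].add(dst)
        elif proto == "icmp-echo":
            pinged[src].add(dst)
        elif not trace_like:
            ports[(src, dst)].add((proto, dport))
    verdicts = {}
    for src in sources:
        widest = max((len(p) for (s, _), p in ports.items() if s == src), default=0)
        if widest >= SCAN_PORTS:
            verdicts[src] = "port scan"
        elif len(pinged[src]) >= SWEEP_HOSTS:
            verdicts[src] = "ping sweep + traceroute" if traced[src] else "ping sweep"
        else:
            verdicts[src] = "background"
    return verdicts

# Constructed sample (documentation and private address ranges), not captured traffic.
SAMPLE = (
    [("198.51.100.7", f"10.0.0.{h}", "icmp-echo", 49, None) for h in range(1, 6)]
    + [("198.51.100.7", "10.0.0.2", "udp", t, 33434 + t) for t in (1, 2, 3)]
    + [("203.0.113.9", "10.0.0.3", "tcp", 52, p) for p in (21, 22, 23, 25, 80, 443)]
    + [("192.0.2.44", "10.0.0.1", "icmp-echo", 55, None)]
)

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE).items()):
        print(src, verdict)
```

UDP probes in the traceroute port range are kept out of the per-host port count, so a Unix-style traceroute, which increments its destination port on every probe, is not mistaken for a port scan.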
As little as four years ago, nobody would have noticed Quova's efforts, says Roesch, but escalating network intrusion rates and a spate of high-profile computer crimes are pushing administrators to levels of sensitivity bordering on the touchy. "It's good that everyone's awareness of computer security is so heightened that a traceroute is setting off alarm bells. On the other hand, it might be an overreaction, depending on the intent of people doing the traceroutes," says Roesch, who adds that if nothing else, the wholesale scanning may be a little rude. "I don't think Miss Manners would approve."
Quova officials acknowledge their scans, which they say will hit every working, non-governmental Internet address, from corporate systems to home PCs.
"We're trying to gain some information regarding performance and geographic location," says CEO Rajat Bhargava. "We're not trying to be invasive and gain information that's considered proprietary. We're just using pings and traceroutes, among other techniques, to populate a database which is used to help us deliver our service."
What that service is, and what the company's other techniques for gathering information might be, remains a mystery. "We haven't really been talking much about what we're doing. In general, our product and service is under wraps," says Bhargava, explaining that Quova is still in "stealth mode." The 27-year-old executive's last company, Service Metrics, sold to Exodus Communications in October for $280 million. It employs automated user agents at points scattered throughout the net to monitor performance of clients' web sites.
According to records in the U.S. Patent and Trademark Office, the service mark "Quova" is registered for "providing demographic, geographic and psychographic information to others." Psychography is the science of targeting advertising to people with particular lifestyles or beliefs.
Bhargava says that service mark description is a broad category crafted by company attorneys, and has little to do with Quova's business plan. "We're not interested in profiling people, we're not interested in registration databases of people, or cookies," says Bhargava. "We've taken a completely non-invasive approach to figure out how to deliver a service that helps in areas of performance and geography without invading people's privacy."
Company CTO Derald Muniz says there's nothing inappropriate about Quova's probes, but that he's sympathetic to administrators who find them alarming. "I had to talk to the guy who got a page at 3:00 in the morning because his firewall was set off by what we were doing," says Muniz. Quova follows through on every complaint with emails or phone calls, and has sometimes exempted a network from scanning, Muniz says.
But after six months of constant probing, Quova says it's received only 100 complaints. A 1998 Internet mapping project by Bell Labs researcher Bill Cheswick drew 30 complaints after six months of scanning.
"Obviously, I want to decrease that number," says Muniz. To that end, the company is working to refine its technique, so as to fly stealthily beneath the radar of firewalls and intrusion detection systems. "It's a goal we have," says Muniz. "Someday I'd like to get the system to the point where we don't set off anybody's alarms."