Scanning the World
Kevin Poulsen, SecurityFocus 2000-07-07

A mysterious California company is sweeping the net for live hosts, and touching off alarms around the world.

A secretive Silicon Valley startup is probing the Internet, tickling firewalls and intrusion detection systems across the globe and raising the ire of network administrators increasingly sensitized to potential harbingers of hack attacks.

Security watchers began noticing the probes earlier this year. "When I came in to work in the morning, I saw pages and pages of traceroutes and pings," recalls Matthew Jach, a network security specialist under contract with the state of Wisconsin. "Some customers called me, really angry about lots of logs that they were reading, and asked me to do something about that problem," says Fabio Oliva, director of Safe Networks, a security services company in São Paulo, Brazil. Alif Terranson, administrator at Missouri FreeNet, asks rhetorically, "If someone is banging on your door for an hour, would you let it go, or would you call the cops?"

Terranson didn't call the police when Missouri FreeNet's firewall caught a flock of suspicious packets last month, but like other network administrators and security gurus troubled by the scanning, he traced the source of the probes and was surprised to find that the culprit wasn't a teenage cyberpunk reconnoitering his next target. Instead, it was Quova Inc., a six-month-old technology company boasting fifty employees and financial backing from such VC stalwarts as Softbank and IDG Ventures.

The company web site told Terranson little about what Quova does, and offered nothing to explain why it was scanning. Quova, the site read, is an "Internet infrastructure company" operating in "stealth mode" -- a term of art that did nothing to reassure Terranson. "When I saw that, it raised the hairs on the back of my neck."

Matthew Jach discovered Quova as the company swept through the Wisconsin government's network last April. "It's not illegal, but to a lot of people it's invasive and rude to come through a network and do a ping scan," says Jach, who went so far as to complain to Quova's upstream provider, Exodus Communications, which assured him that the scans didn't violate Exodus' terms of service.

"I'm not aware of Quova doing anything invasive, or anything that could be considered a denial of service attack," says Eric Uratchko, policy enforcement specialist for Exodus. "If they were, we would certainly take action."

Who is Quova?
It may be a reflection of the times that Quova's probes are raising eyebrows.

The company's technique is to send every computer an ICMP Echo request, colloquially known as a 'ping.' A ping is a small packet of data that bounces harmlessly off of a system and back to the sender, and is typically used to measure response time.

Whenever a system answers, indicating that it's alive and online, Quova performs a "traceroute," determining the exact path Internet traffic takes to reach the remote computer from the company's Mountain View, California offices.

There are malicious uses of pings and traceroutes, but, generally, both types of traffic are harmless, and they reveal far less about a network than common hacker tools like "nmap" that probe each machine multiple times in search of open ports. Ping and traceroute utilities are standard on most flavors of Unix and Windows. "They're management tools," says Martin Roesch, an intrusion detection expert at Hiverworld. "They're not really invasive."

As little as four years ago, nobody would have noticed Quova's efforts, says Roesch, but escalating network intrusion rates and a spate of high-profile computer crimes are pushing administrators to levels of sensitivity bordering on the touchy. "It's good that everyone's awareness of computer security is so heightened that a traceroute is setting off alarm bells. On the other hand, it might be an overreaction, depending on the intent of people doing the traceroutes," says Roesch, who adds that if nothing else, the wholesale scanning may be a little rude. "I don't think Miss Manners would approve."
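
An added example, not part of the original article: a log check of the kind that raises the alarms described above. It flags a source that sends echo requests to many distinct hosts within a short window, or that probes one host with a run of small remaining TTL values, as a traceroute does. The log format, thresholds and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, not real traffic. Hypothetical format, one packet
# per line as seen at the network border: "<epoch> <src> <dst> <proto> <remaining-ttl>"
SAMPLE_LOG = """\
962960400 198.51.100.7 192.0.2.1 icmp-echo 49
962960401 198.51.100.7 192.0.2.2 icmp-echo 49
962960402 198.51.100.7 192.0.2.3 icmp-echo 49
962960403 198.51.100.7 192.0.2.4 icmp-echo 49
962960410 198.51.100.7 192.0.2.3 udp 1
962960411 198.51.100.7 192.0.2.3 udp 2
962960412 198.51.100.7 192.0.2.3 udp 3
962960500 203.0.113.9 192.0.2.2 icmp-echo 55
962960501 203.0.113.9 192.0.2.2 icmp-echo 55
"""

def classify_sources(log_text, sweep_hosts=4, window=60, trace_ttls=3, low_ttl=5):
    """Return {src: set of labels} for sources that look like a sweep or traceroute."""
    echo = defaultdict(list)  # src -> [(ts, dst)] for ICMP echo requests
    low = defaultdict(set)    # (src, dst) -> distinct small TTL values seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (parts[0].isdigit() and parts[4].isdigit()):
            continue  # skip malformed records instead of failing on them
        ts, src, dst, proto, ttl = int(parts[0]), parts[1], parts[2], parts[3], int(parts[4])
        if proto == "icmp-echo":
            echo[src].append((ts, dst))
        # Traceroute probes are sent with TTL 1, 2, 3, ... so the ones that
        # survive to the border arrive with only a few hops of TTL left.
        if ttl <= low_ttl:
            low[(src, dst)].add(ttl)
    findings = defaultdict(set)
    for src, events in echo.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= sweep_hosts:
                findings[src].add("ping-sweep")
                break
    for (src, _dst), ttls in low.items():
        if len(ttls) >= trace_ttls:
            findings[src].add("traceroute")
    return dict(findings)
```

Repeated pings to a single host, like the second source in the sample, are not flagged; only breadth across hosts or a ladder of small TTLs is.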

More Stealth Promised
Quova officials acknowledge their scans, which they say will hit every working, non-governmental Internet address, from corporate systems to home PCs.

"We're trying to gain some information regarding performance and geographic location," says CEO Rajat Bhargava. "We're not trying to be invasive and gain information that's considered proprietary. We're just using pings and traceroutes, among other techniques, to populate a database which is used to help us deliver our service."

What that service is, and what the company's other techniques for gathering information might be, remains a mystery. "We haven't really been talking much about what we're doing. In general, our product and service is under wraps," says Bhargava, explaining that Quova is still in "stealth mode." The 27-year-old executive's last company, Service Metrics, sold to Exodus Communications in October for $280 million. It employs automated user agents at points scattered throughout the net to monitor performance of clients' web sites.

According to records in the U.S. Patent and Trademark Office, the service mark "Quova" is registered for "providing demographic, geographic and psychographic information to others." Psychography is the science of targeting advertising to people with particular lifestyles or beliefs.

Bhargava says that service mark description is a broad category crafted by company attorneys, and has little to do with Quova's business plan. "We're not interested in profiling people, we're not interested in registration databases of people, or cookies," says Bhargava. "We've taken a completely non-invasive approach to figure out how to deliver a service that helps in areas of performance and geography without invading people's privacy."

Company CTO Derald Muniz says there's nothing inappropriate about Quova's probes, but that he's sympathetic to administrators who find them alarming. "I had to talk to the guy who got a page at 3:00 in the morning because his firewall was set off by what we were doing," says Muniz. Quova follows through on every complaint with emails or phone calls, and has sometimes exempted a network from scanning, Muniz says.

But after six months of constant probing, Quova says it's received only 100 complaints. A 1998 Internet mapping project by Bell Labs researcher Bill Cheswick drew 30 complaints after six months of scanning.

"Obviously, I want to decrease that number," says Muniz. To that end, the company is working to refine its technique, so as to fly stealthily beneath the radar of firewalls and intrusion detection systems. "It's a goal we have," says Muniz. "Someday I'd like to get the system to the point where we don't set off anybody's alarms."
