Port scanning and legality

One day, I was sitting at home, minding my business and watching my firewall traffic. I was already in a heightened state of awareness because a foreign IP address had pinged my network.

This isn’t necessarily abnormal, but I wanted to be mindful of any possibility that an intrusion might take place. I was expecting bad actors to come knocking. I scanned the foreign IP address using Nmap. No big deal, right? Is there a legitimate issue of consent?

The simple answer is yes.

Nmap is a widely popular tool among everyone in the industry for port scans, vulnerability scanning, and a wide variety of other related features. In fact, many automated scanning scripts utilize Nmap as a backend.

When you google Is port scanning illegal?” it’s like you can’t find a straight answer. This is bothersome, especially when you factor in how zealous the law can be toward prosecuting cybercrimes. In truth, the relationship between the law in different countries and jurisdictions and the people who run port scans can be tricky and sometimes convoluted.

Bear with me, and let’s untangle this yarn.

The slippery slope of legality

Fundamentally, it is not a crime to conduct a port scan in the United States or the European Union. This means that it isn’t criminalized at the state, federal, or local levels. However, the issue of consent can still cause legal problems for unauthorized port scans and vulnerability scans. That’s because, depending on which flags you use, even if you're using it in its most basic form, it’s causing network noise, and someone has likely seen it.

According to the Nmap website, a common issue that can arise from unauthorized port scans is that the network being scanned will become aware of it and send an abuse complaint to your Internet Service Provider (ISP). This escalation is rare but not entirely unheard of.

One time back in 2008, I was running an open WiFi hotspot so I could experiment with ARP poisoning attacks against the hosts that connected to my network. I was scanning and sending so many packets that I saw my ISP log into my router and disable it. I was presented with a message that they believed my computer was infected with malware and gave steps to remediate it along with instructions on how to reactivate my router.

The thing about this is that the internet itself is a noisy place, and scanning happens frequently, but this doesn’t necessarily mean that a complaint won’t be made. The ISP can terminate a user’s subscription to their internet service. However, criminal prosecution is not entirely unheard of.

One landmark legal case centered around Scott Moulton, a consultant with a contract for overseeing the Cherokee County, Georgia, emergency 911 system. In December 1999, he received an assignment to establish a router linking the Canton, Georgia Police Department to the E911 Center. Fearing potential security risks to the E911 Center, Scott proactively conducted initial port scans on the relevant networks.

During the scanning procedure, he examined a Cherokee County web server, which was under the ownership and maintenance of a rival consulting firm known as VC3. Upon detecting the scan, VC3 sent an email to Scott, to which he responded by explaining that he was employed by the 911 Center and conducting security testing.

Subsequently, VC3 reported the incident to the police. As a consequence, Scott not only lost his E911 maintenance contract but also faced arrest on charges of purportedly violating the Computer Fraud and Abuse Act, specifically Section 1030(a)(5)(B) in the United States, which criminalizes anyone who “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.”

Damages, in the legal sense, do not necessarily mean physical, but also can encompass downtime caused by the incident, loss of time, the expenditure of resources spent for remediation, and so on.

Therefore, Scott initiated a defamation lawsuit against VC3, and in response, VC3 filed a countersuit in VC3 v. Moulton, which alleged violations of both the Computer Fraud and Abuse Act and the Georgia Computer Systems Protection Act.

Thankfully, the civil case was dismissed because it lacked merit, which was a major win for those of us who use port scans. Naturally, however, it set a new precedent for the possibilities of the legal issues that could arise in future cases.

“The Court holds that the plaintiff's act of conducting an unauthorized port scan and throughput test of the defendant's servers does not constitute a violation of either the Georgia Computer Systems Protection Act or the Computer Fraud and Abuse Act.”

Civ. Act. No. 1:00-CV-434-TWT (N.D. Ga. November 6, 2000)

While the above case took place in the US, India’s position makes clear that port scanning without prior consent is patently illegal and is defined as “Unauthorized Access” under The IT Act, 2000, Section 43, The IT Act, 2000.

We see your scans

I used to work as a network security analyst in a command center for a private Internet Service Provider. The client networks we monitored were often the recipients of port scanning by unknown individuals, mainly from China. From an Administrator’s perspective, port scans can appear as several different types of attacks that exhibit similar behaviors.

For example, computer viruses are well known for exploring ways to break into poorly defended network protocols as well as vulnerable web applications. This means that a virus, in the general sense, will search for the most optimal way to break into a network. This is usually done by scanning vulnerable ports and the services behind them in order to brute force or exploit them before launching a payload that can allow the attacker to remotely access and pivot across the network.

Another behavior port cans can exhibit is similar to a Denial of Service attack (DoS). That’s because of the tidal wave of packets being blasted at a fraction of a second from the unknown host and possible intruder.

However, it is important to note that the usual size of a TCP packet sent by a Nmap scan is usually 40 bytes, and an ICMP echo request is 28 bytes. This means that the effects of a port scan are not on par with an actual DoS attack, although it appears as an attack at first glance.

Think about it for a moment. It becomes evident when a single IP address is actively scanning all available ports without any delay. Also, more aggressive Nmap port scans return better results, but the packets sent are far more verbose, causing far more network noise, which is more noticeable to network guardians. I shouldn’t have to mention the massive Event logs these scans can accumulate, while we hope that the other side isn’t paying much attention to them.

In the culmination of things, written consent is vital. If your ISP is receiving abuse complaints, it is not out of the question for it to escalate into a lawsuit from the host you are scanning. Therefore, as a simple example, the written consent should include the following information:

  • A schedule including the dates and times of the scan
  • The IP range desired to be scanned
  • A list of tools that will be used
  • The individuals performing the scans

This is how you cover your bases. But for those of who just can’t stand the thought of obtaining consent, their best option is to anonymize their IP address and use a Virtual Private Server. Because, you know, if they’re going to do it anyway, there’s no stopping them. But my advice is simply to follow the right path.

More from Cybernews:

Long passwords won’t protect your accounts, report finds

23andMe confirms attackers stole raw genotype data

OneCoin fraudster gets ten years for laundering $400M

Bill Gates wants you to love humanoid robots

Taylor Swift deepfake amass 47 million views on X

Subscribe to our newsletter