Network Security
Startup Scanning the World, from securityfocus
- From: Owen Creger
- Date: Fri Jul 07 13:44:40 2000
Scanning the World
A mysterious California company is sweeping the net for live hosts, and
touching off alarms around the world.
By Kevin Poulsen <mailto:klp@securityfocus.com>
July 7, 2000 12:38 AM PT
A secretive Silicon Valley startup is probing the Internet, tickling
firewalls and intrusion detection systems across the globe and raising the
ire of network administrators increasingly sensitized to potential
harbingers of hack attacks.
Security watchers began noticing the probes earlier this year. "When I came
in to work in the morning, I saw pages and pages of traceroutes and pings,"
recalls Matthew Jach, a network security specialist under contract with the
state of Wisconsin. "Some customers called me, really angry about lots of
logs that they were reading, and asked me to do something about that
problem," says Fabio Oliva, director of Safe Networks, a security services
company in Sao Paulo, Brazil. Alif Terranson, administrator at Missouri
FreeNet, asks rhetorically, "If someone is banging on your door for an hour,
would you let it go, or would you call the cops?"
Terranson didn't call the police when Missouri FreeNet's firewall caught a
flock of suspicious packets last month, but like other network
administrators and security gurus troubled by the scanning, he traced the
source of the probes and was surprised to find that the culprit wasn't a
teenage cyberpunk reconnoitering his next target. Instead, it was Quova
Inc., a six-month-old technology company boasting fifty employees and
financial backing from such VC stalwarts as Softbank and IDG Ventures.
The company web site told Terranson little about what Quova does, and
offered nothing to explain why it was scanning. Quova, the site read, is an
"Internet infrastructure company" operating in "stealth mode" -- a term of
art that did nothing to reassure Terranson. "When I saw that, it raised the
hairs on the back of my neck."
'I had to talk to the guy who got a page at 3:00 in the morning because his
firewall was set off by what we were doing.'
-- Derald Muniz, CTO of Quova
Matthew Jach discovered Quova as the company swept through the Wisconsin
government's network last April. "It's not illegal, but to a lot of people
it's invasive and rude to come through a network and do a ping scan," says
Jach, who went so far as to complain to Quova's upstream provider, Exodus
Communications, which assured him that the scans didn't violate Exodus'
terms of service.
"I'm not aware of Quova doing anything invasive, or anything that could be
considered a denial of service attack," says Eric Uratchko, policy
enforcement specialist for Exodus. "If they were, we would certainly take
action."
Who is Quova?
It may be a reflection of the times that Quova's probes are raising
eyebrows.
The company's technique is to send every computer an ICMP Echo request,
colloquially known as a 'ping.' A ping is a small packet of data that
bounces harmlessly off of a system and back to the sender, and is typically
used to measure response time.
Whenever a system answers, indicating that it's alive and online, Quova
performs a "traceroute," determining the exact path Internet traffic takes
to reach the remote computer from the company's Mountain View, California
offices.
There are malicious uses of pings and traceroutes, but, generally, both
types of traffic are harmless, and they reveal far less about a network than
common hacker tools like "nmap" that probe each machine multiple times in
search of open ports. Ping and traceroute utilities are standard on most
flavors of Unix and Windows. "They're management tools," says Martin Roesch,
an intrusion detection expert at Hiverworld. "They're not really invasive."
As little as four years ago, nobody would have noticed Quova's efforts, says
Roesch, but escalating network intrusion rates and a spate of high-profile
computer crimes are pushing administrators to levels of sensitivity
bordering on the touchy. "It's good that everyone's awareness of computer
security is so heightened that a traceroute is setting off alarm bells. On
the other hand, it might be an overreaction, depending on the intent of
people doing the traceroutes," says Roesch, who adds that if nothing else,
the wholesale scanning may be a little rude. "I don't think Miss Manners
would approve."
More Stealth Promised
Quova officials acknowledge their scans, which they say will hit every
working, non-governmental Internet address, from corporate systems to home
PCs.
"We're trying to gain some information regarding performance and geographic
location," says CEO Rajat Bhargava. "We're not trying to be invasive and
gain information that's considered proprietary. We're just using pings and
traceroutes, among other techniques, to populate a database which is used to
help us deliver our service."
What that service is, and what the company's other techniques for gathering
information might be, remains a mystery. "We haven't really been talking
much about what we're doing. In general, our product and service is under
wraps," says Bhargava, explaining that Quova is still in "stealth mode." The
27-year-old executive's last company, Service Metrics, sold to Exodus
Communications in October for $280 million. It employs automated user agents
at points scattered throughout the net to monitor performance of clients'
web sites.
According to records in the U.S. Patent and Trademark Office, the service
mark "Quova" is registered for "providing demographic, geographic and
psychographic information to others." Psychography is the science of
targeting advertising to people with particular lifestyles or beliefs.
Bhargava says that service mark description is a broad category crafted by
company attorneys, and has little to do with Quova's business plan. "We're
not interested in profiling people, we're not interested in registration
databases of people, or cookies," says Bhargava. "We've taken a completely
non-invasive approach to figure out how to deliver a service that helps in
areas of performance and geography without invading people's privacy."
Company CTO Derald Muniz says there's nothing inappropriate about Quova's
probes, but that he's sympathetic to administrators who find them alarming.
"I had to talk to the guy who got a page at 3:00 in the morning because his
firewall was set off by what we were doing," says Muniz. Quova follows
through on every complaint with emails or phone calls, and has sometimes
exempted a network from scanning, Muniz says.
But after six months of constant probing, Quova says it's received only 100
complaints. A 1998 Internet mapping project by Bell Labs researcher Bill
Cheswick drew 30 complaints after six months of scanning.
"Obviously, I want to decrease that number," says Muniz. To that end, the
company is working to refine its technique, so as to fly stealthily beneath
the radar of firewalls and intrusion detection systems. "It's a goal we
have," says Muniz. "Someday I'd like to get the system to the point where we
don't set off anybody's alarms."
Owen C. Creger
Senior Network Engineer
Holland Systems, Corp.
950 Victors Way Suite 100
Ann Arbor, MI 48108
phone: 734.663.3737 fax: 734.663.9500
beeper: 517.794.3056
ocreger@holland-systems.com
www.holland-systems.com
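
The ping-then-traceroute pattern the article describes can be picked out of firewall logs by correlating the two stages per source. The following is an added example, not part of the original message or article: the log format, addresses and function name are constructed, and it assumes Unix-style traceroute (UDP probes to ports 33434 and up).

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the article). The line format is
# hypothetical and all addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2000-07-07T03:00:01 SRC=192.0.2.10 DST=198.51.100.1 PROTO=ICMP TYPE=8
2000-07-07T03:00:01 SRC=192.0.2.10 DST=198.51.100.2 PROTO=ICMP TYPE=8
2000-07-07T03:00:02 SRC=192.0.2.10 DST=198.51.100.3 PROTO=ICMP TYPE=8
2000-07-07T03:00:02 SRC=192.0.2.10 DST=198.51.100.4 PROTO=ICMP TYPE=8
2000-07-07T03:00:03 SRC=192.0.2.10 DST=198.51.100.5 PROTO=ICMP TYPE=8
2000-07-07T03:00:04 SRC=203.0.113.7 DST=198.51.100.1 PROTO=ICMP TYPE=8
2000-07-07T03:00:09 SRC=192.0.2.10 DST=198.51.100.2 PROTO=UDP DPT=33434
2000-07-07T03:00:09 SRC=192.0.2.10 DST=198.51.100.2 PROTO=UDP DPT=33435
2000-07-07T03:00:10 SRC=192.0.2.10 DST=198.51.100.4 PROTO=UDP DPT=33436
2000-07-07T03:00:11 SRC=192.0.2.10 DST=198.51.100.3 PROTO=UDP DPT=53
2000-07-07T03:00:12 SRC=192.0.2.10 DST=198.51.100.9 PROTO=UDP DPT=33437
"""

LINE_RE = re.compile(
    r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=(\w+)(?: TYPE=(\d+))?(?: DPT=(\d+))?")
# Assumption: Unix-style traceroute, UDP probes starting at port 33434.
TRACEROUTE_PORTS = range(33434, 33535)

def find_ping_then_trace(log_text, min_hosts=4):
    """Report sources that echo-swept >= min_hosts of our addresses, and
    which swept hosts later received traceroute-style probes from them."""
    pinged = defaultdict(dict)   # src -> {dst: time of first echo request}
    traced = defaultdict(set)    # src -> {dst probed after being pinged}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # ignore lines in any other format
        ts, src, dst, proto, icmp_type, dport = m.groups()
        if proto == "ICMP" and icmp_type == "8":       # echo request
            pinged[src].setdefault(dst, ts)
        elif proto == "UDP" and dport and int(dport) in TRACEROUTE_PORTS:
            first_ping = pinged[src].get(dst)
            if first_ping is not None and ts >= first_ping:
                traced[src].add(dst)
    return {src: {"pinged": len(dsts), "traced": sorted(traced[src])}
            for src, dsts in pinged.items() if len(dsts) >= min_hosts}

if __name__ == "__main__":
    for src, info in find_ping_then_trace(SAMPLE_LOG).items():
        print(src, info)
```

A single monitoring ping (203.0.113.7 in the sample) stays below the sweep threshold, and UDP traffic outside the traceroute port range or toward hosts that were never pinged is not counted.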