
The AWS Acceptable Use Policy is at https://aws.amazon.com/aup/ and other providers will have similar ones.

> You may not use, or facilitate or allow others to use, the Services or the AWS Site ... to violate the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device;

There's no cutoff because it's not about the number of connections; you could conceivably violate this policy with a single connection, and you could be in compliance with a million connections. Note the term "unwarranted" in OP's post.



What exactly defines an "unwarranted" connection?

Assume we're not talking about nmap (since it's widely known as a hacker tool, which may muddy the waters), but instead about a user-written program that e.g. checks for open ports. If a port is open to the public internet, what exactly makes a connection to it "unwarranted"?

As for the AWS rule, scanning open ports does not violate, by itself, any of those things.


I have no idea how AWS defines it, but to my mind it's about two things: intent and impact.

Intent: What is the connection's purpose? To use a service, to map a topology, to identify potentially vulnerable targets, to consume resources?

Impact: How does the act of connecting (once or many times) affect the remote end of the connection? Is a critical resource being exhausted (network connections, cpu, memory, etc)? Is the remote end's service still available for its intended purpose?

There's no magic spot on the scales but the further you get away from "to use the service" on the Intent scale and "no detectable impact" on the Impact scale, the more trouble you're likely to run into.


Where did you buy this scale? Seriously, this sounds like the evil bit.


What activity constitutes abuse is at the discretion of the provider. If it looks like abuse to them, then it is.

You're looking for a line in the sand (for whatever reason), but no provider will give one, nor should they, because that would mean telling attackers how to get close to the line without going over it.


I do a lot of nmap scanning for fun and out of curiosity. I pick a site and check out what ports they have open on the server behind their domain. Never did any attacks nor do I intend to.

I'm asking questions to widen my understanding of how and why I might get in trouble for it.


I understand you're trying to get a concrete definition of "network abuse", but you won't find one. It's not really possible to create a concrete definition that won't somehow include legitimate user traffic.

And I know, now you want to define "legitimate user traffic".

The problem is that the expectation for such strictly defined terms is what leads to legalese that's impossible for anyone who isn't a lawyer to understand.


> As for the AWS rule, scanning open ports does not violate, by itself, any of those things.

Several years ago (so things may be different now), I snagged a free-tier (IIRC, it was free for six months or something like that) AWS instance specifically to battle-test my new firewall and config.

Within an hour of beginning tests, I received a notification from AWS asking me why I was doing port scans/etc. and that they wanted me to stop or I'd be kicked off.

I replied and documented that I was testing my own systems/networks and they backed off. I completed my testing and never heard anything from them after that.

Like I said, this was a few years ago (2019, I think), so things may be different now, but back then AWS was definitely proactive about this stuff.


A connection is unwarranted if AWS gets an abuse letter about it.


Back in the day, we got in trouble for nmapping our own machines in our VPS...

But we signed a thing with our rep to agree to only scan our own machines, and then they let us do it.

Don't know if they will do that any more.


> violate the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device

A normal port scan does none of these things. Unless you have some really crappy equipment (I've seen routers choke on a SYN scan), but in my opinion that's on you.


> unwarranted

Gosh they're going to have a heck of a time figuring out what is and isn't warranted.



