Security The Internet

How Do You Handle Portscanning Attacks?

Kainaw asks: "I tried to submit this earlier, but I couldn't because I had no bandwidth available. The reason is simple: I use Comcast for cable Internet. My modem/router is portscanned constantly. Nothing makes it past the router, so everyone tells me that it isn't an issue. Well, it is when I can't access any webpages, get email, or even submit a simple article to Ask Slashdot because my entire bandwidth is eaten up by script kiddies with a new portscanner toy. This is a two-part question: First, can anything be done with a simple at-home modem/Linksys router/two computer setup to stop a portscanning attack? Second, is it possible for the Linksys router to become a 'bot' and actually be the originator of much of the traffic?"
  • Contact Comcast (Score:2, Informative)

    by rmjohnso ( 891555 )
    I would suggest you contact Comcast. They might be able to help you out, especially if you think it's a problem on your end. I've never heard of a Linksys router being made into a bot, though.

    On a side note, I've also got Comcast, and I've never run into anything like this. They do tend to have a lot of problems with their DNS servers, though.
    • Re:Contact Comcast (Score:3, Informative)

      by Kainaw ( 676073 )
      They do tend to have a lot of problems with their DNS servers, though.

      I called Comcast and found that the DNS sent with DHCP for the cable modems is actually the testing DNS server. I had set the DNS server IP address manually and I've had no DNS problems since. Unfortunately, I'm at work, so I have no clue what the IP address is.
      • Unfortunately, I'm at work, so I have no clue what the IP address is.

        You mean you can't ssh into your home box from the office.
        Loser.
        • I think cable modem companies frown on that sort of thing, and in fact block the relevent ports.

          D
          • Re:Contact Comcast (Score:3, Interesting)

            by robertjw ( 728654 )
            Umm... Comcast doesn't, at least not on my subnet.

            I actually had some discussions with the installers and local sales people for Comcast. Their attitude was a don't ask/don't tell policy for running services over their cable modem connections. As long as you aren't soaking up an extreme amount of bandwidth they don't really care if you are running a web server, ftp server, whatever.

            Besides, I could run ssh over any port I want.
            • What kind of ISP cares if you run a server? He is being portscanned by pathetic script kiddies, not Comcast!
              • What kind of ISP cares if you run a server?

                Kinda what I was thinking...
              • What kind of ISP cares if you run a server?

                Read your TOS. I think you may be pleasantly surprised to find that running a server on your connection has been forbidden by your ISP. I know mine does.

                • It's true, but it's designed so that businesses don't lease a consumer DSL line and expect to run a web server off it full time. They lease commercial DSL lines for that sort of thing, same (peak) bandwidth as consumer, but much higher sustained. Doesn't mean you can't RUN a lightweight SSL, HTTP, FTP or other server for personal use. It's much easier to throw a file in the "website" folder of your computer and send your tech-inept friend a web link to download than explain FTP or AIM file transfer. I've b
                  • Not only that, but many ISPs will look the other way if you even want to run a commercial site off your DSL or Cable connection. As long as you don't get slashdotted you will be fine.
          • and in fact block the relevent [sic] ports

            which ones would those be, 0-65535 ?

      • Please post it when you get home. If only for backup purposes, it'd be good to have around.

      • I'm at work, but even I know the IP address of my Comcast cable modem is 127.0.0.1. Bring the script kiddieZ!!1!

    • One of their gateways on the way to Warcraft was down for a week: 800 ping, sometimes just a timeout; ping in game was 1800-2400. I asked around on DSL forums and in vain sent an email to abuse@comcast.com explaining the IP and ping. The next day it was fixed...
    • I just wanted to chime in here and say that I agree w/the parent's post - contact Comcast. I had a similar problem a few months ago w/comcast (right around the time they upgraded speed to 4Mbps). I would do a speed test, and my d/l speed would end up something pitiful like 20Kbps while my upload was a little higher (but still pitiful) around 50-100Kbps. I thought that someone else in my area must be d/l'ing a bunch of stuff and chewing up the "shared" bandwidth for my area. I contacted comcast, told the
  • Not The Portscans (Score:4, Insightful)

    by asc4 ( 413110 ) on Wednesday June 15, 2005 @03:54PM (#12826351) Homepage
    Sounds to me like you have bigger problems than the portscanning. Even hundreds of simultaneous port scans are unlikely to chew through all your bandwidth on a cable line. Sounds to me like your computer(s) may be zombied and *that's* what's eating up your bandwidth.
    • Precisely. A few packets to try and open a connection on a specific port, even if they're trying 1000 ports, is not going to add up to significant bandwidth. Of course they're probably only trying a couple dozen ports at most. In any case, assuming you're not running any servers, just start blocking incoming traffic. Basically, only allow outgoing, or established incoming. If someone tries to establish a new connection, either drop or reject it.
    • Good point. I wonder when he last ran a spyware scan?
    • I did once see a similar device nearly crushed when configured in a particularly unusual way. It was set to redirect traffic directed at any port over to a tarpit sitting behind it. After a few minutes of exposure on the wild internet several portscans and worms happened by. The device response slowed a bit, even though very little bandwidth was being used. These devices don't have much CPU and memory, and they are really not designed to front a tarpit on all ports like that. Poor little thing!

      Of c
    • Whoa down there, buckeroo. Bandwidth is not the only resource at stake here. Depending on the vendor of the router upstream, a port scan will consume route cache entries that may make it very hard to open new outbound connections. I know of a major university with the wrong vendor that was routinely getting taken down by a handful of people scanning their /16. Yes, it was a poor router design in that version, but it was happening. Considering you only get maybe 64k route cache entries, that is only 1 or 2 near sim
  • by TripMaster Monkey ( 862126 ) * on Wednesday June 15, 2005 @03:55PM (#12826363)


    Got the IP addys of your tormentors?

    Post them here!

    I'm sure some of us could persuade these kids that port scanning is bad for your health...

    ^_^

  • Mere portscanning doesn't intentionally clog all bandwidth.

    IANA network security expert, but I'd say put a more capable firewall behind the router (read: a Linux or BSD box) and make it the DMZ.

    At least you don't have some punk trying to find a weak username/password combo through SSH. (Silly script kiddie, you can't login to root through SSH on my box.)
    • Be careful with using a Linux box as a firewall - if you don't have experience hardening such systems, you could end up with a much better chance of it becoming a bot than your Linksys box (which is neither i386 nor runs a well-known Linux distro).

      You definitely wouldn't want to do a default install of any distro I know of (except Debian, that doesn't install much of anything except what you ask for).

    • by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Wednesday June 15, 2005 @04:13PM (#12826615) Homepage
      Mere portscanning doesn't intentionally clog all bandwidth.
      Mod that statement up!

      In my experience, when somebody's saying that `X is using up all my bandwidth', where `X' is things like virii, `hackers', ARP requests or something else, what that really means is that somebody doesn't really understand what's going on.

      Most cable modems have a lot of downstream bandwidth and not so much upstream bandwidth -- but even the upstream bandwidth is far, far more than is used by a standard port scan where somebody hits all your ports to see if they're open.

      And even that's unusual -- usually people seem to scan entire networks to see if one port is open, so a single scanner would only send a few packets at your box. It would take several thousand people hitting your box _at once_ like this to make things as bad as you make it sound.

      Your box may actually be under attack (a DoS attack.) I get a lot of trouble like this when people want the nick I use on IRC -- they packet my box incessantly. I've got 5 Mb/s downstream on my cable modem, so as long as my packet filtering isn't responding to each packet, it takes a pretty significant attack to kick me off of IRC. But if my system does respond to every packet with packets of approximately the same size, an attack of about 0.3 Mb/s is enough to bring everything down to a crawl. It's all a matter of configuring my filters properly ...

      Ultimately, what you should do is log all the packets being sent at your IP address with a tool like tcpdump, then send those logs to the abuse department of the ISP where they're coming from. If it's a DDoS attack, the odds are that the IPs are spoofed, but if it's really a portscan it's probably not (because they need to see the returning packets to see which ports are open.)

      You could also contact Comcast and see if they could filter the traffic out, though I'd reserve that option for an attack that lasts days and doesn't give up, because if they're anything like RR, getting to somebody who can actually do that will be very difficult.

      Another way of dealing with an attack is to turn off your cable modem long enough for your DHCP lease to expire, and then come back and get a new IP address, one that's hopefully not being attacked.

      • Another way of dealing with an attack is to turn off your cable modem long enough for your DHCP lease to expire, and then come back and get a new IP address, one that's hopefully not being attacked.

        It is probably faster to get a new IP on cable by changing your MAC address than waiting for a DHCP lease to expire.

        • It is probably faster to get a new IP on cable by changing your MAC address than waiting for a DHCP lease to expire

          Probably correct, though it's not always easy to do. Switching cards is easy enough, but it requires shutting down and opening up your computer. Some cards and/or OSs let you change the MAC address of a card on the fly, though it seems to be pretty rare.

          Some cable modems will let you `reset' them by various means (holding down the reset button at power up, holding it down for a long

      • Mere portscanning doesn't intentionally clog all bandwidth.

        Mod that statement up!

        Not true at all - I have a whopping great 24/1M ADSL plan and I constantly achieve full speed (being only across the road from the phone exchange). If I portscan my mate with the Insane settings in Nmap he goes down for the count. I can flood him with enough traffic to saturate his 512k link for a couple of minutes.

        If I didn't like my mate I could easily take him off the net by asking nmap to scan his IP addr

        • If I portscan my mate with the Insane settings in Nmap he goes down for the count. I can flood him with enough traffic to saturate his 512k link for a couple of minutes.

          The only options I see useful in nmap for actually doing a DoS attack designed to suck up all of somebody's bandwidth are the `-D decoy1 [,decoy2][,ME],...' and the --data_length options.

          I found the `Insane' setting -- it's not really about flooding a host, it's about assuming that the latency is almost zero, so a scan will happen

          • found the `Insane' setting -- it's not really about flooding a host, it's about assuming that the latency is almost zero, so a scan will happen quickly.

            That's true to an extent, except that the Insane setting generally does not wait for a reply to packets before sending the next. It lets you flood the host, and if their connection is slower than yours and you run it enough times they end up with quite a backlog of packets they need to download from their ISP.

            My point was that it is possible to DoS s

            • Well, technically I am still portscanning. The side effect is that I'm DoS'ing him. Alas, he won't know that. All he'll see is a bunch of port scans in his firewall logs.

              At that point, I'd say you're DoSing him, and any port scanning would be the side effect. After all, the Insane option doesn't give the packets long enough to come back and probably does discard them once they come back, because they took too long. Also, if you're overloading his connection, some packets will be lost, making some po

    • If you happen to be using the ever-so-popular Linksys WRT54G you may consider trying one of many custom firmwares like dd-wrt or openwrt. These can give you SSH and telnet access (from inside your LAN) and then you can customize the firewall yourself. Otherwise give ipcop a wing.
    • by Medievalist ( 16032 ) on Wednesday June 15, 2005 @06:02PM (#12827702)
      Mere portscanning doesn't intentionally clog all bandwidth.
      True. Portscanning per se is harmless (some things that look like portscanning on cursory inspection are not).
      IANA network security expert, but I'd say put a more capable firewall behind the router (read: a Linux or BSD box) and make it the DMZ.
      No, bad advice; if a person would consider a port scan harmful (s)he is not qualified to run a secured general-purpose system (not even OpenBSD) as a firewall. Better to use a cable modem with an integrated firewall (making sure to keep it patched and not use default passwords) or a "dumb" cable modem with a dedicated firewall between it and the hub or switch (same caveats apply).
      At least you don't have some punk trying to find a weak username/password combo through SSH. (Silly script kiddie, you can't login to root through SSH on my box.)
      If he has port 22 live, and he's on broadband, then he certainly is experiencing the attack you are referring to. Everybody is.

    • At least you don't have some punk trying to find a weak username/password combo through SSH. (Silly script kiddie, you can't login to root through SSH on my box.)

      One way of dealing with that problem is to block China and Korea [okean.com] altogether. All the l33+ h4x0r5 who try to password guess on my ssh daemons come from educational institutions in Korea. Block them at the border router, problem goes away!

  • It's basically a fact of life on the Internet that you'll get port scanned. If you have an IP, probes are bound to happen.

    I'm sure someone could upload firmware to a router and set it up to port scan or other activity.
  • Answers. (Score:4, Funny)

    by irc.goatse.cx troll ( 593289 ) on Wednesday June 15, 2005 @04:10PM (#12826572) Journal
    Basically, no. End users are the scum of the internet, no ISP really cares what happens to you as long as you pay the bill. If you don't, they don't care because others will.
    Your best bet would be to detect the port scan (eg, >5 sequential connections from the same host, or >15 nonsequential ones) and nullroute it so they get no response at all.
    Of course they can get around that, but if you're avoiding the common drones it doesn't matter.

    Second off, it's not an attack, it's just trying to get more information on you. Calling it an attack makes it sound bad, which further scares away the masses (who then get to vote on this stuff). If your ISP didn't limit your upstream so much you wouldn't even notice it. nmap running in standard mode doesn't use nearly as many packets or bandwidth as my ISP flooding me with ARP who-has packets to see who's on.

    Side note: be careful with whatever you do. Last time I found out a friend of mine ran a stupid Windows firewall that would automatically firewall anything that portscanned him, I spoofed a scan from his DNS, then after I had fun watching him wonder why he couldn't resolve anything, I spoofed one from his gateway.
    Automated dropping is dangerous.
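The detection heuristic in this post (more than 5 sequential or more than 15 non-sequential ports from one host) together with its warning about spoofed scans from your own DNS or gateway, worked through as an added example that is not part of the original thread. The iptables-style LOG lines, the 192.0.2.x addresses and the never_block list are all constructed for illustration.

```python
import re
from collections import defaultdict

# Thresholds from the post above: more than 5 consecutive ports or more than
# 15 distinct ports from a single source address.
SEQ_THRESHOLD = 5
NONSEQ_THRESHOLD = 15

# Field pattern for iptables-style LOG lines (SRC=, PROTO=TCP, DPT=).
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def _log_line(src, dpt):
    """Build one constructed log line; 192.0.2.0/24 is documentation space."""
    return (f"Jun 15 15:54:01 router kernel: IN=eth1 OUT= SRC={src} "
            f"DST=192.0.2.50 PROTO=TCP SPT=44321 DPT={dpt} SYN")


# Constructed sample log: a sequential scanner, a non-sequential scanner,
# a host that touched three ports, and a spoofed-looking "scan" that appears
# to come from the gateway address (the trap the post warns about).
SAMPLE_LOG = (
    [_log_line("192.0.2.10", p) for p in range(20, 27)]
    + [_log_line("192.0.2.20", p) for p in
       (21, 80, 443, 8080, 25, 110, 143, 3389, 5900, 1433,
        3306, 23, 53, 139, 445, 135)]
    + [_log_line("192.0.2.30", p) for p in (80, 443, 22)]
    + [_log_line("192.0.2.1", p) for p in range(1, 11)]
)


def parse_log(lines):
    """Map each source address to the destination ports it hit, in order."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits[m.group("src")].append(int(m.group("dpt")))
    return hits


def longest_sequential_run(ports):
    """Length of the longest run of consecutive, increasing port numbers."""
    if not ports:
        return 0
    best = run = 1
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def classify(hits, never_block=frozenset()):
    """Return {src: reason} for sources that match the scan heuristics.

    Addresses in never_block (your DNS servers, your gateway) are still
    reported but marked log-only: a scan's source address can be spoofed,
    so auto-dropping them would cut off your own name resolution or default
    route, exactly as described in the post above."""
    verdicts = {}
    for src, ports in hits.items():
        seq = longest_sequential_run(ports)
        distinct = len(set(ports))
        if seq > SEQ_THRESHOLD:
            reason = f"sequential scan ({seq} consecutive ports)"
        elif distinct > NONSEQ_THRESHOLD:
            reason = f"non-sequential scan ({distinct} distinct ports)"
        else:
            continue
        if src in never_block:
            reason += " [LOG ONLY: infrastructure address, possible spoof]"
        verdicts[src] = reason
    return verdicts


if __name__ == "__main__":
    for src, why in sorted(classify(parse_log(SAMPLE_LOG),
                                    never_block={"192.0.2.1"}).items()):
        print(f"{src:<12} {why}")
```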
  • by crow ( 16139 ) on Wednesday June 15, 2005 @04:12PM (#12826595) Homepage Journal
    One thing that I did was to disable ICMP echo reply. (I allowed it from IP ranges that I'm likely to be at, but in general, it's turned off.) That means if someone tries to ping me, they don't get a response, so many script kiddies will assume that there is no computer at my IP address and move on.

    I've also set it up to drop incoming TCP requests for dead ports (actually, it blocks the outgoing connection refused packets). So if they scan ports that aren't open, they never get a single packet back.

    Essentially, unless they're connecting to something I intentionally have open, they can't tell that my system exists.
    • by Anonymous Coward
      Congratulations! You're violating RFC 1122 - Requirements for Internet Hosts and as such should not expect anything to necessarily work correctly!

      3.2.2.6 Echo Request/Reply: RFC-792
      Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies.

      Have a wonderful day.
      • Congratulations! You're violating RFC 1122 - Requirements for Internet Hosts and as such should not expect anything to necessarily work correctly!

        3.2.2.6 Echo Request/Reply: RFC-792

        Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies


        You know what? I don't give a good goddamn about RFC 1122. Our servers get pounded on every port that is open, every day, since forever. Cutting off ping reduces it dramatically. So, by violating th
        • You know what? I don't give a good goddamn about RFC 1122. Our servers get pounded on every port that is open, every day, since forever. Cutting off ping reduces it dramatically. So, by violating that particular RFC, I do have a more wonderful day.

          Um, so does microsoft.com... You don't want to be like them, do you?
    • If you have a fw inside a router, the router will send a "destination host unreachable" ICMP message in response to traffic to non-existent hosts.

      A drop will generally indicate:
      1) firewalling
      2) an inverse map - "I didn't get the ICMP 'dest. host unreachable', ergo something is there"

      blocking that outbound ICMP message is possibly a mistake if you have public net resources.

      As others pointed out, a drop vs. the icmp error slows the scan down nicely, though.
      • You don't get a dest host unreachable for hosts that don't exist. If the routing is correct to the network but the host doesn't exist, the echo-requests disappear into the void. Dropping icmp echo-request is simulating that behavior, the non-existent host.

        The router will only send a dest host unreachable if it has an ACL that blocks the traffic or if its next hop in the routing table is unreachable.
        • Your router may block the unreachables - that's a common lockdown step. But it is also correct behavior for the router on the destination net to send an ARP, determine that nobody is listening at that IP address, and reply to sender with the icmp dest unreachable (ICMP Type 3, Code 1). There's also a net unreachable that I haven't run into, Type 3, code 0.

          http://www.faqs.org/rfcs/rfc792.html [faqs.org]
          "Gateways in these networks may send destination unreachable messages to the source host when the
          destination host
    • Actually, if you have done some reading and used tools like nmap, you might be a little shocked to know that this tool can still tell if you're online unless you really know what you're doing. Turns out that certain "illegal" TCP flags can trigger the OS to reveal information about the ports they are scanning. So even if you think you're blocking outgoing info, chances are you're only blocking "legit" outgoing stuff, and you're still in fact giving out tons of information to people that know TCP well enough to scan yo
  • by SpaceLifeForm ( 228190 ) on Wednesday June 15, 2005 @04:12PM (#12826604)
    You did change it, right?

    And you don't allow access to it from un-trusted machines (i.e., the Internet), right?

    Otherwise, in theory, it could get pwned. It is running Linux and tools such as busybox.

  • Connectivity issues concerning Comcast can most likely be addressed by using an open DNS [slashdot.org] server among your Comcast ones. Try 4.2.2.4 - easy to remember!

    You might also be the victim of a lame DoS attack. Participate in any flamewars recently? Send relevant portions of your incoming traffic logs to the respective ISPs for (in)action.

    Another possible cause is one of the machines behind your firewall has been pwned and is now a spam zombie. Is your firewall blocking both incoming and outgoing?

  • Portscans use minimal bandwidth, enough that even a modem can be portscanned without a major slowdown. If you're getting enough traffic to shut down your network, but not enough that Comcast would notice it, this so-called "portscan" is likely not the cause of your problems.

  • by Tor ( 2685 ) on Wednesday June 15, 2005 @04:35PM (#12826836) Homepage
    Seeing as none of the comments so far has answered your question, let me just offer my 2:

    Rather than using a Broadband NAT router, set up a firewall running Linux, *BSD, or similar. This way, you can send "irrelevant" traffic (e.g. ICMP ping requests, or TCP/UDP packets to ports on which you do not provide services) to the bit bucket ("DROP" in the language of Linux IPTables).

    This slows down port scanning of your machine (e.g. using "nmap") to near a grinding halt, and thereby reduces the bandwidth consumed by such port scans to near zero.

    It is not bulletproof - someone could still direct DoS attacks against you - but it would nearly eliminate the traffic caused by casual port scanning of your machine.

    • What kind of freaky router are you used to, that doesn't drop packets with no destination? You didn't state any reason in your post for switching to an OS-based firewall, that the cheapest router doesn't already provide.

      All NAT routers I've seen need to be specifically set up to forward traffic, unless you set up your computer in a DMZ. If you don't set them up that way, packets will simply be dropped.

      There are other reasons to use a linux firewall, but not the ones you stated. Add to that that you'd requ
      • > All NAT routers I've seen need to be specifically set up to forward traffic, unless you set up your computer in a DMZ.

        or unless your router is listening to upnp traffic.
      • Routers don't typically DROP the traffic, they REJECT it. There is a crucial difference: REJECT means that a TCP NAK response is sent back to the originator (of the SYN request), allowing them to immediately discern that there is no service at the given port. This allows them to do port scanning much faster, and consequently hogs your bandwidth.

        In contrast, when you simply DROP incoming SYN requests in the bit bucket, the client has no way of knowing whether the response from your end is due to a net.lag
  • As has been mentioned, simply being scanned is likely not all of your problem, but I do know that Comcast scans all of their users' ports to see if they're breaching contract and hosting a website/ftp etc on common ports. I think there's about 5 that they just scan repeatedly.

    Funny story, in fact, they were scanning me and I didn't know who it was (all I had was an IP and very little knowledge about the internets) so I called them up and informed them that "such and such IP is attempting to haxor my boxor!"

  • by mabu ( 178417 ) on Wednesday June 15, 2005 @04:40PM (#12826889)
    It's a fallacy that ignorant kids are behind the port scanning.

    It's spammers. It's professional organized crime. I believe the majority of these port scanning and worm/virus propagation is going on by organized groups looking to take over peoples' computers for the purpose of finding new IP space from which they can send unsolicited e-mail. If there are any script kiddies, they are a fraction of a fraction of the percentage of the traffic.

    My systems are constantly under probe attacks and port scans. The majority of these attacks originate from rogue IP space in China, Korea, and other areas that appear to be more liberal in doing business with the spammer organized crime contingent.

    At this point, I don't see technology making much difference. This is a political and enforcement issue.

    My advice is to contact your local District Attorney and demand that they start prosecuting computer tampering cases. We know these people are ultimately in the U.S. and can be caught even if they route from around the globe. We know they're breaking laws and can be prosecuted. We have laws in effect right now - we don't need more laws. We need enforcement and government authorities who WILL ENFORCE THE LAW AND STOP THESE PEOPLE. You can't count on ISPs to help since they profit from bandwidth consumption; you can't count on corporations to help, they are scared of any attempt to curtail cyber marketing of any sort. You must start on a local level and demand that the judicial and enforcement branches go after these criminals.
  • Tarpit... (Score:3, Informative)

    by wolf31o2 ( 778801 ) on Wednesday June 15, 2005 @05:00PM (#12827102)

    Seriously, dump that Linksys or other SOHO box and spring for a small *nix-based machine. Personally, I use a slimmed-down Linux box running iptables. I also use the TARPIT target. The TARPIT target is designed to keep the connection open until it times out. This slows port scans and worms to a crawl. While it takes slightly more resources on the firewall machine itself, it doesn't eat up any more bandwidth than the port scan itself would, except that now the bandwidth is spread over a longer period of time. It also helps to block other packet types that can cause issues, such as ICMP echo. It is definitely not a good idea to block all ICMP traffic, though. Also, try setting up QoS or some other form of traffic shaping to give priority to your packets, specifically ACK packets, as this will improve responsiveness and will keep you from being locked out of your connection, even when under a high bandwidth load.

    • Re:Tarpit... (Score:5, Insightful)

      by farble1670 ( 803356 ) on Wednesday June 15, 2005 @07:30PM (#12828360)
      so, the fellow posting the question is probably not the unix guru type, or he wouldn't have posted the question. to suggest that someone of low level or even moderate technical level start maintaining a unix box with firewall software is overkill to say the least. consider the power you're sucking for two boxes vs. one. consider the complexity of configuring rules. consider the space required for another box in your house (a lot of us live in apts or condos). consider the cost of acquiring the physical box (okay, pretty cheap, but probably not free).

      as long as you do not need to do anything fancy, the simplified firewalls on consumer-level routers work fine. i have ICMP echo turned off, and a few well-known ports open for apps. no problems.

      if this doesn't fix it for him, clearly this guy has some larger problem than port scanning. let's not mislead him.

  • I use online port scanning tools to check my home network. I don't know about your Linksys device, but some router/modems allow you to configure a DMZ and to specify a private IP address you don't actually use. Basically, inbound portscans might see the DMZ but nothing else. Since the DMZ doesn't lead anywhere, your ports are stealthed and the scanner gets bored and tries elsewhere. This may not work on some Linksys router modems due to a software bug...

    Make sure that you disable inbound http and ftp.
  • Unlikely (Score:4, Informative)

    by thalakan ( 14668 ) <jspence@@@lightconsulting...com> on Wednesday June 15, 2005 @05:29PM (#12827398) Homepage
    It is very unlikely that scans are eating up all of your incoming bandwidth. I just checked, since I was curious:
    # tethereal -w scan.cap host <myserver> &
    # nmap -A -T5 -o scan.cap <myserver>
    # killall tethereal
    # tethereal -z io,stat,5 -r scan.cap > scan.sum
    # cat scan.sum

    IO Statistics
    Interval: 5.000 secs
    Column #0:
    | Column #0
    Time |frames| bytes
    000.000-005.000 1925 107376 <-- peak bandwidth
    005.000-010.000 315 17952
    010.000-015.000 492 28032
    015.000-020.000 669 38118
    020.000-025.000 655 37290
    025.000-030.000 186 12153
    030.000-035.000 72 9665
    035.000-040.000 61 4648

    ...
    # bc
    107376 * 8 <- convert to bits per second
    last/5 <- account for 5 second sampling
    171801
    4000000/last <- how many fit into 4 Mbps?
    23

    So the peak scan bandwidth of a really noisy nmap scan is about 100 kilobits per second, and you would have to have 23 simultaneous scans being performed in the absolute worst case scenario to max out your link. If your router's external interface was actually replying to these scans, you would notice problems at somewhere less than this, say, 20 simultaneous scans. The actual number of scans you could endure before noticing it is much, much higher than this, because I used -T5 to make nmap really noisy (not typical for k1ddi3s scanning), and I took the peak bandwidth instead of the average bandwidth for my calculations.

    But I'm a Comcast customer and I don't see anywhere near that level of scanning. I see a few port scans a day, plus the usual worm remnants. Sometimes someone will get a bug up their ass and scan me repeatedly, but that's still just a few scans in a row. This is much, much lower than the 4 Mbit capacity of the throttled rx queue on my cable modem.

    The other thing that makes scans an unlikely root cause of your connectivity problem is that Comcast's security department would certainly go after anyone who was scanning one of their customers that hard, and possibly install filters to keep from having to pay their transit suppliers for all that bandwidth.

    The most likely explanation is that the problem is a simple misconfiguration, such as a misconfigured DNS setting or a P2P app running on your machine. The P2P apps in particular will cause intermittent problems loading web pages, which sounds like what you're experiencing.
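An added example (not the poster's own code) that reproduces this post's arithmetic by parsing the tethereal io,stat table quoted above, then extends it with the case dougmc raised earlier in the thread: a router that answers every probe spends the answers on the much smaller upstream link. The 4 Mbit/s downstream figure is from the post; the 384 kbit/s upstream figure is an assumption, not a number from the page.

```python
import re

# The tethereal "-z io,stat,5" table copied from the post above (the trailing
# "..." of the original is kept; the "<--" annotation is ignored by the parser).
IO_STAT = """\
IO Statistics
Interval: 5.000 secs
Column #0:
| Column #0
Time |frames| bytes
000.000-005.000 1925 107376 <-- peak bandwidth
005.000-010.000 315 17952
010.000-015.000 492 28032
015.000-020.000 669 38118
020.000-025.000 655 37290
025.000-030.000 186 12153
030.000-035.000 72 9665
035.000-040.000 61 4648
...
"""

INTERVAL_RE = re.compile(r"Interval:\s*([\d.]+)\s*secs")
ROW_RE = re.compile(r"^\s*\d+\.\d+-\d+\.\d+\s+(\d+)\s+(\d+)")


def parse_io_stat(text):
    """Return (interval_seconds, [(frames, bytes), ...]) from io,stat output."""
    interval, rows = None, []
    for line in text.splitlines():
        m = INTERVAL_RE.search(line)
        if m:
            interval = float(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2))))
    if interval is None or not rows:
        raise ValueError("no tethereal io,stat table found")
    return interval, rows


def scan_rates(text):
    """Peak and average inbound rate of the captured scan, in bits per second."""
    interval, rows = parse_io_stat(text)
    peak = max(b for _, b in rows) * 8 / interval
    avg = sum(b for _, b in rows) * 8 / (interval * len(rows))
    return peak, avg


def scans_to_saturate(scan_bps, down_bps, up_bps, reply_ratio=0.0):
    """Number of simultaneous scans of this rate that fill the link.

    Probe packets use downstream capacity. If the target answers every probe
    (reply_ratio = reply bytes per probe byte; 1.0 models same-sized replies,
    as in dougmc's comment above) the answers use the smaller upstream, which
    then becomes the limit first. reply_ratio 0.0 models a silent DROP."""
    budget = down_bps // scan_bps
    if reply_ratio > 0:
        budget = min(budget, up_bps // (scan_bps * reply_ratio))
    return int(budget)


if __name__ == "__main__":
    peak, avg = scan_rates(IO_STAT)
    # 4 Mbit/s downstream is from the post; 384 kbit/s upstream is an assumed
    # figure for a 2005-era cable plan, not a number from the page.
    down, up = 4_000_000, 384_000
    print(f"peak {peak:.0f} bit/s, average {avg:.0f} bit/s")
    print("silent drop, peak:", scans_to_saturate(peak, down, up))
    print("replying, peak:   ", scans_to_saturate(peak, down, up, 1.0))
    print("replying, average:", scans_to_saturate(avg, down, up, 1.0))
```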

  • In your router settings see if you can manually set the MAC address that Comcast sees. Once you change it, reboot your cable modem and router. Comcast will issue you a new IP address. If someone is targeting your IP, then it will be problem solved. If the attacks don't stop then either your PC or your router is 0wned.
  • by Medievalist ( 16032 ) on Wednesday June 15, 2005 @06:30PM (#12827923)
    Allow me to make a couple of points before I answer your specific questions...

    Don't confuse a portscan with a DOS attack. There is a difference, both in method and intent. Portscans are diagnostics or exploratory probes and are necessary for many benign purposes.

    I have been a comcast customer for many years at several locations. Their service is unreliable; the internet is sometimes unreachable and like all the big-name ISPs they let worms that could easily be stopped run rampant in their network. Their DNS infrastructure is also well below par. Since they have a regional monopoly, it is not necessary for them to provide a clean feed, there simply is no competition in their market sector.

    My comcast-connected systems are, like yours, portscanned constantly. So are my systems at work (where I have far less bandwidth in both directions) but I don't ever have connectivity problems on the non-comcast links.

    First, can anything be done with a simple at-home modem/Linksys router/two computer setup to stop a portscanning attack?
    Again, if it's really a portscan, it's not an attack. But let's say it's a DOS over multiple ports so it looks like a portscan... you can reverse-resolve the addresses, figure out Comcast's IP-to-physical location mapping (easier than it sounds) and go burn down those people's houses. Other than that, probably not.
    Second, is it possible for the Linksys router to become a 'bot' and actually be the originator of much of the traffic?
    In theory, yes, absolutely. That's why you keep it up to date on patches and always change the default password. Here in the Real World [tm] you haven't supplied the type of router or patchlevel you are using so I can't go look it up on Google or astalavista. Some cable interface boxes are pretty secure due to hardware limitations, others make very good bots.

    Finally... most people on comcast that have major problems are infected with viruses or worms, usually propagated by email. Those that are not are sometimes suffering from bad grounds - check that your cable system and the electrical outlets that feed your computer and television systems are all properly grounded.

    HTH, I'm off to dinner.
  • by mnmn ( 145599 ) on Wednesday June 15, 2005 @07:29PM (#12828348) Homepage
    Use it to block all ports and keep connection states.

    See in a portscan, they send a SYN, and you send back an ACK... and back and forth. They try to connect to a port, your tcpip stack replies with a drop connection and then they increment the port and repeat. The amount of data going in each direction is roughly equal when the ports are closed.

    The amount of bandwidth you have is not symmetrical. The best ADSL can do is 4/.8 mbps for download/upload, and the best a docsis modem can do is similar. It is more likely that your upload bandwidth is choked, since 4mbps of download bandwidth is plenty of room. Unless you have a 'lite' internet speed which is ridiculously slow.

    So a packet filter simply doesn't take the packet. No replies, either TCP or ICMP. That also means they will give up trying to keep their bandwidth efficient, and start portscanning another IP that actually replies. And since TCPIP is several back and forth packets to connect, you'll save on some download bandwidth, and you'll save ALL of your precious upload bandwidth.

    It's even better if you have NO ports open at all from the outside, like ssh or http or smtp. That way intruders cannot know at all if you exist, and it's just a waste to portscan all 4 billion IPs, all their TCP and UDP ports rather than just the IPs which actually reply.

    My favorite packetfilter is OpenBSD for obvious reasons, they clearly had the best packet filter until recently. Now the competition is close, since everyone seems to be copying them. I don't have much experience with iptables and it confuses me, but it has a much greater install base, and commercial companies to back it.

    I've tried the WRT56GX Linksys (latest wireless) router, and haven't been impressed with its firewall options. I wonder if I can grab a linksys and replace the firmware with a much simpler OpenBSD embedded system (is there an OpenBSD for ARM?). For serious outfits, I'd use OpenBSD on a pentium III-ish with two good nics and low power consumption for stability.
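    The exchange described in the comment above, as an added example that is not code from this thread: a small model of a SYN (half-open) scan against a host whose filter either rejects unwanted SYNs (a bare TCP stack answers a closed port with RST) or silently drops them, tallying what each side puts on the wire. An open port answers with SYN-ACK, a closed one with RST, and a dropped probe draws nothing, which is what makes the scanner mark the port "filtered". The packet sizes (minimum IPv4+TCP headers) and the scanner retransmitting an unanswered SYN twice before giving up are assumptions modelled on common scanner defaults, not measurements.

```python
"""Model the packets behind a SYN (half-open) scan and tally what each side sends.

Added example for this thread, not code posted by any commenter. Assumptions:
minimum IPv4+TCP header sizes (40 bytes; 44 with an MSS option on SYN/SYN-ACK)
and a scanner that retransmits an unanswered SYN twice before calling the port
'filtered', modelled on common scanner defaults rather than measured.
"""
from dataclasses import dataclass, field

SYN, SYN_ACK, RST = "SYN", "SYN-ACK", "RST"
PKT_BYTES = {SYN: 44, SYN_ACK: 44, RST: 40}   # assumed sizes
RETRIES_BEFORE_GIVING_UP = 2                  # assumed scanner behaviour on silence


@dataclass
class Tally:
    to_target_bytes: int = 0      # the victim's downstream direction
    from_target_bytes: int = 0    # the victim's upstream direction
    results: dict = field(default_factory=dict)   # port -> open/closed/filtered


def target_reply(port, listening, policy):
    """What the target puts on the wire in answer to one SYN.

    listening: ports with a service that the filter passes through.
    policy: 'reject' (closed ports answer with RST, as a bare TCP stack does)
            or 'drop'  (the packet filter swallows the SYN; no reply at all).
    """
    if port in listening:
        return SYN_ACK            # handshake step 2: the port is open
    return None if policy == "drop" else RST


def probe(port, listening, policy, tally):
    """Scanner side: send SYN, classify the port from the reply (or silence)."""
    for _attempt in range(1 + RETRIES_BEFORE_GIVING_UP):
        tally.to_target_bytes += PKT_BYTES[SYN]
        reply = target_reply(port, listening, policy)
        if reply == SYN_ACK:
            tally.from_target_bytes += PKT_BYTES[SYN_ACK]
            tally.to_target_bytes += PKT_BYTES[RST]   # scanner tears the half-open connection down
            return "open"
        if reply == RST:
            tally.from_target_bytes += PKT_BYTES[RST]
            return "closed"
        # silence: retransmit; after the last attempt, give up
    return "filtered"


def scan(ports, listening, policy):
    """Probe every port once (plus retries on silence) and return the tally."""
    tally = Tally()
    for port in ports:
        tally.results[port] = probe(port, listening, policy, tally)
    return tally


def host_visible(tally):
    """A scanner can tell the address is in use if any probe drew a reply."""
    return any(v in ("open", "closed") for v in tally.results.values())


if __name__ == "__main__":
    PORTS = range(1, 1001)        # constructed: the first 1000 TCP ports
    for label, listening, policy in [("nothing open, reject", set(), "reject"),
                                     ("nothing open, drop", set(), "drop"),
                                     ("ssh open, drop", {22}, "drop")]:
        t = scan(PORTS, listening, policy)
        print(f"{label:22} in={t.to_target_bytes:7d} B  out={t.from_target_bytes:6d} B  "
              f"host visible={host_visible(t)}")
```

    Run against 1000 closed ports the model shows the trade-off behind the advice above. With reject, the target sends 40 bytes for every 44 it receives and the scanner learns the address is live. With drop, the target sends nothing and the scanner cannot distinguish it from an unused address, which is the "intruders cannot know at all if you exist" effect; the one caveat is that every unanswered SYN costs the scanner's retries, so the target's downstream byte count goes up, not down. The saving is entirely on the upstream side, which on a cable link is the direction that is scarce. Exposing a single listener (ssh on 22) is enough to make the host visible again, whatever the policy on the other ports.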
  • by moorley ( 69393 ) on Thursday June 16, 2005 @10:44AM (#12832199)
    Turn off WIFI and check your bandwidth...

    Chances are someone's pulling your bandwidth via WIFI or its creating some problem.

    I haven't quite nailed it down yet but in the last few months both my personal network and a friend of mine's have been bogged down whenever the WiFi is turned on. I like to think I'm security savvy but I just started digging into it yesterday.

    I'll reconfigure the netgear so it only accepts the MAC addresses I have but it's still quite annoying. I didn't broadcast the SSID and I used WEP/WPA but my surfing lags horribly whenever WiFi is turned on. Even in rural Idaho there be issues.

    who'd thunk it?

    Good luck!
