Networking

Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner?

jetkins writes: What would you do if your firewall was being persistently targeted by port scans from a specific group of machines from one particular company? I run a Sophos UTM9 software firewall appliance on my home network. Works great, and the free Home Use license provides a bunch of really nice features normally only found on commercial-grade gear. One of those is the ability to detect, block, and report port scans, and under normal circumstances I only get the occasional alert when some script kiddie comes a-knocking at my door.

But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.

I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.
  • Simple. (Score:3, Informative)

    by Zedrick ( 764028 ) on Wednesday December 23, 2015 @03:28AM (#51170099)
    Report it once, to their abuse address. If it continues (it did), block their IP range. Problem solved (unless you have a lot of spare time and really WANT to waste time on this instead of reading a book or playing computer games).
    • Re:Simple. (Score:4, Informative)

      by tlhIngan ( 30335 ) <slashdotNO@SPAMworf.net> on Wednesday December 23, 2015 @03:57AM (#51170185)

      Report it once, to their abuse address. If it continues (it did), block their IP range. Problem solved (unless you have a lot of spare time and really WANT to waste time on this instead of reading a book or playing computer games).

      The problem is the IP range IS blocked. But the router does their port scan detection prior to the IP blacklist and will still notify him of the attack despite the packets being dropped.

      • Re:Simple. (Score:4, Informative)

        by Zedrick ( 764028 ) on Wednesday December 23, 2015 @04:14AM (#51170225)
        I missed that (but, 1st post...). Still, that's just a problem with a bad router. The packets should be blocked (dropped) right away, otherwise there's no point in blocking.
      • Re:Simple. (Score:5, Interesting)

        by mysidia ( 191772 ) on Wednesday December 23, 2015 @04:24AM (#51170271)

        The OP has been more than patient with them.... Assuming they are full TCP connects (non-spoofable); After complaining 3 times about ongoing abuse... I would definitely consider some internet routing table inspection, identify their upstream providers, and start contacting the upstreams, after continued persistent scans of one IP. Don't stop politely contacting them to ask for help, until you get permanent resolution.

        9 times out of 10.... upstream providers will not turn off their customer, probably 10 times out of 10 for simple port scans, which are considered trivial. The industry does NOT consider a simple port scan equivalent to a DoS or hacking attempt, and Most providers will simply disqualify complaints about portscans.

        It's partly the OP's folly in having a security device generating excessive noise, especially about blocked IP addresses. I understand the OP may be constrained by product selection; However, Null-routing the offending range SHOULD be an option, and if not..... get a proper packet-filtering firewall to put in front of your UTM, or set an access-list entry on the router in front of it.

        However, if contacted, the abusing providers' upstream provider will likely forward the abuse reports to their customer.

        After you've done your homework in thoroughly documenting and verifiably reporting, and they have failed to resolve, then a few more iterations, and a seriously-harmed party would be getting their lawyers involved anyways. Probably NOT for a simple portscan however, the offending entity's upstreams might be concerned about it from a risk management perspective and pressure their customer to shape up.

        • Re:Simple. (Score:4, Interesting)

          by rapiddescent ( 572442 ) on Wednesday December 23, 2015 @07:03AM (#51170721)

          maybe - but the question is *why* are they doing this. I would be tempted to open a port and see if they attempt to access - then depending on the OP's locality there could be a computer misuse claim.

          • by bwcbwc ( 601780 )

            Odds are they have a really bad malware infestation and are clueless or have tried and failed to eradicate it. OP mentioned that they appear to be a small company.

        • by borcharc ( 56372 ) *

          upstream providers don't care, they will just forward your email to their abuse contact and call it a day, if they do anything at all.

          • by mysidia ( 191772 )

            upstream providers don't care, they will just forward your email to their abuse contact and call it a day, if they do anything at all.

            That is fine. By forwarding, they will have proven they received the message, AND the network in question will be more apt to respond in many cases.

            At a later stage of the game when you get your lawyers involved their upstream providers will likely respond, for example, it's not worth their while to fight a lawsuit you can file against the upstream provider about their customer's activities.

            • Re:Simple. (Score:4, Interesting)

              by u-235-sentinel ( 594077 ) on Wednesday December 23, 2015 @10:58AM (#51171849) Homepage Journal

              upstream providers don't care, they will just forward your email to their abuse contact and call it a day, if they do anything at all.

              That is fine. By forwarding, they will have proven they received the message, AND the network in question will be more apt to respond in many cases.

              At a later stage of the game when you get your lawyers involved their upstream providers will likely respond, for example, it's not worth their while to fight a lawsuit you can file against the upstream provider about their customer's activities.

              Years ago I took a new position at a company when I received a phone call from an ISP stating that my servers were port scanning someone who complained. They were going to turn off our network access. Surprised, I looked into it. I discovered they were right. Someone had allowed malware to get installed on several of our systems. After some cleanup work we were good but it left an impression on me. Besides asking a new employer more in depth questions about their security (or lack of it), that ISPs would be a good place to file a complaint when you are port scanned over and over again.

              Might be time to contact THEIR ISP and yours. Ask them to block or disconnect them. If anything, once THEY get a phone call about the complaint, it will wake them up a bit :D

            • A possible movie and game idea, "After being ignored by the folks who think it's your problem, deal with it. Introduce them to port scanning with an AR15." Move over cat videos on YouTube.
      • Turn off the notify and only check it when you are really really bored. First, this guy is running Sophos for a home network? WTF is the point to that other than tinfoil hat paranoia? Second and most importantly...... If you have something connected to this series of tubes some call the interwebs, you WILL GET SCANNED. That's how this shit works. Now in this case, it appears to be coming from a specific source he's already blocked. And....... then I call bullshit because every ISP puts a "no port sca
      • Then stop plugging some sophos bullshit here and install something free and open that lets you block things. For example pfsense or m0n0wall. I am sure there are others, but these are the ones that I use.

        If you have a decent firewall you don't actually care about portscans. You have a couple of ports open and you need to make sure that services running on these are safe. Alerting you with portscans will not improve your security one bit. The only useful thing you could do is automatically drop packets after

    • Something with a nice-sized ruleset that works on ASICs and you're done. Most companies sell them, and if you're just selectively passing traffic by IP range (or in fancier devices by port) why not offload the hard rules before wasting cycles on traffic you just want to drop? Or just another software device if you're not wanting to buy hardware.

      We do this for selective parts of the network where dropping attackers on one machine keeps them from running through an entire block of IPs. A lot of it's even scripted: more than 3 IPs getting brute forced? That's a 24 hour ban and email to the associated ARIN/APNIC/RIPE contact. Granted APNIC/RIPE tends to stay on that list a lot longer than 24 hours...

  • by Z00L00K ( 682162 ) on Wednesday December 23, 2015 @03:35AM (#51170117) Homepage

    So this time report it to appropriate authorities and if they don't take your case make a public letter into their local newspaper asking them what they are up to.

    • by freeze128 ( 544774 ) on Wednesday December 23, 2015 @04:28AM (#51170283)
      ...and then, post it to 4chan.
    • by mysidia ( 191772 ) on Wednesday December 23, 2015 @04:38AM (#51170311)

      So this time report it to appropriate authorities and if they don't take your case

      OR push the block on the IP range into the Firewall's routing table as a route to Null0, or to an access-list on the Firewall's upstream router

      Most providers summarily shove complaints about portscans and firewall alerts into the trash bin. The OP needs something material to base a legitimate abuse complaint on, such as logs showing an actual SSH brute force access attempt, that demonstrates the activity is a malicious attempted intrusion and not merely some reconnaissance effort, possible false alarm, or "background noise" such as W32/Blaster traffic from some host still running infected XP.

      The authorities DON'T CARE about portscans either, unless the OP has something much more material to investigate, or can prove a crime was committed with serious damage, they generally will not get involved... It doesn't hurt to report it to the civil authorities, but it's not going to do anything to alleviate OP's situation, either, which is an "overly chatty" firewall device.

      The real issue there is the Firewall and the lack of options to suppress spurious alerts, that should get taken up with the firewall vendor as a software issue.

  • ...those banging at your doors don't give a damn about laws. You could deny ALL from the attackers address range, but best bet is just shut down the targeted ports.

    • Re:Chances are... (Score:5, Informative)

      by Z00L00K ( 682162 ) on Wednesday December 23, 2015 @04:23AM (#51170263) Homepage

      One solution to such actions is to instead of blocking send them to a tar-pit server. That may look like a valid server but with very slow responses.

    • ...those banging at your doors don't give a damn about laws.

      Unless they have poor security and get hacked repeatedly. Some places you can almost just walk in, and if they are a small company, they may not feel that they have money to spend on proper security. Unless they are made painfully aware of the benefits.

  • So name them already (Score:5, Interesting)

    by ArchieBunker ( 132337 ) on Wednesday December 23, 2015 @03:39AM (#51170129) Homepage

    Let's hear who it is.

    • I think the submitter is doing the right thing by keeping it anonymous. This would prevent either a false positive, or in the case of a correctly leveled accusation, motivation for someone to game the system by convincing a bunch of people with the capabilities for more severe digital harassment to do their work.

      • I see your side, but I see the other as well. Since he reported it to the company once and the company "fixed it" temporarily, it doesn't sound like a false positive. If he posts the company's web site on Slashdot and that company's web site happens to get slashdotted (especially if they have a forum or mailbox where visitors can post complaints/issues), it might wake them up to the fact that someone in their IT/dev department is doing something they really should not be (whether it was ordered by the compa

  • by surfdaddy ( 930829 ) on Wednesday December 23, 2015 @03:40AM (#51170133)

    If you listen to the Security Now podcast, this sort of thing is all over the internet. It's a nasty place out there and actors from anywhere and everywhere are always checking addresses for vulnerabilities, etc. I suspect we all get that sort of thing.

    Unless it is DDOS'ing you, why is it an issue?

    • Re:Not a surprise (Score:5, Interesting)

      by wierd_w ( 1375923 ) on Wednesday December 23, 2015 @03:46AM (#51170157)

      Indeed, I routinely get portscans en masse from China.

      Sometimes 5x a day or more. Really aggressive scans that last for hours.

      Not a lot you can do about it. Scanning for open ports is a legitimate activity on networks you own, so naturally, a big internetwork like the internet is going to be drowning in automated portscans, and automated blocking of them would break many legitimate services, if they make too many queries too quickly. (say for instance, metacrawlers and pals.)

      Just accept that the internet is not a cozy nice place. Bad things lie in wait for the unwary. Use modern protection, and be sensible in how you use it.

      really, that's all you can do unless you have actual DDoS style attacks leveled at you. THEN you call the feds.

      • Re:Not a surprise (Score:5, Insightful)

        by BenFranske ( 646563 ) on Wednesday December 23, 2015 @04:09AM (#51170213) Homepage

        This. There was a time that ISPs and people on the Internet cared about port scans, that time is long gone (by at least 15 years). If you have a public IP you should assume it's being scanned all the time. Once you assume that these types of alerts have little additional meaning. If it really bothers you then you should implement some kind of pre-filter to block the IP range. I understand that your particular device doesn't allow that so put another router with proper access control list support in front of it if it bothers you so much. TLDR, unless you live in the past it's time to get over port scanning.

      • by Comen ( 321331 )

        Exactly, welcome to the World Wide Web people!
        10-15 years ago when every company was getting their first firewall, I used to manage hundreds of firewalls for many companies. First thing that people would do is call me and complain about the firewall logs showing all the port scans (mostly from Asia), this stuff goes on all the time, nothing you can really do about it, block one subnet and they will use another. Unless you are getting DDOS'ed then you are fine. A good firewall will not send back a reject, but instead dro

      • Most of the people scanning are script kiddies, so unless you are vulnerable to the very specific things they have a tool to attack, the danger of the port scan is very low. I'd rather deal with the problem by making sure only authorized hosts can connect to specific services, or obfuscating common programs like Wordpress (like the database folders, and install directories....) just to break all these types of attacks. I also rather keep things "fixed" by being current on patches... Most of the exploits
  • Turn it off (Score:5, Insightful)

    by Xenna ( 37238 ) on Wednesday December 23, 2015 @03:41AM (#51170139)

    Problem with these commercial products is that they want to prove their usefulness by regularly raising alarms. And, they miss essential features like IP based whitelisting. Portscans and probes are too standard to be bothered about, just block and forget.

    Use a decent open source product like pfsense instead. I've had an appliance with pfsense for years and I forget it's even there.

    https://www.applianceshop.eu/s... [applianceshop.eu]

    (no commercial interest, just a satisfied customer)

    • by SJ ( 13711 )

      Lim Sao Tuk knows it's there, and he thanks you for keeping it up and running for so long. It has been a very useful machine for him.

      • by Xenna ( 37238 )

        Share the wealth, that's my motto ;-)

        Anyway, Lim asked me to say he prefers the Sophos stuff. He's also really fond of the McAfee stuff!

    • I was using pfsense with a special trigger script that counted how many times a particular IP raised alarms. I set it to some decently high number (some programs actually "port scan" as a part of their use...) and then only troubles were flagged. For other alerts (actual attacks) I might IP block someone instantly.... Just set the block time for a week or more and watch them give up. :)
  • by Marco Tedaldi ( 3390641 ) on Wednesday December 23, 2015 @03:42AM (#51170143)

    Disable the Port-Scanning warning. It is useless! It only drowns really important stuff! Port-Scanning is not an attack. Nothing breaks because of a harmless port scan and an alert does not provide you with ANY useful information. So get rid of this useless piece of software.

    Your ISP is doing nothing and rightly so. It would only suck up resources that can be used elsewhere where they make a real difference!
    Fighting port scans is like trying to fight people looking out of the car windows! Get over it, ignore it, it's completely normal!

    And don't suck up other peoples resources by whinging about it!

    • by Morgaine ( 4316 ) on Wednesday December 23, 2015 @05:52AM (#51170479)

      The submitter has two problems, the first is an external site persistently doing something that he doesn't want, and the second is his firewall appliance that isn't doing what he wants.

      The first problem is not fixable. Even if you could make them go away, tomorrow someone else will take their place. Do you really want to spend your time in courtrooms and writing letters? In any case, port scanning is not actual service abuse nor hacking but merely service discovery and it's working as intended, so you'll have a hard time convincing anyone that you are suffering actual harm. It's just an annoyance.

      In contrast, your second problem *IS* fixable by you, at very little cost. Just put a low-end packet filter in front of your existing firewall, doing nothing but passively blocking all packets from the offending source. It should have no open ports of its own and should run nothing other than the firewall management software, something like pfsense or iptables. Any old PC hardware running off a thumb drive will suffice, or a new ARM board for lowest power consumption, or a repurposed router from eBay for lowest cost.

      Fix problems that you can solve. The others are not worth your time fretting about.

    • by mysidia ( 191772 )

      Nothing breaks because of a harmless port scan and an alert does not provide you with ANY useful information.

      This is not true, port scans are not harmless, But they are not an attack in themselves either, there are quasi-legitimate uses, they are often not followed up by malicious activity via the same actor, and the community at large has accepted that they happen routinely, and they are a "lesser evil", like a strange man was seen walking across your front lawn: it is suspicious, but nobody's goin

      • They aren't followed up by malicious activity unless there is a vulnerability to exploit. My guess is all this port scanning has forced the guy to lock his system down pretty tight. It might now be safer due to all the port scanning.

        Excessive port scanning is abuse, but your ISP isn't going to address it, only the other guy's ISP is going to because that is where it originates, and only they can threaten to pull their access if they don't stop it. Efforts on this end are useless; keep hammering their ISP

  • by Z80a ( 971949 ) on Wednesday December 23, 2015 @03:57AM (#51170187)

    And see what they do with it.

    • by MrKaos ( 858439 ) on Wednesday December 23, 2015 @08:31AM (#51170969) Journal

      And see what they do with it.

      Exactly. If someone has screwed up then nothing will happen. If someone uses it, that's different and then you also have your misuse case as the basis for legal action if required (make sure to have misuse messages and warnings in place). Not that you want to take legal action, it's just being in the position to take that action if you can or need to.

  • Honestly, I wouldn't worry about it. If your firewall is halfway decent (and it sounds like it is), you shouldn't have anything to worry about as far as the security of your network. Unless, of course, you do something really dumb like open a port you shouldn't and have it refer to a port on a machine on your net (I'm presuming you're using NAT).

    Also, since it's highly likely your network link is DHCP, your IP address might change periodically when your router goes to renew the DHCP lease. If your IP addr

  • The submitter's problem is that he keeps trying ELECTRONIC solutions to stop the port scanning. How about writing a letter on paper? This is how lawyers do it. That might scare the people doing the scanning enough to stop it.
  • by Rumagent ( 86695 ) on Wednesday December 23, 2015 @04:32AM (#51170293)

    Forget it and find a real problem to worry about.

  • by tlambert ( 566799 ) on Wednesday December 23, 2015 @05:09AM (#51170399)

    Your problem is UTM; but if you really care... pay Amazon a couple hundred $, spin up 100,000 instances for a really short time, and push them a couple of million dollars into bandwidth debt, and they won't bother you again.

    Alternately, buy something other than UTM, which filters before the alerts, instead of after.

  • by paj1234 ( 234750 ) on Wednesday December 23, 2015 @05:48AM (#51170469)

    You have the name of the chief executive? Write to him on paper with a stamp and tell him that his company is causing yours a nuisance. Say that under the provisions of statute X (whatever that may be in your country) you are entitled to claim compensation under the civil tort of harassment, or equivalent in your country. Enclose a copy of the relevant page of the legislation. There's sure to be plenty of legislation to choose from, take your pick. Enclose some printouts of the firewall warning messages.

    That CEO will have to cancel his game of golf. He will be furious about that. He doesn't want to think about tiresome technology matters. He wants to think about golf. Above all, he must avoid the electric fence and not have any silly legal troubles. He will bang some heads together and the port scans will stop.

    Someone asked me about receiving automated renewal reminders by email for an antivirus program he had ordered in error and then cancelled. He had asked not to receive such reminders anymore but they kept coming. The above steps worked for me.

  • Background noise (Score:5, Informative)

    by Bert64 ( 520050 ) <bert@nospam.slashdot.firenzee.com> on Wednesday December 23, 2015 @05:52AM (#51170481) Homepage

    The internet is full of background noise, not a lot you can do about it..
    Chances are this isn't even a portscan at all, because what would be the point of scanning the same thing repeatedly? Chances are they've configured the target IP wrong, or the IP you now have used to be used by someone else etc.

    Having a router constantly notifying you about internet background noise is pointless and will only waste your time.

    • Chances are this isn't even a portscan at all, because what would be the point of scanning the same thing repeatedly? Chances are they've configured the target IP wrong, or the IP you now have used to be used by someone else etc.

      Virtual +1 Insightful

  • If you need to choose between alarms and protection, then protection goes first.
    Then if you want, make the proper investigation and go the legal way: persistent port scanning is a hostile action, indeed.
  • by badger.foo ( 447981 ) <peter@bsdly.net> on Wednesday December 23, 2015 @06:28AM (#51170579) Homepage
    To me this sounds like the main problem is the "security" device that's generating a lot of noise.

    My solution would be to put something (very low power gear will do) running a recent OpenBSD and a PF ruleset with overflow rules modeled on the ones outlined here [home.nuug.no] in front of that whiny device. The ruleset would need to be modified to fit the observed traffic, of course. Then anyone who fits the profile of unwanted traffic simply auto-LART themselves into the table of blocked addresses.

    With a properly placed adaptive firewall like that, the noisemaker would likely not see enough of the traffic to trigger any of the useless warnings.
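The adaptive "overflow" ruleset badger.foo points to, and the pfsense trigger script described earlier in the thread (count alarms per IP, block once a threshold is crossed, keep the block for a week), both rest on one mechanism: a per-source connection-rate counter whose overflow moves the source into a blocked table with an expiry. The block below is an added userland model of that mechanism written for this page; it is not PF, not pfsense, and not code from any commenter. The rate limit (5 attempts per 30 seconds), the week-long block, and the sample trace of attempts from 203.0.113.17 and 198.51.100.9 (documentation address space) are constructed assumptions. In a real deployment the table feeds a block rule in the packet filter in front of the UTM; this model only decides what that rule would see.

```python
from collections import deque


class OverloadTable:
    """Per-source rate limiter in the spirit of PF's max-src-conn-rate N/T with
    an overload table: more than max_conn attempts inside per_seconds puts the
    source into the blocked table for block_seconds. Userland model only."""

    def __init__(self, max_conn, per_seconds, block_seconds):
        self.max_conn = max_conn
        self.per_seconds = per_seconds
        self.block_seconds = block_seconds
        self._recent = {}   # src -> deque of attempt times inside the rate window
        self._blocked = {}  # src -> time at which the block expires

    def _expire(self, now):
        for src in [s for s, until in self._blocked.items() if until <= now]:
            del self._blocked[src]

    def is_blocked(self, src, now):
        self._expire(now)
        return src in self._blocked

    def attempt(self, src, now):
        """Register one connection attempt from src at time now (seconds).
        Returns "drop" (already in the table), "overload" (this attempt pushed
        the source over the limit) or "pass"."""
        if self.is_blocked(src, now):
            return "drop"
        q = self._recent.setdefault(src, deque())
        q.append(now)
        while q and now - q[0] > self.per_seconds:
            q.popleft()  # forget attempts older than the rate window
        if len(q) > self.max_conn:
            self._blocked[src] = now + self.block_seconds
            del self._recent[src]  # counter restarts when the block expires
            return "overload"
        return "pass"

    def blocked(self, now):
        """Sorted list of sources currently in the blocked table."""
        self._expire(now)
        return sorted(self._blocked)


def simulate(events, max_conn=5, per_seconds=30, block_seconds=7 * 24 * 3600):
    """Run a list of (time, src) attempts through a fresh table.
    Returns ([(time, src, decision), ...], blocked table at the last event)."""
    table = OverloadTable(max_conn, per_seconds, block_seconds)
    decisions = [(t, src, table.attempt(src, t)) for t, src in events]
    last = events[-1][0] if events else 0
    return decisions, table.blocked(last)


# Constructed trace (assumption, not observed data): the scanner at
# 203.0.113.17 probes every two seconds, a legitimate client at 198.51.100.9
# connects twice a minute apart, and the scanner comes back at t=100.
SAMPLE_EVENTS = [(t, "203.0.113.17") for t in range(0, 14, 2)] + [
    (5, "198.51.100.9"), (65, "198.51.100.9"), (100, "203.0.113.17")]
SAMPLE_EVENTS.sort()

if __name__ == "__main__":
    decisions, table = simulate(SAMPLE_EVENTS)
    for t, src, what in decisions:
        print(f"t={t:3d} {src:15s} {what}")
    print("blocked table:", table)
```

The legitimate client never accumulates enough attempts inside the window to trip the limit, while the scanner is dropped from its seventh probe onward and stays in the table for the configured week, so the device behind the filter never sees those packets and has nothing to alert on.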
  • by ledow ( 319597 ) on Wednesday December 23, 2015 @06:59AM (#51170707) Homepage

    Ignore.
    Filter the alert emails from that ISP if necessary.
    Get on with life.
    (P.S. Just double-check you put it on the block list).

    Run any internet server in any datacenter in the world and you get this times a thousand. You can't trace them all. Hell, you can't even spend the time to trace all those spam email attempts you would get either.

    What, precisely, do you think is being done to your connection that's worth the time and effort to even follow-up on it? A few packets hitting a firewall that is set to block and deny them any further access anyway?

    Get a life, honestly. And turn off alert emails for port-scans. Turn on proper IDS/IPS, but turn off that particular alert because - well - it happens all the time anyway and it isn't going to stop just because you stop one IP range.

    Spend the time you save on double-checking that people can't get into even the open services that you do offer to the net (SMTP, NTP, etc. if relevant). Whether you respond open or closed, or whether the firewall rejects or allows, the request still means that the packet was sent, received, acted on, and replied to (or not, as the case may be). And in terms of your overall connection it's going to be like 0.001% of your traffic, if that.

    Then go and work in any static-IP, Internet-facing network department that runs in-house services like webservers, VPN, email, etc. And notice that they just wouldn't care and don't have the time to do anything about such trivial shite.

    • This is the only answer that needs to be posted. At my previous job, someone put a bug into the CIO's ear which got filtered down to my Director and I had to pull a report on all port scans for a year. Good news is with Dell SecureWorks is that generating the report was easy. Bad thing that I knew from the get go was the sheer numbers would amaze people who don't deal with this every day. I don't recall the numbers since it has been almost two years, but the smallest number to break down was some thing
  • Sounds like you're having the similar problem of ignorance that I have when reporting shodan's port scans. All I get is bleating about doing god's work to save the Internet. I don't care about that, I just want them to stop accessing my services. I expect the same from their upstream as well, but will report to them anyway just in case of a Christmas miracle ;-)

  • A Honeypot? (Score:5, Informative)

    by MagickalMyst ( 1003128 ) on Wednesday December 23, 2015 @08:27AM (#51170959)
    If they are scanning for ports then give them something to play with. :)

    Setup a honeypot and gather intelligence about them. Find out who they are, where they are, and if possible, a motive as to why they are specifically targeting you.

    Once you have that information you can act accordingly - contact ISP, law enforcement, etc.
  • Why are you worried about port scans for your own machine that you control in every detail? Unless you've got some busted-ass daemon on some port, assuming you are not being DOSed or your bandwidth getting used up (which is very very unlikely), what do you think is going to happen? It's not like you have users on your machine who have kindergarten passwords which you can't control, is it?

    Fleabag lightweights are hitting ssh on my VPS all day every day. Let them knock themselves out. They ain't never gonna b

  • by XNormal ( 8617 ) on Wednesday December 23, 2015 @08:35AM (#51170985) Homepage

    Don't forward the scan reports to their abuse address. Spend a couple of cents to forward it through a mail-to-fax gateway to their fax number.

    I think it will stop much sooner this way.

  • I'm not sure about where you are, but here (UK) we have the ISPA which is a quasi regulatory body for ISPs. If you have a complaint with an ISP and can't get satisfactory resolution, then you can escalate the matter to the ISPA who can put pressure on them.
  • by visionsofmcskill ( 556169 ) <vision.getmp@com> on Wednesday December 23, 2015 @08:39AM (#51171013) Homepage Journal

    While other commenters have mentioned your alerting system should be disabled as it's essentially worthless, there's a pretty simple fix if the IPs are known. Add their public IPs to your router as additional WANs or secondary IPs. Their traffic should now become unroutable and dropped before the appliance even tries to examine them. Or you could add a managed switch in front of your WAN which drops/blocks traffic from those IPs.

    Problem with doing these sorts of things is that over time your systems become a confusing mess of strange kludges and workarounds. Port scans really are super normal, and the true issue is your appliance not behaving as you'd desire.

    • This. The proper resolution here is to get your firewall manufacturer to alter their alerting system to send digests or condensed reports once a certain threshold has been reached. "IP x.x.x.x has portscanned you Y times in the last 24 hours."

      Otherwise, surprise, you're basically suffering a small DoS attack.
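Several commenters converge on the same workaround for the submitter's actual pain (the alert flood, not the scans): filter the notifications on your own side, discard or summarise the ones from the range you already block, and keep the rest. The block below is an added example written for this page, not a Sophos feature and not code from any commenter. It parses a constructed set of alert lines (the timestamp and message layout are assumptions; 203.0.113.0/24 and 198.51.100.9 are documentation addresses standing in for the offending company and for a different source), drops anything older than 24 hours, folds alerts from the blocked range into one digest line per source in the form the reply above asks the vendor for, and passes alerts from unblocked sources through untouched so they still get individual attention.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (assumption: one UTM port-scan notification per line).
SAMPLE_ALERTS = """\
2015-12-23 08:01:12 portscan detected from 203.0.113.17 ports=22,23,80,443
2015-12-23 08:14:55 portscan detected from 203.0.113.17 ports=21,22,25
2015-12-23 09:02:03 portscan detected from 203.0.113.40 ports=3389,5900
2015-12-23 09:40:41 portscan detected from 198.51.100.9 ports=22
2015-12-22 07:59:00 portscan detected from 203.0.113.17 ports=80
"""

# "Now" for the demo, so the 24-hour window is reproducible offline.
EXAMPLE_NOW = datetime(2015, 12, 23, 12, 0, 0)

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) portscan detected from "
    r"(?P<src>[0-9a-fA-F:.]+) ports=(?P<ports>[\d,]+)$"
)


def parse_alerts(text):
    """Yield (timestamp, source address, set of ports) per well-formed line;
    lines that do not match the alert format are skipped, not guessed at."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        src = ipaddress.ip_address(m.group("src"))
        ports = {int(p) for p in m.group("ports").split(",")}
        yield ts, src, ports


def digest(text, blocked_nets, now, window=timedelta(hours=24)):
    """Split alerts inside the window into a per-source summary for sources in
    blocked_nets (CIDR strings already dropped at the firewall) and a
    pass-through list of (timestamp, source, ports) for everything else.
    summary maps str(source) -> (alert count, set of ports seen)."""
    nets = [ipaddress.ip_network(n) for n in blocked_nets]
    count = Counter()
    seen_ports = defaultdict(set)
    passthrough = []
    for ts, src, ports in parse_alerts(text):
        if now - ts > window:
            continue  # stale; outside the reporting window
        if any(src in net for net in nets):
            count[str(src)] += 1
            seen_ports[str(src)] |= ports
        else:
            passthrough.append((ts, src, ports))
    summary = {s: (count[s], seen_ports[s]) for s in count}
    return summary, passthrough


def render(summary, window_hours=24):
    """One digest line per blocked source instead of one mail per scan."""
    return [
        f"IP {src} has portscanned you {n} times in the last {window_hours} hours "
        f"(ports {','.join(str(p) for p in sorted(ports))})"
        for src, (n, ports) in sorted(summary.items())
    ]


if __name__ == "__main__":
    summary, rest = digest(SAMPLE_ALERTS, ["203.0.113.0/24"], EXAMPLE_NOW)
    print("\n".join(render(summary)))
    for ts, src, ports in rest:
        print(f"UNBLOCKED SOURCE {src} at {ts}: ports {sorted(ports)}")
```

Run against the mail folder the UTM delivers to (or piped from procmail) this turns twenty-odd identical mails a day into one summary line per offending host, and anything from a source you have not already blocked still arrives as a separate alert.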

  • So, you're smart enough to have a firewall with port detection and know how to block a subnet, but you're not smart enough to write a filter that takes that port scan notification from that subnet and throw it in the trash? I've got buddies that work for banks, they do this crap all day long. They can't turn off port scan, because company policy, but they need to filter out stuff that doesn't matter. They do it at the monitoring software but most home users get email notifications. Use a mail client tha

  • Maybe a silly question on my part, but...

    Do you have your firewall set to discard unwanted packets silently? In other words, unless someone from the outside is hitting an IP and a port that you want open to the outside, there should be *no response* to outside queries (including port scans). If the firewall acknowledges the ping of the port *in any way* with a return packet, then the outside party knows there's something attached to that IP/port.

    It's always best to give the appearance that there's nothing r
  • by Jethro ( 14165 ) on Wednesday December 23, 2015 @10:02AM (#51171425) Homepage

    Set up a honeypot. Put a machine inside your network, and open some of the ports they're scanning on it. See what they're trying to do.

    As a bonus, /if/ they do anything, they have now actually broken the law and you can get law enforcement to actually do something.
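The honeypot suggested by MagickalMyst and Jethro above needs nothing more than a listener that accepts connections on the scanned ports, records who connected and what they sent, and never acts on any of it. The block below is an added example written for this page, not code from either commenter and not a finished honeypot product. It binds to loopback on an ephemeral port so it runs offline; the `probe` client, the recorded fields and the payload in the demo are constructed assumptions. Anything that actually talks back to a scanner is an open port on your network, so if you run something like this for real, put it on an isolated host with its own filtering and no reachable services of value.

```python
import socket
import threading
import time
from datetime import datetime, timezone


class Honeypot:
    """Accept TCP connections, log the peer and its first bytes, close.
    Defaults to loopback and an ephemeral port for the offline demo; a real
    deployment would bind the address and ports the scanner keeps hitting."""

    def __init__(self, host="127.0.0.1", port=0):
        self.entries = []
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(5)
        self._srv.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self._srv.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._loop, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._srv.close()

    def _loop(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    data = conn.recv(1024)  # read, never interpret or execute
                except socket.timeout:
                    data = b""
            self.entries.append({
                "when": datetime.now(timezone.utc).isoformat(),
                "dst_port": self.port,
                "src": peer[0],
                "src_port": peer[1],
                "first_bytes": data[:64],
            })


def probe(port, payload=b"", host="127.0.0.1"):
    """Demo client standing in for the scanner: connect, send, close."""
    try:
        with socket.create_connection((host, port), timeout=2.0) as c:
            if payload:
                c.sendall(payload)
        return True
    except OSError:
        return False


def wait_for(hp, count, timeout=3.0):
    """Wait until the honeypot has logged `count` hits (the accept loop runs
    in its own thread, so a probe may return before the entry is recorded)."""
    deadline = time.monotonic() + timeout
    while len(hp.entries) < count and time.monotonic() < deadline:
        time.sleep(0.02)
    return len(hp.entries) >= count


def summarize(entries):
    """Per source: hit count and the distinct first request lines seen, which
    is the evidence (or lack of it) the thread says a complaint needs."""
    out = {}
    for e in entries:
        first_line = e["first_bytes"].split(b"\n", 1)[0].strip()
        rec = out.setdefault(e["src"], {"hits": 0, "payloads": set()})
        rec["hits"] += 1
        if first_line:
            rec["payloads"].add(first_line)
    return out


if __name__ == "__main__":
    hp = Honeypot().start()
    probe(hp.port, b"GET / HTTP/1.0\r\n\r\n")  # constructed probe payload
    probe(hp.port)                               # bare connect-and-close
    wait_for(hp, 2)
    hp.stop()
    print(summarize(hp.entries))
```

A bare connect-and-close (an empty payload) is what a plain port scan looks like from the inside; a recorded request line or login attempt is the "something material" mysidia says an abuse desk or the police will actually read.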

  • "[T]he UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing"

    You're using a crap firewall.

  • Without knowing what company and what their actual business model is, my first inclination, assuming they have not been hacked, would be: are you doing anything that is creating IP traffic that they might be observing, and thus scanning you back?

    A case in point, I once bought an HP/WinME (pls don't ask) machine that came with some undocumented extra software that I didn't ask for, no surprise. The actual purpose of this "keyboard driver" system service was to keep any dialup session active, by pinging a

  • It doesn't sound like there is much you can do. But.. you could just filter your email so that this particular error report, when their particular ip is attached goes straight to trash.

  • If you're confident your system is secure against intrusions and you're monitoring things this closely, a port scan is ... nothing. Who cares? It's intrusions you care about, not probes. Just be sure anything you have open is secured. Monitor attempts to attack anything opened to the world.

    I personally don't monitor for port scans, I really don't care. Anything open on my servers is either secured, monitored, or if it's a legacy service I'm unsure about, sandboxed (chrooted, unprivileged, etc) to minim

  • by sims 2 ( 994794 ) on Wednesday December 23, 2015 @12:58PM (#51172923)

    http://portspoof.org/ [portspoof.org]
    http://www.saltwaterc.eu/ports... [saltwaterc.eu]

    Now whenever anyone scans you all ports show as open. pretty cool huh?

    Also great if you are trying to find out what ports your isp is blocking.

  • Start automatically bouncing every report to their abuse address?

    Yep. As it stands now, you're the one being inconvenienced.

    -jcr

  • Get a hobby. Seriously. Port scans are nothing. It's a waste of time trying to track them or stop them.
