Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner?
jetkins writes: What would you do if your firewall was being persistently targeted by port scans from a specific group of machines from one particular company? I run a Sophos UTM9 software firewall appliance on my home network. Works great, and the free Home Use license provides a bunch of really nice features normally only found on commercial-grade gear. One of those is the ability to detect, block, and report port scans, and under normal circumstances I only get the occasional alert when some script kiddie comes a-knocking at my door.
But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.
I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.
Simple. (Score:3, Informative)
Re:Simple. (Score:4, Informative)
The problem is the IP range IS blocked. But the router does their port scan detection prior to the IP blacklist and will still notify him of the attack despite the packets being dropped.
Re:Simple. (Score:4, Informative)
Re: (Score:2)
At the bottom of the TCP/IP stack, there's the network chip. That has to receive a packet header and data, push it into the packet ring buffer, send an interrupt to the CPU, and wait for the next packet. It's up to the TCP/IP stack what to next; drop the packet, forward a datagram, or reconstruct packet data into a consistent stream of data.
Re: (Score:2)
Well, on professional grade routers/firewalls ACLs are compiled and pushed down to the FIB/CAM, which can indeed reject things in hardware. Some commodity cards also include onboard packet processors, but YMMV on support for configuring it.
As far as it generating alerts, that's the software's shortcoming for not supporting a way to selectively silence alerts.
As far as the wasted bandwidth, if it is any consequential amount, you're pretty much without recourse unless you can show it is having a financial im
Re:Simple. (Score:5, Interesting)
The OP has been more than patient with them.... Assuming they are full TCP connects (non-spoofable); after complaining 3 times about ongoing abuse, I would definitely consider some internet routing table inspection, identify their upstream providers, and start contacting the upstreams, after continued persistent scans of one IP. Don't stop politely contacting them to ask for help, until you get permanent resolution.
9 times out of 10.... upstream providers will not turn off their customer, probably 10 times out of 10 for simple port scans, which are considered trivial. The industry does NOT consider a simple port scan equivalent to a DoS or hacking attempt, and Most providers will simply disqualify complaints about portscans.
It's partly the OP's folly in having a security device generating excessive noise, especially about blocked IP addresses. I understand the OP may be constrained by product selection; However, Null-routing the offending range SHOULD be an option, and if not..... get a proper packet-filtering firewall to put in front of your UTM, or set an access-list entry on the router in front of it.
However, if contacted, the abusing providers' upstream provider will likely forward the abuse reports to their customer.
After you've done your homework in thoroughly documenting and verifiably reporting, and they have failed to resolve, then a few more iterations, and a seriously-harmed party would be getting their lawyers involved anyways. Probably NOT for a simple portscan however, the offending entities' upstreams might be concerned about it from a risk management perspective and pressure their customer to shape up.
Re:Simple. (Score:4, Interesting)
maybe - but the question is *why* are they doing this. I would be tempted to open a port and see if they attempt to access - then depending on the OP's locality there could be a computer misuse claim.
Re: (Score:2)
Odds are they have a really bad malware infestation and are clueless or have tried and failed to eradicate it. OP mentioned that they appear to be a small company.
Re: (Score:2)
upstream providers don't care, they will just forward your email to their abuse contact and call it a day, if they do anything at all.
Re:Simple. (Score:4, Interesting)
upstream providers don't care, they will just forward your email to their abuse contact and call it a day, if they do anything at all.
That is fine. By forwarding, they will have proven they received the message, AND the network in question will be more apt to respond in many cases.
At a later stage of the game when you get your lawyers involved their upstream providers will likely respond, for example, it's not worth their while to fight a lawsuit you can file against the upstream provider about their customer's activities.
Years ago I took a new position at a company when I received a phone call from an ISP stating that my servers were port scanning someone who complained. They were going to turn off our network access. Surprised, I looked into it. I discovered they were right. Someone had allowed malware to get installed on several of our systems. After some cleanup work we were good but it left an impression on me. Besides asking a new employer more in depth questions about their security (or lack of it), that ISPs would be a good place to file a complaint when you are port scanned over and over again.
Might be time to contact THEIR ISP and yours. Ask them to block or disconnect them. If anything, once THEY get a phone call about the complaint, it will wake them up a bit :D
Re: (Score:3)
Sprint will contact their business customers about things like this. They threatened to disconnect a T3 on a company I worked at because of a malware infection that was doing just this. When Sprint is willing to let go of $4500/mo worth of revenue over this, most ISPs should be willing to look into it. The apathy is what allows this behavior.
Re: (Score:3)
Your ISP sucks. They should be handing out /48's to all business accounts.
Re: (Score:3)
Also, the great thing about having a /64 on each segment for host addressing is there is no practical way to scan it.
Re: Simple. (Score:3)
Then stop plugging some sophos bullshit here and install something free and open that lets you block things. For example pfsense or m0n0wall. I am sure there are others, but these are the ones that I use.
If you have a decent firewall you don't actually care about portscans. You have a couple of ports open and you need to make sure that services running on these are safe. Alerting you with portscans will not improve your security one bit. The only useful thing you could do is automatically drop packets after
Re: Simple. (Score:2)
First of all, it might come as a surprise for you, but not all people live in the US of A. Where I live, "search and frisk" is not something that I know to have been done to anybody that knows anybody I know.
Second of all - you probably get my point despite the maybe-not-so-universal analogy I gave. Maximum you should do, is null-route the portscanning ips automatically. Me - I just ignore them and have done so since the early nineties. If your network security relies on people in the internet NOT portscann
Re: (Score:2)
I work on hardware that can do this. 99% of the firewalls used by home users are pure software firewalls because CAM memory is very expensive. I work for a company that makes CPUs specialized for packet processing and security, but even our low end CPUs are typically not used for the home firewall. Our current generation low end CPU can easily handle 10Gbps of traffic, our higher end ones can handle over 80Gbps of traffic with hardware offload engines for lookups, encryption, compression and packet processi
Get a switch that can block before your device? (Score:4)
Something with a nice-sized ruleset that works on ASICs and you're done. Most companies sell them, and if you're just selectively passing traffic by IP range (or in fancier devices by port) why not offload the hard rules before wasting cycles on traffic you just want to drop? Or just another software device if you're not wanting to buy hardware.
We do this for selective parts of the network where dropping attackers on one machine keeps them from running through an entire block of IPs. A lot of it's even scripted: more than 3 IPs getting brute forced? That's a 24 hour ban and email to the associated ARIN/APNIC/RIPE contact. Granted APNIC/RIPE tends to stay on that list a lot longer than 24 hours...
Re:Simple. (Score:5, Insightful)
obvious answer is obvious, report a feature request to sophos.
or buy a different firewall.
or do attack detection after it.
or just don't bother with doing anything with it(proper).
really this is a problem with his firewall device/software in it. I have no idea why this passed through to slashdot since he already tried contacting the offender and his isp.
Re:Simple. (Score:5, Informative)
If it's a choice between all or nothing, then I'd pick nothing.
Port scan alerts are a bad idea for three reasons.
1. These attacks are very common and excess noise of the alerts may distract you from real threats.
2. Port scans that get caught by these filters are usually benign. NMAP is the first tool that every little kid who thinks they are a hacker plays with before they learn some common sense.
3. Any sophisticated attack that actually stands a chance of working won't be detected by these simple mechanisms.
Hopefully, your firewall will detect the real threats using more sophisticated methods. If I were you I wouldn't count on it catching everything. Those alerts might be giving you a false sense of security. The only thing that alert is satisfying is the author's curiosity. It's not really protecting him.
Re: (Score:3)
He should scan them back, then forward his unused ports to a tarpit [wikipedia.org].
Re: (Score:3)
Port scans are not attacks though, they are a survey tool to get information about the device.
It is a bit strange that the scans are persistent -- what can repeated port scans tell you?
Anyways, another option is to set up a honeypot, expose some ports and see what the source does.
The first time didn't help. (Score:5, Insightful)
So this time report it to appropriate authorities and if they don't take your case make a public letter into their local newspaper asking them what they are up to.
Re:The first time didn't help. (Score:5, Insightful)
So this time report it to appropriate authorities and if they don't take your case
OR push the block on the IP range into the Firewall's routing table as a route to Null0, or to an access-list on the Firewall's upstream router
Most providers summarily shove complaints about portscans and firewall alerts into the trash bin. The OP needs something material to base a legitimate abuse complaint on, such as logs showing an actual SSH brute force access attempt, that demonstrates the activity is a malicious attempted intrusion and not merely some reconnaissance effort, possible false alarm, or "background noise" such as W32/Blaster traffic from some host still running infected XP.
The authorities DON'T CARE about portscans either, unless the OP has something much more material to investigate, or can prove a crime was committed with serious damage, they generally will not get involved... It doesn't hurt to report it to the civil authorities, but it's not going to do anything to alleviate OP's situation, either, which is an "overly chatty" firewall device.
The real issue there is the Firewall and the lack of options to suppress spurious alerts, that should get taken up with the firewall vendor as a software issue.
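The suppression the appliance lacks can be applied one hop later, to the alert stream itself. The following Python is an added example for this thread, not Sophos code and not something any commenter posted. The alert line format, the addresses (RFC 5737/3849 documentation ranges) and the suppressed network are constructed for the example; `ALERT_RE` has to be adapted to whatever the UTM actually writes into its mails.

```python
"""Triage port-scan alerts outside the firewall.

Added example for this thread, not Sophos code. The alert line format,
the addresses (documentation ranges) and the suppressed network are all
constructed for the example; adapt ALERT_RE to the real UTM mail text.
"""
import ipaddress
import re

# Constructed sample alerts standing in for the forwarded UTM mails.
SAMPLE_ALERTS = """\
2014-12-24T09:12:01 portscan detected src=203.0.113.7 dst=198.51.100.20 ports=22,23,80,443
2014-12-24T09:13:44 portscan detected src=203.0.113.9 dst=198.51.100.20 ports=3389,5900
2014-12-24T10:01:10 portscan detected src=192.0.2.55 dst=198.51.100.20 ports=21,22,25
2014-12-24T10:05:00 portscan detected src=203.0.113.7 dst=198.51.100.20 ports=8080
2014-12-24T11:30:22 portscan detected src=2001:db8::1 dst=2001:db8:1::20 ports=22
this line is not an alert and is skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) portscan detected src=(?P<src>\S+) dst=(?P<dst>\S+) ports=(?P<ports>[\d,]+)$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": m["dst"],
        "ports": [int(p) for p in m["ports"].split(",")],
    }


def triage(text, suppressed_networks):
    """Split alerts into those from ranges already blocked at the perimeter
    (counted, then discarded) and the rest (summarised per source address).

    Returns (kept, dropped): kept maps source -> {"alerts": n, "ports": set};
    dropped is the number of suppressed alerts, still useful for an abuse report.
    """
    nets = [ipaddress.ip_network(n) for n in suppressed_networks]
    kept = {}
    dropped = 0
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        # "address in network" is False across IPv4/IPv6, so mixed input is safe.
        if any(alert["src"] in net for net in nets):
            dropped += 1
            continue
        entry = kept.setdefault(str(alert["src"]), {"alerts": 0, "ports": set()})
        entry["alerts"] += 1
        entry["ports"].update(alert["ports"])
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = triage(SAMPLE_ALERTS, ["203.0.113.0/24"])
    print(f"suppressed {dropped} alert(s) from ranges already blocked")
    for src, entry in sorted(kept.items()):
        print(f"{src}: {entry['alerts']} alert(s), ports {sorted(entry['ports'])}")
```

Pipe the saved alert mails through `triage()` with the ranges you have already blocked: what survives is the short list of sources still worth a look, and the dropped count is the number you can quote in the next abuse report without ever reading those mails again.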
Re: (Score:3)
Expect the CEO to send it to IT because he doesn't understand it, and for it to simply disappear. CEOs are about making money, they don't like being the complaint dept. unless it is a complaint from a huge customer that is threatening to not give them money. They don't make the big bucks because they can deal with port scans.
Re: (Score:2)
Expect the CEO to send it to IT because he doesn't understand it, and for it to simply disappear. CEOs are about making money, they don't like being the complaint dept. unless it is a complaint from a huge customer that is threatening to not give them money. They don't make the big bucks because they can deal with port scans.
If you know who the company is, contact their legal department and ask them how much they like being (a) sued and (b) made into a news story.
Problem solved.
Re: (Score:2)
You would be shocked how often that backfires. They have lawyers on staff, paid to take chicken shit threats and shove them back down your throat. They can outspend you in a second flat, and run you into the poor house defending yourself. No, threatening a company and making claims they intentionally did something bad (particularly when you really don't know the whole story) is just a good way to end up broke and defeated.
Re: (Score:2)
Worked numerous times for me. Typically there is an open SSH port, and I just overload that. Does not need 1Gb/s and gets their attention pretty damn quick.
Re: The first time didn't help. (Score:2)
If you are exposed locally for questionable actions you may get uncomfortable questions from friends. It may be a worse punishment than being brought to court.
Chances are... (Score:2)
...those banging at your doors don't give a damn about laws. You could deny ALL from the attackers address range, but best bet is just shut down the targeted ports.
Re:Chances are... (Score:5, Informative)
One solution to such actions is to instead of blocking send them to a tar-pit server. That may look like a valid server but with very slow responses.
Re: (Score:2)
...those banging at your doors don't give a damn about laws.
Unless they have poor security and get hacked repeatedly. Some places you can almost just walk in, and if they are a small company, they may not feel that they have money to spend on proper security. Unless they are made painfully aware of the benefits.
So name them already (Score:5, Interesting)
Lets hear who it is.
Re: (Score:3)
I see your side, but I see the other as well. Since he reported it to the company once and the company "fixed it" temporarily, it doesn't sound like a false positive. If he posts the company's web site on Slashdot and that company's web site happens to get slashdotted (especially if they have a forum or mailbox where visitors can post complaints/issues), it might wake them up to the fact that someone in their IT/dev department is doing something they really should not be (whether it was ordered by the compa
Re: (Score:2, Funny)
Why do you assume there's only one female, and that she has multiple machines?
Yours,
The Grammar Nazi.
Re: (Score:2)
Because he is a sexist douchebag.
Women are not any worse than men when it comes to security and apps. At my (small) office, the opposite is true, it is always the guys getting viruses, usually from trying to check out porn.
Not a surprise (Score:3)
If you listen to the Security Now podcast, this sort of thing is all over the internet. It's a nasty place out there and actors from anywhere and everywhere are always checking addresses for vulnerabilities, etc. I suspect we all get that sort of thing.
Unless it is DDOS'ing you, why is it an issue?
Re:Not a surprise (Score:5, Interesting)
Indeed, I routinely get portscans en masse from china.
Sometimes 5x a day or more. Really aggressive scans that last for hours.
Not a lot you can do about it. Scanning for open ports is a legitimate activity on networks you own, so naturally, a big internetwork like the internet is going to be drowning in automated portscans, and automated blocking of them would break many legitimate services, if they make too many queries too quickly. (say for instance, metacrawlers and pals.)
Just accept that the internet is not a cozy nice place. Bad things lie in wait for the unwary. Use modern protection, and be sensible in how you use it.
really, that's all you can do unless you have actual DDoS style attacks leveled at you. THEN you call the feds.
Re:Not a surprise (Score:5, Insightful)
This. There was a time that ISPs and people on the Internet cared about port scans, that time is long gone (by at least 15 years). If you have a public IP you should assume it's being scanned all the time. Once you assume that these types of alerts have little additional meaning. If it really bothers you then you should implement some kind of pre-filter to block the IP range. I understand that your particular device doesn't allow that so put another router with proper access control list support in front of it if it bothers you so much. TLDR, unless you live in the past it's time to get over port scanning.
Re: (Score:3)
Exactly, welcome to the World Wide Web people!
10-15 years ago when every company was getting their first firewall, I used to manage hundreds of firewalls for many companies. First thing that people would do is call me complain about the firewall logs showing all the port scans (mostly from Asia), this stuff goes on all the time, nothing you can really do about it, block on subnet they will use another. Unless you are getting DDOS'ed then you are fine. A good firewall will not send back a reject, but instead dro
Turn it off (Score:5, Insightful)
Problem with these commercial products is that they want to prove their usefulness by regularly raising alarms. And, they miss essential features like IP based whitelisting. Portscans and probes are too standard to be bothered about, just block and forget.
Use a decent open source product like pfsense instead. I've had an appliance with pfsense for years and I forget it's even there.
https://www.applianceshop.eu/s... [applianceshop.eu]
(no commercial interest, just a satisfied customer)
Re: (Score:2)
Lim Sao Tuk knows it's there, and he thanks you for keeping it up and running for so long. It has been a very useful machine for him.
Re: (Score:3)
Share the wealth, that's my motto ;-)
Anyway, Lim asked me to say he prefers the Sophos stuff. He's also really fond of the McAfee stuff!
Re:Turn it off (Score:5, Informative)
UTM 9 IS open source except for the gui and FAR better and FAR more features than pfsense.
Not even close to being in the same league.
(no commercial interest, just a satisfied UTM 9 user (not customer))
Amusingly, I dealt with this very scenario just this week, except in reverse.
I installed the Sophos UTM on a Vista-vintage Optiplex. It was fine and responsive, and yes, the UI was beautiful, with lots of enterprise-grade features. The problem I had was that Sophos seemed to have a default 'deny any any' sort of rule in place that allowed HTTP, DNS, and...basically nothing else. I couldn't RDP out via nonstandard ports, I couldn't access IMAP mail, I couldn't get new Usenet articles in Agent, and that damn 'yellow triangle of limited connectivity' was proudly shown on all the Windows boxen on my LAN. I spent about two hours trying to get it to let SOMETHING through, Googled around, and...apparently there's some sort of voodoo that everyone else 'just knows' to make Sophos be a bit less strict, but for me it was like debating with the great-grandson of HAL9000: "Open the port 3389 doors, HAL." "I'm sorry Joey, I can't do that." Between that and the fact that Sophos went to the Sonicwall school of port forwarding hell, I installed pfSense.
pfSense allows traffic to flow the way one would expect a router to work; all the things that didn't work in Sophos worked just fine on pfSense. Port forwards can be as simple as a Linksys router (source port, destination port, IP address), or as complex as a Sonicwall. Its UI isn't nearly as pretty, but it's highly functional. The transparent proxy helps speed up HTTP traffic, which is helpful as I'm stuck with 2mbit/768k DSL for the immediate term.
I'm sure this is all a PEBKAC situation, and I do understand that Sophos's "assume the worst" stance has its place, but especially for being labeled for home users, I would have at least expected some sort of option in the initial config wizard to have the option between 'paranoid mode' and 'actual router' mode.
Port Scans are normal, stop whining! (Score:4, Informative)
Disable the Port-Scanning warning. It is useless! It only drowns really important stuff! Port-Scanning is not an attack. Nothing breaks because of a harmless port scan and an alert does not provide you with ANY useful information. So get rid of this useless piece of software.
Your ISP is doing nothing and rightly so. It would only suck up resources that can be used elsewhere where they make a real difference!
Fighting port scans is like trying to fight people looking out of the car windows! Get over it, ignore it, it's completely normal!
And don't suck up other peoples resources by whinging about it!
Put a filter box in front of full firewall (Score:5, Interesting)
The submitter has two problems, the first is an external site persistently doing something that he doesn't want, and the second is his firewall appliance that isn't doing what he wants.
The first problem is not fixable. Even if you could make them go away, tomorrow someone else will take their place. Do you really want to spend your time in courtrooms and writing letters? In any case, port scanning is not actual service abuse nor hacking but merely service discovery and it's working as intended, so you'll have a hard time convincing anyone that you are suffering actual harm. It's just an annoyance.
In contrast, your second problem *IS* fixable by you, at very little cost. Just put a low-end packet filter in front of your existing firewall, doing nothing but passively blocking all packets from the offending source. It should have no open ports of its own and should run nothing other than the firewall management software, something like pfsense or iptables. Any old PC hardware running off a thumb drive will suffice, or a new ARM board for lowest power consumption, or a repurposed router from eBay for lowest cost.
Fix problems that you can solve. The others are not worth your time fretting about.
Re: (Score:2)
Nothing breaks because of a harmless port scan and an alert does not provide you with ANY useful information.
This is not true, port scans are not harmless, But they are not an attack in themselves either, there are quasi-legitimate uses, they are often not followed up by malicious activity via the same actor, and the community at large has accepted that they happen routinely, and they are a "lesser evil", like a strange man was seen walking across your front lawn: it is suspicious, but nobody's goin
Re: (Score:2)
They aren't followed up by malicious activity unless there is a vulnerability to exploit. My guess is all this port scanning has forced the guy to lock his system down pretty tight. It might now be safer due to all the port scanning.
Excessive port scanning is abuse, but your ISP isn't going to address it, only the other guy's ISP is going to because that is where it originates, and only they can threaten to pull their access if they don't stop it. Efforts on this end are useless; keep hammering their ISP
Just set up a honeypot (Score:5, Interesting)
And see what they do with it.
Re:Just set up a honeypot (Score:4, Informative)
And see what they do with it.
Exactly. If someone has screwed up then nothing will happen. If someone uses it, that's different and then you also have your misuse case as the basis for legal action if required (make sure to have misuse messages and warnings in place). Not that you want to take legal action, it's just being in the position to take that action if you can or need to.
I wouldn't worry about it (Score:2)
Honestly, I wouldn't worry about it. If your firewall is halfway decent (and it sounds like it is), you shouldn't have anything to worry about as far as the security of your network. Unless, of course, you do something really dumb like open a port you shouldn't and have it refer to a port on a machine on your net (I'm presuming you're using NAT).
Also, since it's highly likely your network link is DHCP, your IP address might change periodically when your router goes to renew the DHCP lease. If your IP addr
Tarpit (Score:2)
https://en.wikipedia.org/wiki/... [wikipedia.org]
Easy solution (Score:3)
Forget it and find a real problem to worry about.
Your problem is UTM; but if you really care... (Score:3, Insightful)
Your problem is UTM; but if you really care... pay Amazon a couple hundred $, spin up 100,000 instances for a really short time, and push them a couple of million dollars into bandwidth debt, and they won't bother you again.
Alternately, buy something other than UTM, which filters before the alerts, instead of after.
Civil tort of harassment (Score:3)
You have the name of the chief executive? Write to him on paper with a stamp and tell him that his company is causing yours a nuisance. Say that under the provisions of statute X (whatever that may be in your country) you are entitled to claim compensation under the civil tort of harassment, or equivalent in your country. Enclose a copy of the relevant page of the legislation. There's sure to be plenty of legislation to choose from, take your pick. Enclose some printouts of the firewall warning messages.
That CEO will have to cancel his game of golf. He will be furious about that. He doesn't want to think about tiresome technology matters. He wants to think about golf. Above all, he must avoid the electric fence and not have any silly legal troubles. He will bang some heads together and the port scans will stop.
Someone asked me about receiving automated renewal reminders by email for an antivirus program he had ordered in error and then cancelled. He had asked not to receive such reminders anymore but they kept coming. The above steps worked for me.
Background noise (Score:5, Informative)
The internet is full of background noise, not a lot you can do about it..
Chances are this isn't even a portscan at all, because what would be the point of scanning the same thing repeatedly? Chances are they've configured the target IP wrong, or the IP you now have used to be used by someone else etc.
Having a router constantly notifying you about internet background noise is pointless and will only waste your time.
Re: (Score:2)
Virtual +1 Insightful
Drop it (Score:2)
Then if you want, make the proper investigation and go the legal way: persistent port scanning is a hostile action, indeed.
Fixable with simple PF rules (Score:3)
My solution would be to put something (very low power gear will do) running a recent OpenBSD and a PF ruleset with overflow rules modeled on the ones outlined here [home.nuug.no] in front of that whiny device. The ruleset would need to be modified to fit the observed traffic, of course. Then anyone who fits the profile of unwanted traffic simply auto-LART themselves into the table of blocked addresses.
With a properly placed adaptive firewall like that, the noisemaker would likely not see enough of the traffic to trigger any of the useless warnings.
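What the PF overload rule does in the kernel, as an added Python model (not code from the nuug.no article and not from this thread): a static block list consulted before anything else is counted or logged, which is the "pre-filter" the submitter's appliance cannot do, plus a per-source sliding window in the spirit of `max-src-conn-rate N/T ... overload <table>` whose entries expire after a fixed time, the way a cron job running `pfctl -t bruteforce -T expire` would clear them. The thresholds, ban length and address ranges are assumptions picked for the example.

```python
"""User-space model of a PF overload table.

Added example, not from the nuug.no article or this thread. Thresholds,
ban length and address ranges are assumptions chosen for illustration.
"""
import ipaddress
from collections import defaultdict, deque


class OverloadTable:
    """Decide per connection attempt roughly the way

        block quick from <static>
        pass in proto tcp to port ssh keep state \\
            (max-src-conn-rate N/T, overload <bruteforce> flush global)

    would: drop static ranges before anything else, ban a source that opens
    more than N connections within T seconds, and forget that ban after
    ban_seconds (the job `pfctl -t bruteforce -T expire` does from cron).
    """

    def __init__(self, max_conns, per_seconds, ban_seconds, static_blocks=()):
        self.max_conns = max_conns
        self.window = per_seconds
        self.ban_seconds = ban_seconds
        self.static = [ipaddress.ip_network(n) for n in static_blocks]
        self.recent = defaultdict(deque)  # src -> timestamps inside the window
        self.banned = {}                  # src -> time the ban expires

    def expire(self, now):
        """Drop bans that have run out; returns how many were removed."""
        stale = [src for src, until in self.banned.items() if until <= now]
        for src in stale:
            del self.banned[src]
        return len(stale)

    def decide(self, src, now):
        """Return 'drop' or 'pass' for a new connection from src at time now."""
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in self.static):
            return "drop"          # never counted, never logged: the pre-filter case
        self.expire(now)
        if src in self.banned:
            return "drop"
        attempts = self.recent[src]
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()     # forget attempts that fell out of the window
        if len(attempts) > self.max_conns:
            self.banned[src] = now + self.ban_seconds
            attempts.clear()
            return "drop"
        return "pass"


def simulate(table, events):
    """Feed (src, time) pairs in time order and return the list of decisions."""
    return [table.decide(src, t) for src, t in sorted(events, key=lambda e: e[1])]


if __name__ == "__main__":
    table = OverloadTable(max_conns=5, per_seconds=3, ban_seconds=86400,
                          static_blocks=["203.0.113.0/24"])
    # Constructed traffic: one hit from the blocked range, a burst of seven quick
    # connects from one host, and a slow visitor that never trips the threshold.
    burst = [("192.0.2.55", i * 0.1) for i in range(7)]
    slow = [("198.51.100.9", i * 10.0) for i in range(7)]
    print(simulate(table, [("203.0.113.7", 0.0)] + burst + slow))
    print("banned:", table.banned)
```

The static list handles the submitter's case by itself; the adaptive part is what keeps the next noisy source from needing a phone call. In real PF the two live in the same ruleset, and `flush global` additionally kills the offender's existing states when it is added to the table.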
Sigh (Score:3)
Ignore.
Filter the alert emails from that ISP if necessary.
Get on with life.
(P.S. Just double-check you put it on the block list).
Run any internet server in any datacenter in the world and you get this times a thousand. You can't trace them all. Hell, you can't even spend the time to trace all those spam email attempts you would get either.
What, precisely, do you think is being done to your connection that's worth the time and effort to even follow-up on it? A few packets hitting a firewall that is set to block and deny them any further access anyway?
Get a life, honestly. And turn off alert emails for port-scans. Turn on proper IDS/IPS, but turn off that particular alert because - well - it happens all the time anyway and it isn't going to stop just because you stop one IP range.
Spend the time you save on double-checking that people can't get into even the open services that you do offer to the net (SMTP, NTP, etc. if relevant). Whether you respond open or closed, or whether the firewall rejects or allows, the request still means that the packet was sent, received, acted on, and replied to (or not, as the case may be). And in terms of your overall connection it's going to be like 0.001% of your traffic, if that.
Then go and work in any static-IP, Internet-facing network department that runs in-house services like webservers, VPN, email, etc. And notice that they just wouldn't care and don't have the time to do anything about such trivial shite.
Re: (Score:3)
Shodan abuse (Score:2)
Sounds like you're having a similar problem of ignorance to the one I have when reporting Shodan's port scans. All I get is bleating about doing god's work to save the Internet. I don't care about that, I just want them to stop accessing my services. I expect the same from their upstream as well, but will report to them anyway just in case of a Christmas miracle ;-)
A Honeypot? (Score:5, Informative)
Set up a honeypot and gather intelligence about them. Find out who they are, where they are, and if possible, a motive as to why they are specifically targeting you.
Once you have that information you can act accordingly - contact ISP, law enforcement, etc.
Don't wear yourself out worrying about nothing (Score:2)
Why are you worried about port scans for your own machine that you control in every detail? Unless you've got some busted-ass daemon on some port, assuming you are not being DOSed or your bandwidth getting used up (which is very very unlikely), what do you think is going to happen? It's not like you have users on your machine who have kindergarten passwords which you can't control, is it?
Fleabag lightweights are hitting ssh on my VPS all day every day. Let them knock themselves out. They ain't never gonna b
Forward it to their fax (Score:4, Funny)
Don't forward the scan reports to their abuse address. Spend a couple of cents to forward it through a mail-to-fax gateway to their fax number.
I think it will stop much sooner this way.
use their IP's (Score:3)
While other commenters have mentioned your alerting system should be disabled as it's essentially worthless, there's a pretty simple fix if the IPs are known. Add their public IPs to your router as additional WANs or secondary IPs. Their traffic should now become unroutable and dropped before the appliance even tries to examine them. Or you could add a managed switch in front of your WAN which drops/blocks traffic from those IPs.
Problem with doing these sorts of things is that over time your systems become a confusing mess of strange kludges and workarounds. Port scans really are super normal, and the true issue is your appliance not behaving as you'd desire.
Re: (Score:2)
This. The proper resolution here is to get your firewall manufacturer to alter their alerting system to send digests or condensed reports once a certain threshold has been reached. "IP x.x.x.x has portscanned you Y times in the last 24 hours."
Otherwise, surprise, you're basically suffering a small DoS attack.
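The digest this comment asks the firewall vendor for, and the "filter the alert mails from that subnet" advice given by several other posters in this thread, can both be done locally with a short script that reads the alerts before they reach your inbox. The following is an added example written for this page, not code from Sophos, the poster, or anyone else in the thread; the alert line format, the sample lines, and the addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) are all constructed for the example.

```python
"""Added example: condense per-scan firewall alerts into a once-a-day digest and
drop alerts from a subnet that is already blocked at the firewall.

The alert line format below is invented for this example; it is NOT the Sophos
UTM format. Adapt ALERT_RE to whatever your appliance actually emits.
"""
from collections import Counter
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample alerts: "<ISO timestamp> portscan src=<ip> dst_ports=<n>"
SAMPLE_ALERTS = """\
2014-12-24T08:01:12 portscan src=203.0.113.17 dst_ports=120
2014-12-24T08:14:40 portscan src=203.0.113.17 dst_ports=95
2014-12-24T09:02:03 portscan src=203.0.113.22 dst_ports=300
2014-12-24T10:30:00 portscan src=198.51.100.8 dst_ports=40
2014-12-23T07:59:59 portscan src=203.0.113.17 dst_ports=10
this line is not an alert and is skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) portscan "
    r"src=(?P<src>[0-9.]+) dst_ports=(?P<n>\d+)$"
)


def parse_alerts(text):
    """Yield (timestamp, source address, ports probed) for each well-formed line."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an alert line
        yield (
            datetime.fromisoformat(m["ts"]),
            ipaddress.ip_address(m["src"]),
            int(m["n"]),
        )


def from_suppressed_subnet(line, suppress_nets):
    """Mail-filter predicate: True if this single alert line comes from a subnet
    you have already blocked, so the mail can go straight to the trash."""
    nets = [ipaddress.ip_network(n) for n in suppress_nets]
    for _, src, _ in parse_alerts(line):
        return any(src in net for net in nets)
    return False  # not an alert line at all; leave it alone


def digest(text, now, window=timedelta(hours=24), threshold=2, suppress_nets=()):
    """Return {source: count} for sources that scanned at least `threshold`
    times inside `window` ending at `now`, excluding sources in `suppress_nets`.

    Alerts with timestamps after `now` are ignored too (clock skew, replay)."""
    nets = [ipaddress.ip_network(n) for n in suppress_nets]
    counts = Counter()
    for ts, src, _ in parse_alerts(text):
        if ts < now - window or ts > now:
            continue
        if any(src in net for net in nets):
            continue
        counts[src] += 1
    return {str(src): c for src, c in counts.items() if c >= threshold}


def format_digest(summary):
    """Render the digest as one line per source, sorted, in the wording the
    comment above suggests."""
    return [
        f"IP {ip} has portscanned you {n} times in the last 24 hours"
        for ip, n in sorted(summary.items())
    ]


if __name__ == "__main__":
    now = datetime(2014, 12, 24, 12, 0, 0)
    for line in format_digest(digest(SAMPLE_ALERTS, now, threshold=1)):
        print(line)
```

Run it once a day from cron against the saved alerts (or feed it the bodies of the alert mails) and send yourself only the `format_digest` output; the `from_suppressed_subnet` predicate is the piece to wire into a procmail or Sieve rule if you would rather keep the appliance's mails but never see the ones from the subnet you have already blocked.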
Half Smart (Score:2)
So, you're smart enough to have a firewall with port detection and know how to block a subnet, but you're not smart enough to write a filter that takes that port scan notification from that subnet and throw it in the trash? I've got buddies that work for banks, they do this crap all day long. They can't turn off port scan, because company policy, but they need to filter out stuff that doesn't matter. They do it at the monitoring software but most home users get email notifications. Use a mail client tha
Stealth mode (Score:2)
Do you have your firewall set to discard unwanted packets silently? In other words, unless someone from the outside is hitting an IP and a port that you want open to the outside, there should be *no response* to outside queries (including port scans). If the firewall acknowledges the ping of the port *in any way* with a return packet, then the outside party knows there's something attached to that IP/port.
It's always best to give the appearance that there's nothing r
Late to the party, but... (Score:3)
Set up a honeypot. Put a machine inside your network, and open some of the ports they're scanning on it. See what they're trying to do.
As a bonus, /if/ they do anything, they have now actually broken the law and you can get law enforcement to actually do something.
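A honeypot of the kind this comment and the earlier "A Honeypot?" comment describe does not have to be elaborate: a listener that accepts on the probed ports, records who connected and what they sent first, and never serves anything back is enough to tell a bare port scan from an attempted login or exploit. The block below is an added example written for this page, not the poster's setup and not any particular honeypot project; it binds loopback and probes itself so it can be run offline, and the probe payload and port choice are made up for the demonstration. To face the scanner you would bind the WAN-facing address and forward the ports they keep hitting to it.

```python
"""Added example: a minimal TCP honeypot that records (port, peer, first bytes)
for every connection it accepts and closes without ever answering.

Everything here is constructed for the demonstration: it listens on loopback on
OS-chosen ports and connects to itself with an invented banner.
"""
import selectors
import socket
import threading
import time


def open_listeners(ports, host="127.0.0.1"):
    """Bind one non-blocking listening socket per port (0 = let the OS pick)."""
    socks = []
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, p))
        s.listen(16)
        s.setblocking(False)
        socks.append(s)
    return socks


def capture_probes(listeners, duration=1.0, read_timeout=0.5):
    """Accept connections for `duration` seconds and return a list of
    (local_port, peer_ip, first_bytes). A scanner that only completes the
    handshake shows up with b""; one that talks (banner, login, exploit)
    shows up with its first 256 bytes, which is what you hand to the ISP."""
    sel = selectors.DefaultSelector()
    for s in listeners:
        sel.register(s, selectors.EVENT_READ)
    records = []
    deadline = time.monotonic() + duration
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        for key, _ in sel.select(timeout=remaining):
            lsock = key.fileobj
            try:
                conn, (peer_ip, _) = lsock.accept()
            except BlockingIOError:
                continue  # connection went away between select() and accept()
            conn.settimeout(read_timeout)
            try:
                data = conn.recv(256)  # whatever the probe sends first, if anything
            except socket.timeout:
                data = b""
            finally:
                conn.close()  # never reply; the peer learns nothing about us
            records.append((lsock.getsockname()[1], peer_ip, data))
    sel.close()
    return records


def _fake_scanner(ports, payload):
    """Stand-in for the remote scanner: one talkative probe, one bare connect."""
    time.sleep(0.1)
    c = socket.create_connection(("127.0.0.1", ports[0]))
    c.sendall(payload)
    c.close()
    c = socket.create_connection(("127.0.0.1", ports[1]))
    c.close()


def demo(payload=b"SSH-2.0-probe\r\n"):
    """Run the honeypot on two loopback ports against the fake scanner and
    return what it recorded."""
    listeners = open_listeners([0, 0])
    ports = [s.getsockname()[1] for s in listeners]
    t = threading.Thread(target=_fake_scanner, args=(ports, payload))
    t.start()
    try:
        return capture_probes(listeners, duration=1.0)
    finally:
        t.join()
        for s in listeners:
            s.close()


if __name__ == "__main__":
    for port, peer, data in demo():
        print(f"port {port} from {peer}: {data!r}")
```

The point of keeping the recorded bytes rather than just a hit count is the distinction the comment draws: a SYN and a close is a scan, while a banner, a credential guess or a request payload on a port you opened for them is the evidence that turns "they keep knocking" into something an abuse desk or law enforcement can act on.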
Well, here's your problem... (Score:2)
"[T]he UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing"
You're using a crap firewall.
Threat response and possible course of action (Score:2)
A case in point, I once bought an HP/WinME (pls don't ask) machine that came with some undocumented extra software that I didn't ask for, no surprise. The actual purpose of this "keyboard driver" system service was to keep any dialup session active, by pinging a
Filter your email (Score:2)
It doesn't sound like there is much you can do. But.. you could just filter your email so that this particular error report, when their particular ip is attached goes straight to trash.
Ignore it (Score:2)
If you're confident your system is secure against intrusions and you're monitoring things this closely, a port scan is ... nothing. Who cares? It's intrusions you care about, not probes. Just be sure anything you have open is secured. Monitor attempts to attack anything opened to the world.
I personally don't monitor for port scans, I really don't care. Anything open on my servers is either secured, monitored, or if it's a legacy service I'm unsure about, sandboxed (chrooted, unprivileged, etc) to minim
Easy. Open all of the ports. (Score:3)
http://portspoof.org/ [portspoof.org]
http://www.saltwaterc.eu/ports... [saltwaterc.eu]
Now whenever anyone scans you, all ports show as open. Pretty cool, huh?
Also great if you are trying to find out what ports your isp is blocking.
Re: (Score:2)
Thanks for this.
The trollface was worth it.
Re:No NAT??? (Score:5, Interesting)
I have many boxes directly on the internet; NAT would only add an extra layer of headaches. I only open the services I actually want to offer, so if I used port forwarding I would have exactly the same services listening but with added overhead.
Re:No NAT??? (Score:4, Informative)
Seriously? People still assign public IPs directly to PCs? Get a router. Use NAT. These "port scans" (which may well not be port scans at all) shouldn't be making it anywhere near a PC in the first place.
Port Address Translation breaks the end-to-end model of TCP/IP. IPv6 is designed to remove the need for NAT entirely. The network admin is supposed to actually know how to build a proper firewalling router to keep other networks out or to limit what resources they can reach.
Good firewalls deny incoming connections by default, and only allow them when they're solicited by a machine on the local side, and even then, only when the return traffic from the untrusted network conforms to expectations based on the trusted machine's initial outgoing request. This can get a little trickier with protocols that use more than one port or semi-randomly choose ports from a range, but it seems to work pretty well even with public IPs on devices.
Re: (Score:2)
Because you then went over your bandwidth quota and your ISP wasn't forwarding any more packets to you, maybe?
Seriously, I hope those 4k blocks were tarpitted at least (long delay between each block)
Re: (Score:2)
If the user didn't have a bandwidth cap, then no, you'd want to serve as much as possible, but have it in a low priority QoS profile. If the attacker was saving files you could exhaust their free disk space eventually, most of these hacked shells don't have terabytes available.
Re: (Score:2)
What intelligence? That the attacker fires off every known OpenSSL exploit when it finds something listening on 22?
Re: (Score:2)
If by number you mean 2 (Britain and Germany), then yes. Possession of nmap is illegal, although not enforced. It's basically a law to give them ammunition when they nab you and have nothing on you.
Re: (Score:2)
While I was still at the university, our networking professor warned us about Germany and mentioned that similar laws were about to be passed in the UK. And then I read it in nmap's FAQ or in /usr/share/docs/nmap a few years later. I think it predates Cameron.
Having nmap on your computer is treated the same way as if you walked around with lock picking tools. Presumption of guilt.
Re: (Score:2)
That's like saying ringing someone's doorbell is going to use up all their electricity.
Doesn't mean it's okay for someone to keep ringing it all day...
Re: (Score:2)
It's not young people that are ruining this place: the young people don't hang out here, and instead spend their time elsewhere besides a washed-up tech site. This place is mostly populated by angry old farts who just sit around in their Depends and complain about new technologies and changing society. The above is probably one of them.