Stopping ip range scans
william at elan.net
Mon Dec 29 13:09:27 UTC 2003
On Mon, 29 Dec 2003, Abdullah Hameed Sheikh wrote:
> There are two types of network: Enterprise and Service Provider.
I kind of have both types. I call them unmanaged and managed. For certain
IP blocks (always larger than /24) all traffic is passing through a Linux
firewall with multiple VLANs & ethernet ports to be able to accommodate
multiple customers at the same time. I'd like to at least stop this scan
for everything behind the firewall. It would be best if I stopped it for the entire
network too, but that is just a wish and I did not see any easy way to do
it using Cisco configuration, and modifying access lists every minute is
probably not too interesting (here I again get reminded of the cooperative
BGP filtering draft I worked on for bogons with Michael, Rob & Joren, see
http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt
I'll have to wait until it's part of the OS to try something for scan prevention...).
> The job of the service provider is very simple. Just provide plain
> Internet connectivity.
The above is true if you're a very "plain" network provider. Some of us do
more than just simple internet connectivity services...
> if the traffic is destined to an IP which is
> in my network, it is considered legitimate traffic. )
The problem is these are random scans; the traffic is going to IPs that
are not used and never were. They're clearly random sequential scans.
> But it can block your legitimate traffic as well.
I've thought about it and the way I see it, if somebody is scanning me,
it's not legitimate traffic to me and a big potential security risk. So if the
same IP hits, within a fraction of a second, 2 or 3 sequential IP addresses on
some monitoring device, it seems OK to me if it's blocked for the next 10 minutes
(but not permanently). I don't think any legitimate traffic would be lost
in this case. (Note: the definition of "legitimate" varies from network to
network and from one person to another).
--
William Leibzon
Elan Networks
william at elan.net
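The "same source hits 2 or 3 sequential addresses within a fraction of a second, block it for 10 minutes, not permanently" rule described in the post, as an added example that is not part of the original message or of any tool mentioned on the list: the ScanDetector class, its thresholds and the constructed (timestamp, src, dst) hits are all assumptions chosen to illustrate the idea.

```python
import ipaddress

WINDOW_SECS = 0.5   # "fraction of a second" allowed between consecutive hits (assumed)
SEQ_HITS = 3        # sequential destinations from one source that trip the rule (assumed)
BLOCK_SECS = 600    # block for 10 minutes, then forget the source again

class ScanDetector:
    """Flags a source that hits consecutive destination IPs in quick succession."""
    def __init__(self, window=WINDOW_SECS, seq_hits=SEQ_HITS, block_secs=BLOCK_SECS):
        self.window, self.seq_hits, self.block_secs = window, seq_hits, block_secs
        self.last = {}      # src -> (last_dst_as_int, last_ts, run_length)
        self.blocked = {}   # src -> timestamp at which the temporary block expires

    def is_blocked(self, src, now):
        until = self.blocked.get(src)
        if until is None:
            return False
        if now >= until:    # temporary block has expired: drop it, traffic is fresh again
            del self.blocked[src]
            return False
        return True

    def observe(self, src, dst, ts):
        """Feed one (src, dst, timestamp) hit; returns True if src is (now) blocked."""
        if self.is_blocked(src, ts):
            return True
        dst_int = int(ipaddress.ip_address(dst))
        prev = self.last.get(src)
        # Extend the run only if this is the very next address and it came quickly.
        run = prev[2] + 1 if prev and dst_int == prev[0] + 1 and ts - prev[1] <= self.window else 1
        self.last[src] = (dst_int, ts, run)
        if run >= self.seq_hits:
            self.blocked[src] = ts + self.block_secs
            del self.last[src]  # start from scratch once the block expires
            return True
        return False

# Constructed sample hits (timestamp, src, dst). One source walks 192.0.2.10-12 in
# sequence; a legitimate client talks to a single host repeatedly and is never blocked.
SAMPLE_HITS = [
    (100.00, "198.51.100.7", "192.0.2.10"),
    (100.10, "203.0.113.5", "192.0.2.50"),
    (100.15, "198.51.100.7", "192.0.2.11"),
    (100.30, "198.51.100.7", "192.0.2.12"),   # third sequential hit -> blocked
    (100.90, "203.0.113.5", "192.0.2.50"),
    (400.00, "198.51.100.7", "192.0.2.13"),   # still inside the 10-minute block
    (800.00, "198.51.100.7", "192.0.2.20"),   # block expired, treated as fresh traffic
]

def run(hits):
    det = ScanDetector()
    return [(src, det.observe(src, dst, ts)) for ts, src, dst in hits]
```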