Stopping ip range scans

william at elan.net william at elan.net
Mon Dec 29 11:47:15 UTC 2003


 Recently (this year...) I've noticed increasing number of ip range scans 
of various types that envolve one or more ports being probed for our
entire ip blocks sequentially. At first I attributed all this to various 
windows viruses, but I did some logging with callbacks soon after to 
origin machine on ports 22 and 25) and substantial number of these scans 
are coming from unix boxes. I'm willing to tolerate some random traffic 
like dns (although why would anybody send dns requests to ips that never 
ever had any servers on them?), but scans on random port of all my ips - 
that I consider to be a serious security issue and I'm getting tired of it 
to say the least (not to mention that its drain on resources as for example
routers have to answer and try to route all the requests or answer back 
that they could not).
  So I'm wondering what are others doing on this regard? Is there any 
router configuration or possibly intrusion detection software for linux 
based firewall that can be used to notice as soon as this random scan 
starts and block the ip on temporary basis? Best would be some kind of way 
to immediatly detect the scan on the router and block it right there...
Any people or networks tracking this down to perhaps alert each other?

-- 
William Leibzon
Elan Networks
william at elan.net




More information about the NANOG mailing list