Stopping ip range scans

Perry E. Metzger perry at piermont.com
Mon Dec 29 16:36:55 UTC 2003


william at elan.net writes:
>  Recently (this year...) I've noticed an increasing number of ip range scans 
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially. At first I attributed all this to various 
> windows viruses, but I did some logging with callbacks soon after to the 
> origin machine on ports 22 and 25, and a substantial number of these scans 
> are coming from unix boxes. I'm willing to tolerate some random traffic 
> like dns (although why would anybody send dns requests to ips that never 
> ever had any servers on them?), but scans on random ports of all my ips - 
> that I consider to be a serious security issue

It isn't a serious security issue.

> and I'm getting tired of it to say the least

Then turn off your logging of it. I quit paying attention to scans
MANY years ago, when they started happening more than once an hour. In
an era where a honeypot will be attacked minutes after being put on
the net, scans are as interesting to report as litter at a landfill.

> (not to mention that it's a drain on resources as for example
> routers have to answer and try to route all the requests or answer back 
> that they could not).

Drain on resources? I bet if you actually calculate the cost in
dollars of answering the scans per year, it is probably smaller than
the amount you are paid in a few minutes. The time you've spent
thinking about it has been the biggest drain on your company's
resources.

>   So I'm wondering what are others doing in this regard?

Most people I know are ignoring scans. There is no other rational
course to take. People will twist your doorknobs, and if you pay
attention every time they do, you'll go mad. You can't possibly block
every host on the net trying it, and some are even doing it for
perfectly legitimate purposes like mapping the network or trying to
figure out if one of your users has been infected with a virus or some
such.

In any case, there are huge numbers of infected and compromised
machines out there doing this. You'd have to black hole most of the
net to stop it. I don't see what the point is. You won't make your
machines more secure by pretending you could block scans. Sure, you
can waste your time and money trying to stop that, but I'd suggest you
simply spend that time actually making your machines more secure
instead of adding Potemkin security like "blocking scans".

I've seen many people complain about such things in the past, and then
it turns out they don't even have all their Windows servers patched
properly and they aren't doing any ingress filtering so their machines
can happily send forged packets all over the net. Fix your actual
security problems first -- worry about window dressing later if at
all.

By the way, the most sophisticated attackers are scanning using
techniques that don't trigger IDS systems, like doing random walks of
the port space in thousands of blocks at once from large numbers of
scan hosts -- any given CIDR block only sees the occasional packet,
and they don't have nice signatures like being sequential and from the
same initiating address. Taken to extreme levels, you will never catch
such people. Spend your time fixing security holes on your net instead.

-- 
Perry E. Metzger		perry at piermont.com
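As an added example (not part of the thread), a small per-source scan heuristic in Python run over constructed log lines: it catches the sequential single-origin scan William describes, and shows why the distributed one-packet-per-source probing Perry mentions never reaches its threshold. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines (not from the thread): "<epoch> <src> -> <dst>:<dport>".
# One source walks 198.51.100.1-8 on port 22 within a few seconds.
SEQUENTIAL_SCAN = [
    f"1072713{600 + i} 203.0.113.7 -> 198.51.100.{i + 1}:22" for i in range(8)
]
# Constructed distributed probe: eight sources, one packet each, spread ports.
DISTRIBUTED_SCAN = [
    "1072713700 192.0.2.11 -> 198.51.100.3:1433",
    "1072713733 192.0.2.54 -> 198.51.100.9:22",
    "1072713790 192.0.2.130 -> 198.51.100.17:3306",
    "1072713821 192.0.2.77 -> 198.51.100.40:25",
    "1072713877 192.0.2.201 -> 198.51.100.6:445",
    "1072713902 192.0.2.19 -> 198.51.100.61:8080",
    "1072713955 192.0.2.88 -> 198.51.100.22:22",
    "1072713999 192.0.2.163 -> 198.51.100.50:139",
]

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+)$")

def parse(lines):
    """Yield (ts, src, dst, dport); silently skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def flag_scanners(lines, min_targets=5, window=300):
    """Flag a source that probes >= min_targets distinct hosts on one port
    within `window` seconds: the sequential, same-origin signature."""
    seen = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for ts, src, dst, dport in parse(lines):
        seen[(src, dport)].append((ts, dst))
    flagged = {}
    for (src, dport), hits in seen.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {d for t, d in hits[i:] if t - t0 <= window}
            if len(in_window) >= min_targets:
                flagged[src] = (dport, len(in_window))
                break
    return flagged

def probed_block_hosts(lines):
    """Destination-side view: distinct (dst, dport) pairs, whoever sent them."""
    return {(dst, dport) for _, _, dst, dport in parse(lines)}
```

The per-source rule flags only the sequential scanner; the distributed probes still touch eight hosts in the block but each source stays below threshold, which is the limitation Perry points at.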
