Stopping ip range scans
Chris Brenton
cbrenton at chrisbrenton.org
Mon Dec 29 11:24:34 UTC 2003
On Mon, 2003-12-29 at 06:47, william at elan.net wrote:
> Recently (this year...) I've noticed an increasing number of ip range scans
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially.
You're lucky. I've been watching this slowly ramp up for the last 10.
;-)
> At first I attributed all this to various
> windows viruses, but I did some logging (with callbacks soon after to
> the origin machine on ports 22 and 25) and a substantial number of these scans
> are coming from unix boxes.
Since no one (to my knowledge) has ever been arrested or sued over a
port scan, there is nothing holding back the script kiddies from doing
them at will. Heck, check the archives here and you will find a number
of posts where various people feel this is legitimate and justifiable
activity.
> I'm willing to tolerate some random traffic
> like dns (although why would anybody send dns requests to ips that never
> ever had any servers on them?)
Simplicity. It's easier to write a scanner that just hits every IP and/or
random IPs rather than trolling to look for legitimate name servers. That
and the unadvertised ones are more likely to be vulnerable anyway.
> So I'm wondering what are others doing in this regard? Is there any
> router configuration or possibly intrusion detection software for linux
> based firewall that can be used to notice as soon as this random scan
> starts and block the ip on a temporary basis?
Check out Bill Stearns' Firebricks project:
http://www.stearns.org/firebricks/
Basically, these are plug-in rule sets for iptables. The three you are
interested in are ban30, checksban and catchmapper. If you want a little
less overhead, you can use catchmapreply. Also, the bogons module might
be interesting for an ISP environment. Note that the plength module
implements some of the fragment size limitations I was querying this
group about a few weeks back. :)
> Best would be some kind of way
> to immediately detect the scan on the router and block it right there...
> Any people or networks tracking this down to perhaps alert each other?
Check:
http://www.dshield.org/
I *think* Johannes has even added the ability to query based on AS.
HTH,
C
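The idea behind the ban30 / catchmapper style rule sets mentioned above (notice a source walking many addresses in your block on one port, then block it for a while and let it back in later) can be prototyped as a log-driven detector. The following is an added example written for this archive page; it is not Firebricks code and not anything posted by Chris or William. It assumes a netfilter-LOG-style line format with an epoch timestamp prepended (a constructed format), and the sample log lines, thresholds (8 distinct destinations within 60 seconds) and 30-minute ban length are assumptions chosen for illustration.

```python
"""Range-scan detector with temporary bans, run over constructed log lines.

Added example, not from the Firebricks project.  One source that touches
`threshold` distinct destination IPs on the same proto/port within `window`
seconds is banned for `ban_seconds` (30 minutes, the ban30 idea); a banned
source's further probes are ignored until the ban expires.
"""
import re
from collections import defaultdict, deque

# Assumed (constructed) line format:
#   "<epoch> kernel: IN=eth0 SRC=a.b.c.d DST=e.f.g.h LEN=44 PROTO=TCP SPT=40000 DPT=22"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return (ts, src, dst, proto, dport) or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dpt = int(m["dpt"]) if m["dpt"] else None
    return (int(m["ts"]), m["src"], m["dst"], m["proto"], dpt)


class ScanDetector:
    def __init__(self, threshold=8, window=60, ban_seconds=30 * 60):
        self.threshold = threshold
        self.window = window
        self.ban_seconds = ban_seconds
        # (src, proto, dport) -> deque of (ts, dst) seen inside the window
        self.events = defaultdict(deque)
        self.bans = {}  # src -> expiry timestamp

    def is_banned(self, src, now):
        """True while a ban is active; expired bans are dropped lazily."""
        expiry = self.bans.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[src]
            return False
        return True

    def observe(self, ts, src, dst, proto, dport):
        """Feed one probe.  Returns True if this probe triggered a new ban."""
        if self.is_banned(src, ts):
            return False
        q = self.events[(src, proto, dport)]
        q.append((ts, dst))
        while q and ts - q[0][0] > self.window:  # slide the window
            q.popleft()
        if len({d for _, d in q}) >= self.threshold:
            self.bans[src] = ts + self.ban_seconds
            q.clear()
            return True
        return False

    def active_bans(self, now):
        """Sources still banned at time `now`, sorted."""
        return sorted(s for s, e in self.bans.items() if e > now)


def run(lines, **kwargs):
    """Replay log lines in timestamp order; return ([(ts, src) ban events], detector)."""
    det = ScanDetector(**kwargs)
    parsed = [p for p in (parse_line(l) for l in lines) if p is not None]
    bans = []
    for ts, src, dst, proto, dport in sorted(parsed, key=lambda p: p[0]):
        if det.observe(ts, src, dst, proto, dport):
            bans.append((ts, src))
    return bans, det


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = (
    # a sequential sweep of 192.0.2.1-192.0.2.12 on tcp/22, one probe per second
    [f"{1072700000 + i} kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.{i + 1} "
     f"LEN=44 PROTO=TCP SPT=40000 DPT=22" for i in range(12)]
    # a legitimate MTA retrying one host on tcp/25: one destination, never banned
    + [f"{1072700000 + 5 * i} kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.20 "
       f"LEN=60 PROTO=TCP SPT={50000 + i} DPT=25" for i in range(12)]
    # a random-order DNS sweep on udp/53 across the block
    + [f"{1072700100 + i} kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.{(37 * i) % 200 + 1} "
       f"LEN=60 PROTO=UDP SPT=1234 DPT=53" for i in range(10)]
)

if __name__ == "__main__":
    ban_events, det = run(SAMPLE_LOG)
    for ts, src in ban_events:
        print(f"{ts} ban {src} for {det.ban_seconds}s")
    print("still banned 30 min after the first ban:", det.active_bans(1072700007 + 1800))
```

Keying the window on (source, protocol, port) rather than on source alone is what keeps the retrying mail server out of the ban list: it generates plenty of packets but only one distinct destination. On a real router this logic would sit behind a LOG target and push the resulting bans into an iptables chain with a timed cleanup, which is what the Firebricks rule sets do directly in the kernel.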
More information about the NANOG mailing list