Stopping ip range scans
Phil Rosenthal
pr at isprime.com
Tue Dec 30 02:25:03 UTC 2003
Out of curiosity.....
How many of your scans come from hijacked IP space?
On Dec 29, 2003, at 6:47 AM, william at elan.net wrote:
>
>
> Recently (this year...) I've noticed an increasing number of ip range scans
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially. At first I attributed all this to various
> windows viruses, but I did some logging (with callbacks soon after to
> origin machine on ports 22 and 25) and a substantial number of these scans
> are coming from unix boxes. I'm willing to tolerate some random traffic
> like dns (although why would anybody send dns requests to ips that never
> ever had any servers on them?), but scans on random port of all my ips -
> that I consider to be a serious security issue and I'm getting tired of it
> to say the least (not to mention that it's a drain on resources, as for example
> routers have to answer and try to route all the requests or answer back
> that they could not).
> So I'm wondering what are others doing in this regard? Is there any
> router configuration or possibly intrusion detection software for linux
> based firewall that can be used to notice as soon as this random scan
> starts and block the ip on a temporary basis? Best would be some kind of way
> to immediately detect the scan on the router and block it right there...
> Any people or networks tracking this down to perhaps alert each other?
>
> --
> William Leibzon
> Elan Networks
> william at elan.net
>
--Phil Rosenthal
ISPrime, Inc.
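
Added example, not part of the original thread and not code from either poster: a sketch of the detection asked about in the quoted message, flagging a source that probes many distinct addresses of one block within a short window and giving it a temporary block. The log format, the thresholds, the function names and the documentation prefixes used as addresses are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW = 60          # seconds of history kept per source (assumed value)
MIN_TARGETS = 8      # distinct destinations within WINDOW treated as a scan (assumed)
BLOCK_FOR = 900      # length of the temporary block in seconds (assumed)
OUR_BLOCK = ipaddress.ip_network("192.0.2.0/24")  # documentation prefix as stand-in


def parse(line):
    """Parse a constructed 'epoch src dst dport' firewall log line."""
    ts, src, dst, dport = line.split()
    return int(ts), src, ipaddress.ip_address(dst), int(dport)


def detect_scans(lines):
    """Return {src: block_expiry_epoch} for sources sweeping OUR_BLOCK."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside WINDOW
    blocked = {}
    for ts, src, dst, _dport in map(parse, lines):
        if dst not in OUR_BLOCK:
            continue
        if blocked.get(src, 0) > ts:
            continue              # block still active, ignore further probes
        q = recent[src]
        q.append((ts, dst))
        while q and q[0][0] <= ts - WINDOW:
            q.popleft()           # expire probes older than the window
        # Count distinct destinations, so a busy client of one server is not flagged.
        if len({d for _, d in q}) >= MIN_TARGETS:
            blocked[src] = ts + BLOCK_FOR
            q.clear()
    return blocked


# Constructed sample: 198.51.100.7 walks .1-.10 on port 22, one probe per second;
# 203.0.113.5 is an ordinary client hitting a single mail server repeatedly.
SAMPLE = [f"{1000 + i} 198.51.100.7 192.0.2.{i + 1} 22" for i in range(10)]
SAMPLE += [f"{1000 + i} 203.0.113.5 192.0.2.25 25" for i in range(10)]
SAMPLE.sort()

if __name__ == "__main__":
    for src, until in detect_scans(SAMPLE).items():
        print(f"block {src} until {until}")
```

A sweep paced slower than one new address per `WINDOW / MIN_TARGETS` seconds stays under this threshold, so the window and count have to be tuned against real traffic.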