North American Network Operators Group

Re: Stopping ip range scans
On Mon, 2003-12-29 at 06:47, [email protected] wrote:

> Recently (this year...) I've noticed an increasing number of ip range scans
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially.

You're lucky. I've been watching this slowly ramp up for the last 10. ;-)

> At first I attributed all this to various
> windows viruses, but I did some logging with callbacks soon after to
> origin machine on ports 22 and 25) and a substantial number of these scans
> are coming from unix boxes.

Since no one (to my knowledge) has ever been arrested or sued over a port
scan, there is nothing holding back the script kiddies from doing them at
will. Heck, check the archives here and you will find a number of posts
where various people feel this is legitimate and justifiable activity.

> I'm willing to tolerate some random traffic
> like dns (although why would anybody send dns requests to ips that never
> ever had any servers on them?)

Simplicity. It's easier to write a scanner that just hits every and/or random
IPs rather than troll to look for legitimate name servers. That and the
unadvertised ones are more likely to be vulnerable anyway.

> So I'm wondering what are others doing in this regard? Is there any
> router configuration or possibly intrusion detection software for a linux
> based firewall that can be used to notice as soon as this random scan
> starts and block the ip on a temporary basis?

Check out Bill Stearns' Firebrick project:

http://www.stearns.org/firebricks/

Basically, these are plug-in rule sets for iptables. The three you are
interested in are ban30, checksban and catchmapper. If you want a little less
overhead, you can use catchmapreply. Also, the bogons module might be
interesting for an ISP environment. Note that the plength module implements
some of the fragment size limitations I was querying this group about a few
weeks back. :)

> Best would be some kind of way
> to immediately detect the scan on the router and block it right there...
> Any people or networks tracking this down to perhaps alert each other?

Check: http://www.dshield.org/

I *think* Johannes has even added the ability to query based on AS.

HTH,
C
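The detect-then-temporarily-block behaviour the original poster asks for, sketched as an added example that is not part of the thread or of the firebricks rule sets: it reads iptables LOG lines, counts distinct destination addresses per source inside a sliding window, and bans a source for a fixed period once it crosses a threshold. The threshold, window, 30-minute ban and the log sample are all assumptions made here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions, not values from the thread: a source touching
# THRESHOLD distinct addresses of our block within WINDOW is treated as a range
# scanner and blocked for BAN (the firebricks name "ban30" suggests 30 minutes).
THRESHOLD = 5
WINDOW = timedelta(seconds=60)
BAN = timedelta(minutes=30)
# Syslog stamp (no year) plus the SRC=/DST= fields of an iptables LOG line.
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)")

def detect_scans(lines, threshold=THRESHOLD, window=WINDOW, ban=BAN):
    """Sliding-window range-scan detector over iptables LOG lines.
    Returns {src: ban_expiry}; hits from a currently banned source are ignored,
    as a live firewall would already be dropping them."""
    recent = defaultdict(deque)          # src -> (ts, dst) pairs, oldest first
    bans = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        src, dst = m["src"], m["dst"]
        if src in bans:
            if ts < bans[src]:
                continue                 # still banned: nothing new to learn
            del bans[src]                # ban expired: watch this source again
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:     # forget hits older than the window
            q.popleft()
        if len({d for _, d in q}) >= threshold:   # distinct targets, not hits
            bans[src] = ts + ban
            q.clear()
    return bans

# Constructed sample (not from the thread): 198.51.100.7 walks 192.0.2.1-5 on
# port 22 and its sixth probe lands after the ban; 203.0.113.9 stays under it.
SAMPLE_LOG = """\
Dec 29 06:47:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=22
Dec 29 06:47:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.2 PROTO=TCP SPT=40002 DPT=22
Dec 29 06:47:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53
Dec 29 06:47:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.3 PROTO=TCP SPT=40003 DPT=22
Dec 29 06:47:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.4 PROTO=TCP SPT=40004 DPT=22
Dec 29 06:47:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=40005 DPT=22
Dec 29 06:47:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 PROTO=UDP SPT=53 DPT=53
Dec 29 06:47:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.6 PROTO=TCP SPT=40006 DPT=22
"""
```

Running `detect_scans(SAMPLE_LOG.splitlines())` bans only 198.51.100.7, with the expiry 30 minutes after its fifth distinct target; in a real deployment the returned map would drive the insertion and later removal of DROP rules.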