North American Network Operators Group


RE: Stopping ip range scans

  • From: william
  • Date: Mon Dec 29 07:08:32 2003

On Mon, 29 Dec 2003, Abdullah Hameed Sheikh wrote:

> There are two types of network: Enterprise and Service Provider.
I kind of have both types. I call them unmanaged and managed. For certain 
ip blocks (always larger than /24) all traffic is passing through linux 
firewall with multiple vlans & ethernet ports to be able to accommodate 
multiple customers at the same time. I'd like to at least stop this scan 
for everything behind the firewall. Would be best if I stop it for entire 
network too, but that is just a wish and I did not see any easy way to do 
it using cisco configuration and modifying access lists every minute is 
probably not too interesting (here I again get reminded of the cooperative
bgp filtering draft I worked on for bogons with Michael, Rob & Joren, see
I'll have to wait until it's part of OS to try something for scan prevention...).

> The job of the service provider is very simple. Just provide plain
> Internet connectivity.
The above is true if you're a very "plain" network provider. Some of us do 
more than just simple internet connectivity services...

> if the traffic is destined to an IP which is
> in my network, it is considered legitimate traffic. )
The problem is these are random scans, the traffic is going to ips that 
are not used and never were. They're clearly random sequential scans.

> But it can block your legitimate traffic as well. 
I've thought about it and the way I see it - if somebody is scanning me, 
it's not legitimate traffic to me and a big potential security risk. So if 
the same ip hits within a fraction of a sec 2 or 3 sequential ip addresses on 
some monitoring device, it seems ok for me if it's blocked for the next 10 minutes 
(but not permanently). I don't think any legitimate traffic would be lost
in this case. (Note: definition of "legitimate" varies from network to 
network and from one person to another).

William Leibzon
Elan Networks
[email protected]
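
The heuristic described in the message above (one source hitting 2 or 3 sequential addresses within a fraction of a second, then blocked for 10 minutes but not permanently), as an added example that is not part of the original post. The class name, the thresholds of 3 addresses and 0.5 seconds, and the sample events are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

class SequentialScanDetector:
    def __init__(self, run_length=3, window=0.5, block_seconds=600):
        self.run_length = run_length        # assumed: 3 sequential addresses
        self.window = window                # assumed: "fraction of a sec" = 0.5 s
        self.block_seconds = block_seconds  # 10 minutes, as in the post
        self.recent = defaultdict(deque)    # src -> (timestamp, dst as int)
        self.blocked_until = {}             # src -> block expiry time

    def observe(self, ts, src, dst):
        """Return 'drop' (src blocked), 'block' (this hit triggers a block) or 'pass'."""
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"
            del self.blocked_until[src]     # temporary block, not permanent
        hits = self.recent[src]
        hits.append((ts, int(ipaddress.ip_address(dst))))
        while ts - hits[0][0] > self.window:
            hits.popleft()                  # forget hits older than the window
        # Longest run of consecutive destination addresses inside the window.
        seen = sorted({d for _, d in hits})
        run = best = 1
        for prev, cur in zip(seen, seen[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= self.run_length:
            self.blocked_until[src] = ts + self.block_seconds
            del self.recent[src]
            return "block"
        return "pass"

# Constructed sample events (timestamp, source, destination); documentation ranges.
EVENTS = [
    (0.00, "198.51.100.7", "192.0.2.10"),
    (0.05, "203.0.113.9", "192.0.2.80"),    # single destination, not a scan
    (0.10, "198.51.100.7", "192.0.2.11"),
    (0.20, "198.51.100.7", "192.0.2.12"),   # third sequential hit within 0.5 s
    (5.00, "198.51.100.7", "192.0.2.13"),   # inside the 10-minute block
    (700.0, "198.51.100.7", "192.0.2.14"),  # block has expired
]

def run_sample():
    det = SequentialScanDetector()
    return [det.observe(*event) for event in EVENTS]
```

A source that walks the same addresses more slowly than the window never accumulates a run, so the window and run length set the trade-off between missed slow scans and blocked legitimate traffic.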