North American Network Operators Group

RE: Stopping ip range scans
On Mon, 29 Dec 2003, Abdullah Hameed Sheikh wrote:

> There are two types of network: Enterprise and Service Provider.

I kind of have both types. I call them unmanaged and managed. For certain IP blocks (always larger than /24) all traffic is passing through a Linux firewall with multiple VLANs & Ethernet ports to be able to accommodate multiple customers at the same time. I'd like to at least stop this scan for everything behind the firewall. It would be best if I could stop it for the entire network too, but that is just a wish and I did not see any easy way to do it using Cisco configuration, and modifying access lists every minute is probably not too interesting (here I again get reminded of the cooperative BGP filtering draft I worked on for bogons with Michael, Rob & Joren, see http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt ; I'll have to wait until it's part of the OS to try something for scan prevention...).

> The job of the service provider is very simple. Just provide plain
> Internet connectivity.

The above is true if you're a very "plain" network provider. Some of us do more than just simple Internet connectivity services...

> if the traffic is destined to an IP which is
> in my network, it is considered legitimate traffic. )

The problem is these are random scans; the traffic is going to IPs that are not used and never were. They're clearly random sequential scans.

> But it can block your legitimate traffic as well.

I've thought about it and the way I see it - if somebody is scanning me, it's not legitimate traffic to me and a big potential security risk. So if the same IP hits 2 or 3 sequential IP addresses on some monitoring device within a fraction of a second, it seems OK to me if it's blocked for the next 10 minutes (but not permanently). I don't think any legitimate traffic would be lost in this case. (Note: the definition of "legitimate" varies from network to network and from one person to another.)

--
William Leibzon
Elan Networks
[email protected]
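The rule proposed above (same source hits 2 or 3 sequential addresses within a fraction of a second, block it for 10 minutes, never permanently), written out as an added Python example that is not part of the original post or of any participant's code. The log format "<epoch_seconds> <src_ip> <dst_ip>", the 0.5 s window, the 3-hit threshold and the sample probes are all constructed assumptions; the detector only reports accept/block/drop per probe and leaves installing the firewall rule to the caller.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS, SEQ_HITS, BLOCK_SECONDS = 0.5, 3, 600  # assumed: "fraction of a sec", "2 or 3" hits, 10 minutes
# Constructed sample log ("<epoch_seconds> <src_ip> <dst_ip>"): 203.0.113.7 walks three
# consecutive unused addresses within 250 ms; 203.0.113.9 probes too slowly to match.
SAMPLE_LOG = """\
1072700000.000 203.0.113.7 198.51.100.10
1072700000.100 203.0.113.7 198.51.100.11
1072700000.250 203.0.113.7 198.51.100.12
1072700000.300 203.0.113.9 198.51.100.20
1072700001.500 203.0.113.9 198.51.100.21
1072700005.000 203.0.113.7 198.51.100.13
1072700700.000 203.0.113.7 198.51.100.40
"""
def parse_line(line):  # one log line -> (timestamp, src address, dst address as an integer)
    ts, src, dst = line.split()
    return float(ts), ipaddress.ip_address(src), int(ipaddress.ip_address(dst))

class ScanDetector:
    def __init__(self, window=WINDOW_SECONDS, hits=SEQ_HITS, block_for=BLOCK_SECONDS):
        self.window, self.hits, self.block_for = window, hits, block_for
        self.recent = defaultdict(deque)  # src -> deque of (ts, dst_int) inside the window
        self.blocked = {}                 # src -> timestamp at which the temporary block expires
    def is_blocked(self, src, now):  # True while a block is in force; expired blocks are removed
        if self.blocked.get(src, now) > now:
            return True
        self.blocked.pop(src, None)
        return False
    def observe(self, ts, src, dst):
        """Record a probe; return True when the last `hits` probes hit consecutive addresses."""
        q = self.recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > self.window:  # forget probes older than the window
            q.popleft()
        last = [d for _, d in list(q)[-self.hits:]]
        if len(last) == self.hits and all(a + 1 == b for a, b in zip(last, last[1:])):
            self.blocked[src] = ts + self.block_for  # temporary, not permanent
            return True
        return False

def process_log(text, det=None):
    """One (src, action) per line: 'accept', 'block' (new block) or 'drop' (already blocked)."""
    det, out = det or ScanDetector(), []
    for line in text.splitlines():
        ts, src, dst = parse_line(line)
        act = "drop" if det.is_blocked(src, ts) else "block" if det.observe(ts, src, dst) else "accept"
        out.append((str(src), act))
    return out
```

Only probes to the monitoring (unused) addresses should be fed in, otherwise a legitimate client walking a few consecutive live hosts could trip the threshold.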