North American Network Operators Group


Re: Stopping ip range scans

  • From: Phil Rosenthal
  • Date: Mon Dec 29 21:27:17 2003

Out of curiosity.....
How many of your scans come from hijacked IP space?
On Dec 29, 2003, at 6:47 AM, [email protected] wrote:



Recently (this year...) I've noticed an increasing number of ip range scans
of various types that involve one or more ports being probed for our
entire ip blocks sequentially. At first I attributed all this to various
windows viruses, but I did some logging (with callbacks soon after to
the origin machine on ports 22 and 25) and a substantial number of these scans
are coming from unix boxes. I'm willing to tolerate some random traffic
like dns (although why would anybody send dns requests to ips that never
ever had any servers on them?), but scans on random port of all my ips -
that I consider to be a serious security issue and I'm getting tired of it
to say the least (not to mention that it's a drain on resources, as for example
routers have to answer and try to route all the requests or answer back
that they could not).
So I'm wondering what are others doing in this regard? Is there any
router configuration or possibly intrusion detection software for linux
based firewall that can be used to notice as soon as this random scan
starts and block the ip on a temporary basis? Best would be some kind of way
to immediately detect the scan on the router and block it right there...
Any people or networks tracking this down to perhaps alert each other?

--
William Leibzon
Elan Networks
[email protected]

--Phil Rosenthal
ISPrime, Inc.
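
The quoted message asks how a sequential sweep of an address block could be noticed and the source blocked on a temporary basis. One way to detect that pattern from connection logs, as an added example that is not part of either post; the log tuple layout, the thresholds, the block duration and the name `find_sweeps` are assumptions, and the sample events are constructed:

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (unix_time, source, destination, dst_port) connection
# attempts as a firewall log might record them. Addresses are documentation
# ranges (RFC 5737), not real traffic.
SAMPLE = (
    [(1000 + i, "198.51.100.7", f"192.0.2.{10 + i}", 22) for i in range(12)]
    + [(1003, "203.0.113.5", "192.0.2.53", 53),
       (1009, "203.0.113.5", "192.0.2.53", 53),
       (1004, "203.0.113.9", "192.0.2.80", 80)]
)

def find_sweeps(events, window=60, min_targets=10, block_for=600):
    """Return {source: (port, targets_seen, sequential_fraction, block_until)}.

    A source is flagged when it touches at least `min_targets` distinct
    local addresses on one port within `window` seconds. The thresholds
    and the block duration are illustrative assumptions.
    """
    per_key = defaultdict(list)          # (source, port) -> [(time, dst_int)]
    for ts, src, dst, port in sorted(events):
        per_key[(src, port)].append((ts, int(ipaddress.ip_address(dst))))

    flagged = {}
    for (src, port), hits in per_key.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window so it spans at most `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            seen = [d for _, d in hits[start:end + 1]]
            targets = list(dict.fromkeys(seen))  # distinct, in arrival order
            if len(targets) >= min_targets:
                # Fraction of steps that move to the next address: near 1.0
                # for the sequential sweeps described in the message.
                steps = sum(b - a == 1 for a, b in zip(targets, targets[1:]))
                seq = steps / (len(targets) - 1)
                flagged[src] = (port, len(targets), seq, hits[end][0] + block_for)
                break
    return flagged

if __name__ == "__main__":
    for src, (port, n, seq, until) in find_sweeps(SAMPLE).items():
        print(f"{src}: {n} targets on port {port}, "
              f"{seq:.0%} sequential, block until t={until}")
```

The repeated DNS queries to a single address in the sample stay below the threshold, which matches the distinction the message draws between stray traffic and a sweep of the whole block.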