Slashdot Mirror


How Do You Handle Portscanning Attacks?

Kainaw asks: "I tried to submit this earlier, but I couldn't because I had no bandwidth available. The reason is simple: I use Comcast for cable Internet. My modem/router is portscanned constantly. Nothing makes it past the router, so everyone tells me that it isn't an issue. Well, it is when I can't access any webpages, get email, or even submit a simple article to Ask Slashdot because my entire bandwidth is eaten up by script kiddies with a new portscanner toy. This is a two-part question: First, can anything be done with a simple at-home modem/Linksys router/two computer setup to stop a portscanning attack? Second, is it possible for the Linksys router to become a 'bot' and actually be the originator of much of the traffic?"

140 comments

  1. Contact Comcast by rmjohnso · · Score: 2, Informative

    I would suggest you contact Comcast. They might be able to help you out, especially if you think it's a problem on your end. I've never heard of a Linksys router being made into a bot, though.

    On a side note, I've also got Comcast, and I've never run into anything like this. They do tend to have a lot of problems with their DNS servers, though.

    --
    "Extremism in the pursuit of liberty is no vice. Moderation in the pursuit of justice is no virtue." --Barry Goldwater
    1. Re:Contact Comcast by Kainaw · · Score: 2, Informative

      They do tend to have a lot of problems with their DNS servers, though.

      I called Comcast and found that the DNS sent with DHCP for the cable modems is actually the testing DNS server. I had set the DNS server IP address manually and I've had no DNS problems since. Unfortunately, I'm at work, so I have no clue what the IP address is.

      --
      The previous comment is purposely vague and generalized, but all of the facts are completely true.
    2. Re:Contact Comcast by JVert · · Score: 1

      One of their gateways in the way to warcraft was down for a week, 800 ping sometimes just a timeout, ping in game was 1800-2400, asked around on DSL forums and in vain sent an email to abuse@comcast.com explaining the ip and ping. The next day it was fixed...

    3. Re:Contact Comcast by Anonymous Coward · · Score: 0

      I got portscanned a whole lot when I was on comcast. I still do, now that I'm on a different ISP. But, portscans don't eat up huge chunks of bandwidth---if you simply ignore the packets, and you're getting 500-byte packets fired at 400 different ports spanning over two minutes simultaneously from twenty different IPs, you'd have to have a max downstream of 320Kbit to fill your connection up, and cable tends to have a fair bit more than that!!
      And, at that rate, nearly 15000 people would be scanning you a day... and if that were happening to everybody on an ip with ~50000 customers, that would mean, on average, every US citizen portscans two and a half comcast addresses a day.
      (I hope my math is right, otherwise my post loses some of its impact *g*)
      -os

    4. Re:Contact Comcast by robertjw · · Score: 0, Offtopic

      Unfortunately, I'm at work, so I have no clue what the IP address is.

      You mean you can't ssh into your home box from the office.
      Loser.

    5. Re:Contact Comcast by magefile · · Score: 1

      Please post it when you get home. If only for backup purposes, it'd be good to have around.

    6. Re:Contact Comcast by daviddennis · · Score: 1

      I think cable modem companies frown on that sort of thing, and in fact block the relevent ports.

      D

    7. Re:Contact Comcast by robertjw · · Score: 2, Interesting

      Umm... Comcast doesn't, at least not on my subnet.

      I actually had some discussions with the installers and local sales people for Comcast. Their attitude was a don't ask/don't tell policy for running services over their cable modem connections. As long as you aren't soaking up an extreme amount of bandwidth they don't really care if you are running a web server, ftp server, whatever.

      Besides, I could run ssh over any port I want.

    8. Re:Contact Comcast by ultramkancool · · Score: 1

      What kind of isp cares if you run a server? He is being portscanned by pathetic script kiddies not comcast!

    9. Re:Contact Comcast by BridgeBum · · Score: 1

      You can always use 4.2.2.2, which is nice and easy to remember.

      --
      My UID is the product of 2 primes.
    10. Re:Contact Comcast by robertjw · · Score: 1

      What kind of isp cares if you run a server?

      Kinda what I was thinking...

    11. Re:Contact Comcast by DrSkwid · · Score: 1

      and in fact block the relevent [sic] ports

      which ones would those be, 0-65535 ?

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    12. Re:Contact Comcast by Chess_the_cat · · Score: 1
      What kind of isp cares if you run a server?

      Read your TOS. I think you may be pleasantly surprised to find that running a server on your connection has been forbidden by your ISP. I know mine does.

      --
      Support the First Amendment. Read at -1
    13. Re:Contact Comcast by cpeterso · · Score: 2, Funny


      I'm at work, but even I know the IP address of my Comcast cable modem is 127.0.0.1. Bring the script kiddieZ!!1!

    14. Re:Contact Comcast by sharkey · · Score: 1
      I would suggest you contact Comcast. They might be able to help you out

      Ahhhh, the optimism of the hopelessly naive. Remember, the people working at the cable ISPs are there for a reason: they were too dumb to get jobs at the phone company.

      Tell me if my standards are too high, but when the Tier 3 support for an ISP servicing Indianapolis, IN can't even find Indiana on a map, you know you're fucked for paying them.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    15. Re:Contact Comcast by sharkey · · Score: 1

      What does not knowing the IP address of Comcast's DNS servers have to do with getting a shell session to a subscriber's home machine?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    16. Re:Contact Comcast by Hadlock · · Score: 1

      It's true, but it's designed so that businesses don't lease a consumer DSL line, and expect to run a web server off it full time. They lease commercial DSL lines for that sort of thing, same (peak) bandwidth as consumer, but much higher sustained. Doesn't mean you can't RUN a lightweight SSL, HTTP, FTP or other server for personal use. It's much easier to throw a file in the "website" folder of your computer and send your tech-inept friend a web link to download than explain FTP or AIM file transfer. I've been on SBC, Verizon DSL and Comcast cable, and never had a problem.

      --
      moox. for a new generation.
    17. Re:Contact Comcast by robertjw · · Score: 1

      I could ssh into my home machine and look at the DNS settings from work.

    18. Re:Contact Comcast by robertjw · · Score: 1

      Not only that, but many ISPs will look the other way if you even want to run a commercial site off your DSL or Cable connection. As long as you don't get slashdotted you will be fine.

    19. Re:Contact Comcast by DetrimentalFiend · · Score: 1

      Nope, only 1-65535 :-)

    20. Re:Contact Comcast by DrSkwid · · Score: 1

      =)

      I must admit I had never figured that port 0 was valid but I can't see any reason in RFC 793 - Transmission Control Protocol that prohibits port 0 being used and IANA's port number document merely says that it is "reserved".

      However :

      # sshd -p 0 -D
      Bad port number.

      it might be a neat hack if firewalls skip port 0 or some such

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    21. Re:Contact Comcast by PayPaI · · Score: 1

      4.2.2.[1-6] are all good nameservers from gtei/genuity/verizon
      1.2.2.4.in-addr.arpa domain name pointer vnsc-pri.sys.gtei.net.
      2.2.2.4.in-addr.arpa domain name pointer vnsc-bak.sys.gtei.net.
      3.2.2.4.in-addr.arpa domain name pointer vnsc-lc.sys.gtei.net.
      4.2.2.4.in-addr.arpa domain name pointer vnsc-pri-dsl.genuity.net.
      5.2.2.4.in-addr.arpa domain name pointer vnsc-bak-dsl.genuity.net.
      6.2.2.4.in-addr.arpa domain name pointer vnsc-lc-dsl.genuity.net.

      If I remember, 4.2.2.3 used to be i-will-not-steal-service.gtei.net

    22. Re:Contact Comcast by JofCoRe · · Score: 1

      I just wanted to chime in here and say that I agree w/the parent's post - contact Comcast. I had a similar problem a few months ago w/comcast (right around the time they upgraded speed to 4Mbps). I would do a speed test, and my d/l speed would end up something pitiful like 20Kbps while my upload was a little higher (but still pitiful) around 50-100Kbps. I thought that someone else in my area must be d/l'ing a bunch of stuff and chewing up the "shared" bandwidth for my area. I contacted comcast, told them my suspicions, and they sent a tech out to look @ my computer. I talked to the tech when they were there, and told him in no uncertain terms that the traffic WAS NOT coming from my machines (I have a firewall, and the external light was flashing wildly, while the trusted side was not -- pretty obvious that I'm not the cause of the traffic). After that, he contacted their cable technicians, and the next day there was a comcast truck outside my place for a little bit, and when I got home there was a note on my door saying that they had replaced a bad cable someplace outside. (past my house, since my cable was still the same)

      After that, my speed was right back up where it should be.

      --
      Place sig here.
    23. Re:Contact Comcast by ultramkancool · · Score: 1

      I read mine over and discovered... They don't recommend it for security reasons but nothing else. Besides it's not like they can stop you anyways. I mean are they gonna charge you $5 for every open port?

    24. Re:Contact Comcast by BlogPope · · Score: 1

      Comcast, for one. They also care if you VPN to your work network.

      --
      My other car is a Popemobile
    25. Re:Contact Comcast by robertjw · · Score: 1

      Comcast, for one. They also care if you VPN to your work network.

      How do you define care? As in it's listed in their TOS? They shut you down for it? You work for them and hunt people down that run websites or connect to their machine locally?

      Almost a year ago I contacted our local Comcast business sales rep to see about a data line to our office. I wanted to see if I could sign up for an account where I could host a server. They did not offer an account that allowed server hosting in our area at that time, but she basically told me if we signed up for a business account and didn't have too much traffic it would be fine. She kind of skated around the issue - probably so she didn't get in trouble about it later.

      Not long after that I had a Comcast connection installed at home. The installer there basically told me the same thing. Said if there was a serious problem with bandwidth usage they would contact me before they shut anything down.

      This may have to do with the infrastructure they have in my local area, so your results may vary. I've been SSHing into my home connection from work since the end of last summer and they haven't said a word. I also use BT quite a bit, no complaints about that either. I imagine they have more of a problem with windows machines and viruses/spyware than they do with a few people running web servers or ftp servers.

    26. Re:Contact Comcast by ciscoguy01 · · Score: 1

      If you have a linksys router there is always WallWatcher. You tell the linksys what IP to send the logs to and you get them all for analysis. You will KNOW where they are coming from. Pretty slick really.
      http://wallwatcher.com/
      I notice it supports lots of other brand routers now.

      I had a spammer attempting to send mail to my home dsl line, constant port 25 attempts. Filtered of course but you would think they would have noticed that address was not accepting mail after months of trying. Nope. The guy was so persistent I contacted his ISP and their security NOC people responded immediately, they filtered me in their router.

      They wouldn't consider making their customer STOP SPAMMING or anything like that, which is what I requested they do. Heh.

      --
      .
    27. Re:Contact Comcast by petermgreen · · Score: 1

      In the standard socket APIs, 0 is used as a code for a random/OS-assigned port.

      i.e. it's what you use when binding a socket for an outgoing connection, or if you want to have a socket to listen on but don't really care about its port number since you will be telling your peer that by some other means.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  2. Not The Portscans by asc4 · · Score: 4, Insightful

    Sounds to me like you have bigger problems than the portscanning. Even hundreds of simultaneous port scans are unlikely to chew through all your bandwidth on a cable line. Sounds to me like your computer(s) may be zombied and *that's* what's eating up your bandwidth.

    1. Re:Not The Portscans by Nos. · · Score: 1

      Precisely. A few packets to try and open a connection on a specific port, even if they're trying 1000 ports, is not going to add up to significant bandwidth. Of course they're probably only trying a couple dozen ports at most. In any case, assuming you're not running any servers, just start blocking incoming traffic. Basically, only allow outgoing, or established incoming. If someone tries to establish a new connection, either drop or reject it.

    2. Re:Not The Portscans by fm6 · · Score: 1

      Good point. I wonder when he last ran a spyware scan?

    3. Re:Not The Portscans by RickPartin · · Score: 1

      If it is spyware or a virus using all the bandwidth, doesn't Comcast automatically detect this sort of thing and shut your connection off automatically? I know Charter cable internet does until you fix the problem.

    4. Re:Not The Portscans by Gary+W.+Longsine · · Score: 2, Interesting

      I did once see a similar device nearly crushed when configured in a particularly unusual way. It was set to redirect traffic directed at any port over to a tarpit sitting behind it. After a few minutes of exposure on the wild internet several portscans and worms happened by. The device response slowed a bit, even though very little bandwidth was being used. These devices don't have much CPU and memory, and they are really not designed to front a tarpit on all ports like that. Poor little thing!

      Of course, this is unlikely to be the source of the problem experienced by Kainaw. An infested PC is much more likely.

      --
      If you mod me down, I shall become more powerful than you could possibly imagine.
  3. Here's a suggestion... by TripMaster+Monkey · · Score: 4, Funny


    Got the IP addys of your tormentors?

    Post them here!

    I'm sure some of us could persuade these kids that port scanning is bad for your health...

    ^_^

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Here's a suggestion... by HTL2001 · · Score: 2, Funny

      slashdot:
      Faster than a gag order, more powerfull than a botnet

      I probably horrably mangled that quote, but whatever

      --
      By reading this, you have given me brief control of your mind.
    2. Re:Here's a suggestion... by graphicartist82 · · Score: 1

      What you're forgetting is that the "script kiddies" mentioned probably read slashdot too :)

    3. Re:Here's a suggestion... by TripMaster+Monkey · · Score: 1


      In that case, they'll probably quit on their own after reading my previous post. ;)

      Problem solved...that'll be $175 (American).

      ^_^

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    4. Re:Here's a suggestion... by Anonymous Coward · · Score: 0

      No, not the quote, just the spelling. its...powerfull-ly horrable...but whatever

    5. Re:Here's a suggestion... by Agilo · · Score: 1

      127.0.0.1

      --
      - Agilo
    6. Re:Here's a suggestion... by lscoughlin · · Score: 2, Funny

      All Right!!!

      I'm going to so end that sucker right now, i've got it all loaded up and i'm about to hit the ent

      --
      Old truckers never die, they just get a new peterbilt
    7. Re:Here's a suggestion... by LWATCDR · · Score: 0, Redundant

      I dare those script kiddies to come after my box. I have it locked down so tight that even the NSA could not hack it. I will even give you my IP address. It is 127.0.0.1
      Hack away!

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    8. Re:Here's a suggestion... by Jackhamr · · Score: 1

      Your computer is not secure at all! I just deleted everything on your hard drive! Oh, and I saw the porn that you have been looking at. Nice stuff.

    9. Re:Here's a suggestion... by fordboy0 · · Score: 1
      Yeah, nice. You have the same taste in pr0n as me, but alas I've deleted all yours.

      --
      Ligaguinggligagiggagoogoogwillgo
    10. Re:Here's a suggestion... by sharkey · · Score: 1

      Able to climb the stairs of their parents' basement in a single go for a snack!

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  4. Sounds more like a DoS to me by bersl2 · · Score: 2, Insightful

    Mere portscanning doesn't intentionally clog all bandwidth.

    IANA network security expert, but I'd say put a more capable firewall behind the router (read: a Linux or BSD box) and make it the DMZ.

    At least you don't have some punk trying to find a weak username/password combo through SSH. (Silly script kiddie, you can't login to root through SSH on my box.)

    1. Re:Sounds more like a DoS to me by mutterc · · Score: 2, Interesting
      Be careful with using a Linux box as a firewall - if you don't have experience hardening such systems, you could end up with a much better chance of it becoming a bot than your Linksys box (which is neither i386 nor runs a well-known Linux distro).

      You definitely wouldn't want to do a default install of any distro I know of (except Debian, that doesn't install much of anything except what you ask for).

    2. Re:Sounds more like a DoS to me by dougmc · · Score: 5, Informative
      Mere portscanning doesn't intentionally clog all bandwidth.
      Mod that statement up!

      In my experience, when somebody's saying that `X is using up all my bandwidth', where `X' is things like virii, `hackers', ARP requests or something else, what that really means is that somebody doesn't really understand what's going on.

      Most cable modems have a lot of downstream bandwidth and not so much upstream bandwidth -- but even the upstream bandwidth is far far more than is used by a standard port scan where somebody hits all your ports to see if they're open.

      And even that's unusual -- usually people seem to scan entire networks to see if one port is open, so a single scanner would only send a few packets at your box. It would take several thousand people hitting your box _at once_ like this to make things as bad as you make it sound.

      Your box may actually be under attack (a DoS attack.) I get a lot of trouble like this when people want the nick I use on IRC -- they packet my box incessantly. I've got 5 Mb/s downstream on my cable modem, so as long as my packet filtering isn't responding to each packet, it takes a pretty significant attack to kick me off of IRC. But if my system does respond to every packet with packets of approximately the same size, an attack of about 0.3 Mb/s is enough to bring everything down to a crawl. It's all a matter of configuring my filters properly ...

      Ultimately, what you should do is log all the packets being sent at your IP address with a tool like tcpdump, then send those logs to the abuse department of the ISP where they're coming from. If it's a DDoS attack, the odds are that the IPs are spoofed, but if it's really a portscan it's probably not (because they need to see the returning packets to see which ports are open.)

      You could also contact Comcast and see if they could filter the traffic out, though I'd reserve that option for an attack that lasts days and doesn't give up, because if they're anything like RR, getting to somebody who can actually do that will be very difficult.

      Another way of dealing with an attack is to turn off your cable modem long enough for your DHCP lease to expire, and then come back and get a new IP address, one that's hopefully not being attacked.
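As an added example (not code from any post in this thread), here is the follow-up step to the logging advice above: parse tcpdump-style records, total up packets, distinct ports and bytes per source, and tell a port scan apart from a flood before sending anything to an abuse desk. The record format, addresses, header-size estimate and thresholds are all constructed for this example.

```python
"""Triage inbound packet logs per source: port scan, flood, or neither.

Added example, not code from any post in this thread.  A scan shows up as
few packets per port across many distinct ports and almost no bandwidth; a
flood shows up as volume at one or two ports, enough bytes to matter on a
cable link.  The log format, addresses and thresholds below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed tcpdump-like record (not a real capture):
#   <seconds> IP <src>.<sport> > <dst>.<dport>: Flags [S], length <payload>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], "
    r"length (?P<length>\d+)$"
)
HEADER_BYTES = 40  # assumption: 20-byte IPv4 + 20-byte TCP header, no options


@dataclass
class SourceStats:
    packets: int = 0
    wire_bytes: int = 0
    ports: set = field(default_factory=set)
    first_ts: float = float("inf")
    last_ts: float = 0.0

    def duration(self) -> float:
        # Floor at one second so a lone packet does not divide by zero.
        return max(self.last_ts - self.first_ts, 1.0)

    def kbit_per_s(self, host_replies: bool = False) -> float:
        # A host that answers every probe with a similar-sized packet (RST,
        # ICMP unreachable) roughly doubles what the link has to carry.
        factor = 2 if host_replies else 1
        return factor * self.wire_bytes * 8 / self.duration() / 1000


def parse_log(text: str) -> dict:
    """Aggregate one record per line into per-source counters."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a packet record
        s = stats[m["src"]]
        s.packets += 1
        s.wire_bytes += int(m["length"]) + HEADER_BYTES
        s.ports.add(int(m["dport"]))
        ts = float(m["ts"])
        s.first_ts = min(s.first_ts, ts)
        s.last_ts = max(s.last_ts, ts)
    return dict(stats)


def classify(s: SourceStats, scan_ports: int = 10, flood_pkts: int = 100) -> str:
    """Scan: many distinct ports, at most ~2 packets each.  Flood: volume at few ports."""
    if len(s.ports) >= scan_ports and s.packets <= 2 * len(s.ports):
        return "portscan"
    if s.packets >= flood_pkts and len(s.ports) <= 3:
        return "flood"
    return "normal"


def make_sample_log() -> str:
    """Constructed traffic: one scanner, one flooder, one legitimate SSH client."""
    lines = []
    for i in range(20):  # SYN probes to ports 20..39, 0.1 s apart
        lines.append(f"{i * 0.1:.6f} IP 198.51.100.7.40000 > 203.0.113.5.{20 + i}: "
                     "Flags [S], length 0")
    for i in range(300):  # 300 full-size packets at port 80 within 2 s
        lines.append(f"{i * 2 / 300:.6f} IP 192.0.2.9.{1024 + i} > 203.0.113.5.80: "
                     "Flags [S], length 500")
    for i in range(3):  # an established session pushing a little data
        lines.append(f"{i * 0.5:.6f} IP 192.0.2.44.51000 > 203.0.113.5.22: "
                     "Flags [P.], length 64")
    return "\n".join(lines)


def report(text: str) -> list:
    """Return (source, verdict, packets, distinct ports, kbit/s dropped, kbit/s replied)."""
    rows = []
    for src, s in sorted(parse_log(text).items()):
        rows.append((src, classify(s), s.packets, len(s.ports),
                     round(s.kbit_per_s()), round(s.kbit_per_s(host_replies=True))))
    return rows


if __name__ == "__main__":
    for row in report(make_sample_log()):
        print("%-14s %-8s pkts=%4d ports=%3d drop=%4d kbit/s reply=%4d kbit/s" % row)
```

The two bandwidth columns make the filter-configuration point concrete: the scanner's 20 probes barely register either way, while the flood's cost doubles if every packet is answered.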

    3. Re:Sounds more like a DoS to me by biglig2 · · Score: 2, Interesting

      Well, try a firewall specific distro then, such as m0n0wall. It's excellent, basically FreeBSD with everything cut out but the firewall. Link is http://m0n0.ch/wall, and I'm sure there are plenty of other hardened distros.

      --
      ~~~~~ BigLig2? You mean there's another one of me?
    4. Re:Sounds more like a DoS to me by TheMysteriousFuture · · Score: 2, Informative

      Better yet, use PFSense which is a fork of m0n0wall, but with a goal of higher level functionality.

      After you use the latest installer, go to http://www.pfsense.com/updates/ and grab the latest version, then update via the 'firmware' tab on the web interface.

      --
      .sig
    5. Re:Sounds more like a DoS to me by l00pback · · Score: 1
      Another way of dealing with an attack is to turn off your cable modem long enough for your DHCP lease to expire, and then come back and get a new IP address, one that's hopefully not being attacked.

      It is probably faster to get a new IP on cable by changing your MAC address than waiting for a DHCP lease to expire.

    6. Re:Sounds more like a DoS to me by jazman_777 · · Score: 1
      Be careful with using a Linux box as a firewall - if you don't have experience hardening such systems, you could end up with a much better chance of it becoming a bot than your Linksys box (which is neither i386 nor runs a well-known Linux distro).

      Which is why I tried OpenBSD. I found pf much easier than iptables, and it does NAT quite easily, too. A default install is secure. And the documentation in the FAQ is very helpful in getting your box configured.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    7. Re:Sounds more like a DoS to me by dougmc · · Score: 2, Interesting
      It is probably faster to get a new IP on cable by changing your MAC address than waiting for a DHCP lease to expire
      Probably correct, though it's not always easy to do. Switching cards is easy enough, but it requires shutting down and opening up your computer. Some cards and/or OSs let you change the MAC address of a card on the fly, though it seems to be pretty rare.

      Some cable modems will let you `reset' them by various means (holding down the reset button at power up, holding it down for a long time, leaving the modem off for a long time) and in fact may require that before they'll work with another MAC address (because you're limited to one IP address, and it'll think you still have the old one.)

      And then you need to make sure your DHCP client doesn't request the same IP address again -- many do this by default.

      All in all, getting a new IP address from your cable modem network is often a PITA -- but it's nothing compared to the PITA it is to actually get somebody on the phone at their support organization who understands what a DoS attack is and can actually help you with it.

    8. Re:Sounds more like a DoS to me by KevinKnSC · · Score: 2, Informative

      OP has a linksys router. Showing a new MAC to Comcast involves nothing more than going to the linksys box web admin page and typing in something new.

    9. Re:Sounds more like a DoS to me by nri · · Score: 1

      try
      apt-get install macchanger
      or
      http://www.alobbs.com/macchanger

      It'll allow you to change your MAC address

      --
      if :w! doesn't work, try :!cvs commit -m""
    10. Re:Sounds more like a DoS to me by ultramkancool · · Score: 1

      If you happen to be using the ever-so-popular linksys WRT54G you may consider trying one of many custom firmwares like dd-wrt or openwrt. These can give you SSH and telnet access (from inside your lan) and then you can customize the firewall yourself. Otherwise give ipcop a wing.

    11. Re:Sounds more like a DoS to me by Medievalist · · Score: 3, Informative
      Mere portscanning doesn't intentionally clog all bandwidth.
      True. Portscanning per se is harmless (some things that look like portscanning on cursory inspection are not).
      IANA network security expert, but I'd say put a more capable firewall behind the router (read: a Linux or BSD box) and make it the DMZ.
      No, bad advice; if a person would consider a port scan harmful (s)he is not qualified to run a secured general-purpose system (not even OpenBSD) as a firewall. Better to use a cable modem with an integrated firewall (making sure to keep it patched and not use default passwords) or a "dumb" cable modem with a dedicated firewall between it and the hub or switch (same caveats apply).
      At least you don't have some punk trying to find a weak username/password combo through SSH. (Silly script kiddie, you can't login to root through SSH on my box.)
      If he has port 22 live, and he's on broadband, then he certainly is experiencing the attack you are referring to. Everybody is.

    12. Re:Sounds more like a DoS to me by DrSkwid · · Score: 1

      or Use Windows XP which has even *more* functionality

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    13. Re:Sounds more like a DoS to me by yuri+benjamin · · Score: 2, Interesting

      nothing compared to the PITA it is to actually get somebody on the phone at their support organization who understands what a DoS attack is

      I work for a cable provider in New Zealand. We have all been shown logs of a typical DoS attack and logs of typical filesharing and how to tell the difference. (We don't ban filesharing, but we do charge for extra traffic after a set amount (1GB, 5GB or 10GB depending on the plan)).

      I'm not sure what our techies do about DoS attacks.

      We don't ban running servers or anything. It's the customer's bandwidth - they've paid for it and they can use it for anything that's legal. I don't understand ISPs banning customers from sshing into their box or putting up a personal web page.

      Heck, we even give them a static IP to make it easier (and can change it if required but it takes a few days to provision).

      --
      You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
    14. Re:Sounds more like a DoS to me by thegrassyknowl · · Score: 1

      Mere portscanning doesn't intentionally clog all bandwidth.

      Mod that statement up!

      Not true at all - I have a whopping great 24/1M ADSL plan and I constantly achieve full speed (being only across the road from the phone exchange). If I portscan my mate with the Insane settings in Nmap he goes down for the count. I can flood him with enough traffic to saturate his 512k link for a couple of minutes.

      If I didn't like my mate I could easily take him off the net by asking nmap to scan his IP address repeatedly with the insane options. It doesn't quite DOS him completely but it does slow him down heaps.

      Now, imagine all these script kiddies who don't know crap about shit running their latest 1ee7 h4x0r "tool". I'd wager that any rate control settings on their tools won't get used.

      I constantly see scans in my logs that come in so quick they do put a drain on the connection. It costs me money, it's annoying and there's nothing I can do about it because they don't seem to accept the ICMP-HOST-UNREACHABLE reply that my router sends them.

      I agree with the only solution. Log all the packets being sent, even a simple firewall log showing the scan helps, but tcpdump or Ethereal will be better. Send that to the attacker's ISP and also your own ISP. My ISP is particularly helpful when a huge slab of your monthly data allowance (I counted 1G last month and I didn't have the modem plugged into the phone for all of it) gets chewed up by these morons.

      --
      I drink to make other people interesting!
    15. Re:Sounds more like a DoS to me by moyix · · Score: 2, Funny

      Hmm, I've never needed anything so fancy.

      ifconfig eth0 hw ether b0:0b:b0:0b:b0:0b
      always did the job just fine.
    16. Re:Sounds more like a DoS to me by /dev/trash · · Score: 1

      What would it cost to lay some cable to the US?

    17. Re:Sounds more like a DoS to me by 0racle · · Score: 1

      b0:0b:b0:0b:b0:0b

      heheheheh, I'm so clever.

      --
      "I use a Mac because I'm just better than you are."
    18. Re:Sounds more like a DoS to me by dougmc · · Score: 1
      If I portscan my mate with the Insane settings in Nmap he goes down for the count. I can flood him with enough traffic to saturate his 512k link for a couple of minutes.
      The only options I see useful in nmap for actually doing a DoS attack designed to suck up all of somebody's bandwidth are the `-D decoy1 [,decoy2][,ME],...' and the --data_length options.

      I found the `Insane' setting -- it's not really about flooding a host, it's about assuming that the latency is almost zero, so a scan will happen quickly.

      If I didn't like my mate I could easily take him off the net by asking nmap to scan his IP address repeatedly with the insane options.
      Then you're not really port scanning him anymore -- you're DoS'ing him. A port scan is about finding out which ports he has open -- but there's little point in doing it more than once per port, unless you think his system will respond randomly or something.

      nmap is not meant as a DoS tool, but I guess if you abuse it appropriately, it'll throw lots of trash packets at a host. But there's much better tools out there for that.

    19. Re:Sounds more like a DoS to me by jonadab · · Score: 1

      > It costs me money, it's annoying and there's nothing I can do about it
      > because they don't seem to accept the ICMP-HOST-UNREACHABLE reply that
      > my router sends them.

      Then don't send it.

      Host Unreachable implies that the host is unreachable *at the moment*, but might potentially be reachable at some other time. It tells the attacker less than having the port "closed" (where it sends a reply saying nothing's listening on that port, but verifying that there is a system there and possibly providing information about what TCP/IP stack is in use), but it doesn't tell them nothing.
      Ideally you should send no reply at all to port scans. Let them run traceroute and watch the trail vanish at your ISP, as if you were not connected at all.

      Of course, that doesn't prevent them from scanning you anyway. Repeatedly.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    20. Re:Sounds more like a DoS to me by flawedgeek · · Score: 1

      I dunno about you, but with my setup, comcast's more concerned with the MAC of the cable modem than whatever's plugged into it. I've switched between routers, PCs and all sorts of combos over the past few years, and it still works perfectly.

      --
      My other Sig is .40 caliber.
    21. Re:Sounds more like a DoS to me by thegrassyknowl · · Score: 1

      Ideally you should send no reply at all to port scans.

      Actually, that's not true. Sending no reply is as good as sending a reply. If my IP address was not routed by my ISP at any time (i.e., I'm not online) then the ISP's router should send some kind of reply telling the scanner that my IP address is not reachable.

      Sending no reply actually says "hey, I'm here but I am 1337 and trying to hide behind this transparent screen with a big flashing light and siren on my head".

      True, sending a port closed reply does disclose some information that can possibly be used to determine what OS and IP stack you are running, but at the end of the day I don't think that's such a problem. If you really think it's a problem you can mangle the packets in your firewall output chain to try and give them a bum steer.

      Sending a host/destination unreachable reply with my ISP's router as the source address really tells the attacker nothing at all and actually (unless their router runs exactly the same IP stack as my desktop) sends the attacker on a bum steer if they are trying to do OS fingerprinting.

      --
      I drink to make other people interesting!
    22. Re:Sounds more like a DoS to me by thegrassyknowl · · Score: 2, Interesting

      found the `Insane' setting -- it's not really about flooding a host, it's about assuming that the latency is almost zero, so a scan will happen quickly.

      That's true to an extent, except that the Insane setting generally does not wait for a reply to packets before sending the next. It lets you flood the host, and if their connection is slower than yours and you run it enough times they end up with quite a backlog of packets they need to download from their ISP.

      My point was that it is possible to DoS someone using just a portscan if your connection is significantly faster than theirs and you feel like running a few thousand portscans on their IP address. Whether it is smart, easy or generally useful remains to be seen, but it is possible.

      Then you're not really port scanning him anymore -- your DoS'ing him

      Well, technically I am still portscanning. The side effect is that I'm DoS'ing him. Alas, he won't know that. All he'll see is a bunch of port scans in his firewall logs.

      but there's little point in doing it more than once per port, unless you think his system will respond randomly or something.

      There is point if all I want to do is cause him grief. It doesn't matter how the remote system responds - whether there's closed or open ports, or even if I get a reply at all. If I was seriously interested in finding open ports I'd use scans that are less likely to be noticed, not just bombard him with zillions of packets.

      --
      I drink to make other people interesting!
    23. Re:Sounds more like a DoS to me by dougmc · · Score: 1
      Well, technically I am still portscanning. The side effect is that I'm DoS'ing him. Alas, he won't know that. All he'll see is a bunch of port scans in his firewall logs.
      At that point, I'd say you're DoSing him, and any port scanning would be the side effect. After all, the Insane option doesn't give the packets long enough to come back and probably does discard them once they come back, because they took too long. Also, if you're overloading his connection, some packets will be lost, making some ports look like they were filtered, even if they aren't. That, and you're probably not even looking at which ports nmap reports open any more, if any.

      Once you use the `insane' option to port scan somebody over the Internet, and you do it over and over and over, it's pretty obvious you're doing a DoS attack and not just port scanning.

      As for what it looks like, some of the most effective DoS tools (or at least the most difficult to filter at the ISP level) just flood a host with packets from random IPs, to and from random ports. Take out the random IPs part, and tell nmap to go in random order, and that could look just like a port scan. And most people don't know how to tell the difference.

      There is point if all I want to do is cause him grief.
      Then you're DoSing him. A single portscan, even of all 65536 ports, on a cable modem host, will not cause significant grief unless either 1) you're doing it repeatedly, or 2) the target sees his logs and freaks out, causing his own grief. And if you're doing it repeatedly, you're probably more interested in the grief than the ports he has open.

      A portscan of all 65536 ports will require about 2.5 MB of data to be sent (40 bytes/packet, 65536 packets), and less is likely to be returned. Most cable modems can handle that in a few seconds.

    24. Re:Sounds more like a DoS to me by Dachannien · · Score: 1

      Generally, an ISP will dutifully route packets intended for you to your box, even if it's turned off, and won't get involved in determining whether or not your host is active.

    25. Re:Sounds more like a DoS to me by Anonymous Coward · · Score: 0

      ISPs use routers. What's the command (for e.g. Cisco IOS) for sending a packet even when the (non-existing) destination doesn't answer ARP requests, and thus the router has no f**king idea where to send the packet?

  5. Perfectly Normal by vasqzr · · Score: 1

    It's basically a fact of life on the Internet that you'll get port scanned. If you have an IP, probes are bound to happen.

    I'm sure someone could upload firmware to a router and set it up to port scan or other activity.

  6. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  7. Answers. by irc.goatse.cx+troll · · Score: 3, Funny

    Basically, no. End users are the scum of the internet, no ISP really cares what happens to you as long as you pay the bill. If you don't, they don't care because others will.
    Your best bet would be to detect the port scan (eg, >5 sequential connections from the same host, or >15 nonsequential ones) and nullroute it so they get no response at all.
    Of course they can get around that, but if you're avoiding the common drones it doesnt matter.

    Second off, it's not an attack, it's just trying to get more information on you. Calling it an attack makes it sound bad, which further scares away the masses (who then get to vote on this stuff). If your ISP didn't limit your upstream so much you wouldn't even notice it. nmap running in standard mode doesn't use nearly as many packets or bandwidth as my ISP flooding me with ARP who-has packets to see who's on.

    Sidenote, be careful with whatever you do. Last time I found out a friend of mine ran a stupid Windows firewall that would automatically firewall anything that portscanned him, I spoofed a scan from his DNS, then after I had fun watching him wonder why he couldn't resolve anything, I spoofed one from his gateway.
    Automated dropping is dangerous.

    --
    Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
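    The detection rule in this comment (more than 5 sequential ports, or more than 15 non-sequential ones, from one source) together with its own warning about auto-blocking spoofed sources, as an added example that is not code from the poster. The log lines are constructed in iptables LOG style, the addresses come from the RFC 5737 documentation ranges, and the "never block" list of gateway and resolver addresses is an assumption standing in for whatever your own ISP hands you.

```python
import re
from collections import defaultdict

# Constructed sample in the style of iptables LOG output (not real traffic).
# 198.51.100.7 walks ports 20-26, 203.0.113.9 hits 16 unrelated ports,
# 192.0.2.53 (assumed to be the ISP resolver) appears to walk ports 30-36,
# and 192.0.2.200 only talks to 80 and 443.
def _line(src, dpt):
    return ("kernel: FW-IN: IN=eth0 OUT= SRC=%s DST=192.0.2.10 LEN=40 "
            "PROTO=TCP SPT=40000 DPT=%d SYN" % (src, dpt))

SAMPLE_LOG = (
    [_line("198.51.100.7", p) for p in range(20, 27)]
    + [_line("203.0.113.9", p) for p in (21, 80, 443, 3306, 8080, 1433, 5900, 139,
                                         445, 25, 110, 143, 993, 995, 3389, 5432)]
    + [_line("192.0.2.53", p) for p in range(30, 37)]
    + [_line("192.0.2.200", p) for p in (80, 443)]
)

# Assumed infrastructure addresses (gateway, resolver) that must never be
# null-routed: a scan can be spoofed from them, exactly the trick above.
NEVER_BLOCK = {"192.0.2.1", "192.0.2.53"}

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def parse_log(lines):
    """Map each source address to the list of TCP destination ports it hit."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits[m.group("src")].append(int(m.group("dpt")))
    return hits

def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers seen."""
    uniq = sorted(set(ports))
    if not uniq:
        return 0
    best = run = 1
    for prev, cur in zip(uniq, uniq[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def classify(ports, seq_threshold=5, nonseq_threshold=15):
    """Apply the >5 sequential / >15 non-sequential heuristic."""
    if longest_sequential_run(ports) > seq_threshold:
        return "sequential-scan"
    if len(set(ports)) > nonseq_threshold:
        return "nonsequential-scan"
    return "normal"

def decide(hits, never_block=NEVER_BLOCK):
    """Verdict and action per source; infrastructure addresses only get an alert."""
    decisions = {}
    for src, ports in hits.items():
        verdict = classify(ports)
        if verdict == "normal":
            action = "allow"
        elif src in never_block:
            action = "alert-only"   # could be spoofed; blocking would cut us off
        else:
            action = "nullroute"
        decisions[src] = (verdict, action)
    return decisions

def nullroute_command(src):
    """iproute2 blackhole route for the source; returned as text, not executed."""
    return "ip route add blackhole %s/32" % src

if __name__ == "__main__":
    for src, (verdict, action) in sorted(decide(parse_log(SAMPLE_LOG)).items()):
        extra = nullroute_command(src) if action == "nullroute" else ""
        print(src, verdict, action, extra)
```

    The allowlist is the whole point: a blocker that trusts the source address in a SYN will happily black-hole your own resolver or gateway when someone spoofs a scan from it, which is the failure the comment describes.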
  8. Disable ICMP echo reply by crow · · Score: 4, Insightful

    One thing that I did was to disable ICMP echo reply. (I allowed it from IP ranges that I'm likely to be at, but in general, it's turned off.) That means if someone tries to ping me, they don't get a response, so many script kiddies will assume that there is no computer at my IP address and move on.

    I've also set it up to drop incoming TCP requests for dead ports (actually, it blocks the outgoing connection refused packets). So if they scan ports that aren't open, they never get a single packet back.

    Essentially, unless they're connecting to something I intentionally have open, they can't tell that my system exists.

    1. Re:Disable ICMP echo reply by Anonymous Coward · · Score: 2, Informative

      Congratulations! You're violating RFC 1122 - Requirements for Internet Hosts and as such should not expect anything to necessarily work correctly!

      3.2.2.6 Echo Request/Reply: RFC-792
      Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies.

      Have a wonderful day.

    2. Re:Disable ICMP echo reply by Mercury2k · · Score: 2, Informative

      Actually, if you have done some reading and used tools like nmap, you might be a little shocked to know that this tool can still tell if you're online unless you really know what you're doing. Turns out that certain "illegal" TCP flags can trigger the OS to reveal information about the ports they are scanning. So even if you think you're blocking outgoing info, chances are you're only blocking "legit" outgoing stuff, and you're still in fact giving out tons of information to people that know TCP well enough to scan you.

    3. Re:Disable ICMP echo reply by Neil+Blender · · Score: 2, Insightful

      Congratulations! You're violating RFC 1122 - Requirements for Internet Hosts and as such should not expect anything to necessarily work correctly!

      3.2.2.6 Echo Request/Reply: RFC-792

      Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies


      You know what? I don't give a good goddamn about RFC 1122. Our servers get pounded on every port that is open, every day, since forever. Cutting off ping reduces it dramatically. So, by violating that particular RFC, I do have a more wonderful day.

    4. Re:Disable ICMP echo reply by pegr · · Score: 1

      You know what? I don't give a good goddamn about RFC 1122. Our servers get pounded on every port that is open, every day, since forever. Cutting off ping reduces it dramatically. So, by violating that particular RFC, I do have a more wonderful day.

      Um, so does microsoft.com... You don't want to be like them, do you?

  9. Linksys ADMIN password by SpaceLifeForm · · Score: 3, Interesting
    You did change it, right?

    And you don't allow access to it from un-trusted machines (i.e., the Internet), right?

    Otherwise, in theory, it could get pwned. It is running Linux and tools such as busybox.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  10. DNS, DoS, and braaaains by spoonyfork · · Score: 1
    Connectivity issues concerning Comcast can most likely be addressed by using an open DNS server among your Comcast ones. Try 4.2.2.4 - easy to remember!

    You might also be the victim of a lame DoS attack. Participate in any flamewars recently? Send relevant portions of your incoming traffic logs to the respective ISPs for (in)action.

    Another possible cause is one of the machines behind your firewall has been pwned and is now a spam zombie. Is your firewall blocking both incoming and outgoing?

    --
    Speak truth to power.
  11. One question... by Anonymous Coward · · Score: 0

    If your computer is connected to the internet through a Linksys/whatever router, how do you know you're being portscanned?

    1. Re:One question... by Fox_1 · · Score: 4, Funny

      > One question... (Score:0) by Anonymous Coward on Wednesday June 15, @01:24PM (#12826733)
      > If your computer is connected to the internet through a Linksys/whatever router, how do you know you're being portscanned?

      It's like a horror movie: The ISP said that there were no outside connections. The Zombie is in the house with you! Get out, do you hear me? Get out now.

      --
      The rock, the vulture, and the chain
    2. Re:One question... by BridgeBum · · Score: 1

      Feeding the troll, but Linksys does have logs...

      --
      My UID is the product of 2 primes.
  12. portscanning != DoS by Inominate · · Score: 1

    Portscans use minimal bandwidth, enough that even a modem can be portscanned without a major slowdown. If you're getting enough traffic to shut down your network, but not enough that Comcast would notice it, this so-called "portscan" is likely not the cause of your problems.

  13. Switch to a Linux/UNIX firewall - DROP traffic by Tor · · Score: 2, Informative

    Seeing as none of the comments so far has answered your question, let me just offer my 2:

    Rather than using a Broadband NAT router, set up a firewall running Linux, *BSD, or similar. This way, you can send "irrelevant" traffic (e.g. ICMP ping requests, or TCP/UDP packets to ports on which you do not provide services) to the bit bucket ("DROP" in the language of Linux IPTables).

    This slows down port scanning of your machine (e.g. using "nmap") to near a grinding halt, and thereby reduces the bandwidth consumed by such port scans to near zero.

    It is not bulletproof - someone could still direct DoS attacks against you - but it would nearly eliminate the traffic caused by casual port scanning of your machine.

    1. Re:Switch to a Linux/UNIX firewall - DROP traffic by Slashdot+Junky · · Score: 1

      Smoothwall is a great and easy Firewall/DHCP Server/Router/etc Linux distro. Grab/buy an unused PC, download the ISO, burn the disc, and install. The install takes 5 minutes max. The PC could be a very low end system and it will work fine. It will require at least two NICs in your case. Place the box between your cable modem and LAN switch. Smoothwall is capable of so much out of the box and can be extended through add-ons.

      smoothwall.org

      Later,
      -Slashdot Junky

      --
      .
      Landfill Mining Co.
      Managing the (Un)natural Resources of Tomorrow
    2. Re:Switch to a Linux/UNIX firewall - DROP traffic by maunleon · · Score: 2, Insightful

      What kind of freaky router are you used to, that doesn't drop packets with no destination? You didn't state any reason in your post for switching to an OS-based firewall, that the cheapest router doesn't already provide.

      All NAT routers I've seen need to be specifically set up to forward traffic, unless you set up your computer in a DMZ. If you don't set them up that way, packets will simply be dropped.

      There are other reasons to use a linux firewall, but not the ones you stated. Add to that that you'd require more space, more power, higher cost, and put out more heat.

    3. Re:Switch to a Linux/UNIX firewall - DROP traffic by SomeGuyFromCA · · Score: 1

      > All NAT routers I've seen need to be specifically set up to forward traffic, unless you set up your computer in a DMZ.

      or unless your router is listening to upnp traffic.

      --
      if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
    4. Re:Switch to a Linux/UNIX firewall - DROP traffic by Tor · · Score: 1

      Routers don't typically DROP the traffic, they REJECT it. There is a crucial difference: REJECT means that a TCP NAK response is sent back to the originator (of the SYN request), allowing them to immediately discern that there is no service at the given port. This allows them to do port scanning much faster, and consequently hogs your bandwidth.

      In contrast, when you simply DROP incoming SYN requests in the bit bucket, the client has no way of knowing whether the response from your end is due to a net.lag (slow connection) or whether you are not listening on the given port. Although "nmap" has ways around this, it nevertheless slows down their port scanning as well as lowers their use of bandwidth.

      Specifically, the question here was related to a Linksys router. Looking at the product documentation for a random Linksys product (BEFSR41), I see no reference to this type of functionality.

    5. Re:Switch to a Linux/UNIX firewall - DROP traffic by Anonymous Coward · · Score: 0

      My dlink seems to drop traffic, it does not return a nak.

      Come on, home router bios writers are lazy. They'd rather drop packets than handle them.

  14. Comcast scans you by biryokumaru · · Score: 1
    As has been mentioned, simply being scanned is likely not all of your problem, but I do know that Comcast scans all of their users' ports to see if they're breaching contract and hosting a website/ftp etc on common ports. I think there's about 5 that they just scan repeatedly.

    Funny story, in fact, they were scanning me and I didn't know who it was (all I had was an IP and very little knowledge about the internets) so I called them up and informed them that "such and such IP is attempting to haxor my boxor!" (well, not exactly like that...)

    People have mentioned, like, ICMP auto-respond or sumthin, and that might have something to do with it, with one of the ports they scan. Are you breaching contract?

    --
    When you're afraid to download music illegally in your own home, then the terrorists have won!
  15. These are not script-kiddies by mabu · · Score: 4, Insightful

    It's a fallacy that ignorant kids are behind the port scanning.

    It's spammers. It's professional organized crime. I believe the majority of these port scanning and worm/virus propagation is going on by organized groups looking to take over peoples' computers for the purpose of finding new IP space from which they can send unsolicited e-mail. If there are any script kiddies, they are a fraction of a fraction of the percentage of the traffic.

    My systems are constantly under probe attacks and port scans. The majority of these attacks originate from rogue IP space in China, Korea, and other areas that appear to be more liberal in doing business with the spammer organized crime contingent.

    At this point, I don't see technology making much difference. This is a political and enforcement issue.

    My advice is to contact your local District Attorney and demand that they start prosecuting computer tampering cases. We know these people are ultimately in the U.S. and can be caught even if they route from around the globe. We know they're breaking laws and can be prosecuted. We have laws in effect right now - we don't need more laws. We need enforcement and government authorities who WILL ENFORCE THE LAW AND STOP THESE PEOPLE. You can't count on ISPs to help since they profit from bandwidth consumption; you can't count on corporations to help, they are scared of any attempt to curtail cyber marketing of any sort. You must start on a local level and demand that the judicial and enforcement branches go after these criminals.

    1. Re:These are not script-kiddies by Anonymous Coward · · Score: 0

      Wow. Great point; excellently put.

      Do you teach critical thinking classes, by chance?

    2. Re:These are not script-kiddies by mabu · · Score: 1

      Next time back up your brain-dead claims with something.

      Anonymous COWARD. You must be a spammer, and that's why you're so offended by my message. Why don't you show your identity?

      There's plenty of stats and information to back up these claims. Most domestic spam is originating from compromised computers being used as unauthorized SMTP relays.

      You want evidence? Check your e-mail you stupid moron. Look at the headers of the spam you receive. Notice how a significant chunk of it comes from comcast, verizon, cox cable, TDE, and other broadband IP space. These are end users who have been infected with worms that have turned their boxes into proxies. These dumbass ISPs refuse to filter port 25 on their networks so they're ripe for being taken over by spammers, and the spammers, in an effort to thwart relay blacklists (which are THE ONLY current anti-spam solution which is affecting their efforts) must continually compromise third-party computers to send out their junk mail.

      You don't see much spam from AOL any more. Know why? They filter port 25. If more ISPs did this, then you'd also see a significant reduction in port scanning on popular backbone networks because the reason they portscan is to find machines to zombie spam.

      Keep spamming... you're going to get caught eventually.. provided people demand their District Attorneys start prosecuting scumbags like you who willfully break the law and steal other peoples' resources.

    3. Re:These are not script-kiddies by jonadab · · Score: 2, Insightful

      > We know these people are ultimately in the U.S.

      The honeynet people seem to think most of them are in eastern Europe. I am also fairly certain that there are a lot of them in China, though this is much harder to confirm. My best evidence is the enormous volume of Chinese-language spam, which I do not suppose would be authored by Americans or Europeans, mostly.

      But anyway, we certainly do not *know* that they are all ultimately in the U.S. There are good solid reasons to believe otherwise. *Some* of them are in the U.S., of course; the U.S. is a big country with a lot of people, so of course it has computer criminals, but there is no reason to believe it has more than its fair share of them.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    4. Re:These are not script-kiddies by jonadab · · Score: 2, Interesting

      > You want evidence? Check your e-mail you stupid moron. Look at the headers
      > of the spam you receive. Notice how a significant chunk of it comes from
      > comcast, verizon, cox cable, TDE, and other broadband IP space.

      I haven't checked this in the last few months, so maybe it's changed, but the last time I did check, virtually 100% of the spam I get came from the APNIC block, and roughly 0% of it came from IP addresses with a corresponding PTR record in DNS for reverse lookup.

      I think it depends somewhat on *which* spammers have your email address in their database. As near as I can tell, there are only a few major spamming organizations in the world (perhaps as many as twenty or so) and very few people are on more than one or two of their lists, because they don't share. (They share *within* each organization, but not between, as near as I can tell. As far as why, I could only speculate, but my first guess would be language barriers, and my second guess would be that they can't track each other down any more easily than we can track them down, so they don't know each other at all except within each organization. But these are guesses.)

      There's at least one major spamming organization in Eastern Europe; they use IRC to communicate, and they use worms to harvest zombies, and this latter activity has exposed them to the honeynets. They have a hierarchical organization like in cheesy mafia movies, with small circles of trust, where the one or two "innermost" members of each small group/circle also are part of the next most central circle. They mostly send English-language spam but also other European languages, notably Russian and German. If you get spam in Cyrillic characters, it comes from these guys. They probably get most of their addresses from Outlook Express address books, but possibly also from other sources. My home address has only gotten on their list in the last year or so.

      There's at least one *enormous* spamming organization operating out of Asia (with subnets in China, Korea, and several other Asian countries). They send huge amounts of Chinese-language spam, also lots in English, quite a bit in Korean (with Hangul characters), and some in Spanish and a handful of other languages. There is no evidence that they use IRC. They migrate their SMTP servers (or relays, or something) across entire Class-B subnets, but they don't appear to use zombies, because everything they send comes out of the APNIC block. If you report them to abuse@, you end up in their "special" database, which causes you to receive a lot more spam, some of it with totally blank bodies, just for spite. My home address has been on these guys' list since circa 1999, probably because they harvest addresses from usenet, but they also appear to harvest from mailto: links on the web, among other sources.

      We know from previous high-profile news stories on slashdot that there are spammers operating out of the U.S., some of which are fairly big-time, but they use relays elsewhere, including in Asia. I suspect that these guys are mixed up with some of the shadier adware. They're also much more poorly organized than the Asian group or the eastern European group. Some of them actually *buy* their lists of addresses, from other spammers (one another, mostly), but they also harvest addresses from the web. All or nearly all of the spam they send is English-language. These guys are responsible for most of the spam that advertises pharmaceuticals, but they also advertise other things, including websites, software, and financial services. My work address has been on their list for a couple of years now.

      Then there's the African spam. This is where the 419s come from, but they send other stuff too, mostly in English, but also in French. They are not organized at all and appear to operate in small autonomous groups or as individuals, but they do have contact with one another (probably in a very loose web, perhaps largely by virtue of living mostly in the same few large cities, nota

      --
      Cut that out, or I will ship you to Norilsk in a box.
    5. Re:These are not script-kiddies by Anonymous Coward · · Score: 0

      It's very easy to "follow the money" and find out where they are. I have plenty of evidence relating to a case some associates filed with the authorities that indicate major players are in the United States. My associates gathered plenty of evidence and then the feds presented a rock solid case to the DA for prosecution and the DAs in multiple jurisdictions refused to prosecute.

      One of two things is likely happening as a result. Either law enforcement doesn't give a damn, or the feds are actually engaged in a more involved operation where they're infiltrating the rings or recruiting these people for other purposes.

  16. Tarpit... by wolf31o2 · · Score: 2, Informative

    Seriously, dump that Linksys or other SOHO box and spring for a small *nix-based machine. Personally, I use a slimmed-down Linux box running iptables. I also use the TARPIT target. The TARPIT target is designed to keep the connection open until it times out. This slows port scans and worms to a crawl. While it takes slightly more resources on the firewall machine itself, it doesn't eat up any more bandwidth than the port scan itself would, except that now the bandwidth is spread over a longer period of time. It also helps to block other packet types that can cause issues, such as ICMP echo. It is definitely not a good idea to block all ICMP traffic, though. Also, try setting up QoS or some other form of traffic shaping to give priority to your packets, specifically ACK packets, as this will improve responsiveness and will keep you from being locked out of your connection, even when under a high bandwidth load.

    1. Re:Tarpit... by farble1670 · · Score: 5, Insightful
      so, the fellow posting the question is probably not the unix guru type, or he wouldn't have posted the question. to suggest that someone of low level or even moderate technical level start maintaining a unix box with firewall software is overkill to say the least. consider the power you're sucking for two boxes vs. one. consider the complexity of configuring rules. consider the space required for another box in your house (a lot of us live in apts or condos). consider the cost of acquiring the physical box (okay, pretty cheap, but probably not free).

      as long as you do not need to do anything fancy, the simplified firewalls on consumer-level routers work fine. i have ICMP echo turned off, and a few well-known ports open for apps. no problems.

      if this doesn't fix it for him, clearly this guy has some larger problem than port scanning. let's not mislead him.

    2. Re:Tarpit... by mink · · Score: 1

      Software like IPCOP is quite user friendly. There are solutions other than loading Slackware and hand editing your setup for iptables.

      --
      Well I've wrestled with reality for thirty five years doctor, and I'm happy to say I finally won out over it.
  17. Found the source of the interference. by Spy+der+Mann · · Score: 1

    Apparently it's a zombie PC located at...

    (let me jot down)

    one two seven... dot zero... dot zero... dot one. There! Hit it guys.

  18. drops still give information by JimmytheGeek · · Score: 2, Interesting

    If you have a fw inside a router, the router will send a "destination host unreachable" ICMP message in response to traffic to non-existent hosts.

    A drop will generally indicate:
    1) firewalling
    2) an inverse map - "I didn't get the ICMP 'dest. host unreachable', ergo something is there"

    blocking that outbound ICMP message is possibly a mistake if you have public net resources.

    As others pointed out, a drop vs. the icmp error slows the scan down nicely, though.

    1. Re:drops still give information by BridgeBum · · Score: 1

      You don't get a dest host unreachable for hosts that don't exist. If the routing is correct to the network but the host doesn't exist, the echo-requests disappear into the void. Dropping icmp echo-request is simulating that behavior, the non-existent host.

      The router will only send a dest host unreachable if it has an ACL that blocks the traffic or if its next hop in the routing table is unreachable.

      --
      My UID is the product of 2 primes.
    2. Re:drops still give information by Anonymous Coward · · Score: 0

      Depends on the network. If you ping a non-existent host on a remote ethernet, the router will usually answer with an ICMP unreachable message because it doesn't know the ethernet address that goes with the IP address. It sends an ARP request, doesn't get an answer, so it doesn't know how to reach the target IP and tells you about it. DSL routers on the other hand are often configured not to return ICMP unreachable. Sometimes you can still tell what is an unused IP and what is a hidden system by looking at routing differences.

    3. Re:drops still give information by JimmytheGeek · · Score: 2, Informative

      Your router may block the unreachables - that's a common lockdown step. But it is also correct behavior for the router on the destination net to send an ARP, determine that nobody is listening at that IP address, and reply to sender with the icmp dest unreachable (ICMP Type 3, Code 1). There's also a net unreachable that I haven't run into, Type 3, code 0.

      http://www.faqs.org/rfcs/rfc792.html
      "Gateways in these networks may send destination unreachable messages to the source host when the
      destination host is unreachable."

      If an ACL blocks the traffic with a reject (vs. drop) then typically it's an ICMP destination host administratively prohibited (Type 3, Code 10)
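      Tor's REJECT-versus-DROP point earlier in the thread and the ICMP type 3 codes listed in this comment meet in the packet itself, so here is an added example (not code from any poster) that builds and decodes an ICMP Destination Unreachable message and reports who sent it. On Linux, iptables REJECT defaults to type 3 code 3 (port unreachable) unless --reject-with tcp-reset is given, while a router that cannot ARP the target sends code 1 from its own address. The addresses and ports below are constructed from the RFC 5737 documentation ranges.

```python
import socket
import struct

# RFC 792 / RFC 1812 Destination Unreachable (type 3) codes that matter here.
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

def inet_checksum(data):
    """RFC 1071 one's-complement checksum; 0 when a filled-in checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def tcp_first8(sport, dport, seq=0):
    """First 8 bytes of a TCP header: ports and sequence number (what ICMP quotes)."""
    return struct.pack("!HHI", sport, dport, seq)

def build_unreachable(code, quoted):
    """ICMP type 3 message quoting the offending IP header plus 8 payload bytes."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return struct.pack("!BBHI", 3, code, inet_checksum(body), 0) + quoted

def parse_unreachable(msg):
    """Decode a type 3 message: code, checksum validity, and the quoted 5-tuple."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("too short for an ICMP unreachable with quoted datagram")
    itype, code, _csum, _unused = struct.unpack("!BBHI", msg[:8])
    if itype != 3:
        raise ValueError("not a Destination Unreachable message")
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < ihl + 4:
        raise ValueError("quoted datagram truncated before transport ports")
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {
        "code": code,
        "meaning": UNREACHABLE_CODES.get(code, "code %d" % code),
        "checksum_ok": inet_checksum(msg) == 0,
        "original_proto": quoted[9],
        "original_src": socket.inet_ntoa(quoted[12:16]),
        "original_dst": socket.inet_ntoa(quoted[16:20]),
        "original_sport": sport,
        "original_dport": dport,
    }

def who_answered(icmp_src, parsed):
    """A REJECT arrives from the target itself, proving it is up; a router's
    unreachable arrives from another address and proves nothing about the host."""
    return "target host" if icmp_src == parsed["original_dst"] else "intermediate router"

if __name__ == "__main__":
    # Constructed: SYN from 203.0.113.9:40000 to 198.51.100.7:22, rejected.
    quoted = ipv4_header("203.0.113.9", "198.51.100.7", 6, 20) + tcp_first8(40000, 22)
    reject = build_unreachable(3, quoted)
    info = parse_unreachable(reject)
    print(info["meaning"], "for port", info["original_dport"],
          "from", who_answered("198.51.100.7", info))
```

      Reading the quoted header is what makes the scanner's life easy: one packet back tells it the exact port that has nothing listening, and the outer source address tells it whether the answer came from the host or from a router in front of an empty address.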

  19. How stealthy are your ports? by Tandoori+Haggis · · Score: 1

    I use online port scanning tools to check my home network. I don't know about your Linksys device but some router/modems allow you to configure a DMZ and to specify a private IP address you don't actually use. Basically, inbound portscans might see the DMZ but nothing else. Since the DMZ doesn't lead anywhere, your ports are stealthed and the scanner gets bored and tries elsewhere. This may not work on some Linksys router modems due to a software bug...

    Make sure that you disable inbound http and ftp. After all, why would you want to remotely configure your router/modem from outside your home network? ICMP echo requests should also be prohibited. If the hardware manual is not helpful, try searching for info on the web.

    http://www.grc.com "Shields up"
    http://scan.sygatetech.com/prestealthscan.html

    You may find this article of interest: http://techupdate.zdnet.com/techupdate/stories/main/Linksys_routers_and_DDoS.html

    --
    My hyperlinks aren't worth the paper they're printed on.
    1. Re:How stealthy are your ports? by Intron · · Score: 1
      Good post, but...
      • automated scan tools don't get bored.
      • turning off ping and stealthing ports may break some applications, see here
      --
      Intron: the portion of DNA which expresses nothing useful.
  20. Unlikely by thalakan · · Score: 3, Informative
    It is very unlikely that scans are eating up all of your incoming bandwidth. I just checked, since I was curious:
    # tethereal -w scan.cap host <myserver> &
    # nmap -A -T5 -oN scan.nmap <myserver>
    # killall tethereal
    # tethereal -z io,stat,5 -r scan.cap > scan.sum
    # cat scan.sum

    IO Statistics
    Interval: 5.000 secs
    Column #0:
                    |   Column #0
    Time            |frames|  bytes
    000.000-005.000    1925   107376   <-- peak bandwidth
    005.000-010.000     315    17952
    010.000-015.000     492    28032
    015.000-020.000     669    38118
    020.000-025.000     655    37290
    025.000-030.000     186    12153
    030.000-035.000      72     9665
    035.000-040.000      61     4648

    ...
    # bc
    107376 * 8       <- convert to bits per second
    last/5           <- account for 5 second sampling
    171801
    4000000/last     <- how many fit into 4 Mbps?
    23

    So the peak scan bandwidth of a really noisy nmap scan is about 100 kilobits per second, and you would have to have 23 simultaneous scans being performed in the absolute worst-case scenario to max out your link. If your router's external interface was actually replying to these scans, you would notice problems at somewhere less than this, say, 20 simultaneous scans. The actual number of scans you could endure before noticing it is much, much higher than this, because I used -T5 to make nmap really noisy (not typical for k1ddi3s scanning), and I took the peak bandwidth instead of the average bandwidth for my calculations.

    But I'm a Comcast customer and I don't see anywhere near that level of scanning. I see a few port scans a day, plus the usual worm remnants. Sometimes someone will get a bug up their ass and scan me repeatedly, but that's still just a few scans in a row. This is much, much lower than the 4 Mbit capacity of the throttled rx queue on my cable modem.

    The other thing that makes scans an unlikely root cause of your connectivity problem is that Comcast's security department would certainly go after anyone who was scanning one of their customers that hard, and possibly install filters to keep from having to pay their transit suppliers for all that bandwidth.

    The most likely explanation is that the problem is a simple misconfiguration, such as a misconfigured DNS setting or a P2P app running on your machine. The P2P apps in particular will cause intermittent problems loading web pages, which sounds like what you're experiencing.

    --
    -- thalakan
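The arithmetic in the post above, as an added Python example (not thalakan's code): it parses the io,stat table in the layout tethereal printed, converts each 5-second interval to bits per second, and computes how many simultaneous scans at that rate would fill a 4 Mbit/s downstream link, both for the peak interval (the post's figure of 23) and for the average over the whole capture, which shows how much headroom the peak-based estimate leaves out. The table is embedded from the post so the script runs offline; the 4 Mbit/s link rate is the post's own assumption.

```python
import re

# The io,stat table from the post above, embedded so the script runs offline.
IO_STATS = """\
IO Statistics
Interval: 5.000 secs
Column #0:
                |   Column #0
Time            |frames|  bytes
000.000-005.000    1925   107376
005.000-010.000     315    17952
010.000-015.000     492    28032
015.000-020.000     669    38118
020.000-025.000     655    37290
025.000-030.000     186    12153
030.000-035.000      72     9665
035.000-040.000      61     4648
"""

# One interval row: "start-end   frames   bytes" (tethereal -z io,stat layout shown above).
ROW = re.compile(r"^\s*(\d+(?:\.\d+)?)-(\d+(?:\.\d+)?)\s+(\d+)\s+(\d+)\s*$")


def parse_io_stats(text):
    """Return a list of (start_s, end_s, frames, bytes) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((float(m.group(1)), float(m.group(2)),
                         int(m.group(3)), int(m.group(4))))
    return rows


def interval_bps(rows):
    """Bits per second seen in each interval: bytes * 8 / interval length."""
    return [nbytes * 8 / (end - start) for start, end, _frames, nbytes in rows]


def scans_to_saturate(link_bps, per_scan_bps):
    """How many scans at per_scan_bps it takes to fill a link of link_bps (rounded down)."""
    return int(link_bps // per_scan_bps)


def summarize(text, link_bps=4_000_000):
    """Peak and average scan bandwidth, plus the scan count needed to saturate the
    link under each figure. The post uses the peak interval and a 4 Mbit/s cap."""
    rows = parse_io_stats(text)
    bps = interval_bps(rows)
    peak = max(bps)
    total_bytes = sum(r[3] for r in rows)
    duration = rows[-1][1] - rows[0][0]
    average = total_bytes * 8 / duration
    return {
        "peak_bps": peak,
        "average_bps": average,
        "scans_at_peak": scans_to_saturate(link_bps, peak),
        "scans_at_average": scans_to_saturate(link_bps, average),
    }


if __name__ == "__main__":
    s = summarize(IO_STATS)
    print(f"peak    {s['peak_bps']:9.0f} bit/s -> {s['scans_at_peak']} scans fill 4 Mbit/s")
    print(f"average {s['average_bps']:9.0f} bit/s -> {s['scans_at_average']} scans fill 4 Mbit/s")
```

The average over the 40-second capture is about 51 kbit/s, so by that measure it takes roughly 78 of these deliberately loud -T5 scans running at once to fill the link, which supports the post's conclusion that scans alone are an unlikely cause of the original poster's problem.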
  21. My biggest fear... by Anonymous Coward · · Score: 0

    ...is that I DO set up a Linux/BSD box as a firewall as lots have suggested, and I do something stupid and THAT box gets owned. Are there bulletproof packages, say like a Knoppix (run from CD) distro, that are hardened by default and easy (not necessarily for a newbie, but not requiring a CCNE/CISSP/CCSE either)? It could perhaps keep its config on a locked floppy disk, or you could change the config and burn that onto the CD.

    1. Re:My biggest fear... by DrSkwid · · Score: 1

      yes there are

      but if you have to ask, your fears are justified

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    2. Re:My biggest fear... by Anonymous Coward · · Score: 0

      Well that was helpful. Thanks! My subtle point was that with the off the shelf Linksys etc. routers there is very little that can be misconfigured and make the router itself vulnerable. For Linux/BSD I could be running an open mail relay, an unpatched Apache, allow remote logins, etc.

    3. Re:My biggest fear... by DrSkwid · · Score: 1

      yes, all of those things

      If you don't know how to know then my point is even more valid.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    4. Re:My biggest fear... by Anonymous Coward · · Score: 0

      Yet another example of the helpful and friendly nature of the Linux community, that will ensure its continued dominance of the desktop market.

      Seriously, elitists like you piss me off. The guy asked a reasonable question, which you flamed him for.

    5. Re:My biggest fear... by DrSkwid · · Score: 1

      I haven't flamed anyone

      if you can't type "livecd firewall" into a search engine what chance do you stand installing and maintaining many of them, hence my suggestion that if one needs to ask the question then one might not be prepared for the answer.

      Yeah, I'm a fully representative of the Linux community please attribute anything I say that you don't like to the penguinistas! 7|\|>< 4|\||> 8y3

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  22. Err.... by Anonymous Coward · · Score: 0

    If I recall my reading of the so-called CanSpam act, only ISPs can bring suits against spammers.

    1. Re:Err.... by mabu · · Score: 3, Informative
      If I recall my reading of the so-called CanSpam act, only ISPs can bring suits against spammers.

      You're wrong. And this isn't about spam. It's about computer tampering, which has been a crime since before the Internet. People who break into other peoples' computers and compromise them are breaking laws. (Port scanning may or may not be criminal, but it's the precursor to criminal activity) I'm just pointing out that the most significant group doing this are obviously the spammers. Anyone who is paying attention can see that, and they are clearly breaking the law. If you break in and take over someone else's computer, that's a felony.

      Unfortunately, we probably won't see law enforcement do anything about it until a spammer accidentally breaks into the computer that contains the formula for McDonald's special sauce.

      Every state has laws like this:
      Breaking into someone's computer may seem like fun, but the consequences are not: Under the Arizona Computer Crime Act of 2000, computer tampering is a felony. Offenders can face up to 12½ years in prison and fines of up to $150,000.


      Here's a list of computer crime laws by state

      Here's info on Federal computer crime laws

      Also see:

  23. Change your MAC address by theinfobox · · Score: 1

    In your router settings see if you can manually set the MAC address that Comcast sees. Once you change it, reboot your cable modem and router. Comcast will issue you a new IP address. If someone is targeting your IP, then it will be problem solved. If the attacks don't stop then either your PC or your router is 0wned.

  24. Portscanning is not an attack. by Medievalist · · Score: 2, Insightful
    Allow me to make a couple of points before I answer your specific questions...

    Don't confuse a portscan with a DOS attack. There is a difference, both in method and intent. Portscans are diagnostics or exploratory probes and are necessary for many benign purposes.

    I have been a comcast customer for many years at several locations. Their service is unreliable; the internet is sometimes unreachable and like all the big-name ISPs they let worms that could easily be stopped run rampant in their network. Their DNS infrastructure is also well below par. Since they have a regional monopoly, it is not necessary for them to provide a clean feed, there simply is no competition in their market sector.

    My comcast-connected systems are, like yours, portscanned constantly. So are my systems at work (where I have far less bandwidth in both directions) but I don't ever have connectivity problems on the non-comcast links.

    First, can anything be done with a simple at-home modem/Linksys router/two computer setup to stop a portscanning attack?
    Again, if it's really a portscan, it's not an attack. But let's say it's a DOS over multiple ports so it looks like a portscan... you can reverse-resolve the addresses, figure out Comcast's IP-to-physical location mapping (easier than it sounds) and go burn down those people's houses. Other than that, probably not.
    Second, is it possible for the Linksys router to become a 'bot' and actually be the originator of much of the traffic?
    In theory, yes, absolutely. That's why you keep it up to date on patches and always change the default password. Here in the Real World [tm] you haven't supplied the type of router or patchlevel you are using so I can't go look it up on Google or astalavista. Some cable interface boxes are pretty secure due to hardware limitations, others make very good bots.

    Finally... most people on comcast that have major problems are infected with viruses or worms, usually propagated by email. Those that are not are sometimes suffering from bad grounds - check that your cable system and the electrical outlets that feed your computer and television systems are all properly grounded.

    HTH, I'm off to dinner.
  25. there's this guy.... by zogger · · Score: 1
    ....here, live cd router/firewall

    Never used it, just aware of it. Something like this?

  26. Use a good packet filter by mnmn · · Score: 2, Informative

    Use it to block all ports and keep connection states.

    See in a portscan, they send a SYN, and you send back an ACK... and back and forth. They try to connect to a port, your tcpip stack replies with a drop connection and then they increment the port and repeat. The amount of data going in each direction is roughly equal when the ports are closed.

    The amount of bandwidth you have is not symmetrical. The best ADSL can do is 4/.8 mbps for download/upload, and the best a docsis modem can do is similar. It is more likely that your upload bandwidth is choked, since 4mbps of download bandwidth is plenty of room. Unless you have a 'lite' internet speed which is ridiculously slow.

    So a packet filter simply doesn't take the packet. No replies, either TCP or ICMP. That also means they will give up trying to keep their bandwidth efficient, and start portscanning another IP that actually replies. And since TCPIP is several back and forth packets to connect, you'll save on some download bandwidth, and you'll save ALL of your precious upload bandwidth.

    It's even better if you have NO ports open at all from the outside, like ssh or http or smtp. That way intruders cannot know at all if you exist, and it's just a waste to portscan all 4 billion IPs, all their TCP and UDP ports rather than just the IPs which actually reply.

    My favorite packetfilter is OpenBSD for obvious reasons, they clearly had the best packet filter until recently. Now the competition is close, since everyone seems to be copying them. I don't have much experience with iptables and it confuses me, but it has a much greater install base, and commercial companies to back it.

    I've tried the WRT56GX Linksys (latest wireless) router, and haven't been impressed with its firewall options. I wonder if I can grab a linksys and replace the firmware with a much simpler OpenBSD embedded system (is there an OpenBSD for ARM?). For serious outfits, I'd use OpenBSD on a pentium III-ish with two good nics and low power consumption for stability.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
  27. i dont' think so.. by Halvy · · Score: 1

    The mac/usb addy on the modem is the id that comcast uses to let you have internet service..ie, it is the ONLY one *they see* (if i'm not mistaken, they wouldn't care what you have beyond their modem/gateway (mac addy).

    The Motorola Surfboard 5100 (one of the brands they support/lease) DOESN'T have a firewall, just dhcp (if you want).

    If you *change* your modem (or mac address), you have to tell them so they can make a note of it-- so you don't lose syncing w/ their network.

    Then again, this might piss them off (asking them).. and they may just-say-no to the idea, especially if you are 'renting' their modem (gateway).

    or were you talking about *spoofing* your own mac addy? :)

    --
    I will gladly lose all of life's battles.. in order to win the war..
  28. New mac addresses by maxwells_deamon · · Score: 1

    Be very careful changing your mac addresses.

    Some cable companies use MAC address filtering as a way of stopping pirating.

    Write down your old mac address first. We got a new cable modem and they had to wait until their Cisco guy got in before Cox could get us back online once.

    BTW: Don't things get routed by IP address once the cache (arp?) tables upstream get updated?

    1. Re:New mac addresses by packetl0ss · · Score: 1

      Well, RoadRunner uses only the MAC address of the cable modem as to whether to allow it on the local node or not and not the MAC address of any machine connected to the cable modem. So far, I have had no problem changing my MAC address of either of my NICs or using different routers with different default MAC addresses behind my cable modem without having to make a single phone call to my cable company to get online. All I had to do, though, was power down the cable modem and power it back up each time I changed my MAC address since the cable modem is set (in the settings the cable co pushes, I guess) to allow only one MAC address at a time to get an IP via DHCP.

  29. If it hasn't already been said... by moorley · · Score: 3, Interesting

    Turn off WIFI and check your bandwidth...

    Chances are someone's pulling your bandwidth via WIFI or it's creating some problem.

    I haven't quite nailed it down yet but in the last few months both my personal network and a friend of mine's have been bogged down whenever the WiFi is turned on. I like to think I'm security savvy but I just started digging into it yesterday.

    I'll reconfigure the netgear so it only accepts the MAC addresses I have but it's still quite annoying. I didn't broadcast the SSID and I used WEP/WPA but my surfing lags horribly whenever WiFi is turned on. Even in rural Idaho there be issues.

    who'd thunk it?

    Good luck!

    --
    "Don't fear death... fear not living..." -me :)
    1. Re:If it hasn't already been said... by Hoover,L+Ron · · Score: 1

      AHEM, MAC filtering is trivially easy to work around with a two minute capture from SNORT or whatever. I emulate therefore I am you! WPA ain't that great either.

    2. Re:If it hasn't already been said... by Anonymous Coward · · Score: 0

      It's only trivially easy to work around for someone who knows how to change their MAC address, which is not likely to be a neighbor/etc. that's just casually looking for WiFi access. There are WiFi hackers that come to steal your bandwidth for spam. But there are a lot more lusers that just want to check their email, and they would be stopped cold by MAC address filtering.

      Certainly additional security is nice, but if you consider MAC filters + WPA + non-broadcast SSID to be "trivial" then you're going to need a security *staff*.

  30. Re:Yes Possibly The Portscans by g-san · · Score: 2, Insightful

    Whoa down there buckeroo. Bandwidth is not the only resource at stake here. Depending on the vendor of the router upstream, a port scan will consume route cache entries that may make it very hard to open new outbound connections. I know of a major university with the wrong vendor that was routinely getting taken down by a handful of people scanning their /16. Yes it was a poor router design in that version, but it was happening. Considering you only get maybe 64k route cache entries that is only 1 or 2 near simultaneous port scans of 1 port across a whole /16 or 1 or 2 scans on all ports on 1 ip address. It *is* possible for port scans to cause problems.

  31. Re:Yes Possibly The Portscans by asc4 · · Score: 1

    In theory, yes. But that just doesn't wash with this particular situation. *If* Comcast had that kind of problem it would affect many more than just this one user, and we'd no doubt have heard about it through the NOG grapevines by now.

    Andrew

  32. Delayed ICMP echo reply by KJSwartz · · Score: 1

    Gotta do a deep think on this topic.

    Why attempt an ICMP echo reply in the FASTEST TIME possible? I have no interest in running the quickest server possible; I want to make my internet experience the most pleasant FOR ME.

    Anyone have any method of delaying the ICMP echo reply by up to the maximum limit, plus 1K ms?

  33. Great question... by chrysrobyn · · Score: 0, Offtopic
    How do you handle port scanning attacks?

    I think the right question is "how should I handle my bandwidth being eaten up?" and a lot of people have responded in a good manner. Verify the source, send logs. Additionally, cut down on promiscuous activity (IRC on some servers, or some channels), some multiplayer games, etc. Generally, if you're smart enough to be doing that kind of stuff, you recognize that it's promiscuous.

    One of my favorite stories was how I dealt with port scanners in college in 1996. I had an unswitched 10baseT in my dorms. Password sniffers and hackers were everywhere. I was getting constantly scanned. So, I set up an entry in init.d which launched a counter-offensive if someone went after my finger or name service ports. Everyone who knew me knew that I didn't run either service, so that left the ignorant masses with less than honorable intentions. I'd picked out some effective attacks, mostly against Windows machines. The scans slowed down a great deal after I put in my countermeasures.

    When I got to grad school, I moved into an apartment with a cable modem (one of the first markets in the US). Without thinking, I left my countermeasures up. Our sysadmin ran some automated portscans to verify that his customers weren't running open mail relays, IRC servers or name servers (upload hungry services). One day, the cable modem lost its signal. My system logs showed three port scan attempts. Each of them stopped after the first countermeasure enabled port was hit, and after the third countermeasure we lost our cable modem. I had to discuss the situation with the admin before being allowed to use the cable modem again. He was irked, but audibly amused.

    So I simplified my countermeasure to just respond to every finger attempt with a finger against the opponent. Shortly after that, I learned our admin was paged every time his scanner computer was fingered...

  34. Over the last week to ssh port by Anonymous Coward · · Score: 0

    Jun 12 00:29:55 homeplate sshd[40051]: refused connect from 211.147.228.74 (211.147.228.74)
    Jun 12 06:58:33 homeplate sshd[40674]: refused connect from ie55129.ie.nthu.edu.tw (140.114.55.129)
    Jun 12 07:02:35 homeplate sshd[40683]: refused connect from ie55129.ie.nthu.edu.tw (140.114.55.129)
    Jun 12 11:47:50 homeplate sshd[40937]: refused connect from 202.76.92.199 (202.76.92.199)
    Jun 12 17:44:07 homeplate sshd[5028]: refused connect from ie55129.ie.nthu.edu.tw (140.114.55.129)
    Jun 12 17:48:09 homeplate sshd[5033]: refused connect from ie55129.ie.nthu.edu.tw (140.114.55.129)
    Jun 12 23:22:06 homeplate sshd[5802]: refused connect from 142.179.212.215 (142.179.212.215)
    Jun 12 23:26:12 homeplate sshd[5897]: refused connect from 142.179.212.215 (142.179.212.215)
    Jun 13 05:35:45 homeplate sshd[7342]: refused connect from 202.96.245.204 (202.96.245.204)
    Jun 14 04:29:21 homeplate sshd[12730]: refused connect from 218.1.14.68 (218.1.14.68)
    Jun 14 04:33:22 homeplate sshd[12737]: refused connect from 218.1.14.68 (218.1.14.68)
    Jun 14 05:09:16 homeplate sshd[13038]: refused connect from 211.239.129.105 (211.239.129.105)
    Jun 14 05:13:22 homeplate sshd[13051]: refused connect from 211.239.129.105 (211.239.129.105)
    Jun 14 05:53:05 homeplate sshd[13252]: refused connect from 211.239.129.105 (211.239.129.105)
    Jun 14 05:57:13 homeplate sshd[13256]: refused connect from 211.239.129.105 (211.239.129.105)
    Jun 14 06:08:17 homeplate sshd[13306]: refused connect from ds80-237-208-42.dedicated.hosteurope.de (80.237.208.42)
    Jun 14 06:12:08 homeplate sshd[13310]: refused connect from ds80-237-208-42.dedicated.hosteurope.de (80.237.208.42)
    Jun 14 23:23:34 homeplate sshd[16596]: refused connect from 221.0.193.166 (221.0.193.166)
    Jun 14 23:27:38 homeplate sshd[16600]: refused connect from 221.0.193.166 (221.0.193.166)
    Jun 15 00:33:38 homeplate sshd[17055]: refused connect from 202.76.92.199 (202.76.92.199)
    Jun 15 05:21:53 homeplate sshd[20383]: refused connect from 221.147.5.146 (221.147.5.146)
    Jun 15 05:53:49 homeplate sshd[20620]: refused connect from 202.76.92.199 (202.76.92.199)
    Jun 15 20:51:41 homeplate sshd[23316]: refused connect from 69.44.57.85 (69.44.57.85)
    Jun 15 20:55:40 homeplate sshd[23322]: refused connect from 69.44.57.85 (69.44.57.85)
    Jun 16 10:11:46 homeplate sshd[26993]: refused connect from massive.merukuru.org (58.4.29.84)
    Jun 16 16:16:02 homeplate sshd[28145]: refused connect from 222.106.22.167 (222.106.22.167)

    Go get 'em!
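Added example, not from the poster: a short Python script that turns the sshd refusal lines above into something you can act on. It parses the TCP-wrappers style "refused connect from NAME (IP)" message, counts refusals per source, and flags sources that come back repeatedly inside a sliding window, which separates the hosts that retry every few minutes (the pattern in the log above) from one-off probes. The sample lines are a subset of the post's own log; syslog omits the year, so the script assumes one (2005, a guess made for the demo, since the log only shows month and day).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# A subset of the log lines from the post above (syslog format, year omitted).
SAMPLE_LOG = """\
Jun 12 06:58:33 homeplate sshd[40674]: refused connect from ie55129.ie.nthu.edu.tw (140.114.55.129)
Jun 12 07:02:35 homeplate sshd[40683]: refused connect from ie55129.ie.nthu.edu.tw (140.114.55.129)
Jun 12 11:47:50 homeplate sshd[40937]: refused connect from 202.76.92.199 (202.76.92.199)
Jun 14 05:09:16 homeplate sshd[13038]: refused connect from 211.239.129.105 (211.239.129.105)
Jun 14 05:13:22 homeplate sshd[13051]: refused connect from 211.239.129.105 (211.239.129.105)
Jun 14 05:53:05 homeplate sshd[13252]: refused connect from 211.239.129.105 (211.239.129.105)
Jun 14 05:57:13 homeplate sshd[13256]: refused connect from 211.239.129.105 (211.239.129.105)
Jun 15 00:33:38 homeplate sshd[17055]: refused connect from 202.76.92.199 (202.76.92.199)
Jun 15 05:53:49 homeplate sshd[20620]: refused connect from 202.76.92.199 (202.76.92.199)
"""

# "refused connect from NAME (IP)" is the libwrap (TCP wrappers) refusal message.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"refused connect from (?P<name>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)$"
)


def parse_refusals(text, year=2005):
    """Parse refusal lines into dicts; lines that do not match are skipped, not guessed.
    The year is an assumption because syslog timestamps do not carry one."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "host": m["host"], "pid": int(m["pid"]),
                       "name": m["name"], "ip": m["ip"]})
    return events


def count_by_source(events):
    """Total refusals per source IP, most frequent first."""
    return Counter(e["ip"] for e in events).most_common()


def repeat_offenders(events, min_hits=2, window=timedelta(hours=1)):
    """Sources with at least min_hits refusals inside some sliding window.
    Returns {ip: largest number of hits seen within one window}."""
    times = defaultdict(list)
    for e in events:
        times[e["ip"]].append(e["time"])
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        for i in range(len(ts)):
            j = i
            while j + 1 < len(ts) and ts[j + 1] - ts[i] <= window:
                j += 1
            hits = j - i + 1
            if hits >= min_hits:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


if __name__ == "__main__":
    evs = parse_refusals(SAMPLE_LOG)
    for ip, n in count_by_source(evs):
        print(f"{ip:16} {n} refusals")
    print("repeat offenders within 1h:", repeat_offenders(evs))
```

On the sample, 202.76.92.199 has three refusals but is not flagged because its visits are hours apart, while 211.239.129.105 is flagged with four hits in under an hour; the window and threshold are the knobs to tune before feeding the flagged list to anything that blocks.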

  35. Cox did the same, but always from the same 2 IPs by HighOrbit · · Score: 1

    So if you want to run a server on the sly, just observe which IPs the ISP uses to scan. Then drop connections from those IPs or that block.

  36. Re:Cox did the same, but always from the same 2 IP by Anonymous Coward · · Score: 0

    I just host on a different port and use a full web redirect from no-ip.com.

  37. portsentry. by Anonymous Coward · · Score: 0

    http://sf.net/projects/sentrytools/

    I wrote my own, but I lost it in a disk crash. Basically, it listened on N random ports, and added a firewall rule to drop packets from the host that connected. After however many seconds you told it, it'd remove it (assuming you didn't tell it to just leave the rule). It's not hard to write, though.

    Incidentally, I agree with some of the other posters; I doubt it's just portscans doing this.
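The sentry the poster describes, as an added Python example (not the poster's lost program and not portsentry's code): it listens on a few decoy ports that carry no service, treats any completed connection as a probe, and puts the source on a block list whose entries expire after a TTL unless you mark the list permanent. The firewall hook is injectable so the bookkeeping can be tested without root; the real hook shown assumes Linux with iptables on the PATH, and the decoy port numbers are an arbitrary choice for the demo.

```python
import selectors
import socket
import subprocess
import time


class BlockList:
    """Offending hosts with an expiry time each. apply_rule(ip, "add"|"del")
    is called when a rule should go in or come out; the default just prints."""

    def __init__(self, ttl_seconds, apply_rule=None, permanent=False):
        self.ttl = ttl_seconds
        self.permanent = permanent
        self.apply_rule = apply_rule or (lambda ip, action: print(f"[rule] {action} {ip}"))
        self.expiry = {}  # ip -> time at which the rule is removed

    def block(self, ip, now=None):
        """Block ip; returns True if a rule was added, False if it was only refreshed."""
        now = time.monotonic() if now is None else now
        fresh = ip not in self.expiry
        self.expiry[ip] = now + self.ttl
        if fresh:
            self.apply_rule(ip, "add")
        return fresh

    def is_blocked(self, ip, now=None):
        now = time.monotonic() if now is None else now
        return ip in self.expiry and (self.permanent or self.expiry[ip] > now)

    def expire(self, now=None):
        """Remove rules whose TTL has passed; returns the IPs released."""
        if self.permanent:
            return []
        now = time.monotonic() if now is None else now
        gone = sorted(ip for ip, t in self.expiry.items() if t <= now)
        for ip in gone:
            del self.expiry[ip]
            self.apply_rule(ip, "del")
        return gone


def iptables_hook(ip, action):
    """Real hook for Linux: insert or delete a DROP rule (assumes iptables and root)."""
    flag = "-I" if action == "add" else "-D"
    subprocess.run(["iptables", flag, "INPUT", "-s", ip, "-j", "DROP"], check=False)


def serve(ports, blocklist, bind_addr="0.0.0.0"):
    """Accept on decoy ports; a completed handshake means a real probe from that
    source, so it goes on the block list. Expired entries are released each loop."""
    sel = selectors.DefaultSelector()
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((bind_addr, port))
        s.listen(8)
        s.setblocking(False)
        sel.register(s, selectors.EVENT_READ)
    while True:
        for key, _mask in sel.select(timeout=1.0):
            conn, (ip, _port) = key.fileobj.accept()
            conn.close()  # nothing to say to them
            if blocklist.block(ip):
                decoy = key.fileobj.getsockname()[1]
                print(f"{time.strftime('%H:%M:%S')} blocked {ip} after hit on decoy port {decoy}")
        blocklist.expire()


if __name__ == "__main__":
    # Decoy ports are an arbitrary demo choice; swap in iptables_hook to enforce.
    serve([2222, 3128, 8080], BlockList(ttl_seconds=600))
```

Two design points worth keeping if you build on this: react only to completed TCP connections, because a source address on a bare SYN or a UDP packet can be forged and a reactive blocker that trusts it can be made to drop your own DNS server or gateway; and keep the TTL short rather than permanent for the same reason, so a mistaken block heals itself.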

  38. DO NOT REACT TO PORTSCANS. by Alex+Belits · · Score: 1

    Really.

    --
    Contrary to the popular belief, there indeed is no God.
  39. Check Their Hardware by Cycloid+Torus · · Score: 0

    Had very similar and it was issue with ISP hardware. I'm at the end of a loop and the repeater serving the loop had a slight crack - allowing moisture inside - which effectively dropped my 6Mbit to 50Kbit - every morning if dew - every rainstorm. Took me 2 1/2 months to figure it out and talk ISP into doing proper tests and finally into fixing it.

    Been cool for 2 years - wow, what a difference.

    --
    Lost in space at an early age. Survived the vacuum. Now rebuilding castle in air.
  40. I hate screwing up a moderation by Mononoke · · Score: 1

    Just negating an erroneous moderation. Sorry folks.

    --
    NetInfo connection failed for server 127.0.0.1/local
  41. Blame Canad^H^H^H^H^HKorea! by B747SP · · Score: 1
    At least you don't have some punk trying to find a weak username/password combo through SSH. (Silly script kiddie, you can't login to root through SSH on my box.)

    One way of dealing with that problem is to block China and Korea altogether. All the l33+ h4x0r5 who try to password guess on my ssh daemons come from educational institutions in Korea. Block them at the border router, problem goes away!

    --
    I find your ideas intriguing and I wish to subscribe to your newsletter.