How Do You Handle Portscanning Attacks?
Kainaw asks: "I tried to submit this earlier, but I couldn't because I had no bandwidth available. The reason is simple: I use Comcast for cable Internet. My modem/router is portscanned constantly. Nothing makes it past the router, so everyone tells me that it isn't an issue. Well, it is when I can't access any webpages, get email, or even submit a simple article to Ask Slashdot because my entire bandwidth is eaten up by script kiddies with a new portscanner toy. This is a two-part question: First, can anything be done with a simple at-home modem/Linksys router/two computer setup to stop a portscanning attack? Second, is it possible for the Linksys router to become a 'bot' and actually be the originator of much of the traffic?"
I would suggest you contact Comcast. They might be able to help you out, especially if you think it's a problem on your end. I've never heard of a Linksys router being made into a bot, though.
On a side note, I've also got Comcast, and I've never run into anything like this. They do tend to have a lot of problems with their DNS servers, though.
"Extremism in the pursuit of liberty is no vice. Moderation in the pursuit of justice is no virtue." --Barry Goldwater
In my experience, when somebody's saying that `X is using up all my bandwidth', where `X' is things like virii, `hackers', ARP requests or something else, what that really means is that somebody doesn't really understand what's going on.
Most cable modems have a lot of downstream bandwidth and not so much upstream bandwidth -- but even the upstream bandwidth is far far more than is used by a standard port scan where somebody hits all your ports to see if they're open.
And even that's unusual -- usually people seem to scan entire networks to see if one port is open, so a single scanner would only send a few packets at your box. It would take several thousand people hitting your box _at once_ like this to make things as bad as you make it sound.
Your box may actually be under attack (a DoS attack.) I get a lot of trouble like this when people want the nick I use on IRC -- they packet my box incessantly. I've got 5 Mb/s downstream on my cable modem, so as long as my packet filtering isn't responding to each packet, it takes a pretty significant attack to kick me off of IRC. But if my system does respond to every packet with packets of approximately the same size, an attack of about 0.3 Mb/s is enough to bring everything down to a crawl. It's all a matter of configuring my filters properly ...
Ultimately, what you should do is log all the packets being sent at your IP address with a tool like tcpdump, then send those logs to the abuse department of the ISP where they're coming from. If it's a DDoS attack, the odds are that the IPs are spoofed, but if it's really a portscan it's probably not (because they need to see the returning packets to see which ports are open.)
You could also contact Comcast and see if they could filter the traffic out, though I'd reserve that option for an attack that lasts days and doesn't give up, because if they're anything like RR, getting to somebody who can actually do that will be very difficult.
Another way of dealing with an attack is to turn off your cable modem long enough for your DHCP lease to expire, and then come back and get a new IP address, one that's hopefully not being attacked.
Better yet, use PFSense which is a fork of m0n0wall, but with a goal of higher level functionality.
After you use the latest installer, go to http://www.pfsense.com/updates/ and grab the latest version, then update via the 'firmware' tab on the web interface.
Seeing as none of the comments so far has answered your question, let me just offer my 2¢:
Rather than using a Broadband NAT router, set up a firewall running Linux, *BSD, or similar. This way, you can send "irrelevant" traffic (e.g. ICMP ping requests, or TCP/UDP packets to ports on which you do not provide services) to the bit bucket ("DROP" in the language of Linux IPTables).
This slows down port scanning of your machine (e.g. using "nmap") to near a grinding halt, and thereby reduces the bandwidth consumed by such port scans to near zero.
It is not bulletproof - someone could still direct DoS attacks against you - but it would nearly eliminate the traffic caused by casual port scanning of your machine.
Seriously, dump that Linksys or other SOHO box and spring for a small *nix-based machine. Personally, I use a slimmed-down Linux box running iptables. I also use the TARPIT target. The TARPIT target is designed to keep the connection open until it times out. This slows port scans and worms to a crawl. While it takes slightly more resources on the firewall machine itself, it doesn't eat up any more bandwidth than the port scan itself would, except that now the bandwidth is spread over a longer period of time. It also helps to block other packet types that can cause issues, such as ICMP echo. It is definitely not a good idea to block all ICMP traffic, though. Also, try setting up QoS or some other form of traffic shaping to give priority to your packets, specifically ACK packets, as this will improve responsiveness and will keep you from being locked out of your connection, even when under a high bandwidth load.
Congratulations! You're violating RFC 1122 - Requirements for Internet Hosts and as such should not expect anything to necessarily work correctly!
3.2.2.6 Echo Request/Reply: RFC-792
Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies.
Have a wonderful day.
So the peak scan bandwidth of a really noisy nmap scan is about 100 kilobits per second, and you would have to have 23 simultaneous scans being performed in the absolute worst case scenario to max out your link. If your router's external interface was actually replying to these scans, you would notice problems at somewhere less than this, say, 20 simultaneous scans. The actual number of scans you could endure before noticing it is much, much higher than this, because I used -T5 to make nmap really noisy (not typical for k1ddi3s scanning), and I took the peak bandwidth instead of the average bandwidth for my calculations.
But I'm a Comcast customer and I don't see anywhere near that level of scanning. I see a few port scans a day, plus the usual worm remnants. Sometimes someone will get a bug up their ass and scan me repeatedly, but that's still just a few scans in a row. This is much, much lower than the 4 Mbit capacity of the throttled rx queue on my cable modem.
The other thing that makes scans an unlikely root cause of your connectivity problem is that Comcast's security department would certainly go after anyone who was scanning one of their customers that hard, and possibly install filters to keep from having to pay their transit suppliers for all that bandwidth.
The most likely explanation is that the problem is a simple misconfiguration, such as a misconfigured DNS setting or a P2P app running on your machine. The P2P apps in particular will cause intermittent problems loading web pages, which sounds like what you're experiencing.
-- thalakan
OP has a Linksys router. Showing a new MAC to Comcast involves nothing more than going to the Linksys box web admin page and typing in something new.
You're wrong. And this isn't about spam. It's about computer tampering, which has been a crime since before the Internet. People who break into other peoples' computers and compromise them are breaking laws. (Port scanning may or may not be criminal, but it's the precursor to criminal activity) I'm just pointing out that the most significant group doing this are obviously the spammers. Anyone who is paying attention can see that, and they are clearly breaking the law. If you break in and take over someone else's computer, that's a felony.
Unfortunately, we probably won't see law enforcement do anything about it until a spammer accidentally breaks into the computer that contains the formula for McDonald's special sauce.
Every state has laws like this:
Here's a list of computer crime laws by state
Here's info on Federal computer crime laws
Also see:
Actually, if you have done some reading and used tools like nmap, you might be a little shocked to know that this tool can still tell if you're online unless you really know what you're doing. Turns out that certain "illegal" TCP flags can trigger the OS to reveal information about the ports they are scanning. So even if you think you're blocking outgoing info, chances are you're only blocking "legit" outgoing stuff, and you're still in fact giving out tons of information to people that know TCP well enough to scan you.
Use it to block all ports and keep connection states.
See, in a portscan, they send a SYN, and you send back an ACK... and back and forth. They try to connect to a port, your TCP/IP stack replies with a drop connection and they increment the port and repeat. The amount of data going in each direction is roughly equal when the ports are closed.
The amount of bandwidth you have is not symmetrical. The best ADSL can do is 4/.8 Mbps for download/upload, and the best a DOCSIS modem can do is similar. It is more likely that your upload bandwidth is choked, since 4 Mbps of download bandwidth is plenty of room. Unless you have a 'lite' internet speed which is ridiculously slow.
So a packet filter simply doesn't take the packet. No replies, either TCP or ICMP. That also means they will give up trying to keep their bandwidth efficient, and start portscanning another IP that actually replies. And since TCP/IP is several back and forth packets to connect, you'll save on some download bandwidth, and you'll save ALL of your precious upload bandwidth.
It's even better if you have NO ports open at all from the outside, like ssh or http or smtp. That way intruders cannot know at all if you exist, and it's just a waste to portscan all 4 billion IPs, all their TCP and UDP ports rather than just the IPs which actually reply.
My favorite packetfilter is OpenBSD for obvious reasons, they clearly had the best packet filter until recently. Now the competition is close, since everyone seems to be copying them. I don't have much experience with iptables and it confuses me, but it has a much greater install base, and commercial companies to back it.
I've tried the WRT56GX Linksys (latest wireless) router, and haven't been impressed with its firewall options. I wonder if I can grab a Linksys and replace the firmware with a much simpler OpenBSD embedded system (is there an OpenBSD for ARM?). For serious outfits, I'd use OpenBSD on a Pentium III-ish with two good NICs and low power consumption for stability.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
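Two comments above suggest logging incoming packets with tcpdump for an abuse report, and point out that "illegal" TCP flag combinations (NULL, FIN, Xmas) can coax a host into revealing port state. The following is an added example, not code from any poster: it parses constructed `tcpdump -n` lines, classifies each probe type, and groups them per source so a SYN sweep and a NULL/FIN/Xmas burst stand out from a normal connection. The sample addresses, the threshold and the `detect_scans` helper are assumptions of this example.

```python
import re
from collections import defaultdict
# Constructed `tcpdump -n` excerpt: a SYN sweep, a NULL/FIN/Xmas burst and one normal connection.
SAMPLE_LOG = """\
12:00:01.000001 IP 203.0.113.5.40001 > 198.51.100.7.21: Flags [S], seq 1, win 1024, length 0
12:00:01.000050 IP 203.0.113.5.40001 > 198.51.100.7.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000100 IP 203.0.113.5.40001 > 198.51.100.7.23: Flags [S], seq 1, win 1024, length 0
12:00:01.000150 IP 203.0.113.5.40001 > 198.51.100.7.25: Flags [S], seq 1, win 1024, length 0
12:00:01.000200 IP 203.0.113.5.40001 > 198.51.100.7.80: Flags [S], seq 1, win 1024, length 0
12:00:02.000001 IP 203.0.113.9.5555 > 198.51.100.7.21: Flags [none], seq 1, win 1024, length 0
12:00:02.000050 IP 203.0.113.9.5555 > 198.51.100.7.22: Flags [FPU], seq 1, win 1024, length 0
12:00:02.000100 IP 203.0.113.9.5555 > 198.51.100.7.23: Flags [F], seq 1, win 1024, length 0
12:00:02.000150 IP 203.0.113.9.5555 > 198.51.100.7.80: Flags [none], seq 1, win 1024, length 0
12:00:03.000001 IP 192.0.2.10.51234 > 198.51.100.7.443: Flags [S], seq 100, win 65535, length 0
12:00:03.000200 IP 192.0.2.10.51234 > 198.51.100.7.443: Flags [.], ack 1, win 65535, length 0
"""
LINE_RE = re.compile(r"^(\S+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([^\]]*)\]")

def probe_kind(flags):
    """Map a tcpdump flag string to a scan probe type, or None for ordinary traffic.
    NULL, FIN and Xmas probes lean on RFC 793: a closed port answers with RST while an
    open one stays silent, so a host that replies to them at all leaks its port state."""
    if flags == "none":
        return "null"
    fl = set(flags)
    if fl == {"S"}:
        return "syn"
    if fl == {"F"}:
        return "fin"
    if fl == {"F", "P", "U"}:
        return "xmas"
    return None  # "S.", ".", "P." etc. belong to real handshakes and data exchange

def detect_scans(log_text, min_ports=4):
    """Return sources whose probes hit at least min_ports distinct ports, with the
    detail an abuse report needs: probe types, ports, packet count and time window."""
    per_src = defaultdict(lambda: {"ports": set(), "kinds": set(), "packets": 0, "first": "", "last": ""})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _sport, _dst, dport, flags = m.groups()
        kind = probe_kind(flags)
        if kind is None:
            continue
        rec = per_src[src]
        rec["ports"].add(int(dport)); rec["kinds"].add(kind); rec["packets"] += 1
        rec["first"], rec["last"] = rec["first"] or ts, ts
    return {src: {"kinds": sorted(r["kinds"]), "ports": sorted(r["ports"]), "packets": r["packets"],
                  "first": r["first"], "last": r["last"]}
            for src, r in per_src.items() if len(r["ports"]) >= min_ports}
```

Feed it `tcpdump -n -i <wan-if> 'dst host <your-ip>'` output captured over a day and the dictionary it returns is the per-source summary (probe type, ports touched, time window) that an ISP abuse desk can act on; a stateful filter that DROPs anything not belonging to an established connection is what stops the flag-based probes from getting an answer in the first place.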
Your router may block the unreachables - that's a common lockdown step. But it is also correct behavior for the router on the destination net to send an ARP, determine that nobody is listening at that IP address, and reply to sender with the icmp dest unreachable (ICMP Type 3, Code 1). There's also a net unreachable that I haven't run into, Type 3, code 0.
http://www.faqs.org/rfcs/rfc792.html
"Gateways in these networks may send destination unreachable messages to the source host when the destination host is unreachable."
If an ACL blocks the traffic with a reject (vs. drop) then typically it's an ICMP destination host administratively prohibited (Type 3, Code 10)