How Do You Handle Portscanning Attacks?
Kainaw asks: "I tried to submit this earlier, but I couldn't because I had no bandwidth available. The reason is simple: I use Comcast for cable Internet. My modem/router is portscanned constantly. Nothing makes it past the router, so everyone tells me that it isn't an issue. Well, it is when I can't access any webpages, get email, or even submit a simple article to Ask Slashdot because my entire bandwidth is eaten up by script kiddies with a new portscanner toy. This is a two-part question: First, can anything be done with a simple at-home modem/Linksys router/two computer setup to stop a portscanning attack? Second, is it possible for the Linksys router to become a 'bot' and actually be the originator of much of the traffic?"
You definitely wouldn't want to do a default install of any distro I know of (except Debian, that doesn't install much of anything except what you ask for).
And you don't allow access to it from un-trusted machines (i.e., the Internet), right?
Otherwise, in theory, it could get pwned. It is running Linux and tools such as busybox.
You are being MICROattacked, from various angles, in a SOFT manner.
Well, try a firewall specific distro then, such as m0n0wall. It's excellent, basically FreeBSD with everything cut out but the firewall. Link is http://m0n0.ch/wall, and I'm sure there are plenty of other hardened distros.
BigLig2? You mean there's another one of me?
Umm... Comcast doesn't, at least not on my subnet.
I actually had some discussions with the installers and local sales people for Comcast. Their attitude was a don't ask/don't tell policy for running services over their cable modem connections. As long as you aren't soaking up an extreme amount of bandwidth they don't really care if you are running a web server, ftp server, whatever.
Besides, I could run ssh over any port I want.
If you have a fw inside a router, the router will send a "destination host unreachable" ICMP message in response to traffic to non-existent hosts.
A drop will generally indicate:
1) firewalling
2) an inverse map - "I didn't get the ICMP 'dest. host unreachable', ergo something is there"
Blocking that outbound ICMP message is possibly a mistake if you have public net resources.
As others pointed out, a drop vs. the ICMP error slows the scan down nicely, though.
Some cable modems will let you 'reset' them by various means (holding down the reset button at power up, holding it down for a long time, leaving the modem off for a long time) and in fact may require that before they'll work with another MAC address (because you're limited to one IP address, and it'll think you still have the old one.)
And then you need to make sure your DHCP client doesn't request the same IP address again -- many do this by default.
All in all, getting a new IP address from your cable modem network is often a PITA -- but it's nothing compared to the PITA it is to actually get somebody on the phone at their support organization who understands what a DoS attack is and can actually help you with it.
> nothing compared to the PITA it is to actually get somebody on the phone at their support organization who understands what a DoS attack is
I work for a cable provider in New Zealand. We have all been shown logs of a typical DoS attack and logs of typical filesharing and how to tell the difference. (We don't ban filesharing, but we do charge for extra traffic after a set amount (1GB, 5GB or 10GB depending on the plan)).
I'm not sure what our techies do about DoS attacks.
We don't ban running servers or anything. It's the customer's bandwidth - they've paid for it and they can use it for anything that's legal. I don't understand ISPs banning customers from sshing into their box or putting up a personal web page.
Heck, we even give them a static IP to make it easier (and can change it if required but it takes a few days to provision).
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
Found the 'Insane' setting -- it's not really about flooding a host, it's about assuming that the latency is almost zero, so a scan will happen quickly.
That's true to an extent, except that the Insane setting generally does not wait for a reply to packets before sending the next. It lets you flood the host, and if their connection is slower than yours and you run it enough times they end up with quite a backlog of packets they need to download from their ISP.
My point was that it is possible to DoS someone using just a portscan if your connection is significantly faster than theirs and you feel like running a few thousand portscans on their IP address. Whether it is smart, easy or generally useful remains to be seen, but it is possible.
Then you're not really port scanning him anymore -- you're DoS'ing him.
Well, technically I am still portscanning. The side effect is that I'm DoS'ing him. Alas, he won't know that. All he'll see is a bunch of port scans in his firewall logs.
But there's little point in doing it more than once per port, unless you think his system will respond randomly or something.
There is point if all I want to do is cause him grief. It doesn't matter how the remote system responds - whether there's closed or open ports, or even if I get a reply at all. If I was seriously interested in finding open ports I'd use scans that are less likely to be noticed, not just bombard him with zillions of packets.
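The posts above distinguish two things a home firewall log can show: a scan that touches many ports, and a packet flood that eats bandwidth regardless of which ports it hits. The following is an added example (not code from the thread or from any of the products mentioned) that classifies sources in netfilter-style DROP log lines accordingly; the log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field names follow what the iptables LOG target emits (SRC=, DPT=, ...);
# the timestamp format is an assumption for this example.
LINE_RE = re.compile(r"^(?P<ts>\S+) kernel: DROP .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (timestamp, source_ip, dest_port) or None for lines we don't understand."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])


def classify_sources(lines, scan_ports=20, flood_pps=50.0):
    """Map each source IP to a set of labels: 'scan' (many distinct ports) and/or
    'flood' (high packet rate, which is what actually costs bandwidth)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    verdicts = {}
    for src, evs in events.items():
        labels = set()
        if len({dpt for _, dpt in evs}) >= scan_ports:
            labels.add("scan")
        span = (max(t for t, _ in evs) - min(t for t, _ in evs)).total_seconds()
        if len(evs) / max(span, 1.0) >= flood_pps:   # floor the span at 1s
            labels.add("flood")
        verdicts[src] = labels
    return verdicts


def constructed_log():
    """Constructed sample: a slow 30-port scan, a 300-packet flood on one port, one stray packet."""
    fmt = "{ts} kernel: DROP IN=eth0 SRC={src} DST=192.0.2.10 PROTO=TCP SPT=4444 DPT={dpt}"
    lines = [fmt.format(ts=f"2024-01-01T10:00:{i:02d}", src="203.0.113.5", dpt=1 + i) for i in range(30)]
    lines += [fmt.format(ts=f"2024-01-01T10:01:{i // 100:02d}", src="198.51.100.9", dpt=80) for i in range(300)]
    lines.append(fmt.format(ts="2024-01-01T10:02:00", src="192.0.2.77", dpt=443))
    return lines


if __name__ == "__main__":
    for src, labels in classify_sources(constructed_log()).items():
        print(src, sorted(labels) or ["nothing notable"])
```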
I drink to make other people interesting!
> You want evidence? Check your e-mail you stupid moron. Look at the headers
> of the spam you receive. Notice how a significant chunk of it comes from
> comcast, verizon, cox cable, TDE, and other broadband IP space.
I haven't checked this in the last few months, so maybe it's changed, but the last time I did check, virtually 100% of the spam I get came from the APNIC block, and roughly 0% of it came from IP addresses with a corresponding PTR record in DNS for reverse lookup.
I think it depends somewhat on *which* spammers have your email address in their database. As near as I can tell, there are only a few major spamming organizations in the world (perhaps as many as twenty or so) and very few people are on more than one or two of their lists, because they don't share. (They share *within* each organization, but not between, as near as I can tell. As far as why, I could only speculate, but my first guess would be language barriers, and my second guess would be that they can't track each other down any more easily than we can track them down, so they don't know each other at all except within each organization. But these are guesses.)
There's at least one major spamming organization in Eastern Europe; they use IRC to communicate, and they use worms to harvest zombies, and this latter activity has exposed them to the honeynets. They have a hierarchical organization like in cheesy mafia movies, with small circles of trust, where the one or two "innermost" members of each small group/circle also are part of the next most central circle. They mostly send English-language spam but also other European languages, notably Russian and German. If you get spam in Cyrillic characters, it comes from these guys. They probably get most of their addresses from Outlook Express address books, but possibly also from other sources. My home address has only gotten on their list in the last year or so.
There's at least one *enormous* spamming organization operating out of Asia (with subnets in China, Korea, and several other Asian countries). They send huge amounts of Chinese-language spam, also lots in English, quite a bit in Korean (with Hangul characters), and some in Spanish and a handful of other languages. There is no evidence that they use IRC. They migrate their SMTP servers (or relays, or something) across entire Class-B subnets, but they don't appear to use zombies, because everything they send comes out of the APNIC block. If you report them to abuse@, you end up in their "special" database, which causes you to receive a lot more spam, some of it with totally blank bodies, just for spite. My home address has been on these guys' list since circa 1999, probably because they harvest addresses from usenet, but they also appear to harvest from mailto: links on the web, among other sources.
We know from previous high-profile news stories on slashdot that there are spammers operating out of the U.S., some of which are fairly big-time, but they use relays elsewhere, including in Asia. I suspect that these guys are mixed up with some of the shadier adware. They're also much more poorly organized than the Asian group or the eastern European group. Some of them actually *buy* their lists of addresses, from other spammers (one another, mostly), but they also harvest addresses from the web. All or nearly all of the spam they send is English-language. These guys are responsible for most of the spam that advertises pharmaceuticals, but they also advertise other things, including websites, software, and financial services. My work address has been on their list for a couple of years now.
Then there's the African spam. This is where the 419s come from, but they send other stuff too, mostly in English, but also in French. They are not organized at all and appear to operate in small autonomous groups or as individuals, but they do have contact with one another (probably in a very loose web, perhaps largely by virtue of living mostly in the same few large cities, nota
Cut that out, or I will ship you to Norilsk in a box.
I did once see a similar device nearly crushed when configured in a particularly unusual way. It was set to redirect traffic directed at any port over to a tarpit sitting behind it. After a few minutes of exposure on the wild internet several portscans and worms happened by. The device response slowed a bit, even though very little bandwidth was being used. These devices don't have much CPU and memory, and they are really not designed to front a tarpit on all ports like that. Poor little thing!
Of course, this is unlikely to be the source of the problem experienced by Kainaw. An infested PC is much more likely.
If you mod me down, I shall become more powerful than you could possibly imagine.
Turn off WIFI and check your bandwidth...
Chances are someone's pulling your bandwidth via WIFI or it's creating some problem.
I haven't quite nailed it down yet but in the last few months both my personal network and a friend of mine's have been bogged down whenever the WiFi is turned on. I like to think I'm security savvy but I just started digging into it yesterday.
I'll reconfigure the netgear so it only accepts the MAC addresses I have but it's still quite annoying. I didn't broadcast the SSID and I used WEP/WPA but my surfing lags horribly whenever WiFi is turned on. Even in rural Idaho there be issues.
Who'd thunk it?
Good luck!
"Don't fear death... fear not living..." -me