How Do You Handle Portscanning Attacks?
Kainaw asks: "I tried to submit this earlier, but I couldn't because I had no bandwidth available. The reason is simple: I use Comcast for cable Internet. My modem/router is portscanned constantly. Nothing makes it past the router, so everyone tells me that it isn't an issue. Well, it is when I can't access any webpages, get email, or even submit a simple article to Ask Slashdot because my entire bandwidth is eaten up by script kiddies with a new portscanner toy. This is a two-part question: First, can anything be done with a simple at-home modem/Linksys router/two computer setup to stop a portscanning attack? Second, is it possible for the Linksys router to become a 'bot' and actually be the originator of much of the traffic?"
Unfortunately, I'm at work, so I have no clue what the IP address is.
You mean you can't ssh into your home box from the office.
Loser.
I think the right question is "how should I handle my bandwidth being eaten up?" and a lot of people have responded in a good manner. Verify the source, send logs. Additionally, cut down on promiscuous activity (IRC on some servers, or some channels), some multiplayer games, etc. Generally, if you're smart enough to be doing that kind of stuff, you recognize that it's promiscuous.
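A small "verify the source" check, added here as an example and not part of the thread: it walks router DROP log lines (a constructed format, not a real Linksys one) and flags any source that probed many distinct ports in a short window, then formats the result for an abuse report to the ISP.

```python
"""Pick out port-scan sources from router DROP logs. Constructed log format for
this example (not a real Linksys format): <ISO ts> DROP src=<ip> dst=<ip> proto=<p> dpt=<port>"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=\S+ proto=\w+ dpt=(?P<dpt>\d+)$"
)

# Constructed sample: one host walks ports 20-31 in 12 seconds, another
# host merely knocks on 80 and 443 (not a scan, must not be flagged).
SAMPLE_LOG = "\n".join(
    [f"2005-03-01T10:00:{i:02d} DROP src=203.0.113.7 dst=198.51.100.20 proto=tcp dpt={20 + i}"
     for i in range(12)]
    + ["2005-03-01T10:05:00 DROP src=192.0.2.44 dst=198.51.100.20 proto=tcp dpt=80",
       "2005-03-01T10:05:01 DROP src=192.0.2.44 dst=198.51.100.20 proto=tcp dpt=443"]
)

def parse(log_text):
    """Yield (timestamp, source ip, destination port) for each DROP line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])

def find_scanners(log_text, min_ports=10, window=timedelta(seconds=60)):
    """Return {src: (distinct ports, first ts, last ts)} for every source that
    probed at least `min_ports` distinct destination ports inside `window`."""
    by_src = defaultdict(list)
    for ts, src, port in parse(log_text):
        by_src[src].append((ts, port))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding time window over events
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) >= min_ports:
                scanners[src] = (len(ports), events[lo][0], events[hi][0])
                break
    return scanners

def abuse_report(scanners):
    """One line per flagged source, suitable for pasting into an ISP abuse mail."""
    return [f"{src}: {n} distinct ports between {first.isoformat()} and {last.isoformat()}"
            for src, (n, first, last) in sorted(scanners.items())]
```

Thresholds are assumptions; tune `min_ports` and `window` to the router's real log volume before reporting anyone.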
One of my favorite stories was how I dealt with port scanners in college in 1996. I had an unswitched 10baseT in my dorms. Password sniffers and hackers were everywhere. I was getting constantly scanned. So, I set up an entry in init.d which launched a counter-offensive if someone went after my finger or name service ports. Everyone who knew me knew that I didn't run either service, so that left the ignorant masses with less than honorable intentions. I'd picked out some effective attacks, mostly against Windows machines. The scans slowed down a great deal after I put in my countermeasures.
When I got to grad school, I moved into an apartment with a cable modem (one of the first markets in the US). Without thinking, I left my countermeasures up. Our sysadmin ran some automated portscans to verify that his customers weren't running open mail relays, IRC servers or name servers (upload-hungry services). One day, the cable modem lost its signal. My system logs showed three port scan attempts. Each of them stopped after the first countermeasure-enabled port was hit, and after the third countermeasure we lost our cable modem. I had to discuss the situation with the admin before being allowed to use the cable modem again. He was irked, but audibly amused.
So I simplified my countermeasure to just respond to every finger attempt with a finger against the opponent. Shortly after that, I learned our admin was paged every time his scanner computer was fingered...