Slashdot Mirror
How Do You Handle Portscanning Attacks?
Kainaw asks: "I tried to submit this earlier, but I couldn't because I had no bandwidth available. The reason is simple: I use Comcast for cable Internet. My modem/router is portscanned constantly. Nothing makes it past the router, so everyone tells me that it isn't an issue. Well, it is when I can't access any webpages, get email, or even submit a simple article to Ask Slashdot because my entire bandwidth is eaten up by script kiddies with a new portscanner toy. This is a two-part question: First, can anything be done with a simple at-home modem/Linksys router/two computer setup to stop a portscanning attack? Second, is it possible for the Linksys router to become a 'bot' and actually be the originator of much of the traffic?"
I would suggest you contact Comcast. They might be able to help you out, especially if you think it's a problem on your end. I've never heard of a Linksys router being made into a bot, though.
On a side note, I've also go Comcast, and I've never run into anything like this. They do tend to have a lot of problems with their DNS servers, though.
"Extremism in the pursuit of liberty is no vice. Moderation in the pursuit of justice is no virtue." --Barry Goldwater
Sounds to me like you have bigger problems than the portscanning. Even hundreds of simultaneous port scans are unlikely to chew through all your bandwidth on a cable line. Sounds to me like your computer(s) may be zombied and *that's* what's eating up your bandwidth.
Got the IP addys of your tormentors?
Post them here!
I'm sure some of us could persuade these kids that port scanning is bad for your health...
^_^
____
~ |rip/\/\aster /\/\onkey
Mere portscanning doesn't intentionally clog all bandwidth.
IANA network security expert, but I'd say put a more capable firewall behind the router (read: a Linux or BSD box) and make it the DMZ.
At least you don't have some punk trying to find a weak username/password combo through SSH. (Silly script kiddie, you can't login to root through SSH on my box.)
Comment removed based on user account deletion
Basicly, no. End users are the scum of the internet, no ISP really cares what happens to you as long as you pay the bill. If you don't, they don't care because others will.
Your best bet would be to detect the port scan (eg, >5 sequential connections from the same host, or >15 nonsequential ones) and nullroute it so they get no response at all.
Of course they can get around that, but if you're avoiding the common drones it doesnt matter.
Second off, its not an attack, its just trying to get more information on you. Calling it an attack makes it sound bad, which furthers scare away the masses(who then get to vote on this stuff). If your isp didnt limit your upstream so much you wouldn't even notice it. nmap running in standard mode doesnt use nearly as much packets or bandwidth as my isp flooding me with arp who-has packets to see whos on.
sidenote, be careful with whatever you do. Last time I found out a friend of mine ran a stupid windows firewall that would automaticly firewall anything that portscanned him, I spoofed a scan from his dns, then after I had fun watching him wonder why he couldnt resolve anything, I spoofed one from his gateway.
Automated dropping is dangerous.
Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
One thing that I did was to disable ICMP echo reply. (I allowed it from IP ranges that I'm likely to be at, but in general, it's turned off.) That means if someone tries to ping me, they don't get a response, so many script kiddies will assume that there is no computer at my IP address and move on.
I've also set it up to drop incoming TCP requests for dead ports (actually, it blocks the outgoing connection refused packets). So if they scan ports that aren't open, they never get a single packet back.
Essentially, unless they're connecting to something I intentionally have open, they can't tell that my system exists.
And you don't allow access to it from un-trusted machines (i.e., the Internet), right?
Otherwise, in theory, it could get pwned. It is running Linux and tools such as busybox.
You are being MICROattacked, from various angles, in a SOFT manner.
Seen as none of the comments so far has answered your question, let me just offer my 2:
Rather than using a Broadband NAT router, set up a firewall running Linux, *BSD, or similar. This way, you can send "irrelevant" traffic (e.g. ICMP ping requests, or TCP/UDP packets to ports on which you do not provide services) to the bit bucket ("DROP" in the language of Linux IPTables).
This slows down port scanning of your machine (e.g. using "nmap") to near a grinding halt, and thereby reduces the bandwith consumed by such port scans to near zero.
It is not bulletproof - someone could still direct DoS attacks against you - but it would nearly eliminate the traffic caused by causal port scanning of your machine.
It's a fallacy that ignorant kids are behind the port scanning.
It's spammers. It's professional organized crime. I believe the majority of these port scanning and worm/virus propagation is going on by organized groups looking to take over peoples' computers for the purpose of finding new IP space from which they can send unsolicited e-mail. If there are any script kiddies, they are a fraction of a fraction of the percentage of the traffic.
My systems are constantly under probe attacks and port scans. The majority of these attacks originate from rogue IP space in China, Korea, and other areas that appear to be more liberal in doing business with the spammer organized crime contingent.
At this point, I don't see technology making much difference. This is a political and enforcement issue.
My advice is to contact your local District Attorney and demand that they start prosecuting computer tampering cases. We know these people are ultimately in the U.S. and can be caught even if they route from around the globe. We know they're breaking laws and can be prosecuted. We have laws in effect right now - we don't need more laws. We need enforcement and government authorities who WILL ENFORCE THE LAW AND STOP THESE PEOPLE. You can't count on ISPs to help since they profit from bandwidth consumption; you can't count on corporations to help, they are scared of any attempt to curtail cyber marketing of any sort. You must start on a local level and demand that the judicial and enforcement branches go after these criminals.
Seriously, dump that Linksys or other SOHO box and spring for a small *nix-based machine. Personally, I use a slimmed-down Linux box running iptables. I also use the TARPIT target. The TARPIT target is designed to keep the connection open until it times out. This slows port scans and worms to a crawl. While it takes slightly more resources on the firewall machine itself, it doesn't eat up any more bandwidth than the port scan itself would, except that now the bandwidth is spread over a longer period of time. It also helps to block other packet types that can cause issues, such as ICMP echo. It is definitely not a good idea to block all ICMP traffic, though. Also, try setting up QoS or some other form of traffic shaping to give priority to your packets, specifically ACK packets, as this will improve responsiveness and will keep you from being locked out of your connection, even when under a high bandwidth load.
If you have a fw inside a router, the router will send a "destination host unreachable" ICMP message in response to traffic to non-existant hosts.
A drop will generally indicate:
1) firewalling
2) an inverse map - "I didn't get the ICMP 'dest. host unreachable', ergo something is there"
blocking that outbound ICMP message is possibly a mistake if you have public net resources.
As others pointed out, a drop vs. the icmp error slows the scan down nicely, though.
One question... (Score:0) by Anonymous Coward on Wednesday June 15, @01:24PM (#12826733) If your computer is connected to the internet through a Linksys/whatever router, how do you know you're being portscanned? it's like a horror movie : The ISP said that there were no outside connections. The Zombie is in the house with you! Get out, do you hear me? Get out now.
The rock, the vulture, and the chain
So the peak scan bandwidth of a really noisy nmap scan is about 100 kilobits per second, and you would have to have 23 simultaneous scans being performed in the absolute worse case scenario to max out your link. If your router's external interface was actually replying to these scans, you would notice problems at somewhere less than this, say, 20 simultaneous scans. The actual number of scans you could endure before noticing it is much, much higher than this, because I used -T5 to make nmap really noisy (not typical for k1ddi3s scanning), and I took the peak bandwidth instead of the average bandwidth for my calculations.
But I'm a Comcast customer and I don't see anywhere near that level of scanning. I see a few port scans a day, plus the usual worm remnants. Sometimes someone will get a bug up their ass and scan me repeatedly, but that's still just a few scans in a row. This is much, much lower than the 4 Mbit capacity of the throttled rx queue on my cable modem.
The other thing that makes scans an unlikely root cause of your connectivity problem is that Comcast's security department would certainly go after anyone who was scanning one of their customers that hard, and possibly install filters to keep from having to pay their transit suppliers for all that bandwidth.
The most likely explanation is that the problem is a simple misconfiguration, such as a misconfigured DNS setting or a P2P app running on your machine. The P2P apps in particular will cause intermittent problems loading web pages, which sounds like what you're experiencing.
-- thalakan
You're wrong. And this isn't about spam. It's about computer tampering, which has been a crime since before the Internet. People who break into other peoples' computers and compromise them are breaking laws. (Port scanning may or may not be criminal, but it's the precursor to criminal activity) I'm just pointing out that the most significant group doing this are obviously the spammers. Anyone who is paying attention can see that, and they are clearly breaking the law. If you break in and take over someone else's computer, that's a felony.
Unfortunately, we probably won't see law enforcement do anything about it until a spammer accidently breaks into the computer that contains the formula for McDonald's special sauce.
Every state has laws like this:
Here's a list of computer crime laws by state
Here's info on Federal computer crime laws
Also see:
Don't confuse a portscan with a DOS attack. There is a difference, both in method and intent. Portscans are diagnostics or exploratory probes and are necessary for many benign purposes.
I have been a comcast customer for many years at several locations. Their service is unreliable; the internet is sometimes unreachable and like all the big-name ISPs they let worms that could easily be stopped run rampant in their network. Their DNS infrastructure is also well below par. Since they have a regional monopoly, it is not necessary for them to provide a clean feed, there simply is no competition in their market sector.
My comcast-connected systems are, like yours, portscanned constantly. So are my systems at work (where I have far less bandwidth in both directions) but I don't ever have connectivity problems on the non-comcast links.
Again, if it's really a portscan, it's not an attack. But let's say it's a DOS over multiple ports so it looks like a portscan... you can reverse-resolve the addresses, figure out Comcast's IP-to-physical location mapping (easier than it sounds) and go burn down those people's houses. Other than that, probably not. In theory, yes, absolutely. That's why you keep it up to date on patches and always change the default password. Here in the Real World [tm] you haven't supplied the type of router or patchlevel you are using so I can't go look it up on Google or astalavista. Some cable interface boxes are pretty secure due to hardware limitations, others make very good bots.
Finally... most people on comcast that have major problems are infected with viruses or worms, usually propagated by email. Those that are not are sometimes suffering from bad grounds - check that your cable system and the electrical outlets that feed your computer and televison systems are all properly grounded.
HTH, I'm off to dinner.
Use it to block all ports and keep connection states.
See in a portscan, they send a SYN, and you send back an ACK... and back and forth. They try to connect to a port, your tcpip stack replies with a drop connection and the increment the port and repeat. The amount of data going in each direction is roughly equal when the ports are closed.
The amount of bandwidth you have is not symmetrical. The best ADSL can do is 4/.8 mbps for download/upload, and the best a docsis modem can do is similar. It is more likely that your upload bandwidth is chocked, since 4mbps of download bandwidth is plenty of room. Unless you have a 'lite' internet speed which is rediculously slow.
So a packet filter simply doesnt take the packet. No replies, either TCP or ICMP. That also means they will give up trying to keep their bandwidth efficient, and start portscanning another IP that actually replies. And since TCPIP is several back and forth packets to connect, you'll save on some download bandwidth, and you'll save ALL of your precious upload bandwidth.
Its even better if you have NO ports open at all from the outside, like ssh or http or smtp. That way intruders cannot know at all if you exist, and its just a waste to portscan all 4 billion IPs, all their TCP and UDP ports rather than just the IPs which actually reply.
My favorite packetfilter is OpenBSD for obvious reasons, they clearly had the best packet filter until recently. Now the competition is close, since everyone seems to be copying them. I dont have much experience with iptables and it confuses me, but it has a much greater install base, and commercial companies to back it.
I've tried the WRT56GX Linksys (latest wireless) router, and havent been impressed with its firewall options. I wonder if I can grab a linksys and replace the firmware with a much simpler OpenBSD embedded system (is there an Openbsd for ARM?). For serious outfits, I'd use OpenBSD on a pentium III-ish with two good nics and low power consumption for stability.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Turn off WIFI and check your bandwidth...
Chances are someone's pulling your bandwidth via WIFI or its creating some problem.
I haven't quite nailed it down yet but in the last few months both my personal network and a friend of mine's have been bogged down whenever the WiFi is turned on. I like to think I'm security savvy but I just started digging into it yesterday.
I'll reconfigure the netgear so it only accepts the MAC addresses I have but it's still quite annoying. I didn't broadcast the SSID and I used WEP/WPA but my surfing lags horribly whenever WiFi is turned on. Even in rural Idaho there be issues.
who'd thunk it?
Good luck!
"Don't fear death... fear not living..." -me
Whoa down there buckeroo. Bandwith is not the only resource at stake here. Depending on the vendor of the router upstream, a port scan will consume route cache entries that may make it very hard to open new outbound connections. I know of a major university with the wrong vendor that was routinely getting taken down by a handful people scanning their /16. Yes it was a poor router design in that version, but it was happening. Considering you only get maybe 64k route cache entries that is only 1 or 2 near simultaneous port scans of 1 port across a whole /16 or 1 or 2 scans on all ports on 1 ip address. It *is* possible for port scans to cause problems.