Slashdot Mirror
How Do You Handle Portscanning Attacks?
Kainaw asks: "I tried to submit this earlier, but I couldn't because I had no bandwidth available. The reason is simple: I use Comcast for cable Internet. My modem/router is portscanned constantly. Nothing makes it past the router, so everyone tells me that it isn't an issue. Well, it is when I can't access any webpages, get email, or even submit a simple article to Ask Slashdot because my entire bandwidth is eaten up by script kiddies with a new portscanner toy. This is a two-part question: First, can anything be done with a simple at-home modem/Linksys router/two computer setup to stop a portscanning attack? Second, is it possible for the Linksys router to become a 'bot' and actually be the originator of much of the traffic?"
Sounds to me like you have bigger problems than the portscanning. Even hundreds of simultaneous port scans are unlikely to chew through all your bandwidth on a cable line. Sounds to me like your computer(s) may be zombied and *that's* what's eating up your bandwidth.
Got the IP addys of your tormentors?
Post them here!
I'm sure some of us could persuade these kids that port scanning is bad for your health...
^_^
____
~ |rip/\/\aster /\/\onkey
Basicly, no. End users are the scum of the internet, no ISP really cares what happens to you as long as you pay the bill. If you don't, they don't care because others will.
Your best bet would be to detect the port scan (eg, >5 sequential connections from the same host, or >15 nonsequential ones) and nullroute it so they get no response at all.
Of course they can get around that, but if you're avoiding the common drones it doesnt matter.
Second off, its not an attack, its just trying to get more information on you. Calling it an attack makes it sound bad, which furthers scare away the masses(who then get to vote on this stuff). If your isp didnt limit your upstream so much you wouldn't even notice it. nmap running in standard mode doesnt use nearly as much packets or bandwidth as my isp flooding me with arp who-has packets to see whos on.
sidenote, be careful with whatever you do. Last time I found out a friend of mine ran a stupid windows firewall that would automaticly firewall anything that portscanned him, I spoofed a scan from his dns, then after I had fun watching him wonder why he couldnt resolve anything, I spoofed one from his gateway.
Automated dropping is dangerous.
Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
One thing that I did was to disable ICMP echo reply. (I allowed it from IP ranges that I'm likely to be at, but in general, it's turned off.) That means if someone tries to ping me, they don't get a response, so many script kiddies will assume that there is no computer at my IP address and move on.
I've also set it up to drop incoming TCP requests for dead ports (actually, it blocks the outgoing connection refused packets). So if they scan ports that aren't open, they never get a single packet back.
Essentially, unless they're connecting to something I intentionally have open, they can't tell that my system exists.
And you don't allow access to it from un-trusted machines (i.e., the Internet), right?
Otherwise, in theory, it could get pwned. It is running Linux and tools such as busybox.
You are being MICROattacked, from various angles, in a SOFT manner.
In my expereience, when somebody's saying that `X is using up all my bandwidth', where `X' is things like virii, `hackers', ARP requests or something else, what that really means is that somebody doesn't really understand what's going on.
Most cable modems have a lot of downstream bandwith and not so much upstream bandwidth -- but even the upstream bandwidth is far far more than is used by a standard port scan where somebody hits all your ports to see if they're open.
And even that's unusual -- usually people seem to scan entire networks to see if one port is open, so a single scanner would only send a few packets at your box. It would take several thousand people hitting your box _at once_ like this to make things as bad as you make it sound.
Your box may actually be under attack (a DoS attack.) I get a lot of trouble like this when people want the nick I use on IRC -- they packet my box incessantly. I've got 5 Mb/s downstream on my cable modem, so as long as my packet filtering isn't responding to each packet, it takes a pretty signifigant attack to kick me off of IRC. But if my system does respond to every packet with packets of approximately the same size, an attack of about 0.3 Mb/s is enough to bring everything down to a crawl. It's all a matter of configuring my filters properly ...
Ultimately, what you should do is log all the packets being sent at your IP address with a tool like tcpdump, then send those logs to the abuse department of the ISP where they're coming from. If it's a DDoS attack, the odds are that the IPs are spoofed, but if it's really a portscan it's probably not (becuase they need to see the returning packets to see which ports are open.)
You could also contact Comcat and see if they could filter the traffic out, though I'd reserve that option for an attack that lasts days and doesn't give up, because if they're anything like RR, getting to somebody who can actually do that will be very difficult.
Another way of dealing with an attack is to turn off your cable modem long enough for your DHCP lease to expire, and then come back and get a new IP address, one that's hopefully not being attacked.
It's a fallacy that ignorant kids are behind the port scanning.
It's spammers. It's professional organized crime. I believe the majority of these port scanning and worm/virus propagation is going on by organized groups looking to take over peoples' computers for the purpose of finding new IP space from which they can send unsolicited e-mail. If there are any script kiddies, they are a fraction of a fraction of the percentage of the traffic.
My systems are constantly under probe attacks and port scans. The majority of these attacks originate from rogue IP space in China, Korea, and other areas that appear to be more liberal in doing business with the spammer organized crime contingent.
At this point, I don't see technology making much difference. This is a political and enforcement issue.
My advice is to contact your local District Attorney and demand that they start prosecuting computer tampering cases. We know these people are ultimately in the U.S. and can be caught even if they route from around the globe. We know they're breaking laws and can be prosecuted. We have laws in effect right now - we don't need more laws. We need enforcement and government authorities who WILL ENFORCE THE LAW AND STOP THESE PEOPLE. You can't count on ISPs to help since they profit from bandwidth consumption; you can't count on corporations to help, they are scared of any attempt to curtail cyber marketing of any sort. You must start on a local level and demand that the judicial and enforcement branches go after these criminals.
One question... (Score:0) by Anonymous Coward on Wednesday June 15, @01:24PM (#12826733) If your computer is connected to the internet through a Linksys/whatever router, how do you know you're being portscanned? it's like a horror movie : The ISP said that there were no outside connections. The Zombie is in the house with you! Get out, do you hear me? Get out now.
The rock, the vulture, and the chain
So the peak scan bandwidth of a really noisy nmap scan is about 100 kilobits per second, and you would have to have 23 simultaneous scans being performed in the absolute worse case scenario to max out your link. If your router's external interface was actually replying to these scans, you would notice problems at somewhere less than this, say, 20 simultaneous scans. The actual number of scans you could endure before noticing it is much, much higher than this, because I used -T5 to make nmap really noisy (not typical for k1ddi3s scanning), and I took the peak bandwidth instead of the average bandwidth for my calculations.
But I'm a Comcast customer and I don't see anywhere near that level of scanning. I see a few port scans a day, plus the usual worm remnants. Sometimes someone will get a bug up their ass and scan me repeatedly, but that's still just a few scans in a row. This is much, much lower than the 4 Mbit capacity of the throttled rx queue on my cable modem.
The other thing that makes scans an unlikely root cause of your connectivity problem is that Comcast's security department would certainly go after anyone who was scanning one of their customers that hard, and possibly install filters to keep from having to pay their transit suppliers for all that bandwidth.
The most likely explanation is that the problem is a simple misconfiguration, such as a misconfigured DNS setting or a P2P app running on your machine. The P2P apps in particular will cause intermittent problems loading web pages, which sounds like what you're experiencing.
-- thalakan
You're wrong. And this isn't about spam. It's about computer tampering, which has been a crime since before the Internet. People who break into other peoples' computers and compromise them are breaking laws. (Port scanning may or may not be criminal, but it's the precursor to criminal activity) I'm just pointing out that the most significant group doing this are obviously the spammers. Anyone who is paying attention can see that, and they are clearly breaking the law. If you break in and take over someone else's computer, that's a felony.
Unfortunately, we probably won't see law enforcement do anything about it until a spammer accidently breaks into the computer that contains the formula for McDonald's special sauce.
Every state has laws like this:
Here's a list of computer crime laws by state
Here's info on Federal computer crime laws
Also see:
as long as you do not need to do anything fancy, the simplified firewalls on consumer-level routers work fine. i have ICMP echo turned off, and a few well-know ports open for apps. no problems.
if this doesn't fix it for him, clearly this guy has some larger problem than port scanning. let's no mislead him.
Turn off WIFI and check your bandwidth...
Chances are someone's pulling your bandwidth via WIFI or its creating some problem.
I haven't quite nailed it down yet but in the last few months both my personal network and a friend of mine's have been bogged down whenever the WiFi is turned on. I like to think I'm security savvy but I just started digging into it yesterday.
I'll reconfigure the netgear so it only accepts the MAC addresses I have but it's still quite annoying. I didn't broadcast the SSID and I used WEP/WPA but my surfing lags horribly whenever WiFi is turned on. Even in rural Idaho there be issues.
who'd thunk it?
Good luck!
"Don't fear death... fear not living..." -me