Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Do You Handle Portscanning Attacks?

Posted by Cliff on from the online-hassles dept.

Kainaw asks: "I tried to submit this earlier, but I couldn't because I had no bandwidth available. The reason is simple: I use Comcast for cable Internet. My modem/router is portscanned constantly. Nothing makes it past the router, so everyone tells me that it isn't an issue. Well, it is when I can't access any webpages, get email, or even submit a simple article to Ask Slashdot because my entire bandwidth is eaten up by script kiddies with a new portscanner toy. This is a two-part question: First, can anything be done with a simple at-home modem/Linksys router/two computer setup to stop a portscanning attack? Second, is it possible for the Linksys router to become a 'bot' and actually be the originator of much of the traffic?"

7 of 140 comments (clear)

  1. Not The Portscans by asc4 · · Score: 4, Insightful

    Sounds to me like you have bigger problems than the portscanning. Even hundreds of simultaneous port scans are unlikely to chew through all your bandwidth on a cable line. Sounds to me like your computer(s) may be zombied and *that's* what's eating up your bandwidth.

  2. Here's a suggestion... by TripMaster+Monkey · · Score: 4, Funny


    Got the IP addys of your tormentors?

    Post them here!

    I'm sure some of us could persuade these kids that port scanning is bad for your health...

    ^_^

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  3. Disable ICMP echo reply by crow · · Score: 4, Insightful

    One thing that I did was to disable ICMP echo reply. (I allowed it from IP ranges that I'm likely to be at, but in general, it's turned off.) That means if someone tries to ping me, they don't get a response, so many script kiddies will assume that there is no computer at my IP address and move on.

    I've also set it up to drop incoming TCP requests for dead ports (actually, it blocks the outgoing connection refused packets). So if they scan ports that aren't open, they never get a single packet back.

    Essentially, unless they're connecting to something I intentionally have open, they can't tell that my system exists.

  4. Re:Sounds more like a DoS to me by dougmc · · Score: 5, Informative
    Mere portscanning doesn't intentionally clog all bandwidth.
    Mod that statement up!

    In my expereience, when somebody's saying that `X is using up all my bandwidth', where `X' is things like virii, `hackers', ARP requests or something else, what that really means is that somebody doesn't really understand what's going on.

    Most cable modems have a lot of downstream bandwith and not so much upstream bandwidth -- but even the upstream bandwidth is far far more than is used by a standard port scan where somebody hits all your ports to see if they're open.

    And even that's unusual -- usually people seem to scan entire networks to see if one port is open, so a single scanner would only send a few packets at your box. It would take several thousand people hitting your box _at once_ like this to make things as bad as you make it sound.

    Your box may actually be under attack (a DoS attack.) I get a lot of trouble like this when people want the nick I use on IRC -- they packet my box incessantly. I've got 5 Mb/s downstream on my cable modem, so as long as my packet filtering isn't responding to each packet, it takes a pretty signifigant attack to kick me off of IRC. But if my system does respond to every packet with packets of approximately the same size, an attack of about 0.3 Mb/s is enough to bring everything down to a crawl. It's all a matter of configuring my filters properly ...

    Ultimately, what you should do is log all the packets being sent at your IP address with a tool like tcpdump, then send those logs to the abuse department of the ISP where they're coming from. If it's a DDoS attack, the odds are that the IPs are spoofed, but if it's really a portscan it's probably not (becuase they need to see the returning packets to see which ports are open.)

    You could also contact Comcat and see if they could filter the traffic out, though I'd reserve that option for an attack that lasts days and doesn't give up, because if they're anything like RR, getting to somebody who can actually do that will be very difficult.

    Another way of dealing with an attack is to turn off your cable modem long enough for your DHCP lease to expire, and then come back and get a new IP address, one that's hopefully not being attacked.

  5. These are not script-kiddies by mabu · · Score: 4, Insightful

    It's a fallacy that ignorant kids are behind the port scanning.

    It's spammers. It's professional organized crime. I believe the majority of these port scanning and worm/virus propagation is going on by organized groups looking to take over peoples' computers for the purpose of finding new IP space from which they can send unsolicited e-mail. If there are any script kiddies, they are a fraction of a fraction of the percentage of the traffic.

    My systems are constantly under probe attacks and port scans. The majority of these attacks originate from rogue IP space in China, Korea, and other areas that appear to be more liberal in doing business with the spammer organized crime contingent.

    At this point, I don't see technology making much difference. This is a political and enforcement issue.

    My advice is to contact your local District Attorney and demand that they start prosecuting computer tampering cases. We know these people are ultimately in the U.S. and can be caught even if they route from around the globe. We know they're breaking laws and can be prosecuted. We have laws in effect right now - we don't need more laws. We need enforcement and government authorities who WILL ENFORCE THE LAW AND STOP THESE PEOPLE. You can't count on ISPs to help since they profit from bandwidth consumption; you can't count on corporations to help, they are scared of any attempt to curtail cyber marketing of any sort. You must start on a local level and demand that the judicial and enforcement branches go after these criminals.

  6. Re:One question... by Fox_1 · · Score: 4, Funny

    One question... (Score:0) by Anonymous Coward on Wednesday June 15, @01:24PM (#12826733) If your computer is connected to the internet through a Linksys/whatever router, how do you know you're being portscanned? it's like a horror movie : The ISP said that there were no outside connections. The Zombie is in the house with you! Get out, do you hear me? Get out now.

    --
    The rock, the vulture, and the chain
  7. Re:Tarpit... by farble1670 · · Score: 5, Insightful
    so, the fellow posting the question is probably not the unix guru type, or he wouldn't have posted the question. to suggest that someone of low level or even moderate technical level start maintaining a unix box with firewall software is overkill to say the least. consider the power you're sucking for two boxes vs. one. consider the complexity of configuring rules. consider the space required for another box in your house (a lot of us live in apts or condos). consider the cost of aquiring the physical box (okay, pretty cheap, but probably not free).

    as long as you do not need to do anything fancy, the simplified firewalls on consumer-level routers work fine. i have ICMP echo turned off, and a few well-know ports open for apps. no problems.

    if this doesn't fix it for him, clearly this guy has some larger problem than port scanning. let's no mislead him.