How Do You Handle Portscanning Attacks?

Kainaw asks: "I tried to submit this earlier, but I couldn't because I had no bandwidth available. The reason is simple: I use Comcast for cable Internet. My modem/router is portscanned constantly. Nothing makes it past the router, so everyone tells me that it isn't an issue. Well, it is when I can't access any webpages, get email, or even submit a simple article to Ask Slashdot because my entire bandwidth is eaten up by script kiddies with a new portscanner toy. This is a two-part question: First, can anything be done with a simple at-home modem/Linksys router/two computer setup to stop a portscanning attack? Second, is it possible for the Linksys router to become a 'bot' and actually be the originator of much of the traffic?"

Re:Sounds more like a DoS to me

[dougmc]

Mere portscanning doesn't intentionally clog all bandwidth.

Mod that statement up!

In my expereience, when somebody's saying that `X is using up all my bandwidth', where `X' is things like virii, `hackers', ARP requests or something else, what that really means is that somebody doesn't really understand what's going on.

Most cable modems have a lot of downstream bandwith and not so much upstream bandwidth -- but even the upstream bandwidth is far far more than is used by a standard port scan where somebody hits all your ports to see if they're open.

And even that's unusual -- usually people seem to scan entire networks to see if one port is open, so a single scanner would only send a few packets at your box. It would take several thousand people hitting your box _at once_ like this to make things as bad as you make it sound.

Your box may actually be under attack (a DoS attack.) I get a lot of trouble like this when people want the nick I use on IRC -- they packet my box incessantly. I've got 5 Mb/s downstream on my cable modem, so as long as my packet filtering isn't responding to each packet, it takes a pretty signifigant attack to kick me off of IRC. But if my system does respond to every packet with packets of approximately the same size, an attack of about 0.3 Mb/s is enough to bring everything down to a crawl. It's all a matter of configuring my filters properly ...

Ultimately, what you should do is log all the packets being sent at your IP address with a tool like tcpdump, then send those logs to the abuse department of the ISP where they're coming from. If it's a DDoS attack, the odds are that the IPs are spoofed, but if it's really a portscan it's probably not (becuase they need to see the returning packets to see which ports are open.)

You could also contact Comcat and see if they could filter the traffic out, though I'd reserve that option for an attack that lasts days and doesn't give up, because if they're anything like RR, getting to somebody who can actually do that will be very difficult.

Another way of dealing with an attack is to turn off your cable modem long enough for your DHCP lease to expire, and then come back and get a new IP address, one that's hopefully not being attacked.

Re:Tarpit...

[farble1670]

so, the fellow posting the question is probably not the unix guru type, or he wouldn't have posted the question. to suggest that someone of low level or even moderate technical level start maintaining a unix box with firewall software is overkill to say the least. consider the power you're sucking for two boxes vs. one. consider the complexity of configuring rules. consider the space required for another box in your house (a lot of us live in apts or condos). consider the cost of aquiring the physical box (okay, pretty cheap, but probably not free).

as long as you do not need to do anything fancy, the simplified firewalls on consumer-level routers work fine. i have ICMP echo turned off, and a few well-know ports open for apps. no problems.

if this doesn't fix it for him, clearly this guy has some larger problem than port scanning. let's no mislead him.