Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner?
jetkins writes: What would you do if your firewall was being persistently targeted by port scans from a specific group of machines from one particular company? I run a Sophos UTM9 software firewall appliance on my home network. Works great, and the free Home Use license provides a bunch of really nice features normally only found on commercial-grade gear. One of those is the ability to detect, block, and report port scans, and under normal circumstances I only get the occasional alert when some script kiddie comes a-knocking at my door.
But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.
I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.
Report it once, to their abuse address. If it continues (it did), block their IP range. Problem solved (unless you have a lot of spare time and really WANT to waste time on this instead of reading a book or playing computer games).
So this time report it to the appropriate authorities and if they don't take your case write a public letter to their local newspaper asking them what they are up to.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
...those banging at your doors don't give a damn about laws. You could deny ALL from the attackers address range, but best bet is just shut down the targeted ports.
Time is what keeps everything from happening all at once.
Let's hear who it is.
Only the State obtains its revenue by coercion. - Murray Rothbard
Seriously? People still assign public IPs directly to PCs? Get a router. Use NAT. These "Port Scans" (which may well not be port scans at all) shouldn't be making it anywhere near a PC in the first place.
If you listen to the Security Now podcast, this sort of thing is all over the internet. It's a nasty place out there and actors from anywhere and everywhere are always checking addresses for vulnerabilities, etc. I suspect we all get that sort of thing.
Unless it is DDOS'ing you, why is it an issue?
If they are consuming your bandwidth isn't that illegal and something you can sue over?
Problem with these commercial products is that they want to prove their usefulness by regularly raising alarms. And they miss essential features like IP-based whitelisting. Portscans and probes are too standard to be bothered about; just block and forget.
Use a decent open source product like pfsense instead. I've had an appliance with pfsense for years and I forget it's even there.
https://www.applianceshop.eu/s...
(no commercial interest, just a satisfied customer)
Disable the Port-Scanning warning. It is useless! It only drowns really important stuff! Port-Scanning is not an attack. Nothing breaks because of a harmless port scan and an alert does not provide you with ANY useful information. So get rid of this useless piece of software.
Your ISP is doing nothing and rightly so. It would only suck up resources that can be used elsewhere where they make a real difference!
Fighting port scans is like trying to fight people looking out of the car windows! Get over it, ignore it, it's completely normal!
And don't suck up other peoples resources by whinging about it!
If you want them to stop, simply name and shame them right here. I'm sure there's someone reading this article with more technical skills and free time on their hands than you or me ;-)
Ring up the police or FBI and inform them that someone is trying to hack into your network.
It would be great if you could somehow find a way to link their continued port scanning to terrorist activity.
I had a similar situation once at home.
I didn't detect port scans, but someone was scanning my little website at home for vulnerabilities.
One of the files they asked for, I made sure they got a web server response: an endless stream of 4k blocks of random data. The scan stopped within 2 weeks.
And see what they do with it.
Honestly, I wouldn't worry about it. If your firewall is halfway decent (and it sounds like it is), you shouldn't have anything to worry about as far as the security of your network. Unless, of course, you do something really dumb like open a port you shouldn't and have it refer to a port on a machine on your net (I'm presuming you're using NAT).
Also, since it's highly likely your network link is DHCP, your IP address might change periodically when your router goes to renew the DHCP lease. If your IP address hasn't changed in a while, you might try shutting your router down for a while (like an hour), turn it back on and see if it gives you a new IP address. That might stop them from scanning your network (unless they're going after an entire range of IP addresses on the RoadRunner network).
I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action.
They're too busy enforcing their own arbitrary network rules on their subscribers to worry about things like port scanners coming into their network. Also, it's RoadRunner (Time Warner Cable if I'm not mistaken), and they have among the worst customer service anyway. Unless the attack is coming from someone else on RoadRunner, you're wasting your time reporting the incident to them. Besides, there's really not much they can do anyway if the attack is coming from outside their network. That's why everyone is supposed to have their own firewall. ;-)
https://en.wikipedia.org/wiki/...
Something with a nice-sized ruleset that works on ASICs and you're done. Most companies sell them, and if you're just selectively passing traffic by IP range (or in fancier devices by port) why not offload the hard rules before wasting cycles on traffic you just want to drop? Or just another software device if you're not wanting to buy hardware.
We do this for selective parts of the network where dropping attackers on one machine keeps them from running through an entire block of IPs. A lot of it's even scripted: more than 3 IPs getting brute forced? That's a 24 hour ban and email to the associated ARIN/APNIC/RIPE contact. Granted APNIC/RIPE tends to stay on that list a lot longer than 24 hours...
--- Need web hosting?
Today it's a company from your country. Tomorrow it's a guy from Kazakhstan. What are you going to do then? Same thing: nothing.
It's not harmful. Your problem is the time lost by silly notifications. Turn them off.
Focus on intrusion detection. Detecting attempts is good and the correct response is blocking. In case of DDoS work with your upstream and maybe police.
The submitter's problem is that he keeps trying ELECTRONIC solutions to stop the port scanning. How about writing a letter on paper? This is how lawyers do it. That might scare the people doing the scanning enough to stop it.
A lot of good technical suggestions here, didn't see anything that covered a formal, legal cease-and-desist request though. If you're genuinely concerned that they're harassing or attacking you, talk to a lawyer. Cyber-bullying is actually a crime in some jurisdictions as I understand it, and if not, you may still accuse them of corporate espionage, etc.
At the very least, they will be seriously annoyed by the legalese and frown mightily in the direction of the responsible employee.
Forget it and find a real problem to worry about.
Let them in and let them waste all their resources.
http://www.gigenn.net/Tarpits/
It's not illegal and should require minimum time and effort and frankly I think it would be fun!
This little device will solve your problems for ever, if you can just attach it to the offending network.
Do you know whether it is half-opening ports or fully opening them? If it opens connections, maybe you could set up a honey pot that does something as simple as listen on ports with netcat. This could bog down resources on the attacker's end, and gain you intelligence.
Your problem is UTM; but if you really care... pay Amazon a couple hundred $, spin up 100,000 instances for a really short time, and push them a couple of million dollars into bandwidth debt, and they won't bother you again.
Alternately, buy something other than UTM, which filters before the alerts, instead of after.
I had one of the earliest live commercial IP connections in the UK in the early '90s (and had a letter from the NSF allowing such traffic across the backbone!) and from the moment we went live we had attack/probe traffic at least in every minute since then when I've looked. (And I've had something like 10,000 SPAM delivery attempts per day for many years now too.)
(In those days the malicious traffic was from South America, FWIW!)
No it shouldn't happen, and if it causes you real annoyance and/or harm then you should consider the usual non-technical remedies eg as against someone repeatedly fly-tipping on your property, or robo-calling you, etc. In the UK there might be scope for action for "unauthorised use" of your computer systems and network.
I think that thoughtless, anti-social, resource-wasting activities should be discouraged rather than shrugged off as inevitable.
Rgds
Damon
http://m.earth.org.uk/
Bam done
Probably some Windoze botnet. If all unnecessary ports are closed, all security precautions are in place, then why bother?
Actually in a number of European countries IT IS illegal and soon will be in all of the EU. Aggressive port scanning is considered an attempt to violate a system's security and can get you heavily fined or jailed.
I have a gigaset voip phone, I had port 5060 forwarded from my router to my phone. Everything worked fine for a couple of years until some **#W*# started doing sip scans so my phone would ring several times a day at every imaginable time, including in the middle of the night. Now, that's a nuisance.
Turn port scan detection off, it's not on by default for a reason! I look after several UTM 9s; if I left portscan detection on I'd have thousands of emails a day. It's a fact of life today that you get scanned; make sure you do not open more ports than you need to and the backend servers are secure. Then forget about it.
What company is this that's doing this / what might be their motivation?
You have the name of the chief executive? Write to him on paper with a stamp and tell him that his company is causing yours a nuisance. Say that under the provisions of statute X (whatever that may be in your country) you are entitled to claim compensation under the civil tort of harassment, or equivalent in your country. Enclose a copy of the relevant page of the legislation. There's sure to be plenty of legislation to choose from, take your pick. Enclose some printouts of the firewall warning messages.
That CEO will have to cancel his game of golf. He will be furious about that. He doesn't want to think about tiresome technology matters. He wants to think about golf. Above all, he must avoid the electric fence and not have any silly legal troubles. He will bang some heads together and the port scans will stop.
Someone asked me about receiving automated renewal reminders by email for an antivirus program he had ordered in error and then cancelled. He had asked not to receive such reminders anymore but they kept coming. The above steps worked for me.
The submitter has two problems, the first is an external site persistently doing something that he doesn't want, and the second is his firewall appliance that isn't doing what he wants.
The first problem is not fixable. Even if you could make them go away, tomorrow someone else will take their place. Do you really want to spend your time in courtrooms and writing letters? In any case, port scanning is not actual service abuse nor hacking but merely service discovery and it's working as intended, so you'll have a hard time convincing anyone that you are suffering actual harm. It's just an annoyance.
In contrast, your second problem *IS* fixable by you, at very little cost. Just put a low-end packet filter in front of your existing firewall, doing nothing but passively blocking all packets from the offending source. It should have no open ports of its own and should run nothing other than the firewall management software, something like pfsense or iptables. Any old PC hardware running off a thumb drive will suffice, or a new ARM board for lowest power consumption, or a repurposed router from eBay for lowest cost.
Fix problems that you can solve. The others are not worth your time fretting about.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
The internet is full of background noise, not a lot you can do about it..
Chances are this isn't even a portscan at all, because what would be the point of scanning the same thing repeatedly? Chances are they've configured the target IP wrong, or the IP you now have used to be used by someone else etc.
Having a router constantly notifying you about internet background noise is pointless and will only waste your time.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
If you need to choose between alarms and protection, then protection goes first.
Then if you want, make the proper investigation and go the legal way: persistent port scanning is a hostile action, indeed.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
I think with these tools a person can become too paranoid about port scans. I used to run a test called Shields Up and it would test all the ports. As long as they were all protected it really does not matter. The internet is filled with this traffic and I went through a similar experience with Comcast. Although Comcast did seem to react better than Road Runner surprisingly.
Post about it and publicly ask them to stop on one of their public streams.
Make a youtube video calling them out showing the portscan activity.
Twenty whole alerts? How did you ever manage to post to slashdot through such a HUGE torrent of traffic?
To me this sounds like the main problem is the "security" device that's generating a lot of noise.
My solution would be to put something (very low power gear will do) running a recent OpenBSD and a PF ruleset with overflow rules modeled on the ones outlined here in front of that whiny device. The ruleset would need to be modified to fit the observed traffic, of course. Then anyone who fits the profile of unwanted traffic simply auto-LART themselves into the table of blocked addresses.
With a properly placed adaptive firewall like that, the noisemaker would likely not see enough of the traffic to trigger any of the useless warnings.
-- That grumpy BSD guy - http://bsdly.blogspot.com/
Just from the last two weeks of my home server which is not running any open service, web page, incoming mail server nor ssh at port 22:
$ grep " DPT=22 " /var/log/pf.log* | wc -l
1229
$ grep "SRC=219\.92\.55\.219.*DPT=25 " /var/log/pf.log* | wc -l
579
$ grep "SRC=150\.70\.173\..*DPT=80 " /var/log/pf.log* | wc -l
440
There are literally thousands of probes daily targeting all the common service ports and beyond... for years now.
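The counting the grep commands above do by hand, plus the "more than 3 IPs get hit, 24 hour ban" scripting and the pf-style overload table that earlier comments describe, as one added example that is not code from this thread or from any of the posters. It assumes netfilter LOG-style lines ("SRC=... DST=... PROTO=... DPT=..."), which is what those greps match on; the sample log is constructed from RFC 5737 documentation addresses and the thresholds are illustrative:

```python
"""Summarise firewall probe logs and keep a timed ban table.

Added example, not from the thread. Assumes netfilter LOG-style key=value
lines; thresholds are illustrative.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set

_KV = re.compile(r"\b([A-Z]+)=(\S*)")  # netfilter LOG emits KEY=VALUE tokens


def parse_line(line: str) -> Optional[dict]:
    """Source, destination and destination port of one hit, or None for
    lines that are not firewall hits (e.g. sshd messages)."""
    fields = dict(_KV.findall(line))
    if "SRC" not in fields or not fields.get("DPT", "").isdigit():
        return None
    return {"src": fields["SRC"], "dst": fields.get("DST", "?"),
            "proto": fields.get("PROTO", "?"), "dpt": int(fields["DPT"])}


def summarise(lines: Iterable[str]):
    """Hits per destination port, hits per source, and the set of
    destination addresses each source touched."""
    by_port: Counter = Counter()
    by_src: Counter = Counter()
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_port[rec["dpt"]] += 1
        by_src[rec["src"]] += 1
        targets[rec["src"]].add(rec["dst"])
    return by_port, by_src, targets


class BanTable:
    """Sources banned until an expiry time, like a pf overload table or a
    fail2ban jail: bans are temporary and lapse on their own."""

    def __init__(self, ban_for: timedelta = timedelta(hours=24)):
        self.ban_for = ban_for
        self._until: Dict[str, datetime] = {}

    def ban(self, src: str, now: datetime) -> None:
        self._until[src] = now + self.ban_for

    def is_banned(self, src: str, now: datetime) -> bool:
        until = self._until.get(src)
        if until is None:
            return False
        if now >= until:            # lapsed: drop the entry
            del self._until[src]
            return False
        return True

    def active(self, now: datetime) -> List[str]:
        return sorted(s for s in list(self._until) if self.is_banned(s, now))


def apply_policy(lines: Iterable[str], table: BanTable, now: datetime,
                 max_targets: int = 3, max_probes: int = 100) -> List[str]:
    """Ban a source once it has touched more than max_targets distinct
    destinations or sent more than max_probes hits in the lines given.
    Returns the sources newly banned on this pass."""
    _, by_src, targets = summarise(lines)
    newly = []
    for src, count in by_src.items():
        if table.is_banned(src, now):
            continue
        if len(targets[src]) > max_targets or count > max_probes:
            table.ban(src, now)
            newly.append(src)
    return sorted(newly)


# Constructed sample (documentation addresses); not real traffic.
SAMPLE_LOG = """\
Dec 20 03:14:07 gw kernel: IN=em0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 SYN URGP=0
Dec 20 03:14:07 gw kernel: IN=em0 OUT= SRC=203.0.113.7 DST=198.51.100.11 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 SYN URGP=0
Dec 20 03:14:08 gw kernel: IN=em0 OUT= SRC=203.0.113.7 DST=198.51.100.12 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=1024 SYN URGP=0
Dec 20 03:14:08 gw kernel: IN=em0 OUT= SRC=203.0.113.7 DST=198.51.100.13 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=1024 SYN URGP=0
Dec 20 03:14:09 gw kernel: IN=em0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 SYN URGP=0
Dec 20 03:31:44 gw kernel: IN=em0 OUT= SRC=192.0.2.55 DST=198.51.100.10 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=65535 SYN URGP=0
Dec 20 03:31:50 gw kernel: IN=em0 OUT= SRC=192.0.2.55 DST=198.51.100.10 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=51235 DPT=25 WINDOW=65535 SYN URGP=0
Dec 20 03:40:01 gw kernel: IN=em0 OUT= SRC=192.0.2.99 DST=198.51.100.10 LEN=40 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=23 WINDOW=0 SYN URGP=0
Dec 20 03:45:12 gw sshd[4182]: Accepted publickey for alice from 198.51.100.2 port 50122 ssh2
"""

if __name__ == "__main__":
    import sys
    lines = (open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1
             else SAMPLE_LOG.splitlines())
    by_port, by_src, _ = summarise(lines)
    print("top ports:", by_port.most_common(5))
    print("top sources:", by_src.most_common(5))
    table = BanTable()
    print("banned now:", apply_policy(lines, table, datetime.now()))
```

The ban is a table entry with an expiry, not a permanent rule: feed `table.active(now)` into whatever enforces it (a pf table, an ipset, a firewall block list) and the source drops off after the window, which is the behaviour the "24 hour ban" comment describes.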
As someone that manages ~100 ASAs, I see this every single day and really there's nothing you can do. Your firewall will do its job. Having other mechanisms in place like IPS and other inspection tools ups the ante.
It is the only way to be sure,
Forward All Scan/Attacks alerts to your ISP..
add their support/abuse/other email addresses to the Notification list. Then flood the shit out of them with warnings until they do something about it..
Ignore.
Filter the alert emails from that ISP if necessary.
Get on with life.
(P.S. Just double-check you put it on the block list).
Run any internet server in any datacenter in the world and you get this times a thousand. You can't trace them all. Hell, you can't even spend the time to trace all those spam email attempts you would get either.
What, precisely, do you think is being done to your connection that's worth the time and effort to even follow-up on it? A few packets hitting a firewall that is set to block and deny them any further access anyway?
Get a life, honestly. And turn off alert emails for port-scans. Turn on proper IDS/IPS, but turn off that particular alert because - well - it happens all the time anyway and it isn't going to stop just because you stop one IP range.
Spend the time you save on double-checking that people can't get into even the open services that you do offer to the net (SMTP, NTP, etc. if relevant). Whether you respond open or closed, or whether the firewall rejects or allows, the request still means that the packet was sent, received, acted on, and replied to (or not, as the case may be). And in terms of your overall connection it's going to be like 0.001% of your traffic, if that.
Then go and work in any static-IP, Internet-facing network department that runs in-house services like webservers, VPN, email, etc. And notice that they just wouldn't care and don't have the time to do anything about such trivial shite.
If the problem is greater than blocking their IP range, could you not set up a passive system that only allowed requests on a specific port, by a specific application, and the other requests TTL before leaving your home network?
Install gentoo.
A long time ago in a PC now far away I once installed Black Ice...... for a few days I was overwhelmed by the amount of attacks I was seeing. It can give you sleepless nights but that's exactly what the software seller wants you to see, background noise raised up to make you think it is a serious threat. Treat it as a metaphor for everything else you perceive as a threat and move on. Lock your front door, put your wallet and phone safely in your pocket and get on with your life. Oh, and don't forget to line your hat with foil....SHINY SIDE OUT.
Sounds like you're having the similar problem of ignorance that I have when reporting shodan's port scans. All I get is bleating about doing god's work to save the Internet. I don't care about that, I just want them to stop accessing my services. I expect the same from their upstream as well, but will report to them anyway just in case of a Christmas miracle ;-)
Three things:
#1. You are not going to stop people port-scanning. Asking an ISP, which doesn't give a rat's ass what their customers do unless it is an IP violation, will just be ignored. Learned that the hard way with an ISP allowing a small DDoS and the CEO replying, "Sue me, or blow me."
This is especially true in other countries. China can tell a US ISP what to do, but if an American firm asks a Chinese place to stop their shit, they will just get back the same "sue me, or blow me" message in their choice of Mandarin or Cantonese. Same with India... you get your choice of Hindi or Urdu.
So, what can you do?
Two things:
Demand Sophos fixes their shit because port scanning is an everyday happening these days. If they can't fix it, get another tool. Hell, a PFSense appliance running Snort will be a lot more useful for a home user because it can deal with scans... and ball-gag them, as well as do passive blocking. I personally block or honeypot all incoming shit unless it is from a certain VPN. IPv6 gets completely discarded, since it is all too easy for an attacker to grab your entire network topology.
Get a better firewall that has dynamic blocking. If a site port-scans, they go sit in time-out for an hour/day/week. For the shitty site that keeps triggering your IDS? Block them for good, call it done. Hell it isn't about selecting incoming traffic to -block-... but what to -allow-.
If they are scanning for ports then give them something to play with. :)
Set up a honeypot and gather intelligence about them. Find out who they are, where they are, and if possible, a motive as to why they are specifically targeting you.
Once you have that information you can act accordingly - contact ISP, law enforcement, etc.
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
Why are you worried about port scans for your own machine that you control in every detail? Unless you've got some busted-ass daemon on some port, assuming you are not being DOSed or your bandwidth getting used up (which is very very unlikely), what do you think is going to happen? It's not like you have users on your machine who have kindergarten passwords which you can't control, is it?
Fleabag lightweights are hitting ssh on my VPS all day every day. Let them knock themselves out. They ain't never gonna bust in. Forget that shit. Because my security is competently set up.
Stopping port scans does not address security shortcomings.
Don't forward the scan reports to their abuse address. Spend a couple of cents to forward it through a mail-to-fax gateway to their fax number.
I think it will stop much sooner this way.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
I'm not sure about where you are, but here (UK) we have the ISPA which is a quasi regulatory body for ISPs. If you have a complaint with an ISP and can't get satisfactory resolution, then you can escalate the matter to the ISPA who can put pressure on them.
While other commenters have mentioned your alerting system should be disabled as it's essentially worthless, there's a pretty simple fix if the IPs are known. Add their public IPs to your router as additional WANs or secondary IPs. Their traffic should now become unroutable and dropped before the appliance even tries to examine them. Or you could add a managed switch in front of your WAN which drops/blocks traffic from those IPs.
Problem with doing these sorts of things is that over time your systems become a confusing mess of strange kludges and workarounds. Port scans really are super normal, and the true issue is your appliance not behaving as you'd desire.
--Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isn't that how RAID works?
if by number you mean 2 (britain and germany), then yes. possession of nmap is illegal, although not enforced. it's basically a law to give them ammunition when they nab you and have nothing on you.
If they choose to "knock" on your door, instead of having an alert tell you, have it trigger a very loud response, such as flooding their network with traffic. Since it is in direct response to them, they have triggered their own DoS attack.
So, you're smart enough to have a firewall with port detection and know how to block a subnet, but you're not smart enough to write a filter that takes that port scan notification from that subnet and throw it in the trash? I've got buddies that work for banks, they do this crap all day long. They can't turn off port scan, because company policy, but they need to filter out stuff that doesn't matter. They do it at the monitoring software but most home users get email notifications. Use a mail client that has decent filtering. It's not like this is going to be the only time somebody scans you, you'll get better at writing your filters.
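The mail-side filter that comment (and the "filter the alert emails" suggestions elsewhere in the thread) describes, written out as an added example; it is not code from the thread or from Sophos. It assumes the alert's Subject contains "Portscan" and the body carries a "Source IP: <addr>" line (adjust the two regexes to whatever the appliance really sends), and that IGNORED_NETS holds the scanner's prefix as found via WHOIS; a documentation range stands in for it, and the sample messages are constructed:

```python
"""Sort firewall alert mail: port-scan alerts from a range you have already
blocked go to the trash, every other alert stays in the inbox.

Added example, not from the thread. Subject/body patterns and the ignored
prefix are assumptions; replace them with the real ones.
"""
import re
import sys
from email import message_from_string
from email.message import Message
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

IGNORED_NETS = [ip_network("203.0.113.0/24")]   # assumption: the scanner's WHOIS prefix

_PORTSCAN_SUBJECT = re.compile(r"port\s*scan", re.IGNORECASE)
_SOURCE_LINE = re.compile(r"^\s*source(?:\s+ip|\s+address)?\s*[:=]\s*([0-9a-f.:]+)",
                          re.IGNORECASE | re.MULTILINE)


def extract_source(body: str):
    """The source address named in the alert body, or None."""
    m = _SOURCE_LINE.search(body)
    if not m:
        return None
    try:
        return ip_address(m.group(1))   # IPv4 or IPv6
    except ValueError:                  # matched text that is not an address
        return None


def _plain_text(msg: Message) -> str:
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def classify(raw: str, ignored=IGNORED_NETS) -> Tuple[str, str]:
    """Return ("trash" | "inbox", reason) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    if not _PORTSCAN_SUBJECT.search(msg.get("Subject", "")):
        return "inbox", "not a port-scan alert"        # IPS and other alerts always kept
    src = extract_source(_plain_text(msg))
    if src is None:
        return "inbox", "no parseable source address"  # fail safe: keep what we can't read
    for net in ignored:
        if src in net:                                 # False across IPv4/IPv6, no error
            return "trash", f"port scan from already-blocked {net}"
    return "inbox", f"port scan from {src}"


def sort_mailbox(raws: Iterable[str]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {"inbox": [], "trash": []}
    for raw in raws:
        out[classify(raw)[0]].append(raw)
    return out


# Constructed sample alerts using documentation addresses; not real mail.
SCAN_FROM_BLOCKED = """\
From: utm@gw.example
Subject: [gw] Portscan detected
Content-Type: text/plain

A portscan has been detected.
Source IP: 203.0.113.45
Destination IP: 198.51.100.10
"""
SCAN_FROM_ELSEWHERE = SCAN_FROM_BLOCKED.replace("203.0.113.45", "198.51.100.77")
IPS_FROM_BLOCKED = (SCAN_FROM_BLOCKED
                    .replace("Portscan detected", "Intrusion Prevention Alert")
                    .replace("A portscan has been detected.", "A signature matched."))
SCAN_NO_SOURCE = SCAN_FROM_BLOCKED.replace("Source IP: 203.0.113.45\n", "")

if __name__ == "__main__":
    # procmail-style use: one message on stdin; exit 0 means "trash it"
    verdict, reason = classify(sys.stdin.read())
    print(verdict, "-", reason)
    sys.exit(0 if verdict == "trash" else 1)
```

Two choices worth keeping whatever the real alert format turns out to be: only port-scan alerts are dropped, so an IPS hit from the same range still reaches you, and an alert whose source cannot be parsed is kept rather than silently binned.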
I once set up a scripted pentesting system to scan all my employers public IP ranges and alert us when anything unexpected appeared, such as unauthorised FTP servers in distant offices, firewall changes accidentally exposing things, etc. A few months later we started getting alerts about all sorts of insecure services cropping up in this tiny office in the middle of nowhere. Took us several days to get the local IT team to investigate. Eventually it transpired that the ISP had changed our public IP range without telling us, and had re-allocated our old range to a new army HQ building (this in a region and country where you /really/ don't want to provoke the authorities). I can't fully express how very very quickly I reconfigured the scanner....
You know who they are.
Have your home system generate a "helpful" email to them for every port scan. If you have to read it, they should have to read it, too.
Maybe a silly question on my part, but...
Do you have your firewall set to discard unwanted packets silently? In other words, unless someone from the outside is hitting an IP and a port that you want open to the outside, there should be *no response* to outside queries (including port scans). If the firewall acknowledges the ping of the port *in any way* with a return packet, then the outside party knows there's something attached to that IP/port.
It's always best to give the appearance that there's nothing residing at that IP/port....
Welcome to the internet! It can be rough at times, but you'll get used to it.
Set up a honeypot. Put a machine inside your network, and open some of the ports they're scanning on it. See what they're trying to do.
As a bonus, /if/ they do anything, they have now actually broken the law and you can get law enforcement to actually do something.
In the land of the blind, the one-eyed man is kinky.
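The "listen with netcat and see what they do" idea from the earlier half-open-or-full-connect comment and the honeypot suggested just above, as one added example that is not code from this thread. It accepts full connections on the probed ports, records who connected and the first bytes they sent, and never replies. Only completed handshakes are seen: a half-open (SYN) scan never reaches accept(), so it leaves no record here. The default ports are arbitrary; pick the ones the scanner is hitting (ports below 1024 need root):

```python
"""Minimal TCP honeypot: log connects and first bytes on the probed ports,
answer nothing. Added example, not from the thread; default ports are
placeholders."""
import socket
import threading
import time
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List


@dataclass
class Hit:
    when: datetime
    peer: str
    peer_port: int
    local_port: int
    data: bytes      # first bytes the client sent; b"" for a bare connect


class Honeypot:
    def __init__(self, host: str = "0.0.0.0", ports: Iterable[int] = (2323, 8080, 8443),
                 read_timeout: float = 3.0, max_bytes: int = 256):
        self.host, self.ports = host, list(ports)
        self.read_timeout, self.max_bytes = read_timeout, max_bytes
        self.hits: List[Hit] = []
        self._servers: List[socket.socket] = []
        self._threads: List[threading.Thread] = []
        self._stop = threading.Event()
        self._cv = threading.Condition()

    def start(self) -> None:
        for port in self.ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((self.host, port))   # port 0 lets the OS choose (useful for tests)
            srv.listen(16)
            srv.settimeout(0.2)           # lets the accept loop notice stop()
            self._servers.append(srv)
            t = threading.Thread(target=self._accept_loop, args=(srv,), daemon=True)
            t.start()
            self._threads.append(t)

    def bound_ports(self) -> List[int]:
        return [s.getsockname()[1] for s in self._servers]

    def _accept_loop(self, srv: socket.socket) -> None:
        local_port = srv.getsockname()[1]
        while not self._stop.is_set():
            try:
                conn, (ip, port) = srv.accept()
            except socket.timeout:
                continue
            except OSError:               # listener closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, ip, port, local_port),
                             daemon=True).start()

    def _handle(self, conn: socket.socket, ip: str, port: int, local_port: int) -> None:
        # Read whatever the client volunteers, then close without sending a
        # byte, so the scanner learns nothing about what is listening.
        conn.settimeout(self.read_timeout)
        data = b""
        try:
            data = conn.recv(self.max_bytes)
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        with self._cv:
            self.hits.append(Hit(datetime.now(timezone.utc), ip, port, local_port, data))
            self._cv.notify_all()

    def wait_for_hits(self, n: int, timeout: float = 5.0) -> bool:
        """Block until at least n hits are recorded or the timeout passes."""
        deadline = time.monotonic() + timeout
        with self._cv:
            while len(self.hits) < n:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    return False
                self._cv.wait(remaining)
            return True

    def stop(self) -> None:
        self._stop.set()
        for s in self._servers:
            s.close()
        for t in self._threads:
            t.join(timeout=1.0)


def tally(hits: Iterable[Hit]) -> Counter:
    """Connections per (peer address, local port): who probes what."""
    return Counter((h.peer, h.local_port) for h in hits)


if __name__ == "__main__":
    hp = Honeypot()
    hp.start()
    print("listening on", hp.bound_ports())
    seen = 0
    try:
        while True:
            if hp.wait_for_hits(seen + 1, timeout=60):
                h = hp.hits[seen]
                seen += 1
                print(f"{h.when:%H:%M:%S} {h.peer}:{h.peer_port} -> :{h.local_port} {h.data[:64]!r}")
    except KeyboardInterrupt:
        hp.stop()
        print(tally(hp.hits))
```

Run it on a machine you are willing to expose and keep it behind the same filtering as everything else; the point is the record of who connects and what they send first, which is what turns "someone is scanning me" into something an abuse desk or a lawyer can act on.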
...You said "Sic anonymous on them"
Too bad, thought you were smart.
Get a real firewall that you have better control over.
Personally, I recommend/ use an old PC with a relatively recent OpenBSD distribution installed on it. These guys really have great network capabilities.
I have no answer but I ran into this same thing with an outfit that claimed to be scanning ports for a known problem. I can't remember the exact vulnerability but it was the proper port after searching the Internet.
I had to give up on it and ignore them. I was not alerting myself of issues so I guess that I'm lucky to be able to ignore them, as I had sent a message to the .or and they responded same as you, and same as you they stopped for a while and started up again. It has been over a year since I last looked for the scans and I probably should turn on my logging again.
Remember when Slashdot was full of techies talking tech, before the 10 yr. olds came?
Is ask slashdot now a replacement for people too lazy to google? jesus christ.
What's your source on nmap being illegal in UK and Germany? First I've heard of it. Given David Cameron's technological illiteracy I wouldn't put it past his govt to do something stupid like this though.
send a polite email informing them that they will be charged a nominal fee of $1 per port per scan attempt as of DATE (30 days from email). Company agrees to pay for all legal fees incurred that are related to this matter, including any court costs and attorneys fees. Regardless of any further communication, ANY PORT SCAN ON OR AFTER DATE CONSTITUTES ACCEPTANCE OF THESE TERMS, AN APPROVAL TO BE BILLED, AND AN AGREEMENT TO PAY THE AMOUNT BILLED PLUS ALL LEGAL COSTS.
"[T]he UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing"
You're using a crap firewall.
... so I won't do that.
A case in point, I once bought an HP/WinME (pls don't ask) machine that came with some undocumented extra software that I didn't ask for, no surprise. The actual purpose of this "keyboard driver" system service was to keep any dialup session active, by pinging a particular IP address. That address was assigned to a company (not the Mfg or even software author) and that company had necessarily black-holed that particular IP address, which could not be changed. My firewall would light up every so often because of probing packets and ICMP coming back from that domain in response to this software on my machine doing really stupid things. I could not turn this feature off without hacking my own machine to remove this system service. Funny how removing a system service keyboard driver has absolutely no effect on using the machine, who would have guessed. In hindsight, I can not blame that company for scanning me because in their eyes I was the intruder, constantly pinging them.
If you are sure that none of that is the case, and you really don't want to disable your fw scan detection then this is what I would do. Make a copy of one of their scans and print it. Write a letter for a cease and desist and address it to their legal department, and send it via certified USPS mail. If that does not get action then I would seriously consider turning that feature off.
Could you please elaborate on that ?
It doesn't sound like there is much you can do. But.. you could just filter your email so that this particular error report, when their particular ip is attached goes straight to trash.
Your network bandwidth costs you money. They're using your network bandwidth without permission. Send them a registered letter explaining this and stating that on X date, you will begin charging them $X/bit of scanning activity they send to your network.
THEN FOLLOW-UP AND ACTUALLY DO IT IF THEY DON'T CHANGE THEIR PRACTICES.
Just filter the messages out of your email.
Post the IP addresses of the offending parties. Perhaps someone here will recognize themselves or check into it for some late night fun.
This is useless traffic on the web and needs to be stopped. It is the same as someone jiggling your door handles. The cops might not want to check it out, but it indicates some asshole is looking for a way to cause trouble. The sooner the asshole is put out of his misery, the better for us all.
It's not young people that are ruining this place: the young people don't hang out here, and instead spend their time elsewhere besides a washed-up tech site. This place is mostly populated by angry old farts who just sit around in their Depends and complain about new technologies and changing society. The above is probably one of them.
If you're confident your system is secure against intrusions and you're monitoring things this closely, a port scan is ... nothing. Who cares? It's intrusions you care about, not probes. Just be sure anything you have open is secured. Monitor attempts to attack anything opened to the world.
I personally don't monitor for port scans, I really don't care. Anything open on my servers is either secured, monitored, or if it's a legacy service I'm unsure about, sandboxed (chrooted, unprivileged, etc) to minimize any intrusion into it from causing any damage to the rest of the system.
Just put another Linux- or FreeBSD-based firewall in the chain and turn on reverse proxy to the primary firewall. Use an IPS that can scan for signatures and set the port scans on the secondary firewall so you are alerted to real threats. All you need is a cheap Pentium 3 or 4 (that's what is in most commercial firewalls: Juniper, Cisco ASA, McAfee, etc.), 2 GB of RAM will do but 4 is better, and 2 E1000 NICs so you can route traffic correctly.
You probably have a faster processor sitting around doing nothing. Plug the primary firewall directly into the secondary device, and the other NIC goes to your switch. Make sure the Unix FW is completely set up in a chrooted environment. All this except the hardware itself (unless you have a brother/sister/friend that doesn't mind parting with old hardware!) is free, and there are tons of how-tos on the interwebs to accomplish this task. You can also now set the Unix box to attack back; the company won't like you doing the same thing in return. You could also offer to help them get rid of the problem completely when they contact you for attacking back. If you know as much as you have stated so far, then you know someone that could help them fix the issue.
Do some speed tests after it is in place to make sure you didn't lose too much speed with the overhead.
There are a lot of answers here from people that are not network engineers... and this isn't a tin foil hat, it is proper security.
no, but pepperidge farms remembers
http://portspoof.org/
http://www.saltwaterc.eu/ports...
Now whenever anyone scans you, all ports show as open. Pretty cool, huh?
Also great if you are trying to find out what ports your isp is blocking.
Minimum threshold fixed. Thanks!
In the UTM, under "Interfaces & Routing" > "Static Routing" > "Standard Static Routes" click "New Static Route", change the type to "Blackhole route" and then create and add an object of the offending network range. This blocks any accidental replies or outgoing traffic.
Add a dummy RFC 1918 gateway address that you don't use, like 172.16.99.1 or 10.99.99.1, to a Blackhole route rule as well.
Now under the "Policy Routes" tab, hit "New Policy Route" and make the type "Gateway Route". Set the Source Network to the offending external network, leave Service and Destination as "Any", and set the Gateway to your blackholed dummy gateway as set above.
Routing decisions are made before anything else on the UTM (like IPS, Portscan detection...) so now that you have a blackhole route, the traffic will be blackholed before it consumes any other resources and you won't have any events logged or notifications sent.
Check out the Sophos UTM forums, they're a friendly and knowledgeable bunch of folks over there!
There should be a way to have the firewall ignore these port scans, especially if they are already blocked!
I've never worked with this software, but glancing at the manual at https://www.sophos.com/en-us/m... (assuming it's the correct one) suggests some things for you to check. Is your notification level currently set to "info"? Try changing it to "warning". Look for the "limit notifications" setting as well.
TCP Tarpit. See LaBrea, for example.
Unfortunately, if you're behind a firewall appliance you're at the mercy of whatever capabilities the vendor has decided to provide, and tarpitting is probably not on that list.
Turning off any alerts goes against the grain, but as y'all have pointed out, as long as the defenses are in place then stuff bouncing off the walls doesn't really warrant concern.
To those that suggested filtering the alert messages, I have considered that, but I don't currently have any means of filtering based on anything but the mail headers, and the originating address only appears in the body. Still, I may look a little further if I start to twitch because I'm "missing" alerts.
To those that pointed out that the UTM ought to be filtering before detecting, yeah, I get that too, and in fact I have raised it with Sophos, but unfortunately as a non-paying Home Use customer, my voice doesn't carry a lot of weight. I do get that I could probably cobble something together using Open Source and a bunch of cryptic incantations, but frankly, I do enough low-level stuff in my day job - when I get home, I just want to enjoy my internet connection, not spend hours maintaining it. But thanks for the suggestions.
So in summary, I guess it's time to turn off the notifications, stick my virtual fingers in my ears, and start chanting Merry Christmas. Cheers!
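Several replies above suggest filtering the alert mails, and the OP answers that the offending address only appears in the message body, not the headers. The script below is an added example (not from the thread, and not Sophos code) of doing exactly that filter on the body: it parses the raw message, pulls the source address out of the text, and exits 0 when that address is inside a blocked subnet, so a mail-delivery agent can discard the message. The alert format, the "Source IP:" label, and the procmail recipe are assumptions; the sample messages are constructed.

```python
#!/usr/bin/env python3
"""Discard firewall alert mails whose BODY names a scan source in a blocked subnet.

Added example, not from the original thread and not a Sophos tool. The alert
layout below is constructed; adjust SOURCE_RE to the real message text.

Assumed procmail usage (exit 0 = "matched, discard"):
    :0 Wc
    | /usr/local/bin/alert_filter.py 203.0.113.0/24
    :0 A
    /dev/null
"""
import email
import ipaddress
import re
import sys
from email import policy

# Any dotted quad; candidates are validated with ipaddress, so "300.1.1.1" is dropped.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A line that labels the scan source (assumed label style: "Source IP: x.x.x.x").
SOURCE_RE = re.compile(r"^\s*(?:source|src|from)\b[^\d\n]*(\d{1,3}(?:\.\d{1,3}){3})",
                       re.IGNORECASE | re.MULTILINE)

# Constructed sample alerts, not real UTM output.
SAMPLE_ALERT = b"""From: firewall@home.example
To: admin@home.example
Subject: [UTM] Portscan detected
Content-Type: text/plain; charset=us-ascii

Portscan detected (constructed sample alert, not a real UTM message)
Source IP: 203.0.113.45
Destination IP: 198.51.100.7
Ports: 22,23,80,443,3389
"""

SAMPLE_UNLABELLED = b"""From: firewall@home.example
Subject: [UTM] Portscan detected
Content-Type: text/plain; charset=us-ascii

Blocked 203.0.113.9 -> 198.51.100.7 tcp/22 (constructed sample, no source label)
"""


def _addr(text):
    """Parse one dotted quad; None if it is not a valid IPv4 address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def extract_ips(body):
    """Every valid IPv4 address mentioned anywhere in the body."""
    return [a for a in map(_addr, IPV4_RE.findall(body)) if a is not None]


def source_ips(body):
    """Addresses labelled as the scan source; if no label is found, fall back to
    every address in the body so an unknown alert layout still gets filtered
    (at the cost of also matching the destination, i.e. your own address)."""
    labelled = [a for a in map(_addr, SOURCE_RE.findall(body)) if a is not None]
    return labelled or extract_ips(body)


def body_text(raw):
    """Concatenate the text/plain parts of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def is_from_blocked(raw, blocked):
    """True when a source address in the mail body lies inside any blocked network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in blocked]
    return any(ip in net for ip in source_ips(body_text(raw)) for net in nets)


def main(argv):
    blocked = argv[1:] or ["203.0.113.0/24"]  # assumed offender range; pass yours
    raw = sys.stdin.buffer.read()
    return 0 if is_from_blocked(raw, blocked) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Restricting the match to the labelled source line matters: your own WAN address appears in every alert, so a filter that matches any address in the body would also match a rule that (by mistake) lists your own subnet. The fallback to all addresses is there only for alert formats without a recognisable source label.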
While I was still at the university, our networking professor warned us about Germany and mentioned that similar laws were about to be passed in the UK. And then I read it in nmap's FAQ or in /usr/share/docs/nmap a few years later. I think it predates Cameron.
Having nmap on your computer is treated the same way as if you walked around with lock-picking tools. Presumption of guilt.
He could be paying for a static IP through and through but most ISPs roll them from time to time. So, why not ask to be rolled to another?
Before you complain to their ISP, check whether anyone is using filesharing software. Off the top of my head Gnutella and some bittorrent clients will initiate portscans to get around filtering.
Start automatically bouncing every report to their abuse address?
Yep. As it stands now, you're the one being inconvenienced.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
With IPv4 one typically runs NAT so only one IP address is exposed to the Internet. With IPv6 NAT is not used. Each host has a unique globally identifiable IPv6 address. The ISP typically offers a /64 address where the last 64 bits are assigned to each host. With IPv6 each host is directly addressable from the Internet. With NAT, only the firewall is visible.
One problem I have with my ISP is I want a /56 so I can subnet it on my business account. You can't subnet a /64.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
OP, you need to do a traceroute and figure out who the ISP is of the scanner. Then email a copy of your firewall logs / alerts to the abuse dept. of the ISP. CC the abuse dept. of your ISP. If they ignore you, report to abuse at the ISP of the ISP. The scans will stop because the ISP does not want to be blacklisted for ignoring abuse complaints and they will disconnect their customer if they continue. The only exception to this is if the offenders are in China. They ignore everything but cash money.
I know this because I have worked the abuse desk at several ISPs.
Write a program called "guess the password". When the remote connects to the TCP port, allow it through to this program. It sends the "shrink-wrapped" text that says, "Welcome to the guess a name game that costs only $1. By continuing on and entering data, you at IP address ... consent to this charge. If not, disconnect now without sending any further data." The program should accept a response (or a disconnect). If it gets a response, it should log the transaction.
Take the list of game plays and send a bill to the contact. If they don't pay, send it to a collection agency.
Get a hobby. Seriously. Port scans are nothing. It's a waste of time trying to track them or stop them.
Anyone who looks at their ports, will see port scans. It is common, normal and often is sourced from identifiable locations.
So.....don't look?
Part of being on the Internet means you're going to get port scanned and communicated with. It's like the postal system. Try getting them to stop delivering junk mail. If you want service, if you want to be on the Internet, you're going to have to suck it up and accept it. This isn't a private network. You are not the owner. You are not in control. You have to take whatever is sent your way even if that is a DDoS, spam, whatever.
What you should do is disable the feature. It's a pointless feature you and the majority have zero understanding of. Real security is obtained by fixing the bugs, applying patches, etc. Ultimately you're probably just shit out of luck like the rest of us because the software we're running is piss poor, and in large part can't be fixed. Even where we have a "100%" libre system we're largely at the mercy of other companies because there is microcode in various components still. That is, we don't really have any 100% libre system. The closest thing we have to it would be a router or possibly one of a handful of mini boards (i.e. Banana Pi, CubieBoard, etc.; most all others are dependent on non-free pieces of code).
Put a dumb router *outside* your smart router, that does nothing but block any packets arriving from the offending subnet.
Well there is a third option I employed once against idiots that kept trying something not so nice in the same category. Turns out that a couple of 1 Gbps lines and a few seconds are more than enough to get the message across to certain Chinese idiots...
Find the power switch, use it. Go outside and breathe :)
1) set up a paved box on an isolated vlan.
2) forward all traffic from your scanners to that box.
3) log every packet.
4) send traces of hacking attempts to the FBI.
Your ISP isn't going to do anything about it. The sender's ISP might, if you bug them enough (try contacting their security people, because you're presumably not the only address that sender is port-scanning. Also, it's possible that the address is being spoofed by some third party to DDoS the "sender".) But if the packets are really coming from the sender, and you've contacted their Whois and abuse contacts without success, go for the "Contact Us" on their web page and contact everybody, CEO, sales, marketing, HR, webmaster, and any other @ you can find there. And if that doesn't work, start with phone calls. (I thought about suggesting that you send their IP people a copy of each scan packet, but you need to be really really really sure it's from them, because if they're being spoofed or otherwise attacked, you're helping do a serious DoS/DDoS on them.)
And sometimes it's not the apparent sender, and sometimes it's weirder than that. Many years ago, one of my lab machines was virused and sending a ping every second to a bot-controller address at MIT. MIT's web page didn't have useful help desk contacts that you could access if you weren't a student, but I knew the security director so I emailed him. Turns out the bot-controller was on a Sun machine in Japan, whose IP address was a byte-swapped version of an MIT address. (Yes, my machine was running Linux, one of the very early Red Hat versions, and it would get attacked every week or so. Nobody ever bothered the Win95 machine next to it, because what use would that have been to an attacker?)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Sure, the kernel gets the packet. A trivial annoyance. If you put the drop rule in the prerouting table of a linux kernel you should be able to drop the packets before they trigger any alerts.
If you have nftables support in a 4.x kernel you can get the packet dropped long before it can reach any sort of analyzer.
The port scan alert is the complaint, not an incipient load from the packets themselves, so an early filter will stop the annoyance.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Show them scan evidence and ask your ISP to block it.
It's the only way to be sure....
Your ISP sucks. They should be handing out /48's to all business accounts.
Also, the great thing about having a /64 on each segment for host addressing is there is no practical way to scan it.
I'd install http://wiki.debian.org/iptable...
Casteism
Hopefully stopping the alerts, then port forward all packets originating from them back to them.
1) Vote for Bernie. Then get him to make federal agencies (FCC, FBI, ...) do their job in a timely manner.
2) Meanwhile, pestering all the ISPs involved, as well as the company housing the culprit offending venue, to halt or face legal action, usually has an effect.
3) Be sure to remove the actual offenders, once positively identified, from the gene pool!
Back a long time ago, Tsutomu Shimomura (the engineer who ID'd Kevin Mitnick's famous sequence-number attacks) got pissed about Microsoft's FTP server trying to connect on the identd port after he FTP'd into them for any reason. To get back at Microsoft, Tsutomu set up the chargen service on the identd port (port 113) with a rate limit. When he FTP'd to Microsoft after that, any connections to port 113 would stay open as his computer would stream all ASCII characters out. Seeing as you are likely having ports scanned like 80/443 and so on, why not chargen those? The scans will get stuck, and the data will keep flowing until they die. Even better, if they're collecting all the returns, chargen will ensure they get all the ASCII their disks can hold. Cheers.
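The rate-limited chargen trick above, and the tarpit/portspoof suggestions earlier in the thread, share one mechanism: answer the probe, then feed the scanner an endless, slow stream so its connection never completes. The program below is an added example of that mechanism (not from the thread, and not Shimomura's code): a threaded TCP server that emits the RFC 864 chargen pattern (72 printable characters per line, each line starting one character later) and throttles itself to a configurable byte rate. The listening port, the byte rate, and the idea of forwarding the probed ports to it from the firewall are assumptions.

```python
#!/usr/bin/env python3
"""Rate-limited chargen (RFC 864) responder to hand port scanners a tarpit.

Added example, not from the original thread and not Shimomura's code. Run it
on a host behind the firewall and forward the probed ports (e.g. 80/443, or
113 as in the story) to it; each scanner connection receives the chargen
pattern forever, at `bytes_per_sec`. Port and rate below are assumptions.
"""
import socket
import socketserver
import threading
import time

# The 95 printable ASCII characters 0x20..0x7E, the alphabet RFC 864 rotates through.
PRINTABLE = "".join(chr(c) for c in range(0x20, 0x7F))
LINE_LEN = 72  # characters per chargen line, before CR LF


def chargen_line(n):
    """Line n of the pattern: 72 chars starting at PRINTABLE[n % 95], plus CR LF."""
    start = n % len(PRINTABLE)
    doubled = PRINTABLE + PRINTABLE  # lets the window wrap past the end
    return doubled[start:start + LINE_LEN] + "\r\n"


class ChargenHandler(socketserver.BaseRequestHandler):
    def handle(self):
        rate = self.server.bytes_per_sec
        peer = self.client_address[0]
        print(f"tarpit: {peer} connected, streaming at {rate} B/s")
        n = 0
        try:
            while True:  # runs until the scanner gives up and closes
                line = chargen_line(n).encode("ascii")
                self.request.sendall(line)
                n += 1
                time.sleep(len(line) / rate)  # the rate limit: pace each line
        except OSError:
            pass  # peer closed or reset the connection
        print(f"tarpit: {peer} gone after {n} lines")


class ChargenServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True     # stuck handlers must not keep the process alive
    block_on_close = False    # nor delay server_close()

    def __init__(self, addr, bytes_per_sec):
        super().__init__(addr, ChargenHandler)
        self.bytes_per_sec = bytes_per_sec


def start_background(host="127.0.0.1", port=0, bytes_per_sec=64):
    """Start the tarpit on a daemon thread; returns (server, bound port)."""
    srv = ChargenServer((host, port), bytes_per_sec)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def read_from(host, port, nbytes, timeout=10):
    """Connect the way a scanner would and read nbytes of whatever comes back."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(buf) < nbytes:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


def demo(nbytes=148, bytes_per_sec=4096):
    """Start a tarpit on a random local port, read nbytes from it, tear it down."""
    srv, port = start_background(bytes_per_sec=bytes_per_sec)
    try:
        return read_from("127.0.0.1", port, nbytes)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    import sys
    # Assumed: the firewall forwards the probed ports to this port on this host.
    listen_port = int(sys.argv[1]) if len(sys.argv) > 1 else 1113
    server = ChargenServer(("0.0.0.0", listen_port), bytes_per_sec=64)
    print(f"tarpit listening on {listen_port}")
    server.serve_forever()
```

Two cautions a practitioner would want here. Forward only the offender's subnet to the tarpit: if every address on the internet reaches it, you are running a free data source for all scanners and burning your own upstream bandwidth, which is the opposite of the OP's goal. And keep the rate low (the 64 B/s default is the point): the value of the trick is holding the scanner's connection open cheaply, not out-sending it.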