Slashdot Mirror


Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner?

jetkins writes: What would you do if your firewall was being persistently targeted by port scans from a specific group of machines from one particular company? I run a Sophos UTM9 software firewall appliance on my home network. Works great, and the free Home Use license provides a bunch of really nice features normally only found on commercial-grade gear. One of those is the ability to detect, block, and report port scans, and under normal circumstances I only get the occasional alert when some script kiddie comes a-knocking at my door.

But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.

I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.

11 of 265 comments

  1. Simple. by Zedrick · Score: 3, Informative

    Report it once, to their abuse address. If it continues (it did), block their IP range. Problem solved (unless you have a lot of spare time and really WANT to waste time on this instead of reading a book or playing computer games).

    1. Re:Simple. by tlhIngan · Score: 3, Informative

      Report it once, to their abuse address. If it continues (it did), block their IP range. Problem solved (unless you have a lot of spare time and really WANT to waste time on this instead of reading a book or playing computer games).

      The problem is the IP range IS blocked. But the router does its port scan detection prior to the IP blacklist and will still notify him of the attack despite the packets being dropped.

    2. Re:Simple. by Zedrick · Score: 3, Informative

      I missed that (but, 1st post...). Still, that's just a problem with a bad router. The packets should be blocked (dropped) right away, otherwise there's no point in blocking.

    3. Re:Simple. by WarJolt · Score: 5, Informative

      If it's a choice between all or nothing, then I'd pick nothing.

      Port scan alerts are a bad idea for three reasons.
      1. These attacks are very common, and the excess noise of the alerts may distract you from real threats.
      2. Port scans that get caught by these filters are usually benign. Nmap is the first tool that every little kid who thinks they are a hacker plays with before they learn some common sense.
      3. Any sophisticated attack that actually stands a chance of working won't be detected by these simple mechanisms.

      Hopefully, your firewall will detect the real threats using more sophisticated methods. If I were you I wouldn't count on it catching everything. Those alerts might be giving you a false sense of security. The only thing that alert is satisfying is the author's curiosity. It's not really protecting him.
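The submitter's actual complaint is that the UTM raises a port scan alert before the blocklist drops the packet, and WarJolt's point is that the raw alert stream is mostly noise. One way to get both without turning alerting off entirely is to post-process the alert log: suppress anything whose source is already inside a blocked range, and collapse what remains into one digest line per source /24. The following is an added example, not code from the Slashdot thread or from Sophos; the log layout and addresses are constructed for the demonstration (the real UTM alert format is not shown on the page), and `BLOCKED_RANGES` stands in for whatever ranges the administrator has actually blocked.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample alert lines in a made-up syslog-like layout. This is
# NOT the real Sophos UTM format; only the fields matter for the example.
SAMPLE_ALERTS = """\
2013-12-24T09:01:02 portscan detected src=203.0.113.17 dst=198.51.100.9 dport=22 proto=tcp
2013-12-24T09:01:03 portscan detected src=203.0.113.17 dst=198.51.100.9 dport=23 proto=tcp
2013-12-24T09:01:04 portscan detected src=203.0.113.44 dst=198.51.100.9 dport=3389 proto=tcp
2013-12-24T09:05:10 portscan detected src=192.0.2.200 dst=198.51.100.9 dport=445 proto=tcp
2013-12-24T09:07:15 portscan detected src=192.0.2.200 dst=198.51.100.9 dport=139 proto=tcp
2013-12-24T09:09:30 this line is not an alert and is skipped
""".splitlines()

# Ranges already blocked at the firewall (constructed). Alerts sourced from
# these are pure noise: the packets are dropped regardless of the alert.
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

ALERT_RE = re.compile(
    r"portscan detected src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_alert(line):
    """Return a dict for a port scan alert line, or None for anything else."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None  # malformed source address: not worth alerting on
    return {"src": src, "dst": m.group("dst"),
            "dport": int(m.group("dport")), "proto": m.group("proto")}


def is_blocked(src, blocked=BLOCKED_RANGES):
    """True if the source address (str or ip_address) falls in a blocked range."""
    addr = ipaddress.ip_address(str(src))
    return any(addr in net for net in blocked)


def summarize(lines, blocked=BLOCKED_RANGES):
    """Return (suppressed_count, digest).

    digest maps a source /24 to hit count, distinct hosts and distinct ports,
    so a scan spread over several hosts in one block yields one entry.
    """
    suppressed = 0
    digest = defaultdict(lambda: {"hits": 0, "sources": set(), "ports": set()})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if is_blocked(alert["src"], blocked):
            suppressed += 1
            continue
        key = str(ipaddress.ip_network(f"{alert['src']}/24", strict=False))
        entry = digest[key]
        entry["hits"] += 1
        entry["sources"].add(str(alert["src"]))
        entry["ports"].add(alert["dport"])
    return suppressed, dict(digest)


def format_digest(suppressed, digest):
    """Render the digest as one line per source block plus a suppression count."""
    out = [f"suppressed {suppressed} alert(s) from already-blocked ranges"]
    for net, e in sorted(digest.items()):
        ports = ",".join(str(p) for p in sorted(e["ports"]))
        out.append(f"{net}: {e['hits']} hit(s) from {len(e['sources'])} host(s), ports {ports}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_digest(*summarize(SAMPLE_ALERTS)))
```

Run once a day over the exported alert log (or pipe the alerts into it), the digest keeps the signal WarJolt wants to preserve while the blocked company's scans never reach the inbox.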

  2. Port Scans are normal, stop whining! by marco.tedaldi · Score: 4, Informative

    Disable the port-scanning warning. It is useless! It only drowns out really important stuff! Port scanning is not an attack. Nothing breaks because of a harmless port scan, and an alert does not provide you with ANY useful information. So get rid of this useless piece of software.

    Your ISP is doing nothing and rightly so. It would only suck up resources that can be used elsewhere where they make a real difference!
    Fighting port scans is like trying to fight people looking out of the car windows! Get over it, ignore it, it's completely normal!

    And don't suck up other people's resources by whinging about it!

  3. Re:Chances are... by Z00L00K · Score: 4, Informative

    One solution to such actions is, instead of blocking them, to send them to a tar-pit server: one that may look like a valid server but responds very slowly.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.

  4. Background noise by Bert64 · Score: 4, Informative

    The internet is full of background noise; not a lot you can do about it.
    Chances are this isn't even a port scan at all, because what would be the point of scanning the same thing repeatedly? Chances are they've configured the target IP wrong, or the IP you now have used to be used by someone else, etc.

    Having a router constantly notifying you about internet background noise is pointless and will only waste your time.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!

  5. A Honeypot? by MagickalMyst · Score: 4, Informative

    If they are scanning for ports then give them something to play with. :)

    Set up a honeypot and gather intelligence about them. Find out who they are, where they are, and if possible, a motive as to why they are specifically targeting you.

    Once you have that information you can act accordingly - contact ISP, law enforcement, etc.

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.

  6. Re:Just set up a honeypot by MrKaos · Score: 3, Informative

    And see what they do with it.

    Exactly. If someone has screwed up then nothing will happen. If someone uses it, that's different and then you also have your misuse case as the basis for legal action if required (make sure to have misuse messages and warnings in place). Not that you want to take legal action, it's just being in the position to take that action if you can or need to.

    --
    My ism, it's full of beliefs.

  7. Re:Turn it off by Voyager529 · Score: 4, Informative

    UTM 9 IS open source except for the GUI and has FAR better and FAR more features than pfSense.
    Not even close to being in the same league.
    (no commercial interest, just a satisfied UTM 9 user (not customer))

    Amusingly, I dealt with this very scenario just this week, except in reverse.

    I installed the Sophos UTM on a Vista-vintage Optiplex. It was fine and responsive, and yes, the UI was beautiful, with lots of enterprise-grade features. The problem I had was that Sophos seemed to have a default 'deny any any' sort of rule in place that allowed HTTP, DNS, and...basically nothing else. I couldn't RDP out via nonstandard ports, I couldn't access IMAP mail, I couldn't get new Usenet articles in Agent, and that damn 'yellow triangle of limited connectivity' was proudly shown on all the Windows boxen on my LAN. I spent about two hours trying to get it to let SOMETHING through, Googled around, and...apparently there's some sort of voodoo that everyone else 'just knows' to make Sophos be a bit less strict, but for me it was like debating with the great-grandson of HAL9000: "Open the port 3389 doors, HAL." "I'm sorry Joey, I can't do that." Between that and the fact that Sophos went to the Sonicwall school of port forwarding hell, I installed pfSense.

    pfSense allows traffic to flow the way one would expect a router to work; all the things that didn't work in Sophos worked just fine on pfSense. Port forwards can be as simple as a Linksys router (source port, destination port, IP address), or as complex as a Sonicwall. Its UI isn't nearly as pretty, but it's highly functional. The transparent proxy helps speed up HTTP traffic, which is helpful as I'm stuck with 2mbit/768k DSL for the immediate term.

    I'm sure this is all a PEBKAC situation, and I do understand that Sophos's "assume the worst" stance has its place, but especially for something labeled for home users, I would have at least expected some sort of option in the initial config wizard to choose between 'paranoid mode' and 'actual router' mode.

  8. Re:No NAT??? by TWX · Score: 3, Informative

    Seriously? People still assign public IPs directly to PCs? Get a router, use NAT; these "Port Scans" (which may well not be port scans at all) shouldn't be making it anywhere near a PC in the first place.

    Port Address Translation breaks the end-to-end model of TCP/IP. IPv6 is designed to remove the need for NAT entirely. The network admin is supposed to actually know how to build a proper firewalling router to keep other networks out or to limit what resources they can reach.

    Good firewalls deny incoming connections by default, and only allow them when they're solicited by a machine on the local side, and even then, only when the return traffic from the untrusted network conforms to expectations based on the trusted machine's initial outgoing request. This can get a little trickier with protocols that use more than one port or semi-randomly choose ports from a range, but it seems to work pretty well even with public IPs on devices.
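The stateful behaviour TWX describes can be shown in a few dozen lines: outbound traffic creates a connection-table entry, and inbound traffic is accepted only when it matches the reversed tuple of an entry that has not idled out. The following is an added illustration, not code from the thread or from any firewall product; `Packet`, `StatefulFilter` and all addresses are constructed for the example. It deliberately handles only single-flow TCP and UDP, which is exactly the gap TWX notes for multi-port protocols (a production tracker adds "related" flows for those, such as FTP data channels).

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; only the fields a stateful filter keys on."""
    ts: float          # seconds since some epoch
    direction: str     # "out" (trusted -> untrusted) or "in" (untrusted -> trusted)
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag (ignored for udp)
    ack: bool = False  # TCP ACK flag (ignored for udp)


@dataclass
class StatefulFilter:
    """Default-deny inbound filter driven by a connection table (hypothetical)."""
    idle_timeout: float = 60.0
    # key: (proto, local_ip, local_port, remote_ip, remote_port) -> last seen ts
    table: dict = field(default_factory=dict)

    def _expire(self, now):
        # Entries that have gone quiet for longer than idle_timeout no longer
        # solicit anything; late replies to them are treated as unsolicited.
        stale = [k for k, last in self.table.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def decide(self, pkt):
        self._expire(pkt.ts)
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            # A new TCP flow must begin with a SYN; an out-of-state segment
            # (e.g. a stray RST) is INVALID and creates no state. UDP has no
            # handshake, so the first outbound datagram creates the entry.
            if key not in self.table and pkt.proto == "tcp" and not pkt.syn:
                return "DROP"
            self.table[key] = pkt.ts
            return "ACCEPT"
        # Inbound: reverse the tuple to find the local request that solicited it.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return "DROP"   # unsolicited: this is where a port scan probe lands
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            return "DROP"   # a bare SYN can never be the reply to our request
        self.table[key] = pkt.ts
        return "ACCEPT"


def run_scenario():
    """Replay a constructed packet sequence and return the verdicts in order."""
    fw = StatefulFilter(idle_timeout=60.0)
    local, remote, scanner = "192.168.1.10", "198.51.100.9", "203.0.113.17"
    packets = [
        Packet(0.0, "out", "tcp", local, 51000, remote, 443, syn=True),           # our HTTPS request
        Packet(0.1, "in", "tcp", remote, 443, local, 51000, syn=True, ack=True),  # matching SYN/ACK
        Packet(0.2, "in", "tcp", scanner, 40000, local, 22, syn=True),            # scan probe: no state
        Packet(0.3, "in", "tcp", remote, 443, local, 51001, syn=True, ack=True),  # right peer, wrong local port
        Packet(1.0, "out", "udp", local, 53001, remote, 53),                      # DNS query
        Packet(1.1, "in", "udp", remote, 53, local, 53001),                       # DNS answer
        Packet(120.0, "in", "udp", remote, 53, local, 53001),                     # late answer after idle timeout
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The third and fourth packets are the point of the comment: a probe from an unrelated host, and even a packet from the right peer aimed at a port we never opened, are both dropped with no NAT involved, because neither matches an entry a local machine created.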

    --
    Do not look into laser with remaining eye.