Slashdot Mirror


Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner?

jetkins writes: What would you do if your firewall was being persistently targeted by port scans from a specific group of machines from one particular company? I run a Sophos UTM9 software firewall appliance on my home network. Works great, and the free Home Use license provides a bunch of really nice features normally only found on commercial-grade gear. One of those is the ability to detect, block, and report port scans, and under normal circumstances I only get the occasional alert when some script kiddie comes a-knocking at my door.

But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.

I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.

2 of 265 comments (clear)

  1. Turn it off by Xenna · · Score: 5, Insightful

    Problem with these commercial products is that they want to prove their usefulness be regularly raising alarms. And, they miss essential features like IP based whitelisting. Portscans and probes are to standard to be bothered about, just block and forget.

    Use a decent open source product like pfsense instead. I've had an appliance with pfsense for years and I forget it's even there.

    https://www.applianceshop.eu/s...

    (no commercial interest, just a satisfied customer)

  2. Re:The first time didn't help. by mysidia · · Score: 5, Insightful

    So this time report it to appropriate authorities and if they don't take your case

    OR push the block on the IP range into the Firewall's routing table as a route to Null0, or to an access-list on the Firewall's upstream router

    Most providers summarily shove complaints about portscans and firewall alerts into the trash bin. The OP needs something material to base a legitimate abuse complaint on, such as logs showing an actual SSH brute force access attempt, that demonstrates the activity is a malicious attempted intrusion and not merely some reconnaissance effort, possible false alarm, or "background noise" such as W32/Blaster traffic from some host still running infected XP.

    The authorities DON'T CARE about portscans either, unless the OP has something much more material to investigate, or can prove a crime was committed with serious damage, they generally will not get involved... It doesn't hurt to report it to the civil authorities, but it's not going to do anything to alleviate OP's situation, either, which is an "overly chatty" firewall device.

    The real issue there is the Firewall and the lack of options to suppress spurious alerts, that should get taken up with the firewall vendor as a software issue.