Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner?

jetkins writes: What would you do if your firewall was being persistently targeted by port scans from a specific group of machines from one particular company? I run a Sophos UTM9 software firewall appliance on my home network. Works great, and the free Home Use license provides a bunch of really nice features normally only found on commercial-grade gear. One of those is the ability to detect, block, and report port scans, and under normal circumstances I only get the occasional alert when some script kiddie comes a-knocking at my door.

But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.

I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.

So name them already

[ArchieBunker]

Lets hear who it is.

Re:Not a surprise

[wierd_w]

Indeed, I routinely get portscans en-mass from china.

Sometimes 5x a day or more. Really aggressive scans that last for hours.

Not a lot you can do about it. Scanning for open ports is a legitimate activity on networks you own, so naturally, a big internetwork like the internet is going to be drowning in automated portscans, and automated blocking of them would break many legitimate services, if they make too many queries too quickly. (say for instance, metacrawlers and pals.)

Just accept that the internet is not a cozy nice place. Bad things lie in wait for the unwary. Use modern protection, and be sensible in how you use it.

really, that's all you can do unless you have actual DDoS style attacks leveled at you. THEN you call the feds.

Just set up a honeypot

[Z80a]

And see what they do with it.

Re:Simple.

[mysidia]

The OP has been more than patient with them.... Assuming they are full TCP connects (non-spoofable); After complaining 3 times about ongoing abuse... I would definitely consider some internet routing table inspection, Identify their upstream providers, and start contacting the upstreams', after continued persistent scans of one IP. Don't stop politely contacting them to ask for help, until you get permanent resolution.

9 times out of 10.... upstream providers will not turn off their customer, probably 10 times out of 10 for simple port scans, which are considered trivial. The industry does NOT consider a simple port scan equivalent to a DoS or hacking attempt, and Most providers will simply disqualify complaints about portscans.

It's partly the OP's folly in having a security device generating excessive noise, especially about blocked IP addresses. I understand the OP may be constrained by product selection; However, Null-routing the offending range SHOULD be an option, and if not..... get a proper packet-filtering firewall to put in front of your UTM, or set an access-list entry on the router in front of it.

However, if contacted, the abusing providers' upstream provider will likely forward the abuse reports to their customer.

After you've done your homework in thoroughly documenting and verifiably reporting, and they have failed to resolve, then a few more iterations, and a seriously-harmed party would be getting their lawyers involved anyways. Probably NOT for a simple portscan however, the offending entities' upstreams might be concerned about it from a risk management perspective and pressure their customer to shape up.

Re:No NAT???

[Bert64]

I have many boxes directly on the internet, NAT would only add an extra layer of headaches... I only open the services i actually want to offer, so if i used port forwarding i would have exactly the same services listening but with added overhead.

Put a filter box in front of full firewall

[Morgaine]

The submitter has two problems, the first is an external site persistently doing something that he doesn't want, and the second is his firewall appliance that isn't doing what he wants.

The first problem is not fixable. Even if you could make them go away, tomorrow someone else will take their place. Do you really want to spend your time in courtrooms and writing letters? In any case, port scanning is not actual service abuse nor hacking but merely service discovery and it's working as intended, so you'll have a hard time convincing anyone that you are suffering actual harm. It's just an annoyance.

In contrast, your second problem *IS* fixable by you, at very little cost. Just put a low-end packet filter in front of your existing firewall, doing nothing but passively blocking all packets from the offending source. It should have no open ports of its own and should run nothing other than the firewall management software, something like pfsense or iptables. Any old PC hardware running off a thumb drive will suffice, or a new ARM board for lowest power consumption, or a repurposed router from eBay for lowest cost.

Fix problems that you can solve. The others are not worth your time fretting about.

Re:Simple.

[rapiddescent]

maybe - but the question is *why* are they doing this. I would be tempted to open a port and see if they attempt to access - then depending on the OP's locality there could be a computer misuse claim.

Re:Simple.

[u-235-sentinel]

upstream providers don't care, they will just forward your email to their abuse contact and call it a day, if they do anything at all.

That is fine. By forwarding, they will have proven they received the message, AND the network in question will be more apt to respond in many cases.

At a later stage of the game when you get your lawyers involved their upstream providers will likely respond, for example, it's not worth their while to fight a lawsuit you can file against the upstream provider about their customer's activities.

Years ago I took a new position at a company when I received a phone call from an ISP stating that my servers were port scanning someone who complained. They were going to turn off our network access. Surprised, I looked into it. I discovered they were right. Someone had allowed malware to get installed on several of our systems. After some cleanup work we were good but it left an impression on me. Besides asking a new employer more in depth questions about their security (or lack of it), that ISP's would be a good place to file a complaint when you are port scanned over and over again.

Might be time to contact THEIR ISP and yours. Ask them to block or disconnect them. If anything, once THEY get a phone call about the complaint, it will wake them up a bit :D