Slashdot Mirror
Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner?
jetkins writes: What would you do if your firewall was being persistently targeted by port scans from a specific group of machines from one particular company? I run a Sophos UTM9 software firewall appliance on my home network. Works great, and the free Home Use license provides a bunch of really nice features normally only found on commercial-grade gear. One of those is the ability to detect, block, and report port scans, and under normal circumstances I only get the occasional alert when some script kiddie comes a-knocking at my door.
But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.
I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.
But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.
I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.
Report it once, to their abuse address. If it continues (it did), block their IP-range. Problem solved (unless you have a lot of spare time and really WANT to waste time on this instead of reading a book or play computer games).
So this time report it to appropriate authorities and if they don't take your case make a public letter into their local newspaper asking them what they are up to.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
...those banging at your doors don't give a damn about laws. You could deny ALL from the attackers address range, but best bet is just shut down the targeted ports.
Time is what keeps everything from happening all at once.
Lets hear who it is.
Only the State obtains its revenue by coercion. - Murray Rothbard
If you listen to the Security Now podcast, this sort of thing is all over the internet. It's a nasty place out there and actors from anywhere and everywhere are always checking addresses for vulnerabilities, etc. I suspect we all get that sort of thing.
Unless it is DDOS'ing you, why is it an issue?
Problem with these commercial products is that they want to prove their usefulness be regularly raising alarms. And, they miss essential features like IP based whitelisting. Portscans and probes are to standard to be bothered about, just block and forget.
Use a decent open source product like pfsense instead. I've had an appliance with pfsense for years and I forget it's even there.
https://www.applianceshop.eu/s...
(no commercial interest, just a satisfied customer)
Disable the Port-Scanning warning. It is useless! It only drowns really important stuff! Port-Scanning is not an attack. Nothing breaks because of a harmless port scan and an alert does not provide you with ANY useful information. So get rid of this useless piece of software.
Your ISP is doing nothing and rightly so. It would only suck up resources that can be used elsewhere where they make a real difference!
Fighting port scans is like trying to fight people looking out of the car windows! Get over it, ignore it, it's completely normal!
And don't suck up other peoples resources by whinging about it!
Yes, many advantages to a unique IP for your machine. Especially if you're running terminal services. Even if you're going through an SSH tunnel (and you should) it still prevents many issues. And you can also bind a hostname easily then, which is somewhat more difficult with NAT around.
Comment removed based on user account deletion
I had a similar situation once at home.
i didn't detect port scans, but someone was scanning my little website at home for vulnerabilities.
One of the files they asked for, I made sure they got a web server response: an endless stream of 4k blocks of random data. The scan stopped within 2 weeks.
And see what they do with it.
Honestly, I wouldn't worry about it. If your firewall is halfway decent (and it sounds like it is), you shouldn't have anything to worry about as far as the security of your network. Unless, of course, you do something really dumb like open a port you shouldn't and have it refer to a port on a machine on your net (I'm presuming you're using NAT).
Also, since it's highly likely you're network link is DHCP, your IP address might change periodically when your router goes to renew the DHCP lease. If your IP address hasn't changed in a while, you might try shutting your router down for a while (like an hour), turn it back on and see if it gives you a new IP address. That might stop them from scanning your network (unless they're going after an entire range if IP addresses on the RoadRunner network).
I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action.
They're too busy enforcing their own arbitrary network rules on their subscribers to worry about things like port scanners coming into their network. Also, it's RoadRunner (Time Warner Cable if I'm not mistaken), and they have among the worst customer service anyway. Unless the attack is coming from someone else on RoadRunner, you're wasting your time reporting the incident to them. Besides, there's really not much they can do anyway if the attack is coming from outside their network. That's why everyone is supposed to have their own firewall. ;-)
https://en.wikipedia.org/wiki/...
Something with a nice-sized ruleset that works on ASICs and you're done. Most companies sell them, and if you're just selectively passing traffic by IP range (or in fancier devices by port) why not offload the hard rules before wasting cycles on traffic you just want to drop? Or just another software device if you're not wanting to buy hardware.
We do this for selective parts of the network where dropping attackers on one machine keeps them from running through an entire block of IPs. A lot of it's even scripted: more than 3 IPs getting brute forced? That's a 24 hour ban and email to the associated ARIN/APNIC/RIPE contact. Granted APNIC/RIPE tends to stay on that list a lot longer than 24 hours...
--- Need web hosting?
The submitter's problem is that he keeps trying ELECTRONIC solutions to stop the port scanning. How about writing a letter on paper? This is how lawyers do it. That might scare the people doing the scanning enough to stop it.
Forget it and find a real problem to worry about.
you are totally insane. VPN to a VPS, and port forward what is needed. NEVER EVER EVER EVER go directly onto the internet.
This isn:t 1985, it:s 2015.
This little device will solve your problems for ever, if you just can attach it to the offending network.
Your problem is UTM; but if you really care... pay Amazon a couple hundred $, spin up 100,000 instances for a really short time, and push them a couple of million dollars into bandwidth debt, and they won't bother you again.
Alternately, buy something other than UTM, which filters before the alerts, instead of after.
Seriously? People still assign public IP's directly to PC's? Get a router. use NAT. these "Port Scans" (which may well not be port scans at all) shouldn't be making it anywhere near a PC in the first place.
Seriously, did you research before posting ? UTM 9 IS a router and does NAT it is not a "PC"
Turn port scan detection off, its not on by defualt for a reason ! I look after several UTM 9's if I left portscan detection on I'd have thousands of emails a day. Its a fact of life today that you get scanned, make sure you do not open more ports than you need to and the backend servers are secure. Then forget about it.
I have many boxes directly on the internet, NAT would only add an extra layer of headaches... I only open the services i actually want to offer, so if i used port forwarding i would have exactly the same services listening but with added overhead.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
You have the name of the chief executive? Write to him on paper with a stamp and tell him that his company is causing yours a nuisance. Say that under the provisions of statute X (whatever that may be in your country) you are entitled to claim compensation under the civil tort of harassment, or equivalent in your country. Enclose a copy of the relevant page of the legislation. There's sure to be plenty of legislation to choose from, take your pick. Enclose some printouts of the firewall warning messages.
That CEO will have to cancel his game of golf. He will be furious about that. He doesn't want to think about tiresome technology matters. He wants to think about golf. Above all, he must avoid the electric fence and not have any silly legal troubles. He will bang some heads together and the port scans will stop.
Someone asked me about receiving automated renewal reminders by email for an antivirus program he had ordered in error and then cancelled. He had asked not to receive such reminders anymore but they kept coming. The above steps worked for me.
The submitter has two problems, the first is an external site persistently doing something that he doesn't want, and the second is his firewall appliance that isn't doing what he wants.
The first problem is not fixable. Even if you could make them go away, tomorrow someone else will take their place. Do you really want to spend your time in courtrooms and writing letters? In any case, port scanning is not actual service abuse nor hacking but merely service discovery and it's working as intended, so you'll have a hard time convincing anyone that you are suffering actual harm. It's just an annoyance.
In contrast, your second problem *IS* fixable by you, at very little cost. Just put a low-end packet filter in front of your existing firewall, doing nothing but passively blocking all packets from the offending source. It should have no open ports of its own and should run nothing other than the firewall management software, something like pfsense or iptables. Any old PC hardware running off a thumb drive will suffice, or a new ARM board for lowest power consumption, or a repurposed router from eBay for lowest cost.
Fix problems that you can solve. The others are not worth your time fretting about.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
The internet is full of background noise, not a lot you can do about it..
Chances are this isn't even a portscan at all, because what would be the point of scanning the same thing repeatedly? Chances are they've configured the target IP wrong, or the IP you now have used to be used by someone else etc.
Having a router constantly notifying you about internet background noise is pointless and will only waste your time.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
If you need to choose between alarms and protection, then protection goes first.
Then if you want, make the proper investigation and go the legal way: persistent port scanning is a ostile action, indeed.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
To me this sounds like the main problem is the "security" device that's generating a lot of noise.
My solution would be to put something (very low power gear will do) running a recent OpenBSD and a PF ruleset with overflow rules modeled on the ones outlined here in front of that whiny device. The ruleset would need to be modified to fit the observed traffic, of course. Then anyone who fits the profile of unwanted traffic simply auto-LART themselves into the table of blocked addresses.
With a properly placed adaptive firewall like that, the noisemaker would likely not see enough of the traffic to trigger any of the useless warnings.
-- That grumpy BSD guy - http://bsdly.blogspot.com/
Ignore.
Filter the alert emails from that ISP if necessary.
Get on with life.
(P.S. Just double-check you put it on the block list).
Run any internet server in any datacenter in the world and you get this times a thousand. You can't trace them all. Hell, you can't even spend the time to trace all those spam email attempts you would get either.
What, precisely, do you think is being done to your connection that's worth the time and effort to even follow-up on it? A few packets hitting a firewall that is set to block and deny them any further access anyway?
Get a life, honestly. And turn off alert emails for port-scans. Turn on proper IDS/IPS, but turn off that particular alert because - well - it happens all the time anyway and it isn't going to stop just because you stop one IP range.
Spend the time you save on double-checking that people can't get into even the open services that you do offer to the net (SMTP, NTP, etc. if relevant). Whether you respond open or close, or whether the firewall rejects or allows, the requests still means that the packet was send, received, acted on, and replied to (or not, as the case may be). And in terms of your overall connection it's going to be like 0.001% of your traffic, if that.
Then go and work in any static-IP, Internet-facing network department that runs in-house services like webservers, VPN, email, etc. And notice that they just wouldn't care and don't have the time to do anything about such trivial shite.
if the problem is greater than blocking their IP range, could you not setup a passive system that only allowed requests on a specific port, by a specific application, and the other requests ttl before leaving your home network?
long time ago in a PC now far away I once installed Black Ice...... for a few days I was overwhelmed by the amount of attacks I was seeing. It can give you sleepless nights but thats exactly what the software seller wants you to see, background noise raised up to make you think it is a serious threat. Treat it as a mataphore for everything else you percieve as a threat and move on. Lock your front door, put your wallet and phone safely in your pocket and get on with your life. Oh, and don't forget to line your hat with foil....SHINY SIDE OUT.
What intelligence? That the attacker fires off every known OpenSSL exploit when it finds something listening on 22?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Sounds like you're having the similar problem of ignorance that I have when reporting shodan's port scans. All I get is bleating about doing god's work to save the Internet. I don't care about that, I just want them to stop accessing my services. I expect the same from their upstream as well, but will report to them anyway just in case of a Christmas miracle ;-)
If they are scanning for ports then give them something to play with. :)
Setup a honeypot and gather intelligence about them. Find out who they are, where they are, and if possible, a motive as to why they are specifically targeting you.
Once you have that information you can act accordingly - contact ISP, law enforcement, etc.
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
Why are you worried about port scans for your own machine that you control in every detail? Unless you've got some busted-ass daemon on some port, assuming you are not being DOSed or your bandwidth getting used up (which is very very unlikely), what do you think is going to happen? It's not like you have users on your machine who have kindergarten passwords which you can't control, is it?
Fleabag lightweights are hitting ssh on my VPS all day every day. Let them knock themselves out. They ain't never gonna bust in. Forget that shit. Because my security is competently set up.
Stopping port scans does not address security shortcomings.
Don't forward the scan reports to their abuse address. Spend a couple of cents to forward it through a mail-to-fax gateway to their fax number.
I think it will stop much sooner this way.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
I'm not sure about where you are, but here (UK) we have the ISPA which is a quasi regulatory body for ISPs. If you have a complaint with an ISP and can't get satisfactory resolution, then you can escalate the matter to the ISPA who can put pressure on them.
While other commenters have mentioned your alerting system should be disabled as its essentially worthless, theres a pretty simple fix if the IP's are known. Add their public ips to your router as additional WAN's or secondary IP's. Their traffic should now become unroutable and dropped before the appliance even tries to examine them. Or you could add a managed switch in front of your WAN which drops/blocks traffic from those IP's.
Problem with doing these sorts of things is that over time your systems become a confusing mess of strange kludges and workarounds. Port scans really are super normal, and the true issue is your appliance not behaving as you'd desire.
--Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isnt that how RAID works?
if by number you mean 2 (britain and germany), then yes. possession of nmap is illegal, although not enforced. it's basically a law to give them ammunition when they nab you and have nothing on you.
So, you're smart enough to have a firewall with port detection and know how to block a subnet, but you're not smart enough to write a filter that takes that port scan notification from that subnet and throw it in the trash? I've got buddies that work for banks, they do this crap all day long. They can't turn off port scan, because company policy, but they need to filter out stuff that doesn't matter. They do it at the monitoring software but most home users get email notifications. Use a mail client that has decent filtering. It's not like this is going to be the only time somebody scans you, you'll get better at writing your filters.
Maybe a silly question on my part, but...
Do you have your firewall set to discard unwanted packets silently? In other words, unless someone from the outside is hitting an IP and a port that you want open to the outside, there should be *no response* to outside queries (including port scans). If the firewall acknowledges the ping of the port *in any way* with a return packet, then the outside party knows there's something attached to that IP/port.
It's always best to give the appearance that there's nothing residing at that IP/port....
Set up a honeypot. Put a machine inside your network, and open some of the ports they're scanning on it. See what they're trying to do.
As a bonus, /if/ they do anything, they have now actually broken the law and you can get law enforcement to actually do something.
In the land of the blind, the one-eyed man is kinky.
That's like saying ringing someone's doorbell is going to use up all their electricity.
Doesn't mean it's okay for someone to keep ringing it all day...
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
"[T]he UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing"
You're using a crap firewall.
.
A case in point, I once bought an HP/WinME (pls don't ask) machine that came with some undocumented extra software that I didn't ask for, no surprise. The actual purpose of this "keyboard driver" system service was to keep any dialup session active, by pinging a particular IP address. That address was assigned to a company (not the Mfg or even software author) and that company had necessarily black-holed that particular IP address, which could not be changed. My firewall would light up every so often because of probing packets and ICMP coming back from that domain in response to this software on my machine doing really stupid things. I could not turn this feature off without hacking my own machine to remove this system service. Funny how removing a system service keyboard driver has absolutely no effect on using the machine, who would have guessed. In hind sight, I can not blame that company for scanning me because in their eyes I was the intruder, constantly pinging them.
If you are sure that none of that is the case, and you really don't want to disable your fw scan detection then this is what I would do. Make a copy of one of their scans and print it. Write a letter for a cease and desist and address it to their legal department, and sent it via certified USPS mail. If that does not get action then I would seriously consider turning that feature off.
Could you please elaborate on that ?
It doesn't sound like there is much you can do. But.. you could just filter your email so that this particular error report, when their particular ip is attached goes straight to trash.
It's not young people that are ruining this place: the young people don't hang out here, and instead spend their time elsewhere besides a washed-up tech site. This place is mostly populated by angry old farts who just sit around in their Depends and complain about new technologies and changing society. The above is probably one of them.
If you're confident your system is secure against intrusions and you're monitoring things this closely, a port scan is ... nothing. Who cares? It's intrusions you care about, not probes. Just be sure anything you have open is secured. Monitor attempts to attack anything opened to the world.
I personally don't monitor for port scans, I really don't care. Anything open on my servers is either secured, monitored, or if it's a legacy service I'm unsure about, sandboxed (chrooted, unprivileged, etc) to minimize any intrusion into it from causing any damage to the rest of the system.
Seriously? People still assign public IP's directly to PC's? Get a router. use NAT. these "Port Scans" (which may well not be port scans at all) shouldn't be making it anywhere near a PC in the first place.
Port Address Translation breaks the end-to-end model of TCP/IP. IPv6 is designed to remove the need for NAT entirely. The network admin is supposed to actually know how to build a proper firewalling router to keep other networks out or to limit what resources they can reach.
Good firewalls deny incoming connections by default, and only allow them when they're solicited by a machine on the local side, and even then, only when the return traffic from the untrusted network conforms to expectations based on the trusted machine's initial outgoing request. This can get a little tricker with protocols that use more than one port or semirandomly chose ports from a range, but it seems to work pretty well even with public IPs on devices.
Do not look into laser with remaining eye.
http://portspoof.org/
http://www.saltwaterc.eu/ports...
Now whenever anyone scans you all ports show as open. pretty cool huh?
Also great if you are trying to find out what ports your isp is blocking.
Minimum threshold fixed. Thanks!
Doesn't mean it's okay for someone to keep ringing it all day...
Thank you - my point precisely.
There should be a way to have the firewall ignore these port scans, especially if they are already blocked!
I've never worked with this software, but glancing at the manual at https://www.sophos.com/en-us/m... (assuming it's the correct one) suggests some things for you to check. Is your notification level currently set to "info"? Try changing it to "warning". Look for the "limit notifications" setting as well.
Turning off any alerts goes against the grain, but as y'all have pointed out, as long as the defenses are in place then stuff bouncing off the walls doesn't really warrant concern.
To those that suggested filtering the alert messages, I have considered that, but I don't currently have any means of filtering based on anything but the mail headers, and the originating address only appears in the body. Still, I may look a little further if I start to twitch because I'm "missing" alerts.
To those that pointed out that the UTM ought to be filtering before detecting, yeah, I get that too, and in fact I have raised it with Sophos, but unfortunately as a non-paying Home Use customer, my voice doesn't carry a lot of weight. I do get that I could probably cobble something together using Open Source and a bunch of cryptic incantations, but frankly, I do enough low-level stuff in my day job - when I get home, I just want to enjoy my internet connection, not spend hours maintaining it. But thanks for the suggestions.
So in summary, I guess it's time to turn off the notifications, stick my virtual fingers in my ears, and start chanting Merry Christmas. Cheers!
while i was still at the university, our networking professor warned us about Germany and mentioned that similar laws were about to be passed in the UK. and then i read it in nmap's faq or in /usr/share/docs/nmap a few years later. i think it predates cameron.
having nmap on your computer is treated the same way as if you walked around with lock picking tools. presumption of guilt.
Before you complain to their ISP, check whether anyone is using filesharing software. Off the top of my head Gnutella and some bittorrent clients will initiate portscans to get around filtering.
Start automatically bouncing every report to their abuse address?
Yep. As it stands now, you're the one being inconvenienced.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Write a program called "guess the password". When the remote connects to the TCP port, allow it through to this program. It sends the "shrink-wrapped" text that says, "Welcome to the guess a name game that costs only $1. By continuing on and entering data, you at IP address ... consent to this charge. If not, disconnect now without sending any further data.". THe program should accept a response (or a disconnect). If it gets a response, it should log the transaction.
Take the list of game plays and send a bill to the contact. If they don't pay, send it to a collection agency.
Get a hobby. Seriously. Port scans are nothing. It's a waste of time trying to track them or stop them.
There are also many advantages to leaving the doors to your dwelling unlocked as well, but we don't do that anymore either.
Oh dear, you have much to learn about how to get computers to actually work without convoluted setups that break constantly. There is a fine line between usability and going far over the top in security. I'm exposed to both systems, the one at my desktop at work you only need to SSH tunnel to your computer. This is fine 90% of the cases, though many times that's already near impossible on hotel internet due to extensive blocking of "non-standard" things. The other system I'm commonly exposed to runs several levels of firewalls and requires a VPN client on top of that, it's a nightmare to login to and requires all sorts of specific browser plugins that only work on MSIE, not to mention using it through hotel internet is a no-go. And anyway, if you aren't prepared to leave a service open to the world you probably shouldn't be running it in the first place. Additionally ever tried interfacing to lab instruments over a network filled with firewalls? I can tell you right now simplicity is often a better choice in the long run.
Please line up with the folks who want convoluted security systems that break constantly and don't actually work when you're on the move. In the meanwhile I'll try to get some work done.
Put a dumb router *outside* your smart router, that does nothing but block any packets arriving from the offending subnet.
Comment removed based on user account deletion
1) set up a paved box on an isolated vlan.
2) forward all traffic from your scanners to that box.
3) log every packet.
4) send traces of hacking attempts to the FBI.
Your ISP isn't going to do anything about it. The sender's ISP might, if you bug them enough (try contacting their security people, because you're presumably not the only address that sender is port-scanning. Also, it's possible that the address is being spoofed by some third party to DDoS the "sender".) But if the packets are really coming from the sender, and you've contacted their Whois and abuse contacts without success, go for the "Contact Us" on their web page and contact everybody, CEO, sales, marketing, HR, webmaster, and any other @ you can find there. And if that doesn't work, start with phone calls. (I thought about suggesting that you send their IP people a copy of each scan packet, but you need to be really really really sure it's from them, because if they're being spoofed or otherwise attacked, you're helping do a serious DoS/DDoS on them.)
And sometimes it's not the apparent sender, and sometimes it's weirder than that. Many years ago, one of my lab machines was virused and sending a ping every second to a bot-controller address at MIT. MIT's web page didn't have useful help desk contacts that you could access if you weren't a student, but I knew the security director so I emailed him. Turns out the bot-controller was on a Sun machine in Japan, whose IP address was a byte-swapped version of an MIT address. (Yes, my machine was running Linux, one of the very early Red Hat versions, and it would get attacked every week or so. Nobody ever bothered the Win95 machine next to it, because what use would that have been to an attacker?)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Sure, the kernel gets the packet. A trivial annoyance. If you put the drop rule in the prerouting table of a linux kernel you should be able to drop the packets before they trigger any alerts.
If you have nftables support in a 4.x kernel you can get the packet dropped long before it can reach any sort of analyzer.
The port scan alert is the complaint, not an incipient load from the packets themselves, so an early filter will stop the annoyance.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Your ISP sucks. They should be handing out /48's to all business accounts.
Also, the great thing about having a /64 on each segment for host addressing is there is no practical way to scan it.
I'd install http://wiki.debian.org/iptable...
Casteism
And how does a firewall help in that instance? It's just an additional routing device between you and the outside, so there is a good likelihood that such an attack will still reach you via whatever services you do have opened.
Plus you now have the added risk of such a kernel vulnerability existing on the firewall device itself too.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Back a long time ago, Tsutomu Shimomura (the engineer who ID'd Kevin Mitnick's famous sequence-number attacks), got pissed about Microsoft's FTP server trying to connect on the identd port after he FTP'd into them for any reason. To get back at Microsoft, Tsutomu setup the chargen service on the identd port (port 113) with a rate-limit. When he FTP'd to Microsoft after that, any connections to port 113 would stay open as his computer would stream all ASCII characters out. Seeing as you are likely having ports scanned like 80/443 and so on - why not chargen those? The scans will get stuck, and the data will keep flowing until they die. Even better, if they're collecting all the returns - chargen will ensure they get all the ASCII their disks can hold. Cheers.