Slashdot Mirror


Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner?

jetkins writes: What would you do if your firewall was being persistently targeted by port scans from a specific group of machines from one particular company? I run a Sophos UTM9 software firewall appliance on my home network. Works great, and the free Home Use license provides a bunch of really nice features normally only found on commercial-grade gear. One of those is the ability to detect, block, and report port scans, and under normal circumstances I only get the occasional alert when some script kiddie comes a-knocking at my door.

But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.

I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.

53 of 265 comments

  1. Simple. by Zedrick · · Score: 3, Informative

    Report it once, to their abuse address. If it continues (it did), block their IP range. Problem solved (unless you have a lot of spare time and really WANT to waste time on this instead of reading a book or playing computer games).

    1. Re:Simple. by tlhIngan · · Score: 3, Informative

      Report it once, to their abuse address. If it continues (it did), block their IP range. Problem solved (unless you have a lot of spare time and really WANT to waste time on this instead of reading a book or playing computer games).

      The problem is the IP range IS blocked. But the router does their port scan detection prior to the IP blacklist and will still notify him of the attack despite the packets being dropped.

    2. Re:Simple. by Zedrick · · Score: 3, Informative

      I missed that (but, 1st post...). Still, that's just a problem with a bad router. The packets should be blocked (dropped) right away, otherwise there's no point in blocking.

    3. Re:Simple. by gl4ss · · Score: 4, Insightful

      obvious answer is obvious, report a feature request to sophos.
      or buy a different firewall.
      or do attack detection after it.
      or just don't bother doing anything with it (proper).

      really this is a problem with his firewall device/software in it. I have no idea why this passed through to slashdot since he already tried contacting the offender and his ISP.

      --
      world was created 5 seconds before this post as it is.
    4. Re:Simple. by mysidia · · Score: 5, Interesting

      The OP has been more than patient with them.... Assuming they are full TCP connects (non-spoofable); after complaining 3 times about ongoing abuse... I would definitely consider some internet routing table inspection, identify their upstream providers, and start contacting the upstreams, after continued persistent scans of one IP. Don't stop politely contacting them to ask for help, until you get permanent resolution.

      9 times out of 10.... upstream providers will not turn off their customer, probably 10 times out of 10 for simple port scans, which are considered trivial. The industry does NOT consider a simple port scan equivalent to a DoS or hacking attempt, and Most providers will simply disqualify complaints about portscans.

      It's partly the OP's folly in having a security device generating excessive noise, especially about blocked IP addresses. I understand the OP may be constrained by product selection; however, null-routing the offending range SHOULD be an option, and if not..... get a proper packet-filtering firewall to put in front of your UTM, or set an access-list entry on the router in front of it.

      However, if contacted, the abusing provider's upstream provider will likely forward the abuse reports to their customer.

      After you've done your homework in thoroughly documenting and verifiably reporting, and they have failed to resolve, then a few more iterations, and a seriously-harmed party would be getting their lawyers involved anyways. Probably NOT for a simple portscan however, the offending entities' upstreams might be concerned about it from a risk management perspective and pressure their customer to shape up.

    5. Re:Simple. by rapiddescent · · Score: 3, Interesting

      maybe - but the question is *why* are they doing this. I would be tempted to open a port and see if they attempt to access - then depending on the OP's locality there could be a computer misuse claim.

    6. Re:Simple. by WarJolt · · Score: 5, Informative

      If it's a choice between all or nothing, then I'd pick nothing.

      Port scan alerts are a bad idea for three reasons.
      1. These attacks are very common and excess noise of the alerts may distract you from real threats.
      2. Port scans that get caught by these filters are usually benign. Nmap is the first tool that every little kid who thinks they are a hacker plays with before they learn some common sense.
      3. Any sophisticated attack that actually stands a chance of working won't be detected by these simple mechanisms.

      Hopefully, your firewall will detect the real threats using more sophisticated methods. If I were you I wouldn't count on it catching everything. Those alerts might be giving you a false sense of security. The only thing that alert is satisfying is the author's curiosity. It's not really protecting him.

    7. Re:Simple. by phishybongwaters · · Score: 2

      Turn off the notifications and only check it when you are really really bored. First, this guy is running Sophos for a home network? WTF is the point to that other than tinfoil hat paranoia? Second and most importantly...... If you have something connected to this series of tubes some call the interwebs, you WILL GET SCANNED. That's how this shit works. Now in this case, it appears to be coming from a specific source he's already blocked. And....... then I call bullshit because every ISP puts a "no port scanning" clause into their terms, and if it's not blocked outright, they will knock your modem offline until they have a chat on the phone about all the port scanning you have been doing (speaking from experience here). But, even if this is the 1 ISP that openly allows port scanning and hacking with no repercussions..... It's the alerts that are bothering this guy, and he has 100% control over the alerts.

    8. Re:Simple. by budgenator · · Score: 2

      He should scan them back, then forward his unused ports to a tarpit.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    9. Re:Simple. by buchner.johannes · · Score: 2

      Port scans are not attacks though, they are a survey tool to get information about the device.
      It is a bit strange that the scans are persistent -- what can repeated port scans tell you?

      Anyways, another option is to set up a honeypot, expose some ports and see what the source does.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    10. Re:Simple. by u-235-sentinel · · Score: 4, Interesting

      upstream providers don't care, they will just forward your email to their abuse contact and call it a day, if they do anything at all.

      That is fine. By forwarding, they will have proven they received the message, AND the network in question will be more apt to respond in many cases.

      At a later stage of the game, when you get your lawyers involved, their upstream providers will likely respond; for example, it's not worth their while to fight a lawsuit you can file against the upstream provider about their customer's activities.

      Years ago I took a new position at a company when I received a phone call from an ISP stating that my servers were port scanning someone who complained. They were going to turn off our network access. Surprised, I looked into it. I discovered they were right. Someone had allowed malware to get installed on several of our systems. After some cleanup work we were good but it left an impression on me. Besides asking a new employer more in-depth questions about their security (or lack of it), that ISPs would be a good place to file a complaint when you are port scanned over and over again.

      Might be time to contact THEIR ISP and yours. Ask them to block or disconnect them. If anything, once THEY get a phone call about the complaint, it will wake them up a bit :D

      --
      Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
    11. Re:Simple. by LifesABeach · · Score: 2

      A possible movie and game idea, "After being ignored by the folks who think it's your problem, deal with it. Introduce them to port scanning with an AR15." Move over cat videos on YouTube.

    12. Re: Simple. by shitzu · · Score: 2

      Then stop plugging some sophos bullshit here and install something free and open that lets you block things. For example pfsense or m0n0wall. I am sure there are others, but these are the ones that I use.

      If you have a decent firewall you don't actually care about portscans. You have a couple of ports open and you need to make sure that services running on these are safe. Alerting you with portscans will not improve your security one bit. The only useful thing you could do is automatically drop packets after n different port accesses in a given time - but alerts? Why bother?

      If in real life someone touches your door handle, are you gonna sue? If he tries to pick or break the lock, sure. But a port scan is the equivalent of rattling your door handle.
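The two mechanisms discussed in this sub-thread (drop traffic from an already-blocked range before any detection runs, and treat a source that touches more than n distinct ports within a time window as a scanner) as an added example; this is not code from the thread, from Sophos UTM or from pfSense. The log lines and the field layout `epoch_seconds src_ip dst_port` are constructed for the example, not the UTM's log format.

```python
"""Port-scan threshold detector with a pre-filter for already-blocked ranges.

Added example, not code from the Slashdot thread, Sophos UTM or pfSense. It
models two points made above: traffic from a subnet you have already blocked
is discarded before any detection logic sees it (so it can never raise an
alert), and a source that touches more than N distinct destination ports
within a time window is treated as a scanner. The log lines are constructed
for this example; the layout "epoch_seconds src_ip dst_port" is an assumption.
"""
from collections import defaultdict, deque
import ipaddress

# Constructed sample of inbound connection attempts, one per line, in time
# order per source. 203.0.113.7 sweeps 12 ports, 198.51.100.9 sweeps 6,
# 192.0.2.33 is slow background noise, 192.0.2.44 sweeps 4 then 4 more much later.
SAMPLE_LOG = """\
1419900000 203.0.113.7 21
1419900001 203.0.113.7 22
1419900002 203.0.113.7 23
1419900003 203.0.113.7 25
1419900004 203.0.113.7 80
1419900005 203.0.113.7 110
1419900006 203.0.113.7 135
1419900007 203.0.113.7 139
1419900008 203.0.113.7 443
1419900009 203.0.113.7 445
1419900010 203.0.113.7 3389
1419900011 203.0.113.7 8080
1419900020 198.51.100.9 22
1419900021 198.51.100.9 23
1419900022 198.51.100.9 80
1419900023 198.51.100.9 443
1419900024 198.51.100.9 8080
1419900025 198.51.100.9 3389
1419900030 192.0.2.33 80
1419900130 192.0.2.33 443
1419900230 192.0.2.33 22
1419900040 192.0.2.44 22
1419900041 192.0.2.44 80
1419900042 192.0.2.44 443
1419900043 192.0.2.44 8080
1419900140 192.0.2.44 25
1419900141 192.0.2.44 110
1419900142 192.0.2.44 143
1419900143 192.0.2.44 993
"""


def parse_line(line):
    ts, src, port = line.split()
    return int(ts), ipaddress.ip_address(src), int(port)


class ScanDetector:
    def __init__(self, blocked_ranges, max_ports=5, window=60):
        self.blocked = [ipaddress.ip_network(r) for r in blocked_ranges]
        self.max_ports = max_ports        # distinct ports tolerated per window
        self.window = window              # seconds
        self.recent = defaultdict(deque)  # src -> (ts, port) events in window
        self.flagged = set()
        self.prefiltered = 0              # events discarded before detection

    def is_blocked(self, src):
        return any(src in net for net in self.blocked)

    def observe(self, ts, src, port):
        """Feed one event; return True the moment src crosses the threshold."""
        # Pre-filter: a blocked source is dropped and never counted. This is
        # the ordering the thread says the UTM gets backwards.
        if self.is_blocked(src):
            self.prefiltered += 1
            return False
        q = self.recent[src]
        q.append((ts, port))
        # Expire events older than the window (events arrive in time order).
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > self.max_ports and src not in self.flagged:
            self.flagged.add(src)
            return True
        return False


def run(log_text, blocked_ranges, max_ports=5, window=60):
    """Replay a log; report which sources were flagged and how many events
    the pre-filter discarded without ever reaching the detector."""
    det = ScanDetector(blocked_ranges, max_ports, window)
    for line in log_text.splitlines():
        if line.strip():
            det.observe(*parse_line(line))
    return {"flagged": sorted(str(s) for s in det.flagged),
            "prefiltered": det.prefiltered}


if __name__ == "__main__":
    print(run(SAMPLE_LOG, ["203.0.113.0/24"]))   # blocked range never alerts
    print(run(SAMPLE_LOG, []))                    # no pre-filter: both sweeps flagged
```

With the blocked range in place, the twelve-port sweep from 203.0.113.7 is counted as pre-filtered and raises nothing, while 198.51.100.9 is still flagged on its sixth distinct port; the slow source and the source whose first sweep has aged out of the window are left alone.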

    13. Re:Simple. by TWX · · Score: 2

      Heh. Sounds like it's time to dig out the old Centris 660AV and mkLinux, statically compile everything, include no libraries, and redirect all unsolicited traffic to it.

      --
      Do not look into laser with remaining eye.
    14. Re:Simple. by Coren22 · · Score: 2

      Sprint will contact their business customers about things like this. They threatened to disconnect a T3 on a company I worked at because of a malware infection that was doing just this. When Sprint is willing to let go of $4500/mo worth of revenue over this, most ISPs should be willing to look into it. The apathy is what allows this behavior.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    15. Re:Simple. by KGIII · · Score: 2

      ^ ^ ^ Along with my prior post, that's an effective solution in my personal experience. I cannot, of course, give anything other than an anecdote. Go upstream on their end and the problem gets resolved - in my experience. It may be unintentional, it may not be. Either way, it's possible to dig and find out who the bandwidth provider is (it's not always the name on the company, in our case it was not) and work your way up from there.

      Have some documentation ready though, probably, they can see it or view their own logs. Work your way up the stream until you find out who it is. It was a regional ISP that was actually reselling bandwidth from someone else in the case mentioned above. Some work revealed who to contact, contact was made, and the problem was resolved.

      --
      "So long and thanks for all the fish."
  2. The first time didn't help. by Z00L00K · · Score: 4, Insightful

    So this time report it to appropriate authorities and if they don't take your case make a public letter into their local newspaper asking them what they are up to.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:The first time didn't help. by freeze128 · · Score: 4, Funny

      ...and then, post it to 4chan.

    2. Re:The first time didn't help. by mysidia · · Score: 5, Insightful

      So this time report it to appropriate authorities and if they don't take your case

      OR push the block on the IP range into the Firewall's routing table as a route to Null0, or to an access-list on the Firewall's upstream router

      Most providers summarily shove complaints about portscans and firewall alerts into the trash bin. The OP needs something material to base a legitimate abuse complaint on, such as logs showing an actual SSH brute force access attempt, that demonstrates the activity is a malicious attempted intrusion and not merely some reconnaissance effort, possible false alarm, or "background noise" such as W32/Blaster traffic from some host still running infected XP.

      The authorities DON'T CARE about portscans either, unless the OP has something much more material to investigate, or can prove a crime was committed with serious damage, they generally will not get involved... It doesn't hurt to report it to the civil authorities, but it's not going to do anything to alleviate OP's situation, either, which is an "overly chatty" firewall device.

      The real issue there is the Firewall and the lack of options to suppress spurious alerts, that should get taken up with the firewall vendor as a software issue.

    3. Re:The first time didn't help. by Pharmboy · · Score: 2

      Expect the CEO to send it to IT because he doesn't understand it, and for it to simply disappear. CEOs are about making money, they don't like being the complaint dept. unless it is a complaint from a huge customer that is threatening to not give them money. They don't make the big bucks because they can deal with port scans.

      --
      Tequila: It's not just for breakfast anymore!
  3. Chances are... by EzInKy · · Score: 2

    ...those banging at your doors don't give a damn about laws. You could deny ALL from the attackers address range, but best bet is just shut down the targeted ports.

    --
    Time is what keeps everything from happening all at once.
    1. Re:Chances are... by Z00L00K · · Score: 4, Informative

      One solution to such actions is, instead of blocking, to send them to a tar-pit server. That may look like a valid server, but with very slow responses.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
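A small application-level tarpit of the kind described in this reply (and in the "forward his unused ports to a tarpit" suggestion above), as an added example; it is not code from the thread or from any tarpit product. It accepts every connection on a port you do not otherwise serve and trickles out harmless filler lines, one per `delay` seconds, never a real service banner, so an automated client that waits for a banner stays tied up. The loopback host, ephemeral port and filler vocabulary are constructed for the example.

```python
"""Minimal TCP tarpit: accept, then send filler very slowly, forever.

Added example, not code from the Slashdot thread or any named product. The
filler lines deliberately never start with a protocol version string such as
"SSH-", so a client that is waiting for one keeps waiting. Host, port and the
filler words are constructed for this example.
"""
import asyncio
import random
import time

FILLER_WORDS = ["please", "hold", "the", "line", "your", "call", "is", "valued"]


def filler_line(rng):
    """Three random filler words, CRLF-terminated; never a protocol banner."""
    return " ".join(rng.choice(FILLER_WORDS) for _ in range(3)) + "\r\n"


async def tarpit_session(reader, writer, delay, max_lines=None):
    """Serve one client: sleep, send a filler line, repeat.
    max_lines=None means 'until the client gives up'."""
    rng = random.Random()
    sent = 0
    try:
        while max_lines is None or sent < max_lines:
            await asyncio.sleep(delay)
            writer.write(filler_line(rng).encode())
            await writer.drain()       # raises once the peer has gone away
            sent += 1
    except ConnectionError:
        pass
    finally:
        writer.close()
    return sent


async def start_tarpit(host, port, delay, max_lines=None):
    async def handler(reader, writer):
        await tarpit_session(reader, writer, delay, max_lines)
    return await asyncio.start_server(handler, host, port)


async def probe(delay, lines_to_read):
    """Start a tarpit on an ephemeral loopback port, connect to it the way a
    scanner would, read a few lines and measure how long that took."""
    server = await start_tarpit("127.0.0.1", 0, delay, max_lines=lines_to_read)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    t0 = time.monotonic()
    lines = []
    for _ in range(lines_to_read):
        lines.append((await reader.readline()).decode().rstrip())
    elapsed = time.monotonic() - t0
    writer.close()
    await writer.wait_closed()
    server.close()
    await server.wait_closed()
    return lines, elapsed


def run_probe(delay=0.05, lines_to_read=3):
    """Synchronous wrapper so the demo (and a test) can call it directly."""
    return asyncio.run(probe(delay, lines_to_read))


if __name__ == "__main__":
    lines, elapsed = run_probe(delay=1.0)
    print(f"read {len(lines)} lines in {elapsed:.1f}s:", lines)
```

In real use `start_tarpit` would listen on the WAN side with `max_lines=None` and a delay of several seconds; the probe helper exists only to show, on loopback, that a client reading three lines is held for at least three delays and never sees anything that looks like a service banner.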
  4. So name them already by ArchieBunker · · Score: 4, Interesting

    Let's hear who it is.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:So name them already by s_p_oneil · · Score: 2

      I see your side, but I see the other as well. Since he reported it to the company once and the company "fixed it" temporarily, it doesn't sound like a false positive. If he posts the company's web site on Slashdot and that company's web site happens to get slashdotted (especially if they have a forum or mailbox where visitors can post complaints/issues), it might wake them up to the fact that someone in their IT/dev department is doing something they really should not be (whether it was ordered by the company's leaders or not).

  5. Not a surprise by surfdaddy · · Score: 2

    If you listen to the Security Now podcast, this sort of thing is all over the internet. It's a nasty place out there and actors from anywhere and everywhere are always checking addresses for vulnerabilities, etc. I suspect we all get that sort of thing.

    Unless it is DDOS'ing you, why is it an issue?

    1. Re:Not a surprise by wierd_w · · Score: 5, Interesting

      Indeed, I routinely get portscans en masse from china.

      Sometimes 5x a day or more. Really aggressive scans that last for hours.

      Not a lot you can do about it. Scanning for open ports is a legitimate activity on networks you own, so naturally, a big internetwork like the internet is going to be drowning in automated portscans, and automated blocking of them would break many legitimate services, if they make too many queries too quickly. (say for instance, metacrawlers and pals.)

      Just accept that the internet is not a cozy nice place. Bad things lie in wait for the unwary. Use modern protection, and be sensible in how you use it.

      really, that's all you can do unless you have actual DDoS style attacks leveled at you. THEN you call the feds.

    2. Re:Not a surprise by BenFranske · · Score: 4, Insightful

      This. There was a time that ISPs and people on the Internet cared about port scans, that time is long gone (by at least 15 years). If you have a public IP you should assume it's being scanned all the time. Once you assume that these types of alerts have little additional meaning. If it really bothers you then you should implement some kind of pre-filter to block the IP range. I understand that your particular device doesn't allow that so put another router with proper access control list support in front of it if it bothers you so much. TLDR, unless you live in the past it's time to get over port scanning.

    3. Re:Not a surprise by Comen · · Score: 2

      Exactly, welcome to the World Wide Web people!
      10-15 years ago when every company was getting their first firewall, I used to manage hundreds of firewalls for many companies. The first thing that people would do is call me to complain about the firewall logs showing all the port scans (mostly from Asia). This stuff goes on all the time, nothing you can really do about it; block one subnet, they will use another. Unless you are getting DDOSed then you are fine. A good firewall will not send back a reject, but instead drop the packet so they cannot detect you are there at all.

  6. Turn it off by Xenna · · Score: 5, Insightful

    Problem with these commercial products is that they want to prove their usefulness by regularly raising alarms. And, they miss essential features like IP based whitelisting. Portscans and probes are too standard to be bothered about, just block and forget.

    Use a decent open source product like pfsense instead. I've had an appliance with pfsense for years and I forget it's even there.

    https://www.applianceshop.eu/s...

    (no commercial interest, just a satisfied customer)

    1. Re:Turn it off by Xenna · · Score: 2

      Share the wealth, that's my motto ;-)

      Anyway, Lim asked me to say he prefers the Sophos stuff. He's also really fond of the McAfee stuff!

    2. Re:Turn it off by Voyager529 · · Score: 4, Informative

      UTM 9 IS open source except for the GUI, and FAR better with FAR more features than pfsense.
      Not even close to being in the same league.
      (no commercial interest, just a satisfied UTM 9 user (not customer))

      Amusingly, I dealt with this very scenario just this week, except in reverse.

      I installed the Sophos UTM on a Vista-vintage Optiplex. It was fine and responsive, and yes, the UI was beautiful, with lots of enterprise-grade features. The problem I had was that Sophos seemed to have a default 'deny any any' sort of rule in place that allowed HTTP, DNS, and...basically nothing else. I couldn't RDP out via nonstandard ports, I couldn't access IMAP mail, I couldn't get new Usenet articles in Agent, and that damn 'yellow triangle of limited connectivity' was proudly shown on all the Windows boxen on my LAN. I spent about two hours trying to get it to let SOMETHING through, Googled around, and...apparently there's some sort of voodoo that everyone else 'just knows' to make Sophos be a bit less strict, but for me it was like debating with the great-grandson of HAL9000: "Open the port 3389 doors, HAL." "I'm sorry Joey, I can't do that." Between that and the fact that Sophos went to the Sonicwall school of port forwarding hell, I installed pfSense.

      pfSense allows traffic to flow the way one would expect a router to work; all the things that didn't work in Sophos worked just fine on pfSense. Port forwards can be as simple as a Linksys router (source port, destination port, IP address), or as complex as a Sonicwall. Its UI isn't nearly as pretty, but it's highly functional. The transparent proxy helps speed up HTTP traffic, which is helpful as I'm stuck with 2mbit/768k DSL for the immediate term.

      I'm sure this is all a PEBKAC situation, and I do understand that Sophos's "assume the worst" stance has its place, but especially for being labeled for home users, I would have at least expected some sort of option in the initial config wizard to have the option between 'paranoid mode' and 'actual router' mode.

  7. Port Scans are normal, stop whining! by marco.tedaldi · · Score: 4, Informative

    Disable the Port-Scanning warning. It is useless! It only drowns really important stuff! Port-Scanning is not an attack. Nothing breaks because of a harmless port scan and an alert does not provide you with ANY useful information. So get rid of this useless piece of software.

    Your ISP is doing nothing and rightly so. It would only suck up resources that can be used elsewhere where they make a real difference!
    Fighting port scans is like trying to fight people looking out of the car windows! Get over it, ignore it, it's completely normal!

    And don't suck up other peoples resources by whinging about it!

  8. Just set up a honeypot by Z80a · · Score: 4, Interesting

    And see what they do with it.

    1. Re:Just set up a honeypot by MrKaos · · Score: 3, Informative

      And see what they do with it.

      Exactly. If someone has screwed up then nothing will happen. If someone uses it, that's different and then you also have your misuse case as the basis for legal action if required (make sure to have misuse messages and warnings in place). Not that you want to take legal action, it's just being in the position to take that action if you can or need to.

      --
      My ism, it's full of beliefs.
  9. I wouldn't worry about it by rcase5 · · Score: 2

    Honestly, I wouldn't worry about it. If your firewall is halfway decent (and it sounds like it is), you shouldn't have anything to worry about as far as the security of your network. Unless, of course, you do something really dumb like open a port you shouldn't and have it refer to a port on a machine on your net (I'm presuming you're using NAT).

    Also, since it's highly likely your network link is DHCP, your IP address might change periodically when your router goes to renew the DHCP lease. If your IP address hasn't changed in a while, you might try shutting your router down for a while (like an hour), turn it back on and see if it gives you a new IP address. That might stop them from scanning your network (unless they're going after an entire range of IP addresses on the RoadRunner network).

    I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action.

    They're too busy enforcing their own arbitrary network rules on their subscribers to worry about things like port scanners coming into their network. Also, it's RoadRunner (Time Warner Cable if I'm not mistaken), and they have among the worst customer service anyway. Unless the attack is coming from someone else on RoadRunner, you're wasting your time reporting the incident to them. Besides, there's really not much they can do anyway if the attack is coming from outside their network. That's why everyone is supposed to have their own firewall. ;-)

  10. Get a switch that can block before your device? by Wrexs0ul · · Score: 3

    Something with a nice-sized ruleset that works on ASICs and you're done. Most companies sell them, and if you're just selectively passing traffic by IP range (or in fancier devices by port) why not offload the hard rules before wasting cycles on traffic you just want to drop? Or just another software device if you're not wanting to buy hardware.

    We do this for selective parts of the network where dropping attackers on one machine keeps them from running through an entire block of IPs. A lot of it's even scripted: more than 3 IPs getting brute forced? That's a 24 hour ban and email to the associated ARIN/APNIC/RIPE contact. Granted APNIC/RIPE tends to stay on that list a lot longer than 24 hours...

    --
    --- Need web hosting?
  11. Easy solution by Rumagent · · Score: 2

    Forget it and find a real problem to worry about.

  12. Your problem is UTM; but if you really care... by tlambert · · Score: 2, Insightful

    Your problem is UTM; but if you really care... pay Amazon a couple hundred $, spin up 100,000 instances for a really short time, and push them a couple of million dollars into bandwidth debt, and they won't bother you again.

    Alternately, buy something other than UTM, which filters before the alerts, instead of after.

  13. Re:No NAT??? by Bert64 · · Score: 4, Interesting

    I have many boxes directly on the internet, NAT would only add an extra layer of headaches... I only open the services I actually want to offer, so if I used port forwarding I would have exactly the same services listening but with added overhead.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  14. Civil tort of harassment by paj1234 · · Score: 2

    You have the name of the chief executive? Write to him on paper with a stamp and tell him that his company is causing yours a nuisance. Say that under the provisions of statute X (whatever that may be in your country) you are entitled to claim compensation under the civil tort of harassment, or equivalent in your country. Enclose a copy of the relevant page of the legislation. There's sure to be plenty of legislation to choose from, take your pick. Enclose some printouts of the firewall warning messages.

    That CEO will have to cancel his game of golf. He will be furious about that. He doesn't want to think about tiresome technology matters. He wants to think about golf. Above all, he must avoid the electric fence and not have any silly legal troubles. He will bang some heads together and the port scans will stop.

    Someone asked me about receiving automated renewal reminders by email for an antivirus program he had ordered in error and then cancelled. He had asked not to receive such reminders anymore but they kept coming. The above steps worked for me.

  15. Put a filter box in front of full firewall by Morgaine · · Score: 5, Interesting

    The submitter has two problems, the first is an external site persistently doing something that he doesn't want, and the second is his firewall appliance that isn't doing what he wants.

    The first problem is not fixable. Even if you could make them go away, tomorrow someone else will take their place. Do you really want to spend your time in courtrooms and writing letters? In any case, port scanning is not actual service abuse nor hacking but merely service discovery and it's working as intended, so you'll have a hard time convincing anyone that you are suffering actual harm. It's just an annoyance.

    In contrast, your second problem *IS* fixable by you, at very little cost. Just put a low-end packet filter in front of your existing firewall, doing nothing but passively blocking all packets from the offending source. It should have no open ports of its own and should run nothing other than the firewall management software, something like pfsense or iptables. Any old PC hardware running off a thumb drive will suffice, or a new ARM board for lowest power consumption, or a repurposed router from eBay for lowest cost.

    Fix problems that you can solve. The others are not worth your time fretting about.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
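One way to prepare the block list for the low-end packet filter described in this post, as an added example that is not code from the thread, pfSense or Sophos. It takes the offending ranges (as you would read them off WHOIS), validates and merges them, refuses any range that would also cut off an address the home network must keep reaching (the WAN gateway, the resolvers), and emits the nftables commands a Linux box acting as the in-front filter would run. The ranges, gateway and resolver addresses, and the table and set names are constructed for the example.

```python
"""Build and sanity-check the drop list for a packet filter placed in front of
the alerting firewall.

Added example, not code from the Slashdot thread, pfSense or Sophos. The
offending ranges, the must-reach addresses, and the nft table/set names are
constructed for this example. The nft command syntax is standard nftables.
"""
import ipaddress

# Constructed: ranges reported by the firewall (some overlap, one has host
# bits set), and addresses this network must never be cut off from.
OFFENDERS = ["203.0.113.0/25", "203.0.113.128/25", "203.0.113.7/24",
             "198.51.100.64/26"]
MUST_REACH = ["198.51.100.1", "192.0.2.53"]   # WAN gateway, DNS resolver


class LockoutError(ValueError):
    """A block range would also drop traffic we depend on."""


def build_blocklist(offenders, must_reach, widest_prefix=8):
    """Return merged IPv4 networks to drop, or raise if the list is unsafe."""
    nets = []
    for text in offenders:
        net = ipaddress.ip_network(text, strict=False)   # tolerate host bits set
        if net.version != 4:
            raise ValueError(f"{net}: this example only handles IPv4")
        if net.prefixlen < widest_prefix:
            raise ValueError(f"{net}: wider than /{widest_prefix}, refusing")
        nets.append(net)
    # Merge overlapping and adjacent ranges so the set stays small.
    merged = list(ipaddress.collapse_addresses(nets))
    # Refuse to lock ourselves out: no merged range may contain a must-reach host.
    for text in must_reach:
        addr = ipaddress.ip_address(text)
        for net in merged:
            if addr in net:
                raise LockoutError(f"{net} would also drop {addr}")
    return merged


def would_lock_out(offenders, must_reach):
    """True if build_blocklist would refuse this list for lock-out reasons."""
    try:
        build_blocklist(offenders, must_reach)
    except LockoutError:
        return True
    return False


def nft_commands(merged, table="inet prefilter", set_name="scanners"):
    """nft commands that drop forwarded traffic from the merged ranges."""
    elems = ", ".join(str(n) for n in merged)
    return [
        f"nft add table {table}",
        f"nft add chain {table} forward "
        "'{ type filter hook forward priority 0; policy accept; }'",
        f"nft add set {table} {set_name} '{{ type ipv4_addr; flags interval; }}'",
        f"nft add element {table} {set_name} '{{ {elems} }}'",
        f"nft insert rule {table} forward ip saddr @{set_name} counter drop",
    ]


if __name__ == "__main__":
    for cmd in nft_commands(build_blocklist(OFFENDERS, MUST_REACH)):
        print(cmd)
```

The four constructed ranges merge down to two set elements; the `counter` on the drop rule lets you confirm with `nft list ruleset` that the scanner traffic is being eaten by the front box rather than reaching the UTM. The lock-out check is the one most worth keeping: a WHOIS range copied carelessly can easily include your own ISP's gateway.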
  16. Background noise by Bert64 · · Score: 4, Informative

    The internet is full of background noise, not a lot you can do about it.
    Chances are this isn't even a portscan at all, because what would be the point of scanning the same thing repeatedly? Chances are they've configured the target IP wrong, or the IP you now have used to be used by someone else etc.

    Having a router constantly notifying you about internet background noise is pointless and will only waste your time.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  17. Fixable with simple PF rules by badger.foo · · Score: 2

    To me this sounds like the main problem is the "security" device that's generating a lot of noise.

    My solution would be to put something (very low power gear will do) running a recent OpenBSD and a PF ruleset with overflow rules modeled on the ones outlined here in front of that whiny device. The ruleset would need to be modified to fit the observed traffic, of course. Then anyone who fits the profile of unwanted traffic simply auto-LART themselves into the table of blocked addresses.

    With a properly placed adaptive firewall like that, the noisemaker would likely not see enough of the traffic to trigger any of the useless warnings.

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/
  18. Sigh by ledow · · Score: 2

    Ignore.
    Filter the alert emails from that ISP if necessary.
    Get on with life.
    (P.S. Just double-check you put it on the block list).

    Run any internet server in any datacenter in the world and you get this times a thousand. You can't trace them all. Hell, you can't even spend the time to trace all those spam email attempts you would get either.

    What, precisely, do you think is being done to your connection that's worth the time and effort to even follow-up on it? A few packets hitting a firewall that is set to block and deny them any further access anyway?

    Get a life, honestly. And turn off alert emails for port-scans. Turn on proper IDS/IPS, but turn off that particular alert because - well - it happens all the time anyway and it isn't going to stop just because you stop one IP range.

    Spend the time you save on double-checking that people can't get into even the open services that you do offer to the net (SMTP, NTP, etc. if relevant). Whether you respond open or closed, or whether the firewall rejects or allows, the request still means that the packet was sent, received, acted on, and replied to (or not, as the case may be). And in terms of your overall connection it's going to be like 0.001% of your traffic, if that.

    Then go and work in any static-IP, Internet-facing network department that runs in-house services like webservers, VPN, email, etc. And notice that they just wouldn't care and don't have the time to do anything about such trivial shite.

    1. Re:Sigh by ageoffri · · Score: 2

      This is the only answer that needs to be posted. At my previous job, someone put a bug into the CIO's ear which got filtered down to my Director and I had to pull a report on all port scans for a year. Good news with Dell SecureWorks is that generating the report was easy. Bad thing that I knew from the get-go was the sheer numbers would amaze people who don't deal with this every day. I don't recall the numbers since it has been almost two years, but the smallest number to break down was something like 10-15 port scans per second between all the ingress points for a medium sized company. We didn't even normally bother reporting on it because it is useless. The brute force port scans aren't what worries me, it is the sophisticated attackers willing to spend months doing slow probes of the network.

      --
      -- Slashdot, making the Left look conservative since 1997.
  19. A Honeypot? by MagickalMyst · · Score: 4, Informative

    If they are scanning for ports then give them something to play with. :)

    Setup a honeypot and gather intelligence about them. Find out who they are, where they are, and if possible, a motive as to why they are specifically targeting you.

    Once you have that information you can act accordingly - contact ISP, law enforcement, etc.

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
  20. Forward it to their fax by XNormal · · Score: 3, Funny

    Don't forward the scan reports to their abuse address. Spend a couple of cents to forward it through a mail-to-fax gateway to their fax number.

    I think it will stop much sooner this way.

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  21. use their IP's by visionsofmcskill · · Score: 2

    While other commenters have mentioned your alerting system should be disabled as it's essentially worthless, there's a pretty simple fix if the IPs are known. Add their public IPs to your router as additional WANs or secondary IPs. Their traffic should now become unroutable and dropped before the appliance even tries to examine them. Or you could add a managed switch in front of your WAN which drops/blocks traffic from those IPs.

    Problem with doing these sorts of things is that over time your systems become a confusing mess of strange kludges and workarounds. Port scans really are super normal, and the true issue is your appliance not behaving as you'd desire.

    --
    --Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isn't that how RAID works?
  22. Late to the party, but... by Jethro · · Score: 2

    Set up a honeypot. Put a machine inside your network, and open some of the ports they're scanning on it. See what they're trying to do.

    As a bonus, /if/ they do anything, they have now actually broken the law and you can get law enforcement to actually do something.

    --
    In the land of the blind, the one-eyed man is kinky.
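    Both the honeypot suggestions above (MagickalMyst's and Jethro's) come down to the same thing: listen on ports the scanner is probing and record what arrives. This is an added Python example, not code from either commenter: a small listener that binds the requested ports on loopback (port 0 lets the OS choose a free one), answers with a constructed banner, stores the peer address, the port touched and the first bytes received, and never interprets or executes anything the peer sends. `probe()` is a constructed stand-in for the scanner so the whole thing can be exercised offline; `demo()` wires the two together and returns the evidence that would go into an abuse report.

```python
import socket
import threading
import time

BANNER = b"220 honeypot ready\r\n"   # constructed banner, not a real service's


class Honeypot:
    """Record connection attempts: peer, local port, first bytes sent.
    Added example; nothing received from the peer is ever interpreted."""

    def __init__(self, ports, host="127.0.0.1", read_timeout=1.0):
        self.records = []          # (timestamp, peer_ip, local_port, first_bytes)
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._threads = []
        self._read_timeout = read_timeout
        self.listeners = []
        for port in ports:         # port 0 lets the OS pick a free port
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))
            s.listen(16)
            s.settimeout(0.2)      # lets the accept() loop notice stop()
            self.listeners.append(s)
        self.ports = [s.getsockname()[1] for s in self.listeners]

    def start(self):
        for s in self.listeners:
            t = threading.Thread(target=self._serve, args=(s,), daemon=True)
            t.start()
            self._threads.append(t)

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        for s in self.listeners:
            s.close()

    def _serve(self, listener):
        local_port = listener.getsockname()[1]
        while not self._stop.is_set():
            try:
                conn, (peer_ip, _) = listener.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(self._read_timeout)
                try:
                    conn.sendall(BANNER)
                    first = conn.recv(256)   # first bytes only, stored as evidence
                except OSError:
                    first = b""
            with self._lock:
                self.records.append((time.time(), peer_ip, local_port, first))

    def wait_for(self, n, timeout=5.0):
        """Block until at least n records exist (or timeout); return success."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.records) >= n:
                    return True
            time.sleep(0.05)
        return False

    def summary(self):
        """Per-peer connection count and the set of ports touched."""
        out = {}
        with self._lock:
            for _, peer, port, _ in self.records:
                entry = out.setdefault(peer, {"connections": 0, "ports": set()})
                entry["connections"] += 1
                entry["ports"].add(port)
        return out


def probe(host, port, payload=b"HELO scanner\r\n"):
    """Constructed client standing in for the scanner: read banner, send a line."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = c.recv(64)
        c.sendall(payload)
    return banner


def demo():
    """Run two listeners on free loopback ports, probe both, return the evidence."""
    hp = Honeypot([0, 0])
    hp.start()
    banners = [probe("127.0.0.1", p) for p in hp.ports]
    hp.wait_for(len(hp.ports))
    hp.stop()
    return hp.ports, banners, hp.summary(), hp.records
```

    The records are timestamped and per-peer, which is what an ISP abuse desk or law enforcement can actually use; a honeypot that does more than listen and log (one that runs what it receives) turns the evidence-gathering exercise into a liability, so this one deliberately stops at the first 256 bytes.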
  23. Re:No NAT??? by TWX · · Score: 3, Informative

    Seriously? People still assign public IPs directly to PCs? Get a router. Use NAT. These "Port Scans" (which may well not be port scans at all) shouldn't be making it anywhere near a PC in the first place.

    Port Address Translation breaks the end-to-end model of TCP/IP. IPv6 is designed to remove the need for NAT entirely. The network admin is supposed to actually know how to build a proper firewalling router to keep other networks out or to limit what resources they can reach.

    Good firewalls deny incoming connections by default, and only allow them when they're solicited by a machine on the local side, and even then, only when the return traffic from the untrusted network conforms to expectations based on the trusted machine's initial outgoing request. This can get a little trickier with protocols that use more than one port or semirandomly choose ports from a range, but it seems to work pretty well even with public IPs on devices.

    --
    Do not look into laser with remaining eye.
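    The default-deny, solicited-only policy TWX describes, as an added Python example (constructed for this thread, not any firewall product's code): a tiny stateful filter that creates state only for requests leaving the trusted side, lets an inbound packet through only when it matches the reverse of that state, and for TCP additionally insists that the first reply to a SYN be a SYN-ACK. The addresses and the packet trace are constructed; the two scanner packets in it (a SYN and a bare ACK to port 22, with no state behind them) show what a port scan looks like from the filter's point of view, which is why public IPs on the hosts behind such a filter are not by themselves a problem. The multi-port protocols the comment mentions are not handled here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK


class StatefulFilter:
    """Default-deny filter: inbound packets pass only if they answer an
    outbound request from the trusted side and look like the expected reply.
    Added example; constructed, not any firewall's actual code."""

    def __init__(self, trusted_net):
        self.trusted = ipaddress.ip_network(trusted_net)
        self.states = {}        # (proto, in_ip, in_port, out_ip, out_port) -> state
        self.unsolicited = []   # inbound packets with no matching state

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.trusted

    def filter(self, pkt):
        outbound = self._inside(pkt.src) and not self._inside(pkt.dst)
        inbound = self._inside(pkt.dst) and not self._inside(pkt.src)
        if outbound:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.states:
                return "pass"                        # continuation of a known flow
            if pkt.proto == "udp":
                self.states[key] = "established"     # UDP: one request opens state
                return "pass"
            if pkt.flags == "S":
                self.states[key] = "syn_sent"        # TCP: only a SYN opens state
                return "pass"
            return "drop"                            # stray non-SYN with no state
        if inbound:
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            state = self.states.get(key)
            if state is None:
                self.unsolicited.append(pkt)         # this is what a scan looks like
                return "drop"
            if state == "syn_sent":
                if pkt.flags == "SA":                # the only acceptable first reply
                    self.states[key] = "established"
                    return "pass"
                return "drop"
            return "pass"
        return "drop"                                # not crossing the trust boundary


# Constructed trace: one web session and one DNS lookup from the inside, plus
# a scanner on the outside probing port 22 with a SYN and with a bare ACK.
INSIDE, WEB, DNS, SCANNER = "192.0.2.10", "203.0.113.5", "203.0.113.53", "198.51.100.9"
TRACE = [
    Packet("tcp", INSIDE, 40000, WEB, 443, "S"),       # pass: opens state
    Packet("tcp", WEB, 443, INSIDE, 40000, "SA"),      # pass: expected reply
    Packet("tcp", WEB, 443, INSIDE, 40000, "A"),       # pass: established flow
    Packet("tcp", SCANNER, 55000, INSIDE, 22, "S"),    # drop: unsolicited SYN
    Packet("tcp", SCANNER, 55001, INSIDE, 22, "A"),    # drop: unsolicited ACK
    Packet("udp", INSIDE, 50000, DNS, 53),             # pass: opens UDP state
    Packet("udp", DNS, 53, INSIDE, 50000),             # pass: matching reply
    Packet("udp", DNS, 5353, INSIDE, 50000),           # drop: wrong source port
]


def run(trace, trusted_net="192.0.2.0/24"):
    """Apply the filter to a packet list; return (verdicts, filter)."""
    fw = StatefulFilter(trusted_net)
    return [fw.filter(p) for p in trace], fw


if __name__ == "__main__":
    verdicts, fw = run(TRACE)
    for p, v in zip(TRACE, verdicts):
        print(f"{v:4} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags}")
    print("unsolicited inbound packets:", len(fw.unsolicited))
```

    Note what the filter keys state on: the full five-tuple, so a reply from the right host but the wrong source port (the last UDP packet) is treated exactly like the scanner's packets. The `unsolicited` list is the thing a UTM-style appliance turns into port-scan alerts; the verdict for every one of them is already "drop", which is the point ledow and TWX are both making.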
  24. Easy. Open all of the ports. by sims+2 · · Score: 2

    http://portspoof.org/
    http://www.saltwaterc.eu/ports...

    Now whenever anyone scans you all ports show as open. pretty cool huh?

    Also great if you are trying to find out what ports your isp is blocking.

    --
    Minimum threshold fixed. Thanks!
  25. Re:Simple. Toss Sophos by ahodgson · · Score: 2

    Your ISP sucks. They should be handing out /48s to all business accounts.

  26. Re:Simple. Toss Sophos by ahodgson · · Score: 2

    Also, the great thing about having a /64 on each segment for host addressing is there is no practical way to scan it.