Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner?
jetkins writes: What would you do if your firewall was being persistently targeted by port scans from a specific group of machines from one particular company? I run a Sophos UTM9 software firewall appliance on my home network. It works great, and the free Home Use license provides a bunch of really nice features normally only found on commercial-grade gear. One of those is the ability to detect, block, and report port scans, and under normal circumstances I only get the occasional alert when some script kiddie comes a-knocking at my door.
But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.
I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.
Report it once, to their abuse address. If it continues (it did), block their IP range. Problem solved (unless you have a lot of spare time and really WANT to waste time on this instead of reading a book or playing computer games).
So this time report it to the appropriate authorities, and if they don't take your case, write a public letter to their local newspaper asking them what they are up to.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Let's hear who it is.
Only the State obtains its revenue by coercion. - Murray Rothbard
The problem with these commercial products is that they want to prove their usefulness by regularly raising alarms. And they miss essential features like IP-based whitelisting. Port scans and probes are too standard to be bothered about; just block and forget.
Use a decent open source product like pfsense instead. I've had an appliance with pfsense for years and I forget it's even there.
https://www.applianceshop.eu/s...
(no commercial interest, just a satisfied customer)
Disable the Port-Scanning warning. It is useless! It only drowns really important stuff! Port-Scanning is not an attack. Nothing breaks because of a harmless port scan and an alert does not provide you with ANY useful information. So get rid of this useless piece of software.
Your ISP is doing nothing and rightly so. It would only suck up resources that can be used elsewhere where they make a real difference!
Fighting port scans is like trying to fight people looking out of the car windows! Get over it, ignore it, it's completely normal!
And don't suck up other people's resources by whinging about it!
Indeed, I routinely get port scans en masse from China.
Sometimes 5x a day or more. Really aggressive scans that last for hours.
Not a lot you can do about it. Scanning for open ports is a legitimate activity on networks you own, so naturally a big internetwork like the internet is going to be drowning in automated port scans, and automated blocking of them would break many legitimate services if they make too many queries too quickly (say, for instance, metacrawlers and pals).
Just accept that the internet is not a cozy nice place. Bad things lie in wait for the unwary. Use modern protection, and be sensible in how you use it.
Really, that's all you can do unless you have actual DDoS-style attacks leveled at you. THEN you call the feds.
And see what they do with it.
This. There was a time when ISPs and people on the Internet cared about port scans; that time is long gone (by at least 15 years). If you have a public IP you should assume it's being scanned all the time. Once you assume that, these types of alerts have little additional meaning. If it really bothers you then you should implement some kind of pre-filter to block the IP range. I understand that your particular device doesn't allow that, so put another router with proper access control list support in front of it if it bothers you so much. TL;DR: unless you live in the past, it's time to get over port scanning.
Something with a nice-sized ruleset that works on ASICs and you're done. Most companies sell them, and if you're just selectively passing traffic by IP range (or in fancier devices by port) why not offload the hard rules before wasting cycles on traffic you just want to drop? Or just another software device if you're not wanting to buy hardware.
We do this for selective parts of the network where dropping attackers on one machine keeps them from running through an entire block of IPs. A lot of it's even scripted: more than 3 IPs getting brute-forced? That's a 24-hour ban and an email to the associated ARIN/APNIC/RIPE contact. Granted, APNIC/RIPE tends to stay on that list a lot longer than 24 hours...
--- Need web hosting?
One solution to such actions is, instead of blocking, to send them to a tar-pit server. It may look like a valid server, but with very slow responses.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
I have many boxes directly on the internet; NAT would only add an extra layer of headaches... I only open the services I actually want to offer, so if I used port forwarding I would have exactly the same services listening, but with added overhead.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
The submitter has two problems: the first is an external site persistently doing something that he doesn't want, and the second is his firewall appliance that isn't doing what he wants.
The first problem is not fixable. Even if you could make them go away, tomorrow someone else will take their place. Do you really want to spend your time in courtrooms and writing letters? In any case, port scanning is not actual service abuse nor hacking but merely service discovery and it's working as intended, so you'll have a hard time convincing anyone that you are suffering actual harm. It's just an annoyance.
In contrast, your second problem *IS* fixable by you, at very little cost. Just put a low-end packet filter in front of your existing firewall, doing nothing but passively blocking all packets from the offending source. It should have no open ports of its own and should run nothing other than the firewall management software, something like pfsense or iptables. Any old PC hardware running off a thumb drive will suffice, or a new ARM board for lowest power consumption, or a repurposed router from eBay for lowest cost.
Fix problems that you can solve. The others are not worth your time fretting about.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
The internet is full of background noise, not a lot you can do about it..
Chances are this isn't even a port scan at all, because what would be the point of scanning the same thing repeatedly? Chances are they've configured the target IP wrong, or the IP you now have used to be used by someone else, etc.
Having a router constantly notifying you about internet background noise is pointless and will only waste your time.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
If they are scanning for ports then give them something to play with. :)
Set up a honeypot and gather intelligence about them. Find out who they are, where they are, and if possible, a motive as to why they are specifically targeting you.
Once you have that information you can act accordingly - contact ISP, law enforcement, etc.
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
Don't forward the scan reports to their abuse address. Spend a couple of cents to forward it through a mail-to-fax gateway to their fax number.
I think it will stop much sooner this way.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Seriously? People still assign public IPs directly to PCs? Get a router. Use NAT. These "Port Scans" (which may well not be port scans at all) shouldn't be making it anywhere near a PC in the first place.
Port Address Translation breaks the end-to-end model of TCP/IP. IPv6 is designed to remove the need for NAT entirely. The network admin is supposed to actually know how to build a proper firewalling router to keep other networks out or to limit what resources they can reach.
Good firewalls deny incoming connections by default, and only allow them when they're solicited by a machine on the local side, and even then only when the return traffic from the untrusted network conforms to expectations based on the trusted machine's initial outgoing request. This can get a little trickier with protocols that use more than one port or semi-randomly choose ports from a range, but it seems to work pretty well even with public IPs on devices.
Do not look into laser with remaining eye.
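As an added example, not code from the thread or from any of the posters: an nftables ruleset for the cheap pre-filter box suggested earlier (a Linux machine placed between the ISP and the UTM), which drops the offending range before any attack detection sees it and otherwise behaves as the last comment describes, denying inbound by default and accepting only return traffic for connections started from the inside. The interface names and the 203.0.113.0/24 range are placeholders, since the thread does not give the real values.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumptions: eth0 faces the ISP,
# eth1 faces the UTM, and 203.0.113.0/24 stands in for the scanner's
# range (a documentation prefix; substitute the range from your alerts).

flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define BLOCKED = { 203.0.113.0/24 }

table inet prefilter {
    set blocked_src {
        # Interval set so whole prefixes can be listed; add more as needed.
        type ipv4_addr
        flags interval
        elements = $BLOCKED
    }

    chain input {
        # The pre-filter box itself offers no services: drop everything
        # except loopback and replies to connections it opened.
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Discard the persistent scanner first, before conntrack lookup, so it
        # creates no state entries and never reaches the UTM's alerting.
        iif $WAN ip saddr @blocked_src counter drop
        # Stateful default-deny: only reply traffic to flows started inside.
        ct state established,related accept
        ct state invalid drop
        iif $LAN oif $WAN accept
        # Keep a rate-limited record of what else is still knocking from the
        # WAN, instead of an alert per packet.
        iif $WAN limit rate 5/minute log prefix "prefilter-drop " drop
    }
}
```

Load it with `nft -f` and check hit counts with `nft list set inet prefilter blocked_src` and `nft list chain inet prefilter forward`; the counter on the drop rule shows whether the range is still scanning without any alert being raised downstream.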