Slashdot Mirror
Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner?
jetkins writes: What would you do if your firewall was being persistently targeted by port scans from a specific group of machines from one particular company? I run a Sophos UTM9 software firewall appliance on my home network. Works great, and the free Home Use license provides a bunch of really nice features normally only found on commercial-grade gear. One of those is the ability to detect, block, and report port scans, and under normal circumstances I only get the occasional alert when some script kiddie comes a-knocking at my door.
But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.
I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.
But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP's (RoadRunner's) abuse desk, on the assumption that if they're scanning me then they're probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they're a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.
I've already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn't stop the alerts. And although I *could* disable port scan alerts, it's an all-or-nothing thing and I'm not prepared to turn them off completely. This afternoon I forwarded the twenty-something alerts that I've received so far today, to their abuse@ address with an appeal for a Christmas Miracle, but frankly I'm not holding out much hope that it will have any effect. So, Slashdotters, what should I do if this continues into the new year? Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I'm open to suggestions.
Problem with these commercial products is that they want to prove their usefulness be regularly raising alarms. And, they miss essential features like IP based whitelisting. Portscans and probes are to standard to be bothered about, just block and forget.
Use a decent open source product like pfsense instead. I've had an appliance with pfsense for years and I forget it's even there.
https://www.applianceshop.eu/s...
(no commercial interest, just a satisfied customer)
Indeed, I routinely get portscans en-mass from china.
Sometimes 5x a day or more. Really aggressive scans that last for hours.
Not a lot you can do about it. Scanning for open ports is a legitimate activity on networks you own, so naturally, a big internetwork like the internet is going to be drowning in automated portscans, and automated blocking of them would break many legitimate services, if they make too many queries too quickly. (say for instance, metacrawlers and pals.)
Just accept that the internet is not a cozy nice place. Bad things lie in wait for the unwary. Use modern protection, and be sensible in how you use it.
really, that's all you can do unless you have actual DDoS style attacks leveled at you. THEN you call the feds.
The OP has been more than patient with them.... Assuming they are full TCP connects (non-spoofable); After complaining 3 times about ongoing abuse... I would definitely consider some internet routing table inspection, Identify their upstream providers, and start contacting the upstreams', after continued persistent scans of one IP. Don't stop politely contacting them to ask for help, until you get permanent resolution.
9 times out of 10.... upstream providers will not turn off their customer, probably 10 times out of 10 for simple port scans, which are considered trivial. The industry does NOT consider a simple port scan equivalent to a DoS or hacking attempt, and Most providers will simply disqualify complaints about portscans.
It's partly the OP's folly in having a security device generating excessive noise, especially about blocked IP addresses. I understand the OP may be constrained by product selection; However, Null-routing the offending range SHOULD be an option, and if not..... get a proper packet-filtering firewall to put in front of your UTM, or set an access-list entry on the router in front of it.
However, if contacted, the abusing providers' upstream provider will likely forward the abuse reports to their customer.
After you've done your homework in thoroughly documenting and verifiably reporting, and they have failed to resolve, then a few more iterations, and a seriously-harmed party would be getting their lawyers involved anyways. Probably NOT for a simple portscan however, the offending entities' upstreams might be concerned about it from a risk management perspective and pressure their customer to shape up.
So this time report it to appropriate authorities and if they don't take your case
OR push the block on the IP range into the Firewall's routing table as a route to Null0, or to an access-list on the Firewall's upstream router
Most providers summarily shove complaints about portscans and firewall alerts into the trash bin. The OP needs something material to base a legitimate abuse complaint on, such as logs showing an actual SSH brute force access attempt, that demonstrates the activity is a malicious attempted intrusion and not merely some reconnaissance effort, possible false alarm, or "background noise" such as W32/Blaster traffic from some host still running infected XP.
The authorities DON'T CARE about portscans either, unless the OP has something much more material to investigate, or can prove a crime was committed with serious damage, they generally will not get involved... It doesn't hurt to report it to the civil authorities, but it's not going to do anything to alleviate OP's situation, either, which is an "overly chatty" firewall device.
The real issue there is the Firewall and the lack of options to suppress spurious alerts, that should get taken up with the firewall vendor as a software issue.
The submitter has two problems, the first is an external site persistently doing something that he doesn't want, and the second is his firewall appliance that isn't doing what he wants.
The first problem is not fixable. Even if you could make them go away, tomorrow someone else will take their place. Do you really want to spend your time in courtrooms and writing letters? In any case, port scanning is not actual service abuse nor hacking but merely service discovery and it's working as intended, so you'll have a hard time convincing anyone that you are suffering actual harm. It's just an annoyance.
In contrast, your second problem *IS* fixable by you, at very little cost. Just put a low-end packet filter in front of your existing firewall, doing nothing but passively blocking all packets from the offending source. It should have no open ports of its own and should run nothing other than the firewall management software, something like pfsense or iptables. Any old PC hardware running off a thumb drive will suffice, or a new ARM board for lowest power consumption, or a repurposed router from eBay for lowest cost.
Fix problems that you can solve. The others are not worth your time fretting about.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
If it's a choice between all or nothing, then I'd pick nothing.
Port scan alerts are a bad idea for three reasons.
1. These attacks are very common and excess noise of the alerts may distract you from real threats.
2, Port scans that get caught by these filters are usually benign. NMAP is the first tool that every little kid who thinks they are a hacker plays with before they learn some common sense.
3. Any sophisticated attack that actually stands a chance of working won't be detected by these simple mechanisms.
Hopefully, your firewall will detect the real threats using more sophisticated methods. If I were you I wouldn't count on it catching everything. Those alerts might be giving you a false sense of security. The only thing that alert is satisfying is the author's curiosity. It's not really protecting him.