North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Stopping ip range scans

  • From: Chris Brenton
  • Date: Mon Dec 29 06:34:26 2003

On Mon, 2003-12-29 at 06:47, william@elan.net wrote:
>  Recently (this year...) I've noticed increasing number of ip range scans 
> of various types that envolve one or more ports being probed for our
> entire ip blocks sequentially.

You're lucky. I've been watching this slowly ramp up for the last 10.
;-)

> At first I attributed all this to various 
> windows viruses, but I did some logging with callbacks soon after to 
> origin machine on ports 22 and 25) and substantial number of these scans 
> are coming from unix boxes.

Since no one (to my knowledge) has ever been arrested or sued over a
port scan, there is nothing holding back the script kiddies from doing
them at will. Heck, check the archives here and you will find a number
of posts where various people feel this is legitimate and justifiable
activity. 

>  I'm willing to tolerate some random traffic 
> like dns (although why would anybody send dns requests to ips that never 
> ever had any servers on them?)

Simplicity. Its easier to write a scanner that just hits every and/or
random IPs rather than troll to look for legitimate name servers. That
and the unadvertised ones are more likely to be vulnerable anyway.

>   So I'm wondering what are others doing on this regard? Is there any 
> router configuration or possibly intrusion detection software for linux 
> based firewall that can be used to notice as soon as this random scan 
> starts and block the ip on temporary basis?

Check out Bill Stearns Firebrick project:
http://www.stearns.org/firebricks/

Basically, these are plug-in rule sets for iptables. The three you are
interested in are ban30, checksban and catchmapper. If you want a little
less overhead, you can use catchmapreply. Also, the bogons module might
be interesting for an ISP environment. Note that the plength module
implements some of the fragment size limitations I was querying this
group about a few weeks back. :)

>  Best would be some kind of way 
> to immediatly detect the scan on the router and block it right there...
> Any people or networks tracking this down to perhaps alert each other?

Check:
http://www.dshield.org/

I *think* Johannes has even added the ability to query based on AS.

HTH,
C