Security Incidents mailing list archives

Re: Ok, we've been scanned.. ..now what!


From: Ben Laws <ben () ION AS UTEXAS EDU>
Date: Tue, 8 Aug 2000 12:55:13 -0500

"Steven M. Klass" wrote:
> I also thought about more devious things, like nmaping the
> moron and flooding his available ports..  Fight fire with fire..

Howdy Steven,

Scanning is legal, the flooding action you've suggested here (although
savory :-) is definitely illegal.  Even if the perp scanned you all
weekend, that doesn't violate any laws.  Don't let 'em push you into
committing a DoS yourself.

An nmap strobe may give you some useful information however.  I'm the
curious type..  To protect the innocent be cautious when scanning dialup
IPs.  Could be another user, not the one you're looking for.

You can [try to] file a complaint with the perp's ISP.  It's best to
include pertinent/voluminous log entries and IDS output if you've got
it.  Make sure to include what time zone the logs are in so the ISP can
cross-reference with their records.  If you complain loudly enough, and
long enough, you may be able to get the perp kicked off their ISP.

But that could take a while.  The short term fix as you suggested is to
block the offending IP (or subnet) at the firewall or router.  There are
some problems with this tactic though... if the perp is coming from a
dialup line, their IP can change.  If you have other users coming from
that IP range, they may be affected by your new rules.  If you automate
this, there may be some trusted systems you want to exclude from the
process... otherwise that's an easy DoS, spoofing a scan from a trusted
host with which you need connectivity.

So far I stay away from the automated approach to blocking rude IPs.
Activity in the 'net backwaters is still light enough for me to stay on
top of things.  The way it's going though, it's only a matter of time
before I embrace this type of automation.  Like, maybe, next month :-)

ciao,
Ben Laws
Systems Analyst
Hobby-Eberly Telescope
UT McDonald Observatory
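
The automated-blocking pitfalls raised in the message above (addresses that change, collateral damage to a whole range, and a spoofed scan from a trusted host), sketched as an added example that is not part of the original post. The threshold, expiry, trusted networks and function names are assumptions, and the events are constructed sample data.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed policy values (not from the post): adjust to your site.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.10/32")]
THRESHOLD = 20                   # distinct ports probed before we call it a scan
BLOCK_TTL = timedelta(hours=6)   # blocks expire: dialup addresses get reassigned

def plan_blocks(events, now):
    """events: (utc_time, src_ip, dst_port) tuples parsed from firewall/IDS logs.
    Returns ({ip: block_expiry}, [trusted sources that tripped the threshold])."""
    ports = {}
    for _ts, src, port in events:
        ports.setdefault(src, set()).add(port)
    blocks, needs_review = {}, []
    for src, seen in sorted(ports.items()):
        if len(seen) < THRESHOLD:
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in TRUSTED):
            # Could be a spoofed scan meant to cut us off from this host:
            # never auto-block, hand it to a human instead.
            needs_review.append(src)
            continue
        blocks[src] = now + BLOCK_TTL   # block the single host, not its subnet
    return blocks, needs_review

def expired(blocks, now):
    """Blocks whose TTL has passed and should be removed from the firewall."""
    return sorted(ip for ip, until in blocks.items() if until <= now)

def sample_events(now):
    """Constructed sample data using documentation address ranges."""
    scan = [(now, "203.0.113.77", p) for p in range(1, 26)]      # 25 ports
    spoofed = [(now, "198.51.100.10", p) for p in range(1, 31)]  # trusted host
    noise = [(now, "203.0.113.5", p) for p in (22, 25, 80)]      # below threshold
    return scan + spoofed + noise

if __name__ == "__main__":
    now = datetime(2000, 8, 8, 17, 55, tzinfo=timezone.utc)
    blocks, review = plan_blocks(sample_events(now), now)
    print("block until:", blocks)
    print("needs review:", review)
```

Timestamps are kept in UTC throughout so the same records can be quoted in an ISP complaint with an unambiguous time zone.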

