nanog mailing list archives

Re: Stopping ip range scans


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Mon, 29 Dec 2003 06:24:34 -0500


On Mon, 2003-12-29 at 06:47, william () elan net wrote:
> Recently (this year...) I've noticed an increasing number of ip range scans
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially.

You're lucky. I've been watching this slowly ramp up for the last 10.
;-)

> At first I attributed all this to various
> windows viruses, but I did some logging (with callbacks soon after to the
> origin machine on ports 22 and 25) and a substantial number of these scans
> are coming from unix boxes.

Since no one (to my knowledge) has ever been arrested or sued over a
port scan, there is nothing holding back the script kiddies from doing
them at will. Heck, check the archives here and you will find a number
of posts where various people feel this is legitimate and justifiable
activity. 

> I'm willing to tolerate some random traffic
> like dns (although why would anybody send dns requests to ips that never
> ever had any servers on them?)

Simplicity. It's easier to write a scanner that just hits every IP and/or
random IPs rather than troll to look for legitimate name servers. That
and the unadvertised ones are more likely to be vulnerable anyway.

> So I'm wondering what are others doing in this regard? Is there any
> router configuration or possibly intrusion detection software for a linux
> based firewall that can be used to notice as soon as this random scan
> starts and block the ip on a temporary basis?

Check out Bill Stearns' Firebricks project:
http://www.stearns.org/firebricks/

Basically, these are plug-in rule sets for iptables. The three you are
interested in are ban30, checksban and catchmapper. If you want a little
less overhead, you can use catchmapreply. Also, the bogons module might
be interesting for an ISP environment. Note that the plength module
implements some of the fragment size limitations I was querying this
group about a few weeks back. :)

> Best would be some kind of way
> to immediately detect the scan on the router and block it right there...
> Any people or networks tracking this down to perhaps alert each other?

Check:
http://www.dshield.org/

I *think* Johannes has even added the ability to query based on AS.

HTH,
C
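
[Editor's added example, not part of the original post and not the Firebricks
project's own rules. It shows the kind of "catch and ban" ruleset the
catchmapper/ban30 bricks provide, built on the stock iptables `recent` match:
any new connection to a trap port, or any packet toward an unused part of the
address block, puts the source on a list, and everything from a listed source
is then dropped for a configurable period. The interface name, service ports,
trap ports and the 192.0.2.128/25 "dark" prefix (RFC 5737 documentation space)
are placeholders for the sake of the example; chain policies are assumed to be
DROP.]

```shell
#!/bin/sh
# Added example (editor's illustration, not Firebricks code): temporary bans
# for range/port scanners with the iptables `recent` match.
#
# Hypothetical environment, override via the environment:
#   WAN_IF        upstream interface of a Linux firewall/router
#   SERVICE_PORTS the only TCP services this box should answer on
#   TRAP_PORTS    TCP ports nothing legitimate ever connects to
#   DARK_NET      routed prefix inside our block with no hosts on it
#   BAN_SECONDS   how long a scanner stays blocked (1800 = ban30)
WAN_IF=${WAN_IF:-eth0}
SERVICE_PORTS=${SERVICE_PORTS:-22,25}
TRAP_PORTS=${TRAP_PORTS:-1,11}
DARK_NET=${DARK_NET:-192.0.2.128/25}
BAN_SECONDS=${BAN_SECONDS:-1800}
LIST=SCANNERS                        # shows up as /proc/net/xt_recent/SCANNERS

# Print each rule instead of loading it when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

install_scan_ban() {
    # Conversations we already accepted are never dropped, so a banned host
    # cannot kill a session we opened toward it (e.g. a callback probe).
    ipt -A INPUT   -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Drop everything from a listed source and refresh its timestamp
    # (--update): the ban expires BAN_SECONDS after the scanner's LAST packet,
    # not its first, so a scanner that keeps going stays blocked.
    ipt -A INPUT   -i "$WAN_IF" -m recent --name "$LIST" --update --seconds "$BAN_SECONDS" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -m recent --name "$LIST" --update --seconds "$BAN_SECONDS" -j DROP

    # Trap 1: a new TCP connection to a port no service listens on.
    # LOG is non-terminating and rate-limited so a scan cannot flood syslog.
    ipt -A INPUT -i "$WAN_IF" -p tcp --syn -m multiport --dports "$TRAP_PORTS" \
        -m limit --limit 10/min -j LOG --log-prefix "SCAN-TRAP-PORT: "
    ipt -A INPUT -i "$WAN_IF" -p tcp --syn -m multiport --dports "$TRAP_PORTS" \
        -m recent --name "$LIST" --set -j DROP

    # Trap 2: any packet toward the unused part of our block. This is what
    # catches whole-block sequential scans: once the scanner walks into the
    # dark space it is banned for every address that follows in its sweep.
    ipt -A FORWARD -i "$WAN_IF" -d "$DARK_NET" \
        -m limit --limit 10/min -j LOG --log-prefix "SCAN-DARK-NET: "
    ipt -A FORWARD -i "$WAN_IF" -d "$DARK_NET" -m recent --name "$LIST" --set -j DROP

    # Legitimate new connections to our own services.
    ipt -A INPUT -i "$WAN_IF" -p tcp --syn -m multiport --dports "$SERVICE_PORTS" -j ACCEPT
}

# Take one address off the list by hand (a false positive, or a spoofed
# source); writing "-addr" to the xt_recent proc file removes that entry.
unban() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "echo -$1 > /proc/net/xt_recent/$LIST"
    else
        printf '%s\n' "-$1" > "/proc/net/xt_recent/$LIST"
    fi
}

# Usage:  sh scan-ban.sh          print the rules (dry run)
#         sh scan-ban.sh apply    load them (needs root)
case "${1:-}" in
    apply) install_scan_ban ;;
    *)     DRY_RUN=1; install_scan_ban ;;
esac
```

Two caveats before running something like this on a production router. First,
the trap fires on a single packet, so anyone who can spoof a source address can
get a third party banned, and with `--update` can keep it banned by sending one
spoofed packet every half hour; whitelist upstream resolvers, monitoring hosts
and peers ahead of the `--update` rule, and consider `--rcheck` (which does not
refresh the timestamp) if you would rather bans always lapse on their own.
Second, the `recent` list is bounded (the `ip_list_tot` module parameter,
100 entries by default) and evicts the oldest entry when full, so size it for
the scan volume you actually see.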
