nanog mailing list archives

RE: Stopping ip range scans


From: william () elan net
Date: Mon, 29 Dec 2003 05:09:27 -0800 (PST)


On Mon, 29 Dec 2003, Abdullah Hameed Sheikh wrote:

> There are two types of network: Enterprise and Service Provider.
I kind of have both types. I call them unmanaged and managed. For certain
ip blocks (always larger than /24) all traffic is passing through a linux
firewall with multiple vlans & ethernet ports to be able to accommodate
multiple customers at the same time. I'd like to at least stop this scan
for everything behind the firewall. Would be best if I stop it for the entire
network too, but that is just a wish and I did not see any easy way to do
it using cisco configuration, and modifying access lists every minute is
probably not too interesting (here I again get reminded of the cooperative
bgp filtering draft I worked on for bogons with Michael, Rob & Joren, see
 http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt
I'll have to wait until it's part of the OS to try something for scan prevention...).

> The job of the service provider is very simple. Just provide plain
> Internet connectivity.
The above is true if you're a very "plain" network provider. Some of us do
more than just simple internet connectivity services...

> if the traffic is destined to an IP which is
> in my network, it is considered legitimate traffic. )
The problem is these are random scans, the traffic is going to ips that
are not used and never were. They're clearly random sequential scans.

> But it can block your legitimate traffic as well.
I've thought about it and the way I see it - if somebody is scanning me,
it's not legitimate traffic to me and a big potential security risk. So if the
same ip hits within a fraction of a sec 2 or 3 sequential ip addresses on
some monitoring device, it seems ok to me if it's blocked for the next 10 minutes
(but not permanently). I don't think any legitimate traffic would be lost
in this case. (Note: definition of "legitimate" varies from network to
network and from one person to another).

-- 
William Leibzon
Elan Networks
william () elan net
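
As an added illustration of the heuristic William sketches above (one source hitting 2 or 3 sequential destination addresses within a fraction of a second on a monitoring device, followed by a temporary 10-minute block), here is a small Python detector. It is not part of the original thread or of any of the posters' setups. The thresholds, the "ascending consecutive addresses" definition of sequential, the space-separated "timestamp src dst" log format and the sample addresses are all assumptions made for this example.

```python
"""Temporary scan-blocker modelled on the heuristic in the post.

Example code, not from the thread. Values marked ASSUMED are tuning
choices for the demonstration, not anything the posters specified.
"""
from collections import defaultdict, deque
from ipaddress import ip_address

SEQ_HITS = 3           # ASSUMED: consecutive addresses that trigger a block ("2 or 3")
WINDOW_SECONDS = 0.5   # ASSUMED: "within fraction of a sec"
BLOCK_SECONDS = 600    # 10 minutes, and the block expires (not permanent)


class ScanDetector:
    """Per-source tracker: blocks a source that walks sequential addresses."""

    def __init__(self, seq_hits=SEQ_HITS, window=WINDOW_SECONDS, block_for=BLOCK_SECONDS):
        self.seq_hits = seq_hits
        self.window = window
        self.block_for = block_for
        self.recent = defaultdict(deque)   # src -> deque of (timestamp, dst as int)
        self.blocked = {}                  # src -> timestamp at which the block expires

    def is_blocked(self, src, now):
        """True while src is inside its block; expired blocks are removed."""
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[src]          # block lapses automatically after 10 minutes
            return False
        return True

    def observe(self, ts, src, dst):
        """Feed one packet. Returns 'drop' if src is currently blocked,
        'block' if this packet just triggered a new block, else 'pass'."""
        if self.is_blocked(src, ts):
            return "drop"
        hits = self.recent[src]
        hits.append((ts, int(ip_address(dst))))
        while hits and ts - hits[0][0] > self.window:   # forget hits outside the window
            hits.popleft()
        if len(hits) >= self.seq_hits:
            last = [d for _, d in list(hits)[-self.seq_hits:]]
            # ASSUMED definition of "sequential": each address is the previous one + 1
            if all(last[i + 1] - last[i] == 1 for i in range(len(last) - 1)):
                self.blocked[src] = ts + self.block_for
                hits.clear()
                return "block"
        return "pass"


# Constructed sample log: "unix_timestamp src_ip dst_ip", one packet per line.
# 198.51.100.7 walks .10/.11/.12 within 100 ms (a scan); 192.0.2.44 touches
# .80/.81/.82 but seconds apart (not a scan under this window).
SAMPLE_LOG = """\
1072700000.000 198.51.100.7 203.0.113.10
1072700000.050 198.51.100.7 203.0.113.11
1072700000.100 198.51.100.7 203.0.113.12
1072700000.200 192.0.2.44 203.0.113.80
1072700001.000 198.51.100.7 203.0.113.50
1072700005.000 192.0.2.44 203.0.113.81
1072700009.000 192.0.2.44 203.0.113.82
1072700700.000 198.51.100.7 203.0.113.99
"""


def process_log(log_text, detector=None):
    """Replay the log in order. Returns (blocks, dropped): blocks is a list of
    (src, timestamp) for each new block, dropped counts packets seen while blocked."""
    det = detector or ScanDetector()
    blocks, dropped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, src, dst = line.split()
        verdict = det.observe(float(ts_text), src, dst)
        if verdict == "block":
            blocks.append((src, float(ts_text)))
        elif verdict == "drop":
            dropped += 1
    return blocks, dropped


if __name__ == "__main__":
    blocks, dropped = process_log(SAMPLE_LOG)
    for src, ts in blocks:
        print(f"blocked {src} at {ts:.3f} for {BLOCK_SECONDS}s")
    print(f"packets dropped while blocked: {dropped}")
```

Running it on the constructed log blocks 198.51.100.7 at the third consecutive address, drops its next packet a second later, and lets its packet 700 seconds later through again because the block has expired. The slower 192.0.2.44 never triggers, which is the point of the short window: a scanner's rate distinguishes it from a few ordinary connections to neighbouring hosts.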

