nanog mailing list archives
Re: Stopping ip range scans
From: Phil Rosenthal <pr () isprime com>
Date: Mon, 29 Dec 2003 21:25:03 -0500
Out of curiosity..... How many of your scans come from hijacked IP space? On Dec 29, 2003, at 6:47 AM, william () elan net wrote:
Recently (this year...) I've noticed increasing number of ip range scansof various types that envolve one or more ports being probed for ourentire ip blocks sequentially. At first I attributed all this to variouswindows viruses, but I did some logging with callbacks soon after toorigin machine on ports 22 and 25) and substantial number of these scansare coming from unix boxes. I'm willing to tolerate some random trafficlike dns (although why would anybody send dns requests to ips that never ever had any servers on them?), but scans on random port of all my ips - that I consider to be a serious security issue and I'm getting tired of it to say the least (not to mention that its drain on resources as for examplerouters have to answer and try to route all the requests or answer back that they could not). So I'm wondering what are others doing on this regard? Is there any router configuration or possibly intrusion detection software for linux based firewall that can be used to notice as soon as this random scanstarts and block the ip on temporary basis? Best would be some kind of wayto immediatly detect the scan on the router and block it right there... Any people or networks tracking this down to perhaps alert each other? -- William Leibzon Elan Networks william () elan net
--Phil Rosenthal ISPrime, Inc.
Current thread:
- Stopping ip range scans william (Dec 29)
- Re: Stopping ip range scans Chris Brenton (Dec 29)
- Re: Stopping ip range scans william (Dec 29)
- Re: Stopping ip range scans John R. Levine (Dec 29)
- Re: Stopping ip range scans jlewis (Dec 29)
- Re: Stopping ip range scans Perry E. Metzger (Dec 29)
- Re: Stopping ip range scans Anton L. Kapela (Dec 29)
- Re: Stopping ip range scans Phil Rosenthal (Dec 29)
- <Possible follow-ups>
- RE: Stopping ip range scans william (Dec 29)
- Re: Stopping ip range scans haesu (Dec 29)