Re: Stopping ip range scans

[Phil Rosenthal <pr () isprime com>]

Out of curiosity.....
How many of your scans come from hijacked IP space?
On Dec 29, 2003, at 6:47 AM, william () elan net wrote:

>  Recently (this year...) I've noticed increasing number of ip range 
> scans
> of various types that envolve one or more ports being probed for our
> entire ip blocks sequentially. At first I attributed all this to 
> various
> windows viruses, but I did some logging with callbacks soon after to
> origin machine on ports 22 and 25) and substantial number of these 
> scans
> are coming from unix boxes. I'm willing to tolerate some random traffic
> like dns (although why would anybody send dns requests to ips that 
> never
> ever had any servers on them?), but scans on random port of all my ips 
> -
> that I consider to be a serious security issue and I'm getting tired 
> of it
> to say the least (not to mention that its drain on resources as for 
> example
> routers have to answer and try to route all the requests or answer back
> that they could not).
>   So I'm wondering what are others doing on this regard? Is there any
> router configuration or possibly intrusion detection software for linux
> based firewall that can be used to notice as soon as this random scan
> starts and block the ip on temporary basis? Best would be some kind of 
> way
> to immediatly detect the scan on the router and block it right there...
> Any people or networks tracking this down to perhaps alert each other?
>
> --
> William Leibzon
> Elan Networks
> william () elan net
--Phil Rosenthal
ISPrime, Inc.