[66151] in North American Network Operators' Group
Re: Stopping ip range scans
daemon@ATHENA.MIT.EDU (John R. Levine)
Mon Dec 29 12:43:11 2003
Date: 29 Dec 2003 17:42:32 -0000
From: johnl@iecc.com (John R. Levine)
To: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.44.0312290514150.21468-100000@sokol.elan.net>
Cc:
Errors-To: owner-nanog-outgoing@merit.edu
My router is set up to send me daily reports of IP addresses that hit
the port 137-139 block more than 1000 times a day. The sources are
all over the place, including a lot of IANA reserved address space
that Sprint and my ISP should be filtering upstream, but a lot of the
scans are from hosts on my ISP's network that I know are consumer DSL.
My working assumption is that these are worms looking for new hosts to
attack. When I have time, I tell the ISP about the local ones so they
can tell their customer to fix it, otherwise I don't bother.
So long as you have reasonable router filters, port scans are an
annoyance but not a security issue.
--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 330 5711
johnl@iecc.com, Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail