[66159] in North American Network Operators' Group
Re: Stopping ip range scans
daemon@ATHENA.MIT.EDU (Phil Rosenthal)
Mon Dec 29 21:25:52 2003
In-Reply-To: <Pine.LNX.4.44.0312290326440.21468-100000@sokol.elan.net>
Cc: nanog@nanog.org
From: Phil Rosenthal <pr@isprime.com>
Date: Mon, 29 Dec 2003 21:25:03 -0500
To: william@elan.net
Errors-To: owner-nanog-outgoing@merit.edu
Out of curiosity.....
How many of your scans come from hijacked IP space?
On Dec 29, 2003, at 6:47 AM, william@elan.net wrote:
>
>
> Recently (this year...) I've noticed increasing number of ip range
> scans
> of various types that envolve one or more ports being probed for our
> entire ip blocks sequentially. At first I attributed all this to
> various
> windows viruses, but I did some logging with callbacks soon after to
> origin machine on ports 22 and 25) and substantial number of these
> scans
> are coming from unix boxes. I'm willing to tolerate some random traffic
> like dns (although why would anybody send dns requests to ips that
> never
> ever had any servers on them?), but scans on random port of all my ips
> -
> that I consider to be a serious security issue and I'm getting tired
> of it
> to say the least (not to mention that its drain on resources as for
> example
> routers have to answer and try to route all the requests or answer back
> that they could not).
> So I'm wondering what are others doing on this regard? Is there any
> router configuration or possibly intrusion detection software for linux
> based firewall that can be used to notice as soon as this random scan
> starts and block the ip on temporary basis? Best would be some kind of
> way
> to immediatly detect the scan on the router and block it right there...
> Any people or networks tracking this down to perhaps alert each other?
>
> --
> William Leibzon
> Elan Networks
> william@elan.net
>
--Phil Rosenthal
ISPrime, Inc.
