On Mon, 2003-12-29 at 06:47, william@elan.net wrote:
> Recently (this year...) I've noticed an increasing number of IP range scans of various types that involve one or more ports being probed for our entire IP blocks sequentially.
You're lucky. I've been watching this slowly ramp up for the last 10. ;-)
> At first I attributed all this to various Windows viruses, but I did some logging (with callbacks soon after to the origin machine on ports 22 and 25) and a substantial number of these scans are coming from Unix boxes.
Since no one (to my knowledge) has ever been arrested or sued over a port scan, there is nothing holding back the script kiddies from doing them at will. Heck, check the archives here and you will find a number of posts where various people feel this is legitimate and justifiable activity.
> I'm willing to tolerate some random traffic like DNS (although why would anybody send DNS requests to IPs that never ever had any servers on them?)
Simplicity. It's easier to write a scanner that just hits every and/or random IP rather than troll to look for legitimate name servers. That, and the unadvertised ones are more likely to be vulnerable anyway.
> So I'm wondering what are others doing in this regard? Is there any router configuration or possibly intrusion detection software for a Linux-based firewall that can be used to notice as soon as this random scan starts and block the IP on a temporary basis?
Check out Bill Stearns' Firebricks project: http://www.stearns.org/firebricks/ Basically, these are plug-in rule sets for iptables. The three you are interested in are ban30, checksban and catchmapper. If you want a little less overhead, you can use catchmapreply. Also, the bogons module might be interesting for an ISP environment. Note that the plength module implements some of the fragment size limitations I was querying this group about a few weeks back. :)
> Best would be some kind of way to immediately detect the scan on the router and block it right there... Any people or networks tracking this down to perhaps alert each other?
Check: http://www.dshield.org/ I *think* Johannes has even added the ability to query based on AS.

HTH,
C
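The thread asks for a way to notice a sequential range scan on a Linux firewall as it starts and ban the source temporarily. The following is an added example of that detection logic, not code from the thread or from the Firebricks rule sets: it reads iptables LOG lines (the constructed sample below stands in for a real log), flags any source that hits at least five distinct destinations on one port within a 60-second window, and emits matching iptables insert/delete commands with an expiry. The threshold, window, and 30-minute ban length are assumed values; the commands are built as strings and not executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields we need from an iptables LOG line: syslog timestamp, SRC, DST, DPT.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log (not real traffic): 192.0.2.10 walks 10.0.0.1-6 on
# port 22 within seconds (a range scan); 198.51.100.7 talks to one host on
# port 25 (legitimate); 203.0.113.9 probes port 80 slowly, one host per 30 s.
SAMPLE_LOG = """\
Dec 29 06:47:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 LEN=60 TTL=52 PROTO=TCP SPT=4567 DPT=22 SYN
Dec 29 06:47:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.2 LEN=60 TTL=52 PROTO=TCP SPT=4568 DPT=22 SYN
Dec 29 06:47:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.3 LEN=60 TTL=52 PROTO=TCP SPT=4569 DPT=22 SYN
Dec 29 06:47:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.4 LEN=60 TTL=52 PROTO=TCP SPT=4570 DPT=22 SYN
Dec 29 06:47:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TTL=52 PROTO=TCP SPT=4571 DPT=22 SYN
Dec 29 06:47:06 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.6 LEN=60 TTL=52 PROTO=TCP SPT=4572 DPT=22 SYN
Dec 29 06:47:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.3 LEN=60 TTL=55 PROTO=TCP SPT=33001 DPT=25 SYN
Dec 29 06:47:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.3 LEN=60 TTL=55 PROTO=TCP SPT=33002 DPT=25 SYN
Dec 29 06:47:55 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.3 LEN=60 TTL=55 PROTO=TCP SPT=33003 DPT=25 SYN
Dec 29 06:48:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.1 LEN=60 TTL=48 PROTO=TCP SPT=1025 DPT=80 SYN
Dec 29 06:48:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.2 LEN=60 TTL=48 PROTO=TCP SPT=1026 DPT=80 SYN
Dec 29 06:49:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.3 LEN=60 TTL=48 PROTO=TCP SPT=1027 DPT=80 SYN
Dec 29 06:49:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.4 LEN=60 TTL=48 PROTO=TCP SPT=1028 DPT=80 SYN
Dec 29 06:50:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TTL=48 PROTO=TCP SPT=1029 DPT=80 SYN
"""


def parse_line(line, year=2003):
    """Return (timestamp, src, dst, dport) or None for lines we don't care about.
    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_range_scans(lines, min_targets=5, window=timedelta(seconds=60)):
    """Map src -> (dport, detection time) for every source that reached at least
    min_targets distinct destinations on one port inside a sliding window."""
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dport)].append((ts, dst))
    hits = {}
    for (src, dport), evs in sorted(events.items()):
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:  # slide the window forward
                lo += 1
            if len({dst for _, dst in evs[lo:hi + 1]}) >= min_targets:
                hits[src] = (dport, evs[hi][0])  # time the threshold was crossed
                break
    return hits


def ban_rules(hits, ban_for=timedelta(minutes=30)):
    """Turn detections into (insert command, delete command, expiry ISO time);
    the caller applies the insert now and the delete once the expiry passes."""
    rules = []
    for src, (_, when) in sorted(hits.items()):
        rules.append((
            f"iptables -I INPUT -s {src} -j DROP",
            f"iptables -D INPUT -s {src} -j DROP",
            (when + ban_for).isoformat(),
        ))
    return rules


if __name__ == "__main__":
    for add, delete, expires in ban_rules(detect_range_scans(SAMPLE_LOG.splitlines())):
        print(f"{add}    # at {expires}: {delete}")
```

Run against the sample, only 192.0.2.10 is banned: the single-destination mail client on port 25 never reaches the target count, and the slow port-80 walker stays under five hosts in any 60-second window, which is the caveat to keep in mind with any threshold-based scan detector. Temporary rather than permanent bans matter here because SYN-scan source addresses can be spoofed, so a permanent block lets a third party lock out whoever they choose.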