william@elan.net writes:
Recently (this year...) I've noticed increasing number of ip range scans of various types that envolve one or more ports being probed for our entire ip blocks sequentially. At first I attributed all this to various windows viruses, but I did some logging with callbacks soon after to origin machine on ports 22 and 25) and substantial number of these scans are coming from unix boxes. I'm willing to tolerate some random traffic like dns (although why would anybody send dns requests to ips that never ever had any servers on them?), but scans on random port of all my ips - that I consider to be a serious security issue
It isn't a serious security issue.
and I'm getting tired of it to say the least
Then turn off your logging of it. I quit paying attention to scans MANY years ago, when they started happening more than once an hour. In an era where a honeypot will be attacked minutes after being put on the net, scans are as interesting to report as litter at a landfill.
(not to mention that its drain on resources as for example routers have to answer and try to route all the requests or answer back that they could not).
Drain on resources? I bet if you actually calculate the cost in dollars of answering the scans per year, it is probably smaller than the amount you are paid in a few minutes. The time you've spent thinking about it has been the biggest drain on your company's resources.
So I'm wondering what are others doing on this regard?
Most people I know are ignoring scans. There is no other rational course to take. People will twist your doorknobs, and if you pay attention every time they do, you'll go mad. You can't possibly block every host on the net trying it, and some are even doing it for perfectly legitimate purposes like mapping the network or trying to figure out if one of your users has been infected with a virus or some such. In any case, there are huge numbers of infected and compromised machines out there doing this. You'd have to black hole most of the net to stop it. I don't see what the point is. You won't make your machines more secure by pretending you could block scans. Sure, you can waste your time and money trying to stop that, but I'd suggest you simply spend that time actually making your machines more secure instead of adding Potemkin security like "blocking scans". I've seen many people complain about such things in the past, and then it turns out they don't even have all their Windows servers patched properly and they aren't doing any ingress filtering so their machines can happily send forged packets all over the net. Fix your actual security problems first -- worry about window dressing later if at all. By the way, the most sophisticated attackers are scanning using techniques that don't trigger IDS systems, like doing random walks of the port space in thousands of blocks at once from large numbers of scan hosts -- any given CIDR block only sees the occasional packet, and they don't have nice signatures like being sequential and from the same initiating address. Taken to extreme levels, you will never catch such people. Spend your time fixing security holes on your net instead. -- Perry E. Metzger perry@piermont.com