Stopping ip range scans
Recently (this year...) I've noticed an increasing number of IP range scans of various types that involve one or more ports being probed for our entire IP blocks sequentially. At first I attributed all this to various Windows viruses, but I did some logging (with callbacks soon after to the origin machine on ports 22 and 25) and a substantial number of these scans are coming from Unix boxes.

I'm willing to tolerate some random traffic like DNS (although why would anybody send DNS requests to IPs that never ever had any servers on them?), but scans on a random port of all my IPs - that I consider to be a serious security issue, and I'm getting tired of it to say the least (not to mention that it's a drain on resources, as for example routers have to answer and try to route all the requests, or answer back that they could not).

So I'm wondering what others are doing in this regard? Is there any router configuration, or possibly intrusion detection software for a Linux-based firewall, that can be used to notice as soon as this random scan starts and block the IP on a temporary basis? Best would be some kind of way to immediately detect the scan on the router and block it right there... Any people or networks tracking this down to perhaps alert each other?

-- William Leibzon Elan Networks william@elan.net
On Mon, 2003-12-29 at 06:47, william@elan.net wrote:
Recently (this year...) I've noticed an increasing number of IP range scans of various types that involve one or more ports being probed for our entire IP blocks sequentially.
You're lucky. I've been watching this slowly ramp up for the last 10. ;-)
At first I attributed all this to various Windows viruses, but I did some logging (with callbacks soon after to the origin machine on ports 22 and 25) and a substantial number of these scans are coming from Unix boxes.
Since no one (to my knowledge) has ever been arrested or sued over a port scan, there is nothing holding back the script kiddies from doing them at will. Heck, check the archives here and you will find a number of posts where various people feel this is legitimate and justifiable activity.
I'm willing to tolerate some random traffic like DNS (although why would anybody send DNS requests to IPs that never ever had any servers on them?)
Simplicity. It's easier to write a scanner that just hits every and/or random IP rather than troll to look for legitimate name servers. That, and the unadvertised ones are more likely to be vulnerable anyway.
So I'm wondering what others are doing in this regard? Is there any router configuration, or possibly intrusion detection software for a Linux-based firewall, that can be used to notice as soon as this random scan starts and block the IP on a temporary basis?
Check out Bill Stearns' Firebricks project: http://www.stearns.org/firebricks/ Basically, these are plug-in rule sets for iptables. The three you are interested in are ban30, checksban and catchmapper. If you want a little less overhead, you can use catchmapreply. Also, the bogons module might be interesting for an ISP environment. Note that the plength module implements some of the fragment size limitations I was querying this group about a few weeks back. :)
Best would be some kind of way to immediately detect the scan on the router and block it right there... Any people or networks tracking this down to perhaps alert each other?
Check: http://www.dshield.org/ I *think* Johannes has even added the ability to query based on AS. HTH, C
I'm looking for a NOC or Security contact for storm.ca in Canada. One of their customers appears to have an infected/exploited system; however, the contact email addresses for their domain do not appear to be valid. Thanks in advance. Charlie
BTW - By my tests it appears I'm being scanned by Unix hosts between 500 and 1000 times per day! I don't know, maybe it seems a low number for some of you, but I'm not at all happy about it. -- William Leibzon Elan Networks william@elan.net
My router is set up to send me daily reports of IP addresses that hit the port 137-139 block more than 1000 times a day. The sources are all over the place, including a lot of IANA reserved address space that Sprint and my ISP should be filtering upstream, but a lot of the scans are from hosts on my ISP's network that I know are consumer DSL. My working assumption is that these are worms looking for new hosts to attack. When I have time, I tell the ISP about the local ones so they can tell their customer to fix it, otherwise I don't bother. So long as you have reasonable router filters, port scans are an annoyance but not a security issue. -- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 330 5711 johnl@iecc.com, Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
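Both things asked for so far in this thread can be done from the firewall's own log: the temporary block on a source that starts walking the block (the original question, which Chris answers with the Firebricks rule sets), and the daily per-source report on the NetBIOS ports with reserved-space sources called out (John's router setup). The following is an added example, not code from the thread, from either poster or from Firebricks. It assumes iptables LOG output in the SRC=/DST=/PROTO=/DPT= form shown in the constructed sample lines, uses RFC 5737 documentation addresses for the sample, and the thresholds (6 hosts on one port within 5 minutes; 1000 hits per day) and the one-hour ban length are assumptions; the reserved-space table is deliberately short. Actually inserting and later removing the DROP rule is left to the caller, which gets the expiry time back.

```python
"""Sequential-sweep detection with temporary bans, plus a per-source daily
report on the NetBIOS ports, over iptables LOG output. Added example; not
code from the thread or from the Firebricks rule sets."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Source blocks that should never appear on a public link (RFC 1918 plus a
# few IANA-reserved ranges). Assumption: a real filter keeps a current bogon
# list; this table is only as long as the example needs.
RESERVED_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)(?: .*?DPT=(?P<dpt>\d+))?")


def parse_line(line):
    """One event dict from an iptables LOG line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None}


def detect_sweeps(events, min_targets=6, window=timedelta(minutes=5),
                  ban_for=timedelta(hours=1)):
    """Flag a source that probes >= min_targets distinct hosts on one port
    within `window`. Returns {src: (port, triggered_at, ban_until)} so the
    caller can insert a DROP rule and remove it again after ban_until."""
    by_key = defaultdict(list)
    for e in events:
        if e["dpt"] is not None:
            by_key[(e["src"], e["dpt"])].append((e["ts"], e["dst"]))
    bans = {}
    for (src, port), hits in by_key.items():
        hits.sort()
        start = 0
        for i, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window forward
                start += 1
            if len({d for _, d in hits[start:i + 1]}) >= min_targets:
                if src not in bans or ts < bans[src][1]:  # keep the earliest trigger
                    bans[src] = (port, ts, ts + ban_for)
                break
    return bans


def is_reserved_source(src):
    addr = ip_address(src)
    return any(addr in net for net in RESERVED_NETS)


def netbios_report(events, threshold=1000, ports=(137, 138, 139)):
    """Sources with >= threshold hits on the NetBIOS ports, as
    (src, hits, from_reserved_space), busiest first."""
    counts = defaultdict(int)
    for e in events:
        if e["dpt"] in ports:
            counts[e["src"]] += 1
    rows = [(s, n, is_reserved_source(s)) for s, n in counts.items() if n >= threshold]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def build_sample_log():
    """Constructed log lines (RFC 5737 test addresses; our block is 198.51.100.0/24)."""
    fmt = ("Dec 29 {h:02d}:{m:02d}:{s:02d} fw kernel: DROP IN=eth0 OUT= SRC={src} "
           "DST={dst} LEN=60 TTL=48 PROTO={proto} SPT={spt} DPT={dpt}")
    lines = []
    for i in range(8):  # sequential SSH sweep, 198.51.100.1 .. .8, one host every 7 s
        lines.append(fmt.format(h=6, m=47, s=7 * i, src="203.0.113.7",
                                dst=f"198.51.100.{i + 1}", proto="TCP", spt=40000 + i, dpt=22))
    lines.append(fmt.format(h=6, m=50, s=3, src="192.0.2.5", dst="198.51.100.3",
                            proto="UDP", spt=1024, dpt=53))  # one stray DNS query
    for i in range(1300):  # worm in RFC 1918 space, port 137, 50 of our hosts, all day
        lines.append(fmt.format(h=i // 60, m=i % 60, s=30, src="10.3.4.5",
                                dst=f"198.51.100.{i % 50 + 1}", proto="UDP", spt=137, dpt=137))
    for i in range(1100):  # DSL host hammering a single host on 139: noisy, not a sweep
        lines.append(fmt.format(h=i // 50, m=i % 60, s=11, src="203.0.113.200",
                                dst="198.51.100.20", proto="TCP", spt=3000 + i % 100, dpt=139))
    lines.append("Dec 29 12:00:00 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 "
                 "DST=198.51.100.1 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0")  # no port
    return lines


if __name__ == "__main__":
    evs = [e for e in map(parse_line, build_sample_log()) if e]
    for src, (port, when, until) in detect_sweeps(evs).items():
        print(f"sweep: {src} port {port} at {when:%H:%M:%S}, ban until {until:%H:%M:%S}")
    for src, hits, reserved in netbios_report(evs):
        print(f"netbios: {src} {hits} hits" + (" (reserved space, filter upstream)" if reserved else ""))
```

Note what each check does and does not see: the SSH walker trips the sweep rule on its sixth host, the RFC 1918 worm trips both rules, and the DSL box hitting one host 1100 times shows up only in the daily report, since hammering a single address is not a sweep. The two checks are complementary, and neither says anything about a source that sends one packet per block per hour.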
On Mon, 29 Dec 2003 william@elan.net wrote:
Recently (this year...) I've noticed an increasing number of IP range scans of various types that involve one or more ports being probed for our entire IP blocks sequentially. At first I attributed all this to various
What ports are being probed? SOP for script kiddies for at least 10 years has been: find a box you can hack root on, install a vulnerability scanner for the remote-root vulnerability du jour, fire it up, and come back in a day or so to see what you've found. Then hack the newly found vulnerable boxes, install the scanner on each of them, and repeat the process. Some of these packages have done things like download the .com zone (back when F allowed this) and scan all NSs for BIND vulnerabilities. Others just pick a random IP and scan sequentially higher IPs. More recently, some packages have combined the scanning and hacking. If you don't want the scans, block everything you don't want at your router. Otherwise, just make sure your systems are up to date. A common OS with unpatched known remotely exploitable holes doesn't last long on an unfiltered internet connection.

-- Jon Lewis jlewis@lewis.org | Senior Network Engineer, Atlantic Net | "I route, therefore you are" | http://www.lewis.org/~jlewis/pgp for PGP public key
william@elan.net writes:
Recently (this year...) I've noticed an increasing number of IP range scans of various types that involve one or more ports being probed for our entire IP blocks sequentially. At first I attributed all this to various Windows viruses, but I did some logging (with callbacks soon after to the origin machine on ports 22 and 25) and a substantial number of these scans are coming from Unix boxes. I'm willing to tolerate some random traffic like DNS (although why would anybody send DNS requests to IPs that never ever had any servers on them?), but scans on a random port of all my IPs - that I consider to be a serious security issue
It isn't a serious security issue.
and I'm getting tired of it to say the least
Then turn off your logging of it. I quit paying attention to scans MANY years ago, when they started happening more than once an hour. In an era where a honeypot will be attacked minutes after being put on the net, scans are as interesting to report as litter at a landfill.
(not to mention that it's a drain on resources, as for example routers have to answer and try to route all the requests, or answer back that they could not).
Drain on resources? I bet if you actually calculate the cost in dollars of answering the scans per year, it is probably smaller than the amount you are paid in a few minutes. The time you've spent thinking about it has been the biggest drain on your company's resources.
So I'm wondering what others are doing in this regard?
Most people I know are ignoring scans. There is no other rational course to take. People will twist your doorknobs, and if you pay attention every time they do, you'll go mad. You can't possibly block every host on the net trying it, and some are even doing it for perfectly legitimate purposes like mapping the network or trying to figure out if one of your users has been infected with a virus or some such.

In any case, there are huge numbers of infected and compromised machines out there doing this. You'd have to black hole most of the net to stop it. I don't see what the point is. You won't make your machines more secure by pretending you could block scans. Sure, you can waste your time and money trying to stop that, but I'd suggest you simply spend that time actually making your machines more secure instead of adding Potemkin security like "blocking scans". I've seen many people complain about such things in the past, and then it turns out they don't even have all their Windows servers patched properly and they aren't doing any ingress filtering so their machines can happily send forged packets all over the net. Fix your actual security problems first -- worry about window dressing later if at all.

By the way, the most sophisticated attackers are scanning using techniques that don't trigger IDS systems, like doing random walks of the port space in thousands of blocks at once from large numbers of scan hosts -- any given CIDR block only sees the occasional packet, and they don't have nice signatures like being sequential and from the same initiating address. Taken to extreme levels, you will never catch such people. Spend your time fixing security holes on your net instead.

-- Perry E. Metzger perry@piermont.com
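Perry's last point is easy to check numerically, and the following added example (not from the thread or from any poster) does so: it compares a single host walking a /24 in order against a pool of cooperating scanners that split the same /24 between them and interleave their probes, then applies the two signatures a simple scan detector keys on, a per-source count of distinct targets and a run of consecutive target addresses. The scanner pool, the target block (both RFC 5737 documentation space), the 64-host pool size and the 6-target threshold are assumptions chosen for the illustration.

```python
"""Why a per-source sweep threshold misses a distributed scan. Added example,
not from the thread; the scanner pool and block are RFC 5737 test addresses."""
import random

OUR_BLOCK = [f"198.51.100.{i}" for i in range(1, 255)]


def sequential_scan(hosts, src="203.0.113.7"):
    """One host walking the block in address order: the classic signature."""
    return [(src, dst) for dst in hosts]


def distributed_scan(hosts, n_sources, seed=1):
    """n_sources (at most 256) cooperating scanners that between them probe
    every host once, each taking a random slice, with probes interleaved in
    arrival order. Source addresses are a hypothetical pool in 203.0.113.0/24."""
    rng = random.Random(seed)
    order = list(hosts)
    rng.shuffle(order)  # random assignment of targets to scanners
    events = [(f"203.0.113.{i % n_sources}", dst) for i, dst in enumerate(order)]
    rng.shuffle(events)  # random arrival order at the victim block
    return events


def sweep_sources(events, min_targets=6):
    """The per-source rule a simple scan detector applies: flag any source
    that has touched at least min_targets distinct hosts."""
    seen = {}
    for src, dst in events:
        seen.setdefault(src, set()).add(dst)
    return sorted(s for s, t in seen.items() if len(t) >= min_targets)


def longest_sequential_run(events):
    """Longest run of probes, in arrival order, whose targets step by exactly
    one address: what a 'sequential scan' signature keys on."""
    best = run = 0
    prev = None
    for _, dst in events:
        last = int(dst.rsplit(".", 1)[1])
        run = run + 1 if prev is not None and last == prev + 1 else 1
        best = max(best, run)
        prev = last
    return best


def coverage(events, hosts):
    """Fraction of the block that got probed, whoever sent the probes."""
    return len({dst for _, dst in events}) / len(hosts)


if __name__ == "__main__":
    for name, ev in (("sequential", sequential_scan(OUR_BLOCK)),
                     ("distributed x64", distributed_scan(OUR_BLOCK, 64))):
        print(f"{name:16} coverage={coverage(ev, OUR_BLOCK):.2f} "
              f"flagged={sweep_sources(ev)} longest_run={longest_sequential_run(ev)}")
```

With 64 scanners the whole /24 is covered while no single source touches more than four hosts and no run of consecutive targets is longer than a coincidence would produce, so both signatures stay silent; the attacker gets the same map either way. Spreading the same probes over hours instead of seconds defeats the time window as well, which is the argument for patching rather than chasing sources.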
Out of curiosity..... How many of your scans come from hijacked IP space? On Dec 29, 2003, at 6:47 AM, william@elan.net wrote:
Recently (this year...) I've noticed an increasing number of IP range scans of various types that involve one or more ports being probed for our entire IP blocks sequentially. At first I attributed all this to various Windows viruses, but I did some logging (with callbacks soon after to the origin machine on ports 22 and 25) and a substantial number of these scans are coming from Unix boxes. I'm willing to tolerate some random traffic like DNS (although why would anybody send DNS requests to IPs that never ever had any servers on them?), but scans on a random port of all my IPs - that I consider to be a serious security issue, and I'm getting tired of it to say the least (not to mention that it's a drain on resources, as for example routers have to answer and try to route all the requests, or answer back that they could not). So I'm wondering what others are doing in this regard? Is there any router configuration, or possibly intrusion detection software for a Linux-based firewall, that can be used to notice as soon as this random scan starts and block the IP on a temporary basis? Best would be some kind of way to immediately detect the scan on the router and block it right there... Any people or networks tracking this down to perhaps alert each other?
-- William Leibzon Elan Networks william@elan.net
--Phil Rosenthal ISPrime, Inc.
participants (8)
- Anton L. Kapela
- Charlie Clemmer
- Chris Brenton
- jlewis@lewis.org
- johnl@iecc.com
- Perry E. Metzger
- Phil Rosenthal
- william@elan.net