RE: Stopping ip range scans
On Mon, 29 Dec 2003, Abdullah Hameed Sheikh wrote:

> There are two types of network: Enterprise and Service Provider.

I kind of have both types. I call them unmanaged and managed. For certain ip blocks (always larger than /24) all traffic is passing through a linux firewall with multiple vlans & ethernet ports to be able to accommodate multiple customers at the same time. I'd like to at least stop this scan for everything behind the firewall. It would be best if I stopped it for the entire network too, but that is just a wish and I did not see any easy way to do it using cisco configuration, and modifying access lists every minute is probably not too interesting (here I again get reminded of the cooperative bgp filtering draft I worked on for bogons with Michael, Rob & Joren, see http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt I'll have to wait until it's part of the OS to try something for scan prevention...).

> The job of the service provider is very simple. Just provide plain Internet connectivity.

The above is true if you're a very "plain" network provider. Some of us do more than just simple internet connectivity services...

> if the traffic is destined to an IP which is in my network, it is considered legitimate traffic. )

The problem is these are random scans, the traffic is going to ips that are not used and never were. They're clearly random sequential scans.

> But it can block your legitimate traffic as well.

I've thought about it and the way I see it - if somebody is scanning me, it's not legitimate traffic to me and a big potential security risk. So if the same ip hits 2 or 3 sequential ip addresses within a fraction of a sec on some monitoring device, it seems ok to me if it's blocked for the next 10 minutes (but not permanently). I don't think any legitimate traffic would be lost in this case. (Note: definition of "legitimate" varies from network to network and from one person to another).
-- William Leibzon Elan Networks william@elan.net
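The rule William sketches above (the same source hitting a few sequential addresses within a fraction of a second, blocked for ten minutes and then released), as an added illustration that is not part of the original thread; the flow-log format, the thresholds and the addresses are constructed for the example, and a slow sequential crawl is included to show that it does not trip the fast-hit rule as stated.

```python
import ipaddress

SEQ_HITS = 3          # sequential destination hits that trigger a block
WINDOW = 0.5          # max seconds between consecutive hits ("fraction of a sec")
BLOCK_SECS = 600      # block for ten minutes, never permanently

# Constructed sample flow log: "<epoch_seconds> <src_ip> <dst_ip>" (not real data).
# First source sweeps .10-.13 at 0.1 s spacing; second crawls .80-.82 minutes apart.
SAMPLE_LOG = """\
1072700000.00 198.51.100.7 203.0.113.10
1072700000.10 198.51.100.7 203.0.113.11
1072700000.20 198.51.100.7 203.0.113.12
1072700000.30 198.51.100.7 203.0.113.13
1072700005.00 192.0.2.44 203.0.113.80
1072700090.00 192.0.2.44 203.0.113.81
1072700180.00 192.0.2.44 203.0.113.82
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst-as-integer)."""
    ts, src, dst = line.split()
    return float(ts), src, int(ipaddress.ip_address(dst))

def detect_sequential_scans(log_text):
    """Return {src: block_expiry_epoch} for every source that hits SEQ_HITS
    consecutive destination addresses, each within WINDOW seconds of the last."""
    last = {}        # src -> (last_dst_int, last_ts, current_run_length)
    blocked = {}     # src -> epoch second at which the temporary block expires
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        prev = last.get(src)
        # Extend the run only if dst is exactly the next address and arrived quickly.
        if prev and dst == prev[0] + 1 and ts - prev[1] <= WINDOW:
            run = prev[2] + 1
        else:
            run = 1
        last[src] = (dst, ts, run)
        if run >= SEQ_HITS and src not in blocked:
            blocked[src] = ts + BLOCK_SECS   # temporary block, expires on its own
    return blocked

def is_blocked(blocked, src, now):
    """True while the source's temporary block has not yet expired."""
    expiry = blocked.get(src)
    return expiry is not None and now < expiry
```

A real deployment would feed this from the firewall's flow or connection log and push the entries into a rule set with the same expiry, so that an address is released automatically after the ten minutes.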
[.. SNIP ..]
> The problem is these are random scans, the traffic is going to ips that are not used and never were. They're clearly random sequential scans.
In this particular case, null-routing your aggregate is your friend. Or get a sink hole and suck down all the !traffic to it. Please, it's the internet. Port scans are nothing out of the ordinary.

-James

--
James Jun (formerly Haesu)
TowardEX Technologies, Inc.
1740 Massachusetts Ave. Boxborough, MA 01719
Consulting, IPv4 & IPv6 colocation, web hosting, network design & implementation
http://www.towardex.com | james@towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033 | AIM: GigabitEthernet0
NOC: http://www.twdx.net | POC: HAESU-ARIN, HDJ1-6BONE