What can I do about port scan attacks?


Lzen
09-12-2007, 07:52 AM
My network has been running slow. My router's log says things like:

SYN-ACK port scan attack from WAN (ip:72.246.127.47) detected.
Sep 12 07:44:41 SYN-ACK port scan attack from WAN (ip:72.246.127.47) detected.
Sep 12 07:40:57 SYN-ACK port scan attack from WAN (ip:59.63.41.66) detected.
Sep 12 07:40:02 SYN-ACK port scan attack from WAN (ip:59.63.41.66) detected.
Sep 12 07:40:00 Drop UDP packet from LAN (src:192.168.0.1:2057, dst:239.255.255.250:1900) by MAC filter rule.

Any suggestions on what I can do about this? It has been causing my network to slow down lately. One thing I did do is close a bunch of ports that I had opened to try and play Madden 07 a few weeks ago. This is the first time I have ever noticed something like this.

unlurking
09-12-2007, 08:00 AM
If you can, look for something like "stealth mode" on your router. Most devices respond to scans with port status (even closed). It should be configurable to simply drop all incoming packets without responding. That should at least eliminate some outbound traffic. Other than that, not much you can do but make sure the attack doesn't get through.

htismaqe
09-12-2007, 08:02 AM
Well, your router should drop it, so there's very little security risk.

The issue is that in order for it to get to your router to be blocked, it's chewing up your bandwidth. If it's coming from predominantly one source address (like the 2 in the first 4 lines above), report it to your ISP and have them block it on ingress.

Also, the last line is not coming from the Internet. An address that starts with 239 is a multicast coming from inside your network. Probably not something to worry about, unless it's frequent.

Saulbadguy
09-12-2007, 08:03 AM
hax

StcChief
09-12-2007, 09:22 AM
stay off the internet :shrug:

Simplex3
09-12-2007, 09:28 AM
Odds are it's an attack from a botnet. Generally your only option is to block all the attackers, but if it's coming from a large botnet that won't be possible without interfering with actual traffic. You need to ensure your router is actually DROPPING packets that hit unopen ports; that will save you about 30-40% of your outbound bandwidth.

Sounds like it may be a really, really weak DOS attack. If it is, you might trace some of those IP addresses and hope the same few come up over and over. If they do, you can:

1. Have your ISP block those IPs on their side.
2. Have your ISP work with the offender's ISP to have their account blocked until the customer gets their machine un-zombied.
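
Added example, not written by any poster in this thread: a small Python script that tallies scan alerts per source address from log lines in the format quoted in the first post, to see whether "the same few come up over and over" before contacting an ISP. The first five sample lines are the ones from the thread; the last line, the regular expression and the `min_hits` threshold are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Log lines in the router's format; the final line (203.0.113.9) is constructed.
SAMPLE_LOG = """\
SYN-ACK port scan attack from WAN (ip:72.246.127.47) detected.
Sep 12 07:44:41 SYN-ACK port scan attack from WAN (ip:72.246.127.47) detected.
Sep 12 07:40:57 SYN-ACK port scan attack from WAN (ip:59.63.41.66) detected.
Sep 12 07:40:02 SYN-ACK port scan attack from WAN (ip:59.63.41.66) detected.
Sep 12 07:40:00 Drop UDP packet from LAN (src:192.168.0.1:2057, dst:239.255.255.250:1900) by MAC filter rule.
Sep 12 07:39:10 SYN-ACK port scan attack from WAN (ip:203.0.113.9) detected.
"""

# The timestamp is optional because the first quoted line has none.
SCAN_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+)?"
    r"(?P<kind>\S+) port scan attack from WAN "
    r"\(ip:(?P<ip>[0-9.]+)\) detected\.\s*$"
)

def parse_scans(log_text):
    """Return (timestamp_or_None, scan_kind, source_ip) for each scan alert."""
    events = []
    for line in log_text.splitlines():
        m = SCAN_RE.match(line.strip())
        if not m:
            continue  # other entries, e.g. the LAN "Drop UDP packet" line
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # malformed address field
        events.append((m["ts"], m["kind"], ip))
    return events

def repeat_sources(log_text, min_hits=2):
    """Sources with at least min_hits alerts: (ip, hits, share of all alerts)."""
    counts = Counter(ip for _, _, ip in parse_scans(log_text))
    total = sum(counts.values())
    return [(ip, n, round(n / total, 2))
            for ip, n in counts.most_common() if n >= min_hits]

if __name__ == "__main__":
    for ip, hits, share in repeat_sources(SAMPLE_LOG):
        print(f"{ip}: {hits} alerts ({share:.0%} of scan alerts)")
```
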

Lzen
09-12-2007, 11:02 AM
Okay, thanks for all of your help. I called ATT DSL. The first person I talked to wasn't a whole lot of help. But the tech who called me back a couple hours later got it figured out.

Turns out that it was kind of silly on my part. I had Dish Network hook up HDTV a couple weeks ago. That meant replacing the dual tuner DVR that was in the living room with a new dual tuner HDTV DVR. The old dual tuner DVR went into the boys bedroom to replace their old single receiver. That way my daughter also got satellite in her bedroom.

Anyway, something about having the DVR service requires you to have a phone line hooked up to the receiver. The bozos who installed it didn't bother to do that and didn't tell me that they didn't do it. If you don't have it hooked up to a phone line, they charge you like an extra $5 a month. So, I installed a phone jack for it. However, I forgot one little important thing. I forgot that I needed a DSL filter attached to it.

Yeah, bonehead, I know. I guess I looked at my router's log and had never noticed all of the port attacks. The ATT tech insinuated that having those all the time is normal. In any case, I think I'm secure because my router log says it is not allowing those packets due to MAC filtering.

Delano
09-12-2007, 11:19 AM
Porn scat attacks?

Just clarify your search terms and that should clear up any problems.

htismaqe
09-12-2007, 12:59 PM
> Okay, thanks for all of your help. I called ATT DSL. The first person I talked to wasn't a whole lot of help. But the tech who called me back a couple hours later got it figured out.
>
> Turns out that it was kind of silly on my part. I had Dish Network hook up HDTV a couple weeks ago. That meant replacing the dual tuner DVR that was in the living room with a new dual tuner HDTV DVR. The old dual tuner DVR went into the boys bedroom to replace their old single receiver. That way my daughter also got satellite in her bedroom.
>
> Anyway, something about having the DVR service requires you to have a phone line hooked up to the receiver. The bozos who installed it didn't bother to do that and didn't tell me that they didn't do it. If you don't have it hooked up to a phone line, they charge you like an extra $5 a month. So, I installed a phone jack for it. However, I forgot one little important thing. I forgot that I needed a DSL filter attached to it.
>
> Yeah, bonehead, I know. I guess I looked at my router's log and had never noticed all of the port attacks. The ATT tech insinuated that having those all the time is normal. In any case, I think I'm secure because my router log says it is not allowing those packets due to MAC filtering.

So the port scans and the slowness weren't related. Makes sense.

And yes, the tech was right - those types of attacks are extremely common.

Simplex3
09-12-2007, 03:13 PM
> And yes, the tech was right - those types of attacks are extremely common.

My firewall drops packets all day, every day.

SLAG
09-12-2007, 04:26 PM
www.ipcop.org

Simplex3
09-12-2007, 09:27 PM
> www.ipcop.org

http://www.pfsense.org/

Lzen
09-13-2007, 09:30 AM
Okay, I have heard of ipcop but don't truly know exactly what it does. I already have a hardware (router) and a software (Zone Alarm) firewall. Is there any need for anything else?

Al Bundy
09-13-2007, 04:40 PM
Lzen, I use Zone Alarm and Spybot, and those have me completely sealed off.

Lzen
09-14-2007, 09:20 AM
> Lzen, I use Zone Alarm and Spybot, and those have me completely sealed off.

Yes, I use both of them. ZA is my software firewall. I run Spybot S&D and Lavasoft Ad Aware about once a week or so.

htismaqe
09-14-2007, 09:49 AM
If you have a hardware firewall, you really don't need a desktop firewall at all.

It's nice to have something lightweight (i.e. NOT ZoneAlarm) though to police outbound connections from your PC, which your hardware router/FW won't do.