Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Being scanned on a wide range of ports....

Status
Not open for further replies.
Georgi1chuikov

Georgi1chuikov

IS-IT--Management
Jun 5, 2003
51
0
0
US
My router has been recieving an unusual amount of random scans from what seem to be a partially spoofed IP address. This scanner is choosing a range of about 100 ports.Sometines in the 1500 range, sometimes in the 2000 range. today it is in the 2500 range. I get several hundred port scans a day from this source and I am pretty sure it is a spoofed address that always has the IP of 209.249.123.xxx (x is the same for 200 or so scans and then changes) Any one have any advice? Is there any action a need to take?
 
Sort by date Sort by votes
If the IP address is being spoofed, the alleged attacker wouldn't get any responses from your computer, so that is out of the question. The attacker could go through a sock/proxy server, but for port scanning, it wouldn't be worth the hastle as port scanning is legal in the United States. You can use the abuse reporting system on the attacker's ISP to resport the port scanning if it continues.

--Sapient2003 - sapient@sapient2003.com
"The worst insecurity is believing you are too secure."
 
Upvote 0 Downvote
Not much you can do. If you start legal action you're likely to be attacking the wrong person (since the IP address changes so often, you can be pretty sure it's faked).

Chip H.


If you want to get the best response to a question, please check out FAQ222-2244 first
 
Upvote 0 Downvote
Sapient2003 is right, if this is a spoofed IP then the attacker will never know what is happening since the spoofed ip is not his ip. What you will want to do is take a log of what is happening and see where it is comming from. Do a WhoIs on the addresses and find out if they belong to a university. What is the address of your ISP, they might be scanning your network to see what illegal ports are open. Is this a home based computer??? Then get a network firewall and have an internal NAT, then turn off all non used ports. If you want to be clever then make a Linux box, put it in the DMZ of the firewall and activate all the auditing that you can. Look at the logs to see if the same IP ever does the same scanning a bunch of times. If the attacker gets lazy then they might start useing the same IP address. Do some investigation on the addresses to see if they come from the same subnet, if they do send an email to the abuse@ISP-email-address with the logs that you have.

Hapy

Last night I lay in bed looking up at the stars in the sky and I thought to myself, where the hell is the ceiling?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
140
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
138
Johnkite
Johnkite
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
116
nnaarrnn
nnaarrnn
Shmid
  • Locked
  • Question
Hi We´re thinking of enabling Ac
Replies
0
Views
89
Shmid
Shmid
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
55
PauS0n
PauS0n

Part and Inventory Search

Sponsor

Back
Top