Thread: Sometimes flooded with port scans

  1. #1
    Steel9 (Just burned his ISO; Join Date: Mar 2009; Posts: 10)

    I installed Firestarter, and from time to time I get flooded by port scans from numerous IPs, all port scanning strange ports like 13103 and 50974. It does not seem to stop, even after I get assigned a new IP from resetting the power; it continues on for a half hour or so and then just stops.

    A whois on three of these IPs that are scanning brings up:

    Microsoft Corp
    RIPE Network Coordination Centre
    MTS Allstream Inc.

    Sorry if this is the wrong place to ask, but I figured many of you would know just why this happens from time to time?

    Thank you.

  2. #2
    Good friend of the forums (Join Date: Feb 2010; Posts: 328)

    Maybe just not reading the logs right, who knows. PM me a pcap log and I'll take a look at it. For IDS I would use snort/snortsam and a local dns/squid proxy running mod_security etc., but that's overkill from what you are from. You can't really stop random attacks, but you can whitelist everything and black-hole everything else. Simple stuff like blocking ICMP if possible/black hole I think would help drop noise to a crawl.

    http://rmccurdy.com/scripts/htaccess
    And I run snort/emerging threats > custom conf.

    This cuts my noise down about 90%.
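
One way to check whether blocked-connection entries really are port scans, added here as an example that is not part of either post: it separates a single source walking many ports from many sources converging on one port such as 13103 or 50974. It assumes the firewall logs in the Linux netfilter LOG line format; the sample lines, addresses and the two thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Linux netfilter LOG line format (assumed to be
# what the firewall writes to syslog); addresses are documentation ranges.
LINE = ("Mar 14 21:02:11 host kernel: IN=eth0 OUT= SRC={} DST=192.0.2.10 "
        "LEN=48 TTL=52 PROTO={} SPT=40000 DPT={}")
SAMPLE_LOG = "\n".join(
    [LINE.format(f"198.51.100.{i}", "UDP", 13103) for i in range(1, 5)]
    + [LINE.format(f"198.51.100.{i}", "TCP", 50974) for i in range(3, 6)]
    + [LINE.format("203.0.113.50", "TCP", p) for p in (21, 22, 23, 25, 80, 443)]
    + ["Mar 14 21:02:12 host kernel: IN=eth0 OUT= SRC=203.0.113.9 "
       "DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0"]
)

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def parse(line):
    """Return (src, proto, dst_port), or None for lines without a port."""
    f = dict(FIELD.findall(line))
    if "SRC" not in f or not f.get("DPT", "").isdigit():
        return None  # e.g. ICMP, or a non-firewall syslog line
    return f["SRC"], f.get("PROTO", "?"), int(f["DPT"])

def summarize(log, min_ports=5, min_sources=3):
    """Split blocked traffic into two patterns that look alike in a log view.

    min_ports and min_sources are illustrative thresholds, not tuned values.
    """
    ports_by_src = defaultdict(set)   # source -> distinct (proto, port) probed
    srcs_by_port = defaultdict(set)   # (proto, port) -> distinct sources
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, proto, port = rec
        ports_by_src[src].add((proto, port))
        srcs_by_port[(proto, port)].add(src)
    return {
        # one host walking many ports: a port scan in the usual sense
        "scanners": sorted(s for s, p in ports_by_src.items() if len(p) >= min_ports),
        # many hosts converging on one port: traffic aimed at a single service
        "hot_ports": sorted(k for k, s in srcs_by_port.items() if len(s) >= min_sources),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```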
