[NTLUG:Discuss] Help! I'm under attack by my ISP!
James Taylor
tophatjames at yahoo.com
Thu Jul 15 02:52:30 CDT 2004
On Wed, 2004-07-14 at 11:13, Kevin Hulse wrote:
> --- Kyle Davenport <Kyle_Davenport at compusa.com> wrote:
> >
> [deletia]
> > So it occurred to me to find out where their port scans are coming from,
> > and blocking those. (That's right - if they're not going to play fair, I
> > won't either) I tried pkdump (ouch! not ready for prime time) and
> > portsentry. Neither seems to do what I want, which is block hosts scanning
> > different _unrelated_ ports, i.e., the p2p ports, and to do so without being
> > suspicious. Unfortunately, I don't know whether
>
> Does snort do this? It's a pretty nice intrusion
> detection tool. It works quite well for worms and
> such. Although I have not focused any attempt on
> portscanners. My gateway/firewall blocks most of that
> sort of thing before it would get to any of my
> internal machines.
I've used ntop at work, and it gives you a nice graphical web interface
that will show you which machines are connecting to your machine on
which ports. With ntop run in daemon mode continually on your machine,
you could see which machines have connected to your machine, and do
either whois / nslookup on the machines and block the entire IP subnet
where they have their scanning machines. From what I hear, they're all
in a single subnet, and it's easy to block that with your firewall so
they can't see you.
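
Added example, not part of the original post: one way to do from firewall logs what the thread asks for, namely find sources that probe several unrelated ports and group them by subnet before deciding what to block. It assumes dropped packets are logged in the netfilter LOG format (SRC=/DPT= fields); the log lines, addresses, the /24 grouping and the three-port threshold are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the netfilter LOG target's kernel-log format.
# Addresses are documentation ranges; ports are common p2p defaults.
SAMPLE_LOG = """\
Jul 15 02:40:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=6346
Jul 15 02:40:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=1214
Jul 15 02:40:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40114 DPT=4662
Jul 15 02:41:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=6881
Jul 15 02:41:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=6346
Jul 15 02:41:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=1214
Jul 15 02:45:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=80
Jul 15 02:45:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=80
Jul 15 02:46:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD = re.compile(r"\b(SRC|DPT)=(\S+)")


def ports_by_source(log_text):
    """Map each source address to the set of destination ports it touched."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "SRC" not in fields or not fields.get("DPT", "").isdigit():
            continue  # not a TCP/UDP log line (e.g. ICMP has no DPT)
        try:
            src = ipaddress.ip_address(fields["SRC"])
        except ValueError:
            continue  # malformed address; skip rather than guess
        seen[src].add(int(fields["DPT"]))
    return seen


def scanning_subnets(log_text, min_ports=3, prefix=24):
    """Group sources that hit >= min_ports distinct ports by enclosing subnet."""
    nets = defaultdict(set)
    for src, ports in ports_by_source(log_text).items():
        if len(ports) >= min_ports:
            nets[ipaddress.ip_network(f"{src}/{prefix}", strict=False)].add(src)
    return {net: sorted(srcs) for net, srcs in nets.items()}


if __name__ == "__main__":
    # Review the candidates (whois the range) before adding a firewall rule.
    for net, srcs in scanning_subnets(SAMPLE_LOG).items():
        print(net, "<-", ", ".join(map(str, srcs)))
```

A source that repeatedly hits a single port (the 203.0.113.5 lines) is not flagged; only distinct destination ports count toward the threshold.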