PPRuNe Forums


longarm 15th August 2003 00:10

Port scan Attacks
 
McAfee firewall keeps telling me it's traced a port scan attack. I've traced it but I'm lost as to what to do now? Also what is a port scan attack? Help, I'm lost!

Naples Air Center, Inc. 15th August 2003 00:46

longarm,

The increased attacks you are seeing are caused by the MSBlast/LoveSAN Worm. There are two threads already about it in this forum. Here is the main thread:

RPC/Blast worm virus

You can report the attacks to McAfee if you want. There is an option to do so in the Firewall software.

Take Care,

Richard

Evo 15th August 2003 03:26

It isn't necessarily due to w32.blaster.worm - my firewall regularly gets scanned by all sorts of things from old-fashioned ping to the latest worm-of-the-week. It almost certainly isn't an attack as such, just an attempt to find out what is out there in your corner of the internet. If you're exposing an exploitable vulnerability then you may get revisited in more depth, but your computer is probably too dull to be of interest. :)

Your firewall is doing its job, so unless you are repeatedly scanned across a variety of TCP ports then I'd ignore it. A precursor to a real attack would probably be sufficiently stealthed that many firewalls wouldn't pick it up anyway.

As an aside, if you're really interested in learning about what's going on, have a look here, have a look at some of the reading list, grab nmap (easier if you have a Linux box) and start scanning yourself. It's quite interesting what you may be offering to the outside world :)
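
The rule of thumb in the post above (ignore one-off probes, take notice of repeated scans across a variety of TCP ports) can be applied to a firewall's drop log. The following is an added example, not part of the original post; the log line format, the addresses and the five-port threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log; the line format is an assumption, not McAfee's real format.
SAMPLE_LOG = """\
2003-08-15 00:01:12 DROP TCP 198.51.100.7:4021 -> 192.0.2.10:135 SYN
2003-08-15 00:01:15 DROP TCP 198.51.100.7:4022 -> 192.0.2.10:135 SYN
2003-08-15 00:01:21 DROP TCP 198.51.100.7:4023 -> 192.0.2.10:135 SYN
2003-08-15 00:03:00 DROP ICMP 203.0.113.9 -> 192.0.2.10 echo-request
2003-08-15 00:07:40 DROP TCP 203.0.113.50:3301 -> 192.0.2.10:21 SYN
2003-08-15 00:07:40 DROP TCP 203.0.113.50:3302 -> 192.0.2.10:22 SYN
2003-08-15 00:07:41 DROP TCP 203.0.113.50:3303 -> 192.0.2.10:23 SYN
2003-08-15 00:07:41 DROP TCP 203.0.113.50:3304 -> 192.0.2.10:25 SYN
2003-08-15 00:07:42 DROP TCP 203.0.113.50:3305 -> 192.0.2.10:80 SYN
2003-08-15 00:07:42 DROP TCP 203.0.113.50:3306 -> 192.0.2.10:110 SYN
2003-08-15 00:07:43 DROP TCP 203.0.113.50:3307 -> 192.0.2.10:139 SYN
"""

LINE_RE = re.compile(
    r"^\S+ \S+ DROP (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::\d+)? -> [\d.]+(?::(?P<dport>\d+))?"
)

def triage(log_text, sweep_threshold=5):
    """Group dropped packets by source address and classify each source."""
    hits = defaultdict(int)
    tcp_ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        hits[m["src"]] += 1
        if m["proto"] == "TCP" and m["dport"]:
            tcp_ports[m["src"]].add(int(m["dport"]))
    report = {}
    for src, count in hits.items():
        ports = sorted(tcp_ports[src])
        if len(ports) >= sweep_threshold:
            verdict = "sweep"        # many distinct ports: worth an abuse report
        elif ports:
            verdict = "probe"        # one or two services: worm or background noise
        else:
            verdict = "ping/other"   # no TCP ports touched at all
        report[src] = {"hits": count, "tcp_ports": ports, "verdict": verdict}
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(src, info)
```

A source that keeps knocking on a single port, like the first address here, counts as a probe however often it repeats; only the spread of ports moves it to a sweep.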

DistantRumble 19th August 2003 20:00

As a corporate admin in some of my time, we look up the abuse ISP contact for the emanating IP address and send abuse reports to them .. this is good practice and polite


www.ripe.net
and www.arin.net for whois db for US and EU

RomeoTangoFoxtrotMike 19th August 2003 20:13


> As an aside, if you're really interested in learning about what's going on, have a look here, have a look at some of the reading list, grab nmap (easier if you have a Linux box) and start scanning yourself. It's quite interesting what you may be offering to the outside world

Notwithstanding the fact that "they" are doing it to you, you need to bear in mind that such scanning may be illegal -- I say may, because although "unauthorised access" is an offence under the act, nobody has tested in court (to any significant extent) what actually constitutes "unauthorised access" :mad:

If you are repeatedly being scanned from a particular address or network[*], you may want to report this fact to the ISP concerned -- but bear in mind that such an ISP could be anywhere in the world. Reputable ISPs will do something about this -- you will be surprised by the number of well-known ISPs which are not reputable, using this definition :mad:

Pruners may find http://www.samspade.org/ssw/ useful for tracing the source of this stuff :ok:

* If you need more info on how network addresses work, please come back to me.

HTH,

RTFM

Keef 19th August 2003 20:26

Very true. I've turned off recording of port scans and the like - I was getting too many to bother to report them.

The worst offenders, in my experience, both for port scans and spam, are Chinese, Korean, Japanese, and others from that part of the world.

Close behind come Mexico, Brazil, and Argentina.

Then, and probably ten to twenty a day on my machine, are from the infamous North American ISPs: Attbi.com, Bell.ca, Comcast.net, Pacbell, RR.com, and above all Verizon. I've sent them all frequent "cease and desist" messages which they've totally ignored. I assume port scanning and spam-sending is totally legal in the USA and nothing can be done about it.

RomeoTangoFoxtrotMike 19th August 2003 20:39


> I assume port scanning and spam-sending is totally legal in the USA and nothing can be done about it.

I'm not familiar with US law, but I believe that they have tightened up a lot on this recently. However.... as with so much in the USA everything is money-centered: I believe that nobody is interested in prosecuting, unless a lot of money is involved. Some years back I heard a figure of $100,000 being mentioned. So I guess these days, if you haven't lost over $500,000 they won't be interested... :yuk:

Evo 20th August 2003 00:00

RTFM -


> Notwithstanding the fact that "they" are doing it to you, you need to bear in mind that such scanning may be illegal -- I say may, because although "unauthorised access" is an offence under the act, nobody has tested in court (to any significant extent) what actually constitutes "unauthorised access"

Um, I did say scan yourself (as in 127.0.0.1). I'm guessing that's authorized :) but I could have worded it better. But don't try this at work without asking that friendly ... or otherwise ... sysadmin, folks.

I stand by what I said, though. I've learned an awful lot about network security by playing with some of these tools, and nmap is one of the most useful. Turn the firewall off and see what services you are offering to the outside world. Turn it on, port scan yourself, watch the firewall pick it up, then turn on SYN or FIN stealth and with some home favourites watch it do nothing... :ooh:

