Dealing with portscans

David Allen the.real.david.allen at
Mon Sep 22 22:12:19 UTC 2008

On 9/22/08, Matthew Seaman <m.seaman at> wrote:
> David Allen wrote:
>> On 9/22/08, Ghirai <ghirai at> wrote:
>>> On Mon, 22 Sep 2008 08:17:02 -0700
>>> "David Allen" <the.real.david.allen at> wrote:

>> However, receiving SYN packets to ports 1024-40000 isn't going to
>> match anything than a default "block all" rule, which creates no
>> state.  That gives you zero such features to work with, but does give
>> you 38976 individual log entries.
> Most of this sort of port scanning is automated by infected machines
> -- it doesn't indicate a directed attack at you.  It's been described as
> the 'background radiation of the Internet'.  So long as your systems
> aren't vulnerable to the specific problems the malware is attempting to
> exploit -- and assuming you aren't running windows then you're almost
> certainly immune from this automated stuff -- then why bother putting any
> effort into blocking the source hosts?  Just dump the traffic and ignore.
> Drop the traffic using a 'block log all' default action and 'set
> block-policy drop' in pf.conf.

I'm not sure I agree that a single host scanning 30K ports can be so
easily dismissed as the result of a bot.  That said, I agree with your
comments generally, but I prefer to log blocked traffic (with the
exception of certain categories of "noise").  That means when the
"block log all" rule matches, I'm at risk of tens of thousands of
Mostly Useless log entries as pointed out earlier.

The fact that those log entries or that activity is also Mostly
Harmless, could mean that your Don't Panic is the right advice.  But
then, what if it's someone trying to build an interspace bypass and
all I have is a bathrobe and a towel to work with?

> Don't open up high-port ranges to incoming traffic, either UDP or TCP
> -- if you have to run FTP servers then use ftp/ftp-proxy to avoid having
> to open your firewall too much.

I could write a rule to explicitly block (and not log) high port
ranges, but I'd prefer at least to be aware of someone actively
scanning my network.  Which suggests, at least to me, that limited
logging with automagic table creation is the way to go.

> Also consider the following sysctls:
> # Blackhole packets to ports without listeners
> net.inet.tcp.blackhole=1
> net.inet.udp.blackhole=1
> although these will be redundant if your firewalling is effective.

I wonder, though, would using a block-policy setting of return (which
I'm currently using) render the above redundant, or would the above
take precedence?  I'll have to add that to the list of Stuff to Check.

> Cheers,

Same to you, mate.  And thanks for gracing me with your presence once again.
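The settings discussed in this thread ('set block-policy', a 'block log all' default, an unlogged rule for the high-port noise, and a table that pf fills automatically via an overload clause) put together in one pf.conf fragment. This is an added example, not a configuration from either poster or from the FreeBSD project; the interface name em0, the table name <scanners> and the ssh-only inbound policy are assumptions.

```pf
# Added example pf.conf fragment (not from the thread). Assumes the external
# interface is em0 and that only ssh is meant to be reachable from outside.
ext_if = "em0"

# Blocked packets are silently dropped rather than answered with RST/ICMP.
set block-policy drop
set skip on lo0

# Table filled automatically by the overload clause below; 'persist' keeps it
# even while no rule references it at load time.
table <scanners> persist

# Default: block and log everything not explicitly passed.
block log all

# Silence the high-port "noise" so it never reaches pflog: no 'log' keyword.
# 'quick' ends rule evaluation here, trading awareness of such scans for a
# usable log.
block in quick on $ext_if proto { tcp, udp } from any to any port 1024:40000

# Anything already identified as abusive is dropped before the pass rules.
block in quick on $ext_if from <scanners>

# Allow ssh, but a source exceeding 5 new connections per 30 seconds is added
# to <scanners> and all of its existing states are killed.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
    (max-src-conn-rate 5/30, overload <scanners> flush global)

# Outbound traffic from this host.
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, inspect the table with `pfctl -t scanners -T show`, and watch what the default rule is still logging with `tcpdump -n -e -ttt -i pflog0`. Two caveats that follow from the thread itself: the overload clause only fires on a pass rule that creates state, so a SYN to a port that is closed or blocked never populates the table (exactly the "creates no state" problem raised above), and the net.inet.tcp.blackhole / net.inet.udp.blackhole sysctls only govern packets that reach the TCP/UDP stack with no listener, so they have no effect on packets pf has already blocked, whichever block-policy is set.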
