My Ports are being scanned

Posted on 2006-10-30
Medium Priority
Last Modified: 2010-04-11
I'm running a Windows 2003 server with a Zyxel firewall. The firewall logs indicate that I am regularly having my ports scanned. Is there any way I can identify who's doing the scanning? What information can I get from the offending IP address? Is there some 'passive' investigation I can do?
Question by:mike99c

Accepted Solution

crawfordits earned 1000 total points
ID: 17838725
Take the IP to www.dnsstuff.com.  Get the abuse email address and try reporting to the ISP of the person performing the port scanning.

Expert Comment

by:Austin Texas
ID: 17840006
Mike -

Since currently this is a port scanning issue and not spam, I would instead recommend that you get the IP block ownership records from ARIN (http://www.arin.net).

This will tell you what ISP owns the IP block.  Send your logs to their abuse department and don't get your hopes up.

Let me know what happens.

Thanks - Tex


Expert Comment

ID: 17842306
You can go to www.arin.net, lacnic.net or the IP block administrator you need, to find who the owner is. However, it's very probable that you will find that the IP belongs to an ISP, and they will never tell you who is bothering you unless you go to trial... Maybe the abuse department may help, but I don't really trust them... Trying to be as protected as you can (patches, antivirus, personal firewall or firewall, good OS configurations) will be the best you can do for yourself.
On the other hand, you will be investigating ISPs all the time because this is VERY common.

Expert Comment

by:Rich Rumble
ID: 17849223
Scan yourself to see what info might be available; your firewall should be logging the IP addresses. As stated above, do an nslookup and whois on the IPs to see what domain or ISP you can report the abuse to. If you scan yourself and see that there isn't much you didn't already know, like port 80 is open, then don't bother, otherwise you'll spend all your time reporting abuse and doing nothing else ;) You should have self or contracted audits done on a regular basis. If you're being hosted at an ISP, they should take care of patching and securing the servers themselves (if they own them), but it never hurts to have an audit done to make sure they do their jobs.

Expert Comment

ID: 17850916
Port scanning is not illegal, and if you are connected to the net, just a fact of life.

It's analogous to somebody knocking on your door.
It only becomes illegal when they break in.

Expert Comment

by:Austin Texas
ID: 17851331
That analogy is not quite equal IMHO.  A ping might be more like a knock on the door, whereas a port scan is more like someone knocking on your front and back door and every window of your house.  Many port scans are accompanied with vulnerability scans, which would then equate to someone attempting to open all the doors and windows and testing the locks.  While none of this may be illegal, it is at the least suspicious and worthy of monitoring and protecting against.  Most modern firewalls can detect portscans and drop them.

Expert Comment

ID: 17851435
I would say the percentage of people out on the net that have been port scanned at some point in time is 100%.

You're not going to stop it.

There are probably tens of thousands of machines at any one time that are doing port scans, either knowingly or unknowingly.

Blaster and Nimda are still out there and what do they do? Port scan.

Author Comment

ID: 17853518
Thanks for the useful info.
I'm keeping a note of the IP addresses from the logs, but as you say a lot of this may be automated.
I did a shields up (grc) test which gave me a pass, saying all my ports were 'stealthy', even though I have some port forwarding! Maybe my h/w firewall can detect the difference between a port scan and a specific request to a single port?

Expert Comment

by:Austin Texas
ID: 17853784
More and more hardware firewalls have some form of basic algos that attempt to detect port, vulnerability and footprint scans.
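
Added example, not part of the thread and not any vendor's actual algorithm: a minimal sketch of how a threshold heuristic can tell a port scan from repeated requests to a single forwarded port, by counting distinct destination ports per source inside a sliding time window. The log layout, the sample lines and the names `parse_line` and `detect_scans` are assumptions made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the field layout is an assumption, not real ZyXEL output.
SAMPLE_LOG = """\
2006-10-30 10:00:01 src=198.51.100.7 dpt=21 action=drop
2006-10-30 10:00:01 src=203.0.113.20 dpt=80 action=forward
2006-10-30 10:00:02 src=198.51.100.7 dpt=22 action=drop
2006-10-30 10:00:02 src=198.51.100.7 dpt=23 action=drop
2006-10-30 10:00:03 src=203.0.113.20 dpt=80 action=forward
2006-10-30 10:00:03 src=198.51.100.7 dpt=25 action=drop
2006-10-30 10:00:04 src=198.51.100.7 dpt=80 action=forward
garbled line
2006-10-30 10:02:00 src=192.0.2.44 dpt=135 action=drop
2006-10-30 10:04:00 src=192.0.2.44 dpt=139 action=drop
2006-10-30 10:06:00 src=192.0.2.44 dpt=445 action=drop
"""

def parse_line(line):
    """Return (timestamp, source IP, destination port), or None if malformed."""
    parts = line.split()
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        return ts, fields["src"], int(fields["dpt"])
    except (ValueError, KeyError, IndexError):
        return None

def detect_scans(log_text, window_seconds=60, port_threshold=5):
    """Flag sources hitting >= port_threshold distinct ports within the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> (ts, port) events still inside the window
    flagged = {}                 # src -> ports seen when the threshold was crossed
    for line in log_text.splitlines():  # assumes lines are in time order
        event = parse_line(line)
        if event is None:
            continue
        ts, src, port = event
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= port_threshold and src not in flagged:
            flagged[src] = sorted(ports)
    return flagged
```

With the defaults, only 198.51.100.7 is flagged: the client that repeatedly requests port 80 never counts as a scan, and the slow source 192.0.2.44 is only caught when the window is widened, which is the usual trade-off of this kind of heuristic.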
