Who is portscanning me?

willmac

Hi, curiosity is getting the better of me. I have a dialup internet connection and a firewall up and running. At present I get around 5 alerts per minute telling me that a remote host is portscanning me. I try to determine the host name using a little freeware app called IP Convert but it has never been able to resolve the host name (it does work because I have tried it on website IP addresses). Is there any way that I can find out where these attacks are coming from?

PS I only seem to get scanned in the high port numbers!

will
 
I assume your firewall is reporting the IP address of the device performing the port scan on your computer. You are then attempting to identify the DNS-registered host name associated with this IP address.

It is very unlikely that a server with a DNS-registered host name is running a port scan on your computer. A port scan is not exactly a proper activity that a reputable server should perform. The person running the port scan would not want to be identified. They would be using a temporary IP address (like a DHCP address from an ISP) to perform this type of activity anonymously.
 
The only way to tell is to sniff the line. I've never tried tcpdump with a dialup connection, so I don't know if you will be able to see anything.
 
You can also use traceroute on the IP. That won't necessarily tell you who it is, but it will give you a good idea of where they are.

-Eric
 
Don't bother. Real firewalls don't scream bloody murder every time a harmless little port scan comes along; they just sit quietly in the background and do their job - blocking that portscan. If you want to know what's been going on, you can check the logs.

Zillions of little script kiddies around the world with broadband connections are running zillions of automated scans of entire blocks of the Internet all the time.

If they're clever, they will select netblocks appropriate to the vulnerability they are looking for - .edu blocks for Unix vulnerabilities, residential access blocks for old Windows vulnerabilities, etc. - so if you're on a home dial-up, they're likely going to be after Windows boxes.

Also, if they're halfway clever enough to present a threat to you (an up-to-date OS X user, presumably), they will likely be using a whole bunch of spoofed source IP addresses, so your firewall will report about 12 different sources, only one of which will be the real one. Since it seems you're using one of these personal (i.e. toy) firewalls, it will probably stop logging IP addresses after the first half dozen or so, so you very likely wouldn't see the real one anyway.
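One way to act on the "check the logs" advice in the reply above, as an added example that is not part of any post in this thread: a small Python script that parses a constructed firewall log (the line format, addresses and timestamps are assumptions, since the thread never shows the original poster's firewall output), counts alerts per source address, flags sources that hit many distinct high ports (the "high port numbers" from the original question), and groups probes by second and destination port to spot the many-sources-same-port pattern the last reply attributes to spoofed decoy addresses. The `reverse_lookup` helper wraps the standard `socket.gethostbyaddr` so a failed PTR lookup returns `None` instead of raising, which is the usual outcome the second reply predicts.

```python
"""Summarise firewall port-scan alerts per source address.

Added example, not from the original thread. The log format below is a
constructed one (timestamp, action, protocol, src:port -> dst:port); a real
personal firewall writes its own format, so adapt LINE_RE / parse_line().
"""
import re
import socket
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic); addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2003-05-12 10:01:02 DENY TCP 203.0.113.5:4455 -> 192.0.2.10:61234
2003-05-12 10:01:02 DENY TCP 203.0.113.5:4456 -> 192.0.2.10:61235
2003-05-12 10:01:03 DENY TCP 203.0.113.5:4457 -> 192.0.2.10:61236
2003-05-12 10:01:03 DENY TCP 203.0.113.5:4458 -> 192.0.2.10:49152
2003-05-12 10:01:09 DENY TCP 198.51.100.7:1025 -> 192.0.2.10:139
2003-05-12 10:01:09 DENY TCP 198.51.100.8:1025 -> 192.0.2.10:139
2003-05-12 10:01:09 DENY TCP 198.51.100.9:1025 -> 192.0.2.10:139
2003-05-12 10:01:09 DENY TCP 198.51.100.10:1025 -> 192.0.2.10:139
2003-05-12 10:01:09 DENY TCP 198.51.100.11:1025 -> 192.0.2.10:139
this line is not a firewall record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class SourceStats:
    events: int = 0
    dst_ports: set = field(default_factory=set)
    timestamps: set = field(default_factory=set)


def parse_line(line):
    """Return a dict of fields for one record, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarise(log_text):
    """Aggregate events, distinct destination ports and seconds per source IP."""
    per_src = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s.events += 1
        s.dst_ports.add(rec["dport"])
        s.timestamps.add(rec["ts"])
    return dict(per_src)


def classify(per_src, min_ports=3, high_port=1024):
    """Label each source: (label, events, distinct ports, all ports > high_port)."""
    out = {}
    for src, s in per_src.items():
        label = "port sweep" if len(s.dst_ports) >= min_ports else "single-port probe"
        all_high = all(p > high_port for p in s.dst_ports)
        out[src] = (label, s.events, len(s.dst_ports), all_high)
    return out


def decoy_bursts(log_text, min_sources=4):
    """Group probes by (second, destination port).

    Many different sources hitting the same port within the same second is the
    pattern the thread describes for spoofed/decoy source addresses: at most
    one of them is the real scanner, so the source list cannot be taken at
    face value.  Returns {(ts, dport): [sources]} for groups above the threshold.
    """
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["ts"], rec["dport"])].add(rec["src"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_sources}


def reverse_lookup(ip):
    """Best-effort PTR lookup; None when nothing is registered or DNS is unreachable."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for src, (label, n, ports, high) in classify(stats).items():
        print(f"{src:16} {label:18} events={n} ports={ports} "
              f"all_high_ports={high} ptr={reverse_lookup(src)}")
    for (ts, port), srcs in decoy_bursts(SAMPLE_LOG).items():
        print(f"{ts} port {port}: {len(srcs)} sources in one second -> possible decoys: {srcs}")
```

Run it as a script to see the per-source table and any decoy-style bursts; `reverse_lookup` is only called in that `__main__` section because it touches the network, so the aggregation functions can be run and tested offline against a saved log file.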
 