From: John Dalbec <jpdalbec@ys...> - 2003-01-27 15:11:14
No, they're not. See below.
Toby Johnson wrote:
> Psad says that my ISP (attbi.com, I go through insightbb.com) is scanning
> me. They have scanned UDP and TCP ports in the 33000-34000 range so far,
> from two different IPs (126.96.36.199 and 188.8.131.52).
Probably these hosts are not scanning you. PSAD (actually, iptables)
has false positives when DNS response times are slow. Check the source
port on the "scan" packets. If it's 53 (DNS) then what you are seeing
are late DNS responses that are being dropped and logged by your firewall.
This problem has to do with the connectionless nature of UDP. The
kernel tries to track UDP "connections", but there's no way to be sure
when a UDP "connection" is closed, so it just times out the "connection"
if there's no activity after a while. Unfortunately, sometimes the
"connection" is still open when this happens and any packets from the
remote host are dropped and logged and can trigger PSAD warnings.
> The problem is that these are also their DNS servers. So the question is, if
> I block all incoming packets from them, will that affect my ability to use
> DNS at all?
It's possible you would no longer be able to use DNS. I would recommend
instead adding these hosts to psad_auto_ips with a danger level of "0"
(or is it -1?) so that PSAD will no longer send false scan warnings.
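[Added example for the check John describes above; this is not code from
the original post or from psad itself. It assumes the log lines are in the
format the iptables LOG target writes to syslog (SRC=, DST=, PROTO=, SPT=,
DPT= fields), which is what psad parses. The sample lines are constructed
for the example, with addresses from documentation ranges, not real traffic.
The thresholds and class names are this example's own.]

```python
"""Triage dropped-packet log lines the way John suggests: a dropped UDP
packet with source port 53 going to an ephemeral port is most likely a
late DNS reply (the kernel's UDP "connection" entry had already timed out),
not a port scan.  Everything else stays a candidate scan for a human to
look at.  A source whose drops are *all* late DNS replies is the kind of
host one would put in psad_auto_ips rather than block.
"""
import re
from collections import Counter, defaultdict

# The fields we need from an iptables LOG line (assumed format: KEY=VALUE pairs).
_FIELD = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_log_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of an iptables LOG line, or None
    if the line is not a packet log entry."""
    fields = dict(_FIELD.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    # ICMP lines have no ports; treat missing ports as 0.
    fields["SPT"] = int(fields.get("SPT", 0))
    fields["DPT"] = int(fields.get("DPT", 0))
    return fields


def classify(entry):
    """'late-dns-reply' for UDP from source port 53 to an ephemeral (>=1024)
    destination port, otherwise 'candidate-scan'.  TCP from port 53 is not
    excused: the timed-out-conntrack explanation only applies to UDP."""
    if entry["PROTO"] == "UDP" and entry["SPT"] == 53 and entry["DPT"] >= 1024:
        return "late-dns-reply"
    return "candidate-scan"


def summarize(lines):
    """Per source address, count dropped packets in each class."""
    per_src = defaultdict(Counter)
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        per_src[entry["SRC"]][classify(entry)] += 1
    return dict(per_src)


def likely_false_positives(summary):
    """Sources whose dropped packets are all late DNS replies: candidates for
    psad_auto_ips with a low danger level, not for a block rule."""
    return sorted(src for src, counts in summary.items()
                  if counts["late-dns-reply"] and not counts["candidate-scan"])


# Constructed sample log lines (not real traffic).  192.0.2.10 and 192.0.2.11
# play the ISP's DNS servers; 203.0.113.7 plays a host probing TCP ports.
_PREFIX = "Jan 27 10:01:02 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
SAMPLE_LOG = [
    _PREFIX + "SRC=192.0.2.10 DST=198.51.100.5 LEN=112 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=53 DPT=33421 LEN=92",
    _PREFIX + "SRC=192.0.2.10 DST=198.51.100.5 LEN=98 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=53 DPT=33905 LEN=78",
    _PREFIX + "SRC=192.0.2.11 DST=198.51.100.5 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=53 DPT=33120 LEN=84",
    _PREFIX + "SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=4242 DF PROTO=TCP SPT=53 DPT=33600 WINDOW=5840 RES=0x00 SYN URGP=0",
    _PREFIX + "SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1001 DF PROTO=TCP SPT=4231 DPT=33400 WINDOW=5840 RES=0x00 SYN URGP=0",
    _PREFIX + "SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1002 DF PROTO=TCP SPT=4232 DPT=33401 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 27 10:02:00 gw kernel: some unrelated kernel message",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, counts in sorted(summary.items()):
        print(src, dict(counts))
    print("likely DNS false positives:", likely_false_positives(SAMPLE_LOG and summary))
```

Run on the real log it would be `summarize(open("/var/log/messages"))`.
A source that shows up only as late DNS replies is the case John is
describing; a source that also sends unsolicited TCP SYNs (203.0.113.7
here, or 192.0.2.11's TCP packet from port 53) still deserves a look.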