Stopping an attacker?

[Spanky]

I've got this guy trying a port scan on my network. My router is catching it, so it's not like he's getting in, but it sure is annoying to get security violation e-mails every few minutes. I've back-traced him to an ISP in Algeria, and sent e-mail to his ISP and to him personally asking him to stop, but the attack continues. I forced my router to renegotiate a different IP address, and tried to block his IP address, but I'm still getting 'SYN with Data' security notices.

His ISP said they would look into it, but it would take a few days, which seems like plenty of time for him to finish a complete scan.

Can you suggest any other steps I could/should take to thwart this jerk?

[wh1t3 and n3rdy]

I just yesterday got a guy in japan nailed for trying to Ddos me. (emailed his ISP with logs and screencaps. They shitcanned his access). Personally i would keep amassing logs to use as evidence against him. You could always post his IP address on a hacking forum.

[digip]

I forced my router to renegotiate a different IP address

If your home IP has changed and you still see traffic from the same foreign IP address trying to get in, makes me think they are already on the inside of your network somehow, and calling home while trying to scan the rest of your network. Make sure your router itself hasn't been hacked.

[barry99705]

I get crap like that all the time. I just have my firewall drop everything from those ip addresses after 3 bad snort hits.

[Netshroud]

What firewall is that?

[barry99705]

What firewall is that?

Smoothwall with a few addons. Here's the firewall graph for the last week.

[ameshockey]

Smoothwall with a few addons. Here's the firewall graph for the last week.

can you please tell me what addons, i am about to start using smoothwall.

[psydT0ne]

Maybe he has some pox on his pc that is allowing someone else to run a portscans....

I'd let the ISP look into it further, first.

Just keep logs of everything that occurs for now...and of course take whatever precautions u need to, backing up data, adding a firewall etc etc.

OR...

Maybe route the traffic from this guy to a nice honeypot?

[dr0p]

More than likely just part of an automated scan, nothing to worry about.

[Darkmist!]

well you can make your own TCP/IP stack and just open up up listening connections that are reporting that they have room for a connection but not the memory. this will force the connection to stay open and not be dropped by the attacker. this way you can DOS a connection with 1 laptop.

my explanation is a bit fuzzy. they went into great detail on it on security now under the sockstress podcast.

im at work so i cant go into much detail. but look into that

[vanquish.security]

I've got this guy trying a port scan on my network. My router is catching it, so it's not like he's getting in, but it sure is annoying to get security violation e-mails every few minutes. I've back-traced him to an ISP in Algeria, and sent e-mail to his ISP and to him personally asking him to stop, but the attack continues. I forced my router to renegotiate a different IP address, and tried to block his IP address, but I'm still getting 'SYN with Data' security notices.

His ISP said they would look into it, but it would take a few days, which seems like plenty of time for him to finish a complete scan.

Can you suggest any other steps I could/should take to thwart this jerk?

If your on a more advanced level, try iptables on Linux. You will need knowledge of Linux and configuring the rules for IPtables. You will have more flexibly to block attacker IP address's, and the sky's the limit with what you can do.