[strongSwan] How to block Netstat attacks from VPN users?

Noel Kuntze noel.kuntze at thermi.consulting
Wed Jul 31 12:21:20 CEST 2019

Hello Houman,

A "netscan" attack isn't actually anything worthy of an abuse email.
It's not part of a benign usage pattern of a VPN service, but it itself isn't illegal or anything.
You can only slow down such scans by rate limiting the number of new connections using the hashlimit match module, for example.

E.g. -A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-name newconns --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT

Kind regards


Am 30.07.19 um 16:39 schrieb Houman:
> Sorry I mistyped. I meant Netscan.
> The abuse message was saying: *NetscanOutLevel: Netscan detected from xx.xx.xx.xx*
> This is possible though, that VPN users run a netscan and scan the ports. Am I correct?
> Thanks,
> On Tue, 30 Jul 2019 at 15:30, Thor Simon <Thor.Simon at twosigma.com <mailto:Thor.Simon at twosigma.com>> wrote:
>     I don't think netstat does what you think it does.  It is a _local_ tool.  Perhaps the "abuse notification" you received is a phishing attack?
>     Have a look at the manual page:
>     http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
>     ________________________________
>     From: Houman <houmie at gmail.com <mailto:houmie at gmail.com>>
>     Sent: Jul 30, 2019 10:18 AM
>     To: users at lists.strongswan.org <mailto:users at lists.strongswan.org>
>     Subject: [strongSwan] How to block Netstat attacks from VPN users?
>     Hello,
>     I had an interesting abuse notification that someone has run a netstat through our VPN.
>     > time                protocol src_ip src_port          dest_ip dest_port
>     > ---------------------------------------------------------------------------
>     > Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 21346
>     > Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 21346
>     I was wondering if there is a good way to block all VPN users from running hacker tools such as netstat (port scanning) altogether.  Is there a reliable way to do that with iptables?
>     I came across this snippet that should block port scans, but I'm not sure if that would block a VPN user after all since the VPN traffic is masqueraded.
>     iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
>     iptables -A port-scan -j LOG --log-level 6
>     iptables -A port-scan -j DROP
>     iptables -A specific-rule-set -p tcp --syn -j syn-flood
>     iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
>     Any suggestions, please?
>     Many Thanks,
>     Houman

Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
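
A fuller version of the hashlimit approach from the reply above, as an added example that is not code from either mail: it keys the limit on each VPN client's own address (FORWARD is evaluated before POSTROUTING masquerade, which answers the NAT concern in the original question), logs the excess at a capped rate so a scan is visible in syslog, and emits iptables-restore syntax so the set loads atomically. The client pool, the limits and the chain name are assumptions.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original mails.
# Emits iptables-restore syntax that rate-limits NEW connections per VPN
# client source address with hashlimit, logs the excess for detection and
# drops it. The client pool, limits and chain name are assumptions.
set -eu

VPN_CLIENT_NET="${VPN_CLIENT_NET:-10.10.0.0/16}"  # assumed strongSwan virtual IP pool
NEW_PER_SEC="${NEW_PER_SEC:-5}"                   # steady-state new flows per client
BURST="${BURST:-20}"                              # flows allowed before the limit bites
LOG_PER_MIN="${LOG_PER_MIN:-6}"                   # cap log lines so a scan cannot flood syslog

# Print the rule set. FORWARD runs before POSTROUTING masquerade, so the
# hashlimit bucket is keyed on the real client address, not the NAT address.
# Load this before the rule that ACCEPTs VPN traffic in FORWARD; conforming
# flows RETURN to FORWARD and reach that ACCEPT, excess flows are dropped.
vpn_scan_rules() {
    cat <<EOF
*filter
:VPN_NEW_LIMIT - [0:0]
-A FORWARD -s ${VPN_CLIENT_NET} -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j VPN_NEW_LIMIT
-A VPN_NEW_LIMIT -m hashlimit --hashlimit-name vpn_new --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto ${NEW_PER_SEC}/second --hashlimit-burst ${BURST} -j RETURN
-A VPN_NEW_LIMIT -m limit --limit ${LOG_PER_MIN}/minute -j LOG --log-prefix "VPN_NEW_LIMIT: " --log-level 6
-A VPN_NEW_LIMIT -j DROP
COMMIT
EOF
}

# Number of rules the set would add; a cheap sanity check before loading.
vpn_scan_rule_count() {
    vpn_scan_rules | grep -c '^-A '
}

case "${1:-print}" in
    apply) vpn_scan_rules | iptables-restore --noflush ;;   # needs root
    *)     vpn_scan_rules ;;
esac
```

Run it without arguments to review the generated rules; `apply` loads them with `iptables-restore --noflush` so existing rules are kept.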

