How to report port or address range scanning
What is scanning?
See also Port and address scanning.
Address range scanning
The most common abuse is from a worm (or virus, bot etc) trying to infect other computers by exploiting a single vulnerability on the same port at a great number of addresses.
Port scanning
You may be reporting packets or connections to a large number of UDP or TCP ports at just one address (or a very small number of addresses).
Abuse from JANET addresses or domains
See the general guidance Reporting abuse originating from JANET for notes on which domains and IP addresses are part of JANET.
What to include in your report
Please include as much as possible of the following:
- source IP address in JANET;
- number of destination IP addresses (in your network) for an address range scan, and the range of addresses scanned; or destination address for a port scan;
- destination TCP or UDP port for an address range scan; or range of TCP or UDP ports scanned at a single address;
- date and time when the abuse started and finished (include your timezone and check whether your system clock was accurate at the time);
- brief description of what happened;
- any original log or trace information;
- any other information you think may be helpful.
Often a good sample of log information is all that is needed.
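One way to pull the fields listed above out of a log sample, as an added example that is not JANET CSIRT's own tooling. The log line format, the `summarise` function, the documentation-range addresses and the addresses-versus-ports heuristic are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample lines in a hypothetical firewall format (not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:01+00:00 DROP SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP DPT=445
2024-03-01T10:00:02+00:00 DROP SRC=192.0.2.10 DST=198.51.100.2 PROTO=TCP DPT=445
2024-03-01T10:00:03+00:00 DROP SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP DPT=445
2024-03-01T11:30:00+01:00 DROP SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP DPT=22
2024-03-01T11:30:01+01:00 DROP SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP DPT=23
2024-03-01T11:30:04+01:00 DROP SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP DPT=80
garbage line that does not match
"""

LINE = re.compile(r"^(\S+) \S+ SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)$")

def summarise(log_text):
    """Group matching lines by source and return the fields the report asks for."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unparsed lines stay out of the summary; send them as raw log
        ts, src, dst, proto, port = m.groups()
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        events[src].append((when, ip_address(dst), proto, int(port)))
    report = {}
    for src, rows in events.items():
        dsts = sorted({r[1] for r in rows})
        ports = sorted({(r[2], r[3]) for r in rows})
        # Heuristic (assumption): more addresses than ports means an address range scan.
        kind = "address range scan" if len(dsts) > len(ports) else "port scan"
        report[src] = {
            "kind": kind,
            "destination_count": len(dsts),
            "address_range": (str(dsts[0]), str(dsts[-1])),
            "ports": ports,
            "started_utc": min(r[0] for r in rows).isoformat(),
            "finished_utc": max(r[0] for r in rows).isoformat(),
        }
    return report

if __name__ == "__main__":
    for src, fields in summarise(SAMPLE_LOG).items():
        print(src, fields)
```

Timestamps are normalised to UTC so the timezone stated in the report is unambiguous; the original log lines should still be attached unchanged.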
To get your report to JANET CSIRT see the general guidance Reporting abuse originating from JANET, which also explains how we will respond.
Abuse of JANET from outside
If you belong to a JANET organization and you have seen scanning of your network, please note the advice in Reporting abuse if you are a JANET user. Normally users should refer first to their local IT support or network staff.
The information required is the same as that described above where the abuse may have originated within JANET, but it is not always easy to decide where to send the report.