How can I find what generates a NetScan Abuse and how to prevent it?
I have a VPS on which I have some Docker containers running. From time to time I receive a message, similar to the one below, from my VPS provider that a NetScan abuse was detected from my server.
As can be seen, the source IP is my server's IP, using random ports and trying to scan different local IPs on a fixed port. Sometimes it is a port used by my Docker containers, sometimes not.
> # Netscan detected from host 49.x.x.x #
> ##########################################################################
>
> time protocol src_ip src_port dest_ip dest_port
> ---------------------------------------------------------------------------
> Mon Sep 14 16:22:53 2020 TCP 49.x.x.x 51360 => 172.20.162.202 5432
> Mon Sep 14 16:22:53 2020 TCP 49.x.x.x 40062 => 172.20.162.216 5432
> Mon Sep 14 16:22:53 2020 TCP 49.x.x.x 41904 => 172.20.162.221 5432
> Mon Sep 14 16:22:53 2020 TCP 49.x.x.x 56428 => 172.20.162.230 5432
> Mon Sep 14 16:22:53 2020 TCP 49.x.x.x 59682 => 172.20.162.249 5432
And the list goes on...
My question is: how can I find out what triggers such behaviour and how can I prevent it?
LE: my ip route result:
default via 172.31.1.1 dev eth0 proto dhcp metric 100
49.x.x.x dev eth0 proto kernel scope link src 49.x.x.x metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.31.1.1 dev eth0 proto dhcp scope link metric 100
172.255.0.0/24 dev br-632ed70d0651 proto kernel scope link src 172.255.0.1
172.255.1.0/24 dev br-0d6c24afff89 proto kernel scope link src 172.255.1.1
Solution 1:
Don't try to route private IP addresses to the Internet. If that network is used by your Docker containers, make sure Docker is up and the virtual network was created correctly.
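
An added example, not part of the original question or answer: it replays the question's `ip route` table against the reported destinations to show that none of them matches a local Docker route, so each one leaves through the default route on eth0. The redacted address 49.x.x.x is replaced here by the documentation address 192.0.2.10, and the function names are hypothetical.

```python
import ipaddress
import re

# Copied from the question; 192.0.2.10 stands in for the redacted 49.x.x.x.
IP_ROUTE = """\
default via 172.31.1.1 dev eth0 proto dhcp metric 100
192.0.2.10 dev eth0 proto kernel scope link src 192.0.2.10 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.31.1.1 dev eth0 proto dhcp scope link metric 100
172.255.0.0/24 dev br-632ed70d0651 proto kernel scope link src 172.255.0.1
172.255.1.0/24 dev br-0d6c24afff89 proto kernel scope link src 172.255.1.1
"""
REPORT = """\
Mon Sep 14 16:22:53 2020 TCP 192.0.2.10 51360 => 172.20.162.202 5432
Mon Sep 14 16:22:53 2020 TCP 192.0.2.10 40062 => 172.20.162.216 5432
Mon Sep 14 16:22:53 2020 TCP 192.0.2.10 41904 => 172.20.162.221 5432
Mon Sep 14 16:22:53 2020 TCP 192.0.2.10 56428 => 172.20.162.230 5432
Mon Sep 14 16:22:53 2020 TCP 192.0.2.10 59682 => 172.20.162.249 5432
"""
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_routes(text):
    """Turn `ip route` output into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix), dev))
    return routes

def lookup(routes, addr):
    """Longest-prefix match, the rule the kernel uses to pick a route."""
    ip = ipaddress.ip_address(addr)
    return max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)

def leaked_private_destinations(routes, report):
    """Report destinations in RFC 1918 space that only the default route covers."""
    leaked = []
    for dst in re.findall(r"=>\s+(\d+\.\d+\.\d+\.\d+)\s+\d+", report):
        net, dev = lookup(routes, dst)
        ip = ipaddress.ip_address(dst)
        if net.prefixlen == 0 and any(ip in n for n in RFC1918):
            leaked.append((dst, dev))
    return leaked

if __name__ == "__main__":
    for dst, dev in leaked_private_destinations(parse_routes(IP_ROUTE), REPORT):
        print(f"{dst}: no local route, sent out {dev} via default gateway")
```

Run against a live host, the same check takes the output of `ip route` and the destinations from the provider's report as its two inputs.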