Portscan attacks from somewhere

I realize this is a lamer/beginner question, but I've been attacked by a couple of addresses in China and I'm not sure how to close the hole.

My snort logs (yes I'm using snort! I see you are impressed) show things like this:

TCP Portscan

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3] 
11/09-06:48:46.652278 58.218.199.227 -> 208.69.57.101
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:166 DF

And fragmentation overlap:

[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Priority: 3] 
11/09-06:25:44.678218 208.69.57.102 -> 183.177.114.1
UDP TTL:64 TOS:0x0 ID:33670 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x0000   Frag Size: 0x05C8

I don't understand what this means, but I think it means that someone is portscanning me from 58.218.199.227 (208.69.57.101 is my IP address). They are also fragmenting my overlaps, which I don't take kindly to.

This is the alert file generated by snort. My server provider shut down my server because he said there was something like 60 GB of data transfer last night.

So what should I do now?

  • What are the immediate actions? I shut down the web server and the MySQL server. Anything else I should do?
  • How do I fix the problem? Should I just go through the log file and manually block all IP addresses that generated alerts?

Solution 1:

To my eye those alerts are simple background noise. Just by being internet visible you'll get 'portscan' alerts in any firewall or IDS system. Are they an attack? No, not really. They're just jiggling door handles to figure out which doors are possibly open. This is a recon step before anything else is done.

Snort throws ALERT on those because they are potentially interesting. Trends in the ports being scanned are interesting to the general Information Security community as they yield intelligence on what the hacker community considers newly-vulnerable. If you really don't care about jiggling door handles, I believe you can suppress those alerts.
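One way to triage an alert file like the one quoted before deciding whether anything needs blocking, as an added example that is not part of the question or the answer: it parses snort's full-alert layout, groups alerts by signature and remote address, and uses the address the asker gave as "my IP" to tell inbound scans from traffic that does not involve that host. The local address range is an assumption the caller supplies.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in snort's full-alert layout: the two alerts quoted in the
# question plus one repeated portscan entry so the counts are non-trivial.
SAMPLE_ALERTS = """\
[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
11/09-06:48:46.652278 58.218.199.227 -> 208.69.57.101
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:166 DF

[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Priority: 3]
11/09-06:25:44.678218 208.69.57.102 -> 183.177.114.1
UDP TTL:64 TOS:0x0 ID:33670 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x0000   Frag Size: 0x05C8

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
11/09-07:12:01.000000 58.218.199.227 -> 208.69.57.101
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:166 DF
"""

# "[**] [gid:sid:rev] message [**]" header line of each alert block.
HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
# "timestamp src[:port] -> dst[:port]" line; ports are absent for portscan alerts.
PACKET = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?", re.M)

def parse_alerts(text):
    """Yield (gid, sid, message, src, dst) for each blank-line-separated alert block."""
    for block in text.strip().split("\n\n"):
        h, p = HEADER.search(block), PACKET.search(block)
        if not h or not p:
            continue  # skip blocks without a header or packet line
        yield int(h.group(1)), int(h.group(2)), h.group(4), p.group(1), p.group(2)

def triage(text, local_nets):
    """Count alerts per (direction, 'gid:sid message', remote IP).
    local_nets is the address range you own (assumption supplied by the caller,
    e.g. the single server address stated in the question)."""
    nets = [ip_network(n) for n in local_nets]
    is_local = lambda ip: any(ip_address(ip) in n for n in nets)
    counts = Counter()
    for gid, sid, msg, src, dst in parse_alerts(text):
        sig = f"{gid}:{sid} {msg}"
        if is_local(dst):
            counts[("inbound", sig, src)] += 1   # remote host probing you
        elif is_local(src):
            counts[("outbound", sig, dst)] += 1  # your host is the source
        else:
            counts[("other", sig, src)] += 1     # neither end is yours: check sensor placement
    return counts
```

With the asker's address as the only local range, the fragmentation alert lands in "other" because neither 208.69.57.102 nor 183.177.114.1 is the stated server IP, which is worth confirming before treating that entry as an attack on the server.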