RE: Stopping ip range scans

There are two types of network: Enterprise and Service Provider.

I kind of have both types. I call them unmanaged and managed. For certain
ip blocks (always larger than /24) all traffic is passing through a linux
firewall with multiple vlans & ethernet ports to be able to accommodate
multiple customers at the same time. I'd like to at least stop this scan
for everything behind the firewall. Would be best if I stop it for the entire
network too, but that is just a wish and I did not see any easy way to do
it using cisco configuration, and modifying access lists every minute is
probably not too interesting (here I again get reminded of the cooperative
bgp filtering draft I worked on for bogons with Michael, Rob & Joren, see
http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt
I'll have to wait until it's part of the OS to try something for scan prevention...).

The job of the service provider is very simple. Just provide plain
Internet connectivity.

The above is true if you're a very "plain" network provider. Some of us do
more than just simple internet connectivity services...

if the traffic is destined to an IP which is
in my network, it is considered legitimate traffic.)

The problem is these are random scans, the traffic is going to ips that
are not used and never were. They're clearly random sequential scans.

But it can block your legitimate traffic as well.

I've thought about it and the way I see it - if somebody is scanning me,
it's not legitimate traffic to me and a big potential security risk. So if the
same ip hits 2 or 3 sequential ip addresses within a fraction of a second on
some monitoring device, it seems ok to me if it's blocked for the next 10 minutes
(but not permanently). I don't think any legitimate traffic would be lost
in this case. (Note: the definition of "legitimate" varies from network to
network and from one person to another).

[.. SNIP ..]

The problem is these are random scans, the traffic is going to ips that
are not used and never were. They're clearly random sequential scans.

In this particular case, null-routing your aggregate is your friend. Or get a
sink hole and suck down all the !traffic to it. Please, it's the internet. Port
scans are nothing out of the ordinary.

-James
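The detection rule proposed above (same source hitting 2 or 3 sequential addresses within a fraction of a second, blocked for 10 minutes but not permanently) can be expressed as a small sliding-window detector. The code below is an added example written for this thread, not code from either poster; it assumes a constructed log format of "timestamp src=... dst=..." lines (documentation address ranges) and leaves the actual enforcement on the Linux firewall to whatever mechanism you already use. The expiry logic is what keeps the block temporary, which is the part of the proposal that addresses the "it can block your legitimate traffic" objection.

```python
"""Sequential-scan detector with temporary blocks (constructed example)."""
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 0.5    # "within a fraction of a second" (assumed value)
SEQUENTIAL_HITS = 3     # poster said "2 or 3"; 3 is the stricter choice
BLOCK_SECONDS = 600     # "blocked for the next 10 minutes, not permanently"


class ScanDetector:
    def __init__(self, window=WINDOW_SECONDS, hits=SEQUENTIAL_HITS, block=BLOCK_SECONDS):
        self.window = window
        self.hits = hits
        self.block = block
        self.recent = defaultdict(deque)  # src -> deque of (ts, dst as int)
        self.blocked = {}                 # src -> expiry timestamp

    def is_blocked(self, src, now):
        """True while a block is active; expired blocks are purged on lookup."""
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[src]
            return False
        return True

    def observe(self, ts, src, dst):
        """Feed one event. Returns 'drop', 'block' (just triggered) or 'allow'."""
        if self.is_blocked(src, ts):
            return "drop"
        hist = self.recent[src]
        hist.append((ts, int(ipaddress.ip_address(dst))))
        # keep only hits inside the time window
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()
        if len(hist) >= self.hits:
            tail = [d for _, d in list(hist)[-self.hits:]]
            # a run of consecutive destination addresses from one source
            if all(tail[i + 1] - tail[i] == 1 for i in range(len(tail) - 1)):
                self.blocked[src] = ts + self.block
                hist.clear()
                return "block"
        return "allow"


def parse_line(line):
    """Parse a constructed '<ts> src=<ip> dst=<ip>' line."""
    ts, src, dst = line.split()
    return float(ts), src.split("=", 1)[1], dst.split("=", 1)[1]


def process(lines, detector=None):
    """Run the detector over log lines; returns [(ts, src, decision), ...]."""
    detector = detector or ScanDetector()
    return [(ts, src, detector.observe(ts, src, dst))
            for ts, src, dst in map(parse_line, lines)]


# Constructed sample log: one sequential scanner, one ordinary client,
# and the scanner returning after the 10-minute block has lapsed.
LOG_LINES = [
    "1000.00 src=198.51.100.7 dst=203.0.113.10",
    "1000.10 src=198.51.100.7 dst=203.0.113.11",
    "1000.20 src=198.51.100.7 dst=203.0.113.12",  # third sequential hit -> block
    "1000.30 src=198.51.100.7 dst=203.0.113.13",  # dropped while blocked
    "1001.00 src=192.0.2.5 dst=203.0.113.10",     # ordinary client
    "1001.05 src=192.0.2.5 dst=203.0.113.25",
    "1001.10 src=192.0.2.5 dst=203.0.113.40",     # three hits, not sequential
    "1700.00 src=198.51.100.7 dst=203.0.113.20",  # 700 s later: block expired
]

if __name__ == "__main__":
    for ts, src, decision in process(LOG_LINES):
        print(f"{ts:8.2f} {src:15} {decision}")
```

Running it shows the scanner blocked on its third consecutive address, its next packet dropped, the ordinary client untouched even though it also made three quick connections, and the scanner allowed again once the block has expired. Tightening `SEQUENTIAL_HITS` to 2 matches the looser end of the proposal at the cost of more false positives on hosts that legitimately talk to adjacent addresses.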