Detect computer which does port scanning

Solution 1:

This is a bit of a crazy idea and it would involve some network down time but it sounds like your options are limited by your cheap gateway, with no way to see what's being NAT'd.

Change the IP address of your gateway to something else, then disable DHCP to prevent any machines finding out new gateway address. Boot-up a machine running ethereal/wireshark taking over the old IP address of your gateway.

The offending machine should come up like christmas lights, now that the machine doing the packet sniffing IS the gateway!

Solution 2:

You should check NAT log of your router so that if someone from the outside world give you source ports and time of the port scan you can check on your router logs to find the corresponding inside computer.
If your router can't keep NAT log you probably want to buy a new one because looking at logs is really the only way to have a 100% good result

Solution 3:

You could use wireshark to monitor incoming network packets, and look for abnormal behavior (ARP "who has" type of requests - only dns servers should be doing those a lot).

Same thing can be done with tcpdump:

tcpdump -l -n arp | egrep 'arp who-has' | head -100 | awk '{ print $NF }' |sort | uniq -c | sort -n

Solution 4:

Imagine the scanning is going on a continous rate:

  • Connect a laptop or select a station on the same LAN where the computers are.
  • Launch a graphical software to watch packets, like INAV or etherape or rumint
  • Watch for the host doing connections on many ports

On the other hand, if there's only scanning on certain periods, you could install snort and wait for the 'port scanning' event.

Except for etherape, I think that all these tools run on Windows. If you don't want to mess with installing them, you could try a Linux security liveCD like backtrack.

In any case, remember to implement outward rules on the router to known used ports (e.g., 80, 443, etc.) to limit the scans.