What are your methods to block abusive IPs which are known to permanently scan hosts?
When do you decide that someone should be treated as “hacker”?
I see 3 IPs which scan/“check” my routers every second. They are responsible for 90% of the “checks”.
These IPs are reported on many abuse lists, but traffic from them is continuously passed by ISPs.
What can an average user do to protect themselves if the ISP does not want to cooperate or underplays the problem?
The point is that a centralized automated protection at ISP level (I’m not an ISP) is both risky and resource-intensive for the ISP. If a legal site is hijacked and starts scanning the 'net while still providing its legitimate service, an automated ban on that site would make your non-IT customers complain they cannot reach it. If you would use connection tracking to allow your customers to establish new connections to that site from their end but not vice versa, you could run out of memory if you would do that at your peering routers where traffic from all your users concentrates. Pushing such rules closer to the source, i.e. to the routers receiving traffic from CPEs, could be a good trade-off but it would require some scripting.
The other point is that some vulnerabilities do not need multiple attempts on a device to succeed, such as the http server vulnerability of up-to-6.38.something, so no classification of source addresses per SYN packets per unit of time can protect your network - as soon as it succeeds on the first device inside your network, that one can infect the next one or rather next 50 before your SYN-limit rule stops that.
My ISP, who uses Mikrotiks and UBNT as CPEs, seems to have a policy of not permitting access from outside to ports on which Mikrotik and UBNT devices are listening with default settings of services and without firewall, but letting in connections to other ports including the various VPN ones (pptp, l2tp, ipsec). This does not cause any discomfort for non-IT users and means the ISP doesn’t need to apply security patches on CPEs for issues like the above one. And if an IT-savvy user comes to them with a request to allow http access to his address, they probably either convince him to place the web server in their hosting or tell him to run the service on a non-standard port, thus preventing people from running services visited by half of the planet on a home-grade connection.
I have a similar problem, a user from France keeps trying to get into my IP PBX system. I reported the IP on abuse sites, also contacted the owners of the IP block a couple of times, and their response was that services were disabled, only to find the user is coming again but from a different IP in the same IP block, so I suspect the user just disconnects, gets a new IP and then starts attacking me again.
So for now, I am dropping that whole subnet 163.172.0.0/16 with an address list and a raw rule; not the best way, but it works for me at the moment.
I typically block any new traffic from outside North America on most client border routers. I just create an address-list with the NA prefixes and drop anything not in the list.
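As an added example (not configuration posted by anyone in this thread), here is how the two address-list approaches described in the last two replies look as RouterOS firewall rules: the blocked-subnet drop in the raw table, and the "new connections only from listed prefixes" allow-list. It assumes RouterOS 6.4x with an interface list named WAN; the list names, the port list and the allow-list prefixes are placeholders, and 163.172.0.0/16 is the subnet named above.

```routeros
# Added example, not from any post above. Assumes RouterOS 6.4x and an
# interface list named WAN; list names and prefixes are placeholders.

# 1) Static block of an abusive subnet, dropped in the raw table before
#    connection tracking so it costs no conntrack entries.
/ip firewall address-list
add list=blocked address=163.172.0.0/16 comment="repeated PBX brute-force source"
/ip firewall raw
add chain=prerouting src-address-list=blocked action=drop comment="drop known scanners early"

# 2) Region allow-list: prefixes below are placeholders, not a real
#    North America list; fill it from an RIR/GeoIP export you trust.
/ip firewall address-list
add list=allowed-regions address=203.0.113.0/24 comment="placeholder prefix"
add list=allowed-regions address=198.51.100.0/24 comment="placeholder prefix"

/ip firewall filter
# Keep replies to connections opened from inside; drop junk state.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# Keep router management ports closed to the WAN entirely (the policy the
# ISP reply describes); port list is an assumption, adjust to your services.
add chain=input in-interface-list=WAN protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 action=drop comment="management ports closed to WAN"
# Sources that probe many ports quickly land on a dynamic list for a day
# and are dropped; psd = weight threshold, delay, low-port weight, high-port weight.
add chain=input in-interface-list=WAN protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port-scanners address-list-timeout=1d
add chain=input in-interface-list=WAN src-address-list=port-scanners action=drop
# Any other new connection from outside must come from an allowed region.
add chain=input in-interface-list=WAN connection-state=new src-address-list=!allowed-regions action=drop
add chain=forward in-interface-list=WAN connection-state=new src-address-list=!allowed-regions action=drop
```

Rule order matters: the early accept for established/related traffic is what keeps sessions opened from inside working even when the remote prefix is not on the allow-list.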