mutabaruka
Cadet
Joined: Aug 11, 2007  Posts: 1  Location: USA
Posted: Sat Aug 11, 2007 4:51 am  Post subject: Getting worried about amount of port scans
First of all, I am not a network engineer. My network has been under a heavy port scan for a couple of days. It started at low ports and now is up into the 61000 range. I wasn't concerned at first because my SonicWall drops the scan, plus it is not uncommon to have a few scans here and there, but a closer look shows that the scans have increased and are now less than 1 minute apart; sometimes I get three different block scans on the same connection. My log file is filling up and now it is starting to bother me. I feel like someone is circling, just waiting for a port to open.
I have contacted the NOC of the source IP and my ISP's NOC. I have sent a 4 hour log to them.
Question 1 is: do I accept this nonsense and just let my log files pile up, or is there a way to just block the source IP from making any connection WHATSOEVER without adding any extra hardware?
Is there anything I can do to counter the attack? (I am like that, you hit me and I hit back harder.)
thx.
PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005  Posts: 11723
Posted: Mon Aug 13, 2007 4:25 pm  Post subject:
Countering the attacks with a counterattack is inappropriate, and your ISP might do something about that, like terminate your service, for example. It's frustrating, but keep reporting the attackers and sooner or later their ISP might deign to do something.
Your SonicWALL is already blocking those incoming packets, so that's not really the issue. Your issue is with your logs filling up, and it can be fixed by temporarily turning off logging of attacks while this is going on. The issue with that is your documentation that this is happening then disappears, and I would think you would want that documentation to keep reporting it to your attackers' ISP(s).
_________________
Don't read? Can't learn!
Scott_Hollingsworth
Sergeant, Premium Member
Joined: May 09, 2006  Posts: 116  Location: USA
Posted: Wed Aug 15, 2007 12:07 am  Post subject: Some Ideas
Auto log archival? If the feature is available, then evidence can be preserved.
As mentioned, direct retaliation is not a good idea, not at all.
Have you ever heard of a tarpit? The basic concept is to purposely delay valid responses to probe packets to the maximum technically possible. It can slow a probe to a crawl. But there are tarpit countermeasures also. You need to have a good understanding of what's going on, because you could open yourself up inadvertently when trying to implement a tarpit.
I have to assume your current protection is simply ignoring the probe packets, which is the safest course. The tarpit concept requires responding, which can in itself reveal too much info if the attacker is skilled.
A tarpit is an acceptable "retaliation" because it is doing nothing more than providing a delayed response to a query. It is somewhat passive in a sense. Anything more is not really acceptable.
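As an added example (not part of this thread or of any poster's setup), the script below turns a run of dropped-connection log lines into the kind of per-source summary the original poster could attach when reporting to an ISP NOC, and flags sources that sweep many distinct ports. The log lines and their format are constructed for the example and do not reproduce SonicWall's real syslog layout.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simplified firewall drop-log format (NOT the
# real SonicWall syslog format): one dropped TCP connection attempt per line.
SAMPLE_LOG = """\
2007-08-11 04:10:05 DROP src=198.51.100.7 dst=203.0.113.5 proto=TCP sport=4411 dport=60997
2007-08-11 04:10:47 DROP src=198.51.100.7 dst=203.0.113.5 proto=TCP sport=4412 dport=60998
2007-08-11 04:11:30 DROP src=203.0.113.200 dst=203.0.113.5 proto=TCP sport=51000 dport=443
2007-08-11 04:11:31 DROP src=198.51.100.7 dst=203.0.113.5 proto=TCP sport=4413 dport=60999
2007-08-11 04:12:12 DROP src=198.51.100.7 dst=203.0.113.5 proto=TCP sport=4414 dport=61000
2007-08-11 04:12:55 DROP src=198.51.100.7 dst=203.0.113.5 proto=TCP sport=4415 dport=61001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP src=(?P<src>\S+) "
    r"dst=\S+ proto=TCP sport=\d+ dport=(?P<dport>\d+)$"
)

def summarize_drops(log_text, min_ports=5):
    """Group dropped attempts by source IP and flag any source that touched
    at least `min_ports` distinct destination ports (a port sweep)."""
    events = defaultdict(list)          # src -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                       # skip lines in another format
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[m["src"]].append((ts, int(m["dport"])))

    report = {}
    for src, evs in events.items():
        evs.sort()                      # chronological order per source
        ports = sorted({p for _, p in evs})
        # seconds between consecutive attempts; shows how tight the scan is
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        report[src] = {
            "attempts": len(evs),
            "distinct_ports": len(ports),
            "port_range": (ports[0], ports[-1]),
            "first_seen": evs[0][0].isoformat(sep=" "),
            "last_seen": evs[-1][0].isoformat(sep=" "),
            "max_gap_s": max(gaps) if gaps else None,
            "sweep": len(ports) >= min_ports,
        }
    return report

if __name__ == "__main__":
    for src, info in summarize_drops(SAMPLE_LOG).items():
        print(src, info)
```

Feeding it a full log instead of SAMPLE_LOG gives the first/last seen, port range and attempt spacing per source, which is the evidence the earlier reply says is worth keeping when logging is otherwise turned down.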