  Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA
| how many 'pings' does your firewall block per day?
Hello All, i was just wondering about this issue, because for 4-5 days in a row now, i am getting more pings per hour/per day than i have had since i connected to the internet 3 years ago.
these days if i am online at home for 3-4 hours, i will typically get over 1500 pings/1 hour.....whether it's morning or midnight. and it's not really an attack per se, because the ip addresses are from all over the planet.
many of them are directed to "port 445", which is for "microsoft-ds port" according to www.grc.com
but lately there is a sharp increase in ip's trying to connect to "port 6346" which is "gnutella svc".
i do have 'Limewire Pro' but it doesn't load at startup, nor does it non-voluntarily connect to the internet.
My ZAP does a solid job of blocking all these access infringements, so i am not worried as such..........but i am curious as to what story your firewall logs tell.:D |
|
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
| Re: how many 'pings' does your firewall block per
said by Shriyash : i do have 'Limewire Pro' but it doesn't load at startup, nor does it non-voluntarily connect to the internet.
I guess you mean probes, not pings.
Your P2P usage is probably the cause, even though the program does not connect at start up. Once someone has told their P2P program to connect to you, to download a file from your computer, in many cases it will continue to try to connect to download that file, even when the program is not running on your computer. This will cause your firewall to see these as probes. If the P2P program was active, the firewall would allow the connections, if your settings allowed the program to act as a server. -- Dog and Butterfly |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
·AT&T U-Verse
| reply to Shriyash You'll often see probes from other Gnutella clients trying to connect to you hours after disconnecting from the network. That is often the case when I'm running Shareaza.
As for the port 445 probes, that's just your typical RPC and other worm activity. Many of those hits are from botnetted machines. Last night for me was a busy night in my Sygate Pro logs - I had hundreds of probes from other computers in MCI's 63.13.x.x range, which I'm also in, and at least 3 active responses (where the traffic icon in the system stays red) from compromised machines.
-- "Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. To RIAA/MPAA - You can sue but you can't catch everyone! |
|
  Jan Janowski
join:2000-06-18 Skokie, IL
·AT&T Midwest
| reply to Shriyash Re: how many 'pings' does your firewall block per day?
Some days more than others.... |
|
 BudBob Premium join:2003-01-01 Mckinney, TX | reply to Shriyash Re: how many 'pings' does your firewall block per
I let my router handle it. I have ZA pro on my Win2k machine and the only thing in my logs in the past 30 days is outgoing UDP packets from ping plotter. |
|
  wxboss This is like Deja vu all over again. Premium join:2005-01-30 Jacksonville, FL clubs:
·Comcast
| reply to Shriyash I noticed in Jan Janowski's post that ports 1026 & 1027 were getting the most activity lately and the same has been true with me. Although I have seen an increase in port 139.
It seems some days are worse than others. I have days where activity is pretty low (around 100 legitimate hits). Other days I get 200+.
As far as port 445, »isc.sans.org//index.php has shown an increase in that port as well.
I remember back in the mid '80s when I used my Commodore 64 and a 300 baud modem to check out local bulletin boards. Never worried about this mess back then, but nowadays you need to protect yourself (new definition - Firewall: (n) A condom for the Internet) -- Running: SpywareBlaster, Spyware Doctor, Zone Alarm Security Suite, Firefox, VisualZone Client (making the Internet a safer place). |
|
  boiler Premium join:2002-01-27 J9H 1xx | reply to Shriyash 5037 today so far and the night is still young. |
|
  Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA
| reply to Shriyash yes that's a nice site wxboss, and i see that the sections in 'red' here are specifically for 'port 445'. »isc.sans.org//index.php?off=port
also, take a look here: »isc.sans.org/top10.php
isn't there another site which also does a great job of analysing 'internet background-noise' on a global scale? it has these graphs which show which ports are being targeted in which country. i forgot that site's name
boiler> oh, so many:o i realise that the whole point of having a firewall is to just sit back and let it do its thing, and not be bothered about any incoming probes/pings.......just sometimes when i am feeling sleepy/bored, i take a look at my logs, and then i am wide awake!:D |
|
  BigARR You Can Call Me Al Premium join:2004-01-16 MI, USA
| reply to Shriyash I've gotten hit 245 times so far today. That's really a pretty slow day here. It slows down after I've had my IP for a while. When I get a new one I see a lot of hits on the P2P ports, probably from the user who had the IP before me using a P2P app. |
|
  Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA | reply to Shriyash that pie-chart looks awesome! [i don't have a router, so can't use it] anyone know of any other programs that display your logs like this? {i have Visual Zone} |
|
 visormiser Premium join:2004-02-10 Alexandria, VA
| reply to Shriyash my isp - cox.net - i believe filters common msft ports, so I don't see much 445 or 135-9, etc. what I do see a TON of is messenger spam, the annoying pop up ads targeted toward ports 1026 and 1027. I counted 55 probes on those ports from mostly different IPs in the last two hours alone. |
|
 visormiser Premium join:2004-02-10 Alexandria, VA
| my port map |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to Shriyash Re: how many 'pings' does your firewall block per day?
Since March 8th for example I've seen 254 inbound ICMP events, some are Destination Unreachable messages, but most are Pings. Also note there is a system on our local ISP which is responsible for almost half of my inbound Pings (why I'm not sure as I only see pings from that system, so I don't worry about it too much).
1026 and 1027 is typically Net Messenger spam (see »www.linklogger.com/UDP1026.htm ).
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
  wxboss This is like Deja vu all over again. Premium join:2005-01-30 Jacksonville, FL clubs:
·Comcast
| reply to Shriyash Re: how many 'pings' does your firewall block per
I believe there is a program called Zone Logger (not sure if this is the exact name) that will graph your firewall activity. Although I do believe there is a cost involved to use the program. -- Running: SpywareBlaster, Spyware Doctor, Zone Alarm Security Suite, Firefox, VisualZone Client (making the Internet a safer place). |
|
  Alwill Lost time is never found again. Premium join:2002-09-25 Sydney, OZ
| said by wxboss : I believe there is a program called Zone Logger (not sure if this is the exact name) that will graph your firewall activity. Although I do believe there is a cost involved to use the program.
There is a ZoneLog Analyser »zonelog.co.uk but it analyses Zone Alarm's logs only. -- Tact is the art of making a point without making an enemy - Anonymous |
|
  wxboss This is like Deja vu all over again. Premium join:2005-01-30 Jacksonville, FL clubs:
·Comcast
| I may have jumped to a premature conclusion (wouldn't be the first time), but since I noticed that he is currently using VisualZone which is a ZA only app, I mentioned ZoneLogger as an option.
But to others who don't use ZA, you're right, they would need to look for something else. -- Running: SpywareBlaster, Spyware Doctor, Zone Alarm Security Suite, Firefox, VisualZone Client (making the Internet a safer place). |
|
  Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA | reply to Shriyash thanks for the suggestion Alwill and wxboss, will give it a whirl.
here's another site which 'maps Geographic Distribution of attack sources' »dshield.org/ |
|
  wxboss This is like Deja vu all over again. Premium join:2005-01-30 Jacksonville, FL clubs:
·Comcast
| said by Shriyash : thanks for the suggestion Alwill and wxboss, will give it a whirl. here's another site which 'maps Geographic Distribution of attack sources' » dshield.org/
Since you are running VisualZone, have you created an account with Dshield who are the recipients of your VisualZone log files?
Once activated and set up, you'll be able to log into your Dshield account and see a few basic pie charts which offer some pretty good information. They aren't as elaborate as some other apps, but it's free. -- Running: SpywareBlaster, Spyware Doctor, Zone Alarm Security Suite, Firefox, VisualZone Client (making the Internet a safer place). |
|
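An added example, not posted by anyone in this thread: a small log summarizer that separates true pings (ICMP echo requests) from port probes, counts distinct source addresses per port, and shows whether one host accounts for most of the pings, which are the distinctions the posters draw above. The comma-separated log layout and all addresses are constructed for illustration and are an assumption; a real firewall's log fields may differ.

```python
import re
from collections import Counter, defaultdict

# Port labels exactly as posters in this thread gave them.
SERVICES = {445: "microsoft-ds", 6346: "gnutella svc",
            1026: "Net Messenger spam", 1027: "Net Messenger spam"}

# Constructed sample (documentation-range addresses), assumed layout:
# direction,date,time,src:port,dst:port,protocol
SAMPLE_LOG = """\
FWIN,2005/03/10,21:14:02,198.51.100.7:4312,192.0.2.10:445,TCP (flags:S)
FWIN,2005/03/10,21:14:09,203.0.113.44:3120,192.0.2.10:445,TCP (flags:S)
FWIN,2005/03/10,21:15:40,203.0.113.5:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2005/03/10,21:16:11,198.51.100.23:2871,192.0.2.10:6346,TCP (flags:S)
FWIN,2005/03/10,21:16:13,198.51.100.23:2871,192.0.2.10:6346,TCP (flags:S)
FWIN,2005/03/10,21:17:30,203.0.113.5:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2005/03/10,21:18:02,198.51.100.90:0,192.0.2.10:0,ICMP (type:3/subtype:1)
FWIN,2005/03/10,21:19:45,203.0.113.77:33021,192.0.2.10:1026,UDP
FWOUT,2005/03/10,21:20:00,192.0.2.10:1050,198.51.100.1:53,UDP
garbled line
"""

LINE = re.compile(
    r"^FWIN,[^,]+,[^,]+,([\d.]+):\d+,[\d.]+:(\d+),(\w+)(?: \(type:(\d+))?")

def summarize(log_text):
    """Tally blocked inbound entries: pings vs. other ICMP vs. port probes."""
    pings, other_icmp = Counter(), 0
    hits, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # outbound or malformed entries are ignored
        src, dport, proto, icmp_type = m.groups()
        if proto == "ICMP":
            if icmp_type == "8":      # echo request: an actual ping
                pings[src] += 1
            else:                     # e.g. type 3, Destination Unreachable
                other_icmp += 1
            continue
        hits[int(dport)] += 1
        sources[int(dport)].add(src)
    ports = {p: (n, len(sources[p]), SERVICES.get(p, "unlabelled"))
             for p, n in hits.items()}  # port -> (hits, distinct sources, label)
    return {"pings": sum(pings.values()), "other_icmp": other_icmp,
            "top_pinger": pings.most_common(1)[0] if pings else None,
            "ports": ports}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A port with many hits from one source (6346 in the sample) fits a stale P2P peer retrying, while hits spread over many sources (445) fit general background scanning.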