 Jayisspecial
join:2003-05-21 Pacific, WA
2 edits | Heavy Firewall activity (normal?)
Since about August my Zone Alarm says I've had 1365 intrusion attempts, 40 of which have been high level. This includes the Windows port virus thing that struck a while back.
When that came about (September?) I told my friend about it and made him download Zone Alarm. He was attacked heavily all throughout that week, but I'm not sure what the end tally was. I do know that as of today, just a few months after install, his Zone Alarm reports 180,615 intrusion attempts, 15,596 of which have been high level. Since he's logged on this morning he's had 60 blocked intrusion attempts.
I've also learned from my friend that one of his buddies in his neighborhood who installed in August reports the following:
295427 Intrusions have been blocked since Install 9373 of those have been high-rated
Both live somewhere in Canada
Anyway, their firewall activity seems insane compared to my own, so I'd appreciate it if anyone could confirm the abnormalness of this or offer an explanation/tips.
Edit: This morning = 20 minutes after logging on
He's also used various spyware sniffing programs to clean them out of his system, in case that matters |
|
  jansson_mark Markus Jansson Premium join:2001-08-05 Finland
| 1) What kind of attacks?
2) Inbound or outbound?
3) What ports?
4) Do you have and have you run complete antivirus + antitrojan (let's say Spybot S&D) on your system?
5) Do you have static or dynamic IP address?
-- My computer security & privacy related homepage »www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. |
|
  reaver221
join:2003-05-08 Cincinnati, OH
| reply to Jayisspecial Any sample logs or anything? 'Intrusion attempts' may be nothing more than pings and portscans and routine stuff like that. With all the viruses going around lately, it's easy to block a whole lot of traffic real fast if your ISP doesn't block any ports.
As long as nothing is getting in, I wouldn't be worried about it - firewall is doing its job. |
|
  Ol_OO_ll_Ol Rock And Roll.
join:2003-11-23 Canada
| reply to jansson_mark Ha ha ha heh.... Yeah, me too. I got 42300 since Friday before last Friday.
I use Zone Alarm free. From what I gather, it has something to do with the Welchia virus. You're being checked to see if you have that worm or something like that.
Man I'm glad I have Zone Alarm.
BTW. They're mostly pings. Ping...Ping...lol
b11ng00 ++ |
|
 Jayisspecial
join:2003-05-21 Pacific, WA
| reply to jansson_mark 1) What kind of attacks? 2) Inbound or outbound? 3) What ports? 4) Do you have and have you run complete antivirus + antitrojan (let's say Spybot S&D) on your system? 5) Do you have static or dynamic IP address?
1. not sure what you mean. Incoming?
2. 199 inbound (today) and 24 secured for outbound
3. is this under Protocol? if so it has UDP, TCP, ICMP and he's also a Windows Me user
packet sent from insertIP (port 4014)
4. Norton 2001 and he's run Spybot
5. Not sure, he says his IP recently seems to have changed though (doesn't happen often)
Heh, I'm fairly ignorant here, I just think it's weird that he's garnered 180 thousand intrusions in the time I've got 1000 |
|
  jansson_mark Markus Jansson Premium join:2001-08-05 Finland
| said by Jayisspecial :
1. not sure what you mean. Incoming?
Yes, are they incoming or outgoing alerts?
quote: 2. 199 inbound (today) and 24 secured for outbound
What are secured for outgoing and what are not allowed for outgoing and how many alerts do they produce? -- My computer security & privacy related homepage »www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. |
|
 ghost16825 Use security metrics Premium join:2003-08-26
| reply to Jayisspecial said by Jayisspecial : 1) What kind of attacks? 2) Inbound or outbound? 3) What ports? 4) Do you have and have you run complete antivirus + antitrojan (let's say Spybot S&D) on your system? 5) Do you have static or dynamic IP address?
1. not sure what you mean. Incoming?
2. 199 inbound (today) and 24 secured for outbound
3. is this under Protocol? if so it has UDP, TCP, ICMP and he's also a Windows Me user
packet sent from insertIP (port 4014)
4. Norton 2001 and he's run Spybot
5. Not sure, he says his IP recently seems to have changed though (doesn't happen often)
Heh, I'm fairly ignorant here, I just think it's weird that he's garnered 180 thousand intrusions in the time I've got 1000
If you have no idea whether they're inbound or outbound or which ports or protocols then how can you say they're "intrusion attempts" and therefore they need serious action? Answer: Because ZoneAlarm says they are an intrusion attempt. (Well that's great reasoning. Brilliant idea) |
|
 anthrorules Premium join:2003-09-14 Rollinsville, CO
·Qwest.net
·IonSKY
| reply to Jayisspecial If they are ICMP (type 8) or TCP on Port 135, then it's probably the Welchia or Blaster coming from infected computers. Your friend can create an expert rule to block/ignore these hits, and the log file will not fill up.
He or you can search the ZA forums for NoLogWorms, and you should find a thread where someone has posted the expert rule. -- Earthlink/Direcway SRS - DW4000 | ver. 4.2.1.10 | Proxy/Port 83 | G4R | 1250 | Dell Dimension 4550 - WinXP Pro SP1 - 256MG Ram |ZA+ 4.5 | AVG 7.0 | Trojan Remover | Ad-Aware | SpyBot S&D | MailWasher Pro 3.2 |
|
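Added example (not part of any post above, and not ZoneAlarm's own code): a tally that answers the questions asked in this thread (direction, protocol, port) and separates the background noise anthrorules describes, ICMP type 8 and TCP port 135, from everything else. The CSV layout, field names and sample rows are constructed for illustration; a real firewall log export needs its own column mapping.

```python
import csv
import io
from collections import Counter

# Constructed sample log: hypothetical CSV layout, documentation-range IPs.
SAMPLE_LOG = """direction,protocol,src_ip,dst_port,icmp_type
in,ICMP,198.51.100.7,,8
in,ICMP,198.51.100.9,,8
in,TCP,203.0.113.20,135,
in,TCP,203.0.113.21,135,
in,TCP,203.0.113.21,135,
in,UDP,192.0.2.55,4014,
in,ICMP,192.0.2.80,,3
out,TCP,10.0.0.5,80,
"""

def classify(row):
    """Label one record using the two signatures named in the thread."""
    if row["direction"] != "in":
        return "outbound"
    proto = row["protocol"].upper()
    if proto == "ICMP" and row["icmp_type"] == "8":
        return "worm-noise: ICMP echo request (type 8)"
    if proto == "TCP" and row["dst_port"] == "135":
        return "worm-noise: TCP/135"
    return "other inbound"

def summarize(log_text):
    """Return per-label counts, distinct noise sources, and what is left to review."""
    labels, sources, review = Counter(), set(), Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        label = classify(row)
        labels[label] += 1
        if label.startswith("worm-noise"):
            sources.add(row["src_ip"])
        elif label == "other inbound":
            key = (row["protocol"].upper(), row["dst_port"] or f"type {row['icmp_type']}")
            review[key] += 1
    return labels, sources, review

if __name__ == "__main__":
    labels, sources, review = summarize(SAMPLE_LOG)
    total = sum(labels.values())
    for label, n in labels.most_common():
        print(f"{n:4d}  {n / total:6.1%}  {label}")
    print(f"distinct worm-noise sources: {len(sources)}")
    for (proto, port), n in review.most_common():
        print(f"review: {proto} {port} x{n}")
```

A large count dominated by the two worm-noise labels from many distinct sources matches the explanation given in the thread; the "review" lines are the entries worth reading individually.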