Port Scans
April 3, 2004 10:06 PM   Subscribe

Every day for the last three weeks or so Sygate Personal Firewall Pro has blocked twenty or more port scans. In the past I would be scanned maybe once or twice a week. What has changed? I change my IP address from time to time and I know my box is secure and isn't worth hacking anyway. What gives? I'm getting tired of the blinking icon.
posted by Grod to Computers & Internet (17 answers total)
 
i'm having the same problem. argh.
posted by nyoki at 10:08 PM on April 3, 2004


Response by poster: One interesting thing is that they're all coming from 141.157.***.*** (the last two groups change). A backtrace of the most recent one goes 20 hops to this:
Verizon Internet Services VIS-141-149 (NET-141-149-0-0-1)
141.149.0.0 - 141.158.255.255
Verizon Internet Services VZ-DSLDIAL-NYCMNY-14 (NET-141-157-192-0-1)
141.157.192.0 - 141.157.255.255

# ARIN WHOIS database, last updated 2004-04-03 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

Is Verizon (my ISP) scanning me?
posted by Grod at 10:31 PM on April 3, 2004


Grod: could be - what ports are they scanning you on? Some ISPs scan 'registered' ports to make sure that you're not violating TOS by running server software.
posted by cheaily at 10:32 PM on April 3, 2004


Response by poster: I don't know how to figure that out with this firewall.
posted by Grod at 10:41 PM on April 3, 2004


In the systray application, go to logs->traffic and sort by destination port (or by source IP to see who's doing the scanning)
I also find that when I open up my hardware firewall that I'm constantly being scanned by other sources from the same ISP (Comcast). I think they're infected zombies that for some reason preferentially scan the same address ranges. At one time I figured out what infection it was but now I can't remember - it's Code Red or Nimda or another one of those.
posted by TimeFactor at 11:32 PM on April 3, 2004


Response by poster: Thanks. It appears to be scanning ports 1025 through 1028, 901, 445, 139, and 138. I don't recognize those last four.
posted by Grod at 1:13 AM on April 4, 2004


138 - NetBios / Samba
139 - NetBios / Samba
445 - Samba
901 - SWAT (HTTP Samba interface)

Sounds like they're sniffing for shared folders. Info from here
posted by falconred at 1:32 AM on April 4, 2004
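The two answers above boil down to a small log-analysis routine: group the blocked entries by source IP and destination port, and name the ports. This is an added example, not code from the thread or from Sygate; the log format and every address in it are constructed for the example.

```python
# Added example, not from the thread: tally a personal-firewall log by source IP and
# destination port (TimeFactor's advice) and name the ports falconred listed.
# The log format is constructed for this example; Sygate's real format is not assumed.
from collections import Counter
# Ports mentioned in the thread and the service each normally belongs to.
KNOWN_PORTS = {138: "NetBIOS datagram / Samba", 139: "NetBIOS session / Samba",
               445: "SMB over TCP / Samba", 901: "SWAT (Samba web admin)"}

# Constructed log lines: timestamp,action,source_ip,destination_port
SAMPLE_LOG = """\
2004-04-03 22:01:14,blocked,141.157.203.18,445
2004-04-03 22:01:15,blocked,141.157.203.18,139
2004-04-03 22:01:16,blocked,141.157.203.18,901
2004-04-03 22:05:40,blocked,141.157.77.9,445
2004-04-03 22:05:41,blocked,141.157.77.9,1025
2004-04-03 22:05:41,blocked,141.157.77.9,1026
2004-04-03 22:40:02,blocked,66.94.230.12,80
2004-04-03 22:40:09,allowed,192.168.1.5,139
"""

def parse_log(text):
    """Return (timestamp, action, src_ip, dst_port) tuples, skipping blank lines."""
    rows = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        ts, action, src, port = line.split(",")
        rows.append((ts, action, src, int(port)))
    return rows

def blocked_ports_by_source(rows):
    """Map each source IP to the sorted distinct ports it was blocked on."""
    seen = {}
    for _, action, src, port in rows:
        if action == "blocked":
            seen.setdefault(src, set()).add(port)
    return {src: sorted(ports) for src, ports in seen.items()}

def port_counts(rows):
    """Blocked hits per destination port: the 'sort by destination port' view."""
    return Counter(port for _, action, _, port in rows if action == "blocked")

def likely_scanners(by_src, min_ports=3):
    """Sources that probed several distinct ports look like scans, not stray packets."""
    return sorted(src for src, ports in by_src.items() if len(ports) >= min_ports)

def sources_in_prefix(by_src, prefix="141.157."):
    """Distinct sources inside one address block, like the poster's 141.157.x.x."""
    return sum(1 for src in by_src if src.startswith(prefix))

def describe_port(port):
    """Name a port from the thread's list; 1024+ are usually ephemeral/RPC endpoints."""
    return KNOWN_PORTS.get(port, "ephemeral (1024+)" if port >= 1024 else "not in table")
```

Several distinct sources from one ISP block each hitting the same NetBIOS/SMB ports is the pattern TimeFactor describes for infected hosts sweeping their own network.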


You really don't need to worry about this -- the firewall only reports stuff like this to make it look like it's doing something. It's extremely unlikely that any of those ports would have been vulnerable, unless you're running the first release of Windows 95 or something.

What gives? I'm getting tired of the blinking icon.

I would suggest uninstalling the firewall, unless you're really interested in being alerted to unimportant network traffic. Personal firewalls, as a rule, are worse than useless -- they are time consuming, sometimes cost money, but do nothing of use.

If you think I'm just being contrary, read this.
posted by reklaw at 3:40 AM on April 4, 2004


i think that article is a *little* too negative.

a personal firewall does help you learn what ports exist, which is useful if you're a newbie. some also let you open ports to specific addresses which can protect you from viruses on local machines (i.e. behind the firewall) to some extent (this has helped me in the past, when i was working in an office with idiots but had to keep access open to a central server) - everyone in the company except me got infected.

but best of all, for people who don't understand much, is to point them to shields up and get them to scan themselves. it's easy and clearly explains what to do to close down services.
posted by andrew cooke at 5:13 AM on April 4, 2004


I agree with reklaw that running a software firewall shouldn't be your first or only step to protect yourself. But I run a software firewall (also Sygate) to monitor/control outgoing traffic at the application level. I can't think of any way to do that other than a software firewall - and it's free, takes only about 3% of my memory and less of CPU usage.
Another good source for Windows services/ports configuration information is Blackviper - for Windows 2000 or XP
posted by TimeFactor at 9:05 AM on April 4, 2004


I agree with TimeFactor for the most part--that is definitely indicative of zombie'd Windows hosts scanning you for whatever vulnerabilities they fell to. In other words, a worm has infected them and is scanning other computers on the Verizon network--including you--trying to see if they're susceptible to the security holes that worm uses to get in.

It's remotely possible that it's just "normal" activity with people attempting to look for shared drives and the like, but that's very unlikely, especially if the scans are on ALL those ports. Instead, that's another indicator of a worm scan.

Also, do keep some kind of personal firewall around! Unless they're causing problems with one's network connection--which does happen more often than it should--you need one.

There are so many worms out there which spread via the network, and new ones arriving every day, that even if you keep yourself totally "Windows Updated" (virus scans don't help with worms very well, or at all in some cases) you are guaranteed to be vulnerable to a few things, and certainly everyone is vulnerable to the latest worm between the time it's released into the wild, and the time Microsoft gets off their duff and makes a patch.

You may be able to turn off the blinking itself, though, I know most firewalls have a checkbox somewhere that says 'Blink systray icon when blocking traffic'...which you can then uncheck. That way it does its job in the background :)
posted by cyrusdogstar at 10:55 AM on April 4, 2004


you need one

I do?

There are so many worms out there which spread via the network

Contrary to (it appears) popular belief, a personal firewall won't stop things like that, since they're usually caused by security holes in services. Once a service is turned on and the port is open, the firewall can't do anything to stop it being exploited, if exploits exist (in fact, the firewalls themselves can be vulnerable). If it's worms you're worried about, get antivirus software -- a personal firewall offers no protection.

TimeFactor offers the only real use of the things -- allowing/denying traffic from individual apps. I can see this being moderately useful for noticing spyware, or stopping apps from sending out information to the 'net when you don't want them to. All the stuff about not going on the evil internet without a personal firewall to 'protect' you, though, is utter rubbish -- and far too many normally sensible people seem quite willing to repeat the firewall companies' marketing line.
posted by reklaw at 11:04 AM on April 4, 2004


I recently convinced my mom and her husband to switch to a firewalling NAT router. A "firewall" should be a separate physical device. Period. But, as reklaw and TimeFactor say, a software firewall can be very useful in monitoring outgoing traffic—and that's the only reason I have one running.

Anyway, Grod, I'm very surprised that you've up till recently been seeing so little activity. For the last three or so years, both on cable and now DSL, I've been pretty much continuously probed—hundreds of attempted connections per day, when I've logged it. Most are probably worms trying to spread themselves, looking for IIS or something. But I see a lot of aggressive port scanning, too.

These days, I think it's insane not to use a firewall—a software firewall is better than nothing, I guess, because the fact of the matter is that most of us aren't sysadmins who can keep up with all security vulnerabilities and patches. Blocking the traffic is the best solution.

But I believe that outgoing stuff is the burgeoning problem.
posted by Ethereal Bligh at 1:49 PM on April 4, 2004


Response by poster: I'm not really worried about my security. I use f-prot antivirus and update weekly, download Microsoft's patches, etc. The truly obvious ports (the ones on that Shields Up website) are closed, and so on. I agree that a software based firewall is better than nothing (which is why I use one) and wasn't worried about being attacked so much as curious about the sudden increase in traffic. I think the simplest solution will be to deselect "show desktop icon" and forget about the firewall. Thanks everyone for the info.
falconred: Thanks for the link!
As a rule I don't allow shared folders. That's what ftp servers are for.
Thanks everyone.
posted by Grod at 2:26 PM on April 4, 2004


Any particular difference between firewalling routers or are they all pretty much the same?
posted by timeistight at 3:15 PM on April 4, 2004


I think it's insane not to use a firewall—a software firewall is better than nothing, I guess.

Until something like this happens: "A buffer overflow vulnerability has been discovered in Kerio Personal Firewall... Successful exploitation of this vulnerability may allow an attacker to execute arbitrary commands on a target system, with the privileges of the Kerio firewall." -- from here, an account of a vulnerability in Kerio Personal Firewall. I know it wasn't the same firewall, but just about all programs are vulnerable to such things sooner or later, including personal firewalls. Note that there would have been no exploit had the firewall not been running. The computer would have been safer.

Seriously, running extra programs that do nothing is not "better than nothing". It is sometimes worse. If you are already running a vulnerable service, a personal firewall won't protect you. If you're not vulnerable, then an exploit in the firewall itself could make you vulnerable. Get antivirus software and a hardware firewall. Personal firewalls are worse than useless.
posted by reklaw at 3:42 PM on April 4, 2004


Again, in conjunction with a hardware firewall, the monitoring of outgoing connections on an application basis is really useful.

You're making a good point, reklaw, but I feel that the relative risks need to be quantified before a judgment could reliably be made. To my mind, without investigation, all the modern OSs are now inherently networking OSs whose networking architectural design predates WAN and presumes a more secure LAN. If you turn off file sharing on Win98, you can probably expose that box to the internet without it being compromised. Win2K, OS X and the like now come with default networking services configured. On the Win platform, the RPC exploit likely caught a bunch of people unaware. You take an out-of-the-box XP install and see how many ports will accept connections—it's more than you probably think. So, the vulnerability that the software firewall creates is, I think, more than offset by the vulnerabilities it likely eliminates.

But the bottom line is that I agree with you. Software firewalls are, to me, an oxymoron. I want to stop someone before they make it to my box. Once they're here, they're here.

Timeistight: all the basic consumer "Cable/DSL routers" seem to have the same set of core features and are almost certainly adequate for most purposes. They're all NAT, that's really what the "routing" means. I do think that some kind of permanent logging ability is desirable and not always included. Higher end models have VPN features and stuff that only SOHO users might want. I just recently switched to one that's a Wi-Fi access point, too. And it wasn't that much money. (But Wi-Fi brings with it a whole new set of security problems—and basically gives me the heebie-jeebies. I'm using it, though.)
posted by Ethereal Bligh at 5:21 PM on April 4, 2004

