Unrelenting port scans from asia, europe, etc… what to do???
-
What I did, ,thinking it would make a difference:
-
changed my static IP to dynamic. This made the foreign port scans even worse, I guess because my ISP has limited pool of dynamic IP's, and they are recycled and already compromised when I get one???
-
pfblocker doesn't seem to do anything… I can't figure out how it works... you select the top spamming countries... then in another tab you select the individual countries as well? I select EVERYTHING on both tabs, ,and it makes no difference... the scans keep coming within seconds cycling modem and changing IP address. How to update lists???
-
installed SNORT with free lists, but again, not sure if it's even working... had some alerts, ,but that was my iphone connecting outbound to akamai technologies web server for some type of update on it's own. I don't like that it did this without my asking first. Akamai is EVERYWHERE, have you all noticed that? Video servers, file servers, software updates, most of the time it's on an akamai server.
Has anyone else experienced these types of unrelenting port scans from all over the world? It's driving me nuts and makes me concerned about my internet banking, ,etc.
I have a fresh install of windows xp, ran malawarebytes, spybot, alvira... nothing....
then I noticed my DNS resolver cache was full of CRAP from foreign .cn websites, I tried to flush it, but it wouldn't flush.... ipconfig /displaydns continued to show the crap.. .not sure the significance of this as I'm new to all this stuff.... so I disabled the local DNS server service... I don't need it.
here's a typical scan from Latvia: 84.237.147.162:54300
any help greatly appreciated.
Brian -
-
hmmm…. I think I stumbled upon something that is way over my head at the moment.... "DNS cache poisoning" or spoofing.... seems this might be affecting me?
Should I change my DNS servers to Google DNS?
Could this be the source of all my foreign port scans??? I don't understand enough to make the connection between the two.
Please, anyone know what's happening?
thanks -
hmmm…. I think I stumbled upon something that is way over my head at the moment.... "DNS cache poisoning" or spoofing.... seems this might be affecting me?
Should I change my DNS servers to Google DNS?
Could this be the source of all my foreign port scans??? I don't understand enough to make the connection between the two.
Please, anyone know what's happening?
thanksI think you can't avoid the port scanning. These people just select random CIDR's and start the port scanning to find some open port and start an attack. If you are using pfblocker select the option block instead of reject to simulate that your computer is not there.
-
With pfblocker you select the countries that you want to block and then go back to the first tab and click the box that says "Enable"
I had what you do plus 10-15 different attacks on my email server a day that quit after I installed pfblocker here…
Trust me... 10-15 full fledged 3 login attempts per second attacks a day (that last for hours each) aint nothing compared to what some servers see. But since we don't do business overseas and Im not missing any incoming emails Id rather stop em at the gate.
If you install the pfblocker widget on the dashboard you can see if its up or not and how many hits your getting from those areas...
-
You also have the option to assign pfblocker rule action to alias only and block specific services leaving others working using firewall rules.
-
thanks everyone, I appreciate it.
I'm a little closer to understanding what's going on. The DNS resolver cache is used by the DNS server service in Windows XP and is populated by Spybot, I'm guessing coming from the Hosts file. All entries point to 127.0.0.1 …. so it's nothing to do with what I'm experiencing. I shut down the DNS server service anyway.
Called my ISP. It seems that my previous group of IP's were used ALOT by users of MLPPP and uTorrent... that explains to me anyway, why I got so many scans from overseas. The techie put me on a completely different group of IP's and bingo, I went from 100 scans in 5 minutes to just 3 scans in 15 minutes, and now, ironically, the port scans are all coming from the USA. Big difference.
I will play around with pfBlocker a bit more.... seems to be doing it's job. Thanks for letting me know about the widget.... never even saw that feature on Pfsense until now!
-
I spoke too soon. The scans are frequent again, about 1 minute apart, and coming from Verizon in the USA. Looks like pfBlocker is doing it's job for at least some of the scanners. Has anyone ever tried to file a complaint against an IP or would that be a fruitless thing to try?
Makes me want to forget about internet banking and walk into the bank the old fashioned way.
From a layman's point of view (me), I don't understand why, given our intelligence, we can't stop random port scanning from happening on the internet altogether. I guess it's because a lot of companies would then go out of business? I just don't understand.
thanks for your help, everyone, I appreciate it.
-
The firewall is stopping them at the gate right?
Are you running any services? Kids playing games? Computers all clean? Are you sure?
-
What's the full log you're seeing getting blocked? Including the TCP:* shown at the right. That will help determine what they really are.
then I noticed my DNS resolver cache was full of CRAP from foreign .cn websites, I tried to flush it, but it wouldn't flush…. ipconfig /displaydns continued to show the crap.. .not sure the significance of this as I'm new to all this stuff.... so I disabled the local DNS server service... I don't need it.
That has nothing to do with whether you have a DNS server service running. Hosts in there are there because your machine made DNS lookup requests for those hosts. Which screams infected machine unless you're browsing a bunch of Chinese websites.
Port scans are nothing at all to be concerned with in and of themselves, they can't hurt you. But certain things, like having an infected host on your network which definitely seems to be the case if you have a bunch of .cn hosts in your DNS cache, will cause command and control servers to port scan you to see what you have open if anything. Getting hit heavily by port scans on a home connection is very unusual short of attracting them to you by having an infected host on your network.
-
I routinely see any amount from 2 or 3 up to around 20+ firewall blocks per minute. This just means the firewall is doing its job. More to the point, check the traffic you are allowing, ntop is good for this.
-
@cmb:
What's the full log you're seeing getting blocked? Including the TCP:* shown at the right. That will help determine what they really are.
then I noticed my DNS resolver cache was full of CRAP from foreign .cn websites, I tried to flush it, but it wouldn't flush…. ipconfig /displaydns continued to show the crap.. .not sure the significance of this as I'm new to all this stuff.... so I disabled the local DNS server service... I don't need it.
That has nothing to do with whether you have a DNS server service running. Hosts in there are there because your machine made DNS lookup requests for those hosts. Which screams infected machine unless you're browsing a bunch of Chinese websites.
Port scans are nothing at all to be concerned with in and of themselves, they can't hurt you. But certain things, like having an infected host on your network which definitely seems to be the case if you have a bunch of .cn hosts in your DNS cache, will cause command and control servers to port scan you to see what you have open if anything. Getting hit heavily by port scans on a home connection is very unusual short of attracting them to you by having an infected host on your network.
I tried to flush the DNS cache, but it would not flush. I can't clear it. By stopping the service, am I preventing what you are describing? I do have SpyBot S&D installed, and I know it modifies the hosts file. I still don't understand the DNS cache, however and why it does not flush when I had the DNS service running. All these .cn websites are pointing to 127.0.0.1…. is that not OK? It's looping back to me. Confused.
-
In that case you probably have those things in your hosts file. Why, depends. Sometimes people put a bunch of crud in there for ad blocking purposes. Many times malware puts things in there to prevent you from connecting to certain things.
-
SpyBot S&D
Spybot S&D has the option to include those in the host file… Its the Immunize option...
-
"I had what you do plus 10-15 different attacks on my email server a day that quit after I installed pfblocker here…"
You do understand that the traffic is still there - your just not logging it now..
There is NOTHING you can on your firewall to stop traffic from getting to it.. What you can do is not log the noise ;) If you do not want the traffic to reach your firewall, then you would need to filter it up stream.
What pfblocker can do is prevent access from those bad ips to your services that are open. But it can not "stop" port scanning.
-
What pfblocker can do is prevent access from those bad ips to your services that are open. But it can not "stop" port scanning.
Now that's something I never considered before. Thank you for that insight.