Unrelenting port scans from asia, europe, etc… what to do???
-
thanks everyone, I appreciate it.
I'm a little closer to understanding what's going on. The DNS resolver cache is used by the DNS server service in Windows XP and is populated by Spybot, I'm guessing coming from the Hosts file. All entries point to 127.0.0.1 …. so it's nothing to do with what I'm experiencing. I shut down the DNS server service anyway.
Called my ISP. It seems that my previous group of IP's were used ALOT by users of MLPPP and uTorrent... that explains to me anyway, why I got so many scans from overseas. The techie put me on a completely different group of IP's and bingo, I went from 100 scans in 5 minutes to just 3 scans in 15 minutes, and now, ironically, the port scans are all coming from the USA. Big difference.
I will play around with pfBlocker a bit more.... seems to be doing it's job. Thanks for letting me know about the widget.... never even saw that feature on Pfsense until now!
-
I spoke too soon. The scans are frequent again, about 1 minute apart, and coming from Verizon in the USA. Looks like pfBlocker is doing it's job for at least some of the scanners. Has anyone ever tried to file a complaint against an IP or would that be a fruitless thing to try?
Makes me want to forget about internet banking and walk into the bank the old fashioned way.
From a layman's point of view (me), I don't understand why, given our intelligence, we can't stop random port scanning from happening on the internet altogether. I guess it's because a lot of companies would then go out of business? I just don't understand.
thanks for your help, everyone, I appreciate it.
-
The firewall is stopping them at the gate right?
Are you running any services? Kids playing games? Computers all clean? Are you sure?
-
What's the full log you're seeing getting blocked? Including the TCP:* shown at the right. That will help determine what they really are.
then I noticed my DNS resolver cache was full of CRAP from foreign .cn websites, I tried to flush it, but it wouldn't flush…. ipconfig /displaydns continued to show the crap.. .not sure the significance of this as I'm new to all this stuff.... so I disabled the local DNS server service... I don't need it.
That has nothing to do with whether you have a DNS server service running. Hosts in there are there because your machine made DNS lookup requests for those hosts. Which screams infected machine unless you're browsing a bunch of Chinese websites.
Port scans are nothing at all to be concerned with in and of themselves, they can't hurt you. But certain things, like having an infected host on your network which definitely seems to be the case if you have a bunch of .cn hosts in your DNS cache, will cause command and control servers to port scan you to see what you have open if anything. Getting hit heavily by port scans on a home connection is very unusual short of attracting them to you by having an infected host on your network.
-
I routinely see any amount from 2 or 3 up to around 20+ firewall blocks per minute. This just means the firewall is doing its job. More to the point, check the traffic you are allowing, ntop is good for this.
-
@cmb:
What's the full log you're seeing getting blocked? Including the TCP:* shown at the right. That will help determine what they really are.
then I noticed my DNS resolver cache was full of CRAP from foreign .cn websites, I tried to flush it, but it wouldn't flush…. ipconfig /displaydns continued to show the crap.. .not sure the significance of this as I'm new to all this stuff.... so I disabled the local DNS server service... I don't need it.
That has nothing to do with whether you have a DNS server service running. Hosts in there are there because your machine made DNS lookup requests for those hosts. Which screams infected machine unless you're browsing a bunch of Chinese websites.
Port scans are nothing at all to be concerned with in and of themselves, they can't hurt you. But certain things, like having an infected host on your network which definitely seems to be the case if you have a bunch of .cn hosts in your DNS cache, will cause command and control servers to port scan you to see what you have open if anything. Getting hit heavily by port scans on a home connection is very unusual short of attracting them to you by having an infected host on your network.
I tried to flush the DNS cache, but it would not flush. I can't clear it. By stopping the service, am I preventing what you are describing? I do have SpyBot S&D installed, and I know it modifies the hosts file. I still don't understand the DNS cache, however and why it does not flush when I had the DNS service running. All these .cn websites are pointing to 127.0.0.1…. is that not OK? It's looping back to me. Confused.
-
In that case you probably have those things in your hosts file. Why, depends. Sometimes people put a bunch of crud in there for ad blocking purposes. Many times malware puts things in there to prevent you from connecting to certain things.
-
SpyBot S&D
Spybot S&D has the option to include those in the host file… Its the Immunize option...
-
"I had what you do plus 10-15 different attacks on my email server a day that quit after I installed pfblocker here…"
You do understand that the traffic is still there - your just not logging it now..
There is NOTHING you can on your firewall to stop traffic from getting to it.. What you can do is not log the noise ;) If you do not want the traffic to reach your firewall, then you would need to filter it up stream.
What pfblocker can do is prevent access from those bad ips to your services that are open. But it can not "stop" port scanning.
-
What pfblocker can do is prevent access from those bad ips to your services that are open. But it can not "stop" port scanning.
Now that's something I never considered before. Thank you for that insight.