
Huge number of port connections? (Black Ice)

Poff

Technical User
Feb 2, 2003
3
FR
Hi,

I know a lot of people make mountains out of mole hills when they install a firewall and think they've been "hax0red"...

BUT, in the 4 hours since I've been running Black Ice Defender, I've had 83 unique IP addresses probing TCP ports, and most worrying is that some IPs are probing > 500 times! Apart from that most are around 50 times; but why is the traffic this high?

I'm on ADSL and was told the rate should be a few connections a week; in these 4 hours it's registered 4800 "suspicious" attempts with one probe for some Trojan port.

I have an up-to-date AV, and also am running the "Cleaner" to scan for trojans.

I don't use CHAT or IRC or anything to openly broadcast my IP address, although obviously my ISP sends out some random info to broadcast it.

I have ALL incoming traffic blocked... but it's still a bit freaky.

Any ideas?

I'm on Win2k. I dual boot NetBSD but haven't figured out how to use portsentry well enough yet to get stats on that :)

Thanks for any help,

Poff
 
What are the IPs? Good chance some are keep-alives / DNS inquiries from your ISP's network. Common practice for less intelligent individuals to run port scans on the net. (Just looking for open ports. There is a finite number of IP addresses, they don't have to be published.) Find a listening port on an unprotected network. Insert a worm to use that network to initiate more scans, and so forth. Does not take long for the numbers to get big.

You might consider forwarding your logs to a group such as DShield or similar. (They compile a dbase of port request logs; when high traffic from a given IP to a number of networks is spotted, the originator is notified. They may actually not know their network is compromised, or if they are malicious, the ISP will usually take some sort of action, if only to protect their own bandwidth.)

Lastly, always good to remember:
Just 'cause you're paranoid, doesn't mean they aren't out to get you!
 
What ports are they trying to hit? Or is it just a general all ports type scan?
If you're blocking all inbound ports (good for you) then this is really nothing more than an annoyance. What are a couple of those IP addresses that are scanning you?
 
Poff -

Pretty typical, I'm afraid. See my reply to Leptonite in thread83-466053.

Chip H.


 
Thanks, I filtered out suspicious so I see I get trojan probes, BO probes...

Bunch of crap, but all incoming is blocked so it should be ok.

Thanks again,

Poff
 