Flood of unsolicited attempts to contact my system via Internet

Discussion in 'Virus Information' started by Phil Weldon, Jun 18, 2004.

  1. Phil Weldon

    Phil Weldon Guest

    I have a simple hardware firewall (Microsoft wireless base station.) The
    log shows about 300 attempts per hour, usually two or three from one IP
    address, then from another, then .....

    Is anyone else experiencing such a flood? The reverse lookup shows the
    IP's are from all over the map.

    --
    Phil Weldon, pweldonatmindjumpdotcom
    For communication,
    replace "at" with the 'at sign'
    replace "mindjump" with "mindspring."
    replace "dot" with "."
     
    Phil Weldon, Jun 18, 2004
    #1

  2. Phil Weldon

    N. Miller Guest

    Do you mean stuff like the following:
    While I am not experiencing 300 an hour right now, there was a time, during
    the peak of Code Red, when I was. Now, if you were experiencing 300 a
    minute, or worse, you could expect degradation of service. Maybe, if you are
    using a cheap router, 300 an hour would have an adverse impact; but I didn't
    suffer any noticeable deterioration of service during the Code Red attacks.
     
    N. Miller, Jun 18, 2004
    #2

  3. Johannes H Andersen

    Called my ISP on a premium line about a problem. Yes, silly of me.

    I=1
    HELLOU:

    ISP person: "I recommend you use our dialler software".
    Me: "No way"

    I=I+1, If I<=3 Then Goto HELLOU

    Then I hang up.
     
    Johannes H Andersen, Jun 18, 2004
    #3
  4. Phil Weldon

    Phil Weldon Guest

    No, I of course don't experience degradation of service, but it does seem to
    be a high number.
    Example from log, edited to protect the innocent:

    2004/06/13 21:53:33 Connection attempt to base station from WAN blocked --
    src:<83.37.12.221:3268>
    2004/06/13 21:53:33 Connection attempt to base station from WAN blocked --
    src:<65.115.175.40:63617>
    2004/06/13 21:53:36 Connection attempt to base station from WAN blocked --
    src:<201.8.246.148:3662>
    2004/06/13 21:53:36 Connection attempt to base station from WAN blocked --
    src:<24.86.39.231:2855>
    2004/06/13 21:53:39 Connection attempt to base station from WAN blocked --
    src:<201.8.246.148:3662>
    2004/06/13 21:53:39 Connection attempt to base station from WAN blocked --
    src:<83.37.12.221:3268>
    2004/06/13 21:53:39 Connection attempt to base station from WAN blocked --
    src:<24.86.39.231:2855>

    --
    Phil Weldon, pweldonatmindjumpdotcom
    For communication,
    replace "at" with the 'at sign'
    replace "mindjump" with "mindspring."
    replace "dot" with "."

    unopened port received': Blocked: In TCP, dyn-83-155-48-215.ppp.tiscali.fr
    [83.155.48.215:4800]->localhost:6882, Owner: no owner..
    ..
    ..
     
    Phil Weldon, Jun 19, 2004
    #4
  5. Phil Weldon

    N. Miller Guest

    Unfortunately, you managed to edit the interesting log entries. Knowing the
    destination ports is a long way to knowing what is up. Looking again at
    mine, somewhat edited to conserve space:
    Somebody looking for BitTorrent activity. This entry was made within a few
    hours of me closing a BitTorrent file download. This log entry was created
    by Kerio Personal Firewall; the packets were passed through by the router on
    a rule I created to allow access to ports 6881-6889 for BitTorrent
    downloads. When the BitTorrent client is not running, KPF logs the packets
    as "Blocked".
    Somebody looking for NetBIOS connections on my network. These were logged by
    the Netgear router, which has no NetBIOS capability at all. This kind of
    probe, looking for NetBIOS connections, can be considered hostile; but it is
    not a problem in my case because NetBIOS is not exposed to the Internet.

    I did not hide anything in my original article because there was nothing to
    hide. Three kinds of IP addresses can be seen in my logs; WAN source IP
    address, where the packets were coming from; WAN destination IP address,
    where the packets were going to; LAN IP addresses, the local machines that
    were involved in packet transactions accepted by the router.

    I don't care what you know about my private LAN; RFC 1918 addresses are
    normally not accessible to the Internet. I have yet to encounter actual
    evidence that somebody knowing my private LAN RFC 1918 addresses makes me
    vulnerable. I don't care who knows my WAN IP address because it is
    accessible from the Internet anyway. But it helps, greatly, to know the
    destination ports because those can tell a story about possible reasons for
    the probes. The source port and the destination port, together, can be
    pretty revealing. Two successive UDP probes, one to port 135, another to
    port 102x (where 'x' can be from 4 to 7) from port 666, and the same source
    IP address is an attempt to deliver Windows Messenger popup spam!

    Currently, in my logs, the hottest destination ports are 4899, 5554, and
    9898. Apparently some kind of worm. Next is 137; NetBIOS. All of my 4899,
    5554, and 9898 probes tonight seem to be from APNIC. Port 137 probes from
    ARIN and RIPE.
     
    N. Miller, Jun 19, 2004
    #5
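The destination-port reading N. Miller describes above (Messenger popup spam as paired UDP probes from port 666 to 135 and 1024-1027, worm probes on 4899/5554/9898, NetBIOS on 137, BitTorrent on 6881-6889) can be turned into a small triage script. This is an added example, not code from anyone in the thread; the log lines are constructed in the style of the Kerio Personal Firewall entry quoted earlier, with made-up addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the KPF entry quoted in the thread (addresses are made up).
SAMPLE_LOG = """\
Blocked: In UDP, 10.0.0.5 [10.0.0.5:666]->localhost:135, Owner: no owner
Blocked: In UDP, 10.0.0.5 [10.0.0.5:666]->localhost:1026, Owner: no owner
Blocked: In TCP, 192.0.2.7 [192.0.2.7:3268]->localhost:4899, Owner: no owner
Blocked: In TCP, 192.0.2.8 [192.0.2.8:2855]->localhost:5554, Owner: no owner
Blocked: In TCP, 198.51.100.3 [198.51.100.3:4800]->localhost:6882, Owner: no owner
Blocked: In UDP, 203.0.113.9 [203.0.113.9:137]->localhost:137, Owner: no owner
"""

LINE_RE = re.compile(
    r"Blocked: In (?P<proto>TCP|UDP), \S+ \[(?P<src>[\d.]+):(?P<sport>\d+)\]->\S+:(?P<dport>\d+)"
)

# Destination-port story from the thread: worm probes, NetBIOS, and the BitTorrent range.
PORT_TAGS = {4899: "worm probe", 5554: "worm probe", 9898: "worm probe", 137: "NetBIOS"}
BT_RANGE = range(6881, 6890)
MESSENGER_HIGH = range(1024, 1028)  # the "102x" ports, x from 4 to 7

def parse(log):
    """Return (proto, src_ip, src_port, dst_port) tuples in log order; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["proto"], m["src"], int(m["sport"]), int(m["dport"])))
    return events

def tag_port(dport):
    if dport in PORT_TAGS:
        return PORT_TAGS[dport]
    return "BitTorrent" if dport in BT_RANGE else "other"

def messenger_spam_sources(events):
    """Sources whose two successive UDP probes from port 666 hit 135 and one of 1024-1027."""
    last = {}      # src -> destination port of its previous UDP/666 probe
    flagged = set()
    for proto, src, sport, dport in events:
        if proto != "UDP" or sport != 666:
            continue
        prev = last.get(src)
        if prev is not None and {prev, dport} & {135} and (prev in MESSENGER_HIGH or dport in MESSENGER_HIGH):
            flagged.add(src)
        last[src] = dport
    return sorted(flagged)

def port_summary(events):
    """Count blocked entries by the story their destination port tells."""
    counts = defaultdict(int)
    for _, _, _, dport in events:
        counts[tag_port(dport)] += 1
    return dict(counts)
```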
  6. Phil Weldon

    Derek Guest

    Hi Phil,
    I think this problem is pretty widespread. I find that weekends are worse
    than weekdays and evenings worse than daytime.
    Derek
     
    Derek, Jun 19, 2004
    #6
  7. Phil Weldon

    Lance Guest

    Phil Weldon thought carefully and wrote On 6/18/2004 1:59 PM:
    Hi Phil,

    When I first started using firewalls and looked at the logs, I just
    about freaked out. But this is a fundamental nature of the internet,
    anybody can connect to anybody else - or at least try to connect.

    I work at a large university and "Academic Freedom" is a faculty
    rallying cry, thus our IT dept has little control over individual
    computer setups. 300 probes every *minute* is almost normal. Our network
    appears robust enough to handle this without any service degradation.

    Lance
    *****
     
    Lance, Jun 19, 2004
    #7
  8. Phil Weldon

    Phil Weldon Guest

    Thanks Lance. I've had my hardware firewall function for about a year, but
    only just uploaded the log (which fills up after 500 or so contacts.) I
    then began to check it periodically, and found more than I ever expected. I
    wonder why ISPs don't provide a hardware firewall function in their
    broadband modems? It couldn't cost very much considering the unit volume.

    --
    Phil Weldon, pweldonatmindjumpdotcom
    For communication,
    replace "at" with the 'at sign'
    replace "mindjump" with "mindspring."
    replace "dot" with "."
     
    Phil Weldon, Jun 19, 2004
    #8
