Using Zone Alarm? (or any other firewall) How many port scans do you get in a day?

AndyVX (Supporting Actor, joined Aug 2, 2000, 804 messages)
I'm just wondering if the amount of port scans that Zone Alarm blocks on my computer per day is normal.

I'm using Rogers@Home as my ISP and I would think that I'm being scanned too many times per day.

Let's see, I cleared the alerts list at 8:30 this morning, and now at 3:50pm Zone Alarm has logged 115 alerts.

(A few months back I was getting 500+ per minute for a couple days in a row)

What are other peoples averages per day if you're using Cable/DSL?

Thanks.
 

Kevin P (Screenwriter, joined Jan 18, 1999, 1,439 messages)
I'm on AT&T Broadband, and lately I have been averaging around 140-150 scans (that is, individual connection attempts) per day. Yesterday I had 141, for example. Today I've had 145, so far. Most of them are HTTP scans (port 80) from computers infected with the Nimda virus. I also get 5-6 hits from sites with trojans like SubSeven or NetBus, plus the occasional FTP attempt.

Quoting AndyVX: "(A few months back I was getting 500+ per minute for a couple days in a row)"
Are you talking mid-September? That was when the Nimda virus/worm first appeared. On 9/18, the first day that Nimda was in the wild, I got 1563 hits. Also back then Code Red/Code Red II were active, so that contributed to the total number as well--in September I was averaging 400-500 hits per day until Nimda struck. So things are a lot quieter now than they were a couple months ago.

I wouldn't worry too much about it. Your firewall is keeping them out. In addition to Nimda, most of the other scans are "script kiddies" looking for open ports.

KJP
 

AndyVX (Supporting Actor, joined Aug 2, 2000, 804 messages)
Kevin,
Thanks for reassuring me. I'm glad that we are getting scanned roughly the same amount per day :)
And yeah, when I was getting 500+ per minute, it was around September now that I think about it. I guess that whole Nimda and Code Red thing would explain it. For whatever reason, I wasn't tying the two together (virus + insane port scans).
Anyways, the scans I'm getting now are all HTTP-based, but are a WIDE variety of ports (ranging from 1000-5000) and are flagged 'S', whatever that means.
 

Kevin P (Screenwriter, joined Jan 18, 1999, 1,439 messages)
HTTP-based means the scans are to a destination port of 80. The ports 1000-5000 you see are the source ports, which are assigned dynamically (they're used to distinguish multiple connections on a single machine). You can use the source port and IP to identify repeated attacks--for example, Nimda tends to make two attempts to connect, so if a Nimda-infected machine attempts to connect to yours, you will typically see two scans from the same IP + port combination within about 5 seconds of each other.

The S means the SYN bit is set on the packet, which means a TCP connection is being requested or negotiated. Typically a firewall will block incoming SYN packets since they're attempts to connect to your machine from outside. It will let non-SYN packets through though, since they're only sent once the connection is established.

Since you say the only scans now are HTTP, it's probably Nimda-infected machines on your cable subnet. You can determine that by studying the IP addresses.

KJP
 

AndyVX (Supporting Actor, joined Aug 2, 2000, 804 messages)
Once again, thanks for the info Kevin.

I was just looking at all the IP addresses, and the first two sets of numbers from 95% of them are the same as mine. (Actually, the second set of numbers varies only by the last number.)

So I guess they are all on my subnet. I'm going to click the "more info" tab on a few of them and see what comes up.
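Kevin's reading of the log above (SYN-flagged requests to destination port 80, the 1000-5000 numbers being the remote side's dynamic source ports, two attempts from the same IP + source port within about 5 seconds pointing at a Nimda retry) and Andy's follow-up check (most sources share his first two octets, so they sit on the same provider network) can be turned into a small script. The following is an added example, not code from the thread or from Zone Labs. The log lines are constructed here in the style of ZoneAlarm's text log (type, date, time and offset, source ip:port, destination ip:port, protocol and flags); the exact layout of a real ZALog differs by version, so `parse_line()` is the part to adjust. All addresses are RFC 5737 documentation ranges. The 5-second window and the /16 "same neighborhood" rule come straight from the two posts; 27374 and 12345 are the well-known default ports of the SubSeven and NetBus trojans Kevin mentions.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the style of ZoneAlarm's text log (assumed layout:
# type, date, time+offset, source ip:port, destination ip:port, protocol and flags).
# Addresses are RFC 5737 documentation ranges, not real hosts.
MY_IP = "198.51.100.50"

SAMPLE_LOG = """\
FWIN,2001/11/20,09:01:02 -5:00 GMT,198.51.100.77:1033,198.51.100.50:80,TCP (flags:S)
FWIN,2001/11/20,09:01:05 -5:00 GMT,198.51.100.77:1033,198.51.100.50:80,TCP (flags:S)
FWIN,2001/11/20,09:14:40 -5:00 GMT,198.51.100.9:2781,198.51.100.50:80,TCP (flags:S)
FWIN,2001/11/20,09:14:43 -5:00 GMT,198.51.100.9:2781,198.51.100.50:80,TCP (flags:S)
FWIN,2001/11/20,10:22:11 -5:00 GMT,203.0.113.23:4012,198.51.100.50:80,TCP (flags:S)
FWIN,2001/11/20,11:05:19 -5:00 GMT,203.0.113.23:4411,198.51.100.50:80,TCP (flags:S)
FWIN,2001/11/20,12:30:00 -5:00 GMT,192.0.2.200:3891,198.51.100.50:27374,TCP (flags:S)
FWIN,2001/11/20,13:45:09 -5:00 GMT,192.0.2.17:1999,198.51.100.50:21,TCP (flags:S)
FWIN,2001/11/20,14:02:51 -5:00 GMT,192.0.2.44:2050,198.51.100.50:12345,TCP (flags:S)
"""

# 80 is HTTP (Nimda / Code Red), 21 is FTP; 27374 and 12345 are the well-known
# default ports of SubSeven and NetBus, the trojans Kevin mentions.
KNOWN_PORTS = {80: "HTTP", 21: "FTP", 27374: "SubSeven", 12345: "NetBus"}


def parse_line(line):
    """Split one record into fields. The source port is the dynamic (ephemeral) port
    the remote machine picked; the destination port is the service probed on us."""
    kind, date, time_tz, src, dst, proto = line.split(",")
    hms = time_tz.split(" ")[0]                       # drop the "-5:00 GMT" suffix
    ts = datetime.strptime(f"{date} {hms}", "%Y/%m/%d %H:%M:%S")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    flags = proto.split("flags:")[1].rstrip(")") if "flags:" in proto else ""
    return {"kind": kind, "ts": ts, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "proto": proto.split(" ")[0], "flags": flags}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_paired_attempts(records, window=timedelta(seconds=5)):
    """(src_ip, src_port) keys that sent two SYNs within `window`: the retry pattern
    Kevin attributes to Nimda. A retry reuses the same source port; a genuinely new
    connection from the same host would arrive from a different source port."""
    times_by_key = defaultdict(list)
    for r in records:
        if "S" in r["flags"]:
            times_by_key[(r["src_ip"], r["src_port"])].append(r["ts"])
    paired = []
    for key, times in times_by_key.items():
        times.sort()
        if any(later - earlier <= window for earlier, later in zip(times, times[1:])):
            paired.append(key)
    return sorted(paired)


def in_same_neighborhood(ip, my_ip, prefixlen=16):
    """Andy's rule of thumb: a source sharing our first two octets (a /16) is most
    likely another customer on the same provider network."""
    net = ipaddress.ip_network(f"{my_ip}/{prefixlen}", strict=False)
    return ipaddress.ip_address(ip) in net


def summarize(text, my_ip):
    records = parse_log(text)
    syn = [r for r in records if "S" in r["flags"]]     # inbound connection requests
    http = [r for r in syn if r["dst_port"] == 80]
    return {
        "total_alerts": len(records),
        "syn_by_dst_port": dict(Counter(r["dst_port"] for r in syn)),
        "http_syn": len(http),
        "http_syn_from_my_neighborhood": sum(in_same_neighborhood(r["src_ip"], my_ip) for r in http),
        "distinct_http_sources": len({r["src_ip"] for r in http}),
        "paired_sources": find_paired_attempts(records),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, MY_IP)
    for port, count in sorted(report["syn_by_dst_port"].items()):
        print(f"port {port:>5} ({KNOWN_PORTS.get(port, '?')}): {count} SYN(s)")
    print("paired (retry) sources:", report["paired_sources"])
    print(report)
```

On the constructed sample the two neighborhood hosts each show up as a same-port pair a few seconds apart, while the outside host that hit port 80 twice used two different source ports an hour apart, so it is counted as two separate connections rather than one retried one. Swap `SAMPLE_LOG` for the contents of your own log file and `MY_IP` for your address to get the same breakdown for a real day.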
 

Rob FM (Second Unit, joined Jan 15, 2001, 485 messages, real name R)
Hey guys, here are some good sites to check on how strong your firewall is:
(Stolen shamelessly from the Ars Technica forum) :)
Shields UP !!
INSECURE.ORG
Link Removed
Nessus
I use Tiny Personal Firewall, and have fared pretty well on most of these tests.....so far (gulp)
~Rob
 

Carlo_M (Senior HTF Member, joined Oct 31, 1997, 13,392 messages)
Wow! I can't recommend the Netgear RT 311 Router enough! On the Shields UP website, it was as if I was running Zone Alarm. The router has a built-in firewall and apparently it works fairly well. (thumbs up)
 

Steve_Ch (Supporting Actor, joined Oct 14, 2001, 978 messages)
Let me rephrase my answer: I have a Sonicwall router/firewall in front of my LAN, and all my computers on the LAN individually run ZoneAlarm Pro. The Sonicwall is the one that traps all the scans from the Internet and provides me with a log of where they came from, how many times, and their source IP address. My ZoneAlarms behind the Sonicwall actually see nothing, so it works real well. A thumbs up for Sonicwall.
 

Joseph S (Senior HTF Member, joined Dec 23, 1999, 2,862 messages)
I've got the Linksys 100BT model and my PC is behind the firewall, but my Mac is in the "De-Militarized Zone" for remote access reasons. I get my fair share of hits every day, but they can't really do anything. FTP doesn't allow anonymous access and Apache is secured and forwarding them on to Apple.com at the moment.

The Shields UP site isn't a catch-all though. I've got 5 ports open and they only caught the FTP and HTTP access.
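The web-based testers Rob lists work by connecting to your address from outside, and Joseph's experience shows their limit: they only try a fixed handful of ports, so three of his five open ports went unreported. The script below is an added example, not code from the thread or from any of those sites. It does the same kind of TCP connect probe and classifies the answer the way such a report does: OPEN when the handshake completes, CLOSED when the host answers with a RST (reachable, nothing listening), FILTERED when nothing comes back before the timeout (what Shields UP calls "stealth": a firewall dropped the SYN, so the prober learns nothing). The `demo()` function proves the classification against a listener it creates itself on loopback, so it runs without a network; the port numbers and addresses in the comments are placeholders.

```python
import socket
from enum import Enum


class PortState(Enum):
    OPEN = "open"                # three-way handshake completed: something is listening
    CLOSED = "closed"            # host answered with a RST: reachable, nothing listening
    FILTERED = "filtered"        # no answer before the timeout: a firewall dropped the SYN
    UNREACHABLE = "unreachable"  # routing / ICMP error: the SYN never reached the host


def probe_port(host, port, timeout=1.0):
    """TCP connect probe, the check the web-based testers run from outside.
    Exception order matters: ConnectionRefusedError and socket.timeout are both
    subclasses of OSError, so the generic case must come last."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return PortState.OPEN
    except ConnectionRefusedError:
        return PortState.CLOSED
    except socket.timeout:
        return PortState.FILTERED
    except OSError:
        return PortState.UNREACHABLE
    finally:
        sock.close()


def scan(host, ports, timeout=1.0):
    """Probe every port in `ports`; report only what an outside scanner would actually
    see (OPEN) or infer from silence (FILTERED), dropping the plain CLOSED ones."""
    results = {port: probe_port(host, port, timeout) for port in ports}
    return {p: s for p, s in results.items() if s is not PortState.CLOSED}


def demo():
    """Self-contained check: the same loopback port must read OPEN while our own
    listener exists and CLOSED once it is gone. No outside network is touched."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: let the kernel pick a free port
    listener.listen(1)                    # the kernel completes handshakes for us
    port = listener.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)
    listener.close()
    after_close = probe_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())
    # Joseph's point: the web testers only try a short port list. To see everything
    # you expose, probe the whole range from another machine on your own network,
    # e.g. scan("192.168.1.10", range(1, 65536), timeout=0.3)   (placeholder address)
```

A full 65535-port sweep with a 1-second timeout against a host that drops everything takes about eighteen hours sequentially, which is why real scanners use short timeouts and parallel probes; for a home check, a low timeout plus a second pass over anything that came back FILTERED is a reasonable compromise.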
 
