Using Zone Alarm? (or any other firewall) How many port scans do you get in a day?

Discussion in 'Archived Threads 2001-2004' started by AndyVX, Nov 29, 2001.

  1. AndyVX

    AndyVX Supporting Actor

    Joined:
    Aug 2, 2000
    Messages:
    804
    Likes Received:
    0
    I'm just wondering if the amount of port scans that Zone Alarm blocks on my computer per day is normal.

    I'm using [email protected] as my ISP and I would think that I'm being scanned too many times per day.

    Let's see, I cleared the alerts list at 8:30 this morning, and now at 3:50pm Zone Alarm has logged 115 alerts.

    (A few months back I was getting 500+ per minute for a couple days in a row)

    What are other people's averages per day if you're using Cable/DSL?

    Thanks.
     
  2. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    I'm on AT&T Broadband, and lately I have been averaging around 140-150 scans (that is, individual connection attempts) per day. Yesterday I had 141, for example. Today I've had 145, so far. Most of them are HTTP scans (port 80) from computers infected with the Nimda virus. I also get 5-6 hits from sites with trojans like SubSeven or NetBus, plus the occasional FTP attempt.

     
  3. AndyVX

    AndyVX Supporting Actor

    Joined:
    Aug 2, 2000
    Messages:
    804
    Likes Received:
    0
    Kevin,
    Thanks for reassuring me. I'm glad that we are getting scanned roughly the same amount per day.
    And yea, when I was getting 500+ per minute was around September now that I think about it. I guess that whole Nimda and Code Red thing would explain it. For whatever reason, I wasn't tying the two together (virus + insane port scans).
    Anyways, the scans I'm getting now are all HTTP based, but are a WIDE variety of ports (ranging from 1000-5000) and are flagged 'S', whatever that means.
     
  4. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    HTTP-based means the scans are to a destination port of 80. The ports 1000-5000 you see are the source ports, which are assigned dynamically (they're used to distinguish multiple connections on a single machine). You can use the source port and IP to identify repeated attacks--for example, Nimda tends to make two attempts to connect, so if a Nimda infected machine attempts to connect to yours, you will typically see two scans from the same IP + port combination within about 5 seconds of each other.

    The S means the SYN bit is set on the packet, which means a TCP connection is being requested or negotiated. Typically a firewall will block incoming SYN packets since they're attempts to connect to your machine from outside. It will let non-SYN packets through though, since they're only sent once the connection is established.

    Since you say the only scans now are HTTP, it's probably Nimda infected machines on your cable subnet. You can determine that by studying the IP addresses.

    KJP
     
  5. AndyVX

    AndyVX Supporting Actor

    Joined:
    Aug 2, 2000
    Messages:
    804
    Likes Received:
    0
    Once again, thanks for the info Kevin.

    I was just looking at all the IP addresses, and the first two sets of numbers from 95% of them are the same as mine. (actually, the second set of numbers varies only by the last number)

    So I guess they are all on my subnet. I'm going to click the "more info" tab on a few of them and see what comes up.
     
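The triage Kevin describes in post 4 and Andy does by hand in post 5 (keep only SYN alerts, read the source port as the caller's ephemeral port and the destination port as the service, spot the same IP+port pair retrying within about 5 seconds, and count how many sources share your first two octets) is easy to automate over the alert log. The following script is an added example, not code from the thread or from Zone Labs; it assumes a ZoneAlarm-like CSV line layout and uses constructed sample alerts, so the field order and the addresses are assumptions, not a real capture.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in a ZoneAlarm-style CSV layout (this layout is an
# assumption for the example, not a real capture). Fields:
#   event,date,time,source ip:port,destination ip:port,protocol (flags:X)
# 80 is HTTP (the Nimda traffic), 21 is FTP, 27374 is the SubSeven default port.
SAMPLE_LOG = """\
FWIN,2001/11/29,08:31:02 -5:00 GMT,24.1.2.3:1034,24.1.5.6:80,TCP (flags:S)
FWIN,2001/11/29,08:31:05 -5:00 GMT,24.1.2.3:1034,24.1.5.6:80,TCP (flags:S)
FWIN,2001/11/29,09:02:17 -5:00 GMT,24.1.9.200:2291,24.1.5.6:80,TCP (flags:S)
FWIN,2001/11/29,09:02:21 -5:00 GMT,24.1.9.200:2291,24.1.5.6:80,TCP (flags:S)
FWIN,2001/11/29,10:15:40 -5:00 GMT,203.0.113.7:4021,24.1.5.6:27374,TCP (flags:S)
FWIN,2001/11/29,11:40:03 -5:00 GMT,198.51.100.9:1511,24.1.5.6:21,TCP (flags:S)
FWIN,2001/11/29,11:40:09 -5:00 GMT,24.1.77.14:3870,24.1.5.6:80,TCP (flags:A)
"""

LINE_RE = re.compile(
    r"^(?P<event>\w+),(?P<date>\d{4}/\d{2}/\d{2}),(?P<time>\d{2}:\d{2}:\d{2})[^,]*,"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+),(?P<dst_ip>[\d.]+):(?P<dst_port>\d+),"
    r"(?P<proto>\w+)(?: \(flags:(?P<flags>[A-Z]+)\))?$"
)


def parse_log(text):
    """Parse alert lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "ts": datetime.strptime(d["date"] + " " + d["time"], "%Y/%m/%d %H:%M:%S"),
            "src_ip": d["src_ip"],
            "src_port": int(d["src_port"]),   # caller's ephemeral port (the 1000-5000 range)
            "dst_port": int(d["dst_port"]),   # the service being probed on this host
            "proto": d["proto"],
            "flags": d["flags"] or "",
        })
    return entries


def syn_entries(entries):
    """Keep only TCP alerts with the SYN bit set: the inbound connection requests."""
    return [e for e in entries if e["proto"] == "TCP" and "S" in e["flags"]]


def dst_port_counts(entries):
    """How many SYNs hit each destination port (80 = HTTP, 21 = FTP, ...)."""
    return Counter(e["dst_port"] for e in syn_entries(entries))


def repeated_attempts(entries, window=timedelta(seconds=5)):
    """Return (src_ip, src_port, dst_port) keys that sent two SYNs within `window`.

    A retried connection keeps the same source port, so the same IP+port pair
    showing up twice a few seconds apart is one host retrying, not two scans.
    """
    by_key = defaultdict(list)
    for e in syn_entries(entries):
        by_key[(e["src_ip"], e["src_port"], e["dst_port"])].append(e["ts"])
    repeats = []
    for key, times in by_key.items():
        times.sort()
        if any(b - a <= window for a, b in zip(times, times[1:])):
            repeats.append(key)
    return sorted(repeats)


def local_share(entries, my_ip, prefix_len=16):
    """Fraction of distinct SYN sources inside my_ip's /prefix_len.

    Matching the first two octets is a /16; the ISP's real subnet may be
    narrower or wider, so treat this as a heuristic, not a routing fact.
    """
    net = ipaddress.ip_network(f"{my_ip}/{prefix_len}", strict=False)
    sources = {e["src_ip"] for e in syn_entries(entries)}
    if not sources:
        return 0.0
    local = sum(1 for ip in sources if ipaddress.ip_address(ip) in net)
    return local / len(sources)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("SYN alerts by destination port:", dict(dst_port_counts(entries)))
    print("retries (same IP+port within 5s):", repeated_attempts(entries))
    print("share of sources in my /16:", local_share(entries, "24.1.5.6"))
```

On the constructed sample this reports four SYNs to port 80, one each to 21 and 27374, two sources that retried from the same port within the window, and half of the distinct sources inside the host's /16. The non-SYN alert (flags:A) is dropped from every count, which is the same distinction Kevin draws: only SYNs are new connection attempts.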
  6. Rob FM

    Rob FM Second Unit

    Joined:
    Jan 15, 2001
    Messages:
    471
    Likes Received:
    0
    Real Name:
    R
    Hey guys, here are some good sites to check on how strong your firewall is:
    (Stolen shamelessly from the Ars Technica Forum)
    Shields UP !!
    INSECURE.ORG
    Hackerwhacker
    Nessus
    I use Tiny Personal Firewall, and have fared pretty well on most of these tests.....so far (gulp)
    ~Rob
     
  7. Steve_Ch

    Steve_Ch Supporting Actor

    Joined:
    Oct 14, 2001
    Messages:
    978
    Likes Received:
    0
    Just about on par.
     
  8. Carlo Medina

    Carlo Medina Executive Producer

    Joined:
    Oct 31, 1997
    Messages:
    10,431
    Likes Received:
    636
    Wow! I can't recommend the Netgear RT 311 Router enough! On the Shields Up website, it was as if I was running Zone Alarm. The router has a built-in firewall and apparently it works fairly well.
     
  9. Steve_Ch

    Steve_Ch Supporting Actor

    Joined:
    Oct 14, 2001
    Messages:
    978
    Likes Received:
    0
    Let me rephrase my answer. I have a Sonicwall Router Firewall in front of my LAN and all my computers on the LAN individually run ZoneAlarm Pro. Sonicwall is the one that traps all the scans from the Internet and provides me with a log of where they came from, how many times, and their source IP address. My ZoneAlarms behind the Sonicwall actually see nothing, so it works real well. A for Sonicwall.
     
  10. Joseph S

    Joseph S Cinematographer

    Joined:
    Dec 23, 1999
    Messages:
    2,862
    Likes Received:
    0
    I've got the Linksys 100BT model and my PC is behind the firewall, but my Mac is in the "De-Militarized Zone" for remote access reasons. I get my fair share of hits everyday, but they can't really do anything. FTP doesn't allow anonymous access and Apache is secured and forwarding them on to Apple.com at the moment.

    The Shields up site isn't a catch all though. I've got 5 ports open and they only caught the FTP and HTTP access.
     