Stopping the 137 port scans
Jooske
October 3rd, 2002, 08:11 PM
For several days now we have been plagued with hundreds of knocks on our UDP port 137, mainly caused by Opasoft and/or Bugbear; in the meantime additional ports have shown up. I found a solution which works for me to have none of those portscans at all, which is:
Use TDS > Networks > TCP Port Listen > choose port 137 > Listen.
Afterwards your firewall might ask whether to allow server or not; in both cases it works the same for me: I don't see packets from that entering my system, nor do I get any portscans anymore as long as that function is up, while it immediately starts again when I close it.
I'm urgently trying to get straight answers from other users as to whether that solution works for others as well or not at all, or if they have other ways to stop them, to be able to give this as advice to other users who in several cases are even being DDoSed by those "attacks" and even lose internet connections!
So please, for the well-being of the internet community as a whole, be so kind as to try this trick on your own system and choose the option which works best for you. Thanks a lot for your cooperation!
eyespy
October 4th, 2002, 12:24 AM
Jooske,
I don't use TDS. I do use ZA Pro and just check my logs now and again to see if someone is still trying to find the key to my door!!
Regards,
bill :)
Jooske
October 4th, 2002, 02:06 AM
I use ZAPro too, and have the NetBIOS ports blocked for incoming and outgoing traffic. But all those portscans drive people crazy, as although they can't pass the FW (yet) you still get the scans, and in several cases this leads to users' connections being DDoSed and even ADSL connections lost.
I would almost say, if you like, have a try with an eval of TDS and see if it helps you, but I am not promoting the program here for that reason only, of course, as I think there are more programs with that kind of function, or another one which might do the same trick. It's just my goal to get peace and quiet and a safe internet back for all, and to find which tools we have together for that.
Bethrezen
October 20th, 2002, 02:02 AM
Hi all
I too have noticed this; I too have also been shut down by this a few times. Last night I got somewhere in the region of 300 or more alerts from this. Though it was kind of strange that the volume of alerts had increased recently, the odd thing is that most of the alerts were on port 0, not 137, although I have had a few on 137.
Can't try your trick out as I don't have TDS; I only have ZA free and VZ.
Wish I knew a way to stop this sort of thing, because this is not the first time my connection has suffered from this sort of thing. Plus it interferes with my downloads, it slows things down, and sometimes I log on and even though I'm connected at max speed (64k ISDN) the pages won't load, so I need to disconnect then reconnect, at which point I get a different IP and everything works OK, well for a little while anyway.
Also, if you go to the DShield web page you can look at the world map that shows what sort of alerts have been happening, where and at what rate. Last time I was there this 137 thing made up about 50% of the total alerts received from the UK, where I live.
I think what is needed here is a little app that can intercept and redirect the probes away from you, maybe back to where they came from; that way it won't interfere with your connection. Maybe an app that works kind of like AdShield: you just add the port number to your block list and then no matter how hard a person tries you will never receive traffic on that port again until you unblock it. Maybe if someone smart here can figure out why what you did with TDS worked for you, they can replicate it in an app for the rest of us.
Fingers crossed
Night
Jooske
October 20th, 2002, 02:55 AM
Hi Bethrezen,
I've been in such port 0 attacks as well, which I think was people all together playing some game, as my log showed all were IPs from universities on one occasion, from all over the world. Disconnecting and waiting some quarter of an hour before connecting again helped me out that time.
For the 137 port knocking my ISP suggested to keep on warning all knockers' ISPs, as the people are probably infected, and with our warnings we can help to get the internet cleaned out little by little. But I must admit I only warn if I see the same people really frequently on such a port.
Too many people need that port for file and printer sharing over the internet, so my ISP is not going to filter it out.
I wish they gave some button or option on their site where customers can enable/disable it at their own wish...
They only come through when I don't use that TCP Port Listen function. Of course you can put it on whatever port you like for the moment. So a year ago we let port 80 CodeRed packets come in to look at what they are and see the variants. Once we knew what it was I blocked port 80 in my FW too.
Why don't you try it out: download TDS at www.diamondcs.com.au (look in the DCS > TDS forums here for suggested basic configuration) and try that port listen function to get your peace. You can try it out for free for several days, and clean your system in the meantime from trojans if there are any, and have lots of other tools at hand. The only risk is that you really love and like the tool and don't want to stop using it, or you would not like it and don't mind it stopping after those 30 days.
So if you get remarkably many portscans on one certain port, you could try to quiet it down with that port listen function and, depending on whether you want to see what happens, block that port extra in ZA too.
I opened this poll of course hoping to see more solutions, as too many people get DDoSed with them...
FanJ
October 20th, 2002, 05:58 AM
First I would like to apologize to Jooske for not trying her solution.
I was hit really hard with those scans; so hard that I was indeed DDoSed out.
My solution (not a cheap one....) was buying a good hardware firewall. So far it has helped me (fingers crossed!).
I agree with Jooske: it would be very nice if a provider would give its users the option to block it on the provider-level, not by default but giving the user the option to enable such a block.
Jooske
October 20th, 2002, 08:56 AM
I'm rather practical, first trying the stuff I have already, before looking at other solutions which might be more permanent, if necessary.
Of course a router will be a good solution, and I hope you're doing fine with it by now, once configured well etc.
So with the router on it, do you still get the 137 scans in the log files?
Does it help against being DDoSed out?
I'm not logging nor seeing them nor being DDoSed out, unless I don't set that TDS function, and then they hit really every few seconds.
controler
October 20th, 2002, 09:08 AM
OK, here is my SPF log file on port 137; hope you can read it.
1***10/19/2002 19:31:08***Allowed***UDP***Outgoing******63.255.255.255***137***00.000.000.000***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***15***10/19/2002 19:30:03***10/19/2002 19:30:07***GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
***
2***10/19/2002 19:31:08***Allowed***UDP***Incoming******00.000.000.000***137***63.255.255.255***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***15***10/19/2002 19:30:03***10/19/2002 19:30:07***GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
***
46***10/19/2002 20:10:50***Allowed***UDP***Outgoing******216.160.21.255***137***216.160.21.208***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***18***10/19/2002 20:09:42***10/19/2002 20:09:48***GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
***
47***10/19/2002 20:10:50***Allowed***UDP***Incoming******216.160.21.208***137***216.160.21.255***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***18***10/19/2002 20:09:42***10/19/2002 20:09:48***GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
***
48***10/19/2002 20:10:50***Blocked***ICMP***Incoming******216.160.20.254***1***216.160.21.208***3******
***
49***10/19/2002 20:10:50***Blocked***UDP***Incoming******12.84.204.61***1028***216.160.21.208***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/19/2002 20:09:46***10/19/2002 20:09:46***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
66***10/19/2002 20:19:18***Blocked***UDP***Incoming******00.000.000.000***1032***216.160.21.208***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/19/2002 20:18:13***10/19/2002 20:18:13***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
77***10/19/2002 20:22:56***Blocked***UDP***Incoming******00.00.0.000***1025***216.160.21.208***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/19/2002 20:21:51***10/19/2002 20:21:51***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
109***10/19/2002 20:41:31***Blocked***UDP***Incoming******218.148.222.17***1025***216.160.21.208***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/19/2002 20:40:26***10/19/2002 20:40:26***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
113***10/19/2002 21:03:05***Blocked***UDP***Incoming******216.72.232.243***1028***216.160.21.208***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/19/2002 21:02:00***10/19/2002 21:02:00***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
114***10/19/2002 21:05:34***Blocked***UDP***Incoming******12.98.40.54***1044***216.160.21.208***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/19/2002 21:04:32***10/19/2002 21:04:32***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
118***10/19/2002 21:11:58***Blocked***UDP***Incoming******216.69.36.120***1026***216.160.21.208***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/19/2002 21:10:57***10/19/2002 21:10:57***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
182***10/19/2002 23:29:04***Allowed***UDP***Outgoing******67.255.255.255***137***00.00.000.000***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***12***10/19/2002 23:29:03***10/19/2002 23:29:05***GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP***
183***10/19/2002 23:29:04***Allowed***UDP***Incoming******00.00.000.000***137***67.255.255.255***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***12***10/19/2002 23:29:03***10/19/2002 23:29:05***GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP***
188***10/19/2002 23:30:12***Allowed***UDP***Outgoing******67.255.255.255***137***00.00.000.000***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***3***10/19/2002 23:29:06***10/19/2002 23:29:08***GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP***
189***10/19/2002 23:30:12***Allowed***UDP***Incoming******00.00.000.000***137***67.255.255.255***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***3***10/19/2002 23:29:06***10/19/2002 23:29:08***GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP***
198***10/19/2002 23:32:51***Blocked***UDP***Incoming******210.201.100.129***1027***00.00.000.000***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/19/2002 23:32:52***10/19/2002 23:32:52***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
238***10/20/2002 07:01:40***Allowed***UDP***Outgoing******67.255.255.255***137***00.00.000.000***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***15***10/20/2002 07:00:33***10/20/2002 07:00:37***GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP***
239***10/20/2002 07:01:40***Allowed***UDP***Incoming******00.00.000.000***137***67.255.255.255***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***15***10/20/2002 07:00:33***10/20/2002 07:00:37***GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP***
262***10/20/2002 07:06:49***Blocked***UDP***Incoming******217.208.164.217***33566***00.00.000.000***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/20/2002 07:05:44***10/20/2002 07:05:44***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
300***10/20/2002 07:21:50***Blocked***UDP***Incoming******200.195.178.164***1028***00.00.000.000***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/20/2002 07:20:47***10/20/2002 07:20:47***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
317***10/20/2002 07:33:49***Blocked***UDP***Incoming******217.164.103.113***1030***00.00.000.000***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/20/2002 07:32:48***10/20/2002 07:32:48***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
***
***
controler
October 20th, 2002, 09:51 AM
x
Jooske
October 20th, 2002, 10:17 AM
That's a nice log; I see OUTGOING UDP 137 traffic too: is that intentional or...?
Did you also try any packet sniffer / port listen function or anything at all to not have all those 137 knocks on ports?
I'm not sure about the rulesets; that is SPF users' knowledge :D.
I would love to see if such a tool eliminates the knocks and thus the possible DDoSing.
controler
October 20th, 2002, 10:24 AM
Some of those incoming and outgoing are confusing me too.
That is not my IP either way LOL
Jooske? Are you saying that making port 137 unstealthed stops the port scan? I am getting confused on what you mean by listen. As you can see from my SPF log, I am listening on 137.
Jooske
October 20th, 2002, 10:57 AM
Hi Controler, if you still have your TDS copy installed, see what happens if you use the Networks > TCP Port Listen function. I guess the Traffic Bridge would do the same. In the firewall they are still blocked, unless you really want to get them in and look at the packets sent to you.
I'm not even sure if it unstealths the port. But you can use it as a server or just connect to the internet and listen for incoming data packets on that. Of course you can take any port number you like.
Hm, I did not even try allowing server and on port 1025 ;D
Isn't this a nice result? TCP Port Listen on port # 137:
FWIN,2002/10/19,20:36:16 +2:00 GMT,206.117.161.xx:1371,xxx.xxx.xxx.xxx:80,TCP (flags:S)
FWIN,2002/10/19,20:41:22 +2:00 GMT,203.198.140.xxx:59022,xxx.xxx.xxx.xxx:80,TCP (flags:S)
FWIN,2002/10/19,21:01:00 +2:00 GMT,202.118.210.xxx:3872,xxx.xxx.xxx.xxx:80,TCP (flags:S)
FWIN,2002/10/19,23:03:52 +2:00 GMT,62.139.254.xxx:1667,xxx.xxx.xxx.xxx:27374,TCP (flags:S)
FWIN,2002/10/20,05:53:36 +2:00 GMT,64.128.237.xxx:60272,xxx.xxx.xxx.xxx:80,TCP (flags:S)
FWIN,2002/10/20,05:55:50 +2:00 GMT,210.212.216.xxx:2005,xxx.xxx.xxx.xxx:80,TCP (flags:S)
FWIN,2002/10/20,08:46:00 +2:00 GMT,218.155.10.xxx:0,xxx.xxx.xxx.xxx:0,ICMP (type:3/subtype:3)
PE,2002/10/20,10:21:50 +2:00 GMT,TCP/IP-opdracht Netstat,xxx.xxx.xxx.xxx:53,N/A
FWIN,2002/10/20,12:44:56 +2:00 GMT,62.25.209.xxx:4084,xxx.xxx.xxx.xxx:27374,TCP (flags:S)
FWIN,2002/10/20,13:34:48 +2:00 GMT,212.131.240.xxx:3875,xxx.xxx.xxx.xxx:111,TCP (flags:S)
FWIN,2002/10/20,14:30:34 +2:00 GMT,65.25.234.xxx:3868,xxx.xxx.xxx.xxx:80,TCP (flags:S)
FWIN,2002/10/20,16:03:58 +2:00 GMT,62.131.54.xxx:3098,xxx.xxx.xxx.xxx:80,TCP (flags:S)
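An added example (not code from this thread or from any of the firewall vendors) that reads the two log formats posted above, controler's Sygate (SPF) records and Jooske's ZoneAlarm FWIN lines, and tallies the inbound UDP 137 knocks per source and per day, separating them from the box's own broadcast/0.0.0.0 NetBIOS chatter. The SPF field order is my reading of the posted entries; the sample lines are copied from the posts with their original masking.

```python
"""Tally NetBIOS Name Service (UDP 137) probes from the two personal-firewall log formats
posted in this thread: Sygate Personal Firewall records ('***'-separated) and ZoneAlarm
FWIN lines (comma-separated). Sample lines are taken from the posted logs, 'xxx' masking kept."""
from collections import Counter
from dataclasses import dataclass

NETBIOS_PORTS = {137, 138, 139}          # NetBIOS name, datagram and session services

@dataclass
class Event:
    ts: str
    action: str          # Allowed / Blocked
    proto: str           # UDP / TCP / ICMP
    direction: str       # Incoming / Outgoing
    remote_ip: str
    remote_port: int
    local_ip: str
    local_port: int

def parse_spf_line(line):
    """Sygate record; field order as read off the posted entries (assumption): id, time,
    action, protocol, direction, (empty), remote host/port, local host/port, process, ..."""
    f = line.split("***")
    if len(f) < 10 or not f[0].strip().isdigit():
        return None                              # bare '***' separator or malformed line
    try:
        return Event(f[1], f[2], f[3], f[4], f[6], int(f[7]), f[8], int(f[9]))
    except ValueError:
        return None

def parse_za_line(line):
    """ZoneAlarm line; only FWIN (blocked inbound) is a firewall hit, PE lines are
    program events and are skipped."""
    f = line.split(",")
    if len(f) < 6 or f[0] != "FWIN":
        return None
    src_ip, src_port = f[3].rsplit(":", 1)
    dst_ip, dst_port = f[4].rsplit(":", 1)
    proto = f[5].split()[0]                      # 'TCP (flags:S)' -> 'TCP'
    return Event(f"{f[1]} {f[2]}", "Blocked", proto, "Incoming",
                 src_ip, int(src_port), dst_ip, int(dst_port))

def load_events(text, parser):
    return [e for e in (parser(l) for l in text.strip().splitlines()) if e]

def is_local_chatter(ev):
    """Primrose's point in the thread: entries from 0.0.0.0 or to/from a broadcast
    address are the box's own NetBIOS traffic on the LAN, not an outside probe."""
    unspecified = set(ev.remote_ip.replace(".", "")) == {"0"}
    return unspecified or ev.remote_ip.endswith(".255") or ev.local_ip.endswith(".255")

def netbios_probes(events):
    """Inbound UDP on 137-139 from a real remote host: the 'knocks' the thread counts."""
    return [e for e in events if e.direction == "Incoming" and e.proto == "UDP"
            and e.local_port in NETBIOS_PORTS and not is_local_chatter(e)]

def probes_per_source(events):
    return Counter(e.remote_ip for e in netbios_probes(events))

def probes_per_day(events):
    # SPF stamps 'MM/DD/YYYY hh:mm:ss', ZA 'YYYY/MM/DD hh:mm:ss +z'; both start with the date
    return Counter(e.ts.split()[0] for e in netbios_probes(events))

def inbound_by_port(events):
    """What else is knocking: every blocked inbound TCP/UDP hit, by local port."""
    return Counter(e.local_port for e in events
                   if e.direction == "Incoming" and e.proto in ("TCP", "UDP"))

SPF_SAMPLE = r"""
1***10/19/2002 19:31:08***Allowed***UDP***Outgoing******63.255.255.255***137***00.000.000.000***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***15***10/19/2002 19:30:03***10/19/2002 19:30:07***GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
***
2***10/19/2002 19:31:08***Allowed***UDP***Incoming******00.000.000.000***137***63.255.255.255***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***15***10/19/2002 19:30:03***10/19/2002 19:30:07***GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
49***10/19/2002 20:10:50***Blocked***UDP***Incoming******12.84.204.61***1028***216.160.21.208***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/19/2002 20:09:46***10/19/2002 20:09:46***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
109***10/19/2002 20:41:31***Blocked***UDP***Incoming******218.148.222.17***1025***216.160.21.208***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/19/2002 20:40:26***10/19/2002 20:40:26***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
113***10/19/2002 21:03:05***Blocked***UDP***Incoming******216.72.232.243***1028***216.160.21.208***137***C:\WINDOWS\SYSTEM\KERNEL32.DLL***1***10/19/2002 21:02:00***10/19/2002 21:02:00***GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP***
"""

ZA_SAMPLE = """
FWIN,2002/10/19,20:36:16 +2:00 GMT,206.117.161.xx:1371,xxx.xxx.xxx.xxx:80,TCP (flags:S)
FWIN,2002/10/19,23:03:52 +2:00 GMT,62.139.254.xxx:1667,xxx.xxx.xxx.xxx:27374,TCP (flags:S)
FWIN,2002/10/20,08:46:00 +2:00 GMT,218.155.10.xxx:0,xxx.xxx.xxx.xxx:0,ICMP (type:3/subtype:3)
PE,2002/10/20,10:21:50 +2:00 GMT,TCP/IP-opdracht Netstat,xxx.xxx.xxx.xxx:53,N/A
"""

if __name__ == "__main__":
    spf, za = load_events(SPF_SAMPLE, parse_spf_line), load_events(ZA_SAMPLE, parse_za_line)
    print("SPF 137 probes:", probes_per_source(spf), probes_per_day(spf))
    print("ZA 137 probes:", probes_per_day(za), "other inbound:", inbound_by_port(za))
```

Run against the two samples it reports three outside 137 knocks in the SPF log (one each from three sources, all on 10/19/2002) and none at all in the ZA log taken while TCP Port Listen was on, which only shows the usual port 80, 27374 and ICMP noise.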
Primrose
October 20th, 2002, 12:36 PM
Controler,
But all that 137-139 stuff is inside your box to an internal address, and that is OK at 0.0.0.0. It is not trying to get outside; it is all normal, and Sygate, just like many other firewalls nowadays, is looking INSIDE the box trying to help all of us decide if something abnormal is going on.
controler
October 20th, 2002, 12:51 PM
Primrose
Yup, I know about the 137-139. I was referring to the firewall log above, the firewall screenshot.
Look at the IPs starting with 216, etc.; those are not my IPs.
Jooske? You are going to get me to buy TDS-3 yet, aren't you ;D
Have you tried your 137 port listen and then gone to DSLReports to do a port scan to see how that port looks?
Please do, OK?
Jooske? What is that high number port you have doing?
FWIN,2002/10/20,12:44:56 +2:00 GMT,62.25.209.xxx:4084,xxx.xxx.xxx.xxx:27374,TCP (flags:S)
Jooske
October 20th, 2002, 01:41 PM
I'm confused about your portscan remark: how should I do that? Does DSLReports have a special page for that?
If the tool is acting as a server, I could look at other people's intentions trying to play with my "server", with me watching their packets coming in. But by no means would I be able to use it as a scanner on others.
That 27374 was a portscan on me with maybe S7, I don't know; I could of course have changed the port listen to that 27374, maybe even have unloaded the protecting socket for that, taking away the blocking from the firewall, and played around with the portscanner with one of the nice Scripts. But I never do anything, first looking at what the person is up to, and most of the time they back off automatically when they see they are discovered, with a backtrace for instance.
controler
October 20th, 2002, 03:48 PM
Jooske
I meant for you to turn the TDS-3 port 137 listen on.
Then go to
http://www.dslreports.com
On the left side of the page is TOOLS;
click on that and run the port scan to see if you are still stealthed with that port listening.
FanJ
October 20th, 2002, 06:46 PM
Hi,
This is the link:
http://www.dslreports.com/scan
You need Java enabled.
Bethrezen
October 20th, 2002, 10:23 PM
Hi all
I just ran across this and was wondering if this could maybe be the answer we are looking for, if you can set it to monitor port 137 instead of 80.
http://www.hackbusters.net/LaBrea/lbathome.html
Jooske
October 21st, 2002, 01:38 AM
You mean this result?
FanJ
October 21st, 2002, 09:28 AM
Yep :)
Jooske
October 21st, 2002, 10:41 AM
Yeah, nothing interesting found, all dull stuff maybe? ;D
I saw them being blocked by the FW.
But I hope there comes some solution for that 137 soon.
As I just found a warning in Kaspersky's newsletter that there is a new Opasoft version which would be worse than the other one. They did not describe the ports that one is using, so I keep to the 137 till new instructions are there.
controler
October 21st, 2002, 09:25 PM
Bethrezen
That Tarpit doesn't support Windows XP
Jooske
October 22nd, 2002, 01:09 PM
Looked at it, and for me it seems like a honeypot in which the intruders get stuck until we release them. Hm, not sure if I really want that, so I did not get it, but it sounds nice.
Heya guys, I don't see much voting? I wish we could choose more than one option, but OK, I'm glad we are discussing the matter and trying to find solutions.
Detox
October 23rd, 2002, 01:02 AM
Hmm, well mine's nothing special, but I have blocked all traffic on 137 and 138 with SPF so nothing is happening to me; it doesn't seem to affect anything else, so I'm happy as of yet.
Oh BTW, that rule was made to stop that "kernel" crap from sending msgs home or whatever it was doing, and it just happened to block this as well.
UNICRON
October 23rd, 2002, 01:08 AM
Being so busy I didn't notice the connection attempts; just checked my router/firewall logs... Yikes! That's a lot of connections. Well, they never actually make it to my machine, so oh well, that's why I bought the router in the first place. exo-skeleton
controler
October 23rd, 2002, 06:15 PM
Here is a good article for those of you still following the Honeynet people.
Oh my... was this a Linux machine? LOL
http://project.honeynet.org/scans/scan22/sol/sotm22/
Bethrezen
November 6th, 2002, 08:08 PM
Hi all
I just had an odd occurrence on my comp and things went haywire and I needed to restart my com, and it got me thinking. I was wondering if I could use SpyBlocker's PAC file to stop these probes by blocking the IPs that they are coming from. What do you think, do you reckon it could work and give me a little peace and quiet so that I won't keep getting these damn scans?
Krusty
November 6th, 2002, 09:48 PM
{QUOTE-> quoting: Bethrezen link=board=19;threadid=4011;start=15#30750 date=1036631286]
Bethrezen
if I could use SpyBlocker's PAC file to stop these probes by blocking the IPs that they are coming from. What do you think, do you reckon it could work and give me a little peace and quiet so that I won't keep getting these damn scans?
<-QUOTE}
Howdy
I just went and opened "SpyBlocker" up in WordPad and hit Ctrl+F, so I could find if port 80 was marked there. It is there, and you are able to change it to whatever you like, but is it "legal"? I dunno. And if you are brave enough to try the damn thingy for UDP scans.... :P to make them invisible, how can you be sure, after they don't show up, whether there is any activity at all? Just asking. I prefer checking the firewall's log file ;)
-Ari-
controler
November 6th, 2002, 09:57 PM
Bethrezen
I might be wrong here, but I think those port 137 scans are coming from hundreds of thousands of different IP addresses.
You would need to write a nice piece of software that would detect the intrusion and instantly add a block for that IP,
that is if you don't just stop all traffic on that port.
I decided to try Kaspersky's Anti-Hacker firewall beta again.
I am finding the rules are pretty user-friendly to set up.
I am just messing around with port 137 now.
This is a brand new install of Windows ME and I am getting DLL errors with the new beta. Oh oh.
snowman
November 6th, 2002, 10:58 PM
Would someone be so kind as to bring me up to date on this issue... I've only been back on the net less than a week.
During the time back... I have not received any, none, scans on port 137... numerous other scans... none on 137... a few on port 111...
I do have a blocker listening on ports 137 TCP and UDP... no connection attempts showing... firewall not being hit...
Numerous NetBIOS Name hits... could this be what this subject is about?
Thanks in advance
snowman
LowWaterMark
November 6th, 2002, 11:11 PM
This thread has some good information on the viruses/worms thought to be responsible for the massive increase in NetBIOS Name (UDP 137) port scans:
http://www.wilderssecurity.com/showthread.php?t=3986
It was mainly in reference to UDP 137 scans that this poll was started, looking to find ways to reduce the impact on people's systems from the high volume of scans.
snowman
November 6th, 2002, 11:47 PM
LowWaterMark
Appreciate you taking the time to reply... I was totally unaware of the details... and just read the entire link you provided.
Now I am wondering why I am not getting these scans; since yesterday... none today. There never were any port 137 UDP connection attempts made on my computer... the NetBIOS Name scans were all on other ports... FE: port **** to port ####. I must be missing something in my understanding of this.
Don't really know how to reply to the topic... sure there are ways of blocking the evil port... and for every two people that block the port, 20 million won't... and the internet remains jammed... for every two persons who follow safe computing... 20 million won't.
Got to give this some thought.
snowman
snapdragin
November 7th, 2002, 12:16 AM
Hi there snowman - 'tis great to read your posts again!
I have been keeping a close eye on my router's log since people first started posting about these scans on port 137, and I am guessing my ISP must be blocking it or something, because I have not seen one scan attempt on that port in my router's log. Not complaining though! I don't mind being left out of those scans... but I am curious why so many have gotten them and I haven't seen one.
snap
LowWaterMark
November 7th, 2002, 12:52 AM
There have been discussions in various places since this whole Opaserv/Bugbear thing started regarding whether or not ISPs should block the NetBIOS ports. Some people have said their ISPs have always blocked these ports (and they haven't seen a single scan). A couple others said their ISP notified them recently that they were going to start blocking these ports in response to the new threat.
Mine does not block them, though, frankly I would not have a problem if they did. I would never use NetBIOS over the Internet, so having access to these ports isn't of any value to me. It just means I can get these scans coming in, which I'd prefer did not happen.
I wonder how many people actually use NetBIOS over the Internet and what the negative impact would be if all ISPs blocked it? The positive impact would be to kill these scans instantly.
snowy
November 7th, 2002, 02:30 AM
(Sorry for the delayed reply...)
SNAPDRAGIN
So very, very nice to see you again... and I will be looking forward to sharing many future posts.
LowWaterMark
Once again I am in full agreement with you... I would never use any form of file sharing... since I have a new IP I've no idea if they are blocking NetBIOS... no matter... I have it blocked... since day one of turning this computer on! Surely these scans must be flooding the pipes of ISPs... it would be in their best interest to block the ports.
This issue really has me thinking... it's not a new issue... and therein lies the real issue... IMO.
At the moment I am at a loss to comment further... I very much appreciate the topic...
snowman
CrazyM
November 7th, 2002, 11:48 AM
Well, initially I was seeing around 200 log entries a day.
Then 300+, and as it approached 400 I got tired of all that crap in the logs.
The solution was to create a rule to block inbound UDP 137, No Logging, and place it at the top of my rule set. Voilà... now my firewall is not constantly writing to the logs.
With NIS I can see how many times that rule is matched (even though there is no log entry) and it is over 500 per day now :o
Regards
CrazyM
snowy
November 7th, 2002, 12:53 PM
Still... no scans for the past 24 hours...
Last night I noticed that DCOM SERVICES (printer) listens on ports 135, 1028 TCP... in fact it can't be blocked... will piggyback outbound on another program... so perhaps those with a rule-based firewall could use this to their advantage... by assigning the above ports to the ports of their choice... with NetBIOS disabled.
Perhaps the more knowledgeable here can comment on this. If this is possible... and secure... in the future it could be used on other scans.
snowman
Krusty
November 7th, 2002, 01:11 PM
Isn't it possible to make UDP 137 appear for everyone who knows the password? That would of course cause a pop-up on the intruder's screen, and if it was a trojan causing that......
Just thinking... you are wiser than me :P
- Ari
snowy
November 7th, 2002, 01:28 PM
Krusty
Just a thought... for a pop-up to appear on another person's machine... would mean that a connection from machine to machine would have to be made, however briefly... hmmmmmm... maybe that's not so good...
snowman
Krusty
November 7th, 2002, 01:30 PM
Snow
If the password is not easy, hhhmmm... and most of the attacks are just trojan ones; as I said, it was only a thought.
snowy
November 7th, 2002, 01:48 PM
Krusty
Please don't misunderstand... it was caution on my part when commenting... a lot can happen once a machine-to-machine connection has been established... that a password would not prevent...
snowman
Krusty
November 7th, 2002, 01:50 PM
Snow
Sure, I know the risk, OK......
-Ari
Krusty
November 10th, 2002, 06:56 PM
UDP 137 probes seem to have stopped today, 11.11.2002, for now....
-Ari
LowWaterMark
November 10th, 2002, 08:19 PM
Hi Krusty,
Maybe you got lucky and your ISP started blocking the NetBIOS ports at their routers. I wish mine would do that. ;D
Best Wishes,
LowWaterMark
museheart
January 26th, 2003, 05:55 PM
{QUOTE-> quoting: Jooske link=board=19;threadid=4011;start=0#28068 date=1035096902]
Hi Bethrezen,
I've been in such port 0 attacks as well, which I think was people all together playing some game, as my log showed all were IPs from universities on one occasion, from all over the world. Disconnecting and waiting some quarter of an hour before connecting again helped me out that time.
For the 137 port knocking my ISP suggested to keep on warning all knockers' ISPs, as the people are probably infected, and with our warnings we can help to get the internet cleaned out little by little. But I must admit I only warn if I see the same people really frequently on such a port.
Too many people need that port for file and printer sharing over the internet, so my ISP is not going to filter it out.
I wish they gave some button or option on their site where customers can enable/disable it at their own wish...
They only come through when I don't use that TCP Port Listen function. Of course you can put it on whatever port you like for the moment. So a year ago we let port 80 CodeRed packets come in to look at what they are and see the variants. Once we knew what it was I blocked port 80 in my FW too.
Why don't you try it out: download TDS at www.diamondcs.com.au (look in the DCS > TDS forums here for suggested basic configuration) and try that port listen function to get your peace. You can try it out for free for several days, and clean your system in the meantime from trojans if there are any, and have lots of other tools at hand. The only risk is that you really love and like the tool and don't want to stop using it, or you would not like it and don't mind it stopping after those 30 days.
So if you get remarkably many portscans on one certain port, you could try to quiet it down with that port listen function and, depending on whether you want to see what happens, block that port extra in ZA too.
I opened this poll of course hoping to see more solutions, as too many people get DDoSed with them...
<-QUOTE}
How does one block ports if you are not running Zone Alarm? I have Sygate Personal Firewall, but if there is a way, I haven't figured it out. I also have a router; haven't figured that out either, except to block myself. lol
Hey, I'm a writer, sorry.
How do you get Karma around here?
Peace,
Pieter_Arntz
January 27th, 2003, 02:43 AM
Hi museheart,
About blocking ports with Sygate PF: check out this site: http://bellsouthpwp.net/i/k/ikpe/SygateBasicsPt2.html especially under Advanced Rules.
About the karma: you need 50 posts to be able to give and receive karma. To increase someone's positive karma you click applaud.
And for those two that don't know ;) the other button is called smite and not smile ;D
Regards,
Pieter
museheart
January 27th, 2003, 09:19 PM
Dear Pieter,
Thank you!!!
I am ever so grateful!
Peace,