Firewall getting hammered by Chinese

Hi folks, I wonder if anyone can tell me what's up with this? I used to use just Windows Firewall but I have been trying out more lately. After installing McAfee Plus 7.5 on my brothers' computer I noticed that a certain IP was being blocked over and over. It was traced back to China.
I recently tried Outpost Pro on my computer and I kept getting requests from the same IP. I now installed the new ZoneAlarm Free (probably for good... but who knows?) Still getting hammered but at least I know it is blocked and I don't get bothered by constant popups.
My question - who is doing this and why? Just wondering.
Thanks.

[Notok]

I'd be willing to bet it's a worm infected machine somewhere.. worms are far more prevalant than live attacks these days.

[Paranoid2000]

There are numerous possibilites:

• a spammer using a Chinese ISP trying to bombard you with Windows Messenger adverts;
• someone is using a Chinese ISP to scan for open ports;
• the connection attempts are due to a P2P client having been run from your IP address (though you would normally see lots of connections from different addresses).

If you provided more details about the traffic blocked (port numbers specifically), it would be possible, in many cases, to identify the reason (e.g. Windows Messenger popups tend to be port 135/TCP or 1025-1026/UDP). However what is important is that the traffic is blocked.

You did mention trialling Outpost with an implication that this traffic was causing unwanted prompts. This can, as with other firewalls, be stopped by simply having proper rules set up to block unwanted traffic - the exact details will again depend on the traffic in question but there are quite comprehensive guidelines on producing a secure configuration at the Outpost forum.

Thanks for the info!

[AvianFlux]

What do you mean by hammered? I receive messenger spam traffic constantly, once every few minutes. I have messenger service disabled and Window ICF drops the packet.

My question is, if the messenger service were enabled would Windows ICF - configured to disallow all services - still drop the packets? I think it would.

[CrazyM]

Quote:

Originally Posted by AvianFlux

My question is, if the messenger service were enabled would Windows ICF - configured to disallow all services - still drop the packets? I think it would.

As long as you do not put in an exception exposing it to the Internet it would.

Regards,

CrazyM

Quote:

What do you mean by hammered? I receive messenger spam traffic constantly, once every few minutes. I have messenger service disabled and Window ICF drops the packet.

I have had 120+ blocked intrusions since installing ZoneAlarm. I have only used dial-up and been connected for about 2 hours since installing ZA. I have tried various firewalls before and am used to getting the odd port scan but I an getting repeated hits from the same IP range. I too have Windows Messenger service disabled.

What happened?



--------------------------------------------------------------------------------
ZoneAlarm blocked traffic to port 1026 on your machine from port 43683 on a remote computer whose IP address is 222.136.251.118. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.

inetnum: 222.136.0.0 - 222.143.255.255
netname: CNCGROUP-HA
descr: CNCGROUP Henan province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
admin-c: CH455-AP
tech-c: LZ33-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HA
mnt-routes: MAINT-CNCGROUP-HA
changed: hm-changed@apnic.net 20031209
status: ALLOCATED PORTABLE
source: APNIC

role: CNCGroup Hostmaster
e-mail: abuse@cnc-noc.net
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
nic-hdl: CH455-AP
phone: +86-10-82993155
fax-no: +86-10-82993102
country: CN
admin-c: CH444-AP
tech-c: CH444-AP
changed: abuse@cnc-noc.net 20041119
mnt-by: MAINT-CNCGROUP
source: APNIC

person: Liping Zhong
address: Henan Multimedia Information Bureau
address: 70, Nong Ye Road
address: ZhengZhou, Henan 450002
address: CN
country: CN
phone: +86-371-3962276
fax-no: +86-371-3962068
e-mail: antispam@public.zz.ha.cn
nic-hdl: LZ33-AP
mnt-by: MAINT-NULL
changed: zhail@email.online.ha.cn 20001124
source: APNIC

[Kye-U]

I've set up my IPCop to block most of China/Korea IPs. But still, some get through. Here are the some.

From 61.129.115.99 - 8 packets to udp(1026,1027)
From 61.132.74.85 - 6 packets to udp(1026,1027)
From 61.138.137.9 - 30 packets to udp(1026,1027)
From 61.152.158.105 - 2 packets to udp(1026,1027)
From 61.152.158.109 - 54 packets to udp(1026,1027)
From 61.152.158.123 - 13 packets to udp(1026,1027)
From 61.152.158.124 - 1 packet to udp(1027)
From 61.152.158.151 - 2 packets to udp(1026)
From 61.152.158.152 - 9 packets to udp(1026,1027)
From 61.152.158.157 - 84 packets to udp(1026,1027,1028,1029)
From 61.152.160.63 - 11 packets to udp(1026,1027)
From 61.233.40.85 - 11 packets to udp(1026,1027)
From 61.233.40.215 - 2 packets to udp(1026)
From 61.235.154.106 - 4 packets to udp(1026,1027)
From 61.235.154.112 - 1 packet to udp(1027)
From 194.43.187.100 - 1 packet to udp(1026)
From 194.166.248.18 - 1 packet to udp(1026)
From 194.217.77.186 - 1 packet to udp(1027)
From 195.28.218.52 - 1 packet to udp(1027)
From 205.13.235.5 - 1 packet to udp(1027)
From 205.22.11.2 - 1 packet to udp(1027)
From 205.33.2.30 - 1 packet to udp(1027)
From 205.40.220.173 - 1 packet to udp(1027)
From 205.46.125.143 - 1 packet to udp(1027)
From 205.51.220.60 - 1 packet to udp(1026)
From 205.92.180.244 - 1 packet to udp(1027)
From 205.94.115.198 - 1 packet to udp(1026)
From 205.122.65.19 - 1 packet to udp(1027)
From 205.125.252.116 - 1 packet to udp(1026)
From 205.146.219.232 - 1 packet to udp(1026)
From 205.156.215.180 - 1 packet to udp(1027)
From 205.181.68.1 - 1 packet to udp(1026)
From 205.188.92.122 - 1 packet to udp(1026)
From 205.190.53.87 - 1 packet to udp(1026)
From 205.196.212.26 - 1 packet to tcp(1024)
From 205.199.157.119 - 1 packet to udp(1026)
From 205.228.121.192 - 1 packet to udp(1026)
From 206.38.94.61 - 1 packet to udp(1027)

[CrazyM]

Quote:

Originally Posted by Ailric

I have had 120+ blocked intrusions since installing ZoneAlarm. I have only used dial-up and been connected for about 2 hours since installing ZA. I have tried various firewalls before and am used to getting the odd port scan but I an getting repeated hits from the same IP range. I too have Windows Messenger service disabled.

What happened?

This is quite normal. My logs will vary from 800+ to 1000+ unsolicited inbound packets per day. In addition to infected systems being a potential source of these unsolicited packets, there is also quite a bit of messenger spam going around these days.

One site you can check for trends, port info, etc. is Internet Storm Center.

Regards,

CrazyM

[Kerodo]

Quote:

Originally Posted by Kye-U

I've set up my IPCop to block most of China/Korea IPs. But still, some get through. Here are the some.

From 61.129.115.99 - 8 packets to udp(1026,1027)
From 61.132.74.85 - 6 packets to udp(1026,1027)
From 61.138.137.9 - 30 packets to udp(1026,1027)
From 61.152.158.105 - 2 packets to udp(1026,1027)
From 61.152.158.109 - 54 packets to udp(1026,1027)
From 61.152.158.123 - 13 packets to udp(1026,1027)
From 61.152.158.124 - 1 packet to udp(1027)
From 61.152.158.151 - 2 packets to udp(1026)
From 61.152.158.152 - 9 packets to udp(1026,1027)
From 61.152.158.157 - 84 packets to udp(1026,1027,1028,1029)
From 61.152.160.63 - 11 packets to udp(1026,1027)
From 61.233.40.85 - 11 packets to udp(1026,1027)
From 61.233.40.215 - 2 packets to udp(1026)
From 61.235.154.106 - 4 packets to udp(1026,1027)
From 61.235.154.112 - 1 packet to udp(1027)
From 194.43.187.100 - 1 packet to udp(1026)
From 194.166.248.18 - 1 packet to udp(1026)
From 194.217.77.186 - 1 packet to udp(1027)
From 195.28.218.52 - 1 packet to udp(1027)
From 205.13.235.5 - 1 packet to udp(1027)
From 205.22.11.2 - 1 packet to udp(1027)
From 205.33.2.30 - 1 packet to udp(1027)
From 205.40.220.173 - 1 packet to udp(1027)
From 205.46.125.143 - 1 packet to udp(1027)
From 205.51.220.60 - 1 packet to udp(1026)
From 205.92.180.244 - 1 packet to udp(1027)
From 205.94.115.198 - 1 packet to udp(1026)
From 205.122.65.19 - 1 packet to udp(1027)
From 205.125.252.116 - 1 packet to udp(1026)
From 205.146.219.232 - 1 packet to udp(1026)
From 205.156.215.180 - 1 packet to udp(1027)
From 205.181.68.1 - 1 packet to udp(1026)
From 205.188.92.122 - 1 packet to udp(1026)
From 205.190.53.87 - 1 packet to udp(1026)
From 205.196.212.26 - 1 packet to tcp(1024)
From 205.199.157.119 - 1 packet to udp(1026)
From 205.228.121.192 - 1 packet to udp(1026)
From 206.38.94.61 - 1 packet to udp(1027)

Just messenger spam, as CrazyM mentioned.. Harmless..

[Kye-U]

Quote:

Originally Posted by Kerodo

Just messenger spam, as CrazyM mentioned.. Harmless..

I know, but it's annoying =P

[toploader]

spam spam spam

[Kerodo]

Quote:

Originally Posted by Kye-U

I know, but it's annoying =P

Don't look at it...

**Quote**
Just messenger spam, as CrazyM mentioned.. Harmless..

-----------------------------------------------------

Well, its not just a messenger spam, I recognised some of the IP's, they are email spammers... Maybe you have an smtp server enabled if your using XP or Win Server 2003. You better check, if its enabled, you better disable it.. They might trying to use it to relay unsolicited emails.....

Since i got a new ip i have the large numbers of portscans from these Chinese.
Port UDP1027 and UDP1026
How to get rid of them?
I have scanned the pc with Antivir and A2- no virus.

[CrazyM]

Quote:

Originally Posted by Go Away China Girl

Since i got a new ip i have the large numbers of portscans from these Chinese.
Port UDP1027 and UDP1026

As noted above it quite normal to see alot of these types of scans in your firewall logs and nothing to worry about.

Quote:

How to get rid of them?

You can't stop the scans, but depending on your firewall you may be able to do something about the log entries if you do not want them. If you are using a rule based firewall, create a rule to block unsolicited inbound UDP to those ports with no logging. You could block entire subnets with no logging, just be sure they do not contain IP's you may use.

Regards,

CrazyM

Thank you for your quick reply Crazy M.
Can i make such a rule with outpost (free)?
Would it be sufficient to change the rule for the browser?
Thanks for your help.

[CrazyM]

Quote:

Originally Posted by Go Away China Girl

Can i make such a rule with outpost (free)?

You should be able to create such a block rule manually, but I have not looked at/used that version. You would only do so if you did not want these blocked packets showing up in your logs. You may see alot of them, but your fiewall is just doing what it is supposed to.

Quote:

Would it be sufficient to change the rule for the browser?

If these are blocked unsolicited inbound UDP packets it would have nothing to do with your browser rule(s).

Regards,

CrazyM

[q1aqza]

All this just shows hows critical firewalls are !!!

If you don't want to see lots of intrusion attempts then get yourself a router (hardware firewall) and don't bother looking at the logs !! If you then run your software firewall behind it you won't (or shouldn't) see any alerts and you will feel comfortable that nothing is hitting your PC

[Itsme]

Quote:

Originally Posted by q1aqza

All this just shows hows critical firewalls are !!!

If you don't want to see lots of intrusion attempts then get yourself a router (hardware firewall) and don't bother looking at the logs !! If you then run your software firewall behind it you won't (or shouldn't) see any alerts and you will feel comfortable that nothing is hitting your PC

Exactly what I wanted to mention too. My sisters and brothers wanted ADSL connection and me to manage their systems. I simply stated... there cannot be always on connection without NAT router and me managing the whole thing. I also need my peace of mind.

Ciao
Itsme

Hi Itsme and q1aqza,

Can you recommend one?

[Itsme]

Quote:

Originally Posted by Go Away China Girl

Hi Itsme and q1aqza,

Can you recommend one?

Let's have some more fun, why not start a new thread titled.... Best NAT (wifi?) / Adsl router.... and let's see what comes up as most popular.

Ciao
Itsme

[q1aqza]

Since having Broadband I have only ever used one type of Wireless ADSL modem/router and it is made by Netgear. I found it dead easy to set up and it has been totally reliable. So I can recommend Netgear based on my experience of it but I can't compare it to other brands.

[oldBear]

Quote:

Originally Posted by q1aqza

All this just shows hows critical firewalls are !!!

Is this the case if you've turned off unnecessary services and aren't running anything that would handle the requests?

What is the attempted access going to do? How will it gain access to your system?

Just curious. As you can guess, I'm not a security expert.

cheers

Whoops - no firewall, but I am behind a wireless router - nevermind

Thanks for you help!
I will check this out if it would be something for me.
My firewall warned me that someone wanted to connect to Outlook.
That sounds nasty.


inetnum: 221.216.0.0 - 221.223.255.255
netname: CNCGROUP-BJ
descr: CNCGROUP Beijing province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
admin-c: CH455-AP
tech-c: SY21-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-BJ
changed: hm-changed@apnic.net 20031119
status: ALLOCATED PORTABLE
source: APNIC

role: CNCGroup Hostmaster
e-mail: abuse@cnc-noc.net
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
nic-hdl: CH455-AP
phone: +86-10-82993155
fax-no: +86-10-82993102
country: CN
admin-c: CH444-AP
tech-c: CH444-AP
changed: abuse@cnc-noc.net 20041119
mnt-by: MAINT-CNCGROUP
source: APNIC

person: sun ying
address: Beijing Telecommunication Administration
address: TaiPingHu DongLi 18, Xicheng District
address: Beijing 100031
country: CN
phone: +86-10-66198941
fax-no: +86-10-68511003
e-mail: suny@publicf.bta.net.cn
nic-hdl: SY21-AP
mnt-by: MAINT-CHINANET-BJ
changed: suny@publicf.bta.net.cn 19980824
source: APNIC