Protocol ICMP (type:8/subtype:0) Source IP 128.9.168.98 Source DNS pinger-w3.ant.isi.edu
Protocol TCP (flags:S) Source IP 141.212.122.90:39414 To Port 443 HTTPS Source DNS researchscan345.eecs.umich.edu
Protocol TCP (flags:S) Source IP 141.212.121.128:47041 To Port 443 HTTPS Source DNS gianni.eecs.umich.edu
Protocol UDP Source IP 71.6.216.39:17185 Source DNS scanner2.labs.rapid7.com
Protocol ICMP (type:8/subtype:0) Program Source IP 129.82.138.44 Source DNS pinger6.netsec.colostate.edu
Protocol TCP (flags:S) Source IP 94.102.52.27:34680 Source DNS actualtests.com

I seem to get them almost every day, & multiple times too.
Is your question a joke, or are you trying to test us? I don't see any relevance to any software or hardware, so why should I care? ICMP is well explained here: https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol and whois for IPs or domains is here: http://whois.domaintools.com/ Better luck next time.
You don't, really! FW = software & hardware; router = hardware & software. So the fact that those IPs are constantly trying to probe, & some are actually trying to gain access to our comps via, e.g., UDP & Port 443 HTTPS inbounds, doesn't concern you, or anybody else? By the way, some of those IPs use various other port numbers as well to try & get in. That was just a small sample. Do you know who those IPs belong to, & what their purpose for scanning our IPs is? Those organisations are "supposed" to be friendly, & only testing to see if we are safe from attack etc. I know what ICMP is, & I also know how to use whois. I just wondered if others had their FW & routers blocking such attempts, as I do. How do you think plenty of people get hacked every day? Because their FW and/or routers have ports open without them realising! I'm not saying those IPs above are going to hack us. Of course, if on a security forum people don't care to check, & then do all they can to close any/all holes they can, then ...
@CloneRanger You're probably seeing zombies and/or spoofed IPs. Apparent origins of packets from attackers cannot be trusted, because IP doesn't have any means of source validation; that's all higher level stuff. Likewise, many companies and nonprofits have at least a few zombie machines in one office or another. Edit: mind, not a day goes by when my router doesn't block thousands of malicious packets from thousands of spoofed, zombie, or just plain dubious sources. This is the Internet version of acid rain, more or less.
Please don't get that wrong: why do you ask if you know how to determine such addresses or ports and protocols? Indeed, since using a router I don't need any sophisticated firewall for inbound and outbound connections. Not this way. Of course routers are not 100% secure, but most people get hacked with unsecure files or with an unsecure browser. The latest Flash update covers a 0-day exploit from Angler EK. That's how people get "hacked". "Unexamined statement" - please do not guess if you don't know. Ports are normally closed in any router if there are no errors by design (firmware), and any router is designed to drop packets to closed connections, like a software firewall. But this exceeds your question and my current time. Get some basics in your spare time. BTW, Windows itself is pretty much secure as long as you don't screw with it and it has no vulnerabilities. At least you can hopefully see that I have done my homework when using a software firewall - decades ago I noticed the same entries in the log file. And decades ago I also used eDonkey P2P, and that filled my logs rapidly when changing IP or when the computer started up. I got an IP from someone before who used eDonkey - simple as that. What I tried to tell you is that you have to provide more than some ports or addresses. I don't know about your hardware or software, your country, your system. Otherwise I can look into my magic glass and tell you that you will be pregnant this year. OK?
My guess from your logs is the EDU domains are either a penetration testing course doing a task or a zombie computer. My bet is on a penetration course. The rapid7 one is nothing to be worried about. It's just HDmoore doing what he does best: a network scan of your router and IP address to search for vulnerabilities.
@ Gullible Jones They are not zombies and/or spoofed IPs, but research www's. @ Brummelchen If you think most routers, especially those supplied by ISPs, don't have open ports/backdoors, then you just need to do a search for the subject, & see that they DO! @ amarildojr No I don't, or wish to. @ ComputerSaysNo Yes, you're right, one is from a penetration course, & I know about rapid7 & HDmoore too. * I was just wondering if others see these scans, & as often. Here's another I keep getting, with some info about the damage etc. it caused!

Description Packet sent from 93.189.25.174 (TCP Port 41241) to Port 529 was blocked Protocol TCP (flags:S) Source IP 93.189.25.174:41241 Source DNS scan.sba-research.org

https://www.sba-research.org
http://www.blog.gmane.org/gmane.mail.imap.uw.c-client/month=20150
Too bad you don't use Linux. Look at my signature; that firewall configuration is enough to stop a good amount of network attacks.
@ amarildojr Hi, I'm not against Linux at all. I just have lots of non-security programs that I use that won't run on it! Anyway, my FW does block ALL those scans & everything else. * More "research" scans.

Description Packet sent from 128.232.18.57 (TCP Port 41590) to Port 80 (HTTP) Protocol TCP (flags:S) Source IP 128.232.18.57:41590 Direction Incoming Action Taken Blocked Source DNS ephemer2.sec.cl.cam.ac.uk
Description Packet sent from 128.232.110.28 (TCP Port 41592) to Port 80 (HTTP) Protocol TCP (flags:S) Source IP 128.232.110.28:41592 Direction Incoming Action Taken Blocked Source DNS tor-limits-scanning.cl.cam.ac.uk
Description Packet sent from 64.74.133.89 (UDP Port 32857) to (UDP Port 33450) Protocol UDP Source IP 64.74.133.89:32857 Direction Incoming Action Taken Blocked Source DNS performance-measurement-174-1.sje.pnap.net
Description Packet sent from 130.88.99.217 (DNS) to (UDP Port 11980) Protocol UDP Source IP 130.88.99.217:53 Direction Incoming Action Taken Blocked Source DNS aruba-ctlr1-nat.its.manchester.ac.uk
Description Packet sent from 61.240.144.64 (TCP Port 60000) to (POP3) was blocked Protocol TCP (flags:S) Source IP 61.240.144.64:60000 Direction Incoming Action Taken Blocked Source DNS s1.securityresearch.360.cn
If you don't have a router, what stops this stuff? I just have a laptop and a mobile broadband connection that changes IP every time I connect, but I don't think I've got any malware in the last 5-10 years (or at least I have never found any with any AV or anti-malware program).
@ Snoop3 My FW blocks them, plus I have closed the few open ports that XP had open with nice apps, which is a lot harder or impossible to do on later OSs! Most ISP routers have multiple open ports! Others have open "bugs".
Open ports aren't a bad thing. The real question is whether there's a service listening on that port.
@ Fox Mulder True, but I think that closed is better. * More "security scans"!

Description Packet sent from 169.229.3.90 (TCP Port 42088) to (HTTP) was blocked Protocol TCP (flags:S) Source IP 169.229.3.90:42088 Direction Incoming Action Taken Blocked Source DNS researchscan0.EECS.Berkeley.EDU
Description Packet sent from 66.151.226.209 (UDP Port 36439) to (UDP Port 33442) was blocked Protocol UDP Source IP 66.151.226.209:36439 Direction Incoming Action Taken Blocked Source DNS performance-measurement-209-1.bsn.pnap.net
Description Packet sent from 134.147.203.115 (UDP Port 28220) to (UDP Port 161) was blocked Protocol UDP Source IP 134.147.203.115:28220 Direction Incoming Action Taken Blocked Source DNS scanresearch1.syssec.ruhr-uni-bochum.de
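As an added example (not code from this thread or from any firewall product mentioned in it), here is a small Python triage script for the log format pasted above: it splits the run-together entries, pulls out source address, protocol, destination port and reverse DNS, and buckets sources whose hostnames carry the research/measurement markers seen in this thread. The sample log is constructed from the quoted shape, and the 203.0.113.7 / host-7.example.net entry is invented so that one source falls outside the research bucket.

```python
import re
from collections import Counter
# Constructed sample in the shape of the firewall log pasted in this thread (entries run
# together on one line); the last entry is invented with a documentation address.
SAMPLE_LOG = (
    "Description Packet sent from 169.229.3.90 (TCP Port 42088) to (HTTP) was blocked "
    "Protocol TCP (flags:S) Source IP 169.229.3.90:42088 Action Taken Blocked Source DNS researchscan0.EECS.Berkeley.EDU "
    "Description Packet sent from 134.147.203.115 (UDP Port 28220) to (UDP Port 161) was blocked "
    "Protocol UDP Source IP 134.147.203.115:28220 Action Taken Blocked Source DNS scanresearch1.syssec.ruhr-uni-bochum.de "
    "Description Packet sent from 203.0.113.7 (TCP Port 50000) to Port 3389 was blocked "
    "Protocol TCP (flags:S) Source IP 203.0.113.7:50000 Action Taken Blocked Source DNS host-7.example.net"
)
SERVICE_PORTS = {"HTTP": 80, "HTTPS": 443, "POP3": 110, "DNS": 53}
RESEARCH_HINTS = ("research", "scan", "pinger", "measurement")  # hostname markers seen in the thread
FIELDS = {
    "src_ip": re.compile(r"Source IP (\d+\.\d+\.\d+\.\d+)"),
    "src_port": re.compile(r"Source IP [\d.]+:(\d+)"),
    "proto": re.compile(r"Protocol (ICMP|TCP|UDP)"),
    "action": re.compile(r"Action Taken (\w+)"),
    "src_dns": re.compile(r"Source DNS (\S+)"),
}
# The destination is written three ways: 'to Port 529', 'to (HTTP)', 'to (UDP Port 33450)'.
DEST_RE = re.compile(r"\bto (?:Port (\d+)|\((?:UDP |TCP )?(?:Port )?(\w+)\))")

def dest_port(entry):
    """Numeric destination port, resolving service names through SERVICE_PORTS."""
    m = DEST_RE.search(entry)
    if not m:
        return None
    token = m.group(1) or m.group(2)
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token.upper())

def parse_log(text):
    """Split the run-together log on 'Description' and return one dict per entry."""
    entries = []
    for chunk in filter(str.strip, re.split(r"(?=Description )", text)):
        rec = {}
        for key, regex in FIELDS.items():
            m = regex.search(chunk)
            rec[key] = m.group(1) if m else None
        rec["dst_port"] = dest_port(chunk)
        host = (rec["src_dns"] or "").lower()
        rec["research_like"] = any(hint in host for hint in RESEARCH_HINTS)
        entries.append(rec)
    return entries

def triage(text):
    """Blocked hits per source host, bucketed as research scanner vs. other."""
    counts = Counter()
    for e in parse_log(text):
        counts[("research" if e["research_like"] else "other", e["src_dns"])] += 1
    return counts
```

The reverse-DNS bucket is only a hint for prioritising what to look at; as the thread itself notes, the source of an unsolicited packet cannot be verified from the packet alone.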
Best is "ICMP unreachable". "Closed" leads to more action if the subject is of interest; "stealth" and "blocked" are stupid answers. See http://www.insanitybit.com/2012/05/30/stealth-ports-or-closed/ A router sends "closed" from NAT (the default action if no client is listening).
@ Brummelchen All that really matters to me, & some others, is not allowing unsolicited entries into our comps. If that's via stealth or closed in our FWs, so what! Anyway, most non-commercial internet users, in the UK at least, have dynamic IPs, as I do. So as soon as we disconnect, any chance of further probing of the IP that was allocated to us at the time has gone. * Here's a bunch that all came in together! It includes one I haven't seen before.

Description Packet sent from 96.47.226.20 (TCP Port 41590) to (HTTP) was blocked Type Firewall Protocol TCP (flags:S) Source IP 96.47.226.20:41590 Action Taken Blocked Source DNS bolobolo1.torservers.net
A new one, along with previous ones, all trying to come in at almost the same time again. I guess the Snowdon one is "supposed" to be some kind of a joke!
Hi, your router is misconfigured; these packets should not reach your PC. ICMP type 8 code 0 inbound is normal in a local area network. Better configure your router.
@ Boblvf Hi, I don't have a router; I have a 3G modem & a software firewall. My FW blocks ALL unrequested inbounds. * The question I asked, right at the start, was: does anyone else see these? So far nobody has said they have seen even one, which I find hard to believe!
"My FW blocks ALL unrequested inbounds." No! The ICMP ping inbound reaches your computer. Bad! It shows your presence. Configure, or buy a router. Your internet provider thinks of you ...