blocked intrusion attempts

Discussion in 'other firewalls' started by iceni60, Jan 14, 2005.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi, it looks like everything that my FW has blocked since i reinstalled XP (2 Jan) has come from different addresses on my ISP. what does that mean? thanks
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Well, the answer is... that it depends. ;)

    In order to tell you much of anything specific we would need to see samples from the log. (If you post log extracts, simply block your own IP address, but leave everything else - src & dst ports, flags, etc.) But, in general there are a couple things that can be said. First that it is common for worms to probe IP addresses in the same network ranges as the machines they infect, and second that some ISPs block a few common worm ports at their outer network borders so that the only packets you are likely to see on some ports have to come from within your ISP's network.
     
  3. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    here's some which are fairly recent...
     

    Attached Files:

  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    In my experience that is pretty typical blocked traffic.

    Quite a while back now when one of the big new worms came out and people were getting hundreds or thousands of attempts per hour from it, (when previously that was the number of blocked packets they'd usually see in a month), and they wanted to stop getting alerts or logging them but still see the other traffic in their logs, we advised them to block without logging the activity on those ports.

    This thread showed one way to do it for ZoneAlarm users:

    https://www.wilderssecurity.com/showthread.php?t=12936

    But in any case, the blocked packets you are seeing are normal. There is nothing on your machine causing those, they are just a normal part of being on the Internet now. ISPs blocking incoming TCP port 135 at their borders (which my ISP is doing) is one reason why I would only see source addresses from systems on my ISP's network if I was still logging them. Your ISP may be doing the same. Just ignore it. Your firewall is blocking it and there's nothing you can do to stop the packets from coming at your IP address.
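
One way to check a firewall log for the pattern described in the post above, as an added example that is not part of the original thread: it groups blocked packets by destination port and reports the ports where every source address falls inside the ISP's own range. The log line format, the sample lines, and the ISP range `198.51.100.0/24` are all constructed assumptions; the local address is masked as `x.x.x.x`, as suggested earlier in the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in a hypothetical log format (not the thread's attachment):
# date time action proto src:port -> dst:port flags
SAMPLE_LOG = """\
2005-01-14 10:02:11 BLOCK TCP 198.51.100.23:3312 -> x.x.x.x:135 SYN
2005-01-14 10:05:47 BLOCK TCP 198.51.100.77:4120 -> x.x.x.x:135 SYN
2005-01-14 10:09:02 BLOCK TCP 198.51.100.140:1893 -> x.x.x.x:135 SYN
2005-01-14 10:11:30 BLOCK TCP 203.0.113.9:2201 -> x.x.x.x:445 SYN
2005-01-14 10:12:15 BLOCK TCP 198.51.100.23:3313 -> x.x.x.x:445 SYN
2005-01-14 10:20:44 BLOCK UDP 192.0.2.50:31337 -> x.x.x.x:1026 -
this line is malformed and is skipped
"""

# Assumption: the address range(s) belonging to your ISP.
ISP_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def parse(line):
    """Return (proto, source address, destination port), or None if the line does not match."""
    parts = line.split()
    if len(parts) != 8 or parts[2] != "BLOCK" or parts[5] != "->":
        return None
    src_ip = parts[4].rpartition(":")[0]
    dst_port = parts[6].rpartition(":")[2]
    try:
        return parts[3], ipaddress.ip_address(src_ip), int(dst_port)
    except ValueError:
        return None

def summarize(log_text, isp_nets):
    """Count blocked packets per (proto, dst port), split by source inside/outside the ISP."""
    stats = defaultdict(lambda: {"inside": 0, "outside": 0})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        proto, src, dport = rec
        side = "inside" if any(src in net for net in isp_nets) else "outside"
        stats[(proto, dport)][side] += 1
    return dict(stats)

def isp_only_ports(stats, min_hits=3):
    """Ports probed only from inside the ISP: consistent with border filtering or local worm scanning."""
    return sorted(k for k, v in stats.items() if v["outside"] == 0 and v["inside"] >= min_hits)

if __name__ == "__main__":
    print(isp_only_ports(summarize(SAMPLE_LOG, ISP_NETS)))
```

A port listed by `isp_only_ports` is a candidate for the block-without-logging rule mentioned in the thread; ports that also see outside sources are not filtered at the ISP border.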
     
  5. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks, LWM :) i'll go and have a look at that thread. i just downloaded a log viewer to use too, i'll configure it now. thanks for the help :cool:
     