Constant connection requests!!!!

Discussion in 'other firewalls' started by Dark5tar, Sep 6, 2003.

Thread Status:
Not open for further replies.
  1. Dark5tar

    Dark5tar Guest

    Well, I'm using Outpost Firewall 2 Pro, and I've got 3500+ connection requests from different 67.*.*.* IPs. How do I stop this o_O!
     
  2. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    How about some logs?

    When dealing with internet connections there is always someone/something scanning for open services, people who use dynamic connections will see the leftover packets hit their firewall from previous connections, and just people who pointed to the wrong address.

    Currently with the RPC worms there are constant attempts for inbound ICMP type 8, and TCP/UDP 135. The more common probes are the NetBIOS ports of 137-139, recently ports 1026-1027, and various other ports.

    So just calm down, somebody is not out to get you personally, it's something that comes with the internet.
     
  3. Dark5tar

    Dark5tar Guest

    Here's a log:
    9:01:18 PM   67.4.17.216   ICMP (2048)
    9:01:06 PM   67.0.114.163   ICMP (2048)
    9:01:05 PM   67.0.218.146   ICMP (2048)
    9:00:51 PM   67.1.1.143   TCP (135)
    9:00:50 PM   67.3.45.191   ICMP (2048)
    9:00:47 PM   67.2.46.92   ICMP (2048)
    9:00:26 PM   66.255.164.119   ICMP (2048)
    9:00:23 PM   67.2.148.30   ICMP (2048)
    9:00:04 PM   67.1.77.39   ICMP (2048)
    8:59:58 PM   66.255.128.20   ICMP (2048)
    8:59:53 PM   67.0.81.215   ICMP (2048)
    8:59:47 PM   67.4.97.252   ICMP (2048)
    8:59:45 PM   67.0.78.171   ICMP (2048)
    8:59:32 PM   67.2.143.83   ICMP (2048)
    8:59:14 PM   67.2.153.11   TCP (135)
    8:59:02 PM   67.4.97.202   ICMP (2048)
    8:58:45 PM   67.5.56.137   ICMP (2048)
    8:58:43 PM   67.2.170.82   ICMP (2048)
    8:58:35 PM   67.0.101.233   ICMP (2048)
    8:58:33 PM   67.0.109.161   ICMP (2048)
    8:58:27 PM   67.5.115.215   ICMP (2048)
    8:58:22 PM   67.2.45.180   ICMP (2048)
    8:58:07 PM   67.3.197.131   ICMP (2048)
    8:58:05 PM   67.2.149.48   ICMP (2048)
    8:57:57 PM   67.2.127.159   ICMP (2048)
    8:57:53 PM   67.4.224.188   ICMP (2048)
    8:57:48 PM   67.0.50.250   ICMP (2048)
    8:57:43 PM   67.0.213.143   TCP (135)
    8:57:32 PM   67.1.22.35   ICMP (2048)
    8:57:31 PM   67.4.102.8   ICMP (2048)
    8:57:24 PM   67.1.74.55   TCP (135)
    8:57:12 PM   67.3.86.199   ICMP (2048)
    8:57:01 PM   67.2.142.254   ICMP (2048)
    8:57:00 PM   67.2.242.73   ICMP (2048)
    8:56:59 PM   67.0.137.159   ICMP (2048)
    8:56:53 PM   67.2.142.141   ICMP (2048)
    8:56:48 PM   67.1.184.1   ICMP (2048)
    8:56:33 PM   67.2.93.214   ICMP (2048)
    8:56:24 PM   67.3.187.175   ICMP (2048)
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    I'll say this straight up, the logs in Outpost suck, and there is no ICMP (2048)....

    This is part of the Welchia worm; it pings (ICMP 8, echo request) you first, and if you answer the ping by sending ICMP 0 echo reply it will then see if it can connect to your system on port 135. However, earlier versions of the worm only sent packets to your port 135. Even if you allowed the pings they won't hurt you, and you're blocking the port 135 probes so you're fine.

    So, you can either ignore the logs, or hopefully through the settings block it without logging it if it's bothering you so much. You would have to make a rule to block inbound ICMP type 8 echo request, and not log the packet. I don't fully remember how to tell you how to do that, but it would likely be part of your system rules.

    Everyone is seeing this right now, you're not special, and the worm does this on the same IP block that the infected computer is on.
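
Added example, not part of the thread or any poster's code: a Python triage of log lines in the layout posted above, decoding the ICMP number and grouping sources to show the pattern described in this reply (a ping, then TCP 135). It assumes the logged ICMP value is 2048 and that it packs type and code as type*256 + code; the function names and the sweep heuristic are illustrative.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Excerpt of the log posted above, with the ICMP value read as 2048 (assumed).
SAMPLE_LOG = """\
9:01:18 PM   67.4.17.216   ICMP (2048)
9:01:06 PM   67.0.114.163   ICMP (2048)
9:00:51 PM   67.1.1.143   TCP (135)
9:00:26 PM   66.255.164.119   ICMP (2048)
8:59:14 PM   67.2.153.11   TCP (135)
8:58:45 PM   67.5.56.137   ICMP (2048)
"""

LINE_RE = re.compile(
    r"^\s*(\d{1,2}:\d{2}:\d{2} [AP]M)\s+(\S+)\s+(ICMP|TCP|UDP) \((\d+)\)\s*$")

def parse(log):
    """Yield (time, source, proto, number); skip lines that do not parse."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            yield m.group(1), ip_address(m.group(2)), m.group(3), int(m.group(4))
        except ValueError:  # source field is not a valid IP address
            continue

def classify(proto, number):
    """Name the probe; ICMP numbers are unpacked as type*256 + code (assumed)."""
    if proto == "ICMP":
        icmp_type, code = divmod(number, 256)
        if (icmp_type, code) == (8, 0):
            return "icmp-echo-request"
        return f"icmp-type{icmp_type}-code{code}"
    return f"{proto.lower()}-{number}"

def summarise(log, prefix_len=16):
    """Count probe kinds and distinct sources, grouped by /prefix_len network."""
    kinds, nets, sources = Counter(), Counter(), set()
    for _, src, proto, number in parse(log):
        kinds[classify(proto, number)] += 1
        nets[str(ip_network(f"{src}/{prefix_len}", strict=False))] += 1
        sources.add(src)
    # Heuristic (illustrative): only pings and TCP 135, one packet per source,
    # is background sweep traffic rather than one host singling this machine out.
    sweep = (bool(kinds) and set(kinds) <= {"icmp-echo-request", "tcp-135"}
             and len(sources) == sum(kinds.values()))
    return {"kinds": dict(kinds), "networks": dict(nets),
            "sources": len(sources), "looks_like_sweep": sweep}
```

Calling `summarise(SAMPLE_LOG)` returns the per-kind counts, the /16 networks seen, and the sweep flag.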
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Wow, what version of Outpost is that?
     
  6. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    One that badly needs an update, that's for sure! :D
     
  7. Phant0m

    Phant0m Registered Member

    LOL
     
  8. BlitzenZeus

    BlitzenZeus Security Expert

    Outpost is one of many known software firewalls with horrible logs, but I was hoping they had actually gotten a clue about it. If they want to be taken seriously from an advanced security standpoint they better have detailed logs.

    OT: I have tried many firewalls, and one of the main things I judge is the logs. In the rare event I report something like a real attack/flood to disable my connection, then I want logs which the abuse desks won't just read the first line of, realizing that they are useless, since they are missing information.
     
  9. Dark5tar

    Dark5tar Guest

    Well, it was kinda weird cuz right when I switched to Outpost I started getting these. I usually use Sygate, but I wanted to test a bunch of firewalls out there. I liked McAfee's interface the best, but I still think Sygate is the best firewall.
     