Do you see these?

Discussion in 'other firewalls' started by CloneRanger, Jul 5, 2015.

  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Protocol ICMP (type:8/subtype:0)
    Source IP 128.9.168.98
    Source DNS pinger-w3.ant.isi.edu

    Protocol TCP (flags:S)
    Source IP 141.212.122.90:39414
    To Port 443 HTTPS
    Source DNS researchscan345.eecs.umich.edu

    Protocol TCP (flags:S)
    Source IP 141.212.121.128:47041
    To Port 443 HTTPS
    Source DNS gianni.eecs.umich.edu

    Protocol UDP
    Source IP 71.6.216.39:17185
    Source DNS scanner2.labs.rapid7.com

    Protocol ICMP (type:8/subtype:0)
    Program
    Source IP 129.82.138.44
    Source DNS pinger6.netsec.colostate.edu

    Protocol TCP (flags:S)
    Source IP 94.102.52.27:34680
    Source DNS actualtests.com

    I seem to get them almost every day, & multiple times too.
     
  2. CloneRanger

In case you don't know, I'm talking about what's in your FW logs.
     
  3. CloneRanger

Funny, nobody is interested in whether their FW is blocking such probes or not!
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
  5. CloneRanger

You don't, really! FW = software & hardware; router = hardware & software.

    So the fact that those IPs are constantly trying to probe, & some actually trying to gain access to our comps via, e.g., UDP & port 443 HTTPS inbounds, doesn't concern you, or anybody else? By the way, some of those IPs use various other port numbers as well to try & get in. That was just a small sample.

    Do you know who those IPs belong to, & what their purpose for scanning our IPs is? Those organisations are "supposed" to be friendly, & only testing to see if we are safe from attack etc.

    I know what ICMP is, & I also know how to use whois.

    I just wondered if others had their FW & routers blocking such attempts, as I do. How do you think plenty of people get hacked every day? Because their FW and/or routers have ports open without them realising! I'm not saying those IPs above are going to hack us.

    Of course, if on a security forum people don't care to check, & then do all they can to close any/all holes they can, then .............
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @CloneRanger

    You're probably seeing zombies and/or spoofed IPs. Apparent origins of packets from attackers cannot be trusted, because IP doesn't have any means of source validation; that's all higher level stuff. Likewise, many companies and nonprofits have at least a few zombie machines in one office or another.

    Edit: mind, not a day goes by when my router doesn't block thousands of malicious packets from thousands of spoofed, zombie, or just plain dubious sources. This is the Internet version of acid rain, more or less.
     
  7. haakon

    haakon Registered Member

    Joined:
    May 25, 2015
    Posts:
    761
    Location:
    SW USA
    An excellent analogy. :thumb:

And more like packets in the tens of thousands. An hour.
     
  8. Brummelchen

Please don't get that wrong: why do you ask if you know how to determine such addresses or ports and protocols?

    Indeed, since using a router I don't need any sophisticated firewall for inbound and outbound connections.

    Not this way. Of course routers are not 100% secure, but most people get hacked with insecure files or with an insecure browser. The latest Flash update covers a 0day exploit from Angler EK. That's how people get "hacked".
    Unexamined statement: please do not guess if you don't know.
    Ports are normally closed in any router if there are no errors by design (firmware), and any router is designed to drop packets to closed connections, like a software firewall. But this exceeds your question and my current time. Get some basics in your spare time.

    BTW, Windows itself is pretty much secure as long as you don't screw with it and it has no vulnerabilities.

    At least you hopefully can see that I have done my homework when using a software firewall: decades ago I noticed the same entries in the logfile. And decades ago I also used eDonkey P2P, and that filled my logs rapidly when changing IP or when the computer started up. I had got an IP from someone who used eDonkey before me, simple as that.

    What I tried to tell you is that you have to provide more than some ports or addresses. I don't know about your hardware or software, your country, your system. Otherwise I can look into my magic glass and tell you you would be pregnant this year. OK?
     
  9. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,985
    Location:
    Brasil
    Do you use Linux?
     
  10. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    My guess from your logs is the EDU domains are either a penetration testing course doing a task or a zombie computer. My bet is on a penetration course.

The Rapid7 one is nothing to be worried about. It's just HD Moore doing what he does best: a network scan of your router and IP address to search for vulnerabilities.
     
  11. CloneRanger

    @ Gullible Jones

    They are not zombies and/or spoofed IPs, but research www's

    @ Brummelchen

If you think most routers, especially those supplied by ISPs, don't have open ports/backdoors, then you just need to do a search for the subject, & see that they DO!

    @ amarildojr

No I don't, nor wish to.

    @ ComputerSaysNo

Yes you're right, one is from a penetration course, & I know about Rapid7 & HD Moore too.

    *

I was just wondering if others see these scans, & as often. Here's another I keep getting, with some info about the damage etc. it caused!

Description Packet sent from 93.189.25.174 (TCP Port 41241) to Port 5298) was blocked
    Protocol TCP (flags:S)
    Source IP 93.189.25.174:41241
    Source DNS scan.sba-research.org

    https://www.sba-research.org

    http://www.blog.gmane.org/gmane.mail.imap.uw.c-client/month=20150
     
  12. amarildojr

Too bad you don't use Linux. Look at my signature; that firewall configuration is enough to stop a good amount of network attacks.
     
  13. CloneRanger

    @ amarildojr

Hi, I'm not against Linux at all. I just have lots of non-security programs that I use that won't run on it! Anyway, my FW does block ALL those scans & everything else.

    *

    More "research" scans.

    Description Packet sent from 128.232.18.57 (TCP Port 41590) to Port 80 (HTTP)
    Protocol TCP (flags:S)
    Source IP 128.232.18.57:41590
    Direction Incoming
    Action Taken Blocked
    Source DNS ephemer2.sec.cl.cam.ac.uk

    Description Packet sent from 128.232.110.28 (TCP Port 41592) to Port 80 (HTTP)
    Protocol TCP (flags:S)
    Source IP 128.232.110.28:41592
    Direction Incoming
    Action Taken Blocked
    Source DNS tor-limits-scanning.cl.cam.ac.uk

    Description Packet sent from 64.74.133.89 (UDP Port 32857) to (UDP Port 33450)
    Protocol UDP
    Source IP 64.74.133.89:32857
    Direction Incoming
    Action Taken Blocked
    Source DNS performance-measurement-174-1.sje.pnap.net

    Description Packet sent from 130.88.99.217 (DNS) to (UDP Port 11980)
    Protocol UDP
    Source IP 130.88.99.217:53
    Direction Incoming
    Action Taken Blocked
    Source DNS aruba-ctlr1-nat.its.manchester.ac.uk

    Description Packet sent from 61.240.144.64 (TCP Port 60000) to (POP3) was blocked
    Protocol TCP (flags:S)
    Source IP 61.240.144.64:60000
    Direction Incoming
    Action Taken Blocked
    Source DNS s1.securityresearch.360.cn
     
    Last edited: Jul 31, 2015
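The log excerpts quoted in this thread can be triaged mechanically. As an added example (not code from any of the posters or from a firewall vendor), here is a small parser for that record format with two of the thread's own points built in as hints: whether the reverse DNS looks like a research scanner, and whether the protocol needs a handshake, which bears on post 6's remark that source addresses can be spoofed. The sample log is constructed from entries posted above; the keyword list and the `.edu`/`.ac.uk` rule are my assumed heuristics, not an authoritative list.

```python
import re
# Constructed sample in the record format of the firewall log excerpts quoted in this thread.
SAMPLE_LOG = """Description Packet sent from 128.232.18.57 (TCP Port 41590) to Port 80 (HTTP)
Protocol TCP (flags:S)
Source IP 128.232.18.57:41590
Source DNS ephemer2.sec.cl.cam.ac.uk

Protocol ICMP (type:8/subtype:0)
Source IP 128.9.168.98
Source DNS pinger-w3.ant.isi.edu
"""
LABELS = ("Description", "Protocol", "Source IP", "Source DNS", "Direction", "Action Taken")
RESEARCH_HINTS = ("scan", "research", "pinger", "measurement")  # assumed heuristic, not a list

def parse_records(text):
    """Split the log on blank lines; key each line of a record on its leading label."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            lab = next((x for x in LABELS if line.startswith(x + " ")), None)
            if lab:
                rec[lab] = line[len(lab) + 1:].strip()
        if rec:
            records.append(rec)
    return records

def dest_port(rec):
    """Numeric destination port from the Description line, or None if it names no port."""
    m = re.search(r"to \(?(?:TCP |UDP )?Port (\d+)", rec.get("Description", ""))
    return int(m.group(1)) if m else None

def summarize(text):
    """Per source DNS: count, protocols, ports, plus two hints. research_like: reverse DNS
    looks like a research scanner (a hint, not proof: the name is set by whoever controls
    that address space). handshake_needed: TCP SYN scans must see the reply, so the source
    is more plausible than UDP/ICMP probes, which can be sent from a spoofed IP."""
    out = {}
    for rec in parse_records(text):
        dns = rec.get("Source DNS", rec.get("Source IP", "?"))
        e = out.setdefault(dns, {"count": 0, "protocols": set(), "ports": set()})
        e["count"] += 1
        e["protocols"].add(rec.get("Protocol", "?").split()[0])
        e["ports"].add(dest_port(rec))
        e["research_like"] = any(h in dns.lower() for h in RESEARCH_HINTS) or dns.lower().endswith((".edu", ".ac.uk"))
        e["handshake_needed"] = "TCP" in e["protocols"]
    return out
```

Feed it a whole log export instead of `SAMPLE_LOG` and sort `summarize()` by count to see which sources recur and which could not have been spoofed usefully.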
  14. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
If you don't have a router, what stops this stuff?

    I just have a laptop and a mobile broadband connection that changes IP every time I connect, but I don't think I have got any malware in the last 5-10 years (or at least have never found any with any AV or anti-malware program).
     
  15. CloneRanger

    @ Snoop3

My FW blocks them, plus I have closed the few open ports that XP had open, with nice apps. Which is a lot harder or impossible to do on later OSes! Most ISP routers have multiple open ports! Others have open "bugs".
     
  16. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    Open ports aren't a bad thing. The real question is whether there's a service listening on that port.
     
  17. CloneRanger

    @ Fox Mulder

True, but I think that closed is better.

    *

    More "security scans" !
    Description Packet sent from 169.229.3.90 (TCP Port 42088) to (HTTP) was blocked
    Protocol TCP (flags:S)
    Source IP 169.229.3.90:42088
    Direction Incoming
    Action Taken Blocked
    Source DNS researchscan0.EECS.Berkeley.EDU

    Description Packet sent from 66.151.226.209 (UDP Port 36439) to (UDP Port 33442) was blocked
    Protocol UDP
    Source IP 66.151.226.209:36439
    Direction Incoming
    Action Taken Blocked
    Source DNS performance-measurement-209-1.bsn.pnap.net

    Description Packet sent from 134.147.203.115 (UDP Port 28220) to (UDP Port 161) was blocked
    Protocol UDP
    Source IP 134.147.203.115:28220
    Direction Incoming
    Action Taken Blocked
    Source DNS scanresearch1.syssec.ruhr-uni-bochum.de
     
  18. Brummelchen

  19. CloneRanger

    @ Brummelchen

All that really matters to me, & some others, is not allowing unsolicited entries into our comps. If that's via stealth or closed in our FWs, so what! Anyway, most non-commercial internet users, in the UK at least, have dynamic IPs, as I do. So as soon as we disconnect, any chance of further probing the IP that was allocated to us at the time has gone.

    *

Here's a bunch that all came in together! It includes one I haven't seen before.

    fw.png

    Description Packet sent from 96.47.226.20 (TCP Port 41590) to (HTTP) was blocked
    Type Firewall
    Protocol TCP (flags:S)
    Source IP 96.47.226.20:41590
    Action Taken Blocked
    Source DNS bolobolo1.torservers.net
     
  20. CloneRanger

    A new one, along with previous ones, all Trying to come in @ almost the same time again :p

    IP.png

    I guess the Snowdon one is "supposed" to be some kind of a joke !
     
  21. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    103
Hi,

    Your router is misconfigured; these packets should not reach your PC. ICMP type 8 code 0 inbound is normal in a local area network; better configure your router.
     
  22. CloneRanger

    @ Boblvf

Hi, I don't have a router; I have a 3G modem & a software firewall. My FW blocks ALL unrequested inbounds.

    *

The question I asked, right at the start, was: does anyone else see these? So far nobody has said they have seen even one, which I find hard to believe!
     
  23. Boblvf

    " My FW blocks ALL unrequested inbounds. "

No! Inbound ICMP ping reaches your computer, bad! It shows its presence.
    Configure, or buy a router.

    Your internet provider is thinking of you ...
     
    Last edited: Aug 18, 2015