ISP constant Probes etc ?

Discussion in 'other firewalls' started by StevieO, Dec 17, 2005.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Guest

    Hi hope someone can enlighten me !

    I can understand Port probes/attacks from wherever for all sorts of reasons, but why should I and other people be subjected to these from our own ISPs ?

    I get constant Probes etc to 135/139/445 but also on other Ports like 1026/1433 etc etc. I know they are from my ISP as I have looked them up many times. These happen almost every minute, and often several times a minute.

    I get 100% stealth from ShieldsUp at grc.com, so I'm not worried. I just don't get it !

    I realise it's possible they might be trying to Ping me to maybe release the IP number if it's no longer being used. I'm on broadband with a dynamic IP.

    Anybody know why this could be, and why they waste their server time and bandwidth ?

    Thanks


    StevieO
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Are you sure those probes are "from your ISP" itself? Are you saying you looked up the IP addresses and they translated to a specific server at your ISP, (such as their mail, dns or other similar server address), and not just from the range of IP addresses owned by the ISP?

    It seems doubtful that those packets would come from dedicated servers owned by an ISP, but more likely that they'd come from infected PCs owned by other customers using your ISP.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,757
    Location:
    Texas
  4. StevieO

    StevieO Guest

  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Could you go into the log file itself and copy some samples to post. Just xxx out the end of your public IP.
    Dec 10 2005 07:22:23.481 PST denied tcp 154.20.84.30(4080) -> 154.20.xxx.xx(1433)
    Dec 10 2005 07:22:26.405 PST denied tcp 154.20.84.30(4080) -> 154.20.xxx.xx(1433)

    These types of scans are quite common, and as LWM alluded to, it is not unusual to see more of them from systems on the same subnet as you are (fellow subscribers to the same ISP).

    Regards,

    CrazyM
     
  6. StevieO

    StevieO Guest

    Hi CrazyM,

    As LowWaterMark and yourself pointed out, it may very well be insecure PCs or script kiddies on the same ISP as myself doing this !

    I've done as you suggested and dug out a few 135/139/445 entries, but removed my ISP's IP numbers and also mine and replaced them with ( ) for reasons I'm sure you will understand !

    12-17-2005 17:43:07.64 - 4540859 Packet DROPPED: Proto: IP_TCP Flags: 0x0000000a Src: ( XXX etc From my ISP's IP ranges ) Dest: ( XXX etc To my IP ) SrcPort: 4442 DstPort: 139
    12-17-2005 17:43:20.80 - 4554023 Packet DROPPED: Proto: IP_TCP Flags: 0x0000000a Src: ( XXX etc From my ISP's IP ranges ) Dest: ( XXX etc To my IP ) SrcPort: 4665 DstPort: 135
    12-17-2005 17:43:21.42 - 4554647 Packet DROPPED: Proto: IP_TCP Flags: 0x0000000a Src: ( XXX etc From my ISP's IP ranges ) Dest: ( XXX etc To my IP ) SrcPort: 4398 DstPort: 445

    I hope that's the info you required and you can make some sense out of those.

    Thanks


    StevieO
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Your initial concern was whether it was your ISP (one of their servers) specifically scanning you. While it is more likely other subscribers on your subnet, we cannot tell this without the source IPs. If the source IPs are random, then these would be normal to see and not something your ISP itself is doing.

    Regards,

    CrazyM
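
    Added example, not part of any post in this thread: one way to answer the "ISP server or fellow subscribers?" question from a firewall log in the `denied tcp src(port) -> dst(port)` format quoted above. The ISP range and the list of known ISP server addresses are assumptions the reader supplies (from a WHOIS lookup and the ISP's published mail/DNS addresses); the sample lines are constructed and use documentation address ranges.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the "denied tcp src(port) -> dst(port)" format quoted
# in the thread; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Dec 10 2005 07:22:23.481 PST denied tcp 198.51.100.30(4080) -> 198.51.100.77(1433)
Dec 10 2005 07:22:26.405 PST denied tcp 198.51.100.30(4080) -> 198.51.100.77(1433)
Dec 10 2005 07:23:02.110 PST denied tcp 198.51.100.141(4442) -> 198.51.100.77(139)
Dec 10 2005 07:23:09.736 PST denied tcp 198.51.100.9(4665) -> 198.51.100.77(135)
Dec 10 2005 07:23:40.020 PST denied tcp 198.51.100.212(4398) -> 198.51.100.77(445)
Dec 10 2005 07:24:15.900 PST denied tcp 203.0.113.5(3921) -> 198.51.100.77(445)
"""

# The destination may be partly masked (xxx), so it is matched but not parsed.
LINE_RE = re.compile(r"denied (?:tcp|udp) (?P<src>[\d.]+)\(\d+\) -> [\w.]+\((?P<dport>\d+)\)")

def summarize(log_text, isp_range, known_servers=()):
    """Group denied packets by source address and label where each source sits."""
    net = ip_network(isp_range)                      # assumption: range from WHOIS
    servers = {ip_address(s) for s in known_servers}  # assumption: ISP mail/DNS hosts
    hits = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other log formats, or a masked source address
        src = ip_address(m["src"])
        hits[src]["count"] += 1
        hits[src]["ports"].add(int(m["dport"]))
    report = {}
    for src, h in hits.items():
        origin = "isp-server" if src in servers else "isp-range" if src in net else "external"
        report[str(src)] = (origin, h["count"], sorted(h["ports"]))
    return report

def sources_by_origin(report):
    """Count distinct source addresses per origin label."""
    counts = defaultdict(int)
    for origin, _, _ in report.values():
        counts[origin] += 1
    return dict(counts)

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG, "198.51.100.0/24", known_servers=["198.51.100.1"])
    for src, row in sorted(rep.items()):
        print(src, *row)
    print(sources_by_origin(rep))
```

    Many distinct `isp-range` sources with one or two hits each match the "other subscribers" explanation given in the thread; hits labelled `isp-server` would be the case worth raising with the ISP.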
     
  8. Arup

    Arup Guest

    Agree here with CrazyM, I get scanned like crazy, ports 135 and 445. I called up my ISP and according to them, it's someone on their subnet. No ISP would risk its reputation by running an infected server or trying to spy on their customers in this blatant way.
     
  9. Brinn

    Brinn Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    181
    Location:
    Canada
    I'm also getting probed like crazy on ports 135-139 and 445 from IPs on the same subnet as me. That's the most common thing I see in my logs. It's pretty annoying.
     
  10. StevieO

    StevieO Guest

    Hi guys,

    After reading your thoughts on the matter, it does seem like it's those other subscribers, knowingly or not, that's the cause of it !

    I didn't think that my ISP was spying etc on me lol, I just wasn't 100% sure why it all happens so frequently.

    Thanks once more for all the input


    StevieO
     
  11. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    My ISP uses Level3's network. I frequently see connection attempts from other Level3 users in my firewall log. So what I did was look up the IP ranges for Level3 dialup users and create a rule in Kerio to block the main IP range that Level3 dialup users are on. It's not really necessary, but it should provide a little extra protection.

    Phil
     