Something I've wanted to know, but have been too afraid to ask...until now

Discussion in 'other firewalls' started by HandsOff, Dec 31, 2003.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I have noticed that my firewall (Norton) includes a visual tracker and can tell you the address and the domain of the dozens of people who attack my little home computer every day.

    I have known for some time that one can report "abuses" to a representative of the domain that includes the address that has launched an attack on you.

    I am pretty sure that there are two unwritten rules:

    1) Do not bother blocking individuals because there are too many to block
    2) Do not compaint the Abuse@blahblahblah because you are only asking for trouble if you do.

    At this point i may as well state that I no longer have enough money to buy the prescriptions that keep me relatively rational.
    Recently I began laboriously blocking every single solitary address that attacked my computer (hundreds, thousands). I am aware of the downside of blocking so many addresses, however this was sort of an experiment...in short, rule number one broken. Today I finally sent off a letter to abuse@aol.net, not necessarily because they are worse than the rest, just happened to the most recent attackers. I included the details of two recent attacks from there domain, as well as a great deal of editorializing on my part.

    I guess i should include at least the two examples (i'll spare you the rant)

    12/30/2003 @ 9:50:22 pm
    Details: Rule "Default Block Backdoor/SubSeven Trojan horse" blocked (172.158.16.104,27374)
    Inbound TCP connection
    Local address,service is (xxxxxxxxxxxxxxxxxxxxxxxxxxxx)
    Remote address,service is (172.158.16.104,3957)
    Process name is "N/A"

    12/30/2003 @ 9:54:54 pm
    Details: Rule "Default Block Backdoor/SubSeven Trojan horse" blocked (172.202.127.84,27374)
    Inbound TCP connection
    Local address,service is (xxxxxxxxxxxxxxxxxxxxxxxxxxx)
    Remote address,service is (172.202.127.84,3159)
    Process name is "N/A"

    I wrote because i was annoyed but also, i want to know, and i don't seem to be getting it on my own.
    -Are the so called attacks Norton reports really attacks?
    -Do ISP's care, will they investigate complaints?
    -Should I turn off my computer for several months until the people i have offended by complaining forget about me?

    It is too soon to see if AOL responds, but my hope of getting a useful answer is not very high. Anyone care to comment?

    -HandsOff
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi HandsOff

    No real need to do that, the firewall was already blocking them and will continue to do so. The firewall, if properly configured, will block all unsolicited packets.

    No, just any number of things that routinely show up in firewall logs as a result of the recent worms, compromised systems and people scanning for compromised systems.

    There is not much point in dealing with ISP's on an individual basis for routine and harmless scans. If you want to do something about these events, you are better off getting involved with something like DShield or myNetWatchman where they collect and summarize logs from all contributors and send notices to the appropriate ISP's.

    No, let your firewall do what it is supposed to, don't worry about the logs and go about surfing and enjoy your time on the Internet.

    Not having ever dealt with AOL I can't say, but don't hold your breath. SubSeven scans are quite common and harmless if you have a firewall in place.

    Regards,

    CrazyM
     
Thread Status:
Not open for further replies.