Port scans causing denial of service [moved from General Security}

Blockhead · 04-27-2008, 10:55 AM

HELP!!

Can anyone out there please advise me on how to prevent my pc being under almost constant attack from port scans (every ten seconds or so at worst) that frequently prevent network access.

I'm running XP SP2 and this happens if I use either IE7 or Firefox. My firewall is System Suite 8 NetDefense. My ISP is Virgin Media (formerly Blueyonder) and despite complaints to them nothing has happened.

I have tried releasing my IP address and renewing it. The attacks originate from the following IP addresses:

62.30.0.39
62.30.112.39
194.117.134.19

I would really appreciate some guidance here.

Thanks.

johnhook · 04-27-2008, 01:21 PM

Blockhead,

Hopefully I'm not going to get in trouble for replying to this. I don't believe it falls into Malware.

The good news is that you've got decent firewall software that's detecting and blocking these attacks. The bad news is that they keep happening.

I've run into these attacks many times myself. I was using Norton Internet Security at the time.

The first thing you want to do is permanently BLOCK the offending IP addresses in your firewall software's configuration. This will prevent these IP's from having ANY access to your PC. Secondly, if you feel like reporting these attacks, you do a reverse lookup of the offending IP addresses, locate their ISP and send an email to that ISP including the date/time of the attack, the IP address in question, and a log or description of the message from your firewall software.

To track down the user or ISP from the IP address, go to:

http://www.arin.net/whois/

Type in the IP and you'll get a detailed listing of the ISP, domain, location.etc.

That first address in your post, 62.30.0.39 is from an organization in Amsterdam called "Ripe NNC". You can go to their site at: http://www.ripe.net/

If you want to report the port scan attack, click on Contact Us and email the appropriate address. You can also lookup a domain name on:

http://www.networksolutions.com/whois/index.jsp

type in the domain name (i.e. ripe.net) and you'll get detailed information about the domain name owner, administrative and technical contacts, etc.

From there, you can email the appropriate person at this company with your complaint.

Unfortunately, I've found that MOST of this attacks come from overseas (especially Korea - for some reason). In these cases, don't expect a repsonse to your emails as the recipent likely doesn't speak english.

Hope this helps and hope I'm not breaking any rules with this advice.

- John

tetonbob · 04-27-2008, 01:48 PM

Hi Blockhead -

Most of what johnhook has stated is true.

@johnhook -

You've used ARIN for RIPE based IP addresses. It's a european equivalent of ARIN

All those IP addies resolve to Telewest Broadband IP Network Services in the UK.

johnhook · 04-27-2008, 02:22 PM

tetonbob,

What link did you go to to resolve those addresses to "Telewest Broadband IP Network Services " ? Just curious. It's been awhile since I've had to look up ip addresses of attacks on my PC. I found that most of those attacks came from Seoul Korea. It's kind of confusing as to which authority/organization controls domain names/ip addresses for various countries. I know that Networksolutions.com pretty much handles all of the US domain names.

Blockhead,

The main thing is to simply permanently BLOCK the offending IPs in your firewall software. If you find lots of attacks coming from the same IP network, i.e. 62.30.x.x - you may want to block that entire IP network. Be careful with this as there might be legit websites hosted on these ISP's network which blocking would prevent you from accessing.

Another thing I found helpful was in my previous versions of Norton Internet Security, there was a nice tool that allow visual tracking of IP addresses. It brought up a map and showed the originating country/location of the IP address in question. Check out:

http://pcwin.com/Internet/VisualRoute_2007/index.htm

- John

johnwill · 04-28-2008, 06:47 AM

Also note that if you are seeing the IP addresses in the firewall log, that's not the major issue. It's the addresses you DON'T SEE that are the problem, they're getting through!

tetonbob · 04-28-2008, 08:13 AM

@johnhook -

I use several methods for DNS lookups. There are addons for firefox, but one the most frequently used sites is dnsstuff

**Cellus** · 04-28-2008, 01:35 PM

Tracing back an IP address by using something like Visual Route is misleading and gives a false sense of security. Anyone with half a brain and any intent on compromising your computer will bounce their connection and make standard tracebacks impossible to locate the actual originator.

It is not unusual for certain netblocks with certain ISPs to see more scans than usual. This is because that netblock has either at one point in time been "ripe for the picking" (known residential addresses are notorious) or the ISP's filtering is not as diligent. In either case you do not need to worry too much.

It is only when the scans actually yield fruit to the wannabe infiltrator that you should be concerned. I recommend, for example, you scan your systems at GRC's ShieldsUP! and make sure things are in the green. Stealthed ports are great, Closed ports are all right (but it is better to be stealthed), Open ports are red flags. Run the scans and see what you get.

Blockhead · 04-29-2008, 09:38 AM

Thanks people - I'll use this info.

04-27-2008, 10:55 AM	#1 (permalink)
Blockhead Registered User Join Date: Apr 2008 Location: London Posts: 2 OS: Windows XP SP2	Port scans causing denial of service [moved from General Security} HELP!! Can anyone out there please advise me on how to prevent my pc being under almost constant attack from port scans (every ten seconds or so at worst) that frequently prevent network access. I'm running XP SP2 and this happens if I use either IE7 or Firefox. My firewall is System Suite 8 NetDefense. My ISP is Virgin Media (formerly Blueyonder) and despite complaints to them nothing has happened. I have tried releasing my IP address and renewing it. The attacks originate from the following IP addresses: 62.30.0.39 62.30.112.39 194.117.134.19 I would really appreciate some guidance here. Thanks.

04-27-2008, 01:21 PM	#2 (permalink)
johnhook Tech Hardware Team Join Date: Apr 2008 Posts: 670 OS: MS SBS 2003 SP2	Re: Port scans causing denial of service Blockhead, Hopefully I'm not going to get in trouble for replying to this. I don't believe it falls into Malware. The good news is that you've got decent firewall software that's detecting and blocking these attacks. The bad news is that they keep happening. I've run into these attacks many times myself. I was using Norton Internet Security at the time. The first thing you want to do is permanently BLOCK the offending IP addresses in your firewall software's configuration. This will prevent these IP's from having ANY access to your PC. Secondly, if you feel like reporting these attacks, you do a reverse lookup of the offending IP addresses, locate their ISP and send an email to that ISP including the date/time of the attack, the IP address in question, and a log or description of the message from your firewall software. To track down the user or ISP from the IP address, go to: http://www.arin.net/whois/ Type in the IP and you'll get a detailed listing of the ISP, domain, location.etc. That first address in your post, 62.30.0.39 is from an organization in Amsterdam called "Ripe NNC". You can go to their site at: http://www.ripe.net/ If you want to report the port scan attack, click on Contact Us and email the appropriate address. You can also lookup a domain name on: http://www.networksolutions.com/whois/index.jsp type in the domain name (i.e. ripe.net) and you'll get detailed information about the domain name owner, administrative and technical contacts, etc. From there, you can email the appropriate person at this company with your complaint. Unfortunately, I've found that MOST of this attacks come from overseas (especially Korea - for some reason). In these cases, don't expect a repsonse to your emails as the recipent likely doesn't speak english. Hope this helps and hope I'm not breaking any rules with this advice. - John

04-27-2008, 01:48 PM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 22,046 OS: 2000 Pro; XP Pro; XP Home	Re: Port scans causing denial of service Hi Blockhead - Most of what johnhook has stated is true. @johnhook - You've used ARIN for RIPE based IP addresses. It's a european equivalent of ARIN All those IP addies resolve to Telewest Broadband IP Network Services in the UK. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Our help is voluntary, but this site needs donations to operate. Please consider Donating to the Forum. Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.

04-27-2008, 02:22 PM	#4 (permalink)
johnhook Tech Hardware Team Join Date: Apr 2008 Posts: 670 OS: MS SBS 2003 SP2	Re: Port scans causing denial of service [moved from General Security} tetonbob, What link did you go to to resolve those addresses to "Telewest Broadband IP Network Services " ? Just curious. It's been awhile since I've had to look up ip addresses of attacks on my PC. I found that most of those attacks came from Seoul Korea. It's kind of confusing as to which authority/organization controls domain names/ip addresses for various countries. I know that Networksolutions.com pretty much handles all of the US domain names. Blockhead, The main thing is to simply permanently BLOCK the offending IPs in your firewall software. If you find lots of attacks coming from the same IP network, i.e. 62.30.x.x - you may want to block that entire IP network. Be careful with this as there might be legit websites hosted on these ISP's network which blocking would prevent you from accessing. Another thing I found helpful was in my previous versions of Norton Internet Security, there was a nice tool that allow visual tracking of IP addresses. It brought up a map and showed the originating country/location of the IP address in question. Check out: http://pcwin.com/Internet/VisualRoute_2007/index.htm - John

04-28-2008, 06:47 AM	#5 (permalink)
johnwill Manager, Networking Forums Join Date: Sep 2002 Location: S.E. Pennsylvania, US Posts: 27,299 OS: XP-Pro, Vista, Linux Blog Entries: 1	Re: Port scans causing denial of service [moved from General Security} Also note that if you are seeing the IP addresses in the firewall log, that's not the major issue. It's the addresses you DON'T SEE that are the problem, they're getting through! __________________ If TSF has helped you, Tell us about it! or Donate to help keep the site up! Microsoft MVP - Windows Desktop Experience

04-28-2008, 08:13 AM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 22,046 OS: 2000 Pro; XP Pro; XP Home	Re: Port scans causing denial of service [moved from General Security} @johnhook - I use several methods for DNS lookups. There are addons for firefox, but one the most frequently used sites is dnsstuff __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Our help is voluntary, but this site needs donations to operate. Please consider Donating to the Forum. Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.

04-28-2008, 01:35 PM	#7 (permalink)
Cellus Moderator Networking Team Join Date: Aug 2006 Location: Canada Posts: 2,388 OS: Windows XP Pro SP2 My System	Re: Port scans causing denial of service [moved from General Security} Tracing back an IP address by using something like Visual Route is misleading and gives a false sense of security. Anyone with half a brain and any intent on compromising your computer will bounce their connection and make standard tracebacks impossible to locate the actual originator. It is not unusual for certain netblocks with certain ISPs to see more scans than usual. This is because that netblock has either at one point in time been "ripe for the picking" (known residential addresses are notorious) or the ISP's filtering is not as diligent. In either case you do not need to worry too much. It is only when the scans actually yield fruit to the wannabe infiltrator that you should be concerned. I recommend, for example, you scan your systems at GRC's ShieldsUP! and make sure things are in the green. Stealthed ports are great, Closed ports are all right (but it is better to be stealthed), Open ports are red flags. Run the scans and see what you get. __________________ TSF Networking Team HijackThis 5 Step Process Donate!

04-29-2008, 09:38 AM	#8 (permalink)
Blockhead Registered User Join Date: Apr 2008 Location: London Posts: 2 OS: Windows XP SP2	Re: Port scans causing denial of service [moved from General Security} Thanks people - I'll use this info.