
Firewall attacks questions

Discussion in 'Security and Privacy' started by BOBBO, 2002/02/12.

Thread Status:
Not open for further replies.
  1. 2002/02/12
    BOBBO (Thread Starter)
    When I switched to DSL a couple months ago for my stand-alone computer at my home, I got the BlackICE Defender firewall. As far as I can tell, it's worked fine.

    Sometimes when the little icon down in the Sys Tray blinks, I right-click on it to see what just happened or who tried to do what. Today, for example, I've noticed that a number of sources have attempted to attack me several times. By "several," I mean 12, 15, 25, 38, or 42 times. One has tried 74 times so far today in the 4 hours I've been on-line.

    My firewall seems to have blocked all these attempts successfully, but I'm curious. Why would an attacker try so many times to hit one possible target, which I assume is selected blindly and at random? Apart from my setting the firewall up to block such attacks, is there anything I can do to keep one of these repeaters from even trying? Or should I want to do that?

    Almost all of today's attacks have been TCP port probes. The one exception was an HTTP port probe (3 attempts).

    Any significance to any of this, or is it all perfectly normal? Are your experiences pretty much the same?
     
    Last edited: 2002/02/12
  2. 2002/02/12
    Newt
    Pretty normal at times. Hacker wannabes trying to find some poor sucker with a trojan loaded and open ports so they can do their "hacking" thing.

    They aren't just trying you. They will probably have a little "robot" app that runs through the IP address range from your ISP and tries each one in turn.

    Nothing to do about it but pretty harmless unless you have an open system AND a trojan loaded.
     

  4. 2002/02/13
    JCella
    With BlackIce you can pretty much ignore everything that doesn't have a red icon in the attack list. I for one only pay attention to it when I get a red one.

    Since I have a Class C IP range with a lot of domains on it I get A LOT of HTTP/FTP/NetBIOS probes and the occasional SubSeven.

    Just keep an eye on the names of the attack computers and the IP the attacks come from. If you see one IP a lot, call your ISP and have them block that IP on their router (if they are a decent ISP they will). Most of the time attacks are unpatched IIS web servers scanning the net.


    And if you are using BlackIce patch it fast! There is a denial of service vulnerability that can allow attackers to crash BI.

    BlackICE Defender Patch Release version 2.9.car is available at: http://www.iss.net/support/consumer/BI_downloads.php
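JCella's rule of thumb (watch for one IP that keeps showing up, and for a source that walks across many ports) is easy to turn into a small log check. The script below is an added example written for this page; it is not code from the thread and not anything from ISS or BlackICE. It assumes a simplified, constructed event layout (date, time, source IP, destination port, protocol, verdict) rather than BlackICE's actual export format, and the sample addresses are from the RFC 5737 documentation ranges, not real attackers.

```python
"""Spot repeat scanners in personal-firewall events (added example).

Not BlackICE's own event format: the sample lines use a constructed
layout "date time source_ip dest_port protocol verdict".  One stray probe
is background noise; a source that keeps coming back, or that walks
across many ports in a couple of seconds, is the one worth noting and
sending to the ISP's abuse desk.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    ts: datetime
    src: str
    dport: int
    proto: str
    verdict: str


# Constructed sample events (documentation-range addresses, not real sources).
SAMPLE_LOG = """\
2002-02-12 09:01:13 203.0.113.45 21 TCP blocked
2002-02-12 09:01:13 203.0.113.45 23 TCP blocked
2002-02-12 09:01:14 203.0.113.45 139 TCP blocked
2002-02-12 09:01:14 203.0.113.45 1080 TCP blocked
2002-02-12 09:01:15 203.0.113.45 27374 TCP blocked
2002-02-12 09:01:15 203.0.113.45 31337 TCP blocked
2002-02-12 10:22:40 198.51.100.7 80 TCP blocked
2002-02-12 10:22:46 198.51.100.7 80 TCP blocked
2002-02-12 10:22:58 198.51.100.7 80 TCP blocked
2002-02-12 11:05:02 192.0.2.10 137 UDP blocked
"""


def parse_events(text: str) -> List[Event]:
    """Parse the constructed layout; malformed lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        date, time, src, dport, proto, verdict = parts
        try:
            ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
            events.append(Event(ts, src, int(dport), proto, verdict))
        except ValueError:
            continue
    return events


def count_by_source(events: List[Event]) -> Counter:
    return Counter(e.src for e in events)


def ports_by_source(events: List[Event]) -> Dict[str, Set[int]]:
    ports: Dict[str, Set[int]] = defaultdict(set)
    for e in events:
        ports[e.src].add(e.dport)
    return ports


def span_seconds(events: List[Event]) -> Dict[str, float]:
    """Seconds between a source's first and last event (assumes log order)."""
    first: Dict[str, datetime] = {}
    last: Dict[str, datetime] = {}
    for e in events:
        first.setdefault(e.src, e.ts)
        last[e.src] = e.ts
    return {s: (last[s] - first[s]).total_seconds() for s in first}


def classify(events: List[Event], sweep_ports: int = 3,
             repeat_hits: int = 3) -> Dict[str, str]:
    """Label each source: 'port sweep', 'repeated single-service probe' or 'noise'."""
    counts = count_by_source(events)
    ports = ports_by_source(events)
    labels: Dict[str, str] = {}
    for src, n in counts.items():
        if len(ports[src]) >= sweep_ports:
            labels[src] = "port sweep"
        elif n >= repeat_hits:
            labels[src] = "repeated single-service probe"
        else:
            labels[src] = "noise"
    return labels


def repeat_offenders(events: List[Event], threshold: int = 3) -> List[Tuple[str, int]]:
    """Sources with at least `threshold` blocked events, busiest first."""
    counts = count_by_source(events)
    return sorted(((s, n) for s, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    labels, spans, ports = classify(evs), span_seconds(evs), ports_by_source(evs)
    for src, n in repeat_offenders(evs):
        print(f"{src:15} {n:3} hits in {spans[src]:5.1f}s on {sorted(ports[src])} -> {labels[src]}")
```

Six ports from one address inside two seconds is an automated sweep, which is what the "robot" in Newt's reply produces; three hits on port 80 from one address, seconds apart, is the pattern a worm-infected web server makes when it scans for more IIS hosts. In both cases the firewall already blocked the traffic; the per-source count is evidence for an abuse report to the ISP, not a reason to do anything on the PC itself.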
     
  5. 2002/02/13
    Double911
    I found this site thanks to RoadRunner and as a result, the steps I took GREATLY improved the security of my PC. If you run this and the result is "Closed" or even worse, "Open", try ZoneAlarm from ZoneLabs (it's free). All my ports now say "Stealth", so a potential hacker doesn't even know that your PC exists, so they will quit trying....


    https://grc.com/x/ne.dll?bh0bkyd2

    It was a real eye-opener for me!


    Phil
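The Open / Closed / Stealth verdicts in the post above are the three possible outcomes of a TCP connection attempt, and they are worth seeing on the wire before trusting a label. The script below is an added example for this page, not GRC's code and not part of the thread; it probes a loopback listener for the "open" and "closed" cases, and the only assumption it makes is that an address in the RFC 5737 documentation range is unroutable from the machine it runs on, so the final probe stands in for the "stealth" case.

```python
"""Tell 'open', 'closed' and 'stealth' apart with a plain TCP connect() (added example).

A scanner that sends a SYN sees one of three things:
  open    - the handshake completes, so a service is listening
  closed  - the host answers with a RST (ConnectionRefusedError here)
  stealth - nothing comes back before the timeout; the packet was dropped.
            A firewall that silently drops produces this, but so does a
            powered-off host or an upstream filter: silence is not proof
            of a firewall, only absence of an answer.
"""
import socket
from typing import Tuple


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed', 'stealth' or 'unreachable' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"        # RST came back: host is there, nothing listening
    except socket.timeout:
        return "stealth"       # no answer at all before the deadline
    except OSError:
        return "unreachable"   # no route, DNS failure, network down: not a port verdict
    finally:
        s.close()


def start_listener() -> Tuple[socket.socket, int]:
    """Listen on an ephemeral loopback port; the caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo_open_then_closed() -> Tuple[str, str]:
    """Probe a listening loopback port, close the listener, probe again."""
    srv, port = start_listener()
    try:
        while_open = probe("127.0.0.1", port)
    finally:
        srv.close()
    after_close = probe("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print("loopback, listener up / down:", demo_open_then_closed())
    # Assumed-unroutable address from the RFC 5737 test range: a 'stealth'
    # or 'unreachable' result here reflects routing, not any firewall.
    print("203.0.113.1:80 ->", probe("203.0.113.1", 80, timeout=1.0))
```

The practical caveat: a dropped probe gives the scanner no answer, which means you do not confirm that a live host sits at that address. It does not make the bulk scanners Newt describes slow down, since they step through the whole address range regardless of who answers; the gain from "Stealth" is not advertising yourself, not fewer entries in the BlackICE event list.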
     
  6. 2002/02/13
    BOBBO (Thread Starter)
    Newt: I'd pretty much figured the same thing, that the attacks were randomly and blindly scanning the Net to see what connections could be found. My firewall was apparently able to block all of them and prevent any harm or mischief from being done. I was just perplexed that some of them tried so many times. I'd expect the randomness to result in far fewer repeats.

    JCella: I checked the link you provided, and the patch applies to users of Windows 2000 and XP, whereas I'm using Win98, so I didn't need to download it.

    Double911: I spent quite a bit of time perusing the Gibson site's messages. Like you, I found it an eye-opener, especially after I ran the leaks test and saw the result. Right now I have the feeling that external threats pose far more of a potential danger to me than the internal threat that BlackICE Defender is vulnerable to, but I'll think very seriously about ZoneAlarm. The latest issue of PC Magazine tests the different personal firewalls that are available and comes to much the same conclusions about them as Gibson does.

    I thank all of you for taking the time to respond and for your suggestions. We seem to be of like mind about the attacks I've been getting.

    As for personal firewall programs, I expect that within the next few months the weak ones will be built up and broadband users will be even safer for it. For the time being, though, I'm curious if there are any issues, problems, or conflicts to argue against using ZoneAlarm. The only one the PC Mag article mentioned is a synching problem with MS Outlook Express, which I don't use. They tested ZoneAlarm Pro 2.6, not the free version, by the way, but they didn't rate it any higher than BlackICE Defender. Their Editors' Choice Awards went to Norton Internet Security 2000 and Sygate Personal Firewall PRO 4.2.
     
  7. 2002/02/13
    brett
    I was under the impression that the more recent versions of BID did in fact offer bi-directional filtering; but maybe I'm mistaken.

    ZA is, without question, a good product. However, ZAF lacks the configurability that can be found in ZAP and many other firewalls and is also somewhat heavier on resources than most of the others. I'd suggest that, in addition to ZAF, you also consider both TPF and Outpost.
     
  8. 2002/02/13
    BOBBO (Thread Starter)
    This is really weird. I just checked my BlackICE Defender's Events viewer, and in the 5 hours I've been on-line so far today, I've been attacked just once (not counting the 3 hits I inflicted on myself when I ran the Gibson leak test). Yesterday by this time I'd been hit 200-300 times. What do you make of that?
     
  9. 2002/02/13
    brett
    Do you have a dynamic or static IP? If it's the former, then it could simply be the case that the previous "owner" of that IP was running a P2P application of some type.

    As an interesting aside, you may wish to read this article, which provides an alternative view as to the effectiveness of PFs/IDSs and the alerts which they generate (I should point out that, whilst the article does make several valid points, I am not in overall agreement with its assertions!).
     
  10. 2002/02/13
    BOBBO (Thread Starter)
    brett: I'm a DSL subscriber, so my IP is static, isn't it? I thought that's what made broadband users so vulnerable to hackers. Maybe I have that all wrong. My IP is SBCglobal (PacBell), if that helps clarify anything.

    I read the article you linked me to. Interesting. Since my computer is a stand-alone unit, I'm not on a network as I understand the way he uses the term, so the box he recommends as a real firewall, as opposed to software firewalls, is more for LAN and WAN units, isn't it?
     
  11. 2002/02/13
    Newt
    Bobbo - much more likely that you have a dynamic IP address via DHCP from your ISP.

    Easy enough to find out.

    For Win9x, go to start~run and put in winipcfg and click the button for details. You will see exactly how your IP is being assigned. If dynamic, you will also see information about the lease period. At the end of your "lease" the DHCP box will check to see if you are still around. If so, you get renewed with the same IP address. If not, that address is placed back into their pool of available addresses and the next time you get on, you will probably get a different address.

    For NT/2K/XP, you need to run ipconfig /all from a DOS window. Same information. For ME I have no clue, but it will be one or the other.

    Your ISP will have "exclusive rights" to a certain range of IP addresses and will assign from that range. To get more use from a limited number, they usually set a very short lease period so they can recycle them quickly and have a maximum number of users from a minimum number of addresses.

    I'm at work now so can't check on my DSL connection at home but I think it may be in the neighborhood of 2 hours for the lease. OTOH, at work we have plenty of addresses and the lease is set at 2 weeks or something to cut down on network traffic caused by the lease negotiation.
     
  12. 2002/02/13
    BOBBO (Thread Starter)
    Newt: I'm running Win98, so I did the Run winipcfg you suggested. I found out a few things, some easily, some with a little difficulty.

    The first thing I noticed was that in the IP section, the Host Name shows me as still being with my old dial-up modem ISP. Thinking something was haywire, I went to Control Panel\Network and looked at the list of protocols under Configuration. Most seemed right for DSL, but one looked to be a left-over from POTS days. Not wanting to mess up my DSL configuration, but curious about that dial-up IP, I phoned my DSL provider's support number and learned that I should keep most of the protocols listed but, since I'd removed the unneeded modem card from my computer, I could delete the dial-up protocol. So I did. He also told me my connection is dynamic, which cleared up that point.

    Going back to the Run winipcfg, I found I'd somehow been disconnected, so I rebooted, got back on-line, and ran the winipcfg again. Under Ethernet Adapter Information, set to NTS PPPoE Adapter, lease times are both 01 01 80 12:00:00 AM. But in the IP section, the Host Name still shows the old dial-up ISP. Why is it doing that?

    The further I get into all this, the more I'm finding out how much there is I don't know or understand. And I started it all, not because something wasn't working, but from just being curious about something. I suppose a lot of great science has come about in exactly that same way, but I've also heard something about curiosity killing the cat. I'm probably somewhere between those two. * sigh *
     
  13. 2002/02/15
    Newt
    Interesting Bobbo. Some of your settings are for sure not what I'd expect but your system is working. Hmmmmm.

    What sort of network adapter are you using now? Regular NIC with the RJ-45 connector (looks like a phone connector with a thyroid problem)?

    With winipcfg open, do you show more than one network adapter? You can find out by clicking the drop-down arrow to the right of your "Ethernet Adapter Information" block. I suspect you may see several and the first screen that comes up for you is probably still for the old dial-up adapter which is gone.
     
  14. 2002/02/15
    BOBBO (Thread Starter)
    Newt: I checked and there are 2 adapters: NTS PPPoE and D-Link DFE-530TX-PCI.

    I think both of them are for my DSL service, but I'm not positive. (I've decided to not be positive anymore about much of anything that's related to this whole thing.)
     