Attack Detected - Firewalls


Thread: Attack Detected

  1. Attack Detected

    My firewall continually pops up with a little message saying that an attack
    to some port was detected. It gives me some numbers (like that's supposed
    to mean something to me) that I don't understand. There's a log with long
    lists of these "attacks."
    Am I supposed to do something with this stuff? How do I find out who the
    attacker is?
    As you can see, I'm not very experienced with firewalls (except for
    shutting them off).
    Al



  2. Re: Attack Detected

    Al wrote:
    > My firewall continually pops up with a little message saying that an
    > attack to some port was detected. It gives me some numbers (like
    > that's supposed to mean something to me) that I don't understand.
    > There's a log with long lists of these "attacks."
    > Am I supposed to do something with this stuff?


    Yes. Ignore it.

    > How do I find out who the attacker is?


    If those numbers don't mean anything to you, you don't.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  3. Re: Attack Detected

    Al wrote:
    > My firewall continually pops up with a little message saying that an attack
    > to some port was detected.


    Drop it. Just use the Windows-Firewall.

    Yours,
    VB.
    --
    "Life was simple before World War II. After that, we had systems."
    Grace Hopper

  4. Re: Attack Detected

    On Tue, 19 Dec 2006 19:49:28 GMT, "Al" wrote:

    >My firewall continually pops up with a little message saying that an attack
    >to some port was detected. It gives me some numbers (like that's supposed
    >to mean something to me) that I don't understand. There's a log with long
    >lists of these "attacks."
    >Am I supposed to do something with this stuff? How do I find out who the
    >attacker is?
    >As you can see, I'm not very experienced with firewalls (except for
    >shutting them off).


    Post the log with the relevant lines.


  5. Re: Attack Detected


    "Al" wrote in message
    news:cnXhh.1288$X72.515@newsread3.news.pas.earthlink.net...
    > My firewall continually pops up with a little message saying that an
    > attack to some port was detected. It gives me some numbers (like that's
    > supposed to mean something to me) that I don't understand. There's a log
    > with long lists of these "attacks."


    Yes, even a personal FW running on a computer will log events. Those events
    being logged do not mean your machine is being singled out and attacked in
    most cases. The events are unsolicited traffic that is reaching the PFW and
    are being blocked by the PFW, which most likely are everyday events that
    will happen to a computer that's connected to the Internet. This is
    particularly true that events are logged by the PFW on a computer that has a
    direct connection to the modem, and therefore, the machine has a direct
    connection to the Internet. The personal FW will start going off and
    alarming you, and most of the time it's really nothing that's happening,
    other than the PFW is blocking the traffic and popping messages that it's
    doing that.


    > Am I supposed to do something with this stuff? How do I find out who the
    > attacker is?


    Why even worry about it? The PFW is doing its job of blocking traffic that
    it's not supposed to let through. If you want to check who it is, then take
    the IP and enter it into the Arin WhoIs Search Box
    http://www.arin.net/index.shtml. Most likely, it's someone's machine on some
    ISP's or even your own ISP's network that has been infected by a
    virus. The virus running on the machine is trying to reach out and find
    other machines that are open to attack and infect them.

    You are small, small, small potatoes and no one is really coming after small
    potatoes.

    > As you can see, I'm not very experienced with firewalls (except for
    > shutting them off).


    If you don't want to be alarmed by the PFW, then what you should do is put a
    cheap NAT router between the modem and the computer, which cost about as
    much as that PFW you have running on the machine.

    The router is going to block all the traffic/attacks in front of the machine
    so that the PFW doesn't start popping messages and events at you, as they
    will never reach the computer or the PFW running on it, because the router
    is sitting there.

    You can even get a router that uses Wallwatcher (free). You can watch the
    traffic in real time that's not reaching your computer and feel free as a
    bird, as you watch the traffic being blocked by the NAT router. You can even
    use Arin WhoIs.

    http://www.homenethelp.com/web/explain/about-NAT.asp
    http://www.sonic.net/wallwatcher/

    Duane
    ..



  6. Re: Attack Detected

    On 12/19/2006 11:49 AM, something possessed Al to write:
    > My firewall continually pops up with a little message saying that an attack
    > to some port was detected. It gives me some numbers (like that's supposed
    > to mean something to me) that I don't understand. There's a log with long
    > lists of these "attacks."
    > Am I supposed to do something with this stuff? How do I find out who the
    > attacker is?
    > As you can see, I'm not very experienced with firewalls (except for
    > shutting them off).
    > Al
    >
    >

    They're just portscans, nothing really to be concerned about. The long
    numbers are IP addresses that belong to the computer that's "attacking"
    you. There should be a way to config your Personal Firewall so that you
    don't see these alerts (I'm assuming you're probably using ZA or
    NIS/NPF, since they tend to call portscans attacks), while still keeping
    the FW protection. Anyway, it's nothing on your computer, if that's
    what you're wondering, and nothing really to worry about as far as
    taking action is concerned.

    Regards,

    Will

  7. Re: Attack Detected

    In article ,
    starrwarz@g_~-clothes-~_m~more_clothes~ail.com says...
    > On 12/19/2006 11:49 AM, something possessed Al to write:
    > > My firewall continually pops up with a little message saying that an attack
    > > to some port was detected. It gives me some numbers (like that's supposed
    > > to mean something to me) that I don't understand. There's a log with long
    > > lists of these "attacks."
    > > Am I supposed to do something with this stuff? How do I find out who the
    > > attacker is?
    > > As you can see, I'm not very experienced with firewalls (except for
    > > shutting them off).
    > > Al
    > >
    > >

    > They're just portscans, nothing really to be concerned about. The long
    > numbers are IP addresses that belong to the computer that's "attacking"
    > you. There should be a way to config your Personal Firewall so that you
    > don't see these alerts (I'm assuming you're probably using ZA or
    > NIS/NPF, since they tend to call portscans attacks), while still keeping
    > the FW protection. Anyway, it's nothing on your computer, if that's
    > what you're wondering, and nothing really to worry about as far as
    > taking action is concerned.


    That's not really true - while port scans don't mean much, if they show
    the scanner that you have an exposed port of interest, they will come
    back and take a closer look.

    If you can determine that your IP is being scanned for open ports you
    should take action to block the IP of the scanning host - for at least
    30 days.

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  8. Re: Attack Detected

    On 12/25/2006 11:59 AM, something possessed Leythos to write:
    > In article ,
    > starrwarz@g_~-clothes-~_m~more_clothes~ail.com says...
    >> On 12/19/2006 11:49 AM, something possessed Al to write:
    >>> My firewall continually pops up with a little message saying that an attack
    >>> to some port was detected. It gives me some numbers (like that's supposed
    >>> to mean something to me) that I don't understand. There's a log with long
    >>> lists of these "attacks."
    >>> Am I supposed to do something with this stuff? How do I find out who the
    >>> attacker is?
    >>> As you can see, I'm not very experienced with firewalls (except for
    >>> shutting them off).
    >>> Al
    >>>
    >>>

    >> They're just portscans, nothing really to be concerned about. The long
    >> numbers are IP addresses that belong to the computer that's "attacking"
    >> you. There should be a way to config your Personal Firewall so that you
    >> don't see these alerts (I'm assuming you're probably using ZA or
    >> NIS/NPF, since they tend to call portscans attacks), while still keeping
    >> the FW protection. Anyway, it's nothing on your computer, if that's
    >> what you're wondering, and nothing really to worry about as far as
    >> taking action is concerned.

    >
    > That's not really true - while port scans don't mean much, if they show
    > the scanner that you have an exposed port of interest, they will come
    > back and take a closer look.
    >
    > If you can determine that your IP is being scanned for open ports you
    > should take action to block the IP of the scanning host - for at least
    > 30 days.
    >

    30 days? Why even have it unblocked if there's no needed service. The
    point I was making is that some of the FWs tend to overdramatize
    portscans to make their userbase think that someone is trying to
    "attack" their system (which isn't so far off from the truth sometimes,
    but usually is). Of course, all inbound connections (including
    portscans) should be, at all times, blocked unless you're running a
    service that requires that inbound connection (like some messenger or
    P2P (legit use only) programs).

  9. Re: Attack Detected

    In article ,
    starrwarz@g_~-clothes-~_m~more_clothes~ail.com says...
    > > That's not really true - while port scans don't mean much, if they show
    > > the scanner that you have an exposed port of interest, they will come
    > > back and take a closer look.
    > >
    > > If you can determine that your IP is being scanned for open ports you
    > > should take action to block the IP of the scanning host - for at least
    > > 30 days.
    > >

    > 30 days? Why even have it unblocked if there's no needed service. The
    > point I was making is that some of the FWs tend to overdramatize
    > portscans to make their userbase think that someone is trying to
    > "attack" their system (which isn't so far off from the truth sometimes,
    > but usually is). Of course, all inbound connections (including
    > portscans) should be, at all times, blocked unless you're running a
    > service that requires that inbound connection (like some messenger or
    > P2P (legit use only) programs).


    And the point is that port scans are not really harmless - they are a
    clear indication that someone or something is looking for a way in or an
    exploit that is exposed on your system/network.

    If you don't take to blocking the subnet/ip in a permanent ban, a 30 day
    ban will often get them to move on to someone else instead of coming
    back to you later.

    As for not offering services - well, if only it were that simple. As
    we've all seen/know, even Windows firewall allows apps to create
    exceptions without the user knowing, so, unless the user has some form
    of monitoring going on, there is really no way to know what is
    happening for the non-technical/ignorant user.

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  10. Re: Attack Detected

    On Wed, 27 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
    , Leythos wrote:

    >starrwarz@g_~-clothes-~_m~more_clothes~ail.com says...


    >>> That's not really true - while port scans don't mean much, if they show
    >>> the scanner that you have an exposed port of interest, they will come
    >>> back and take a closer look.


    Agreed, but

    >>> If you can determine that your IP is being scanned for open ports you
    >>> should take action to block the IP of the scanning host - for at least
    >>> 30 days.


    I know we're talking about windoze users, but rather than wait until
    some zombie scans your systems and finds you have open ports, one should
    fix the d4mn box so that the port is not open in the first place. If
    that skill is beyond their capabilities, then configure the firewall to
    block the ports itself, and then learn how to fix the computer. If they
    can't do that, then maybe they shouldn't be using a computer.

    >> 30 days? Why even have it unblocked if there's no needed service.


    Why is it open on the computer? Free clue: if you don't run the
    unwanted service, and don't run some wonky "personal firewall" to block
    that service, your computer won't be wasting those CPU cycles, and will
    be able to run faster.

    >> The point I was making is that some of the FWs tend to overdramatize
    >> portscans to make their userbase think that someone is trying to
    >> "attack" their system (which isn't so far off from the truth
    >> sometimes, but usually is).


    The over dramatization is needed to get the attention of the user who
    automatically clicks OK on _any_ and _all_ messages displayed to them.

    >> Of course, all inbound connections (including portscans) should be, at
    >> all times, blocked unless you're running a service that requires that
    >> inbound connection (like some messenger or P2P (legit use only)
    >> programs).


    We'll come back to this point below.

    >And the point is that port scans are not really harmless - they are a
    >clear indication that someone or something is looking for a way in or an
    >exploit that is exposed on your system/network.


    Port scans are not targeting "you" or "your system/network". They're
    looking at all/everyone. If someone were actually targeting you, the
    average user (and probably the average network administrator) wouldn't
    notice, because they are going to be a heck of a lot more subtle.

    >If you don't take to blocking the subnet/ip in a permanent ban, a 30 day
    >ban will often get them to move on to someone else instead of coming
    >back to you later.


    30 minutes is usually adequate.

    >As for not offering services - well, if only it were that simple.


    Congratulations. You've just figured out that they lied to you
    when they told you even an untrained monkey on crack can use a
    computer. Yes, there's a lot to learn.

    >As we've all seen/know, even Windows firewall allows apps to create
    >exceptions without the user knowing,


    Running additional firewall or anti-malware stuff on "this" computer
    is just as easy to circumvent. Using a separate box as a firewall will
    usually be _able_ to prevent this, but only if the user doesn't react
    by logging into the firewall to "allow" some unknown service in the
    same way as clicking on the "OK" icon in the warning box to get the
    thing out of the way.

    It's well known that the most important attack vector into a computer
    is the stupid user who lacks the skill set to be using a digital watch,
    much less something as complicated as a computer. There is no Mal-ware
    Fairy who comes around and waves a magic wand to install malware when
    the user isn't looking. The stuff gets installed by the user, either
    because the user thinks it might be a good idea, or because they have
    no concept of what it might be, and this warning box is in the way -
    make it go away by clicking "OK". Go ahead - install more anti-malware
    software, and then wonder why you need a 3 Gigahertz Pentium VI to read
    a text based newsgroup.

    >so, unless the user has some form of monitoring going on, there is
    >really no way to know what is happening for the non-technical/ignorant
    >user.


    but who is going to watch the watchers? And why would the average
    non-technical (and totally ignorant) user know that a message that says
    "this is important" and "you have a problem" should be responded to any
    differently than clicking "OK" and let me get on with surfing this very
    interesting pr0n/warez/gaming site.

    Old guy

  11. Re: Attack Detected

    In article ,
    ibuprofin@painkiller.example.tld says...
    > Port scans are not targeting "you" or "your system/network". They're
    > looking at all/everyone.


    Let's stop here, and I snipped everything else before/after.

    Port scans ARE targeting YOU as they are scanning YOUR network - just
    because they are scanning everyone else doesn't mean they are not
    scanning you.

    Once you accept that if they scan YOU and find something interesting,
    they WILL be back, you will start to better understand security.

    As for not offering services - it's just not that simple for non-
    technical types to get it right, to have their systems continue to
    perform as expected when fully locked down, etc... A properly configured
    firewall, blocking in/out, does a very good job. Oh, and just because
    you don't offer service X doesn't mean that an exploit can't find some
    other path into the system - read that as undocumented exploits.

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  12. Re: Attack Detected

    William wrote:
    > On 12/25/2006 11:59 AM, something possessed Leythos to write:
    >> If you can determine that your IP is being scanned for open ports you
    >> should take action to block the IP of the scanning host - for at
    >> least 30 days.

    >
    > 30 days? Why even have it unblocked if there's no needed service.


    *sigh*

    nmap -sS -e eth0 -P0 -T5 -S 198.41.0.4 $YOUR_IP

    Go ahead and block the IP of that "scanning" host ...

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
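
Added example (not part of the thread and not any poster's code): the trade-offs argued in posts 7 to 12, written as Python. It flags a source that touches many distinct ports in a short window, blocks it for a limited time (30 minutes, the figure from post 10), and refuses to auto-block addresses on a never-block list, because the source address of a SYN scan can be forged, which is what the `-S` option in post 12's command does. The log format, the thresholds and every address except 198.41.0.4 are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format is hypothetical, not any product's.
# 198.41.0.4 is the address from the nmap command quoted in the thread; all
# other addresses come from the documentation ranges.
SAMPLE_LOG = """\
2006-12-27 10:00:01 DROP TCP 203.0.113.7:40211 -> 192.0.2.10:135
2006-12-27 10:00:01 DROP TCP 203.0.113.7:40212 -> 192.0.2.10:139
2006-12-27 10:00:02 DROP TCP 203.0.113.7:40213 -> 192.0.2.10:445
2006-12-27 10:00:02 DROP TCP 203.0.113.7:40214 -> 192.0.2.10:1433
2006-12-27 10:00:03 DROP TCP 203.0.113.7:40215 -> 192.0.2.10:3389
2006-12-27 10:05:10 DROP TCP 198.51.100.23:1042 -> 192.0.2.10:445
2006-12-27 10:06:40 DROP TCP 198.51.100.23:1043 -> 192.0.2.10:445
2006-12-27 10:09:15 DROP TCP 198.51.100.23:1044 -> 192.0.2.10:445
2006-12-27 10:20:00 DROP TCP 198.41.0.4:53 -> 192.0.2.10:21
2006-12-27 10:20:00 DROP TCP 198.41.0.4:53 -> 192.0.2.10:22
2006-12-27 10:20:00 DROP TCP 198.41.0.4:53 -> 192.0.2.10:23
2006-12-27 10:20:01 DROP TCP 198.41.0.4:53 -> 192.0.2.10:25
2006-12-27 10:20:01 DROP TCP 198.41.0.4:53 -> 192.0.2.10:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DROP TCP "
    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)


def parse(log):
    """Return a list of (timestamp, source address, destination port)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, ipaddress.ip_address(m["src"]), int(m["dport"])))
    return events


def find_scanners(events, window=timedelta(seconds=60), min_ports=5):
    """Return {source: time it first hit min_ports distinct ports in window}.

    Repeated hits on one port (typical worm noise) never cross the threshold.
    """
    recent = defaultdict(list)  # source -> [(timestamp, port)] inside window
    flagged = {}
    for ts, src, dport in sorted(events, key=lambda e: e[0]):
        hits = [(t, p) for t, p in recent[src] if ts - t <= window]
        hits.append((ts, dport))
        recent[src] = hits
        if src not in flagged and len({p for _, p in hits}) >= min_ports:
            flagged[src] = ts
    return flagged


class BlockList:
    """Time-limited blocks with a list of addresses that are never blocked."""

    def __init__(self, ttl, never_block):
        self.ttl = ttl
        # Addresses you depend on (resolvers, gateway, update servers): a
        # forged scan "from" one of these must not cut you off from it.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.expires = {}

    def block(self, src, now):
        """Block src until now + ttl; return False if src is protected."""
        if any(src in net for net in self.never_block):
            return False
        self.expires[src] = now + self.ttl
        return True

    def is_blocked(self, src, now):
        until = self.expires.get(src)
        if until is None:
            return False
        if now >= until:  # entry has aged out; forget it
            del self.expires[src]
            return False
        return True


def run(log=SAMPLE_LOG):
    """Apply the policy to the log; return (block list, refused sources)."""
    blocks = BlockList(ttl=timedelta(minutes=30), never_block=["198.41.0.4/32"])
    refused = []
    for src, when in find_scanners(parse(log)).items():
        if not blocks.block(src, when):
            refused.append(str(src))
    return blocks, refused


if __name__ == "__main__":
    blocks, refused = run()
    print("blocked until:", {str(k): str(v) for k, v in blocks.expires.items()})
    print("flagged but not blocked (protected address):", refused)
```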

  13. Re: Attack Detected

    On Wed, 27 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in
    article <4592d426$0$4859$4c368faf@roadrunner.com>, Leythos wrote:

    >ibuprofin@painkiller.example.tld says...


    >> Port scans are not targeting "you" or "your system/network". They're
    >> looking at all/everyone.

    >
    >Let's stop here, and I snipped everything else before/after.
    >
    >Port scans ARE targeting YOU as they are scanning YOUR network - just
    >because they are scanning everyone else doesn't mean they are not
    >scanning you.


    That's semantics.

    >Once you accept that if they scan YOU and find something interesting,
    >they WILL be back, you will start to better understand security.


    They do scan - my home network gets the broadband service from a very
    popular provider, who wants to be looked at as a "Common Carrier" and
    thus not responsible for the traffic that is using their wires. As a
    result, every idiot is infected with the windoze zombie de heure. Not a
    problem for me - I don't accept incoming from this /1 or 128.0.0.0 if
    you like your network masks that way. In fact, the only server I am
    running (SSH) is even further restricted.

    >As for not offering services - it's just not that simple for non-
    >technical types to get it right, to have their systems continue to
    >perform as expected when fully locked down, etc...


    Unfortunately, microsoft _DID_ get it right originally. They used a
    broken by design protocol called NETBEUI. Too bad they didn't keep that
    as the default. Network too big for that? Fine - it's also big enough
    that you can afford someone who can spell clue.

    >Oh, and just because you don't offer service X doesn't mean that an
    >exploit can't find some other path into the system - read that as
    >undocumented exploits.


    My network accepts SSH connection ONLY. It accepts them from a /24
    and a /22 ONLY. Mail viruses? I accept mail from white-listed
    addresses only. I also only accept ASCII text - the poor old
    Berkeley 'mail' program never learned about MIME, never mind HTML.
    Bad websites? 'man lynx', and it's being run as user "noone" rather
    than "ibuprofin". The only other way in is going to be to trojan
    my O/S updates - and which of the 350+ Linux distributions am I using?
    Actually, I cheat there, because I use the download server at work.

    Some people think I'm missing this whole Internet experience. No, I'm
    not _missing_ anything worth-while.

    Old guy


  14. Re: Attack Detected

    Moe Trin wrote:

    >>Port scans ARE targeting YOU as they are scanning YOUR network - just
    >>because they are scanning everyone else doesn't mean they are not
    >>scanning you.

    >
    > That's semantics.


    And nonsense. Where exactly is the difference between asking if you offer
    some services (because *others* told'em) and a port scan? Too many idiots
    and too many broken protocols have been blurring this line even further.

    >>As for not offering services - it's just not that simple for non-
    >>technical types to get it right, to have their systems continue to
    >>perform as expected when fully locked down, etc...

    >
    > Unfortunately, microsoft _DID_ get it right originally. They used a
    > broken by design protocol called NETBEUI. Too bad they didn't keep that
    > as the default. Network too big for that? Fine - it's also big enough
    > that you can afford someone who can spell clue.


    One can still limit Windows shares to only use NetBIOS-over-TCP/IP (and no
    SMB), which can be easily bound to network adapters.

    > Mail viruses? I accept mail from white-listed addresses only.


    OK. Practical considerations aside...

    > I also only accept ASCII text - the poor old Berkeley 'mail' program
    > never learned about MIME,


    ....as well as technical limitations for being old and outdated...

    > Bad websites? 'man lynx',


    .... and desires for usability...

    > Some people think I'm missing this whole Internet experience. No, I'm
    > not _missing_ anything worth-while.


    .... your arguments are funny.

  15. Re: Attack Detected

    In article ,
    ibuprofin@painkiller.example.tld says...
    > On Wed, 27 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in
    > article <4592d426$0$4859$4c368faf@roadrunner.com>, Leythos wrote:
    >
    > >ibuprofin@painkiller.example.tld says...

    >
    > >> Port scans are not targeting "you" or "your system/network". They're
    > >> looking at all/everyone.

    > >
    > >Let's stop here, and I snipped everything else before/after.
    > >
    > >Port scans ARE targeting YOU as they are scanning YOUR network - just
    > >because they are scanning everyone else doesn't mean they are not
    > >scanning you.

    >
    > That's semantics.


    Yes, it was, it was "semantics" to say that the scans were not targeting
    individuals and to think that they don't really mean anything.

    > >Once you accept that if they scan YOU and find something interesting,
    > >they WILL be back, you will start to better understand security.

    >
    > They do scan - my home network gets the broadband service from a very
    > popular provider, who wants to be looked at as a "Common Carrier" and
    > thus not responsible for the traffic that is using their wires. As a
    > result, every idiot is infected with the windoze zombie de heure. Not a
    > problem for me - I don't accept incoming from this /1 or 128.0.0.0 if
    > you like your network masks that way. In fact, the only server I am
    > running (SSH) is even further restricted.


    And your method may not work for the OP or others - as some people may
    have a web server or other running on their LAN that provides services
    to family and friends also on the same ISP.

    > >As for not offering services - it's just not that simple for non-
    > >technical types to get it right, to have their systems continue to
    > >perform as expected when fully locked down, etc...

    >
    > Unfortunately, microsoft _DID_ get it right originally. They used a
    > broken by design protocol called NETBEUI. Too bad they didn't keep that
    > as the default. Network too big for that? Fine - it's also big enough
    > that you can afford someone who can spell clue.
    >
    > >Oh, and just because you don't offer service X doesn't mean that an
    > >exploit can't find some other path into the system - read that as
    > >undocumented exploits.

    >
    > My network accepts SSH connection ONLY. It accepts them from a /24
    > and a /22 ONLY. Mail viruses? I accept mail from white-listed
    > addresses only. I also only accept ASCII text - the poor old
    > Berkeley 'mail' program never learned about MIME, never mind HTML.
    > Bad websites? 'man lynx', and it's being run as user "noone" rather
    > than "ibuprofin". The only other way in is going to be to trojan
    > my O/S updates - and which of the 350+ Linux distributions am I using?
    > Actually, I cheat there, because I use the download server at work.
    >
    > Some people think I'm missing this whole Internet experience. No, I'm
    > not _missing_ anything worth-while.


    I don't think you're missing anything that you don't want. The internet
    is there if anyone needs something on it, but your solution doesn't work
    for most of the ignorant masses of Windows/Nix users (notice I said
    ignorant and nix, because there are a LOT of new ignorant NIX users with
    exposed systems and more are added every day).

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  16. Re: Attack Detected

    On Thu, 28 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
    <4593ea1d$0$17135$4c368faf@roadrunner.com>, Leythos wrote:

    >ibuprofin@painkiller.example.tld says...


    >> Leythos wrote:


    >>> Port scans ARE targeting YOU as they are scanning YOUR network - just
    >>> because they are scanning everyone else doesn't mean they are not
    >>> scanning you.

    >>
    >> That's semantics.

    >
    >Yes, it was, it was "semantics" to say that the scans were not targeting
    >individuals and to think that they don't really mean anything.


    The comment is more for those individuals who, on seeing numerous
    "attack" warnings from their personal firewall believe that all the
    attacks are targeting them specifically. I didn't say that the port scans
    are meaningless - merely that they are a fact of life.

    >And your method may not work for the OP or others - as some people may
    >have a web server or other running on their LAN that provides services
    >to family and friends also on the same ISP.


    It's been mentioned countless times - know why OpenBSD has never had a
    root exploit out-of-box (or so they claim)? Simple - _no_ network
    services are enabled by default. You have to learn how to enable it, and
    while doing so you hopefully will learn some of the really obvious bad
    techniques to avoid. On the other hand, microsoft enables a _LOT_ of
    stuff by default, on the off-chance that someone may find it useful.
    The user therefore has no need (or incentive) to learn anything, with
    the inevitable results.

    >I don't think you're missing anything that you don't want.


    Bingo

    >(notice I said ignorant and nix, because there are a LOT of new
    >ignorant NIX users with exposed systems and more are added every day).


    Isn't _that_ the truth. Still, the "popular" *nix tend more towards
    the 'not running by default' mode, and stress separation of the root
    versus normal users. "Ubuntu Linux" (a Debian clone) goes so far as to
    not enable the root account. You can't log in as root. If you need to
    do administrative things, you use 'su' or 'sudo'. That of course raises
    other problems, but they are much less important than using the system
    as root.

    Old guy

  17. Re: Attack Detected

    Moe Trin wrote:

    > It's been mentioned countless times - know why OpenBSD has never had a
    > root exploit out-of-box (or so they claim)?


    Sadly this changed to "Only 1 root exploit in the default configuration in
    the last 10 years". Damn TCP/IP stack! :-)

    >>(notice I said ignorant and nix, because there are a LOT of new
    >>ignorant NIX users with exposed systems and more are added every day).

    >
    > Isn't _that_ the truth. Still, the "popular" *nix tend more towards
    > the 'not running by default' mode, and stress separation of the root
    > versus normal users. "Ubuntu Linux" (a Debian clone) goes so far as to
    > not enable the root account. You can't log in as root. If you need to
    > do administrative things, you use 'su' or 'sudo'. That of course raises
    > other problems, but they are much less important than using the system
    > as root.


    OK, then a nice counterexample: Mandriva Linux. Has X11, CUPS and Sun-RPC
    mapped to every network adapter by default, but at least netfilter/iptables
    is running. And you'll find no documentation on this issue in their
    database or support forum. SuSE Linux is even worse, and SlackWare is only
    slightly better (additionally uses tcpwrapper).

    The other distros seem to be OK.

  18. Re: Attack Detected

    In article ,
    ibuprofin@painkiller.example.tld says...
    > >Yes, it was, it was "semantics" to say that the scans were not targeting
    > >individuals and to think that they don't really mean anything.

    >
    > The comment is more for those individuals who, on seeing numerous
    > "attack" warnings from their personal firewall believe that all the
    > attacks are targeting them specifically. I didn't say that the port scans
    > are meaningless - merely that they are a fact of life.

    [snip]

    Yes, but, they are also a clear sign that someone/something is looking
    for exposed systems - which means they will come back and target the
    individual.

    I take port scans very seriously, as do most security professionals -
    sure, they happen all day long, but that doesn't mean we should dismiss
    them as just background chatter.

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  19. Re: Attack Detected

    Leythos wrote in
    news:45948034$0$16971$4c368faf@roadrunner.com:

    > In article ,
    > ibuprofin@painkiller.example.tld says...
    >> >Yes, it was, it was "semantics" to say that the scans were not
    >> >targeting individuals and to think that they don't really mean
    >> >anything.

    >>
    >> The comment is more for those individuals who, on seeing numerous
    >> "attack" warnings from their personal firewall believe that all the
    >> attacks are targeting them specifically. I didn't say that the port
    >> scans are meaningless - merely that they are a fact of life.

    > [snip]
    >
    > Yes, but, they are also a clear sign that someone/something is looking
    > for exposed systems - which means they will come back and target the
    > individual.

    Or that your ISP is scanning for unauthorized servers (or if it's in an
    office setting, then a sysadmin). I guess that much would depend on the
    originating IP number then, ya?
    >
    > I take port scans very seriously, as do most security professionals -
    > sure, they happen all day long, but that doesn't mean we should
    > dismiss them as just background chatter.
    >

    Well, they are just background chatter for a properly configured
    router/firewall.

  20. Re: Attack Detected

    In article ,
    starrwarz@g_~-clothes-~_m~more_clothes~ail.com says...
    > Leythos wrote in
    > news:45948034$0$16971$4c368faf@roadrunner.com:
    >
    > > In article ,
    > > ibuprofin@painkiller.example.tld says...
    > >> >Yes, it was, it was "semantics" to say that the scans were not
    > >> >targeting individuals and to think that they don't really mean
    > >> >anything.
    > >>
    > >> The comment is more for those individuals who, on seeing numerous
    > >> "attack" warnings from their personal firewall believe that all the
    > >> attacks are targeting them specifically. I didn't say that the port
    > >> scans are meaningless - merely that they are a fact of life.

    > > [snip]
    > >
    > > Yes, but, they are also a clear sign that someone/something is looking
    > > for exposed systems - which means they will come back and target the
    > > individual.

    >
    > Or that your ISP is scanning for unauthorized servers (or if it's in an
    > office setting, then a sysadmin). I guess that much would depend on the
    > originating IP number then, ya?


    Not really, it doesn't depend, what it means is the same things - even
    from my own ISP, as I've had compromised users on our ISP's network,
    that when reported, the device/modem was disconnected by the ISP, and
    that traffic stopped.

    > > I take port scans very seriously, as do most security professionals -
    > > sure, they happen all day long, but that doesn't mean we should
    > > dismiss them as just background chatter.
    > >

    > Well, they are just background chatter for a properly configured
    > router/firewall.


    I disagree completely - they are not background chatter "for a properly
    configured router/firewall". They are a clear sign that the network is
    being probed for something to exploit, no matter the firewall or router.

    Taken as they are, sure, they happen all the time, and on a properly
    configured network they have little chance for impact, other than
    reduction of bandwidth, but, they are a clear indication of the daily
    threats all of our systems are under.

    To dismiss them as being "background chatter" is to give a false sense
    of security to those that actually monitor network intrusions and
    security.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
