Being Port Scanned and ISP will not help

Rootaah (n00b, joined Aug 16, 2004, 44 messages)
Here's the situation:

Cablem Modem Service - Toshiba Cable Modem
DLINK 624 Router - Wireless Disabled - DHCP's the live WAN IP address from ISP.
2 PCs connected to Router

For two weeks solid now I believe I have been getting port scanned relentlessly. With my DLINK router log set to save or email me the log....it fills 20 pages full of attack messages, twice a day. These incoming attacks do not stop with the PCs turned off and physically removed from the network. My DLINK router WAN light and my Toshiba Data light flash constantly, again with or without the computers hooked up to the network.

The only way I can stop the data light flashing activity is to remove the actual COAX cable from the cable modem. All flashing light activity stops between the DATA light and the WAN light on the modem and router. Obviously though, I don't have Internet access. As soon as I plug the COAX back in, the intense data activity returns and my log starts to fill back up with entries.

I have sent the router logs to my ISP customer service, and point blank, they are idiots. THREE separate emails I had to basically state the situation until someone acknowledged that it looked like a port scan.....but as they stated, "We can see that your internet access is there and you are not being shut down". Great...thanks. Now, while it doesn't impact my service drastically, I do feel the slowdown from time to time. Quite frankly, regardless that my service isn't a total loss, just seeing the logs fill up and the lights constantly flashing makes me paranoid.

I have asked TWICE if I could have my service assigned another dynamic IP and TWICE they pointed me to their hosted Internet Speed test to see if my performance was degraded.

My question is, can I demand the ISP change my IP? Especially now that I have written proof from a technician that states he acknowledges I am most likely getting port scanned. Or is it just worth it to not waste my time and accept the fact that the Internet is an evil place and to pray my DLINK router holds out?

Here is a tiny sample from my log with my IP addressed removed:

Mar/27/2007 15:12:10
Drop ICMP packet from WAN src:200.231.139.175:8 dst:xxx.xxx.xxx.xxx:0 Rule: Default deny
Mar/27/2007 15:08:05
Drop UDP packet from WAN src:126.188.16.213:30803 dst:xxx.xxx.xxx:1026 Rule: Default deny
Mar/27/2007 15:07:52
Drop UDP packet from WAN src:204.16.210.62:42144 dst:xxx.xxx.xxx.xxx:1027 Rule: Default deny
Mar/27/2007 15:02:21
Drop TCP packet from WAN src:222.71.102.30:40539 dst:xxx.xxx.xxx.xxx:8000 Rule: Default deny
Mar/27/2007 14:59:02
Drop TCP packet from WAN src:200.3.179.234:61745 dst:xxx.xxx.xxx.xxx:2968 Rule: Default deny
Mar/27/2007 14:58:56
Drop TCP packet from WAN src:200.3.179.234:61745 dst:xxx.xxx.xxx.xxx:2968 Rule: Default deny
Mar/27/2007 14:58:53
Drop TCP packet from WAN src:200.3.179.234:61745 dst:xxx.xxx.xxx.xxx:2968 Rule: Default deny
Mar/27/2007 14:58:51
Drop UDP packet from WAN src:194.181.249.80:19981 dst:xxx.xxx.xxx.xxx:1026 Rule: Default deny
Mar/27/2007 14:48:49
Drop UDP packet from WAN src:218.27.16.156:52238 dst:xxx.xxx.xxx.xxx:1026 Rule: Default deny
Mar/27/2007 14:48:49
Drop UDP packet from WAN src:218.27.16.156:52238 dst:xxx.xxx.xxx.xxx:1027 Rule: Default deny


Can someone clear up whether or not that looks like port scanning?

Any input is more than welcome.

Thanks!
 
You have exactly the right idea- changing your IP.

Unfortunately most ISPs won't issue you a new IP- primarily because the support reps have no clue what you are talking about. If you knew an actual Administrator that had access to the DHCP server, he could assign you one.

All I have been able to do in the past (and this doesn't work all the time), is disconnect all power from the modem. Leave it shut off a few hours (maybe while at work or something), and plug it back in. Hopefully by that time- they assigned that IP to someone else.
 
Personally, I think you're wasting your time. My cable modem does the exact same thing. I have it plugged into a Cisco 871. I can see all kinds of crap hitting the firewall, port scans, Windows Messenger (the service, not the IM program) packets, worms, all kinds of stuff. It's the nature of the Internet these days. Even if you change your IP you're going to see the same behavior immediately or soon after. Unless it's actively affecting you in a negative way, i.e. someone is hacking your PC, I wouldn't spend too much time worrying about it. Here's a small (very small) snippet from my log:

%SEC-6-IPACCESSLOGP: list firewall denied udp 24.64.8.83(22781) -> xxx.xxx.xxx.xxx(1026), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied tcp 208.235.248.108(443) -> xxx.xxx.xxx.xxx(2084), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied tcp 208.235.248.108(443) -> xxx.xxx.xxx.xxx(2082), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied tcp 65.200.98.26(60882) -> xxx.xxx.xxx.xxx(21), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied tcp 208.235.248.108(443) -> xxx.xxx.xxx.xxx(2083), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied tcp 208.235.248.108(443) -> xxx.xxx.xxx.xxx(2081), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp 204.16.211.6(53617) -> xxx.xxx.xxx.xxx(1026), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp 204.16.210.130(35375) -> xxx.xxx.xxx.xxx(1027), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp 216.115.21.203(69) -> xxx.xxx.xxx.xxx(3256), 4 packets
%SEC-6-IPACCESSLOGP: list firewall denied udp 24.64.8.83(22781) -> xxx.xxx.xxx.xxx(1027), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp 24.64.8.83(22781) -> xxx.xxx.xxx.xxx(1028), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp 204.16.211.6(53617) -> xxx.xxx.xxx.xxx(1027), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp 209.27.8.106(31193) -> xxx.xxx.xxx.xxx(1026), 1 packet

Looks familiar doesn't it?
 
Port scanning happens constantly to everyone. That's the purpose of a firewall, to prevent access. Changing your IP will do nothing in this situation. All you can do is [H]arden your location and if the port scanning comes repeatedly from one IP address you can do a whois lookup and report the offender to that ISP.
 
and/or just block all traffic from the offending IP if it is the same person
 
Port scanning happens constantly to everyone. That's the purpose of a firewall, to prevent access. Changing your IP will do nothing in this situation. All you can do is [H]arden your location and if the port scanning comes repeatedly from one IP address you can do a whois lookup and report the offender to that ISP.

Exactly right.

There is a reason why the time to compromise of an unpatched system with a major vendor OS is now in the sub 2 minute range...
 
that's one reason i prefer using Endian.

i remember when i first got a cable modem. our area had *just* gotten them, and the tech was pretty new. for quite some time, the activity lights never blinked on my cisco box (it was a business line) unless i was actually using the connection. looking back on it, it's nearly unbelievable. the internet just wasn't raped like a filthy whore like it is now with every incompetent boob with a broadband link (which, i believe, is fantastic); the ne'er-do-wells run amok unscathed.
 
There are ways to make yourself invisible on the internet.

If somebody port scans you and sees nothing then they will move on, if they find something they will dig deeper.

This site will help you make yourself invisible.

https://www.grc.com/x/ne.dll?bh0bkyd2

click proceed/continue/

then click the ports you want to scan. I suggest if you fail a test find out why (they explain it) and fix it.

Do the common port test and the all service port test.

This is not guaranteed to make yourself invisible, but look at it from a hacker's point of view: if they see nothing in the first few scans, why stick around when there are less secure places to be.

Also, for God's sake shut off the log. I BELIEVE your log will ping whoever is trying to port scan you. I could be wrong but if this is true, this is very bad. It WILL tell the port scanner that you are there, remember you want to be invisible.
(I could have this confused with a different service used to block pings. But shieldsup will tell you if you are visible or not.)


 
If you want a new IP address all you will have to do is introduce a new MAC address to the DHCP server. So, if your NAT device has the ability to clone/spoof a MAC address, find a MAC address that you aren't using (look on an unused NIC) and use that as your router's interface address. Once this is in place the DHCP server should issue a new address. If your router doesn't have this ability, just remove your modem from their network for 2-3 hours and hook it back up. This will most likely cause your lease with that IP address to time out and you will be issued another IP once you reconnect.

Are the scans coming from the same IP, all of them?

And there is nothing that will make you "invisible" on the internet. If you are connected to the internet, you CAN be hacked. Just because you aren't responding to ICMP messages doesn't make you invisible. This is something that grc has created.
 
And there is nothing that will make you "invisible" on the internet.

It is true that you can not be truly “invisible” but the less visible the better. If your router has open ports or responds to pings then you are more visible than you should be.

The harder it is for you to detect the better. This is not a hard concept to understand.



 
The firewall should block these port scans from getting into your network, but they won't stop the traffic from taking a portion of your WAN link. Depending on the firewall, it may or may not block a detected port scan attempt to open ports. Depends on the firewall, and it depends on how the port scan is done.

You can't really do anything about port scans, odds are it's just some automated bot on the net scanning ports across multiple IPs. Most ISPs wouldn't give two cents about this unless you're running some kind of managed security service with them, even then they'd probably tell you this is normal on the internet and not to worry since it isn't making it past your firewall.
 
Welcome to the internet! It happens all the time...it's a waste of time to read firewall logs. Nothing to lose sleep over.

Turning your PCs off will not stop it..it's your router that obtains the public IP address, not your computers..computers behind the router are totally irrelevant.
 
don't worry about it
it happens to everyone
you have a router, so as long as you didn't initiate those connections to those ip addresses, it'll automatically drop those packets because it doesn't know where to route them

don't worry about it at all, getting port scanned is as big a deal as going to google
 
It is true that you can not be truly “invisible” but the less visible the better. If your router has open ports or responds to pings then you are more visible than you should be.

The harder it is for you to detect the better. This is not a hard concept to understand.




Perhaps you misunderstood my comments as a derogatory statement towards your suggestion. If so, that was not the case.

What I was saying, however, is that disabling ICMP messages is a futile task. I would equate this security action with filtering MAC addresses on an access point, i.e. even if you filter them, there are still 30 other ways to get in.

google these:
TCP SYN (half open) scanning
TCP FIN (stealth) scanning
SYN/FIN scanning using IP fragments (bypasses packet filters)
blah
blah...

My point is that you shouldn't trust blocking ICMP (or grc telling you that you are "invisible") as it will give you a false sense of security.

Anyway, off that. As everyone has already told you, port scans on the internet are a normal thing. There isn't any real need to be worried unless you have stupid ports open with insecure authentication methods in place.
 
Welcome to the internet! It happens all the time...it's a waste of time to read firewall logs. Nothing to lose sleep over..

I'd agree with you on "welcome to the internet" but I wouldn't say "it's a waste of time to read firewall logs."
 
Who doesn't this happen to :p



Mar/31/2007 19:44:43 Drop UDP packet from WAN 83.39.188.74:9026 68.205.80.208:63853 Rule: Default deny
Mar/31/2007 19:44:42 Drop UDP packet from WAN 84.146.37.203:6112 68.205.80.208:51911 Rule: Default deny
Mar/31/2007 19:44:41 Drop UDP packet from WAN 81.204.181.140:64954 68.205.80.208:51911 Rule: Default deny
Mar/31/2007 19:44:41 Drop UDP packet from WAN 86.101.199.38:60661 68.205.80.208:51911 Rule: Default deny
Mar/31/2007 19:44:41 Drop UDP packet from WAN 201.19.36.109:6881 68.205.80.208:63853 Rule: Default deny
Mar/31/2007 19:44:38 Drop UDP packet from WAN 80.99.29.161:4274 68.205.80.208:63853 Rule: Default deny
Mar/31/2007 19:44:37 Drop UDP packet from WAN 217.125.216.156:17999 68.205.80.208:63806 Rule: Default deny
Mar/31/2007 19:44:36 Drop UDP packet from WAN 85.56.13.139:49152 68.205.80.208:51911 Rule: Default deny
Mar/31/2007 19:44:36 Drop UDP packet from WAN 74.224.86.222:50061 68.205.80.208:51911 Rule: Default deny
Mar/31/2007 19:44:36 Drop UDP packet from WAN 82.243.86.249:54111 68.205.80.208:51911 Rule: Default deny
 
I get port scanned 24/day 7/week. I believe it's normal behavior from script kiddies.
 
I'd agree with you on "welcome to the internet" but I wouldn't say "it's a waste of time to read firewall logs."

Depends on what you like to spend your time doing. For a business...if you have some servers and services exposed..yes. But for a home user..with the LAN behind NAT...I'd probably rather repaint the Golden Gate Bridge with a toothbrush than pore through firewall logs yawning over worm scans.
 
I get port scanned 24/day 7/week. I believe it's normal behavior from script kiddies.

Yes. Scans like what you guys are experiencing are just the nominal background noise of the internet. It also serves as a reminder why you should never place an unpatched/unprotected system online. It takes what, 30 seconds for a system to be rooted now once it's attached to the internet?
 
Like most others have said, it's the way it is now. My activity light on my cable modem is constantly blinking, and it's all scans and probes. Usually they seem to hit ports known to be used by exploitable software. As long as your firewall is telling you it's being denied to them, don't worry about it, it's just doing its job and letting you know it.
 
You're wasting your time with those logs, I used to be paranoid about that crap too, but it's what I call "background noise" on the internet. Those are not port scans, but most likely worms trying to propagate.

Chances are, whoever those IPs belong to doesn't even know they are infected.

Your ISP won't do anything, because they realize it's a waste of time.

If you REALLY want to try to do something to help the online community, take a look at MyNetWatchman http://www.mynetwatchman.com/

I have a perl script set up to automatically upload my firewall logs. That company analyzes the logs and if a certain IP gets multiple hits from multiple logs, they'll contact the ISP for you. It's all automatic, mostly..
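One way to do that kind of per-source triage locally before shipping logs anywhere, as an added example that is not code from this thread or from any poster: it parses both drop-log formats shown above (D-Link router and Cisco IOS %SEC-6-IPACCESSLOGP), aggregates per source address, and separates a single source walking many ports from the same source hammering one port (the "do a whois lookup" case) and from the UDP 1026/1027 Messenger-service spam mentioned earlier. The sample lines, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats quoted in this thread; the
# source addresses are documentation ranges, not real hosts. Timestamp-only
# lines from a D-Link log are simply ignored by the parser.
DLINK_LOG = """\
Drop TCP packet from WAN src:198.51.100.9:61745 dst:xxx.xxx.xxx.xxx:2968 Rule: Default deny
Drop TCP packet from WAN src:198.51.100.9:61745 dst:xxx.xxx.xxx.xxx:2968 Rule: Default deny
Drop TCP packet from WAN src:198.51.100.9:61745 dst:xxx.xxx.xxx.xxx:2968 Rule: Default deny
Drop UDP packet from WAN src:203.0.113.5:19981 dst:xxx.xxx.xxx.xxx:1026 Rule: Default deny
Drop UDP packet from WAN src:203.0.113.5:19981 dst:xxx.xxx.xxx.xxx:1027 Rule: Default deny
"""
CISCO_LOG = """\
%SEC-6-IPACCESSLOGP: list firewall denied tcp 192.0.2.44(60882) -> xxx.xxx.xxx.xxx(21), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied tcp 192.0.2.44(60883) -> xxx.xxx.xxx.xxx(22), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied tcp 192.0.2.44(60884) -> xxx.xxx.xxx.xxx(135), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp 198.51.100.2(69) -> xxx.xxx.xxx.xxx(3256), 4 packets
"""

DLINK_RE = re.compile(r"Drop (\w+) packet from WAN src:([\d.]+):\d+ dst:[\w.]+:(\d+)")
CISCO_RE = re.compile(r"denied (\w+) ([\d.]+)\(\d+\) -> [\w.]+\((\d+)\), (\d+) packets?")

def parse_drops(text):
    """Yield (proto, src_ip, dst_port, packet_count) for every dropped-packet line."""
    for line in text.splitlines():
        m = DLINK_RE.search(line)
        if m:
            yield m.group(1).lower(), m.group(2), int(m.group(3)), 1
            continue
        m = CISCO_RE.search(line)
        if m:
            yield m.group(1).lower(), m.group(2), int(m.group(3)), int(m.group(4))

def summarize(text):
    """Per source IP: total packets, distinct destination ports, protocols seen."""
    summary = defaultdict(lambda: {"packets": 0, "ports": set(), "protos": set()})
    for proto, src, port, n in parse_drops(text):
        summary[src]["packets"] += n
        summary[src]["ports"].add(port)
        summary[src]["protos"].add(proto)
    return dict(summary)

def classify(src_summary, min_ports=3, min_repeats=3):
    """Label one source using only what its drop lines show (thresholds assumed)."""
    ports, protos = src_summary["ports"], src_summary["protos"]
    if protos == {"udp"} and ports <= {1026, 1027, 1028}:
        return "messenger-spam"  # Windows Messenger service popup spam, per the thread
    if len(ports) >= min_ports:
        return "scan"            # one source walking several ports
    if src_summary["packets"] >= min_repeats:
        return "repeat"          # same source, same port, the whois-lookup case
    return "noise"
```

Run `summarize(DLINK_LOG + CISCO_LOG)` and feed each entry to `classify` to get the label per source.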
 
Yeah I agree with everyone here, it's good to look at logs to see what might be going on, but as for the port scans, as long as they are being blocked, no worries. You got that router/firewall to do that, and if it's working you're good. I get port scanned all the time, hell, I've even seen where my ISP port scanned me (guess they were checking for any servers.)

Anyway, just think if you did not have a router/firewall, and would you believe that people still don't use them or even have them.
 
Yep. Unfortunate, but Yep.



Port scanning happens constantly to everyone. That's the purpose of a firewall, to prevent access. Changing your IP will do nothing in this situation. All you can do is [H]arden your location and if the port scanning comes repeatedly from one IP address you can do a whois lookup and report the offender to that ISP.
 
Start scanning those source ip's back...:D

It won't do any good. Most likely, the PCs scanning you are zombies that are part of a botnet. The users probably don't even know anything is wrong. And if it was a network that a hacker monitored, you scanning them back will possibly be interpreted as a challenge, if they even notice. Their network is getting scanned all the time as well.
 