ISP port scans. Something to worry about?

I have the free version of Sygate Personal Firewall installed on my computer. Recently, I've been noticing that the log shows a heap of incoming port scans, all from the same source. Right now, for example, they're occurring at the rate of every few minutes, and sometimes even two or three in a minute.

When I do a back trace and a whois search, it turns out that it's Verizon Internet Services. Now, Verizon is my DSL provider, but I've only really noticed this port scanning recently. Is it something I need to worry about, or do all ISPs do this?

In case it helps, here is the whois log provided by Sygate for these scans:

Any advice most appreciated.

I would contact your ISP’s tech support and see what they have to say.

Which port?

Chances are it’s just a misconfigured computer used by another customer of your ISP. It’s having a poke around to see what resources are available ‘locally’ and because you’re sitting on the same subnet it’s scanning you. The computer needs further education on what constitutes ‘local’.

I get scans like these all the time, and it’s often the same source.

What you’ve posted includes nothing about the “portscans” themselves, only information about the owner of the range of IPs from which the activity is originating.

The actual log of the incidents is probably being logged elsewhere within your firewall software, or you need to reconfigure your software to capture and log this information.

The logs you're looking for should include such information as:

1. Source IP
2. Destination IP
3. Source Port
4. Destination Port
5. Timestamp
6. Protocol

You can “decode” your firewall logs using information that is readily available online:

http://www.mynetwatchman.com
http://www.robertgraham.com/pubs/firewall-seen.html
http://www.doshelp.com/trojanports.htm
http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm

MyNetWatchman actually offers you the luxury of having the service analyze and report your firewall traffic for you.
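As an added illustration of what "decoding" such a log looks like once it carries the fields listed above (this is example code, not part of the thread and not Sygate's or MyNetWatchman's software), the script below parses a constructed log format and flags any source that touches several distinct destination ports within a short window, which is the "same source, every few minutes" pattern the original poster describes. The line format, addresses and port numbers are all assumptions made up for the example.

```python
"""Flag port scans in a personal-firewall log (added example; constructed log format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample using documentation address ranges, not real traffic:
# one source pokes five ports in a few seconds, another makes one blocked attempt.
SAMPLE_LOG = """\
2004-03-10 21:14:02 TCP 192.0.2.45:3412 -> 198.51.100.7:21 blocked
2004-03-10 21:14:02 TCP 192.0.2.45:3413 -> 198.51.100.7:23 blocked
2004-03-10 21:14:03 TCP 192.0.2.45:3414 -> 198.51.100.7:80 blocked
2004-03-10 21:14:03 TCP 192.0.2.45:3415 -> 198.51.100.7:135 blocked
2004-03-10 21:14:04 TCP 192.0.2.45:3416 -> 198.51.100.7:139 blocked
2004-03-10 21:20:30 TCP 203.0.113.9:50213 -> 198.51.100.7:80 blocked
"""

# Timestamp, protocol, source IP:port, destination IP:port (the six fields above).
LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_line(line):
    """Split one log line into its fields; return None if the line is junk."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_scanners(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return {source IP: sorted ports} for every source that touched
    at least min_ports distinct destination ports inside one window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append((rec["ts"], rec["dport"]))
    scanners = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so each window starts at an event
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners
```

Raising `min_ports` or shrinking `window` is the same sensitivity trade-off a personal firewall makes internally: too loose and every stray packet becomes an "attack", too strict and a slow scan slips under the threshold.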

gah…forgot this part :smack:

Personal firewalls can be configured for different levels of sensitivity. One of the confusing issues associated with many personal firewall programs is that a threshold set too sensitively can cause normal network traffic to trigger an alert. Many firewall users can't tell the difference between benign activity and malicious or harmful activity. It is important to interpret the output of your firewall and make sure that it indicates evidence of malicious intent or an actual security risk. Just because a firewall alert is triggered does not mean that the activity is something to worry about.

Some ISPs portscan your system to make sure you’re not running servers contrary to their AUP or have been trojanned.

Thanks for the replies, folks.

I’m not overly worried, because Sygate’s own log file categorizes the severity of these scans as “minor.”

Here is a little more info on which ports are being scanned.

You're being scanned for vulnerabilities:

Respectively:

Dameware Remote Administrator
Open shares
Mydoom
Nuther Backdoor? (conflicting info)
Several trojans-- md5, RemoteStorm, NetSpy, Fragglerock.

Yes, it’s true that 151.196.243.116 belongs to Verizon. So does the IP address Verizon leases to you.

So that port scan is (almost certainly) NOT coming from Verizon’s machines, but rather (almost certainly) from another one of Verizon’s customers.

The fact your firewall is detecting and blocking this traffic is good, and as long as that software keeps working you’ll be 100% fine.

But it does point out the fundamental point that on the Internet, driveby shootings occur every couple of minutes in front of everyone’s houses, there are no safe neighborhoods and anyone unshielded will be hit & damaged within a few minutes of connecting.

Do NOT operate for even a couple of minutes without a firewall or else your machine will be hijacked. That’s maybe a slight exaggeration, but not much.

In addition to the UnaBoard I have an FTP server. It is turned off most all the time, but as soon as it comes alive on those ports, “people” start trying to log in. Almost always from China, Korea, France, or Singapore. Sometimes it can be on for less than 5 minutes and I’ll see some dingus or their cracker running passwords and trying to get in. No one does, but it is annoying.

When I used to log all the “background noise” of the Net the UnaServer experienced my log files grew to Gigabytes worth of crap. Somehow I think there will have to one day be a concerted effort to clean up some of that noise.

Thanks Larry, and everyone else.

Maybe you could answer something else for me, because when it comes to hardware and security issues I'm really a bit in the dark. I use the firewall, and I use Norton anti-virus, and I regularly run Spybot and AdAware, but I don't really know how this stuff actually works.

What exactly is a port? Is it a physical location in my computer, a route or a wire or a channel of some sort? How many ports are there? And why do certain attacks (e.g., MyDoom etc.) only attack certain ports?

Also, with some things on my computer, I'm not even sure if I should let them access the network through my firewall. Some are no-brainers, like MS Internet Explorer, my email program, Norton Anti-virus, etc. But there are other things that seem to be integral parts of the computer, but whose functions I don't really know anything about.

For example, Sygate currently shows the following two programs being allowed access:

Win32 Kernel core component
POETKRNL.VXD

The former seems to come up all the time, but I don't really know what it does. I think the latter is part of my Verizon DSL dialler program. I assume they're both fine.

Anyhow, any advice you have would be most appreciated.

Ports are just a logical construct to make it easier to sort out traffic intended for various network services.

It's all coming through the same pipe, so there are conventions in place so that individual services "know" which data is intended for them. Port 80 is, by convention, for HTTP transfer, so a web server "listens" for traffic on port 80. A web browser "uses port 80" by including that port number in every data packet that it sends out. Say you've got a web server and an e-mail server running on the same computer. Data packets are coming in willy-nilly. Ones marked "80" go to the web server, and ones marked "25" get passed on to the mail server. This is just a convention though; any port can be used for any type of traffic (as long as the software allows you to fiddle with the port settings).

The Win32Kernel is part of the OS. I usually block its traffic, because I don’t know what it’s for or what it’s whispering about behind my back. :wink: However, I’ve heard that some ISPs poll it to determine if you are online at any given time, and that sometimes blocking it will create problems.

WinPoet is exactly what you think it is.