Zone Alarm question. Blocked intrusions huge.

I have had Zone Alarm (the software firewall) installed for several years. It does its job perfectly and I pay it little attention usually.

Two or three days ago I looked at the status page and saw that the number of “blocked intrusions” was something like 180,000! I believe that the number of high-rated intrusions was around 1400 IIRC. The stats are reset each time a newer version of ZA is installed which in my case was (just guessing) perhaps six months ago.

By chance, the next day I was alerted that a new version of ZA was available which I downloaded and installed. So now two days later, I have 12,000 blocked intrusions (126 high rated). I did run “Shields UP” a few times after the new installation so that would account for a few thousand of the blocked intrusions, but my computer has been on for only about an hour today and I already have about 1100 blocked access attempts.

From my experience these numbers are really high. My question is whether other folks have noticed this as well and what could be the cause. If it makes any difference, I have XP Home and ADSL.

I don’t think those numbers are too out of whack. Since you have DSL, you may be in a range of IP’s with other DSL customers and a tempting target for crackers.

On a dialup, I get several hundred such attempts a day, with roughly 6 hours of Internet connection.

BTW, I don’t know how ZA does it, but I use Blackice Defender, and the version I use creates a single .TXT file for each detected entry. That’s fine if you only get 2 attacks a day, but the way PCs allocate disk storage space, even if the file is 50 characters long, one file may occupy 64K or more of effective disk real estate. After I discovered how this program works, I ZIPped up thousands of TXT files (I’m a data junkie, and I hate to delete stuff!) and recovered multi-gigabytes of wasted space. You might keep an eye on ZA’s storage unless you know how they do it.

Be happy. It’s working as designed.

Since my most recent update installation in March, I have 449271 (and counting) blocked intrusions, with 76094 of those rated “high”, on my ADSL connection. I’ve noticed that intrusions vary with certain surfing habits. Some sites seem to invite/produce more intrusion attempts than others.

I’ve got about 1200 blocked intrusions in two hours, and my ISP is blocking a lot of the stuff before it ever gets to me, so your numbers don’t seem out of line. Mostly what I get are pings from other subscribers to the same ISP (Comcast).

One suggestion is that you set ZA to archive the log files every day, and periodically delete the old ones: Alerts and Logs, Main, Advanced, Archive log text files daily. Just by looking at the size of each day’s log file, you can get a feel for whether things have suddenly gotten worse.

I just checked my firewall (I never bother with the log) and I’ve had over 450 for my current session. Mostly ping attacks.

Good point Musicat. I just checked and I see that ZA creates a new log each day which is typically .5 - 1 MB. I’ll clean up the older archives.

It just seems that my current intrusions exceed the highest I recall from the time that the worm? (whose name I don’t recall) was very active and sending intrusion attempts every which way constantly.

And on preview… No, I am not worried. Just curious if historically there has been a large increase in intrusion attempts or if it’s just me.

Just an anecdotal experience here…

I first installed Blackice Defender about four years ago. It was quite exciting to see an intrusion attempt and interesting to look at who, how and why. That used to happen a few times a week (dialup, 6 hours on/day).

At hundreds per day now, I’d say it certainly has increased. It parallels the spam spurt, which for me is approaching 400 per day.

I suspect most of the attacks are script kiddies who program a spare computer to run 24/7, then comb thru the promising discoveries at their leisure. It’s not like you need a budget-busting powerhouse PC to do this anymore.

That’s progress!

Another thing I noticed is that my anti-virus software has updated twice today, rather than about weekly as per usual. Perhaps Christmas is bringing on additional activity.

I think you’ll find that most are ICMP pings from a variety of IP’s. I seem to be getting about 2 / minute. One contributory factor might be the Welchia worm, which drove ping traffic through the roof when it emerged:

From my observations, pings went up enormously, and haven’t decreased much since. By now, instances of this thing ought to be getting squashed, but I wouldn’t bet on it, since a lot of people with infected machines won’t notice anything. Whoever did it seems to have been trying to do a “counter worm” to combat the “blaster” worm, and managed to become a problem himself by clogging the net with pings.

I think you nailed it yabob. The vast majority of my alerts are indeed ICMP pings. I hadn’t heard of the Welchia worm.

rsa, those numbers sound extremely high to me.

I noticed something else. I’ve been averaging about 500 hits a day for the past few months, most of them ICMP pings due to the previously mentioned worms. I’m with Comcast and they’ve given me the same IP address for a long time. Thursday evening I got a new one. On Friday I logged over 1500 hits. That’s a bit high because I left the computer on overnight (Friday AM) to record a webcast. But normal usage on Saturday got nearly 1000 hits.

Hmm. I’m getting closer to 1000 an hour. 4800 and counting since this morning. :eek:

BTW, I have Verizon as my ISP.

The Welchia worm was a “white hat” hacker’s handiwork, supposedly, written to try and root and destroy the Blaster code, but it is not all that benign or that well-written:

This particular piece of fun code is designed to expire when the clock rolls over to 2004. It would be interesting to see if your system stats drop on that date.

Agreed. It will be interesting to see if pings decrease after the new year, though it may take some time. From the Symantec description:

As people reboot their infected machines it may go away.

Interesting.

I noticed a month or two ago that port 1024 was responding as closed instead of being stealthed. A few weeks later I made the changes to disable the DCOM service so all is good now. But perhaps my IP got on some white-hat list while that port was not stealthed.

I’ll see how it looks after the first of the year.

Thanks for all of the responses.

BTW, it looks like most non-pings I’m getting lately are port 135, from a different set of IP’s than the pings. Those are likely to be messenger popup spam, although they could also be related to other variants of RPC worms.
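The thread’s practical advice boils down to three things: archive the firewall log daily and watch each day’s size (Musicat’s suggestion), notice that the bulk of the entries are ICMP echo requests from many different source addresses (yabob’s observation), and separate the non-ping traffic, mostly TCP port 135, from the pings. Below is an added Python example, written for this thread and not code from any poster or from ZoneAlarm, that does that over a text log. It assumes a simplified comma-separated line layout (hypothetical: `FWIN,date,time,src_ip:port,dst_ip:port,protocol_detail`), which is not ZoneAlarm’s real file format; the sample lines are constructed, using documentation-only IP ranges, and are not captured traffic.

```python
"""Summarise a personal-firewall 'blocked intrusion' text log.

Added example. The log layout is a simplified, hypothetical
comma-separated format, NOT ZoneAlarm's actual log file format:
    FWIN,YYYY/MM/DD,HH:MM:SS,src_ip:port,dst_ip:port,protocol_detail
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log (documentation IP ranges, not real traffic).
# Days 20 and 21 are a quiet baseline; day 22 is a burst of echo
# requests from many distinct sources, plus one malformed line.
SAMPLE_LOG = """\
FWIN,2003/12/20,09:00:01,203.0.113.5:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/12/20,09:00:31,203.0.113.9:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/12/20,09:01:02,198.51.100.7:1033,192.0.2.10:135,TCP (flags:S)
FWIN,2003/12/21,10:00:01,203.0.113.5:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/12/21,10:00:45,203.0.113.44:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/12/21,10:02:00,198.51.100.8:1040,192.0.2.10:135,TCP (flags:S)
FWIN,2003/12/22,08:00:00,203.0.113.5:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/12/22,08:00:10,203.0.113.6:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/12/22,08:00:20,203.0.113.7:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/12/22,08:00:30,203.0.113.8:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/12/22,08:00:40,203.0.113.10:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/12/22,08:00:50,203.0.113.11:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/12/22,08:01:00,203.0.113.12:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/12/22,08:01:10,203.0.113.13:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/12/22,08:01:20,203.0.113.13:0,192.0.2.10:0,ICMP (type:3/subtype:3)
FWIN,2003/12/22,08:02:00,198.51.100.9:1044,192.0.2.10:135,TCP (flags:S)
this line is not a log entry
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.strip().split(",")
    if len(parts) != 6 or parts[0] != "FWIN":
        return None
    _kind, date, time, src, dst, proto = parts
    src_ip, _, _src_port = src.rpartition(":")
    _dst_ip, _, dst_port = dst.rpartition(":")
    return {
        "date": date,
        "time": time,
        "src_ip": src_ip,
        "dst_port": int(dst_port) if dst_port.isdigit() else None,
        "proto": proto,
    }


def classify(event):
    """Bucket an event the way the thread discusses them: echo requests
    (pings), other ICMP, TCP to port 135 (RPC endpoint mapper), other TCP."""
    proto = event["proto"]
    if proto.startswith("ICMP (type:8"):
        return "icmp-echo"
    if proto.startswith("ICMP"):
        return "icmp-other"
    if proto.startswith("TCP") and event["dst_port"] == 135:
        return "tcp/135"
    if proto.startswith("TCP"):
        return "tcp/%s" % event["dst_port"]
    return "other"


def summarize(log_text):
    """Count blocked events per day and per class, and count distinct
    source addresses per class (many sources = scanning, not one pest)."""
    per_day, per_class = Counter(), Counter()
    sources = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped += 1          # keep going; a bad line is not a reason to stop
            continue
        bucket = classify(event)
        per_day[event["date"]] += 1
        per_class[bucket] += 1
        sources[bucket].add(event["src_ip"])
    return {
        "per_day": dict(per_day),
        "per_class": dict(per_class),
        "distinct_sources": {k: len(v) for k, v in sources.items()},
        "skipped": skipped,
    }


def flag_spikes(per_day, factor=3.0, min_history=2):
    """Return dates whose count exceeds `factor` times the median of all
    earlier days. This is the 'has it suddenly gotten worse?' check done
    on counts rather than on file size."""
    flagged, history = [], []
    for date in sorted(per_day):
        count = per_day[date]
        if len(history) >= min_history and count > factor * median(history):
            flagged.append(date)
        history.append(count)
    return flagged


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, value in report.items():
        print(key, value)
    print("spike days:", flag_spikes(report["per_day"]))
```

Run it on a day’s archived log instead of `SAMPLE_LOG` and the per-class split tells you whether a jump is the echo-request flood the thread attributes to Welchia or something else; the distinct-source count distinguishes one noisy neighbour from a swarm, and `flag_spikes` needs a couple of quiet days of history before it will flag anything, so the first day after a reinstall (when the counters reset) is never judged against an empty baseline.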

This may be a hijack and a rant, but in researching for this thread I ran across Microsoft’s official policy page on the Blaster worm.

On it, they list products affected by the worm as XP, 2000, NT 4, and 2003 Server. Those NOT affected include:

In other words, they are telling us (strongly) to upgrade from products NOT affected by the worm to products that ARE.

Thanks, Microsoft. Your wisdom approaches the quality of your programs. I feel much safer now.

The unaffected products aren’t affected not because they’re superior, but because writers of worms, viruses, and trojans don’t bother writing them for older or lesser-used systems. Why not just run DOS, OS/2, or maybe RSX-11M? You’d certainly be pretty much free of worms, viruses, and trojans. Probably no annoying popups, either! :wink:

Of course, of course! And don’t forget Linux! (What’s a popup? :smiley: )

And I do run DOS, daily. Refreshingly fast, reliable, and for some apps, does the job with flying colors (well, just a few colors, but how many do you need for a checkbook program? :slight_smile: )

I have some accounting programs I wrote in CP/M ca. 1982, ported over to the IBM PC about 1986, and with a few enhancement tweaks as needed, run fast, solidly and beautifully under DOS. I have no plans to change. Viruses? Hah! I is to laff!!

But RSX-11M? Nah! Don’t be silly! :wink:

Careful, Musicat - we’re in serious danger of revealing just how old we really are.

And don’t be dissin’ RSX-11M! It was a wonderful O/S, in which almost everything you ever wanted to do was encapsulated in one command, the Peripheral Interchange Program, or PIP. Everything was just a switch applied to a PIP command: PIP /LI to list, PIP /CO to copy, PIP /DE to delete, etc., etc. All of that, dedicated to controlling the awesome horsepower of a PDP 11/23, with a whole 256k of RAM (though no single process could access more than 64k of it), and twin RL-01 disk drives, removable 14-inch platters that stored a whopping 5Mb apiece.

And we had to walk to the computer room, 6 miles through the snow, without shoes…