Thread: 2-3 connection blocked "intrusions" per second

  1. #1
    ssssalem Guest

    2-3 connection blocked "intrusions" per second

    Using some p2p software, I restarted my comp and have recently got as many as 5 attempted "intrusions" per second...really slowing down my cpu and any sort of net activity, sometimes timing me out of web surfing.

    I've read the locked Sticky on intrusions, and I added the IP addys under ipconfig /all, yet these still persist.

    Anything I can do?

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm (Free)
    Software Version:7.0

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Re: 2-3 connection blocked "intrusions" per second

    What are the addresses of the intrusions? Which ports are they using to attempt to enter the PC?

    Oldsod
    Best regards.
    oldsod

  3. #3
    ssssalem Guest

    Re: 2-3 connection blocked "intrusions" per second

    It's still going on, from the day I posted this to now:
    To stop it I just disconnect from the internet. Which is interesting, since if I just use ZoneAlarm's LOCK internet mode, the "intrusions" still happen.

    so the last few I can get


    I saved a huge .bmp file from a screen shot this morning: it would be too large to post, so follow plz:

    *removed to protect your IP* Oldsod

    If you can tell me a way to .txt or .doc the log that would be great.

    -Salem

    Message Edited by Oldsod on 04-23-2007 02:24 PM

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Re: 2-3 connection blocked "intrusions" per second

    Locking the firewall does not stop the intrusions. They will always continue; the lock just means nothing in and out. Any connection attempts will always be recorded.

    Okay, let me take a look at some of these. It would have been better to actually just list some IPs with their remote ports. The .bmp is not that complete that way.

    Oldsod
    Best regards.
    oldsod

  5. #5
    Join Date
    Dec 2005
    Posts
    9,057

    Re: 2-3 connection blocked "intrusions" per second

    Port 16656 is unassigned. (suspicious)

    Port 1026 is CAP (a DCOM port, and that is a risk by itself). Disabling the Messenger in the Services may help, if not done already.

    https://www.grc.com/port_1026.htm


    http://www.iana.org/assignments/port-numbers

    Oldsod

    Message Edited by Oldsod on 04-23-2007 03:22 PM
    Best regards.
    oldsod

  7. #7
    Join Date
    Dec 2005
    Posts
    9,057

    Re: 2-3 connection blocked "intrusions" per second

    Once the p2p was begun, the connection attempts from others will continue. The other p2p servers and users will attempt to establish communications. This is normal for p2p usage. Plus the ports should always be closed after the sharing is finished, so as to lessen the risks. Once the ports were opened, they were visible to the internet, and they were visible to internet traffic. Hence the general traffic and pings of the internet are attracted to them. The fact that the ZA is protecting the PC and that they do not respond does not stop the connection attempts.

    Technically, if there is an open port, it will always give an acknowledgement to pings. It is basically saying that it is there. Technically, if the port is incorrect for the inquiry for the assigned port, the connection attempt stops. The port does not reply and ceases communications. If the inquiry was correct, the port will continue with a reply and then wait for the final connection attempt from the server. If the open port is a dead end for any communications attempts, it basically still is unhackable from the internet. These are the three stooges of TCP connections over IP...ACK ACK-SYN and SYN

    http://www.freesoft.org/CIE/Course/Section4/10.htm

    Once TCP and ICMP are established, then UDP is performed. UDP has no true destination and sender headers as the TCP communications do, hence it is never inspected as the TCP packets are, with stateful packet inspection. But UDP communication is noticed by the firewall and if it was unsolicited, it is immediately dropped, as in your situation.


    Getting a router does help. Even with the ports forwarded, the setup is more secure. Plus the actual IP of the PC is disguised from the internet. This makes the PC less of a target for the general background internet traffic or "internet noise".

    Once the P2P was started, expect several weeks to pass by before these unwanted connections will stop completely. The previous network will attempt to re-connect for a good period of time.


    In conjunction with the P2P and the firewall, the use of P2P IP blocking software is recommended. It is good to use these and not just the IP blocker that is built into the P2P application. Protowall and PeerGuardian are two of the most used IP blockers. These do eliminate lots of bad IPs (like the ones from china) and they do help protect in other ways. Plus they can be run even when the P2P is not being used. They are very handy for blocking other undesirable IPs and their ranges.

    Oldsod
    Best regards.
    oldsod
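A simplified model of the behaviour oldsod describes in #4 and #7: a stateful personal firewall lets solicited replies in, answers SYNs only on ports an application has opened, silently drops everything else while still logging it, and the "lock" mode drops all traffic but still records the attempts. This is an added example, not ZoneAlarm code; addresses, ports and packets are constructed sample data.

```python
from collections import namedtuple

# Constructed sample addresses (RFC 5737 documentation ranges); no real hosts.
Packet = namedtuple("Packet", "proto direction src sport dst dport flags")

class StatefulFirewall:
    def __init__(self, listening_tcp=(), locked=False):
        self.listening_tcp = set(listening_tcp)  # ports an app (e.g. P2P) has opened
        self.locked = locked                     # ZA "lock": nothing in or out
        self.flows = set()                       # (proto, local_port, remote_ip, remote_port)
        self.blocked = []                        # entries the firewall log would show

    def handle(self, pkt):
        if self.locked:
            # Lock drops everything, but the attempt is still observed and logged.
            self.blocked.append((pkt.proto, pkt.src, pkt.sport, pkt.dport))
            return "drop"
        if pkt.direction == "out":
            # Locally initiated traffic creates state so the reply can come back in.
            self.flows.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return "allow"                       # solicited reply (SYN-ACK, DNS answer, ...)
        if pkt.proto == "TCP" and pkt.flags == "SYN" and pkt.dport in self.listening_tcp:
            self.flows.add(key)                  # open port: host answers with SYN-ACK
            return "syn-ack"
        # Unsolicited SYN to a closed port or unsolicited UDP: stealthed, i.e. dropped
        # silently (no RST / ICMP), but recorded as a blocked "intrusion".
        self.blocked.append((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        return "drop"

ME, WEB, PEER, SCANNER = "192.0.2.10", "198.51.100.5", "203.0.113.7", "203.0.113.9"
SAMPLE = [
    Packet("TCP", "out", ME, 4001, WEB, 80, "SYN"),        # browsing
    Packet("TCP", "in", WEB, 80, ME, 4001, "SYN-ACK"),     # reply to our SYN
    Packet("TCP", "in", PEER, 45678, ME, 6346, "SYN"),     # peer hits the P2P listening port
    Packet("TCP", "in", SCANNER, 1234, ME, 1026, "SYN"),   # unsolicited probe of a closed port
    Packet("UDP", "in", SCANNER, 16656, ME, 16656, ""),    # unsolicited UDP
]

def run(packets, listening_tcp=(6346,), locked=False):
    """Return (verdict per packet, blocked-log entries) for one firewall configuration."""
    fw = StatefulFirewall(listening_tcp, locked)
    return [fw.handle(p) for p in packets], fw.blocked
```

Running `run(SAMPLE)` shows the probe of port 1026 and the UDP packet landing in the blocked log even though the host never answers them; `run(SAMPLE, locked=True)` drops all five yet logs all five, which is why locking does not make the "intrusion" entries go away.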

  8. #8
    ssssalem Guest

    Re: 2-3 connection blocked "intrusions" per second

    Awesome, thanks for all the info. I've installed PeerGuardian, and now it's picking up the connections.

    I would just block a few select ports (based on your info and other google stuff) but am I wrong that with Zonealarm Free you can't do custom internet zones? I don't seem able to disable specific ports.

    thanks again.

    I'll give this a few weekends..though, some info for ya: never happened with bitcomet, only with installing limewire was this problem immediate.

  9. #9
    ssssalem Guest

    Re: 2-3 connection blocked "intrusions" per second

    One more thing... under PeerGuardian and history it actually shows that all these connections are being allowed. I'm guessing from the info you gave me that this is nothing to worry about.

    Thanks.

  10. #10
    Join Date
    Dec 2005
    Posts
    9,057

    Re: 2-3 connection blocked "intrusions" per second

    Be wary of the P2P applications. Some will still run even when turned off- they attempt to open communications silently or to be more exact, a listening port. So watch out from time to time with the netstat commands...

    http://www.microsoft.com/resources/d....mspx?mfr=true

    By default the ZA has all ports closed and stealthed in all versions. It is designed around this principle and the ZA does it well.

    The ZA Free has limited networking features. Other than allowing server rights, there is nothing else. It is the paid versions of the ZA that do the complex networking: ports can be designated by port, port range and protocol to be opened. The Expert Rules work on a per-application basis (P2P in your situation) and can specify time, protocol, source, destinations, logging, and allowed or blocked. Most users never need to use the special port rules or the expert rules.

    Do the netstat -ano and the source/source port, destination/destination port and the PID will be shown. Open the Task Manager and cross reference the PID shown in the command. Do it fairly often until you see what is actually happening. Now you have a good source of ports being used and by what. This way the ports can be tracked down and decisions as to what to disable or close can be easily made.

    If you get ambitious, the inbound ports can be controlled by the properties of the hardware itself. This is seldom used by most, but it is very effective. Dig deep into the Properties of the network connection and find the Properties of the Options. The Protocols and the TCP ports can be easily set. Only specified TCP ports will be allowed to actually let connections into the PC.

    Additional hardening tips ....


    http://www.markusjansson.net/exp.html

    Nice site with lots of info.

    This will unite the netstat and the hardening process together for you and setup some common examples...

    http://www.hsc.fr/ressources/breves/...win.en.html.fr

    BTW, additional IP blocks are to be added to the PeerGuardian; they can be found here:

    http://www.iana.org/assignments/ipv4-address-space

    something like "001/8" translates into 1.0.0.0-1.255.255.255 (this is just an example and is not specifically intended to be used, although you could do so if you wished).

    Also in reference to this thread, check out this...

    http://en.wikipedia.org/wiki/IPv4

    The links if followed to the end should be a lot of reading!



    Oldsod

    Message Edited by Oldsod on 04-24-2007 02:22 AM
    Best regards.
    oldsod
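The cross-referencing oldsod describes in #10 (run `netstat -ano`, then match each PID against the process list) can be done programmatically: parse the netstat table, map PIDs to image names from a `tasklist` listing, and report which processes hold ports open to unsolicited inbound traffic. This is an added example, not something from the thread; the netstat and tasklist text below is constructed sample output in the Windows XP column layout, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (UDP rows have no State column).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:6346           0.0.0.0:0              LISTENING       2456
  TCP    192.0.2.10:4001        198.51.100.5:80        ESTABLISHED     1540
  UDP    0.0.0.0:6346           *:*                                    2456
  UDP    0.0.0.0:1026           *:*                                    912
"""

# Constructed sample of `tasklist` output, used instead of reading Task Manager by eye.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    912 Console                    0      4,120 K
iexplore.exe                  1540 Console                    0     12,880 K
LimeWire.exe                  2456 Console                    0     41,004 K
"""

def parse_netstat(text):
    """Turn netstat -ano rows into dicts; skips the header lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""      # UDP rows: no state, PID is next
        rows.append({"proto": proto, "local": local, "foreign": foreign, "state": state,
                     "lport": int(local.rsplit(":", 1)[1]), "pid": int(parts[-1])})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from tasklist output."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s", line, re.IGNORECASE)
        if m:
            names[int(m.group(2))] = m.group(1)
    return names

def listening_ports_by_process(netstat_text, tasklist_text):
    """Return {image name: sorted 'proto/port' list} for sockets that accept unsolicited input."""
    names = parse_tasklist(tasklist_text)
    open_ports = defaultdict(set)
    for r in parse_netstat(netstat_text):
        # A TCP LISTENING socket or any bound UDP socket is reachable without the PC asking.
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            open_ports[names.get(r["pid"], f"PID {r['pid']}")].add(f"{r['proto']}/{r['lport']}")
    return {name: sorted(ports) for name, ports in open_ports.items()}
```

Running this over the samples attributes TCP/6346 and UDP/6346 to LimeWire.exe and the DCOM/Messenger-related TCP/135 and UDP/1026 to svchost.exe, while the browser's established connection is not reported because it is outbound. Re-running it after the P2P client is "turned off" is the check for a client that silently keeps a listening port open.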
