Thread: Multiple ShawCable Probes to multiple ports (ranging from 24.64-24.108)

  1. #1
    miss Guest

    Multiple ShawCable Probes to multiple ports (ranging from 24.64-24.108)

    Last month I responded to another member's message, and explained that I was receiving multiple probes from shawcable ip addresses. When I contacted Shaw, I was informed these were inactive addresses not affiliated with their customers and would most likely all begin with 24.64. and would be directed to UDP on ports 1026, 1027 & 1028. Shaw explained there was nothing they could do about it despite the fact it was illegal???

    So I took it at that, and simply stopped checking "log viewer". However.....I recently noticed, that I'm now receiving MULTIPLE probes DAILY from Shaw ip's which range from 24.64. to 24.108. the moment my computer is turned on. These are also directed to MULTIPLE ports (I've counted well over 30), and some of them have source DNS email addresses. One example of many is shown below:

    S010600055dfe1692.cg.shawcable.net

    Is this truly random? If so, how are these ip addresses able to probe my computer the moment I log on? Yesterday I restarted my computer three times to change my ip address (out of curiosity), and each time the same thing occurred. Can other members check your log files and tell me if you are receiving multiple probes from Shaw as well? I receive hundreds daily, and sometimes an entire log viewer page is filled with shawcable probes. I contacted Shaw well over a week ago for the second time explaining all the above, and they have not responded.

    Right now I have 5 different ranges blocked for shaw. Is there any way to block all these ranges at one time? Or is it necessary to block each range individually? For instance two of the five are: 24.64.0.0 to 24.71.255.255 and 24.76.0.0 to 24.79.255.255

    Is there anything ZoneAlarm can do about this? Thanks

    P.S. Also, I've noticed that when I add a new blocked range or ip address to the zone, even after hitting apply and ok...when I restart my computer one of the items on the blocked list is removed. I'm not sure why, so I usually have to re-enter whatever item was removed and restart my computer a 2nd time to ensure everything that I want blocked remains on the list. Is this a zone alarm glitch? Other members may want to double check your "blocked zone" if you've recently added new items just to be sure. I've had zone alarm security suite I believe since January of this year, and I use it for anti-virus, anti-spyware, and firewall protection.


    Message Edited by Miss on 02-21-2008 07:00 AM

  2. #2
    watcher Guest

    Re: Multiple ShawCable Probes to multiple ports (ranging from 24.64-24.108)

    Dear Miss:

    You are talking about the entries located in the Alerts and Logs panel, Log Viewer tab. If Alert Type=Firewall, you are looking at connection attempts to your PC from the Internet. In the Action Taken column, all of these will show Blocked so you are safe. Like you, I became concerned about the number of entries but not for the same reason. My concern was that it is hard to identify actual attacks from hackers when you have to wade through all those entries. Hacker activity is unpredictable. Some days I would have hundreds of entries over like a 6-hour period and then other days I would have only a few. Here is what I did.

    First, harden your computer against attack by preventing exploits against common vulnerabilities on a PC. You can block a LOT of traffic (multiple IP addresses) merely by creating an expert firewall rule that blocks any traffic attempting to connect to a specific port on your computer. Expert firewall rules are enforced prior to Zone rules. Close the following ports using expert firewall rules: 135, 137, 139, 445, 1026, 1027, and 1028. This is assuming you don't use these ports. Then set the rules not to log this traffic. You will reduce the size of your firewall logs greatly. This allows you to concentrate on the remaining entries. This method is useful in a DDoS attack in which the attacker uses a botnet to attack your PC. I had it happen to me. I knew it was a botnet because the source IP addresses were from Class A, B, and C categories so it could not be from a single entity. What they all had in common was they were seeking to connect to a specific port on my computer. I looked at the socket addresses (IP address/colon; port) listed in the Destination IP column to confirm. One expert firewall rule set to block the specific port would take care of this.

    Second, find the attacker(s) who generate the most log entries. Use the Source IP column to identify those with the same IP address. Click on one of them and then click the More Info button in the lower right of the Log Viewer tab and the online SmartDefense Advisor launches. Go right to the Hacker ID tab, find the name and IP range of the offender, write it down, and use it to create an expert firewall rule to block the entire IP range. You may find a lot of Chinese, North Korean, and even Iran web sites that are obviously malicious. Then set these not to log. You should do only a few of these per day. Otherwise, it seems like a monumental task.

    Third, create expert firewall rules for IANA-reserved IP ranges. Hackers like to forge these addresses as they are well known addresses and they can't be traced back to them. IANA has Class A reserved range of 10.0.0.0 - 10.255.255.255, Class B reserved range of 172.16.0.0 - 172.31.255.255, and Class C reserved range of 192.168.0.0 - 192.168.255.255. Also, set these to block and not to log any more.

    Currently, I have over 30 expert firewall rules set to block and not log any more. The result is a much smaller firewall log which I can review far easier than before.

    If you decide to do nothing, you are still protected. ZAISS blocks all unsolicited inbound connection attempts by default, using stateful packet inspection (SPI). However, each of these blocked attempts is then logged, creating the large firewall logs.

    Hope this helps.

    WATCHER
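
The triage described in the post above (absorb the noise with destination-port rules, then rank the remaining sources) together with the range question from the first post, as an added Python example that is not from any poster or from ZoneAlarm. The log tuples are constructed sample data and are not ZoneAlarm's log format; the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Ports the post above suggests closing with expert rules.
PORT_RULES = {135, 137, 139, 445, 1026, 1027, 1028}

# Constructed sample entries: (source IP, protocol, destination port).
# This is NOT ZoneAlarm's log export format; adapt the parsing to your log.
SAMPLE = [
    ("24.64.12.7", "UDP", 1026),
    ("24.66.201.3", "UDP", 1027),
    ("24.77.5.90", "UDP", 1028),
    ("24.108.44.1", "UDP", 1026),
    ("24.70.9.9", "TCP", 445),
    ("24.78.1.2", "TCP", 135),
    ("203.0.113.50", "TCP", 22),
    ("203.0.113.51", "TCP", 22),
    ("198.51.100.8", "TCP", 3389),
]

def port_rule_coverage(entries, ports=PORT_RULES):
    """Split entries into those a destination-port rule absorbs and the rest."""
    covered = [e for e in entries if e[2] in ports]
    rest = [e for e in entries if e[2] not in ports]
    return covered, rest

def top_sources(entries, prefix=24, n=3):
    """Count entries per source network (/24 by default), busiest first."""
    nets = Counter(
        ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        for src, _, _ in entries
    )
    return nets.most_common(n)

def ranges_to_cidr(ranges):
    """Turn start-end ranges into the smallest set of CIDR blocks."""
    blocks = []
    for start, end in ranges:
        blocks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return list(ipaddress.collapse_addresses(blocks))

if __name__ == "__main__":
    covered, rest = port_rule_coverage(SAMPLE)
    print(f"{len(covered)}/{len(SAMPLE)} entries absorbed by port rules")
    for net, hits in top_sources(rest):
        print(f"  remaining: {net} x{hits}")
    # The two ranges quoted in the first post.
    print(ranges_to_cidr([("24.64.0.0", "24.71.255.255"),
                          ("24.76.0.0", "24.79.255.255")]))
```

The two quoted ranges stay separate blocks because 24.72.0.0 to 24.75.255.255 lies between them; ranges that touch are merged into one block.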

  3. #3
    miss Guest

    Re: Multiple ShawCable Probes to multiple ports (ranging from 24.64-24.108)

    Hi Watcher, thank you for posting this helpful information. I have to admit it all went over my head, as I'm not tech savvy at all. I'll try following the steps tomorrow, and hopefully I'll be able to add the expert rules successfully. I'm sure to return with further questions. lol

    Also, I posted a recent message concerning a trojan that was found on computer about 30 minutes ago. Can you visit the thread below and let me know what you think? Thanks again for all your help. It is most appreciated. Miss

    http://forums.zonealarm.org/zonelabs...ssage.id=27231

  4. #4
    brunob Guest

    Re: Multiple ShawCable Probes to multiple ports (ranging from 24.64-24.108)

    Thank you WATCHER for your advice to "creating an expert firewall rule that blocks any traffic attempting to connect to a specific port on your computer".
    But the best was the advice "Then set the rules not to log this traffic". My expert rules are now blocking only ports 1026-1028 but the ShawCable crab in the log has been reduced to (literally) nil :-)
    By the way, I think the reason Miss answers that "I have to admit it all went over my head" is because it's very hard to find a down-to-earth guide of how to create simple expert rules. I'm sorry it's not possible to publish pics, because I took a screen dump of the rather simple process it is to make the necessary expert rule.
