
Under Attack


6 replies to this topic

#1 Stang777

Posted 17 December 2009 - 03:11 AM

Hi,

I was just wondering if anyone knows why someone's computer would suddenly become under vigorous attack by would-be intruders. I was just glancing at my firewall logs and noticed that in the last hour alone, there have been over 250 attempts into my computer. Usually I get about 70 in a 24-hour period. I am not really worried about this as my firewall is blocking them, but I am curious as to why this would be happening. The only reason I even noticed this is because my firewall icon is showing constant activity and since it had just started a new log about an hour ago and there were already so many hits on it, it was quite obvious something was going on.

One computer has made 44 attempts, another one has made 56, another one 40, another one 58, another one 61, another one 70 and it just keeps going. I haven't looked up any of the IP addresses but the addy of most of these end in .UK or .au. The one that has tried 70 times looks to be from Canada as it is from ShawCable which I believe is in Canada. There are a bunch of other ones that have tried multiple times too, some of which are from the US (which is where I live) as they have Comcast in the addy, but those are sporadic and have not made nearly as many attempts as the ones I listed here. None of them appear to be pings from my ISP.

The only sites I have been on all night have been my trusted TV listing site and this one.

Anyone know why this might be happening?

It isn't slowing down at all; here it is about 3 hours later and I am getting around 500 attempts an hour. No, I won't keep counting, but what is happening is nuts.

Edited by Stang777, 17 December 2009 - 06:14 AM.



#2 quietman7

Posted 18 December 2009 - 08:46 AM

If your firewall provides an alert which indicates it has blocked access to a port, that does not necessarily mean your system has been compromised. These alert messages are a response to unrequested traffic from remote computers (an external host) to access a port on your computer. Even if the port is open, the alert message indicates that your firewall has blocked the attempt to access it. These alerts are often classified by the network port they arrive on and allow you to see the activity of what is happening on your firewall.

It is not unusual for a firewall to provide numerous alerts regarding such attempted access. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports (commonly probed ports) and making repeated attempts to access them. Your firewall is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there, so you may need to investigate an attempted intrusion. The alerts allow the firewall to notify you in various ways about possible penetration and intrusion attempts on your computer.

If the alerts become too annoying, you should be able to go into your firewall settings and turn them off (Hide notification messages).
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 xXAlphaXx

Posted 18 December 2009 - 09:45 AM

That's pretty much what I was going to say.

Watch the ports they are attacking on, see if it is specific to a port. Also make sure your router isn't running in DMZ.
If I am helping you and I do not respond within 24 hours, please send me a PM. :)

#4 Stang777

Posted 19 December 2009 - 02:43 AM

Thanks for the replies, but I fully understand that firewall logs will show many attempts into a computer as it is normal for a computer to have many attempts into it and that the firewall has indeed blocked those attempts. Like I said, I normally get about 70 attempts in a 24-hour period. I know that my firewall is blocking all attempts into my computer and have always had the alerts for it shut off as there is no reason to have them on and do not worry about them.

It's just that I am very aware of what is normal on my computer and what is not, and what happened during the 24-hour period surrounding my initial post in this thread was not in any way normal.

For almost exactly 24 hours, my computer was, in fact, for whatever reason, under attack. During that period, I received almost 3,000 attempts into my computer, many times there were as many as 25 attempts per MINUTE, there is no way that was normal anything.

After 24 hours from the beginning of the attack, my computer went back to getting its normal amount of attempts into it. In the last 12 hours, exactly, I have had only 36 attempts into it, which is in the normal range of the amount of hits I have had for the last almost 2 years since I got this computer.

As I am sure anyone reading this can tell, that 24-hour period was not normal. Like I said in my original post, I am not really worried about this, as I know my firewall is blocking the attempts, however, I am curious. It just seems odd to me that for almost exactly 24 hours, one's computer would be under such a vigorous attack from many computers.

There seems to be only one computer that was trying to make contact during that period that is still trying to get in and that one's attempts have fallen off to once every couple of hours, and I mean, two hours apart, to the minute, and no it is not my ISP. This one's source DNS is laptop.jetcafe.org and that source DNS is not one that usually appears in my logs. My ISP's source DNS always has Comcast as part of the name for one ISP and AOL in the other one. When I get hits from them, they are always from the same DNS sources that I recognize.

If nothing else, I hope my post will show those thinking that firewalls are not necessary and are considering being connected to the internet without one, that they most certainly are necessary and will make them never connect to the internet without a good firewall being on.

I firmly believe that had I not had a firewall running, my computer would have many bad things on it after that attack that came out of nowhere. I had not been on any site other than a few that are not only known to be trustworthy, but have been proven over time to be very trustworthy, so there was no reason for that attack, other than, I was connected to the internet.

Edited by Stang777, 19 December 2009 - 02:55 AM.
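An added example, not part of any post in this thread: one way to act on the advice in post #3 (check whether the blocked attempts are specific to a port) and to compare an hour's count against the usual rate of about 70 blocked attempts per day. The log format, field order, addresses and the 3x threshold are assumptions made for the example, not details of the poster's firewall.

```python
from collections import Counter
from datetime import datetime

BASELINE_PER_HOUR = 70 / 24  # the thread's usual ~70 blocked attempts per 24 hours

# Constructed sample, not taken from the thread. Assumed field order:
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = "\n".join(
    ["2009-12-17 01:10:00 DROP TCP 198.51.100.7 192.0.2.10 40000 135",
     "2009-12-17 01:40:00 ALLOW TCP 192.0.2.10 203.0.113.9 50000 80",
     "not a log line"]
    + [f"2009-12-17 02:{m:02d}:00 DROP TCP 203.0.113.{m % 3 + 1} 192.0.2.10 4{m:04d} 445"
       for m in range(12)]
)

def parse(line):
    """Return (hour bucket, source IP, destination port) for a DROP line, else None."""
    f = line.split()
    if len(f) < 8 or f[2] != "DROP":
        return None
    try:
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        return ts.replace(minute=0, second=0), f[4], int(f[7])
    except ValueError:
        return None  # malformed timestamp or port: skip the line

def summarise(log_text, factor=3.0):
    """Count blocked attempts per hour, source and port; flag hours above factor x baseline."""
    per_hour, per_src, per_port = Counter(), Counter(), Counter()
    for rec in filter(None, map(parse, log_text.splitlines())):
        hour, src, port = rec
        per_hour[hour] += 1
        per_src[src] += 1
        per_port[port] += 1
    total = sum(per_port.values())
    top_port, top_hits = per_port.most_common(1)[0] if total else (None, 0)
    return {
        "total": total,
        "spike_hours": sorted(h.strftime("%Y-%m-%d %H:00") for h, n in per_hour.items()
                              if n > factor * BASELINE_PER_HOUR),
        "top_sources": per_src.most_common(3),
        "top_port": top_port,
        # A share near 1.0 means the burst is aimed at a single port.
        "top_port_share": round(top_hits / total, 2) if total else 0.0,
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```
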


#5 quietman7

Posted 19 December 2009 - 08:37 AM

It could have been some form of DoS attack from a Zombie computer. Although a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) typically targets sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and root nameservers. These types of attacks involve saturating the target machine with so many external communications requests that it cannot respond to legitimate traffic, or responds so slowly that it is essentially rendered useless. There are various methods of such attacks to include: To learn more about these methods of attack, please refer to:

Edited by quietman7, 19 December 2009 - 08:49 AM.


#6 Stang777

Posted 20 December 2009 - 02:58 AM

Thank you, Quietman, I appreciate the reply and the info.

#7 quietman7

Posted 20 December 2009 - 09:45 AM

Not a problem.