quantity of icmp requests - unusually large or not?


11 replies to this topic

#1 bluebird100

  • Members
  • 18 posts

Posted 20 June 2012 - 03:00 AM

Hi Guys,
I check my router's firewall daily - I would say I get approx. 20 ICMP / UDP port scan attempts on a daily basis (majority ICMP) - is this an unusually high figure? They appear to be from all over the place; main attempts seem to be midnight to early hours of the morning. No one on any PCs in the house at the time, wireless powered down & all PCs off. Secondly, which one should we be more concerned about, a firewall ICMP check or a port scan?
Thanks.

#2 noknojon

  • Banned
  • 10,871 posts

Posted 20 June 2012 - 04:17 AM

Hi -
First, do you have any "software firewall" installed on your computer, along with your antivirus program?
Next, is there a specific reason why you cannot turn off the router at the wall socket overnight (telephone or similar)?

Thank You -

#3 bluebird100

  • Topic Starter

Posted 20 June 2012 - 04:39 AM

Thanks,
I run Norton 360 Gold, believe this includes firewall software.
I could power off the router overnight I guess.......... but that wouldn't stop these attempts would it?
Is this an unusually large amount or regular though?
Thanks again.

#4 noknojon

Posted 20 June 2012 - 05:19 AM

> I could power off the router overnight I guess.......... but that wouldn't stop these attempts would it?
> Is this an unusually large amount or regular though?

Hi -
As I understand your first post, you are concerned about "external attempts" to access your system.
If the internet access (via router) is disconnected / turned off, there is no way that I can see the "port scan attempts" continuing overnight.
Many people report attempted unusual access overnight, or during the day also, but if you can get an IP site number these can be simply traced.
Do you have any recorded ?
Examples of these are often Chinese or some Eastern European based sites that use "bots" to randomly scan open ports -

Malwarebytes Pro (paid) version usually picks/records these attempts, and as it actively stops any access like this, it is always a good option ($29 Your choice, I am not a seller) -

Regards -

Edited by noknojon, 20 June 2012 - 05:21 AM.


#5 bluebird100

Posted 20 June 2012 - 05:47 AM

Thanks,

I've been monitoring the logs for a while, prompted by an earlier compromise / malware issue.
I tend to track them now & they can be from all over the world. Get some local too, but I'm told that the IP tracing sites on the web aren't that accurate.

We did have a few instances a few weeks ago where I would see repeated attempts from the same IP addresses - even after changing my public IP address via router restart - weird! Reported this, but no real joy; ISP said that it was weird ("sinister" was the word used). As though my PC was broadcasting something. Ran Norton / Super Anti Spyware & Malware Bytes - couldn't see anything. This is the reason why I keep the router on now - so I can see what's happening. I don't understand a lot of it, just bumble through. But I look for regular / repeat attempts.

#6 noknojon

Posted 20 June 2012 - 06:25 AM

Generally I just enter the IP address direct to Google and most times I can pinpoint the server within 1 or 2 miles of the actual location.
Just a bit of extra information for you from Norton site -
Norton 360 Gold v5 has settings for a Firewall, so you might just check these to be sure it is turned on.
Items include:
  • Smart Firewall (should be set to On)
  • Uncommon Protocols (Configure to suit)
  • Firewall Reset (Reset if required)
  • Stealth Blocked Ports (should be set to On)
  • Stateful Protocol Filter (should be set to On)
  • Automatic File/Printer Sharing Control (usually set to On)
  • Block All Network Traffic (generally set to Unblocked, unless you wish to block all traffic)

These are just examples from Norton's general settings, but can be altered to suit your own usage -
Also note Norton 360 is compatible with Windows XP (excluding 64-bit editions), but OK for Win7 and Vista 64-bit, as you do not list your system.

The latest Gold "Version 6" lists: "Smart Two-Way Firewall prevents cybercriminals from hacking into your PC and stealing your personal information without constantly asking you to make the security decisions."
Always make sure the program is fully updated and set to scan all items, then this should block the unwanted access problem.

Others may also have extra advice, so please keep an eye on this post -

Regards -

#7 Didier Stevens

  • BC Advisor
  • 2,707 posts

Posted 20 June 2012 - 07:07 AM

> Hi Guys,
> I check my router's firewall daily - I would say I get approx. 20 ICMP / UDP port scan attempts on a daily basis (majority ICMP) - is this an unusually high figure? They appear to be from all over the place; main attempts seem to be midnight to early hours of the morning. No one on any PCs in the house at the time, wireless powered down & all PCs off. Secondly, which one should we be more concerned about, a firewall ICMP check or a port scan?
> Thanks.


Is that a firewall on a public IP address without ISP filtering? If it is, 20 per day is a low figure.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 bluebird100

Posted 20 June 2012 - 09:50 AM

Thanks Guys,

IP address being discussed is my public one, sits behind a router firewall then Norton.
Are you saying then that 20 "hits" a day for an IP address is low?

#9 Didier Stevens

Posted 20 June 2012 - 10:01 AM

> Are you saying then that 20 "hits" a day for an IP address is low?


Correct, that's less than one hit per hour. Most public IPs get at least several packets per minute. That's why I assume your ISP is filtering traffic for your IP, for example blocking all packets for port 25.


#10 bluebird100

Posted 20 June 2012 - 11:33 AM

To confirm - public IP = my IP address viewable on web (private individual)

#11 Didier Stevens

Posted 21 June 2012 - 04:11 AM

> To confirm - public IP = my IP address viewable on web (private individual)


Yes, that is what I mean. You can easily check what public IP address you are assigned by going to a site like this: http://whatismyipaddress.com/

In your home network, you would be using a private IP address, which can be from these subnets:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Consumer grade network devices use 192.168.*.* by default.

Your Internet-facing router is translating private IP addresses to the public IP address, and vice versa (NAT).


#12 bluebird100

Posted 21 June 2012 - 12:32 PM

Thanks.
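
The checks discussed in this thread (hits per hour as in post #9, repeat attempts from one address, and the private ranges from post #11), as an added example that is not part of any post: it summarizes one day of blocked-probe entries from a router firewall log. The log line format, the `summarize` and `is_private` helpers and the sample entries are constructed assumptions; real router logs differ and the pattern must be adapted.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# The three private ranges listed in post #11.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical log format (assumption); adapt the pattern to your router.
LINE_RE = re.compile(r"^(\S+ \S+) DROP (ICMP|UDP|TCP) src=(\S+)")

# Constructed sample entries using documentation address ranges, not real hosts.
SAMPLE_LOG = """\
2012-06-20 00:14:07 DROP ICMP src=203.0.113.7 dst=198.51.100.20
2012-06-20 00:51:32 DROP ICMP src=192.0.2.44 dst=198.51.100.20
2012-06-20 01:03:10 DROP UDP src=203.0.113.7 dst=198.51.100.20 dport=53
2012-06-20 02:40:55 DROP ICMP src=203.0.113.7 dst=198.51.100.20
2012-06-20 03:15:00 DROP ICMP src=192.168.1.50 dst=198.51.100.20
2012-06-20 14:22:41 DROP UDP src=192.0.2.99 dst=198.51.100.20 dport=161
router rebooted
"""

def is_private(addr):
    """True if addr falls inside one of the three private subnets."""
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def summarize(log_text, repeat_threshold=3):
    """Count blocked probes by protocol, hour and source; flag repeat sources."""
    by_proto, by_hour, by_src = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not firewall drops
        stamp, proto, src = m.groups()
        by_proto[proto] += 1
        by_hour[datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").hour] += 1
        by_src[src] += 1
    total = sum(by_proto.values())
    return {
        "total": total,
        "per_hour": total / 24,  # assumes the log covers exactly one day
        "by_proto": dict(by_proto),
        "overnight": sum(n for h, n in by_hour.items() if h < 6),  # 00:00-05:59
        "repeat_sources": sorted(s for s, n in by_src.items() if n >= repeat_threshold),
        "private_sources": sorted(s for s in by_src if is_private(s)),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The `per_hour` figure is the one to compare against the "less than one hit per hour" remark, and `repeat_sources` lists addresses that reach the chosen threshold within the day.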



