blacklupine
Captain
 Premium Member
 Joined: Mar 17, 2005 Posts: 484 Location: Over The Hills And Far Away!
Posted: Mon Sep 04, 2006 10:47 am Post subject: Firewall Blocked Intrusions
Is there any way to establish what the average number of recorded firewall blocked intrusions should be, in order to determine if you are receiving a higher than normal amount compared to a similar user?
I appreciate that the number must differ between most users due to specific factors, i.e. time spent connected to the net and type of internet connection, together with peaks and troughs in intrusive traffic, but wondered if anyone records this information to give users some sort of guideline.
The reason this crossed my mind was I have recently noticed an increase in blocked intrusions, a large proportion of which have a source DNS which, whilst not from the same ADSL connection, are all from the same source IP (my own ISP). I have reported this to the ISP in question but as yet not received a reply. In this connection it occurred to me that there was no way to establish if the problem I identified is just that or if it was the accepted norm.
Any comments would be most welcome. Regards
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11723
Posted: Mon Sep 04, 2006 3:32 pm
I get zombie random attempted port scans reported at a rate of as high as 1/minute, with real more serious ones at about 1/hour. All are blocked at my gateway by my hardware router/firewall.
Now, if you are getting a lot of them from the same IP from your ISP, there may be a simple answer for that. If your ISP uses PPPoE for connections, those may be routine pings to see if your connection is still being used, and if not so that they can release the line. It's kind of like asking "is anyone home?" Those would generally come at times when you are not really actively using the internet.
_________________
Don't read? Can't learn!
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11723
Posted: Mon Sep 04, 2006 3:37 pm
BTW, I also see a lot of activity from places like CC. If you are on here, but don't refresh your screens or do anything for some period of time, the server will automatically check to see if you are still "here". I generally get those if I forget to log out when I close out my connection to CC.
Depending on your firewall, it may interpret routine legitimate pings as potential intrusions.
blacklupine
Captain
 Premium Member
 Joined: Mar 17, 2005 Posts: 484 Location: Over The Hills And Far Away!
Posted: Mon Sep 04, 2006 9:45 pm
Hi PC Bruiser,
I initially queried with my ISP if it was them giving me routine connection checks, but their tech support people advised me that it was too frequent and varied. They asked me to send copies of my firewall log to them so they could further investigate a possible zombie bot. So when I hear from them I will let you know what they say. Regards
blacklupine
Captain
 Premium Member
 Joined: Mar 17, 2005 Posts: 484 Location: Over The Hills And Far Away!
Posted: Mon Sep 04, 2006 10:10 pm
BTW my firewall now shows over 27k intrusions blocked in 12 days, not bad for around 6 hours a day on the net. But over 25% of these come from the same source IP!
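Added example (not part of the original thread, and not any firewall vendor's code): one way to test the two explanations raised above, routine periodic checks versus "too frequent and varied" traffic, by profiling each source's share of blocked events, its port variety and the regularity of its timing. The log format, thresholds, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical log format (real firewalls differ): "<date> <time> BLOCK src=<ip> dport=<port>"
LINE = re.compile(r"^(\S+ \S+) BLOCK src=(\S+) dport=(\d+)$")

def parse(lines):
    """Return time-sorted (timestamp, source, dest_port) tuples; skip unparsable lines."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return sorted(events)

def profile_sources(events):
    """Per-source share of all blocks, port variety, and timing regularity."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    report = {}
    for src, hits in by_src.items():
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        # Coefficient of variation of the gaps: near 0 means a fixed interval.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        report[src] = {"share": len(hits) / len(events),
                       "ports": len({p for _, p in hits}), "gap_cv": cv}
    return report

def classify(stats, share_limit=0.25, cv_limit=0.2):
    """Assumed thresholds: 25% share (the figure quoted in the thread), CV under 0.2."""
    if stats["share"] < share_limit:
        return "background"
    if stats["ports"] == 1 and stats["gap_cv"] is not None and stats["gap_cv"] < cv_limit:
        return "periodic-check"   # one port, fixed interval: keep-alive-like
    return "investigate"          # dominant source with varied ports or timing

# Constructed sample log; addresses come from documentation ranges.
SAMPLE = (
    [f"2006-09-04 10:{m:02d}:00 BLOCK src=192.0.2.10 dport=7" for m in range(0, 60, 10)]
    + [f"2006-09-04 11:{m:02d}:{s:02d} BLOCK src=198.51.100.7 dport={p}"
       for m, s, p in [(0, 5, 135), (0, 9, 139), (3, 40, 445),
                       (4, 2, 1433), (19, 30, 135), (20, 1, 3389)]]
    + ["2006-09-04 12:15:00 BLOCK src=203.0.113.5 dport=22"]
)

if __name__ == "__main__":
    for src, stats in profile_sources(parse(SAMPLE)).items():
        print(src, classify(stats), stats)
```
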