Thread: Attack detection from known hosts

  1. #1
    Join Date
    Mar 2005
    Posts
    33

    Attack detection from known hosts

    Hello. I've been looking at my father's system (with OP Pro 7.5), and it consistently has a number of "detected scan packet" entries in the Attack Detection log, and most -- but not all -- are from known hosts (at least, the IPs resolve to known hosts). On occasion, there is an "Attack SCAN ... [host blocked]" entry, but again -- it's usually from a known host (i.e. a website that has been browsed to; one's even a trusted investment site). A few are from hosts that resolve (with WHOIS) to generic domains, like "Internap Network Services Corporation" or "Level 3 Communications". How is one to tell if any of these are of concern?

    From what I've read through the forum here, I'm guessing it's not really a security issue, but I have to make sure I understand when something is an issue, and when it isn't.

    Most of the detected scan packets are to an obscure port (e.g. 2072, 2194, 2186) and are "[ RST ACK ]". Why would trusted sites (including a bank) be sending these "port scans"? Could these just be ACKs that have been received after the TCP connection's been closed? The Attack SCAN ports are more like (65029, 64517, 64773, 7676) from one example.

    My system (also using OP Pro 7.5) shows absolutely no entries under Attack Detection, and I browse to some of the same sites, so this is what made me curious as to what's going on. One difference between our systems is the modem/router, so I'm wondering if that would account for the different results between us?

    I do see that OP is doing its job and the logged items are likely innocuous. But any insight would be welcome, mostly on how to guarantee that nothing fishy is going on.

    Systems: WinXP Home SP3 / WinXP Pro SP3
    OP Pro 7.5 (both)
    Avast Pro 7 (both)

    Many thanks,
    tr

  2. #2
    Join Date
    Oct 2003
    Location
    Georgia, USA
    Posts
    12,691

    Re: Attack detection from known hosts

    It's just the firewall doing its job. Your router is blocking unsolicited inbound packets, so you don't see them. Get your father a router, since that's cheap protection and does make it easier on the firewall, not having to block those normal and often-seen malicious inbound packets. The internet is full of malware looking for a helpless victim, and a router does a nice job of suppressing that junk.

    Just as a by the way, unprotected computers on the internet can be infected in the order of minutes. A router is just a good addition to your security umbrella.

    Attack Detection does sometimes give false positives. Sometimes the TCP handshake conversation gets delayed and doesn't fit within the AD time window. So some of those RST ACK - reset acknowledgements - could just be late but normal, and get blocked. As long as nothing is being hampered, then it doesn't cause any real problems. Still, a router is really the way to go.
    Regards,
    Manny Carvalho
    MS-MVP Windows since 2002
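As an added illustration of the late RST/ACK point above (example code written for this page, not from the thread or from Outpost; the log-line format, the sample hosts and the 10-minute window are constructed assumptions), a small Python triage script that separates a RST/ACK to a high client-side port from a host the machine recently connected to, most likely a late teardown packet from an already-closed session, from a genuinely unsolicited inbound SYN:

```python
import re
from datetime import datetime, timedelta

EPHEMERAL_MIN = 1024          # ports a client picks for its own outbound connections
KNOWN_WINDOW = timedelta(minutes=10)   # assumed: how recent an outbound connection must be

# Constructed log format (not Outpost's real format): time, src ip:port, dst ip:port, flags.
LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) detected scan packet (?P<src>[\d.]+):\d+ -> "
    r"[\d.]+:(?P<dport>\d+) \[(?P<flags>[A-Z ]+)\]"
)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dport": int(m["dport"]),
        "flags": frozenset(m["flags"].split()),
    }

def classify(ev, recent):
    """recent: {remote_ip: time of the last outbound connection this host made to it}."""
    last = recent.get(ev["src"])
    known = last is not None and timedelta(0) <= ev["ts"] - last <= KNOWN_WINDOW
    if ev["flags"] == {"RST", "ACK"} and ev["dport"] >= EPHEMERAL_MIN and known:
        return "late-rst-ack"       # teardown of a session that already closed: benign
    if "SYN" in ev["flags"] and "ACK" not in ev["flags"]:
        return "unsolicited-syn"    # someone trying to open a connection inbound; NAT should drop it
    if known:
        return "known-host-other"   # from a host we talked to, but unexpected flags or port
    return "review"                 # unknown host, no obvious explanation: look closer

def triage(lines, recent):
    events = [e for e in map(parse_line, lines) if e]
    return [(e["src"], e["dport"], classify(e, recent)) for e in events]

# Constructed sample data: recent outbound connection times and attack-log lines.
RECENT = {
    "203.0.113.10": datetime(2011, 10, 7, 14, 1, 50),   # bank site browsed seconds earlier
    "198.51.100.7": datetime(2011, 10, 7, 14, 4, 0),    # another site visited a minute earlier
}
LOG = [
    "2011-10-07 14:02:11 detected scan packet 203.0.113.10:443 -> 192.168.1.5:2072 [RST ACK]",
    "2011-10-07 14:02:12 detected scan packet 203.0.113.10:443 -> 192.168.1.5:2194 [RST ACK]",
    "2011-10-07 14:05:00 detected scan packet 198.51.100.7:80 -> 192.168.1.5:2186 [ACK]",
    "2011-10-07 14:06:30 detected scan packet 192.0.2.99:6000 -> 192.168.1.5:445 [SYN]",
]
```

Running `triage(LOG, RECENT)` labels the two bank-site RST/ACKs as late teardown packets and the SYN to port 445 from an unknown host as unsolicited; in practice the `recent` map would be filled from the firewall's own connection log.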

  3. #3
    Join Date
    Mar 2005
    Posts
    33

    Re: Attack detection from known hosts

    Hi Manny. Thanks for the reply.

    Sorry, I wasn't clear. My father's computer does have a modem/router, it's just a different one than mine is -- it's the ISP's previous model whereas mine is the latest.

    I was thinking that the RST ACK were just being blocked because they didn't arrive on time for some reason; otherwise, I don't know how they would've gotten through the router's firewall.

    I just want to make sure I don't misunderstand or misread something. I know enough about security just to be dangerous, not enough to actually be knowledgeable.

    tr

  4. #4
    Join Date
    Oct 2003
    Location
    Georgia, USA
    Posts
    12,691

    Re: Attack detection from known hosts

    Those ISPs' modem/router combos aren't always that great. But since he has it, go into his configuration panel and look to see if there is a NAT option and if it is turned on. It may be that just a little tweak will do it. Even better, call your ISP and ask them exactly where this is located and how to go about doing it.
    Regards,
    Manny Carvalho
    MS-MVP Windows since 2002
