Attack detection from known hosts

[tr.security]

Hello. I've been looking my father's system (with OP Pro 7.5), and it consistently has a number of "detected scan packet" entries in the Attack Detection log, and most -- but not all -- are from known hosts (at least, the IPs resolve to known hosts). On occasion, there is an "Attack SCAN ... [host blocked]" entry, but again -- it's usually from a known host (ie. a website that has been browsed to, one's even a trusted investment site). A few are from hosts that resolve (with WHOIS) to generic domains, like "Internap Network Services Corporation" or "Level 3 Communications". How is one to tell if any of these are of a concern?

From what I've read through the forum here, I'm guessing it's not really a security issue, but I have to make sure I understand when something is an issue, and when it isn't.

Most of the detected scan packets are to an obscure port (eg. 2072, 2194, 2186) and are "[ RST ACK ]". Why would trusted sites (including a bank) be sending these "port scans"? Could these just be acks that have been received after the TCP connection's been closed? The Attack SCAN ports are more like (65029, 64517, 64773, 7676) from one example.

My system (also using OP Pro 7.5) shows absolutely no entries under Attack Detection, and I browse to some of the same sites, so this is what made me curious as to what's going on. One difference between our systems is the modem/router, so I'm wondering if that would account for the different results between us?

I do see that OP is doing its job and the logged items are likely innocuous. But any insight would be welcome, mostly on how to guarantee that nothing fishy is going on.

Systems: WinXP Home SP3 / WinXP Pro SP3
OP Pro 7.5 (both)
Avast Pro 7 (both)

Many thanks,
tr

[Manny Carvalho]

It's just the firewall doing it's job. Your router is blocking unsolicited inbound packets so you don't see them. Get your father a router since that's cheap protection and does make it easier on the firewall not having to block those normal and often seen malicious inbound packets. The internet is full of malware looking for a helpless victim and a router does a nice job of suppressing that junk.

Just as a by the way, unprotected computers on the internet can be infected in the order of minutes. A router is just a good addition to your security umbrella.

Attack Detection does sometimes give false positives. Sometimes the TCP handshake conversation gets delayed and doesn't fit within the AD time window. So some of those RST ACK - reset acknowledgements - could just be a late but normal and get blocked. As long as nothing is being hampered then it doesn't cause any real problems. Still a router is really the way to go.

[tr.security]

Hi Manny. Thanks for the reply.

Sorry, I wasn't clear. My father's computer does have a modem/router, it's just a different one than mine is -- it's the ISP's previous model whereas mine is the latest.

I was thinking that the RST ACK were just being blocked because they didn't arrive on time for some reason; otherwise, I don't know how they would've gotten through the router's firewall.

I just want to make sure I don't misunderstand or misread something. I know enough about security just to be dangerous, not enough to actually be knowledgeable.

tr

[Manny Carvalho]

Those IPS's modem/router combo aren't always that great. But since he has it then go into his configuration panel and look to see if there is a NAT option and if it is turned on. It may be that just a little tweek will do it. Even better, call your ISP and ask them exactly where this is located and how to go about doing it.