Firewall Question



Sudden
08-04-2004, 10:22 PM
For the past week someone has been attempting to access my comp.
My firewall states these attempts are Critical.

At first I just increased the time to block the IPs.
This hasn't deterred whoever is doing this,
no sooner is the block finished than there is another attempt.

So earlier today I switched off active response; there
were a further 8 attempts, now I get 2/3 port scans every hour.

There are about 6 different IP addresses,
but the same remote MAC number.

I did a whois on the IPs and they are all from the same ip company,
no further information was available.

Any help on what I can do will be much appreciated.

Chewie
08-04-2004, 10:59 PM
What type of attack is it?

supersonic
08-04-2004, 11:06 PM
+ what kind of firewall do you have?

Sudden
08-04-2004, 11:08 PM
Protocol says it's a TCP

Thanks for the quick response Chewie UK

Sudden
08-04-2004, 11:11 PM
Originally posted by supersonic@5 August 2004 - 00:07
+ what kind of firewall do you have?


sygate up to date

Chewie
08-04-2004, 11:16 PM
Originally posted by Sudden@4 August 2004 - 23:09
Protocol says it's a TCP

Thanks for the quick response Chewie UK
TCP? That is a protocol alright, but what attack is being perpetrated using TCP?

supersonic
08-04-2004, 11:16 PM
Make a Sygate advanced rule to block the whole IP range,
e.g. 64.0.0.0-64.225.225.225
All applications should be affected by this rule, highest priority (put it on top of other rules) on all ports and all protocols.

Sudden
08-04-2004, 11:34 PM
Chewie UK,5 August 2004 - 00:17
but what attack is being perpetrated using TCP?


Inbound DCE BIND



supersonic Posted on 5 August 2004 - 00:17

Make a Sygate advanced rule to block the whole IP range,
e.g. 64.0.0.0-64.225.225.225
All applications should be affected by this rule, highest priority (put it on top of other rules) on all ports and all proto

If I did that I would block my own IP

shn
08-04-2004, 11:37 PM
I wouldn't bother with it. Just save the logs and if it continues then contact their isp's abuse dept.

Or get a fresh ip.

supersonic
08-05-2004, 12:03 AM
You don't need to contact your own comp., so you can safely block the range.
If you have a static IP, you can block all the IPs of that ISP, except for yours.

And make sure you do either of the following:
1. Block SVCHOST; if it caused problems, then
2. In the SPF GUI, click on Applications, scroll to SVCHOST.EXE, click the Advanced button, and uncheck the "act as server" box.

Cam

source (http://forums.sygate.com/vb/showthread.php?threadid=8655)


As shn mentioned, your firewall is doing its job, so you shouldn't worry anyway.
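Added example, not part of the thread: one way to turn "block the ISP's range, except for yours" into a block list that provably leaves chosen addresses reachable. It goes beyond the Sygate start-end range form by emitting CIDR blocks; the range is the one quoted above, and the kept address 64.10.20.30 and both function names are constructed for illustration.

```python
import ipaddress

def blocks_excluding(first, last, keep):
    """CIDR blocks covering first..last (inclusive) minus every address in keep."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    for k in (ipaddress.ip_network(a) for a in keep):
        remaining = []
        for net in blocks:
            if k.subnet_of(net):
                # Split the block around the kept address; yields nothing
                # when the block is exactly the kept address.
                remaining.extend(net.address_exclude(k))
            else:
                remaining.append(net)
        blocks = remaining
    return sorted(blocks)

def covers(blocks, ip):
    """True if the block list would drop traffic from ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocks)

if __name__ == "__main__":
    # Range from the post above; OWN_IP is a constructed sample value.
    OWN_IP = "64.10.20.30"
    rules = blocks_excluding("64.0.0.0", "64.225.225.225", [OWN_IP])
    for net in rules:
        print("block", net)
    print("own IP blocked?", covers(rules, OWN_IP))
```

Any other address in the same range that must stay reachable can be passed in `keep` alongside your own.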

Sudden
08-05-2004, 12:17 AM
I realise the firewall is doing its job,
I just wondered what else I could do.

Thanks shn/Chewie UK/supersonic
for your replies

Sudden
08-05-2004, 12:21 AM
Originally posted by supersonic@5 August 2004 - 01:04
You don't need to contact your own comp., so you can safely block the range.
If you have a static IP, you can block all the IPs of that ISP, except for yours.

And make sure you do either of the following:
1. Block SVCHOST; if it caused problems, then
2. In the SPF GUI, click on Applications, scroll to SVCHOST.EXE, click the Advanced button, and uncheck the "act as server" box.

Cam

source (http://forums.sygate.com/vb/showthread.php?threadid=8655)


As shn mentioned, your firewall is doing its job, so you shouldn't worry anyway.

I will try the second option first and see how that goes
thanks again

Filliz
08-05-2004, 12:51 AM
I have the exact same problem resulting in 1000's of those Inbound DCE BIND.
It's really fucked up <_< It makes it so that I can't view webpages after a couple of hours on the net.
All I get is the "page cannot be displayed" message and I have to reboot my comp in order to get it working again.

Weird thing is my connection status says I'm still receiving and sending data (that I'm still connected) and also my messenger stays connected all the time :blink:
But no webpages <_<

You should contact your ISP or send it to 'abuse@yourisp' so that they can set it straight.

I think it has something to do with one of the clients on your ISP network that has a badly configured system.

Anyway, I did a backtrace to a lot of the scans I got and it all traced back to one person.
I sent him an email and this is a part of the reply I got:


As responsible for the IP addresses of the major ISP in *******, my name
gets listed for all the addresses in use by our 2 million customers.

Let's say 1% of them have badly configured PC that triggers firewalls all
around the world, that represent 20000 so-called "hacking" attempts per
day!

Funny thing is, he knows about this problem because he had quite an amusing remark to go with the backtrace:



Remarks:
> - I did *not* hack your computer
> - I did *not* sent you SPAM or virus
> - I will *not* read your abuse complaints

supersonic
08-05-2004, 05:04 AM
Man!! Looks like you've been DDOS'D. They use a nifty proggy to make thousands and thousands of connections per second, so your internet is just fine, but you can't view anything, because the pages time out from connecting.
The problem is Sygate doesn't stop it, but it stops USEFUL information from getting
into the hands of a ######