Overnight port-scans: anyone else experiencing?

JohnBS
Newbie
Posts: 4
Registered: ‎05-12-2007

Overnight port-scans: anyone else experiencing?

Hi:
I'm no IT guru, so apologies in advance if this is much ado about nothing.
I use a ZyXEL Prestige 600 ADSL modem, which works really well. It includes a monitoring feature whereby it will E-mail any notable events overnight (when the PC is off, but the router still on). Every night I receive a port-scan-type report; the originating IP(s) (there are several, but perhaps linked) are e.g.
the first source is listed by ARIN as follows:
OrgName:    Shaw Communications Inc.
OrgID:      SHAWC
Address:    Suite 800
Address:    630 - 3rd Ave. SW
City:      Calgary
StateProv:  AB
PostalCode: T2P-4L4
Country:    CA
ReferralServer: rwhois://rs1so.cg.shawcable.net:4321
NetRange:  24.64.0.0 - 24.71.255.255
CIDR:      24.64.0.0/13
NetName:    SHAW-COMM
NetHandle:  NET-24-64-0-0-1
Parent:    NET-24-0-0-0-0
NetType:    Direct Allocation
NameServer: NS7.NO.CG.SHAWCABLE.NET
NameServer: NS8.SO.CG.SHAWCABLE.NET
Comment:   
RegDate:    1996-06-03
Updated:    2006-02-08
OrgAbuseHandle: SHAWA-ARIN
OrgAbuseName:  SHAW ABUSE
OrgAbusePhone:  +1-403-750-7420
OrgAbuseEmail:  internet.abuse@sjrb.ca
OrgTechHandle: ZS178-ARIN
OrgTechName:  Shaw High-Speed Internet
OrgTechPhone:  +1-403-750-7428
OrgTechEmail:  ipadmin@sjrb.ca
I've E-mailed them previously, but not had a reply. However, I did subsequently receive a rather ominous threatening E-mail, which may be a coincidence, may not. I'd appreciate knowing if anyone else suffers this kind of scanning, its purpose, and how it can be stopped.
John
6 REPLIES
Peter_Vaughan
Grafter
Posts: 14,469
Registered: ‎30-07-2007

Re: Overnight port-scans: anyone else experiencing?

Everyone suffers from this. It is normally referred to as 'internet noise' and is part of having broadband.
Just 1000s of scripts from 1000s of infected / compromised PCs all trying to find ways into people's systems.
It comes with the territory and there is nothing you can do - emailing the ISP is a waste of time by the way. Best to ignore it and probably forget about the email from the router as it is doing the job it was designed for: blocking such connection attempts.
jnwright
Grafter
Posts: 281
Thanks: 1
Registered: ‎05-04-2007

Re: Overnight port-scans: anyone else experiencing?

There are many systems on the Shaw network that have had compromised systems for several months.  They each probe ports 1026, 1027 & 1028 successively.
I wrote a rule in my router (also a Zyxel!) to block anything from source IP range 24.64.0.0 to 24.71.355.255 and not to log the probes.  This (and a couple of other rules relating to particular Chinese IPs) has cut the logfile down enormously so that I get about 2 logs per 24 hours as opposed to about 8 per 24 hours.
I have never wanted to communicate with anyone on the Shaw network and I can't anymore!
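
An added example, not part of the thread and not any poster's actual router rule: a small log-triage script that turns the ARIN NetRange quoted above into the CIDR block a filter rule needs and flags sources that probe ports 1026, 1027 and 1028 in succession. The log format, the `triage` and `block_networks` names and all sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# NetRange from the ARIN record quoted in the thread.
RANGE_START = ipaddress.IPv4Address("24.64.0.0")
RANGE_END = ipaddress.IPv4Address("24.71.255.255")
PROBE_PORTS = (1026, 1027, 1028)  # ports named in the post above

# Constructed log lines in a made-up format (not real ZyXEL output);
# all source addresses are invented sample values.
SAMPLE_LOG = """\
02:14:07 DROP src=24.64.10.20 dport=1026
02:14:07 DROP src=24.64.10.20 dport=1027
02:14:08 DROP src=24.64.10.20 dport=1028
02:31:55 DROP src=192.0.2.44 dport=22
03:02:10 DROP src=24.70.1.9 dport=1027
03:40:12 DROP src=192.0.2.80 dport=1026
03:40:12 DROP src=192.0.2.80 dport=1027
03:40:13 DROP src=192.0.2.80 dport=1028
"""

LINE_RE = re.compile(r"src=(\S+)\s+dport=(\d+)")

def block_networks():
    """Collapse the start-end range into the CIDR blocks a filter rule needs."""
    return list(ipaddress.summarize_address_range(RANGE_START, RANGE_END))

def triage(log_text):
    """Return {src: (in_blocked_range, saw_1026_1027_1028_in_order)}."""
    nets = block_networks()
    ports_seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # skip lines that are not drop records
            ports_seen[m.group(1)].append(int(m.group(2)))
    result = {}
    for src, ports in ports_seen.items():
        addr = ipaddress.ip_address(src)
        in_range = any(addr in net for net in nets)
        # "Successive" probe: the three ports appear in order, back to back.
        sweep = any(tuple(ports[i:i + 3]) == PROBE_PORTS
                    for i in range(len(ports) - 2))
        result[src] = (in_range, sweep)
    return result

if __name__ == "__main__":
    print(block_networks())
    for src, verdict in triage(SAMPLE_LOG).items():
        print(src, verdict)
```

The fourth sample source shows why a range block alone does not cover the pattern: the same three-port sweep arriving from outside the range is still flagged by the port check.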
scootie
Grafter
Posts: 4,799
Thanks: 1
Registered: ‎03-11-2007

Re: Overnight port-scans: anyone else experiencing?

Don't port scans use up some of our bandwidth usage?
So basically we are paying for someone to try and gain access to our computers, whether they are successful or not.
Only in England could this happen. Would you pay some burglar to test all your doors and windows?
If Plusnet can see that a packet is P2P even when encrypted and restrict or even block it,
how come they can't stop port scans? I bet they can, but it has no money benefit to them.
orbrey
Plusnet Alumni (retired)
Posts: 10,540
Registered: ‎18-07-2007

Re: Overnight port-scans: anyone else experiencing?

Scootie,
A port scan is simply a set of standard TCP requests sent to sequential ports on a given IP address to see if any of them respond (or specific ports, looking for machines that are already compromised). We can't stop this without seriously disrupting the majority of standard internet traffic.
If you are concerned about this then you can turn on your Plusnet firewall; this will stop the request before it gets to your PC and therefore stop it counting towards your usage.
Having said that, the actual amount of data transmitted would be measured in bytes, it's a tiny tiny amount.
Hope that helps,
p.s. Country doesn't matter, at all. This sort of thing is going on all over the world, all the time.
jnwright
Grafter
Posts: 281
Thanks: 1
Registered: ‎05-04-2007

Re: Overnight port-scans: anyone else experiencing?

The ZoneAlarm forum has a thread running at the moment on these attacks saying that they are not really attacks but occur as a result of IP spoofing.
OK, but the only way I can keep the large numbers out of my otherwise interesting router logfiles is to block their IP range and not to log the 'attacks'.  It is interesting to note that Shaw is the only company to apparently have their IP addresses spoofed in connection with this particular type of 'attack' using ports 1026, 1027 and 1028 consecutively.
The PlusNet firewall is useless as it cannot be fine tuned sufficiently to block just these three ports, especially if you run your own servers etc.  If Shaw cannot get any further dealing with the problem I can only say, it is their loss, as others are blocking them because of this abuse of their IP addresses.
mcgurka
Grafter
Posts: 764
Registered: ‎09-10-2007

Re: Overnight port-scans: anyone else experiencing?

Quote from: Peter
It comes with the territory and there is nothing you can do - emailing the ISP is a waste of time by the way.

I would disagree here, I've had plenty of good responses from ISPs but it does depend entirely on the ISP to be fair.
For example Virgin Media, Enta, BT and Thus have all been incredibly helpful when I complain of hacking attempts (yes, I do report them) and even Plusnet were when I reported a user constantly trying to hack my connection a while back...
Some of the ISPs literally don't care, and to be honest, it could just be a holding name! Just take solace in the fact your firewall is catching them out, after all, it is background noise!