
Rogue probers

gosforth
Grafter
Posts: 109
Registered: 11-10-2007

Rogue probers

My firewall is detecting a lot of probing activity. Does plus.net block persistent offenders?

Chris
6 REPLIES
N/A

RE: Rogue probers

> My firewall is detecting a lot of probing activity. Does plus.net block persistent offenders?
>
> Chris

Welcome to the wonderful world of the internet.

For the past 4 years now, every ISP has seen probes from clients every second of the day, and at alarming rates.

Over the 4 DSL connections I have access to (all at different sites. 2x plus.net, 2x BTOW), I would very easily run a whole ream of paper, to print the logs of offenders probing the machines.

Most of the traffic is harmless. They come from either legitimate connections, using auto-relink systems, like VPNs and so forth, others include keep-alive programs, that pick a random IP address to ping, so the ISP doesn't kick them off.

Out of the rogue probes that hit people, there is a very very remote chance that the probe will be taken further, than the return packet (or block) made by your computer.

The scanners are designed to pick out the most easy targets. I.e., if it's wide open, then report it. Otherwise your IP address is discarded, or placed in a log they never read (because it's easier to wait for a positive).

To cut off persistent offenders, would almost block out a great portion of the internet.

Remember, most ISPs (including Plus.net, when you haven't picked the static IP option) use dynamic IP addresses. Meaning the offender's IP changes, with a simple Release and renew, or a redial.

To block out a user, you would have to block a great portion of the IP space for an ISP.

The only way you are going to get around this, is to buy a dedicated firewall solution, and run it on your own end. Not cheap to say the least.
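
Added example, not part of the original thread: a small firewall-log analysis that shows the dynamic-address point made in the reply above. The log format, the addresses (documentation ranges) and the three-day threshold are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a made-up "date time action proto src:port -> dst:port" format.
SAMPLE_LOG = """\
2003-02-10 21:14:03 DROP TCP 203.0.113.7:4312 -> 192.0.2.10:139
2003-02-10 21:14:09 DROP TCP 203.0.113.7:4313 -> 192.0.2.10:445
2003-02-11 08:02:51 DROP TCP 203.0.113.7:1188 -> 192.0.2.10:139
2003-02-12 19:40:17 DROP UDP 203.0.113.7:1029 -> 192.0.2.10:135
2003-02-10 03:11:45 DROP UDP 198.51.100.21:1030 -> 192.0.2.10:135
2003-02-11 03:12:02 DROP UDP 198.51.100.88:1027 -> 192.0.2.10:135
2003-02-12 03:10:58 DROP UDP 198.51.100.143:1031 -> 192.0.2.10:135
2003-02-12 12:00:00 ALLOW TCP 192.0.2.10:3301 -> 198.51.100.200:80
garbled line that should be skipped
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \S+ DROP (?:TCP|UDP) "
    r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> \S+:\d+$"
)

def parse_drops(text):
    """Yield (day, source address) for each dropped packet in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # allowed traffic or an unparseable line
        try:
            yield m.group(1), ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # looks like an address but an octet is out of range

def persistent(text, min_days=3, prefix=None):
    """Return the sources seen on at least min_days distinct days.

    prefix=None keys on the single address. prefix=24 keys on the enclosing
    /24, the kind of range a block has to cover once the sender's dynamic
    address changes on every reconnect.
    """
    days = defaultdict(set)
    for day, addr in parse_drops(text):
        key = addr if prefix is None else ipaddress.ip_network(
            f"{addr}/{prefix}", strict=False)
        days[str(key)].add(day)
    return sorted(k for k, seen in days.items() if len(seen) >= min_days)

if __name__ == "__main__":
    print("per address:", persistent(SAMPLE_LOG))
    print("per /24    :", persistent(SAMPLE_LOG, prefix=24))
```

Keyed per address, only the source that kept one address is flagged; the source that changed address daily shows up only at /24, and blocking that range also cuts off every other customer in it.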
gosforth
Grafter
Posts: 109
Registered: 11-10-2007

RE: Rogue probers

I have employed the free version of ZoneAlarm which seems to be working well. At work we have a policy of blocking persistent offenders, I was just interested in finding out if plus.net do the same thing.

Chris

> > My firewall is detecting a lot of probing activity. Does plus.net block persistent offenders?
> >
> > Chris
>
> Welcome to the wonderful world of the internet.
>
> For the past 4 years now, every ISP has seen probes from clients every second of the day, and at alarming rates.
>
> Over the 4 DSL connections I have access to (all at different sites. 2x plus.net, 2x BTOW), I would very easily run a whole ream of paper, to print the logs of offenders probing the machines.
>
> Most of the traffic is harmless. They come from either legitimate connections, using auto-relink systems, like VPNs and so forth, others include keep-alive programs, that pick a random IP address to ping, so the ISP doesn't kick them off.
>
> Out of the rogue probes that hit people, there is a very very remote chance that the probe will be taken further, than the return packet (or block) made by your computer.
>
> The scanners are designed to pick out the most easy targets. I.e., if it's wide open, then report it. Otherwise your IP address is discarded, or placed in a log they never read (because it's easier to wait for a positive).
>
> To cut off persistent offenders, would almost block out a great portion of the internet.
>
> Remember, most ISPs (including Plus.net, when you haven't picked the static IP option) use dynamic IP addresses. Meaning the offender's IP changes, with a simple Release and renew, or a redial.
>
> To block out a user, you would have to block a great portion of the IP space for an ISP.
>
> The only way you are going to get around this, is to buy a dedicated firewall solution, and run it on your own end. Not cheap to say the least.

N/A

RE: Rogue probers

Something very alarming happened on my PC last night. My young children were playing a game when a System Message appeared with the following content:
---------------------------------------
Message from Kelly to 212.159.79.129

Hi, my name is Kelly, and I need some excitement, if you're free please send me a text message, and we could chat a while, maybe even meet.

Text KELLY to xxxxx (I'm not going to publish the number)

I'm waiting to chat with you now.

Vodaphone, O2, Orange & T-Mobile 18+ Only
--------------------------------------------------

Now, the fact that they were able to send this unsolicited to my IP address means they must be doing it to many people. I'm not quite sure how this works but I assume my ports would have been scanned and the message sent through a local vulnerability.

I've now installed ZoneAlarm in the hope that this can be stopped. I've also reported this to ICSTIS (the telecoms watchdog).

Be warned!!!!

Paul.


> > My firewall is detecting a lot of probing activity. Does plus.net block persistent offenders?
> >
> > Chris
>
> Welcome to the wonderful world of the internet.
>
> For the past 4 years now, every ISP has seen probes from clients every second of the day, and at alarming rates.
>
> Over the 4 DSL connections I have access to (all at different sites. 2x plus.net, 2x BTOW), I would very easily run a whole ream of paper, to print the logs of offenders probing the machines.
>
> Most of the traffic is harmless. They come from either legitimate connections, using auto-relink systems, like VPNs and so forth, others include keep-alive programs, that pick a random IP address to ping, so the ISP doesn't kick them off.
>
> Out of the rogue probes that hit people, there is a very very remote chance that the probe will be taken further, than the return packet (or block) made by your computer.
>
> The scanners are designed to pick out the most easy targets. I.e., if it's wide open, then report it. Otherwise your IP address is discarded, or placed in a log they never read (because it's easier to wait for a positive).
>
> To cut off persistent offenders, would almost block out a great portion of the internet.
>
> Remember, most ISPs (including Plus.net, when you haven't picked the static IP option) use dynamic IP addresses. Meaning the offender's IP changes, with a simple Release and renew, or a redial.
>
> To block out a user, you would have to block a great portion of the IP space for an ISP.
>
> The only way you are going to get around this, is to buy a dedicated firewall solution, and run it on your own end. Not cheap to say the least.

N/A

RE: Rogue probers

I think you'll find your answers for what happened here:

http://www.theregister.co.uk/content/55/29121.html
and
http://www.theregister.co.uk/content/archive/27634.html

Thanks Microsoft!

> Something very alarming happened on my PC last night. My young children were playing a game when a System Message appeared with the following content:
> ---------------------------------------
> Message from Kelly to 212.159.79.129
>
> Hi, my name is Kelly, and I need some excitement, if you're free please send me a text message, and we could chat a while, maybe even meet.
>
> Text KELLY to xxxxx (I'm not going to publish the number)
>
> I'm waiting to chat with you now.
>
> Vodaphone, O2, Orange & T-Mobile 18+ Only
> --------------------------------------------------
>
> Now, the fact that they were able to send this unsolicited to my IP address means they must be doing it to many people. I'm not quite sure how this works but I assume my ports would have been scanned and the message sent through a local vulnerability.
>
> I've now installed ZoneAlarm in the hope that this can be stopped. I've also reported this to ICSTIS (the telecoms watchdog).
>
> Be warned!!!!
>
> Paul.
>
Community Veteran
Posts: 5,878
Registered: 04-04-2007

RE: Rogue probers

I got this too.
It is easy to turn off in
Control Panel > Administrative Tools > Services > Messenger (simply disable the Windows Messenger feature). It won't affect MSN or Yahoo or anything like that.

You can also forward the port elsewhere.

For instance I forwarded port 139 (its native port) to the PlusNet nameservers so no one will be able to spam you like this again if you do that.

Chris
N/A

RE: Rogue probers

I would also suggest you download LanGuard Network Security Scanner from www.gfi.com (free for personal use) and do a port scan on your computer from another one to see what ports you have showing.

You may be surprised what isn't blocked by default.


> I got this too.
> It is easy to turn off in
> Control Panel > Administrative Tools > Services > Messenger (simply disable the Windows Messenger feature). It won't affect MSN or Yahoo or anything like that.
>
> You can also forward the port elsewhere.
>
> For instance I forwarded port 139 (its native port) to the PlusNet nameservers so no one will be able to spam you like this again if you do that.
>
> Chris


--
Come on Boro!
http://www.waynessa.co.uk/boro.htm