
Firewall warnings

N/A

Firewall warnings

Hello,

I am using a static IP and ZoneAlarm. It periodically pops up and tells me that it has blocked an attempt at access from a source IP differing from my address only in the 4th number (e.g. d in a.b.c.d).

Presumably these are probes from plusnet (spitroast.force9.co.uk, partylegends.plus.com and so on) and I don't need to worry?

But - should I actually not be blocking them?
Tim
8 REPLIES
BoneMan
Grafter
Posts: 150
Registered: 01-08-2007

RE: Firewall warnings

> Hello,
>
> I am using a static IP and ZoneAlarm. It periodically pops up and tells me that it has blocked an attempt at access from a source IP differing from my address only in the 4th number (e.g. d in a.b.c.d).
>
> Presumably these are probes from plusnet (spitroast.force9.co.uk, partylegends.plus.com and so on) and I don't need to worry?
>
> But - should I actually not be blocking them?
> Tim

Tim,
IMO you have every right to be concerned about other machines probing your PC. It is after all, *your* PC and you are entitled to say who and/or what connects to it and when. Also, just because they are with +Net doesn't mean they are not infected with a virus/worm and/or up to no good.

My suggestion is that you gather as much information from your ZA logs as you can and forward it via a "Contact Us" to +Net Customer Support as a *possible* abuse. I believe that is the advice previously given by CS in such cases.

BTW you may like to know [if you don't already Smiley] that there is a nifty program for analysing ZA reports called VisualZone which you can get from http://www.visualizesoftware.com/.

Regards,

BoneMan
N/A

RE: Firewall warnings

> Hello,
>
> I am using a static IP and ZoneAlarm. It periodically pops up and tells me that it has blocked an attempt at access from a source IP differing from my address only in the 4th number (e.g. d in a.b.c.d).
>
> Presumably these are probes from plusnet (spitroast.force9.co.uk, partylegends.plus.com and so on) and I don't need to worry?
>
> But - should I actually not be blocking them?
> Tim


Hi Tim,

If you have any queries with regards to port scanning and you suspect the scans to be originating from one of our IP addresses, please send the firewall logs in an email that outlines your issue to: abuse@plus.net.uk and we will be happy to investigate further.

Best Regards,

Dave.

--
| David Watson. Unmetered & ADSL solutions
| Technical Support. for Home & Business
| PlusNet Technologies Ltd. @ http://www.plus.net
+ ----- My Referrals - It pays to recommend PlusNet ----- +
N/A

RE: Firewall warnings


> BTW you may like to know [if you don't already Smiley] that there is a nifty program for analysing ZA reports called VisualZone which you can get from http://www.visualizesoftware.com/.

Thanks BoneMan,
I'll grab that and send the analysis in - good thinking!
Tim

N/A

RE: Firewall warnings


> If you have any queries with regards to port scanning and you suspect the scans to be originating from one of our IP addresses, please send the firewall logs in an email that outlines your issue to: abuse@plus.net.uk and we will be happy to investigate further.

Hi Dave,

I've turned blocking back on and I shall send the logs in as, surely, they must be your IP addresses?

Tim
N/A

RE: Firewall warnings

Hi Tim,

> I've turned blocking back on and I shall send the logs in as, surely, they must be your IP addresses?

Our IP ranges are:

212.159.*.*
212.56.128-256.*
195.168.*.*

You will receive legitimate probes from some of our IP addresses (such as our DNS servers) but the ones that you mention above are from other customers' machines. The best way to tell is if the IP address reverses to something.plus.com rather than something.plus.net.uk then it is a customer of ours and most likely not a legitimate probe of your IP address.

Hope that helps

Regards

Josh
--
| Josh Berry.......................Unmetered & ADSL solutions
| Technical Support.......................for Home & Business
| PlusNet Technologies Ltd.............@http://www.plus.net
+ ----- My Referrals - It pays to recommend PlusNet ----- +
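
Added example, not part of the original post: one way to apply the range and reverse-DNS rule above when triaging blocked sources before sending logs to the abuse address. The log format, sample addresses, hostnames and the pre-resolved PTR table are constructed, and reading "212.56.128-256.*" as 212.56.128.0/17 is an assumption.

```python
import ipaddress
import re

# Ranges as listed in the post. "212.56.128-256.*" is read as 212.56.128.0/17
# (third octet 128-255); that reading is an assumption, 256 is not a valid octet.
ISP_NETS = [ipaddress.ip_network(n) for n in
            ("212.159.0.0/16", "212.56.128.0/17", "195.168.0.0/16")]

def in_isp_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ISP_NETS)

def has_suffix(hostname, domain):
    # Match on a DNS label boundary so "notplus.com" is not taken for "plus.com".
    host = hostname.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def classify(ip, ptr):
    # PTR names are set by whoever controls the address: only trust them inside ISP ranges.
    if not in_isp_range(ip):
        return "outside-isp"
    if ptr is None:
        return "isp-range-no-ptr"
    if has_suffix(ptr, "plus.net.uk"):
        return "isp-infrastructure"
    if has_suffix(ptr, "plus.com"):
        return "isp-customer"
    return "isp-range-other"

def same_slash24(ip, own_ip):
    # True when only the 4th number differs, as in the original question.
    net = ipaddress.ip_network(own_ip + "/24", strict=False)
    return ipaddress.ip_address(ip) in net

SRC = re.compile(r"src=(\S+) dport=(\d+)")
def report(lines, own_ip, ptr_table):
    rows = []
    for m in filter(None, map(SRC.search, lines)):
        ip, port = m.group(1), int(m.group(2))
        rows.append((ip, port, classify(ip, ptr_table.get(ip)), same_slash24(ip, own_ip)))
    return rows

# Constructed sample data: addresses, hostnames and log format are made up.
OWN_IP = "212.159.10.20"
SAMPLE_PTR = {"212.159.10.77": "dsl-77.plus.com", "212.159.1.5": "ns-a.plus.net.uk",
              "198.51.100.9": "relay.plus.net.uk", "212.159.10.99": "host.notplus.com"}
SAMPLE_LOG = ["BLOCKED src=212.159.10.77 dport=137", "BLOCKED src=212.159.1.5 dport=53",
              "BLOCKED src=198.51.100.9 dport=445", "BLOCKED src=212.159.10.99 dport=139",
              "BLOCKED src=212.56.200.3 dport=135"]
```

Calling `report(SAMPLE_LOG, OWN_IP, SAMPLE_PTR)` returns one tuple per blocked source; the `isp-customer` rows are the ones worth including in an abuse report.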
N/A

RE: Firewall warnings

Hi Josh

Thanks for this...

> You will receive legitimate probes from some of our IP addresses (such as our DNS servers)
> Hope that helps

Yes it does - one question though, what happens if ZoneAlarm blocks your legitimate probes?

Tim
N/A

RE: Firewall warnings

Since I enabled a firewall I've blocked all probes, on the basis that I don't know what they're for and so (as far as I'm concerned) none are legitimate.

If PlusNet originate such probes, it would be useful to have it on the Help part of the portal (alongside setting up your connection, setting up your firewall) identifying:

Valid originators of such probes
The purpose of such probes
The impact of blocking the probe

I've not noticed any impact from blocking everything, but presumably PlusNet have a legitimate purpose in probing their users' ports.

If we enable a probe from a plus.net.uk address, will that IP always be an internal PlusNet one and not a customer one?

TIA

Aid

> Hi Josh
>
> Thanks for this...
>
> > You will receive legitimate probes from some of our IP addresses (such as our DNS servers)
> > Hope that helps
>
> Yes it does - one question though, what happens if ZoneAlarm blocks your legitimate probes?
>
> Tim

N/A

RE: Firewall warnings

Hi there,
Likewise, since installing Zone Alarm I have blocked all probes. I don't understand though, what they are. My log shows that there have been nearly 100 probes of various ports on my system since yesterday (Sunday). What are they? A previous post from Support advised that we should forward the log file to abuse@plus.net. Forgive my ignorance but having looked at ZA I can't see how to do this. Any pointers?

Regards

Mark