
Port Scans ?

N/A

Port Scans ?

My firewall has been going mad the last two days now with constant port scans from another plus.net user.

How best do I deal with this?

As it's becoming a slight annoyance.
19 REPLIES
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Port Scans ?

Raise a contact us ticket with details of the logs you have and IP address of the offending system.

In the contact us screen select technical support -> Contact PlusNet Abuse Team then fill in the details of your logs and any additional comments and PlusNet will look into the matter.
N/A

Port Scans ?

I've had the exact same thing, I noticed yesterday that my firewall logs were full of port scans and DOS attacks, I wiped it clean to see whether I'd get any more...

I've had 161 DOS attacks over night, all from IP numbers beginning 80.229.x.x - that's a Plus.net IP isn't it?

I've been reading a handful of other threads describing similar issues, could this be one of the many email viruses we've seen floating about?

Paul
N/A

Port Scans ?

I would suggest using SocketLock, made by Gibson Research Corporation. Look here if you want more info -- this is a piece I wrote on my own message forum about stealthing your PC:

http://digitalvertigo.proboards7.com/index.cgi?board=DVKB&action=display&num=1077433939

Download SocketLock:

http://www.ninjastyle.plus.com/downloads/GRC.SocketLock.zip
N/A

Port Scans ?

Your board cannot be accessed by guest users to see the article.
Community Veteran
Posts: 3,181
Thanks: 19
Fixes: 2
Registered: 31-07-2007

Port Scans ?

Quote

I've had 161 DOS attacks over night, all from IP numbers beginning 80.229.x.x - that's a Plus.net IP isn't it?
Paul


More likely you have had 161 pings from one user, not a DoS aka Denial of Service. If you are being DoS'd then most if not all incoming bandwidth is swamped to your router/modem, so you basically have no usable connection.

So if you are being DoS'd don't bother raising a ticket, phone it in if it's a PN user; if not, report that said user/s via abuse@plus.net or via the contact us ticket route.
Unvalued customer since 2001 funding cheap internet for others / DSL/Fibre house move 24 month regrade from 8th May 2017
N/A

Port Scans ?

They're definitely being logged as DOS's by the firewall on my router. Should I be calling PN then?

Moderator's note (John): Full quote from previous post removed as it's unnecessary.
N/A

Port Scans ?

I think what is being meant is that the router will recognise the packet as a DOS attack and log it accordingly. However, 161 instances overnight is not a real "attack". If someone wants to do a real job on you, there will be constant DOS instances (which can amount to thousands in a minute) on your firewall using up most of your bandwidth - that is what is known as a real Denial of service attack.
What you are getting is occasional instances from someone who has a virus.

Report it via abuse as mentioned above.
N/A

Port Scans ?

Okay, clarification; 161 was the number of DOS attacks I received overnight, not the port they were hitting. Sorry about that.

Moderator's note (John): Full quote again removed. Please do not quote the previous post to yours in its entirety. It is not needed and makes posts harder to follow.
N/A

Port Scans ?

I've noticed these scans are becoming more numerous, and from different plusnet users mainly. Is this a virus, and if it is, has anyone any idea which one?
The scans are happening so often now that I have stopped reporting them. They are simply too many different user addresses. I just keep the firewall on high and it rejects them all.
Regards, John Taylor.
Community Veteran
Posts: 3,181
Thanks: 19
Fixes: 2
Registered: 31-07-2007

Port Scans ?

@jjtaylor if your firewall has a text log output and you can sort the users, then all you need to do is sort them by IP first, then export that text file into a spreadsheet and remove the multiple entries for each user, but leave the dates.

By doing so you build up a list of those infected and can submit them in one go. I do that over a 2 week period as some get cleaned before I submit them to the abuse dept., hence leaving the dates in.
Unvalued customer since 2001 funding cheap internet for others / DSL/Fibre house move 24 month regrade from 8th May 2017
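The sort-by-IP and de-duplicate step described in the post above can be scripted instead of done in a spreadsheet. This is an added example, not part of the original post: the log line format, the function name `summarise` and the sample addresses are assumptions, and the per-minute peak is included to show the gap between occasional probes and a sustained flood discussed earlier in the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in an assumed router log format (not from the thread).
SAMPLE_LOG = """\
2004-05-03 01:12:44 DROP TCP src=192.0.2.17 dst=203.0.113.5 dport=135
2004-05-03 01:12:47 DROP TCP src=192.0.2.17 dst=203.0.113.5 dport=135
2004-05-03 02:40:10 DROP TCP src=192.0.2.88 dst=203.0.113.5 dport=445
2004-05-04 23:59:01 DROP TCP src=192.0.2.17 dst=203.0.113.5 dport=135
2004-05-05 07:03:30 DROP ICMP src=198.51.100.9 dst=203.0.113.5
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP (?P<proto>\w+) "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dst=\S+(?: dport=(?P<dport>\d+))?$"
)

def summarise(log_text):
    """Collapse repeated entries to one record per source IP, keeping the dates."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits[m["src"]].append((ts, m["dport"]))
    report = []
    for src, events in hits.items():
        times = sorted(ts for ts, _ in events)
        per_minute = Counter(ts.replace(second=0) for ts in times)
        report.append({
            "src": src,
            "count": len(events),
            "first_seen": times[0].isoformat(sep=" "),
            "last_seen": times[-1].isoformat(sep=" "),
            "ports": sorted({int(p) for _, p in events if p}),
            "peak_per_minute": max(per_minute.values()),
        })
    # Sort numerically by IP so neighbouring addresses end up together.
    return sorted(report, key=lambda r: tuple(int(o) for o in r["src"].split(".")))

if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG):
        print(row)
```

Each row gives the abuse team one source address with its first and last sighting, which is what survives when an infected machine is cleaned before the report is sent.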
N/A

Port Scans ?

http://securityresponse.symantec.com/avcenter/nis_ids/sigs/MS_DCOM_RPC_HEAP_BO.html

.........is the intrusion attempt my firewall reports many times a day.
N/A

Port Scans ?

On a technical standpoint, the fact that the new ERX doesn't support the port 135 detection system that the Redbacks do, seems to be coming to haunt PlusNet now.

There is little you or PlusNet can do but contact and inform the customer they have a possible infection.

Is there honestly nothing that can be done on the ERX or in proximity to it?
N/A

Port Scans ?

As stated previously, so long as my firewall continues to prevent such intrusion attacks, I have no cause for concern. Beyond my firewall, my OS is patched against this vulnerability (so far, until the next exploit anyway).

Education is the answer.
N/A

Port Scans ?

Indeed, little concern when you're patched, but from an ISP and business perspective, the fact that this threat is increasing is very alarming.

This is a year old now since the first issues were spotted, yet the threat increases. What is more, with protection on the network borders from outgoing and incoming traffic, every ounce of this threat is coming from your handy dandy PlusNet/Force9/Free-online customer base.