oompahloompah, posted October 5, 2004:
Lately I've been getting scanned from a group of IP addresses from the same subnet xxx.xxx.xxx.yyy/24 every time I log online. I'm guessing they must be targeting my subnet since they seem to appear on my logs a short while after I appear online each time. While my usual reaction has been to simply just ignore them (I don't know what else I can do anyway), this has been slowing my computer down tremendously due to excessive logging. Would it be wise simply disabling logging for these IP addresses? Are there any extra precautions/steps I may take against such scanners? I really don't want to get my computer compromised. Any help would be much appreciated.

TCH-Rob, posted October 7, 2004:
Sorry you have not received a response to this yet. I have not had this happen so I cannot give an answer that would help. Give a little more time and we will see if someone comes along with an answer.

Madmanmcp, posted October 7, 2004:
oompahloompah, sorry I didn't answer when this was first posted, I meant to but had to get to work and then forgot. I assume you are reading the firewall logs to get your information and if so would suggest that you just turn logging off. Your firewall is doing its job and is blocking the traffic and, as you say, the slowdown is caused by the logging feature. Logs are just a tool you can use to identify and track the activity of the firewall; if it causes a problem like it is now, just turn it off. Once the attacks stop you can turn it back on, or just leave it off until you actually need to use it.

Madmanmcp, posted October 7, 2004:
Also,
> I'm guessing they must be targeting my subnet since they seem to appear on my logs a short while after I appear online each time.
Do you have an updated virus scanner? Run a scan (after you download the latest signatures). What firewall are you using, and does it block outgoing traffic as well as inbound? You could have a trojan which starts broadcasting when you log on that is attracting these scans. Is your computer secure and are your ports all secured? Try GRC.com to check your system and help explain how to close them. Start here: h_tps://www.grc.com/x/ne.dll?bh0bkyd2

TCH-Rob, posted October 7, 2004:
I second GRC, Steve has some great tools.

oompahloompah, posted October 9, 2004:
Bob, thank you for the answer. My antivirus scanner is updated and the scan didn't turn up anything. My firewall blocks traffic both ways - I am using ZoneAlarm. As far as I know, I don't have any trojans on the computer. My computer's secure according to GRC. My ports are closed and ping does not pass through. My firewall logging is off at the moment although I do feel 'blind' now. Is there any utility, hardware or software that would be able to counteract such attacks without compromising the speed of the computer and still allow one to view what's going on? Maybe I'm asking for utopia here but it doesn't hurt to ask.

TCH-Rob, posted October 9, 2004:
Define counteract? If you log them expect to have resources used for that purpose.

TCH-Dick, posted October 9, 2004:
Sweeps like that happen every day to just about every person that's connected to the internet. If your PC is secure you don't have much to worry about. It's not an attack. I used to log everything that came in to my PC; finally I just turned logging off. My PC is secure and I don't worry about it anymore.

Madmanmcp, posted October 9, 2004:
I agree with Mike. At first I used to log and play with those logs and investigate every line, but that was long ago with very few probes. Lately these attacks and probes have gone off the charts and it's impossible to look at them all, and there is actually no reason to look at them. Bottom line, your firewall is blocking them so you don't have to worry. Counterattack? You do understand that this is illegal?

oompahloompah, posted October 10, 2004:
Thanks Mike and Bob, that makes a lot of sense, but how do you tell if you've got a trojan or adware working on your PC sending traffic outside if you've turned off logging? And speaking of firewall log tools (SNMP) and IDS, what do you guys use by any chance? Rob, counteract in perhaps having a selective logging utility that stops log floods by ignoring a particular IP after the port probes have gone on over a pre-specified number of ports, say 10 ports or more within 5 minutes for example. Not counterattack. Naughty. Also, another side effect (less, but it still happens when logging is turned off) is that my Internet connection gets jammed after a while. Speaking from a layman's point of view, it's as if all those port probes from multiple hosts (it's the same port probe but from multiple computers) have jammed up my computer's Internet connection so that legal packets trying to get out of my computer are taking forever. Is this possible or am I understanding it wrongly?
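
The selective logging idea described in the post above (stop logging a source once it has probed 10 or more ports within 5 minutes), sketched as an added example that is not part of the original thread and is not a ZoneAlarm feature. The class and function names, the `timestamp source-IP port` line format and the sample data are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class ProbeLogFilter:
    """Stop logging a source once it has probed too many ports in a window.

    Only logging is affected; the firewall keeps blocking the traffic.
    """
    def __init__(self, max_ports=10, window=timedelta(minutes=5)):
        self.max_ports = max_ports          # "10 ports or more"
        self.window = window                # "within 5 minutes"
        self.recent = defaultdict(deque)    # source IP -> (time, port) events
        self.muted = {}                     # source IP -> suppressed entry count

    def should_log(self, when, src, port):
        if src in self.muted:               # already classed as a scanner
            self.muted[src] += 1
            return False
        events = self.recent[src]
        events.append((when, port))
        while when - events[0][0] > self.window:    # expire old events
            events.popleft()
        if len({p for _, p in events}) >= self.max_ports:
            self.muted[src] = 0             # this entry is the last one logged
            del self.recent[src]
        return True

def filter_log(lines, flt=None):
    """Return (lines worth keeping, {muted source: suppressed count})."""
    flt = flt or ProbeLogFilter()
    kept = []
    for line in lines:
        stamp, src, port = line.split()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        if flt.should_log(when, src, int(port)):
            kept.append(line)
    return kept, dict(flt.muted)

def sample_lines():
    """Constructed input: one fast scanner, one host retrying a single port."""
    start = datetime(2004, 10, 5, 12, 0, 0)
    rows = [(start + timedelta(seconds=i), "192.0.2.10", 1000 + i) for i in range(30)]
    rows += [(start + timedelta(minutes=2 * i), "198.51.100.7", 445) for i in range(3)]
    return [f"{t:%Y-%m-%dT%H:%M:%S} {ip} {port}" for t, ip, port in sorted(rows)]

if __name__ == "__main__":
    kept, muted = filter_log(sample_lines())
    print(len(kept), "entries logged;", muted)
```

In this sketch a muted source stays muted for the life of the filter and the per-source state is unbounded, so a long-running version would need an expiry on both. The suppressed count per source is kept so the log can still record how much was dropped.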

Madmanmcp, posted October 10, 2004:
> And speaking of firewall log tools (SNMP) and IDS, what do you guys use by any chance?
Nothing, as I said the logs are off and there is no reason to look at them at the moment.
> my Internet connection gets jammed after a while,
Not sure what to tell you here since this is conjecture at this point. Yes, this could slow things down but there is not much you can do about it. It would be up to your ISP to filter out the IPs at their routers...if this was an actual DDoS attack. So I would start with them: call them and see what they can find out for you, whether you are under attack or whether it's the normal port probes that all of us are seeing.

oompahloompah, posted October 11, 2004:
Mmm thanks. Well I've turned logging off now and I'll just sit tight and hope for the best that I don't get disconnected again.