TCP port attacks
Posted by Mike Franklin on November 9th, 2003


Hi I wonder if anyone can help me with this.

I have noticed recently that someone is scanning my system on an
almost constant basis (every 5 secs or so). The accesses are being
blocked by my Kerio personal firewall and their report looks a little
like this (I have taken out the time and date to make it smaller):

Rule 'TCP ack packet attack': Blocked: In TCP, power [127.0.0.1:80]->localhost:1945, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, power [127.0.0.1:80]->localhost:1945, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, power [127.0.0.1:80]->localhost:1983, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, 66.220.17.151:80->localhost:1983, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, power [127.0.0.1:80]->localhost:1975, Owner: no owner

Now I believe the 127.0.0.1 should be a loop back from my own machine,
but there is nothing going out from my machine at all - it is just
receiving. So I figure that the scanner/attacker has somehow masked
their address. The port number is changing all the time. I have also
noticed that there are often accesses from 66.220.17.151:80 in between
the others and that typically this will be the same port as the
previous "loop back" one. I have checked out this address which is
something to do with the infamous www.lop.com, but I have little other
idea about what is happening and my ISP doesn't seem to want to know.
I have disconnected and reconnected several times (so getting
different IP addresses from my ISP) and the scans/attacks keep coming.

Can anyone help?

Mike
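To see the pattern Mike describes at a glance (every blocked packet comes from port 80, every local port is an ephemeral one, and the 66.220.17.151 entries land on the same local port as the preceding loopback entry), here is a small parser for Kerio "TCP ack packet attack" log lines. It is an added example, not part of the original thread or of Kerio; the sample input is constructed from the five lines quoted above with the date and time removed, and the "stray web ACK" heuristic is my own rule of thumb, not a Kerio feature.

```python
"""Parse Kerio Personal Firewall 'TCP ack packet attack' lines and summarise
them by local port. Added example, not from the original post or from Kerio."""
import re
from collections import defaultdict

# Sample input constructed from the log lines quoted in the post (date/time removed).
SAMPLE_LOG = """\
Rule 'TCP ack packet attack': Blocked: In TCP, power [127.0.0.1:80]->localhost:1945, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, power [127.0.0.1:80]->localhost:1945, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, power [127.0.0.1:80]->localhost:1983, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, 66.220.17.151:80->localhost:1983, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, power [127.0.0.1:80]->localhost:1975, Owner: no owner
"""

# Kerio prints an optional resolved name ("power") before the bracketed address,
# or a bare ip:port when no name resolved. Both forms are handled here.
LINE_RE = re.compile(
    r"Rule '(?P<rule>[^']+)': Blocked: (?P<direction>In|Out) TCP, "
    r"(?:(?P<host>\S+) )?\[?(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)\]?"
    r"->(?P<dst_host>[^:,]+):(?P<dst_port>\d+)"
)


def parse_log(text):
    """Return one dict per parsed line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["src_port"] = int(d["src_port"])
            d["dst_port"] = int(d["dst_port"])
            events.append(d)
    return events


def summarize_by_local_port(events):
    """Map each local (destination) port to the list of source ip:port that hit it."""
    by_port = defaultdict(list)
    for e in events:
        by_port[e["dst_port"]].append(f'{e["src_ip"]}:{e["src_port"]}')
    return dict(by_port)


def ports_hit_by_both(events, a_ip, b_ip):
    """Local ports that received packets from both a_ip and b_ip: the
    'same port as the previous loop back one' observation from the post."""
    seen = defaultdict(set)
    for e in events:
        seen[e["dst_port"]].add(e["src_ip"])
    return sorted(p for p, ips in seen.items() if {a_ip, b_ip} <= ips)


def looks_like_stray_web_acks(events):
    """Heuristic (my assumption, not a Kerio rule): if every packet comes from a
    web server port (80/443) and lands on an ephemeral local port (>= 1024), the
    traffic fits leftover web-session ACKs rather than a scan of service ports."""
    if not events:
        return False
    return all(e["src_port"] in (80, 443) and e["dst_port"] >= 1024 for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for port, sources in sorted(summarize_by_local_port(evs).items()):
        print(f"local port {port}: {', '.join(sources)}")
    print("ports hit by both loopback and 66.220.17.151:",
          ports_hit_by_both(evs, "127.0.0.1", "66.220.17.151"))
    print("consistent with stray web ACKs:", looks_like_stray_web_acks(evs))
```

Run as-is to see the five sample entries grouped by local port; to triage a real Kerio log, read the file into `parse_log` instead of `SAMPLE_LOG`. A genuine port scan would show many distinct, low-numbered local ports and varied source ports, which this summary would make obvious.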

Posted by Chuck on November 9th, 2003


On 9 Nov 2003 09:13:36 -0800, mike.franklin@btinternet.com (Mike
Franklin) wrote:

Mike,

Since you're concerned, the logical thing would be to look for malware
- Lop for instance. Get / update Spybot S&D and HijackThis - both
free. Start with this article:
http://forums.spywareinfo.com/index.php?showtopic=5187

Do you have a router, or are you just protected by Kerio?

Cheers,


Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.

Posted by Robin T Cox on November 10th, 2003


mike.franklin@btinternet.com (Mike Franklin) wrote in
news:eee61b4f.0311090913.44efa0c2@posting.google.com:

In Kerio, logging suspicious packets in Advanced > Miscellaneous view will
generate the "ack" packets logs.

See:
http://www.dslreports.com/forum/rema...erio~mode=flat


Posted by Mike Franklin on November 11th, 2003


Hi Chuck,

Thanks for your response.

I'll have to have a look at that - just got to find the time!

I don't have a router - just a simple dial up connection with Kerio
running. I live in the remote highlands of Scotland and it's going to
be a while before I get any kind of broadband connection to make me
even think about a more sophisticated set up!

The annoying thing is that the continuous tickle to my connection
stops my system from doing an idle timeout and hanging up the line.

Cheers Mike

Posted by Mike Franklin on November 11th, 2003


Robin T Cox <robin2803@hotmail.com> wrote in message
Yup, that's how I got the report. Set it to log suspicious packets as I
was trying to see who or what was continuously scanning me. I am just
wondering what these could be and if there is any way of stopping them
doing it.

Mike

Posted by Chuck on November 11th, 2003


On 11 Nov 2003 10:52:06 -0800, mike.franklin@btinternet.com (Mike
Franklin) wrote:

Mike,

I'm not sure, but I'd suspect a router blocking the constant tickle
might be more responsive to your wanting to hang up the line when
you're idle.

Routers that support PPP dialup are available - they're not as cheap
as broadband routers (my SMC PPP router cost $80 for the equivalent of
a $50 broadband only Linksys). They do take the load off the cpu by
blocking the crappy traffic AND by letting me remove DUN (RAS). Come
to think of it, RAS was a considerable drain on the cpu by itself (I
last used RAS on a PII 450).

The biggest benefit of the router, for me, was removing the proxy
server (that you don't need with just 1 computer). But the two weeks
I spent early this year, on dialup, waiting for my DSL to be
transferred to my current ISP, was not nearly as traumatic for me with
my SMC to manage my dialup connection than it would have been with RAS
and a proxy server. My dialup connection was waaay more stable with
the router than I ever remember it under RAS.

Unfortunately, all dialup services are NOT PPP compatible. My mother
is on MSN - it requires their custom client software - I spent a week
there this year (and wasted about $200) trying to get an SMC dialup
router to work on her MSN. (

Cheers,

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.

Posted by Robin T Cox on November 12th, 2003


mike.franklin@btinternet.com (Mike Franklin) wrote in
news:eee61b4f.0311111054.5868d20e@posting.google.com:

I think the suggestion in the link I quoted is that the Kerio setting
itself simply generates a lot of false positives, and so nobody is actually
scanning you.

Posted by Mike Franklin on November 13th, 2003


Chuck <cacrollthespam@yahoo.com> wrote in message
Thanks for that Chuck, very interesting. I'll have to investigate a
router - I confess I'm not very knowledgeable about networks and stuff
and had always thought such things were for much larger setups.

Mike

Posted by Mike Franklin on November 13th, 2003


My profound apologies - I missed the link altogether in your post
(doh) and have now had a look at it and it does seem very interesting.
I have now applied most of the ideas discussed in that thread and it
now looks more like the traffic on my connection is primarily echo
requests from my own ISP.

Mike

Posted by Robin T Cox on November 14th, 2003


mike.franklin@btinternet.com (Mike Franklin) wrote in
news:eee61b4f.0311130500.3b8b6879@posting.google.com:

No problem - I must confess that when I first came across this it seemed
very odd!

Robin

Posted by Gigi on November 14th, 2003


On 9 Nov 2003 09:13:36 -0800, mike.franklin@btinternet.com (Mike
Franklin) wrote:

When the "Microsoft Update" and "undeliverable message" stuff started
making the rounds the uninvited traffic count blocked by my firewall
went from about 24 individual (different IPs) packets per hour to
about 900 per hour. Maybe once a day I get a port scan attack. Usually
from the same IP. 95% or more of these come from users of my ISP,
nationwide, probably from users who opened the attachments. The rest
come from IPs from around the world. Several from China and South
America. Often these do not respond to a ping by my trace program. I
am running Windows 98 2nd Edition with McAfee software. I have had
only one response to several e-mails to different members of my ISP.
That was 13 computer responses with different case #s acknowledging
receipt of my e-mail. Obviously they are bugged. Which is possibly one
of the aims of the attacks.
Gigi