Xmas Port Scan Attack

[+shift. MVC]

page 1 of 28

Time Message

Sep 18 16:34:04 Xmas port scan attack from WAN (ip:222.152.234.171) detected.

Sep 18 16:33:52 Xmas port scan attack from WAN (ip:202.166.204.9) detected.

Sep 18 16:33:15 Xmas port scan attack from WAN (ip:81.178.94.132) detected.

Sep 18 16:31:53 Xmas port scan attack from WAN (ip:202.166.204.9) detected.

Sep 18 16:31:34 Xmas port scan attack from WAN (ip:82.238.17.115) detected.

Sep 18 16:29:00 Xmas port scan attack from WAN (ip:65.54.195.185) detected.

Sep 18 16:28:59 Xmas port scan attack from WAN (ip:65.54.195.185) detected.

Sep 18 16:28:55 Xmas port scan attack from WAN (ip:142.165.165.20) detected.

Sep 18 16:28:52 Xmas port scan attack from WAN (ip:83.28.137.30) detected.

Sep 18 16:28:22 SYN-ACK port scan attack from WAN (ip:80.162.40.155) detected.

Thats page 1 of 28.

2 of 28

Sep 18 16:35:22 Xmas port scan attack from WAN (ip:82.238.17.115) detected.

Sep 18 16:35:15 Xmas port scan attack from WAN (ip:81.178.94.132) detected.

Sep 18 16:34:45 Xmas port scan attack from WAN (ip:222.152.234.171) detected.

Sep 18 16:34:18 Xmas port scan attack from WAN (ip:65.23.219.50) detected.

Sep 18 16:34:04 Xmas port scan attack from WAN (ip:222.152.234.171) detected.

Sep 18 16:33:52 Xmas port scan attack from WAN (ip:202.166.204.9) detected.

Sep 18 16:33:15 Xmas port scan attack from WAN (ip:81.178.94.132) detected.

Sep 18 16:31:53 Xmas port scan attack from WAN (ip:202.166.204.9) detected.

Sep 18 16:31:34 Xmas port scan attack from WAN (ip:82.238.17.115) detected.

Sep 18 16:29:00 Xmas port scan attack from WAN (ip:65.54.195.185) detected.

Sep 18 16:28:22 SYN-ACK port scan attack from WAN (ip:80.162.40.155) detected.

Thats on page 3.

Is my router blocking those attacks? Or am I being hacked? I have no idea. Can someone please advise.

[Bi0haZarD]

those are just portscans, meaning they're looking for specific ports like 80, 21, 23, 25, 1025, etc... if they found something like port 80 (HTTP Web Server) they'd check to see if its running IIS, or what, and see if there's any vulnerabilities..

if you're not hosting anything then it shouldn't be a problem.

[+shift. MVC]

Well. I have Zone Alarm now. And it's registered just over 4100 blocked access attempts since install (and I installed it about 5 hours ago) while my dads Zone Alarm has been installed for over 6 months and only has around 250 blocked access attempts.

[+BudMan MVC]

Sounds like someone is running P2P ;)

[+shift. MVC]

Well I have Battle.net running, and I occassionally download from BitTorrent. But I don't leave it on.

[+BudMan MVC]

And what you think once you shutdown BT.. the traffic to your machine just stops?

And what Battle.net does not create traffic to and from your machine?

[+shift. MVC]

I didn't think it would be 28 pages of port scan attacks. But thanks for increasing my....internet security awareness.

[+BudMan MVC]

I highly doubt they are port scan attacks.. I would guess they are just your router misreporting the traffic as an attack ;)

an XMAS port scan has to do with flags being set on the packet, ie the FIN, PSH, and URG flags are set.. ie lighting the packet up like a xmas tree. Hence the name ;)

But yes running BT will creates loads of traffic to your machine for days to come!

I show 369 hits a couple of days ago from BT..

And last time I ran it was like the 16th -- today I still show 203 hits from BT.. Have not ran it since the 16th..

Why do you think quite a few router have issues with BT? They have very limited amounts of ram.. And default to leaving connections open for like 5 days or something. This can suck up the ram of the device very quickly ;) And also depending on the router, they can most of the time misinterpret the traffic as an attack.. and fill up their logs very quickly as well.

I doubt your router has the ability to customize what is logged and what is just dropped, etc. But do you really think your getting port scanned from all those different IPs in the short amount of time you posted.. what like 5 minutes -- 10 different IPs.. most likely from all over the planet..

That 81.178.94.132 is UK, that 222.152.234.171 is NZ, shoot 65.54.195.185 is Microsoft.. You think they are xmas port scanning you ;)

[+shift. MVC]

Ooh. Okay, thanks. Yeah my routers a D-Link DL-524.