A quick post for those more in the know than I: Since early April I'm being constantly bombarded by 4-5 intrusion attempts, and dozens of lesser communication inbounds, from Chinese IP 125.45.109.166 a day. A quick look on Google seems to indicate that this is occurring to more than a few people.
It seems Norton is blocking everything, but I'm very leery of attacks that have gone on this long, or if one occurs if Norton is down for some reason. Is there anything that can be done about this? Is there any security agency that monitors/responds to this type of prolonged attack? Most importantly, are there any settings I should adjust to further protect myself?
You could send an email to the abuse email address of the ISP responsible for the IP address to explain what is happening.
Here is the result of the whois lookup
inetnum: 125.40.0.0 - 125.47.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN
admin-c: CH1302-AP
tech-c: WW444-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HA
mnt-routes: MAINT-CNCGROUP-RR
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: 20051011
changed: 20051020
changed: 20090507
changed: 20090508
source: APNIC

route: 125.40.0.0/13
descr: CNC Group CHINA169 Henan Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: 20060118
source: APNIC
Thanks mdturner. I saw on Google several people had done that, but it doesn't hurt to add one more to the mix I guess. It's kind of depressing that hackers in China can run large-scale, constant portscan-vulnerability attacks for months with absolutely no real blow-back.
For anyone in the know, are there any settings I should tweak, or just let Norton continue to handle it? Thanks.
In a previous incarnation I was a Systems Administrator and often emailed abuse contacts to advise when my systems were being targeted. The response rates are about 50% so don't hold your breath - you may, however, get one of the good site administrators.
The Norton firewall will always block this type of traffic regardless of the frequency of the attacks. Even so, if thoughts of portscans still keep you awake at night you could buy an inexpensive router. Routers use Network Address Translation, one benefit of which is that no unsolicited traffic can get through to your computer. The router effectively hides your computer from the internet and drops portscans before your PC ever sees them. If you are looking to maximize your security against these types of attacks a layered approach with the addition of a router provides an affordable and proven way to enhance your protection.
re > Routers use Network Address Translation, one benefit of which is that no unsolicited traffic can get through to your computer. The router effectively hides your computer from the internet and drops portscans before your PC ever sees them.
How is NAT different or better than Norton's Stealth Blocked Ports?
When you turn on Stealth Blocked Ports, all ports on your computer are blocked from responding to incoming connection attempts. This feature also blocks unused ports.
Stealth Blocked Ports can also open some ports to listen to connections from other computers. This way, it prevents active ports from responding to connection attempts with incorrect source or destination information.
The Stealth Blocked Ports feature ensures that blocked ports and inactive ports do not respond to connection attempts.
As SendofJive mentioned, only the IP address of the router shows on the internet, and it comes complete with its own firewall and settings. Your personal IP address remains hidden. In this case, the user is concerned by what he is seeing, and with a NAT he would no longer be bothered by a great deal of what goes on on the internet.
I haven't actually given it much thought, but I have been behind a router for years, and have never had a port scan. It just reduces the need to rely on one form of protection.
re > only the IP address of the router shows on the internet.
With my modem only the IP address of the modem shows on the internet. So, I do understand the basics of an NAT router having its own FW and settings ...and I'll consider adding a basic NAT router. But, a basic NAT with/without SPI would still show my IP on the Internet. Interesting, that you are behind a router and never have portscans. My understanding is that my modem (no FW) with Norton Stealth Blocked Ports should by definition make my ports stealth. GRC ShieldsUp always reports 100% Stealth. My IP is broadcast (I'm not using OpenDNS or VPN) but my ports are invisible.
My understanding is that my portscans are random noise (not aimed at me or my specific ports)....that all users even users behind a router receive portscans.
For most home users a router assigns individual private IP addresses to the local computers connected to it. When one of these computers connects to a site on the internet the communication is sent out by the router using the public IP address assigned by your ISP. When the reply packets arrive the router needs to assign them back to the proper private IP address of the computer that initiated the connection. In other words, the router needs to match up the incoming traffic with the PC that requested it. If the router cannot determine which computer asked for the packets it simply does not allow them through. Since a portscan arrives without the communication having originated from a PC on the local network the router has no idea what to do with it - so it drops it. Your public IP address that portscans would target is actually the address of the router. Any computer connected to the router will have an individual private IP address that cannot be directly accessed via the internet. A hacker therefore needs to get through the router to attack your PC, and in a sense, the router can't figure out how to let that happen. So portscans might show up in a router log, but they never reach your computer or the Norton Firewall.
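The translation-table matching described in the post above, as an added sketch that is not part of the original thread: a toy NAT router that records outbound connections and forwards an inbound packet only when it matches a recorded mapping. The `NatRouter` class, the port numbers and the router, PC and server addresses are constructed for illustration, and the strict peer check is an assumption about how a given router filters.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    # (proto, public_port) -> (private_ip, private_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """A LAN host opens a connection: allocate a public port, record the mapping."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[(proto, pub_port)] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """A packet hits the public address: forward only if a mapping matches."""
        entry = self.table.get((proto, dst_port))
        if entry is None:
            self.log.append(f"DROP {proto} {src_ip}:{src_port} -> port {dst_port}: no mapping")
            return None
        priv_ip, priv_port, remote_ip, remote_port = entry
        # Assumption: strict (address- and port-dependent) filtering; some
        # routers accept any remote peer once a mapping exists.
        if (src_ip, src_port) != (remote_ip, remote_port):
            self.log.append(f"DROP {proto} {src_ip}:{src_port} -> port {dst_port}: wrong peer")
            return None
        return (priv_ip, priv_port)

def demo():
    # Constructed addresses: 203.0.113.10 (router), 192.168.1.20 (PC),
    # 198.51.100.7 (web server). The scanner IP is the one named in the thread.
    router = NatRouter("203.0.113.10")
    _, pub_port = router.outbound("tcp", "192.168.1.20", 51515, "198.51.100.7", 443)
    reply = router.inbound("tcp", "198.51.100.7", 443, pub_port)
    scan = [router.inbound("tcp", "125.45.109.166", 6000, p) for p in (22, 80, 445, 3389)]
    probe = router.inbound("tcp", "125.45.109.166", 6000, pub_port)
    return reply, scan, probe, router.log

if __name__ == "__main__":
    reply, scan, probe, log = demo()
    print("reply forwarded to", reply)
    print("\n".join(log))
```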
I just logged back in to edit update my message to delphinium...with the following (below) when I read your reply.
Maybe behind a router the portscans are blocked at the router and with just my modem the portscans are blocked at my computer...hence, I see them at my computer and delphinium never sees them.
I realize now this was all explained earlier...I was just stuck on hold and needed to get slapped.
Actually, I was addressing your earlier question about NAT vs. Norton Stealth but it took me so long to compose my simplified NAT explanation that you slipped in another comment before I was able to post. Therefore the slap was purely coincidental. But I suppose even an unintended slap is welcome if it gets you unstuck.
A big tip o' the cap for all who replied, double tip to SendofJive for the router explanation.
I was going to purchase a wireless router in the next few weeks as it happens, I take it those fit the bill of what you were discussing? Does Norton need any settings adjusted/have conflict issues with setting up a router, or is it pretty seamless?
Any router will do. There is nothing special you need to do with Norton, but you might want to study some of the Help topics concerning the Norton Network Security Map, which will help you manage the computers connected to the router. The most important things to do are to change the default password on the router and use WPA or WPA2 encryption for your Wi-fi. A short list of security measures to take, along with tutorials on each for different brands of routers can be found here:
It would appear likely. The term "gateway" means that it is the access point and handles the distribution of traffic. Unless you have some other form of complex connection set up, using two network adapters, it is possible. Have you opened IE and typed 192.168.1.254 into the address? This is a common address for accessing the settings on your router or gateway to make adjustments. You may find a whole new world of ways to screw up your internet connection.
So yes, your Motorola is serving many of the same purposes as an actual NAT. It drops unsolicited traffic, and distributes required traffic, which does add an extra layer of security.
I don't recommend adding a full-featured NAT to the mix, unless you intend to replace the Motorola. Some users have found it nearly impossible to get internet access because of a double-NAT error. You could contact your ISP and see if they provide routers free of charge, as mine does.
I ended up with a NAT originally because I required wireless access for a second computer, and received the router along with an internet upgrade to allow multiple machines. It was a great bargain.