Computer Security - TCP port attacks

Old 11-09-2003, 05:13 PM   #1
TCP port attacks


Hi I wonder if anyone can help me with this.

I have noticed recently that someone is scanning my system on an
almost constant basis (every 5 secs or so). The accesses are being
blocked by my Kerio personal firewall and their report looks a little
like this (I have taken out the time and date to make it smaller):

Rule 'TCP ack packet attack': Blocked: In TCP, power
[127.0.0.1:80]->localhost:1945, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, power
[127.0.0.1:80]->localhost:1945, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, power
[127.0.0.1:80]->localhost:1983, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP,
66.220.17.151:80->localhost:1983, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, power
[127.0.0.1:80]->localhost:1975, Owner: no owner

Now I believe the 127.0.0.1 should be a loop back from my own machine,
but there is nothing going out from my machine at all - it is just
receiving. So I figure that the scanner/attacker has somehow masked
their address. The port number is changing all the time. I have also
noticed that there are often accesses from 66.220.17.151:80 in between
the others and that typically this will be the same port as the
previous "loop back" one. I have checked out this address which is
something to do with the infamous www.lop.com, but I have little other
idea about what is happening and my ISP doesn't seem to want to know.
I have disconnected and reconnected several times (so getting
different IP addresses from my ISP) and the scans/attacks keep coming.

Can anyone help?

Mike


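An added example, not from the thread: a small Python script that parses Kerio Personal Firewall log entries in the form quoted above (including the two-line wrapping the newsreader introduced) and tallies them by source host and by local port. Run over a full log, it confirms the pattern the post describes by eye, the same local port appearing for 127.0.0.1 and for 66.220.17.151, instead of relying on reading the entries one by one; the sample input is the five quoted entries, embedded as a constructed string.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the five entries quoted in the post, as wrapped by the newsreader.
SAMPLE_LOG = """\
Rule 'TCP ack packet attack': Blocked: In TCP, power
[127.0.0.1:80]->localhost:1945, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, power
[127.0.0.1:80]->localhost:1945, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, power
[127.0.0.1:80]->localhost:1983, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP,
66.220.17.151:80->localhost:1983, Owner: no owner
Rule 'TCP ack packet attack': Blocked: In TCP, power
[127.0.0.1:80]->localhost:1975, Owner: no owner
"""
# The source is either "name [ip:port]" (reverse-resolved) or a bare "ip:port".
ENTRY_RE = re.compile(
    r"Rule '(?P<rule>[^']*)': (?P<action>\w+): (?P<direction>In|Out) (?P<proto>\w+), "
    r"(?:\S+ \[(?P<src>[^\]:]+):(?P<sport>\d+)\]|(?P<src2>[^\s\[:]+):(?P<sport2>\d+))"
    r"->(?P<dst>[^:,]+):(?P<dport>\d+), Owner: (?P<owner>.*)$")
def unwrap(text):
    """Rejoin wrapped entries: a line not starting with "Rule '" continues the previous one."""
    entries = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("Rule '") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries
def parse_entry(entry):
    """Return the entry's fields as a dict (ports as ints), or None for a non-matching line."""
    m = ENTRY_RE.match(entry)
    if m is None:
        return None
    d = m.groupdict()
    d.update(src=d["src"] or d["src2"], sport=int(d["sport"] or d["sport2"]), dport=int(d["dport"]))
    return d
def summarize(text):
    """Count entries per source host and record which source hosts hit each local port."""
    by_src, ports = Counter(), defaultdict(set)
    for rec in filter(None, map(parse_entry, unwrap(text))):
        by_src[rec["src"]] += 1
        ports[rec["dport"]].add(rec["src"])
    return by_src, dict(ports)
def shared_ports(ports):
    """Local ports hit from more than one source host: the pattern the post describes."""
    return sorted(p for p, srcs in ports.items() if len(srcs) > 1)
```

For the five quoted entries this gives four hits from 127.0.0.1 and one from 66.220.17.151, with local port 1983 the only one seen from both.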
Old 11-09-2003, 06:59 PM   #2
Chuck
Re: TCP port attacks
On 9 Nov 2003 09:13:36 -0800, (Mike Franklin) wrote:

>Hi I wonder if anyone can help me with this.
>
>I have noticed recently that someone is scanning my system on an
>almost constant basis (every 5 secs or so). The accesses are being
>blocked by my Kerio personal firewall and their report looks a little
>like this (I have taken out the time and date to make it smaller):
>
>Rule 'TCP ack packet attack': Blocked: In TCP, power
>[127.0.0.1:80]->localhost:1945, Owner: no owner
>Rule 'TCP ack packet attack': Blocked: In TCP, power
>[127.0.0.1:80]->localhost:1945, Owner: no owner
>Rule 'TCP ack packet attack': Blocked: In TCP, power
>[127.0.0.1:80]->localhost:1983, Owner: no owner
>Rule 'TCP ack packet attack': Blocked: In TCP,
>66.220.17.151:80->localhost:1983, Owner: no owner
>Rule 'TCP ack packet attack': Blocked: In TCP, power
>[127.0.0.1:80]->localhost:1975, Owner: no owner
>
>Now I believe the 127.0.0.1 should be a loop back from my own machine,
>but there is nothing going out from my machine at all - it is just
>receiving. So I figure that the scanner/attacker has somehow masked
>their address. The port number is changing all the time. I have also
>noticed that there are often accesses from 66.220.17.151:80 in between
>the others and that typically this will be the same port as the
>previous "loop back" one. I have checked out this address which is
>something to do with the infamous www.lop.com, but I have little other
>idea about what is happening and my ISP doesn't seem to want to know.
>I have disconnected and reconnected several times (so getting
>different IP addresses from my ISP) and the scans/attacks keep coming.
>
>Can anyone help?
>
>Mike


Mike,

Since you're concerned, the logical thing would be to look for malware
- Lop for instance. Get / update Spybot S&D and HijackThis - both
free. Start with this article:
http://forums.spywareinfo.com/index.php?showtopic=5187

Do you have a router, or are you just protected by Kerio?

Cheers,


Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.


Old 11-10-2003, 12:30 PM   #3
Robin T Cox
Re: TCP port attacks
(Mike Franklin) wrote in
news: om:

> Hi I wonder if anyone can help me with this.
>
> I have noticed recently that someone is scanning my system on an
> almost constant basis (every 5 secs or so). The accesses are being
> blocked by my Kerio personal firewall and their report looks a little
> like this (I have taken out the time and date to make it smaller):
>
> Rule 'TCP ack packet attack': Blocked: In TCP, power
> [127.0.0.1:80]->localhost:1945, Owner: no owner
> Rule 'TCP ack packet attack': Blocked: In TCP, power
> [127.0.0.1:80]->localhost:1945, Owner: no owner
> Rule 'TCP ack packet attack': Blocked: In TCP, power
> [127.0.0.1:80]->localhost:1983, Owner: no owner
> Rule 'TCP ack packet attack': Blocked: In TCP,
> 66.220.17.151:80->localhost:1983, Owner: no owner
> Rule 'TCP ack packet attack': Blocked: In TCP, power
> [127.0.0.1:80]->localhost:1975, Owner: no owner
>
> Now I believe the 127.0.0.1 should be a loop back from my own machine,
> but there is nothing going out from my machine at all - it is just
> receiving. So I figure that the scanner/attacker has somehow masked
> their address. The port number is changing all the time. I have also
> noticed that there are often accesses from 66.220.17.151:80 in between
> the others and that typically this will be the same port as the
> previous "loop back" one. I have checked out this address which is
> something to do with the infamous www.lop.com, but I have little other
> idea about what is happening and my ISP doesn't seem to want to know.
> I have disconnected and reconnected several times (so getting
> different IP addresses from my ISP) and the scans/attacks keep coming.
>
> Can anyone help?
>
> Mike
>


In Kerio, logging suspicious packets in Advanced > Miscellaneous view will
generate the "ack" packet logs.

See:
http://www.dslreports.com/forum/rema...erio~mode=flat



Old 11-11-2003, 06:52 PM   #4
Mike Franklin
Re: TCP port attacks
Hi Chuck,

Thanks for your response.

> Since you're concerned, the logical thing would be to look for malware
> - Lop for instance. Get / update Spybot S&D and HijackThis - both
> free. Start with this article:
> http://forums.spywareinfo.com/index.php?showtopic=5187


I'll have to have a look at that - just got to find the time!

> Do you have a router, or are you just protected by Kerio?


don't have a router - just a simple dial up connection with Kerio
running. I live in the remote highlands of Scotland and it's going to
be a while before I get any kind of broadband connection to make me
even think about a more sophisticated set up!

The annoying thing is that the continuous tickle to my connection
stops my system from doing an idle timeout and hanging up the line.

Cheers Mike


Old 11-11-2003, 06:54 PM   #5
Mike Franklin
Re: TCP port attacks
Robin T Cox <> wrote in message
> In Kerio, logging suspicious packets in Advanced > Miscellaneous view will
> generate the "ack" packets logs.


Yup, that's how I got the report. Set it to log suspicious packets as I
was trying to see who or what was continuously scanning me. I am just
wondering what these could be and if there is any way of stopping them
doing it.

Mike


Old 11-12-2003, 12:28 AM   #6
Chuck
Re: TCP port attacks
On 11 Nov 2003 10:52:06 -0800, (Mike Franklin) wrote:

>Hi Chuck,
>
>Thanks for your response.
>
>> Since you're concerned, the logical thing would be to look for malware
>> - Lop for instance. Get / update Spybot S&D and HijackThis - both
>> free. Start with this article:
>> http://forums.spywareinfo.com/index.php?showtopic=5187

>
>I'll have to have a look at that - just got to find the time!
>
>> Do you have a router, or are you just protected by Kerio?

>
>don't have a router - just a simple dial up connection with Kerio
>running. I live in the remote highlands of Scotland and it's going to
>be a while before I get any kind of broadband connection to make me
>even think about a more sophisticated set up!
>
>The annoying thing is that the continuous tickle to my connection
>stops my system from doing an idle timeout and hanging up the line.
>
>Cheers Mike


Mike,

I'm not sure, but I'd suspect a router blocking the constant tickle
might be more responsive to your wanting to hang up the line when
you're idle.

Routers that support PPP dialup are available - they're not as cheap
as broadband routers (my SMC PPP router cost $80 for the equivalent of
a $50 broadband only Linksys). They do take the load off the cpu by
blocking the crappy traffic AND by letting me remove DUN (RAS). Come
to think of it, RAS was a considerable drain on the cpu by itself (I
last used RAS on a PII 450).

The biggest benefit of the router, for me, was removing the proxy
server (that you don't need with just 1 computer). But the two weeks
I spent early this year, on dialup, waiting for my DSL to be
transferred to my current ISP, was not nearly as traumatic for me with
my SMC to manage my dialup connection than it would have been with RAS
and a proxy server. My dialup connection was waaay more stable with
the router than I ever remember it under RAS.

Unfortunately, all dialup services are NOT PPP compatible. My mother
is on MSN - it requires their custom client software - I spent a week
there this year (and wasted about $200) trying to get an SMC dialup
router to work on her MSN. (

Cheers,

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.


Old 11-12-2003, 03:52 PM   #7
Robin T Cox
Re: TCP port attacks
(Mike Franklin) wrote in
news: om:

> Robin T Cox <> wrote in message
>> In Kerio, logging suspicious packets in Advanced > Miscellaneous view
>> will generate the "ack" packets logs.

>
> Yup, that's how I got the report. Set it to log suspicious packets as I
> was trying to see who or what was continuously scanning me. I am just
> wondering what these could be and if there is any way of stopping them
> doing it.
>
> Mike


I think the suggestion in the link I quoted is that the Kerio setting
itself simply generates a lot of false positives, and so nobody is actually
scanning you.


Old 11-13-2003, 12:58 PM   #8
Mike Franklin
Re: TCP port attacks
Chuck <> wrote in message
> Mike,
>
> I'm not sure, but I'd suspect a router blocking the constant tickle
> might be more responsive to your wanting to hang up the line when
> you're idle.
>
> Routers that support PPP dialup are available - they're not as cheap
> as broadband routers (my SMC PPP router cost $80 for the equivalent of
> a $50 broadband only Linksys). They do take the load off the cpu by
> blocking the crappy traffic AND by letting me remove DUN (RAS). Come
> to think of it, RAS was a considerable drain on the cpu by itself (I
> last used RAS on a PII 450).
>
> The biggest benefit of the router, for me, was removing the proxy
> server (that you don't need with just 1 computer). But the two weeks
> I spent early this year, on dialup, waiting for my DSL to be
> transferred to my current ISP, was not nearly as traumatic for me with
> my SMC to manage my dialup connection than it would have been with RAS
> and a proxy server. My dialup connection was waaay more stable with
> the router than I ever remember it under RAS.
>
> Unfortunately, all dialup services are NOT PPP compatible. My mother
> is on MSN - it requires their custom client software - I spent a week
> there this year (and wasted about $200) trying to get an SMC dialup
> router to work on her MSN. (
>
> Cheers,
>
> Chuck


Thanks for that Chuck, very interesting. I'll have to investigate a
router - I confess I'm not very knowledgeable about networks and stuff
and had always thought such things were for much larger setups.

Mike


Old 11-13-2003, 01:00 PM   #9
Mike Franklin
Re: TCP port attacks
> I think the suggestion in the link I quoted is that the Kerio setting
> itself simply generates a lot of false positives, and so nobody is actually
> scanning you.


My profound apologies - I missed the link altogether in your post
(doh) and have now had a look at it and it does seem very interesting.
I have now applied most of the ideas discussed in that thread and it
now looks more like the traffic on my connection is primarily echo
requests from my own ISP.

Mike


Old 11-14-2003, 10:18 AM   #10
Robin T Cox
Re: TCP port attacks
(Mike Franklin) wrote in
news: om:

>> I think the suggestion in the link I quoted is that the Kerio setting
>> itself simply generates a lot of false positives, and so nobody is
>> actually scanning you.

>
> My profound apologies - I missed the link altogether in your post
> (doh) and have now had a look at it and it does seem very interesting.
> I have now applied most of the ideas discussed in that thread and it
> now looks more like the traffic on my connection is primarily echo
> requests from my own ISP.
>
> Mike
>


No problem - I must confess that when I first came across this it seemed
very odd!

Robin

