View Full Version : Zone Alarm vs BlackIce

06-12-00, 06:37 AM
I became very paranoid reading some postings and decided to install both ZoneAlarm and BlueIce. I have a cable modem Internet connection.

In the past 60 minutes, ZoneAlarm gave me 5 alerts, such as:

"The firewall has blocked Internet access to your computer (UDP Port 6970) from g2.prima.com.ar ( (UDP Port 20858)."

while BlueIce none.

I wonder why is this happening? Any idea?

06-12-00, 07:44 PM
Perhaps there is a pecking order as to which program sees the scan first? If ZoneAlarm blocks it then Black Ice does not see it at all? Test would be to right click on ZA, then shutdown, and see if Black Ice picks them it. Here is the WhoIs (http://www.arin.net/whois/index.html) info on the IP you gave:

Lima 1261
Buenos Aires, 1138

Netname: PRIMA-BLK-1
Netblock: -
Maintainer: PRIA

Fernandez, Miguel (MF127-ARIN) mfdez@PRIMA.COM.AR

Domain System inverse mapping provided by:


Record last updated on 15-Mar-2000.
Database last updated on 12-Jun-2000 17:48:06 EDT.


06-12-00, 09:10 PM
What you said makes a lot of sense. Thanks again Ron.

I took note of the WhoIs link as well.

Now, having the information provided by WhoIs, what would be the next step? Is there a place where to report it?

06-13-00, 06:12 PM
Here are some of my thoughts. I have used BlaceIce, ZoneAlarm, Norton Internet Security 2000 & another.

I get numerious «attacks» no mater which one I use. I have noticed, in six months, that 98% of the so called attacks happen during normal business hrs. I seldom, in six months, have been "attacked" in the early AM hrs., late PM hrs. or on weekends.

I have started to think, that, in addition to the hacker/slackers out there, there is internet «noise» and/or echos....whatever.

Just like some e-mail goes to never-never land & never gets received...I think some of these signals are just background stuff.

Six months ago, I wanted to call the FBI on all of them...too many...I'd be on the phone now & not be typing this.

They get blocked...fine with me...let the hacker/slackers have at it.

My 2˘

06-13-00, 07:23 PM
Chacmool is right. While it is interesting to find out where they are coming from, you are likely wasting your time to report it. At each WhoIs hit there is a person to e-mail to report concerns. For the IP you reported it would be mfdez@PRIMA.COM.AR (Miguel Fernandez). The other thing you can check is the port they have scanned. In your case it was UDP Port 6970. At this link (http://packetstorm.securify.com/papers/firewall/firewall-seen.htm) there are a number of other links to track down the significance of the port and whether or not it is one used by a trojan. Network Ice report this information for your Port 6970 (http://advice.networkice.com/advice/Exploits/Ports/6970/default.htm). Does not appear likely to be a real threat, and could be one of those lost packets.


06-13-00, 07:43 PM
Thank you guys for your comments. I really appreciate them.

Needless to say that I am a newby here, and this is the first time that I am taking my computer's security seriously.

When you read about the harm that can be done to people through the Internet, it pays off to be informed and to take minimal measures to protect yourself.

Again, thank you guys for your help and suggestions.