I was fed up with the constant scanning of my ports by the @home tech freaks, so I decided to scan back, then I sat back to watch some TV and my modem lights started blinking wildly (flashing RED too!) and since then my modem is less than half as fast. I thought to complain, but we all know how far I will get with that, so it's DSL time for me.
"The Services may not be used to breach the security of another user" ... "Use or distribution of tools designed for compromising security, such as password guessing programs, cracking tools, packet sniffers or network probing tools, is prohibited."
MmmHmm...so, you're saying *you* deliberately violated your AUP, and this is somehow @home's fault.
Ooooookay. Let me ask, if you go speeding through stoplights, and dealing crack, is it the police's fault for arresting you too?
I mean, at what point are YOU going to accept responsibility for YOUR actions?
I would suspect that they have put you behind a firewall and are monitoring your traffic in order to protect other customers, and see if there's a case for booting you off @home for running a BO server or other nasties. I'm sure other customers appreciate their doing so in order to keep you from probing their system ports on the @home network.
Enjoy your xDSL. See you in 3 weeks to two months when they finally get it installed.
Regards,
-Bouncer-
------------------
"Yeah Baby, YEAH!!!"
[This message has been edited by Bouncer (edited 04-14-2000).]
The day before this nonsense started, my firewall was constantly going BEEP every time I did anything, browse the web, check my mail, the firewall said it was the proxy site ICMP nuking me over and over, this never happened before, and all of a sudden I have to listen to this BONG alert over and over again. So I started watching the firewall, and I saw my ports were being scanned, so I scanned back. I fail to see how that is wrong. I have never tried port scanners or any such thing in my life, it is not in my nature, but when my firewall says I'm being attacked by my own ISP, for no reason, what should I do, call tech support? I tried, nobody answers the phone. I don't run an ftp, I don't play net war, why pick on me? There are so many others causing so many problems, why me? Honestly I don't understand.
All I did was scan back, so @home can scan me day after day for no reason, but I get punished for scanning ONCE.
You had also better consider the fact you should watch out who you go pissing off... there are some lunatics out there that might spend all of their time scanning you for the rest of their lives.
Also, don't get ticked until you are sure it is an attempt to break in, and you are sure it's not your computer. I tripped my own damn wall. Windows is nice enough when it sees another Windows site to probe on its own.
On port 137, my log has one ISP scan, one unknown probe (which I assume is the same as above in the opposite of above) and one to two per day of my computer doing the request on 137.
Another point to consider:
If someone scans your ports for a trojan or simply pings for pcanywhere or just plain is pinging a series of IPs cause they can (kids w/ toys), then you really have nothing to worry about UNLESS you have a trojan installed. If you don't have file & print sharing installed or the Client for MS Networks installed (network neighborhood) then the guys scanning & pinging won't even know you exist! Responding to their probes, one way or the other TELLS them that YOU ARE THERE! You have now made yourself a target!
There are network engineers that can do just about anything w/ the right tools to compromise your system. But those guys don't go around sniffin your box. (no pun intended!) They have good jobs & have some ethics. Besides, they're busy pingin & probin the networks they manage.
I have RR & they periodically run scans for FTP ports, some trojans, etc. And some firewalls will mis-interpret the modem refresh as a port scan by the ISP!
As for the scans, heck, I ignore most of em. Why let em know I'm here & a potential target for a DoS or some other nuke job. They're just LOOKING for something. They can look all they want. When they SEE something then I will worry! And if they FIND something then I'll find out who they are & then get their email & sign em up for free porn subscriptions! Then I'll tell their mommy.
Wow, lots of help here, OK so here it is more clearly, from my perspective
Everything was fine, then one day (yesterday) my Firewall went bong (here is the relevant bit) every time I hit a web page or checked my mail or anything. It said the IP in question was ICMP'ing me, no big deal like Bouncer said, but this had never happened before, ever. At first I assumed that my ISP had made some sort of change as the IP resolved to a proxy server. But then it kept happening, every single click I made to the net would result in this ICMP (ICPM?) hit, and the firewall went BONG!, so I started watching the FW log, and I noticed that 'hidden' in it was what looked like a port scan coming synchronously from a set of other IPs, right in sync with my page hits and other activity, as if to say 'we are scanning your ports, but we're gonna do it right in sync with your actions so you don't notice your modem blinking for no reason'. I could not resolve the port scanners' IPs without dropping the firewall, anyways I didn't care. Scan my ports all you want, there is nothing to find, but don't try to hide that fact, just do it, quickly, (I am pretty sure it was a coordinated port scan because several IPs were involved, each one stealthily checking one port, then the next, and so on, it looked automated) but what bothered me was the ICMP hit and the resultant BONG alert, which is fine, I could make a rule to accept it from that proxy IP, but why all of a sudden? and why never before? and why relentlessly? so then I searched for a war tool, and of course easily found some pinger, so I pinged the hell out of those IPs, this seemed to accelerate the port scan, so then I searched for a port scanner, ran it 6 instances parallel, and scanned the hell out of those IPs, all the while my firewall going BONG BONG BONG...
After 10min or so of that, the BONGing stopped cold. I waited a moment and then killed the port scanning, then I started to watch some TV, about 30min later my modem went offline and blinked wildly... I kept watching TV, about 30min after that it did it again (both times acting as if I had unplugged it) red lights and green lights flashing wildly...
So I don't know anything about TCP and even less about attacks and such, I was being hammered and it 'seemed' to be coming from @home, but I don't know.
There was nothing I did that could have prompted the attack 'if that's what it was' I don't mess with that bologna.
Anyways, thanks all for your thoughts, all is quiet again
I was having the SAME Problem with @Home... So I actually called them, here is the conversation:
"Are you scanning my machine TCP ports?"
"Yes, we do this on all customers"
"Please refrain from this, if you continue to do this I will give you plenty good reasons not to."
"Yes Sir, we will remove you from the list"
There you go, all these people who suck-up to the cable companies saying 'it's your fault' are just wussies... you PAY for the service, and therefore you are the MOST important link in the chain.
(screeching sound)
Wait a second...you're saying you were getting ICMP messages from your proxy server?
Sigh...ICMP is ping.
Do you have your firewall set on paranoid?
What's most likely happening is someone using gamespy or some other ping tool is simply trying to see if you are playing a game online like Half-Life/Quake/Unreal etc.
They are outside the firewall doing a ping sweep, and the firewall simply passes that ping to you. You are gonna hear this all day, everyday, forever, unless you do something about it. It's probably not @home at all.
Does your firewall not have the ability to turn the audio alarm off, or the ability to not alarm on ping messages?
I'm also a little confused here. I'm not being picky, but how did you "scan back" if you've never tried scanners before in your life?
The statements seem contradictory to me, unless what you're saying is that you went out, found some sort of port scanner, used it, and then your cable modem went nuts.
You are still responsible. Period. I'm not even sure @home is doing anything to you at all since from what you've said, you responded to an outside ping source.
Even if they are, you may have an option though. Effectively, you'll need to turn off your modem (unplug it) for about four hours, and then reinitialize. You'll then have to basically NOT scan ANYTHING for about a month. They're probably simply logging you because you set off an intrusion alarm. If there's no repeat of the activity, they'll stop logging in a few days or weeks.
Turning off the modem lets it clear any cache, and hopefully will clear any collision issues that may be occurring because of a sudden routing switch (to put you behind a firewall).
As for @home, I wonder if you'd be as upset, if someone were trying to run a BO scan on your system, and @home swooped down and made the bad man disappear. I doubt there'd be any complaints about privacy then. It's a relative issue. Users want more security, they give up some privacy. Nature of the beast. It's not personal, you know.
Regards,
-Bouncer-
------------------
"Yeah Baby, YEAH!!!"
[This message has been edited by Bouncer (edited 04-14-2000).]
Yes, exactly, I searched the net (reluctantly for the first time ever) for war tools and found a port scanner, ran it 6 times side by side and scanned the 'attacker' like a mad man (I was mad). I knew it was wrong, but as I said earlier, I was 'defending' myself.
Thank-you for your suggestion regarding the modem cache. I hope it works for 'my' Terayon. And I have no intention to do port scanning, of course I have better things to do with all this bandwidth...
And thank-you for your attention, up until this incident, I can honestly say I have NO complaints with @home (I'm not sure why so many other people complain about their speed etc. my speed has been outstanding without exception, 99% uptime) except for the SPAM problem...
That is right Bouncer. I used to run Blackice and also was told by Blackice that my proxy was trying to get me. Ridiculous.
I had mine set to nervous. It also said that ICQ was trying to get me as well. Stupid.
The only port that is open (unless you are running a server or network) is Netbios port 139. And, your computer cannot be accessed, the only thing that can be gotten is your computer name and ip address. And, they can get that anyway. I got tired of the blue screens of death when I would shut down and the constant warnings that someone was trying to get me. Pcanywhere pings, proxy, ICQ...etc. Ridiculous.
Actually I have had a similar experience with @home and continue to do so... Every day actually about 4 times a day or more my Black Ice and/or Jammer goes off saying that 24.0.94.130, authorize-scan.security.home.com is doing a TCP port scan. It wouldn't bother me so much but it happens like I said about 4-12 times a day. I have the logs to prove it. A warning to anyone that uses Black Ice though. It is good but it does its job too good. You will get many false reports, it is way too sensitive, even to have it set at the lowest trusting setting you will have false reports. Just be knowledgeable about the different types of attacks and know what Black Ice and other programs like Jammer do and report back to you. Knowledge is key. But I agree it gets a bit annoying and childish when they Port Scan whether it is TCP, NNTP, or whatever you to death. Granted NNTP is just Network News. Knock it off @home LOL.
Setting in my corner feeling crappy for myself.
Krugar
I went to home.net; found out it's @home; got pissed at the "bastards" (more because of all neg. press they get here on this board than the probes) and called them in Calif. (I live in DFW, TX) area.
Anyway, I did NOT ask to talk to tech support, I asked for someone in their internet security fraud dept. The @home "bastard" was not one & was quite helpful. He worked with me, over the phone and assured me it wasn't @home.
Take a look at an earlier post, to you, from VALENTINEDWV concerning www.arin.net because... the @home guy walked me through what he was doing (my @home security buddy and I- can't call him a bastard anymore- were on the net at the same time) and we wound up at the above site. Found the IP is some outfit in AZ, not @home. They have the above IP which is one of an entire block of IPs registered in their name.
So that's my input. Just some additional info for you. Maybe it's not all what it appears to be...I don't know.
[This message has been edited by chacmool (edited 04-16-2000).]
I hope that you people are starting to understand that you do not need Blackice!
There are only a select few of you that actually need a port watching/firewall program. I believe that these programs are almost completely useless. The ports that are being probed are NOT opened anyway. All you are doing is stressing yourself out. Do what I did, remove Blackice from your computer! That is the sure fire way of never seeing those irritating flashing red Blackice attack icons in the system tray again! If you want to continue to be obsessive/compulsive about this, then go ahead, feel free to run your port watching/firewall program. But, I for one know that the only port open (unless you are running a server or network at your house with file and print sharing turned on) is port 139. Also, remember that it is to the advantage of software companies to tell you that you are in danger on a cable modem so that they can sell you useless software. I fell for it for 2 months, then I finally got tired of the bsod's and false attacks.
Or better yet, use ZoneAlert! which is entirely free and lets you set permission to certain programs like ICQ. That means when someone messages you on ICQ, ZA doesn't freak out and think it's an attacker.
Cox@Home around here (Phx area) performs NNTP port probes. I had 2 techs try to tell me that they were necessary to verify connectivity. Bull. They need only run a ping to verify that. Bunch of crap.
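The alerts argued over in this thread fall into a few distinguishable cases: ICMP from a single host, traffic the local machine itself originates (such as NetBIOS on port 137), one source touching many ports, and several sources each touching one port. The sketch below is an added example, not code from any poster; the log format, the addresses and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed firewall log for illustration (format and addresses are invented):
# time proto src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
12:00:01 ICMP 192.0.2.10 - 10.0.0.5 -
12:00:02 ICMP 192.0.2.10 - 10.0.0.5 -
12:00:05 UDP 10.0.0.5 137 192.0.2.77 137
12:01:00 TCP 203.0.113.20 40001 10.0.0.5 21
12:01:00 TCP 203.0.113.20 40002 10.0.0.5 23
12:01:01 TCP 203.0.113.20 40003 10.0.0.5 25
12:01:01 TCP 203.0.113.20 40004 10.0.0.5 80
12:01:02 TCP 203.0.113.20 40005 10.0.0.5 110
12:02:00 TCP 198.51.100.31 5000 10.0.0.5 1080
12:02:01 TCP 198.51.100.32 5000 10.0.0.5 1081
12:02:02 TCP 198.51.100.33 5000 10.0.0.5 1082
12:03:00 TCP 203.0.113.99 6000 10.0.0.5 80
"""

LOCAL_IP = "10.0.0.5"   # assumed address of the protected host
SCAN_PORTS = 5          # assumed: this many distinct ports from one source = scan
COORD_SOURCES = 3       # assumed: this many quiet sources in one /24 = coordinated

def triage(log, local_ip=LOCAL_IP):
    """Return {source_ip: label} for every source seen in the log."""
    verdict, ports = {}, defaultdict(set)
    for line in log.strip().splitlines():
        _time, proto, src, _sport, dst, dport = line.split()
        if src == local_ip:
            verdict[src] = "local-origin"         # our own host sent it (e.g. port 137)
        elif proto == "ICMP":
            verdict.setdefault(src, "icmp-only")  # ICMP has no ports: not a port scan
        elif dst == local_ip:
            ports[src].add(int(dport))
    by_net = defaultdict(list)
    for src, seen in ports.items():
        if len(seen) >= SCAN_PORTS:
            verdict[src] = "port-scan"
        else:
            verdict[src] = "isolated-probe"
            by_net[src.rsplit(".", 1)[0]].append(src)
    for members in by_net.values():               # several quiet sources, same /24
        if len(members) >= COORD_SOURCES:
            for src in members:
                verdict[src] = "coordinated-scan"
    return verdict

if __name__ == "__main__":
    for ip, label in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {label}")
```

Only the `port-scan` and `coordinated-scan` labels describe scanning behaviour; the others are the kinds of events the posters report their firewalls alarming on anyway.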