April 24, 2010
Recently I have been dealing with a big issue. My IP has been scanned several times by Google and Yahoo. I looked up the scanning IPs with whois and what came up was this IP 18.104.22.168 related to Google and some more from the range 22.214.171.124 - 126.96.36.199 (Yahoo) and 188.8.131.52 - 184.108.40.206 (Google). Do you know of any reasons why this is happening? I am using Outpost Firewall Pro, so if I block these IP ranges I will end up having no access to search engines. All http sites are working correctly. I could allow them I guess, but I am wondering how this fits with my security and whether this scanning is something normal or illegal.
Is this happening mostly shortly after disconnecting from a browser or webmail?
How long have you had the Outpost Firewall installed for?
Will the firewall provide details of what ports are being used by these IPs? If so, post the numbers here, that may help diagnose.
The way I see it, there are two main possibilities:
1) Your machine is actually being attacked by someone/something spoofing the IP addresses......not very likely.
2) These are orphaned or delayed packets which would (normally) simply be discarded but your firewall is being a tad overzealous and reporting these incidents. I think this is the most likely scenario.
If your connection was being saturated that would be more in keeping with an actual "attack", but seeing this is only happening here and there it is unlikely there is anything to worry about.
April 24, 2010
Thanks for helping me out. I have had Outpost installed for 3 years, not meaning by this that I am a pro user, I am more of a try and see what is happening guy. The problems started after I increased the security level to Maximum for Attack Detection. This was just temporary, but now I am dealing with this issue even if my Attack Detection is set to Optimal. I also had the scanning IP blocked for the maximum period of time since this is something happening on a regular basis for the last 2 weeks. I recently cleared my log files so the IPs I am providing are not all of those that scanned my network.
OK, now that being said, here are the bad guys: 220.127.116.11 and 18.104.22.168 for the moment and I am having another one from my country that just started.
1:18:08 PM 22.214.171.124 Host blocked for 60 min SCAN (38412, 58124, 57868, 59916, 60684, 60940, 61196)
12:51:52 PM 126.96.36.199 Host blocked for 60 min SCAN (49670, 51206, 51462, 51718, 51974, 52230, 52742)
6:16:58 PM 188.8.131.52 Host blocked for 60 min SCAN (58128, 60688, 64784, 1553, 15889, 22801, 23057)
4:47:44 PM 184.108.40.206 Host blocked for 60 min SCAN (44037, 45573, 48645, 48389, 48901, 51205, 51717).
Blocking the Google IPs will leave me with no favorite search engine. When this happens, it is usually followed by another IP scanning (Yahoo) and I have to drop Yahoo Search as well.
Thank you again
Hey coolczone - OK, first two IP addresses are definitely coming up Google and Yahoo. The bottom two though are leading me to a site in Romania which is reported to be running an automated forum spambot script.
This is now getting outside my realm of expertise/knowledge. I'm going to pass on this information to Dave and Ziggie and see what they can come up with.....stand by!
In the meantime will you please answer the following question to help with diagnosis:
How are you connecting to the internet; DSL, cable, ethernet, wireless????
Sorry I couldn't be more help,
April 24, 2010
My connection is cable and I am using my laptop. I am not sure if the same IPs were scanning me at some other location, I will try and see if this happens again on a short trip that I am planning. What if the same IPs are scanning me in some other place?
Ciprian, I don't think the scanning will stop simply because you change your location, I imagine the scanning would be specific to your IP address.
I wouldn't be worrying too much about this mate, there are hundreds of automated bots constantly roaming the net actively seeking out somewhere to scan. I seriously doubt this is connected in any way with malware.
If it will help put your mind more at ease, why not run scans anyway....any resident security plus an on demand scanner like Malwarebytes Anti-Malware or SUPERAntiSpyware will do fine. If they do not find anything, it is most likely your system is clean.
Hopefully Dave or Ziggie will chime in soon with some better informed comments.
In the grand scheme of things it is great that you 1) noticed something like this, and 2) came looking for help, but in reality it is really nothing to worry about.
I'm guessing you don't have a router between your modem and computer. As such your computer literally "sits" on the internet and is visible to every other device on the internet. This means any device, or computer, can attempt to directly access your computer and there are many out there that will try. The good news is that your firewall is blocking any attempt to access your computer that wasn't initiated by you. The bad news is that this can slow down your internet connection because each communication actually makes it to your computer and then your firewall must deal with each packet. Most recommend a router between the modem and computer, and Ken, our security guru, has also mentioned this in the past. Most routers perform many functions, but the two most important (in my opinion) are NAT (Network Address Translation) and a hardware firewall (often called a Stateful Packet Inspection firewall). You can read about NAT in Ken's article (http://www.davescomputertips.com/articles/security/golden_rules_of_computer_security_2.php). Stateful Packet Inspection means that the router examines each packet sent to your IP. If the communication wasn't initiated by a computer on your network the packet is dropped immediately. No muss. No fuss. If the packet is in response to a request (go to this web page, etc) from a computer on your network the packet goes through.
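The stateful filtering described in the post above, together with the "orphaned or delayed packets" explanation given earlier in the thread, as an added example that is not part of the original posts. It is a toy model: the timeout, the scan threshold, the addresses (documentation ranges) and the ports are constructed, and Outpost's real detection logic is not shown on this page.

```python
from collections import defaultdict

class StatefulFilter:
    """Toy model of stateful inspection plus a naive port-scan counter."""

    def __init__(self, idle_timeout=60.0, scan_threshold=5):
        self.idle_timeout = idle_timeout      # seconds a flow may stay silent (assumed)
        self.scan_threshold = scan_threshold  # distinct ports before "SCAN" (assumed)
        self.flows = {}                       # (local_port, remote_ip, remote_port) -> last seen
        self.hits = defaultdict(set)          # remote_ip -> local ports hit without state

    def outbound(self, local_port, remote_ip, remote_port, t):
        """Record a connection the local machine initiated."""
        self.flows[(local_port, remote_ip, remote_port)] = t

    def inbound(self, remote_ip, remote_port, local_port, t):
        """Return PASS only for a packet that answers a live tracked flow."""
        key = (local_port, remote_ip, remote_port)
        last = self.flows.get(key)
        if last is not None and t - last <= self.idle_timeout:
            self.flows[key] = t               # reply to our own request: refresh state
            return "PASS"
        self.flows.pop(key, None)             # expired state is forgotten
        self.hits[remote_ip].add(local_port)  # packet now counts as unsolicited
        if len(self.hits[remote_ip]) >= self.scan_threshold:
            return "DROP+SCAN"
        return "DROP"


def demo():
    """Constructed traffic; nothing here is taken from a real capture."""
    fw = StatefulFilter(idle_timeout=60.0, scan_threshold=5)
    server, stranger = "198.51.100.7", "203.0.113.9"
    ports = [51206, 51462, 51718, 51974, 52230]
    for p in ports:                           # browser opens five connections at t=0
        fw.outbound(p, server, 80, t=0.0)
    # Prompt replies match tracked flows and pass.
    prompt = [fw.inbound(server, 80, p, t=0.3) for p in ports]
    # A host we never contacted is dropped on the first packet.
    unsolicited = fw.inbound(stranger, 40000, 445, t=1.0)
    # The same server answering long after the state expired looks like
    # unsolicited traffic on five different ports, so it trips the scan counter.
    late = [fw.inbound(server, 80, p, t=300.0) for p in ports]
    return prompt, unsolicited, late
```

In this model the late packets come from the very server the browser contacted, which is how a search engine's address can end up in a "SCAN" entry without any scan having taken place.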
April 24, 2010
Thank you all for your help.
I will definitely look into the router thing to speed up my browsing capabilities and increase my security. I am grateful for your help, still I have some other questions.
1. Should I allow Google and Yahoo to scan my IPs (create rule in Outpost for them)? If the answer is yes, in what way will this affect my security?
2. Is a resident firewall still needed in case I will go for the router protection?
Thanks again, and Happy New Year! to all of you.
> Should I allow Google and Yahoo to scan my Ip's ( create rule in Outpost for them)? If the answer is yes, in what way this will affect my security?
No, definitely not. Allow your firewall to continue blocking them.
> Is a resident firewall still needed in case I will go for the router protection?
That is debatable, some do not consider it necessary. It depends largely on the user and the level of risk they are prepared to take. I would always advocate both, even if just to be on the safe side.
So, I would recommend using both. If the host machine is capable of running an installed firewall without any negative impact then there is certainly no harm and possibly a lot of good.
August 11, 2011
I know I'm late to the party, but I'll throw in my two cents on the need for a software firewall:
My experience is that with a good hardware firewall in place (i.e. router or even a firewall appliance) there is not really a need for software firewalls as long as you trust the devices on your network.
As a systems administrator at work - I don't trust anyone. It's my job not to, so I assume that all computers are actively trying to hack information that they have no business having (yes, the admin's job is to be more panicky than necessary). So we run software firewalls on all of our servers, hardware firewalls between us and the internet, and each of our VLANs (Virtual LANs...a way to run multiple networks across the same hardware) only cross over through a firewall.
That's a corporate environment.
At home - I'm much more lax. Only people I trust come onto my network, and everything on my network has open access to talk to each other. There's a nice hardware firewall blocking access onto the network, a nice WPA2 protected hash key on my wireless, and everything runs a-ok. I don't like to waste resources on a software firewall on my home network.
When I take my laptops out of the house, the firewall comes on. Inside the house, no big deal.
And that was probably way more information than you were looking for.
> 1.Should I allow Google and Yahoo to scan my Ip's ( create rule in Outpost for them)? If the answer is yes, in what way this will affect my security?
Your firewall is blocking them. If you haven't lost any access to Google, Yahoo, etc then I see no need to change your firewall rules.
> 2. Is a resident firewall still needed in case I will go for the router protection?
Well. In most cases it isn't required, but I like to have them. Why? A good firewall will prompt you for every inbound and outbound connection, which gives several benefits (especially for those who aren't techy types):
1. You learn which programs are trying to access the internet - you'll be surprised how many programs do and wonder why some do when you can't think of any need for them to have access.
2. Outbound connection requests. After you've used the computer for a week or two, and have rules set for most programs that you are familiar with, it becomes an "early warning system" and a great way to catch malware. As an example you download something labeled as a theme, pdf, simple program, or doc. As soon as you try to run or view the download your firewall jumps up with a warning about an outbound connection. If the download was not a reputable product downloaded from a reputable site it would be a good time to do some scanning and searching on the web. Seem far-fetched? Running AV software? I've seen it happen.
3. If the computer is portable. When you join someone's network that you don't have control of (Starbucks, McDonalds, airport, etc) you need a software firewall.
April 24, 2010
Sorry for my late reply, I am in the process of moving out and at my new place I do not have internet access yet.
Dave, one of the problems is that once I am being scanned, my firewall is blocking the IP. So my browsing search is way more difficult since Google is my 1st choice, and Yahoo the 2nd. Now I am blocking the IPs individually. From time to time it seems like they are giving me a break, but after a while everything is aggressive again. What I was able to see is that the scanning occurs once I am trying to move to some other page just looking for more info, or when I am opening my browser, since Mozilla is set to Google as my home page. I even reinstalled my OS, but the scanning is still on. Will changing my MAC help solve this problem?