R2 [R Not] (MVM, join:2000-09-18, Long Beach, CA) to Wildcatboy

Re: Windows is less efficient with RST than stealth?

YES! I would gladly 'break the Internet' in this manner if it meant I was more secure!;) Address spoofing certainly is not a new idea and I think it could be done in this fashion.

I am not sure that the router is going to care what the "source" IP address is. It is just a number that gets passed along in the IP header. Certainly I would avoid using the LAN 10.x.x.x address but I would recommend using the WAN address.

I guess I over-interpreted this paragraph as representing one concept:
said by WCB:
Although the word stealth has been a newly coined term for personal firewalls, the feature of not responding to SYN or responding to them selectively has been around for a long time in professional firewalls and routers. It's mostly done by selective routing and it hasn't broken down the Internet. In fact RFC 1812 section 4.3.2.8 suggests that you do limit the ICMP unreachable.
JVM - I am then equally confused about your prior posts -- how are you testing the ports?? Certainly you are not trying to send pings to port 21 and port 80??

jvmorris [I Am The Man Who Was Not There.] (MVM, join:2001-04-03, Reston, VA)

said by R2:
. . . . JVM - I am then equally confused about your prior posts -- how are you testing the ports?? Certainly you are not trying to send pings to port 21 and port 80??
I'm not doing this really well, am I? Visual Route has an option to allow you to probe a specific port/service, while doing the traceroute.

The traceroute itself obviously relies on ICMP, but if one specifies a port, VR also tends to run a TCP probe against the specified port. For example, if I specify 207.46.197.102:80 in my personal copy of VR 5.2b, then I get the following analysis:
quote:
Report for 207.46.197.102

Analysis: Connections to HTTP port 80 on host '207.46.197.102' are working, but ICMP packets are being blocked past network "Microsoft" at hop 26. It is a HTTP server (running Microsoft-IIS/5.0). Node 207.46.129.51 at hop 26 in network "Microsoft" reports "The destination network is unreachable".
Does that help? In other words, VR isn't a pure traceroute utility; it can contain some probe specs also.

R2 [R Not] (MVM, join:2000-09-18, Long Beach, CA)

I am sorry, I don't use Visual Route -- I have too many toys on my computer as it is!:)

So when you "probe" a port, a ping is also sent. The "Connections... are working" implies the port is OPEN -- I suspect.

So -- if I am not completely off base -- in your report, you tend to be reporting back only the ICMP (ping) responses and not the SYN probe responses. Is that correct?



When I look at your 'stealth.htm' results sheet, the only results I can find are the "VR Summary". This section does not give any information at all as to how the port responded. It only tells us the results of the ping (ICMP probe). The actual port results are not included.
[text was edited by author 2002-06-10 15:01:11]

SYNACK [Just Firewall It] (Mod, join:2001-03-05, Venice, CA) to jvmorris

Yes, the traceroute trick can work with any kind of packets, just using successive probes with incrementing TTL. Whatever hop expires the packet will send a TTL-exceeded ICMP (type 11).

Only the last hop will probe the actual port, and if stealth, will make the traceroute go on forever or until the max number of hops is exceeded.

MS tracert: uses ICMP echo requests (type 8). Intermediate hops send ICMP type 11, target ICMP echo reply (type 0).

Unix traceroute: uses UDP to high ports. Intermediate hops reply with ICMP (type 11), target with ICMP (3,3) because it uses a very high port that is unlikely to be serviced by the target.
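To make SYNACK's description concrete, here is an added example (not from the thread or from any tool mentioned in it) that parses constructed ICMP replies and simulates the three probe types against a target that answers versus one that stays silent; the router addresses and hop counts are made up for the example.

```python
import struct

# ICMP types/codes referred to in the thread
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
CODE_PORT_UNREACH = 3


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, rest: bytes = b"\x00" * 4) -> bytes:
    """Construct an 8-byte ICMP header with a valid checksum (no payload)."""
    unsummed = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(unsummed)) + rest


def parse_icmp(packet: bytes):
    """Return (type, code) for a well-formed ICMP message, else None."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:  # a valid message sums to zero
        return None
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    return icmp_type, code


def classify_reply(method: str, reply):
    """
    Map the reply to one traceroute probe onto 'hop', 'target',
    'unreachable' or 'silent'.
    method: 'icmp' (MS tracert), 'udp' (Unix traceroute) or 'tcp'
            (a port-specific probe, as VisualRoute does for host:port).
    reply:  raw ICMP bytes, a TCP flag string ('SA' or 'R'), or None.
    """
    if reply is None:
        return "silent"
    if isinstance(reply, str):                  # TCP answer to a SYN probe
        return "target" if reply in ("SA", "R") else "silent"
    parsed = parse_icmp(reply)
    if parsed is None:                          # malformed: treat as no answer
        return "silent"
    icmp_type, code = parsed
    if icmp_type == ICMP_TIME_EXCEEDED:         # an intermediate router
        return "hop"
    if method == "icmp" and icmp_type == ICMP_ECHO_REPLY:
        return "target"
    if method == "udp" and (icmp_type, code) == (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
        return "target"
    if icmp_type == ICMP_DEST_UNREACH:          # e.g. the "network unreachable" seen at hop 26
        return "unreachable"
    return "silent"


def simulate_trace(method: str, routers: list, target_reply, max_hops: int = 30):
    """
    Send one probe per TTL from 1 to max_hops along 'routers' (constructed
    intermediate hops) to a target that answers with 'target_reply'.
    Returns (hops, reached): hops is a list of (ttl, who, verdict).
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        if ttl <= len(routers):                 # a router expires the probe
            verdict = classify_reply(method, build_icmp(ICMP_TIME_EXCEEDED))
            hops.append((ttl, routers[ttl - 1], verdict))
            continue
        verdict = classify_reply(method, target_reply)
        hops.append((ttl, "target", verdict))
        if verdict in ("target", "unreachable"):
            return hops, verdict == "target"
        # silent target: nothing distinguishes this TTL from a lost probe,
        # so the trace keeps going until max_hops is exhausted
    return hops, False


if __name__ == "__main__":
    routers = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]   # constructed path
    cases = [("icmp", build_icmp(ICMP_ECHO_REPLY)),                      # target pings back
             ("udp", build_icmp(ICMP_DEST_UNREACH, CODE_PORT_UNREACH)),  # port unreachable
             ("tcp", "R"),                                                # closed port: RST
             ("tcp", None)]                                               # stealth: silence
    for method, reply in cases:
        hops, reached = simulate_trace(method, routers, reply, max_hops=8)
        print(f"{method:4s} reached={reached!s:5s} probes sent={len(hops)}")
```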

jvmorris [I Am The Man Who Was Not There.] (MVM, join:2001-04-03, Reston, VA) to R2

said by R2:
. . . .The "Connections... are working" implies the port is OPEN -- I suspect.
Yep, that's the way I interpret it. Once upon a time, I used to actually test (e.g., with a browser)
quote:
So -- if I am not completely off base -- in your report, you tend to be reporting back only the ICMP (ping) responses and not the SYN probe responses. Is that correct?
Yep, it must have got lost in the postings. Both WildCatBoy and I noticed that the web-based demo version of VR 6.0a at London UK does not appear to do the port probes, only the ICMP pings, when we each probed ourselves. The firewall events logs that we each have confirm this; we weren't getting the TCP probes, at all.
quote:
When I look at your 'stealth.htm' results sheet, the only results I can find are the "VR Summary". This section does not give any information at all as to how the port responded. It only tells us the results of the ping (ICMP probe). The actual port results are not included.
Again, correct. The quoted port results are from my running my personal copy of VR 5.2b directly from my own machine. The port probing functionality is definitely there; I can see it in the firewall event log (if I log the outbound) and it agrees with the reported result displayed in the VR application itself.
jvmorris

jvmorris (MVM) to SYNACK

said by SYNACK:
...
MS tracert: uses ICMP echo requests (type 8). Intermediate hops send ICMP type 11, target ICMP echo reply (type 0).

Unix traceroute: uses UDP to high ports. Intermediate hops reply with ICMP (type 11), target with ICMP (3,3) because it uses a very high port that is unlikely to be serviced by the target.
SYNACK,

I got a quick chuckle when I read this. I kept thinking about all the people who've decided that they're invisible because their firewall 'stealths' them and then go gleefully about running pings and traceroutes.

Now, you come along and tell me that not only are they potentially revealing their IP address, they may well be telling the guy on the other end what kind of OS they're using!

CrazyM (Premium Member, join:2001-05-16, BC Canada) to jvmorris

Re: Closed vs Stealthed Ports

How difficult would it be for developers to provide the option of a user-defined response to unsolicited inbound traffic? I know from lurking in the Netgear/Zyxel forum the ZyWALL 10 has the option to stealth or respond closed.

Would this be a major undertaking, or something fairly simple for developers to provide this option? Is a closed response a more "normal" response for firewalls with stealth (no response) something that has been added (for whatever reason)?

Could the current packet filter firewalls and NAT router/gateways accomplish this as is, or would it require true Stateful Packet Inspection (as in the ZyWALL)?

CrazyM

jvmorris [I Am The Man Who Was Not There.] (MVM, join:2001-04-03, Reston, VA)

R2 and SYNACK, I believe, discussed this very early on in the thread. I thought it was a neat idea and can see all sorts of potential for it.

Maybe some vendor will pick up on it as a user-selectable option.

Wildcatboy [Invisible] (Mod, join:2000-10-30, Toronto, ON) to R2

Re: Windows is less efficient with RST than stealth?


R2, I don't think the results in JV's report sheet are a good indication of our situation. JV and I tried a few port scans to create a better and more accurate chart but unfortunately, due to a few glitches we encountered (and hopefully will be resolved soon), we weren't able to finish the job.

It seems that there are too many settings in NIS that need to be considered before we actually are sure of the result. For example, a feature that JV had enabled in his firewall automatically put me in the ignore list after the first scan attempt, so regardless of the overall setting in NIS/NPF the firewall would drop all packets coming from me anyway, so JV was still stealth to me regardless of the settings. We also had some problems related to the stealth feature that we are hoping to resolve. For some reason we couldn't make the firewall on his machine respond as closed even though all settings indicated that it should.

I think for a more accurate result we either need to solve those problems first, or perhaps someone with a firewall and perhaps a sniffer and some extra time to spare could volunteer to go through a few scan tests in different modes. Then we can be certain about the implications of being stealth or not.

For the time being I tend to stick to my belief that being stealth would increase the number of port scans but nothing significant. For example NMAP tries 6 times if the port is non-responsive but it will do only one or two if the port responds as closed. But that is as far as it gets. I don't believe being stealth would really increase the Network communication by a significant margin and I do believe that the firewall will still handle the hits far more efficiently than the OS does.

R2 [R Not] (MVM, join:2000-09-18, Long Beach, CA) to CrazyM

Re: Closed vs Stealthed Ports

CrazyM -- I would think it would be highly possible for all Software Firewalls to respond in either a 'closed' or 'stealth' manner. I believe that is exactly what JVM can do with his NIS firewall (correct?). But, ZoneAlarm is not able to do this -- they seem to only give you the stealth option in "High Security".

One of the users above stated that his firewall can be set up to send ICMP responses to a SYN probe, but he/she never came back to verify that. WCB seems to be against this choice anyway -- but I'll take any option I can get!:)

It appears that the only concern left is whether or not Stealth vs. Closed leads to increased Internet traffic...

[text was edited by author 2002-06-10 17:31:42]

jvmorris [I Am The Man Who Was Not There.] (MVM, join:2001-04-03, Reston, VA)

said by R2:
CrazyM -- I would think it would be highly possible for all Software Firewalls to respond in either a 'closed' or 'stealth' manner. I believe that is exactly what JVM can do with his NIS firewall (correct?). ....

R2,

Well, frankly, I'm getting a bit baffled here myself as to what the situation is with regards to NIS, especially 3.0 FE on Win 98 SE. As WildCatBoy indicates (and I will confirm after having seen the raw logs), there's absolutely nothing different in the NMAP log if I run Unstealthed and PERMIT the ICMP Echo Request/Reply and if I run Stealthed and BLOCK the ICMP Echo Request/Reply. The NIS firewall event logs are effectively identical in either case, also.

So, that leaves an interesting question: At the moment, just what does the "Stealth Blocked Ports" option accomplish?

According to the NIS 3.0 Help file,
quote:
Stealth Blocked Ports. Causes blocked ports to not respond at all to inquiries from the Internet. When your computer receives an inquiry on a blocked port, it can respond that the port is closed, or it can not respond at all. If your computer responds that the port is closed, it passes an important piece of information to the inquiring computer: that there is a computer there. If your computer does not respond at all (stealth), the inquiring computer learns nothing.
Well, that's certainly the way my system used to respond, but it's not the way it's responding right now.

At the moment, I even come up 'stealthed' at GRC's "Probe My Ports", regardless of which setting I choose. This certainly isn't what used to happen and I honestly don't know what's different at the moment.
jvmorris

jvmorris (MVM)

Oh, cool! Now, I get to talk to myself!

Okay, not absolutely positive about this, but it rather looks like the change might have occurred somewhere during the updates from NIS/NPF 2.5 to 2.54. (Yes, that was a long time ago in Internet years.) It rather looks like 'fixing' some problem regarding stealthing pretty much stealthed everything -- almost.

For example, I find the following in the KnowledgeBase at »service4.symantec.com/SU ··· 10274036 :
quote:
When you "stealth" an IP port, you not only close that port, but the port also does not respond to any probes or scans from the outside, making that port on your computer essentially invisible. In Norton Internet Security (NIS) or Personal Firewall (NPF) you cannot directly configure a port for "stealth" rather than "blocked." There is no button to click or setting you can change.

By default, Norton Internet Security (NIS), Norton Personal Firewall (NPF), and Symantec Desktop Firewall (SDF) silently block (stealth) unused IP ports. Ports that are being used (listened on) are either open or closed by a specific rule. Those that are closed cannot be stealthed without making adjustments. Those adjustments depend on the rule and the service listening on a port. In most cases, removing the rule suffices. In other situations, such as those involving protocols, stealthing the port is more involved....
Anyone who cares to reconcile this with the current statement in the Help File with NIS 3.0, be my guest!

Randy Bell (Premium Member, join:2002-02-24, Santa Clara, CA) to jvmorris

said by jvmorris:
At the moment, I even come up 'stealthed' at GRC's "Probe My Ports", regardless of which setting I choose. This certainly isn't what used to happen and I honestly don't know what's different at the moment.
Could you be coming up stealth at Shields-UP because you have ICS/ICF enabled? In that case, you should still come up stealth, even with NIS totally disabled.

SYNACK [Just Firewall It] (Mod, join:2001-03-05, Venice, CA)

I am not sure if this has come up, but here is another mechanism that indirectly breaks your stealth stance.

We all know that MS reverse DNS lookups will generate a direct 137-137/UDP probe to the target if a regular DNS lookup fails. This means that if your firewall software does any kind of DNS translation to make the logs more readable, you should make sure to block all outgoing 137/UDP to actually be stealth.

Otherwise, the prober senses full stealth at your IP, but then gets hit on the forehead with a 137 probe from your IP, proving that you are "(1) up & (2) running & (3) logging & (4) using a Microsoft OS" ...all priceless information!

(This could also be used as a deterrent, depending on your goals.)
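An added example (not SYNACK's code or any vendor's) of spotting the leak he describes in a firewall log: it correlates allowed outbound UDP/137 packets with inbound probes that were silently dropped from the same address shortly before. The log line format, the addresses and the timing window are assumptions made for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed log layout: "<timestamp> <IN|OUT> <DROP|ALLOW> <proto> <src>[:port] -> <dst>[:port]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<dir>IN|OUT) (?P<action>DROP|ALLOW) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample log (documentation addresses only); 192.0.2.10 is "us".
SAMPLE_LOG = """\
2002-06-10 15:01:11 IN DROP TCP 203.0.113.7:4312 -> 192.0.2.10:80
2002-06-10 15:01:12 OUT ALLOW UDP 192.0.2.10:137 -> 203.0.113.7:137
2002-06-10 15:03:40 IN DROP TCP 198.51.100.9:2000 -> 192.0.2.10:21
2002-06-10 15:09:00 OUT ALLOW UDP 192.0.2.10:137 -> 198.51.100.9:137
2002-06-10 15:10:02 IN DROP ICMP 203.0.113.8 -> 192.0.2.10
2002-06-10 15:10:03 OUT DROP UDP 192.0.2.10:137 -> 203.0.113.8:137
2002-06-10 15:12:00 OUT ALLOW TCP 192.0.2.10:1025 -> 203.0.113.50:80
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def find_netbios_leaks(lines, window_seconds: int = 120):
    """
    Return (leak_time, remote_ip, probe_time) for every *allowed* outbound
    UDP/137 packet sent to an address whose inbound traffic we silently
    dropped within window_seconds beforehand: the remote end got no answer
    to its probe, then received a NetBIOS name query from us anyway.
    An outbound 137/UDP packet the firewall dropped is not a leak; that is
    the block SYNACK recommends.
    """
    recent_drops = {}          # remote ip -> deque of drop timestamps
    leaks = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dir"] == "IN" and rec["action"] == "DROP":
            recent_drops.setdefault(rec["src"], deque()).append(rec["ts"])
        elif (rec["dir"] == "OUT" and rec["action"] == "ALLOW"
              and rec["proto"] == "UDP" and rec["dport"] == "137"):
            drops = recent_drops.get(rec["dst"], deque())
            cutoff = rec["ts"] - timedelta(seconds=window_seconds)
            while drops and drops[0] < cutoff:   # forget drops outside the window
                drops.popleft()
            if drops:
                leaks.append((rec["ts"], rec["dst"], drops[-1]))
    return leaks


if __name__ == "__main__":
    for when, remote, probed_at in find_netbios_leaks(SAMPLE_LOG.splitlines()):
        gap = int((when - probed_at).total_seconds())
        print(f"{when}: sent UDP/137 to {remote} {gap}s after silently dropping its probe; "
              f"'stealth' towards that host is gone")
```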

maximus_808 [Proud Veteran] (Premium Member, join:2001-08-27, Rainier, WA) to jvmorris

With Stealth Blocked Ports unchecked I still get an all-stealth report at GRC... if I disable NIS totally I get blocked status.

jvmorris [I Am The Man Who Was Not There.] (MVM, join:2001-04-03, Reston, VA) to Randy Bell

said by Randy Bell:
Could you be coming up stealth at Shields-UP because you have ICS/ICF enabled? In that case, you should still come up stealth, even with NIS totally disabled.
Yeah, WCB and I discussed that; I think not. You see, I dropped NIS when he was probing me with NMAP and came up with closed on the three ports I selected (80,21, and 1433). That, obviously was with ICS still enabled. (As I mentioned to you before, it's sheer hell to drop it and then get it back up here.)

Hey, Randy, doncha love it when you spend about four days arguing with some guy about stealth vs closed, only to find out the other guy can't unstealth at all?!!
jvmorris

jvmorris (MVM) to maximus_808

Yep, that's what I'm currently seeing. It looks like you're running NIS 4.0 on Win XP and I'm running NIS 3.0 on Win 98 SE.

Still nothing back at this end from Symantec. I really would like to know why it used to show closed at GRC, but now shows stealthed regardless of what I do.

R2 [R Not] (MVM, join:2000-09-18, Long Beach, CA) to jvmorris

said by jvmorris:
Hey, Randy, doncha love it when you spend about four days arguing with some guy about stealth vs closed, only to find out the other guy can't unstealth at all?!!
'Love' wasn't the first word that came to my mind...;)

So we are now to believe that NIS does not really offer the ability to set ports to 'stealth' or 'closed' -- like ZA you are stuck with stealth like it or not??

maximus_808 [Proud Veteran] (Premium Member, join:2001-08-27, Rainier, WA) to jvmorris

I haven't had the time to read all of this thread but from what I have read I feel better about my computer's security. I feel that for what I need it to do NIS is a good firewall even if it can't pass the stealth test at PC Flank. If I am wrong in this assumption please let me know. You guys have shown me a lot just in your discussions back and forth... thanks.

jaykaykay [4 Ever Young] (MVM, join:2000-04-13, USA) to jvmorris

Ok, ok. I've been following this thread from the beginning...or should I say reading it. Following it is by no means something that I am capable of doing at this point. Please, 'splain, in layman's terms, should I should or should I shouldn't set my firewall in the High setting, known familiarly as stealth, or not?

Wildcatboy [Invisible] (Mod, join:2000-10-30, Toronto, ON) to jvmorris

By the way, I keep hearing that ZA won't let you be stealth unless you run at high Internet Security mode. People are saying this like there's an inherent disadvantage to this and you are losing something else besides the stealth feature. But can you tell me what the difference is between running in high security and medium Internet Security in ZA? As far as I know, nothing. Except of course for the lack of the Stealth feature in Medium, there's nothing else that ZA doesn't do in medium that it does in high, is there?

Medium Security in the Local Zone allows Local Network access to Windows Services and Shares, but in the Internet zone it still blocks external access to Windows services and shares, so there's really no significant difference between Medium and High in the Internet zone except for the stealth feature. So clicking on medium is just like choosing to respond as closed and clicking on high is like choosing to be stealth. Nothing more and nothing less. Please do tell me if I'm wrong.

jvmorris [I Am The Man Who Was Not There.] (MVM, join:2001-04-03, Reston, VA) to jaykaykay

said by jaykaykay:
Ok, ok. I've been following this thread from the beginning...or should I say reading it. Following it is by no means something that I am capable of doing at this point. Please, 'splain, in layman's terms, should I should or should I shouldn't set my firewall in the High setting, known familiarly as stealth, or not?
Oh, goody! You direct this question to me just after I end up with egg all over my face! Okay, okay, lemme give it a try.

First, when I originally posed the question it was a quite sincere question in my mind. This struck me as the right forum. It has a large, diverse, and polite crowd of respondents. It struck me as the right time -- well after all the original hoopla about stealth has long since subsided. And we've also gotten to the point that just about every major PSF in particular (not to mention many NAT/routers and hardware firewalls) offer stealth, anyway. So, it wasn't going to turn into another "My firewall is better than your firewall" discussion simply because one offered stealthing and the other didn't. My expectations, in this regard, have been amply rewarded. I've learned a lot from this humongous thread and it appears that many others have also. Indeed, there are things I would never have known if I hadn't started this thread (including, for example, the fact that NIS/NPF now apparently stealths all unused ports by default, I regret to say).

And, even now, I really see no overwhelming reason to run stealthed (whatever it does or doesn't mean). Your mileage may vary, of course, and you'll note that I long ago told Randy that I have absolutely no problem with him running stealth. I just don't see that it particularly does anything to enhance my security (even though I apparently no longer have any say in whether I use or don't use it).

I believe you're a ZA user, also, aren't you? Well, as I recall, a ZA (free) user can't run in high security if he or she desires to use ICS (or ICF, for that matter). You have to run in medium security (or upgrade to ZA Pro). On the other hand, with ZA (free), you can only be 'stealthed' in 'high security'. If that's the only difference (and it isn't), I wouldn't hesitate to stick with ZA (free) rather than upgrade to ZA Pro, simply because I wanted to use something like MS' ICS to run a small home LAN. (I would, however, consider upgrading to ZA Pro to get the finer control over the firewall settings; I don't like the ZA (free) settings at all.)

Second, I certainly don't see 'stealth' as being the critical determinant as to which PSF I would use; there are far more critical features that are far more important to me. And, in particular, there is no way that I would pick a PSF exclusively on the basis of how well it does on the PC Flank Stealth Test. I asked (and unless I missed the response buried somewhere back in the bowels of the thread), there doesn't seem to be any documented exploit that uses those features tested by PC Flank's Stealth Test in any sort of malicious manner.

Again, well back in the thread, WildCatBoy made the comment that a 'truly' stealthed firewall would also block ICMP echo reply. I gather from talking to WildCatBoy that this is inescapable if you run ZA (free) stealthed. Randy obviously likes that, also. Well, I have no problem with that, either. However, I do like the option to choose how I handle ICMP, regardless of whether I choose to run Stealth or not. I can easily envision situations in which I'd like to be able to get a remote ping or traceroute to my box -- and I'd like to be able to do that without needing to drop out of stealth, if it came to that, for TCP probes.

SYNACK has made numerous (short, very short, I'm jealous) postings regarding how someone may be misled into thinking they're invisible simply because they're running 'stealthed', only to find out that it's really not making them invisible, like they'd like to think. I would maintain that his postings in this thread are worthy of far more pondering than some have given them.

R2 has, on several occasions, discussed alternatives to 'no response' that I find most appealing, especially if they're user-selectable. (Oh, okay, make 'stealth' the installation default, just give me the others, also.)

It's really unfair (and I'm probably going to get shouted at for saying it), but it really does seem to me that sometimes the whole advocacy of 'stealthing' boils down to that line one always used to hear in WW II movies, just before the Marines hit the beach. "If you got 'em, smoke 'em." Well, that's not quite good enough for me, and that's why I asked the question in the first place.

Now, does that answer your question? (Probably not)

Wildcatboy [Invisible] (Mod, join:2000-10-30, Toronto, ON) to jaykaykay

Sorry JKK, there's no clear cut answer for you at this time. You need to read the whole thing and make your own judgment.

At this time there's no evidence that there's a significant difference between the hits you get whether you're stealth or not. In JV's experiment the number of log entries recorded was either due to more events being logged or just a mere coincidence because, unlike what JV thought, he was running stealth on both occasions. So when he told us he had fewer hits when he was responding as closed, he wasn't really responding as closed anyway.

Until we find a volunteer to test this thoroughly we can't even tell you if there's a significant increase in hits when being scanned while stealth.

As far as I am concerned there are inherent advantages when you run in the stealth mode, and this is not due to what the hacker would think or guess but basically due to the fact that if you don't respond to SYN packets you spend less memory and CPU time during a SYN flood attack, your IP can't be successfully used as a decoy to scan others, and you make it much harder for intruders to fingerprint your machine. Also, methods that use ICMP unreachable messages from your computer to map your internal network by incremental changes to TTL and constantly probing you will not succeed if they don't get a response at all.

The disadvantages are that if you don't know what you are doing you may cause problems with your connection to your ISP and you'll make it more difficult for them to troubleshoot the problem.

jvmorris [I Am The Man Who Was Not There.] (MVM, join:2001-04-03, Reston, VA) to Wildcatboy

Hey, what am I tonight -- self-chopped liver? (Geez, a guy makes a simple, teeny, tiny mistake of absolutely no significance and you guys are all over me like flies on s***! )
said by Wildcatboy:

By the way I keep hearing that ZA won't let you be stealth unless you run at high Internet Security mode. People are saying this like there's an inherent disadvantage to this and you are losing something else besides the stealth feature. But can you tell me what the difference is between running in high security and medium Internet Security in ZA? As far as I know Nothing. Except of course for the lack of Stealth feature in Medium there's nothing else that ZA doesn't do in medium that it does in high, is there?
Well, you weren't hearing that from me. Indeed, that was sort of the thrust of one of the points that I made in response to jaykaykay (or is my sentence structure getting so convoluted that it's hard to tell?).

Wildcatboy [Invisible] (Mod, join:2000-10-30, Toronto, ON)

That was a general question pointed at everyone in this thread and not directly at you JV. It shows as a response to you because I simply responded to the thread (which of course was started by you).

Daniel (MVM, join:2000-06-26, San Francisco, CA) to R2

Responding with ICMP...

said by R2:
One of the users above stated that his firewall can be set up to send ICMP responses to a SYN probe, but he/she never came back to verify that. WCB seems to be against this choice anyway -- but I'll take any option I can get!:)
I can indeed send 'ICMP Deny' packets, but I am not sure which type of ICMP they are. I am hoping to have a machine able to tell me in about a week. I am guessing they are 3,3 or 3,1 responses.

Here is the funny thing. Even if I am in this mode on my firewall and I do a stealth scan on one of the popular sites I come back as stealthed. I think they are assuming that the target is stealthed if they don't receive an RST/ACK; they don't even seem to consider an ICMP response.


jaykaykay [4 Ever Young] (MVM, join:2000-04-13, USA) to jvmorris

Re: Closed vs Stealthed Ports

Don't worry, JV. I won't take anything personally said by anyone and have thoroughly enjoyed this thread. I had pretty much made up my own mind in the first place, even before asking my question, but I thought it needed to be brought back to the every day user without some of the expertise that was quickly overtaking the entire thread and perhaps leaving some of the newer users out in the cold.

Personally, I don't use ICS or ICF so that has never been a problem for me. I also like the idea of blocking all ICMP echo replies and if need be, add specific IPs if such is needed such as Line Monitoring from DSLR. I also don't have much need to remotely ping my box, so that's not a problem either. As to my ISP, we've not butted heads as of yet, and whenever there's a need for it, I either turn down my setting or, God forbid, turn off the firewall for a short time altogether.

I guess, if there isn't any huge difference, cut and dried, it still comes down to what "floats your boat", so I will continue with mine floating upstream happily as is for the time being. The many tests and comments that were made have been terrific though, and the amazing part is that nobody YELLED at anyone and agreed or disagreed with sound basis for their thoughts. Once again, it proves that this site and the people in it are unusually civil and can have this long, long thread with many different thoughts on the same subject. I am delighted you asked the question and I have learned a lot......I think. And, no, you're not chopped liver, but come to think of it, what's wrong with chopped liver?

dja [Happy to Help] (Premium Member, join:2002-03-25, Niagara) to jvmorris

To update you all on the behavioral side of this, I am now down to 12 alerts over the last 24 hours (cable 24/7) with ZAF set: 'Local' and 'Internet' both, to 'Medium'. A record low!

Over the week since this debate originated, I've gone from an average of 600/day, (with high days over 2000) down to 12.

Wildcatboy [Invisible] (Mod, join:2000-10-30, Toronto, ON)

I don't think those are typical results. I've never had 2000 or even 600 alerts a day ever, even during the height of the Code Red and Nimda saga. They are most likely due to misconfiguration or an application you are running that's no longer logged as a result of medium security, and by no means can be attributed to a lower number of attacks or port scans. I seriously doubt that the typical number of attacks people get would differ that much.

dja [Happy to Help] (Premium Member, join:2002-03-25, Niagara) to jvmorris

For a period of two weeks about a month and a half ago, I was hit more than 1000 times a day each from two IPs, one in England and one in Sweden. At the height of worm/virus activity I was always over 2000. I often have to clear the alerts log in ZA because it maxes out at 500 hits.

When you're getting hit in a dedicated manner (even by automated scanners) you can easily be hit once a second, every second, 24 hours a day. That would be over 80,000. So, 2000 is only 1/40th, or (1) hit per 40 seconds (which is very realistic with a STATIC IP that starts with a 24.)

Most of the scans were on very high numbered ports >40000, and at least 25% of all alert activity was from ISP and network servers that required acknowledgment from a 'stealthed' device and weren't getting any. All such servers and gateways etc. are now in a lower zone, eliminating more alerts.

No changes to software or security other than dropping to 'observable' status in ZA have occurred on my device. I 'clean' out old apps and dlls etc. in the registry, NOT with software. I ERASE all free space and run SFC and Defrag three or four times a week. And I don't think ZAF can be misconfigured. It's 'on' or 'off' or 'high' or 'med'....etc.

Say what you will... I've gone from the hundreds to the dozens, apparently by becoming 'visible'.