SYN Port Scan Attack

Guest

Every 5 minutes for about a week now, I'm getting a SYN Port Scan attack
blocked by my firewall (McAfee). Does anybody know about these things enough
to walk me through getting rid of whatever is trying to get into my system?
I'm going nuts! I click on the visual tracer but don't know what I'm looking
at. I've reviewed the log in firewall, and it seems to be coming from the
same remote address but to different remote ports. HELP!
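
The pattern described in the post above (one remote address, many different ports, repeating every five minutes) can be confirmed from a firewall log export. This is an added example, not part of the original thread; the log format, addresses and thresholds are constructed for illustration and are not McAfee's format.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in a made-up format (NOT McAfee's log format):
# timestamp, action, protocol/flag, remote ip:port -> local ip:port
SAMPLE_LOG = """\
2005-03-01 10:00:02 BLOCK TCP SYN 203.0.113.7:40112 -> 198.51.100.20:135
2005-03-01 10:00:02 BLOCK TCP SYN 203.0.113.7:40113 -> 198.51.100.20:139
2005-03-01 10:00:03 BLOCK TCP SYN 203.0.113.7:40114 -> 198.51.100.20:445
2005-03-01 10:02:41 BLOCK TCP SYN 192.0.2.55:51000 -> 198.51.100.20:80
2005-03-01 10:05:01 BLOCK TCP SYN 203.0.113.7:40220 -> 198.51.100.20:1025
2005-03-01 10:05:02 BLOCK TCP SYN 203.0.113.7:40221 -> 198.51.100.20:3389
2005-03-01 10:10:02 BLOCK TCP SYN 203.0.113.7:40330 -> 198.51.100.20:5000
2005-03-01 10:10:03 BLOCK TCP SYN 203.0.113.7:40331 -> 198.51.100.20:8080
"""

LINE = re.compile(r"^(\S+ \S+) BLOCK TCP SYN ([\d.]+):\d+ -> [\d.]+:(\d+)$", re.M)

def summarize(log_text, min_ports=5, burst_gap=60):
    """Group blocked SYNs by remote address; report distinct ports and repeat period."""
    per_src = defaultdict(list)
    for m in LINE.finditer(log_text):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        per_src[m.group(2)].append((ts, int(m.group(3))))
    report = {}
    for src, hits in per_src.items():
        hits.sort()
        ports = sorted({port for _, port in hits})
        # A new burst starts when more than burst_gap seconds pass without a hit.
        starts = [hits[0][0]]
        for (prev, _), (cur, _) in zip(hits, hits[1:]):
            if (cur - prev).total_seconds() > burst_gap:
                starts.append(cur)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        report[src] = {
            "ports": ports,
            "bursts": len(starts),
            "period_s": median(gaps) if gaps else None,  # ~300 means every 5 minutes
            "looks_like_scan": len(ports) >= min_ports,  # many ports from one source
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

A single source with many distinct local ports and a steady period points to an automated scanner rather than a mistyped connection, and the source address is what to hand to the ISP when reporting it.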
 
R. McCarty

For any Broadband connection, it's useful to occasionally
disconnect and then reconnect to obtain a new IP address.
Many Bot tools will continuously bang on a known IP and
by renewing you can get temporary relief. The longer an
IP Address is leased/used the more attacks are likely to
happen.
 
Guest

How do I disconnect and reconnect? Do I shut down, remove cable connection,
boot up without cable connection, shut down, reconnect cable connection, boot
up?
 
R. McCarty

That depends on your hardware connection. If you have a cable
modem or DSL modem, both have a Web interface you can log
into. Once inside you can disconnect and re-connect from the
unit's maintenance or status screen.

Most times your unit's IP address is either 192.168.1.1 or perhaps
192.168.2.1. Check your manual and it will have instructions on
how to access the setup utility page.

You can always determine the correct IP Address to use by doing
the following:

Click Start, Run (Type) IPconfig/all [Press Enter] jot down or note
the Gateway address, that's the IP you enter in Internet Explorer.
example http://192.168.1.1

Most all modems and routers use a default account and password
of admin (non case-sensitive).
 
Guest

I hate to sound ignorant, but I am about this! We didn't get a manual with
our equipment from the cable company. How do I get to the Web interface, and
then to the maintenance or status screen? I tried typing in the IPconfig/all
in Run, but got an error msg that Windows could not find it.

 
R. McCarty

Nancy, I'm sorry I left out a step, the instructions should have been
Start, Run, (Type) Command, then inside the box type Ipconfig/all.
Once you've noted the information, type Exit & Press enter to exit
the command prompt box.
If you just have a cable modem the easiest way to get a new IP is
just unplug the round power cable from the modem, wait a couple
of seconds and then re-insert the power plug. The modem will get
a new IP from the Server. To verify, just check the IP address
before you unplug and then again afterwards.


Andrei Ungureanu said:
I think you should contact your ISP and report this problem to them.


--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/

 
NobodyMan

This may work, but probably won't. A vast majority of cable providers
use leases that last at least 90 days. Just rebooting the computer,
or the modem, won't change the address as the DHCP server at the cable
provider stores the IP address against the cable modem MAC address.
So when the modem comes back on line, the cable DHCP server checks the
MAC address transmitted, then checks the IP allocation table. If the
lease hasn't expired, then it is just reassigned. Even when the lease
expires, the server will attempt to renew the same address to the same
MAC address (in other words, keep your IP address the same) if at all
possible.

I've used the same IP with my cable provider now for over two years.
The leases are good for 90 days. That means that every ninety days,
the cable DHCP server just rolls over the lease.
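
The allocation behaviour described in the post above, as a small simulation. This is an added example, not part of the original post and not a real DHCP server; the class, the addresses and MACs, and the rule that an address only changes once another client holds it are assumptions made for illustration.

```python
from datetime import datetime, timedelta

LEASE = timedelta(days=90)  # lease length quoted in the post above

class LeaseServer:
    """Toy model: the server remembers which address each modem MAC was given."""
    def __init__(self, pool):
        self.pool = list(pool)
        self.by_mac = {}  # mac -> (ip, lease expiry)

    def _held_by_other(self, ip, now, asking_mac):
        return any(lip == ip and exp > now and mac != asking_mac
                   for mac, (lip, exp) in self.by_mac.items())

    def request(self, mac, now):
        old = self.by_mac.get(mac)
        if old and not self._held_by_other(old[0], now, mac):
            ip = old[0]  # known MAC: same address again, even after expiry
        else:
            ip = next((a for a in self.pool
                       if not self._held_by_other(a, now, mac)), None)
            if ip is None:
                raise RuntimeError("address pool exhausted")
        self.by_mac[mac] = (ip, now + LEASE)
        return ip

def demo():
    t0 = datetime(2005, 1, 1)                      # constructed start time
    srv = LeaseServer(["198.51.100.10", "198.51.100.11"])
    modem, other = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed MACs
    first = srv.request(modem, t0)
    # Unplugging the modem for a few seconds: same MAC asks again.
    after_power_cycle = srv.request(modem, t0 + timedelta(minutes=2))
    # Lease has run out, modem asks again: server renews the same address.
    after_expiry = srv.request(modem, t0 + timedelta(days=95))
    # Modem stays offline past expiry and another client is given its address.
    srv.request(other, t0 + timedelta(days=200))
    after_reassigned = srv.request(modem, t0 + timedelta(days=201))
    return first, after_power_cycle, after_expiry, after_reassigned

if __name__ == "__main__":
    print(demo())
```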

 
Guest

It didn't work. The same address was assigned again. I'm at a loss. Of
interest, the SYN port scan attack is actually coming from the cable company
that we use. I guess I need to deal with them directly. Any other
suggestions, anyone? Thanks for those given so far.

 
NobodyMan

If this is a scan that is actually coming from your cable provider,
there is very little you can do. They have every right to scan their
network.

 
Guest

Thanks for all the support, but as mysteriously as it began, it seems to have
stopped. It seemed to begin shortly after doing an Ad-Aware scan, then has
stopped since doing another. Very strange.
 
