I'm being portscanned by Akamai Technologies


Windependent

Well, it has been an interesting day. Ever since mid-afternoon I've been subjected to a barrage of PORTSCANS from an array of machines located at IP addresses that belong to AKAMAI TECHNOLOGIES, a large computer security firm.

 

My home LAN is on a DSL connection that has an el-cheapo firewall/routing appliance acting as the first level of defense against the outside world. The model is a D-Link DI-604 broadband router that has firewall features including SPI and the option to block ranges of IP addresses.

 

During the entire time that I've had a broadband connection (which has to be over 6 months now) I've NEVER had the PC-based firewall software report an incoming event. The little PNP router has done a fantastic job of keeping everyone out. If I go to DSLREPORTS.com and do a scan, all of my ports are closed and I get a report that the system is completely healthy, with all TCP and UDP packets filtered. Just to be on the safe side, I've still installed a second layer of defense by deploying firewall software on all of my PCs. On the Win machines, this has included ZoneAlarm, McAfee Personal Firewall, or both.

 

For reasons that are unclear, suddenly a bunch of computers residing in the IP ranges of 205.161.4.156 to 205.161.4.172 have been able to get past my firewall appliance. As a result, my PC-based firewalls are for the first time reporting sequential portscans that have persisted throughout the course of the day. All of the IP addresses trace back to AKAMAI TECHNOLOGIES.

 

So this raises a few questions:

1. Why does AKAMAI bother to portscan my LAN in the first place?

2. How do they get past my hardware firewall when I have the IP range of 205-161-4-0 to 205-161-4-255 blocked? Looking at the hardware firewall logs, it is successfully blocking some of the incoming packets from that IP range, but others are getting through.

3. Does "Trusted Computing" include backdoors, like the ability of some firms to get past hardware firewalls, or am I just paranoid?

 

At any rate, if you have a broadband connection, I would not settle for just hardware or software protection. You may need both.

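The two symptoms in the post above (a sequential port sweep from one source, and packets from a supposedly blocked range that the router nonetheless accepted) are exactly what a defender would want to pull out of the router's log rather than eyeball. The following is an added example written for this thread, not code from the original poster or from D-Link: it parses a constructed, generic "timestamp action proto src -> dst" log (the DI-604's real log format is not shown in the thread and is not assumed here), reports each source whose probed destination ports form a long consecutive run, and lists every ACCEPT whose source falls inside the block list, which is the "some are blocked, others get through" case the poster describes. The block list uses the 205.161.4.0/24 range the poster says is configured.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log in a generic "timestamp action proto src -> dst" style.
# This is NOT the DI-604's real log format; the thread never shows one.
SAMPLE_LOG = """\
2004-02-03 15:02:11 DROP   TCP 205.161.4.156:4021 -> 10.0.0.2:135
2004-02-03 15:02:11 DROP   TCP 205.161.4.156:4022 -> 10.0.0.2:136
2004-02-03 15:02:12 ACCEPT TCP 205.161.4.156:4023 -> 10.0.0.2:137
2004-02-03 15:02:12 ACCEPT TCP 205.161.4.156:4024 -> 10.0.0.2:138
2004-02-03 15:02:13 DROP   TCP 205.161.4.156:4025 -> 10.0.0.2:139
2004-02-03 15:02:14 ACCEPT TCP 205.161.4.172:3301 -> 10.0.0.2:113
2004-02-03 15:03:01 ACCEPT TCP 198.51.100.7:51000 -> 10.0.0.2:21
2004-02-03 15:03:05 DROP   TCP 198.51.100.7:51001 -> 10.0.0.2:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>DROP|ACCEPT)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# The range the poster says the router is configured to block, as a CIDR block.
BLOCKED_NETWORKS = [ipaddress.ip_network("205.161.4.0/24")]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def is_blocked(src, networks=BLOCKED_NETWORKS):
    """True if the source address falls inside any configured block range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def longest_consecutive_run(ports):
    """Length of the longest run of consecutive port numbers in the list."""
    ports = sorted(set(ports))
    best = run = 1 if ports else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyze(log_text, networks=BLOCKED_NETWORKS, min_run=4):
    """Summarise sequential scans per source, and packets that the block rule
    should have dropped but the router accepted ("leaks")."""
    ports_by_src = defaultdict(list)
    leaks = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ports_by_src[ev["src"]].append(ev["dport"])
        if ev["action"] == "ACCEPT" and is_blocked(ev["src"], networks):
            leaks.append((ev["src"], ev["dport"]))
    scanners = {}
    for src, ports in ports_by_src.items():
        run = longest_consecutive_run(ports)
        if run >= min_run:
            scanners[src] = run
    return {"scanners": scanners, "leaks": leaks}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, run in result["scanners"].items():
        print(f"sequential scan from {src}: {run} consecutive ports probed")
    for src, dport in result["leaks"]:
        print(f"block-rule leak: {src} reached port {dport} despite the block")
```

On the sample, 205.161.4.156 is reported as a sequential scanner (ports 135 through 139) and three ACCEPT lines from the blocked range are reported as leaks, including the single probe of port 113 from 205.161.4.172; the two-port contact from 198.51.100.7 stays below the run threshold. The consecutive-run heuristic is deliberately simple: a source that probes ports in a random order would need a distinct-port count or a time-window test instead.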

have you attempted to contact them?

Yes, but it's after hours and nobody answers phone calls or emails.

 

I spent the later part of the afternoon trying to trace the portscans and secure my network, and by the time I was finished it was past 5 pm ET. I did manage to contact their service host (Sprint) to lodge a complaint. I won't be able to call Akamai until tomorrow.

Edited by Windependent

This is probably their servers being hijacked since they host microsoft.com (on linux for MS) and the present mydoom hangers on are attacking this and looking for mydoom infected hosts to add to the attack...

 

you probably had a windows machine with mydoom ?? or someone else did with your present IP ??


I would agree with Gowator. I think yours or someone on your local net was infected. Just recently I was hit pretty hard with the mydoom virus. I had to turn off firewall remote logging because it was filling up.

 

I would consider a Windows computer in your local net getting the virus via email or something.

 

 

EDIT:

 

Added note here. Do you have port forwarding turned on at your firewall?

Edited by ac_dispatcher

you probably had a windows machine with mydoom ?? or someone else did with your present IP ??

Hmm. That's an interesting thought, but I don't know that it would apply to me. The only Win boxes that I have are two Windows 2000 Pro PCs on the network, both of which are up to date with the latest updates, and neither of which has any mail client configured on it. (I don't use any Windows PC for e-mail.) Both PCs are running McAfee VirusScan, McAfee Personal Firewall, and ZoneAlarm, which are checked for updates automatically.

 

I guess it could be a virus/trojan, but I wonder how I could have picked it up, as both of these PCs have been freshly installed on formatted drives direct from the installation CDs within the past week. Each had Firewalls and AntiVirus software installed on them prior to the initial WAN hookup. No internet downloads have ever been installed/executed on them except from MSFT, McAfee, and ZoneLabs. Nothing has changed and nobody else has used them. I know that this is the case because I am the only person who has access to these boxes. So if I have been struck by a virus/trojan, it had to be one crafty mother. Hmmmm.

 

FWIW, I have been thorough enough to cripple my user account so that software install privs are not included. The Admin/Root account is never used unless absolutely necessary, and when it is, the SU is promptly logged off and the regular user is logged back on. So if I have been hit by a virus/trojan, it has to be from one slick exploit as I have not been running around with my pants down -- Oh, wait a minute. I am running MS Windows. :screwy:

 

On the subject of trying to reach Akamai -- I can't get past their voicemail firewall. :wall:


Sorry off topic here:

 

Found this cool website that may give some since security info:

 

http://www.firewallguide.com/

Thanks for the link. Looking at the primer and the reviews, it seems that I'm not overlooking anything, but the probability remains that I've picked up some sort of malware. Even though the malware scanners are "up to date," and are giving my PC a clean bill of health, it's always a possibility that the bad guys are one step ahead of them.

 

Although I haven't used email on either of these boxes, one of them has the current version of MS Media Player 9 on it -- I'm wondering if I could have been caught by one of the exploits in the MPEG player.

 

At any rate, YaST is now running on the PC that I expect is the source of the problem -- formatting the entire disk subsystem for use with Linux. I've decided that one Win PC is enough for me. :wall:


Added note here. Do you have port forwarding turned on at your firewall?

I've scanned myself using Steve Gibson's SHIELDS UP!! and I've found that all of my ports on the NAT router are stealthed... with the exception of Port 113 which replies with CLOSED. Optimally, I'd like to forward scans on Port 113 to a non-existent IP address, but I don't see that port forwarding is even available on my NAT firewall router.

Edited by Windependent

UPDATE:

 

Akamai remains unreachable. Their VoiceMail system has proven to be the most effective information firewall on the planet. :furious3:

 

To solve the problem, I just decided to reset my DSL modem and DHCP into a new IP address. That seems to have worked for the moment... at least their servers aren't attacking me anymore.

 

As an added security measure, I've reformatted the disk subsystem on the Win box and installed Suse 9.1 instead. :cheeky:


I was getting heavy port scanning over the weekend ... and reset my router.

 

My DNS entry changes every 24 hrs from ISP and I think I was being scanned because the person with the IP before me had some malware...

 

I have NO WINDOWS .... and haven't ever since I moved in except my friend's GF is staying at the moment and using her win lapdog.... over my WiFi... so I'm wondering if she could have been the cause.

 

The mydoom variants apparently leave backdoors (I don't follow win security until someone asks me to clean their PC) and these are being used to execute a massive DOS on microsoft.com ... except MS moved microsoft.com to akamai hosting... (who says MS don't take security seriously.. they use linux :D so let that be a lesson to their customers :D )

 

By replacing a Winblows PC you have got rid of the Windows trojan anyway :D which is always a good thing....

 

I can't actually see why anyone would want a Win2K machine ??? (Win98 or XP for gaming yea but I'm curious what a Win2k machine would actually do that can't be done better in *nux/*bsd?)


I can't actually see why anyone would want a Win2K machine ??? (Win98 or XP for gaming yea but I'm curious what a Win2k machine would actually do that can't be done better in *nux/*bsd?)

I don't do gaming, so gaming compatibility is not an issue for me.

 

So WHY would I want a Win2k machine? Well, ultimately it's because I have no other choice! :lol:

 

I hate to admit it, but I have several custom/legacy Win 95/98 applications that have to be supported. So I am forced to keep a Windows box running to keep those applications available. The good news is that all new applications are being deployed on Linux, so there's hope that eventually the Windows dependence problem will correct itself via attrition. But until then I'm forced into multiplatform support.

 

The migration to Win 2000 was made because of reliability problems in Win98. We had significant problems with memory leaks and hardware compatibility issues under Win98 that completely disappeared once Win 2000 Pro was installed. From a practical perspective, 2000 Pro is a bulletproof version of 98 -- it's everything that 95 was supposed to have been.

 

The problem with XP is that it is grossly incompatible with software that was designed for previous versions of Windows. If you don't use software that bears the "designed for XP" logo, you're in for trouble.

 

For example, I have 95/98 programs that I am supporting on Windows 2000 Professional without any problems. They absolutely will not run on Windows XP Professional. XP made quite a few changes in file handling, including hidden/uneditable flags on file permissions that irreversibly render the data files for some applications that predate the "designed for XP" paradigm as Read Only. The concept of user security in XP came as an afterthought, and as a result, the file permission system is totally screwed. It gets even worse if you deploy NTFS.

 

The solution, of course, is a software upgrade. That makes absolutely no sense when you're trying to migrate away from Windows because of TCO concerns. :wall:


I was getting heavy port scanning over the weekend ... and reset my router. 

 

My DNS entry changes every 24 hrs from ISP and I think I was being scanned because the person with the IP before me had some malware...

 

Unless I reset my modem, I will hold the same IP address indefinitely. I will get a new one, however, if something goes awry at the head office, or if I recycle my modem.

 

The good news is that my IP address remains fairly static, so I can run an FTP server. Every time it changes, everyone on the outside needs to know the new IP address.
