Help With Firewall Attacks

Hi,

I opened CIS GUI and I noticed 400+ intrusions blocked by a custom policy I have to BLOCK IP in from IP any to MY MAC ADDRESS Where Protocol is ANY.

I noticed the blocked intrusions were almost one per second. I attached a screenshot to see if you can tell me if this is a real intrusion or a bad configuration. I have to say that I always create this rule when I install CIS and this had never happened before. It started an hour ago. I turned off the wireless, scanned the PC with CAV, KAV and Superantispyware and the three found nothing. I turned on the wireless again and immediately it started blocking intrusions. At a count of 14, it stopped and I have had none since (that was 15 mins ago). Now everything is back to normal.

The funny part here is the IP addresses that attacked my PC. Random IPs. I erased the log because I had close to 1000 attacks at the end so I can only show you the last 14 attacks.

Thanks

EDIT: I have no problems with MS Updates with this rule so I can say that is not it. I checked the running apps on COMODO and everything was fine. No malware that I can tell.

EDIT: I traced two IP addresses and one was from Hong Kong and the other from Germany…WTF??
Thanks

[attachment deleted by admin]

Off the top of my head, I’d say you were being probed, particularly given that it started suddenly and ended just as suddenly.

Cheers,
Ewen :slight_smile:

Pardon my French and ignorance but what does that mean?? Probed?

Thanks for your reply!

Correct me if I’m wrong, but isn’t probing scanning someone’s ports to see if there’s one open or so?

Xan

OMG!

Oh well. At least I have CIS installed and that wonderful Rule of blocking anything from outside!

Do people need any more proof that CIS is THE WAY TO GO!!!
(S)

Thank you guys!

NP :wink:

By the way, if you are behind a router and these probes are getting to your PC, it would be worth your while to have a look at the firewall setup on your router. You can configure it so these probes would never reach your PC but be stopped by the router’s firewall.

Cheers,
Ewen :slight_smile:

Thanks for the recommendation. Will do that but not now.
It was at work that I got the attacks. Ok, we have the internal network and a DSL line for external PCs which we do not connect to the work network of course. So, my co-worker has KIS installed on his personal laptop and he always gets infected. KIS detects the threats but they reach his PC. I’m trying to make him move to CIS as he saw the reviews at remove-malware.com and stuff. He saw today’s attack and he was shocked!! So I’ll wait a while to see how much ■■■■ he can get into his PC, hehehehe!! I know it’s DARK but he’s got to learn!!! hehehe

Thanks a lot guys!!!
Happy Holidays!!

If it was on a work LAN, then there could be other things in play causing this. The LAN admins could have been running an audit, it may have been a backup agent attempting to sync, they could have been trying something new that ran amok - the list is almost endless.

If you are installing CIS on a work PC not owned by yourself, please double check with your IT Crowd that it’s OK and conforms to their current policy. :wink:

Cheers,
Ewen :slight_smile:

P.S. If your co-worker keeps getting infected, be very careful, since he is assumedly on the same subnet as you and you may have rules in place to allow local LAN traffic.

Thanks panic. Confirmed, it was an attack. All the IPs were from China, Germany, Australia and UK.

Thanks all!!!

cool… you have an international fan base :slight_smile:

Melih

LOL

I’d never seen anything like this. It was so cool watching CIS blocking attacks! It was scary but worth it! LOL

Melih, one more time thank you and your DEV team for such a great product!
(S)

Forgive my ignorance, but what does this rule do?
I’ve read it and I’m trying it and it blocks lots of IPs, but the internet connection is going well (like before this rule).
So, what does it block?
Thank you guys! (:KWL)

It blocks all incoming traffic (inbound connections).

But internet goes well. For example, I can use p2p with no problems at all.

Because you don’t need inbound connections for your internet to work. Browsing the internet, downloading files from a p2p, etc uses outgoing requests from your PC to the destination. With that rule, no one can connect to your PC (e.g. no one can download files from your PC from a p2p, etc.)

I use that global rule too. :slight_smile:

Neat! (Nobody has ever attacked me :-[) It would be nice if you could send something back like “sorry, I’m too smart for you”. ;D

It’s normal. Some worms are scanning IPs 24/24 to find vulnerable machines. Also, some services are scanning IPs to find spam and proxy servers and blacklist them.

http://www.dronebl.org/

Indeed this rule will block any incoming traffic. Because the attacks were using protocol UDP it was trying to connect to the OS directly in some way, it is kinda difficult to understand (I still don’t in some way). hehe

But that was it.
The internet will work great with this rule because you are blocking only incoming connections. Besides, you have the application based rules so you are good to go!!

Thanks COMODO

Yea. I have no need for inbound connections so I use that rule too (and I still have a firewalled router). I also allow all outgoing (but since CFP checks application rules first on outgoing, nothing can phone home). :slight_smile:

:BNC
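
Added example (not part of the thread and not Comodo's code): a simplified Python model of the behaviour discussed above, where a block-all-inbound rule still lets replies to the PC's own outgoing requests through, plus a summary of the block log by distinct source. The class, function names, ports and addresses are constructed for illustration.

```python
from collections import Counter

class StatefulFilter:
    """Toy model: allow all outbound, block unsolicited inbound."""

    def __init__(self):
        self.flows = set()   # flows opened by this PC
        self.blocked = []    # (proto, remote_ip, local_port) of dropped packets

    def outbound(self, proto, lport, rip, rport):
        # Outgoing request: remember the flow so the reply can return.
        self.flows.add((proto, lport, rip, rport))
        return "allow"

    def inbound(self, proto, rip, rport, lport):
        # Only packets that answer a flow this PC opened get through.
        if (proto, lport, rip, rport) in self.flows:
            return "allow"
        self.blocked.append((proto, rip, lport))
        return "block"

def summarize(blocked):
    """Count distinct sources and hits per local port in the block log."""
    sources = {rip for _, rip, _ in blocked}
    ports = Counter(lport for _, _, lport in blocked)
    return len(sources), dict(ports)

def demo():
    # Constructed sample traffic using RFC 5737 documentation addresses.
    fw = StatefulFilter()
    results = {}
    # Browsing: the PC opens the connection, the server's reply is allowed.
    fw.outbound("tcp", 50000, "198.51.100.10", 443)
    results["web_reply"] = fw.inbound("tcp", "198.51.100.10", 443, 50000)
    # A different host aiming at the same local port is not part of that flow.
    results["stranger"] = fw.inbound("tcp", "203.0.113.7", 443, 50000)
    # P2P: downloading works (outbound), a peer connecting in is blocked.
    fw.outbound("tcp", 50001, "192.0.2.44", 6881)
    results["p2p_download"] = fw.inbound("tcp", "192.0.2.44", 6881, 50001)
    results["p2p_peer_in"] = fw.inbound("tcp", "192.0.2.45", 51000, 6881)
    # Unsolicited UDP from unrelated sources, like the entries in the log.
    for ip in ("192.0.2.1", "198.51.100.77", "203.0.113.200"):
        results[ip] = fw.inbound("udp", ip, 40000, 40001)
    results["summary"] = summarize(fw.blocked)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Many distinct sources hitting the same local port in a short window, as in the summary, is the pattern the replies describe as probing.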