Question About Intrusion Attempts

Could it be your internet address changed because of something? Maybe the real IP+port was used by someone else before and now that “public IP” is assigned to your internet connection?

But as it’s blocked I’d say there is nothing to worry about, except for the fact that your router allows this traffic to enter. If you only use fixed ports I’d set up the router to only allow those ports in to your PC.

So you’re suggesting I set up two rules in the router keeping the two specific ports I use open all the time and another one blocking all other ports completely? Don’t I need port 80 to be open for the internet?

If a port scanner then found either of these ports when they are open and in use could someone then just pour anything through them? Or does it not work like that?

Well I think we are confusing two things here, the directions.

The two specific ports are used for incoming traffic, to allow traffic FROM the internet to arrive on your PC.
Browsing the internet is traffic TO the internet on port 80/443 (HTTP/HTTPS).

A normal router firewall setup is to allow all outgoing traffic and to block all incoming traffic (set up from the outside, that is). So if you set up port-forwarding to only those 2 ports that should work fine.

Sorry if I’m asking too many questions, I’m trying to understand this network security lark.

So if I set up those two rules in the router, which I know how to do, will it not leave those ports vulnerable to attack all the time from someone using a port scanner etc?

When I access the Internet it’s outgoing traffic but, when I want to view a webpage, does the information not have to be downloaded to my PC and would that not then be incoming traffic? Or am I getting this all wrong?

No problem.

So if I set up those two rules in the router, which I know how to do, will it not leave those ports vulnerable to attack all the time from someone using a port scanner etc?
Only if you have the application running, else the system will block the "probes".
When I access the Internet it's outgoing traffic but, when I want to view a webpage, does the information not have to be downloaded to my PC and would that not then be incoming traffic? Or am I getting this all wrong?
That's the task of a "stateful" firewall: it allows traffic out, records the details in the state table and then allows the return (incoming) traffic based on the fact that it knows you initiated this traffic.

A session normally starts with a handshake like:

PC → SRV = SYN (for synchronize)
SRV → PC = SYN+ACK (acknowledge SYN request)
PC → SRV = ACK (ack)

Only now can data start to be sent, so if the SYN request is coming from the internet it will be blocked, because the firewall knows it’s coming from the internet and starting a connection based on the SYN flag.
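To make the stateful behaviour described in this reply concrete, here is an added toy model (not code from the thread or from any router vendor): outbound packets are always allowed and recorded in a state table, inbound packets are allowed only if they match a recorded session or hit one of two port-forwarded ports, and any other inbound SYN is dropped. The ports 50001/50002 and all IP addresses are constructed example values.

```python
# Added example: a minimal simulation of a stateful home-router firewall with
# two port-forwards. Forwarded ports and addresses are made-up sample values.
from dataclasses import dataclass

FORWARDED_PORTS = {50001, 50002}  # constructed example port-forwards


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (PC -> internet) or "in" (internet -> PC)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


class StatefulFirewall:
    def __init__(self, forwarded_ports):
        self.forwarded = set(forwarded_ports)
        self.state = set()  # entries of (pc_ip, pc_port, remote_ip, remote_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            # Everything out is allowed and the session is remembered
            self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state:
            return "ALLOW"  # return traffic for a session the PC started
        if pkt.syn and not pkt.ack and pkt.dst_port in self.forwarded:
            self.state.add(key)  # new inbound connection to a forwarded port
            return "ALLOW"
        return "DROP"  # unsolicited inbound traffic, e.g. a port-scanner probe


def run_scenarios():
    fw = StatefulFirewall(FORWARDED_PORTS)
    pc, web, scanner = "192.0.2.10", "198.51.100.5", "203.0.113.9"
    r = {}
    # Browsing: outbound SYN to 443, then the server's SYN+ACK is let back in
    r["browse_out"] = fw.decide(Packet("out", pc, 51000, web, 443, syn=True))
    r["browse_return"] = fw.decide(Packet("in", web, 443, pc, 51000, syn=True, ack=True))
    # A scanner's SYN to port 80 on the PC: not forwarded, dropped at the router
    r["probe_80"] = fw.decide(Packet("in", scanner, 40000, pc, 80, syn=True))
    # A scanner's SYN to a forwarded port: reaches whatever application listens
    r["probe_forwarded"] = fw.decide(Packet("in", scanner, 40001, pc, 50001, syn=True))
    # An ACK that matches no state entry is dropped, even from a known server
    r["fake_return"] = fw.decide(Packet("in", web, 443, pc, 52000, ack=True))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:16s} {verdict}")
```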

So if I have the application running and have those two rules in place then I’m completely open to attacks from anyone with a port scanner? If they happen to find that port open, what sort of damage can they do? Does it give them full access?

Thanks for the info on the session and handshakes, that makes a lot more sense. Thanks for your patience too Ronny.

Well a port scanner is not an attack, it’s more like a tool to see if the port is active or not.
If you set 2 port-forwards and have the application(s) active, he/she will be able to determine that the ports are active on your system, but then they still have to find out what application is running on that port, and once they have that, the application needs to be vulnerable for them to be able to attack it.

Depending on the vulnerability in the application they could crash it, or in the worst case take over your system if the application really has a high-risk vulnerability. That’s one of the reasons you should always upgrade to the latest version, and use a tool like Secunia’s PSI to scan your system for “old/vulnerable” applications.

It also depends on whether you are using your computer with an Administrator account or not; big chance is that a vulnerable application run under a limited account is not fully exploitable by them because it lacks permissions at some point.

You can also check out certain software on their site for known vulnerabilities: About Secunia Research | Flexera

Yeah, I see what you mean. I meant attack as in: if someone’s going to run a port scanner and find a vulnerable port then they are obviously going to try and attack it, or they wouldn’t have been running the port scanner in the first place. I can’t really see it being an enjoyable activity myself!

I keep up to date with all applications I use, or at least try to.

It’s all done as administrator since I’m the only one who uses the PC (well, apart from my girlfriend now and then for Skype and email). Is it worth going through the bother of setting up a non-administrator account and having to change accounts every time I want to install something new?

Thanks for the links, I’ll give Secunia’s PSI a run now.

You’ve all (Quill, Ronny & Endymion) been great, thanks for your help, think I’m finally starting to understand it all! :)

Well those who do enjoy it are most of the time searching for a “default” port of a vulnerable application.
Like 22 for SSH, 80 for HTTP etc. If you choose a few high ports, like higher than 50000, most port scanners won’t include those in their default port list and won’t find you because of that.

Only if someone is targeting your IP address specifically and would risk a full scan of all ports will they find your 2 ports, and then they still have to probe those ports with special packets to see what application is behind them.

So I wouldn’t worry too much about that…

Well I don’t know if you install new stuff every day, but it’s one of the best practices to do.
Almost 80/90% of the current malware/viruses don’t survive running under a normal account; they simply don’t have enough permissions to get a hook on an automatic startup…

But you can always use DropMyRights from Microsoft to drop your browser and email applications to a normal user, even if you are logged on as administrator. You can find more information about it here: