Security Basics mailing list archives

Re: IP flood?


From: "Pat Moffitt" <pmoffitt () wrv com>
Date: Wed, 17 Sep 2003 15:00:55 -0700

Port scans seem to be a fact of life...

Some of the viruses and worms are scanning to find victims right now.  The
amount our 5 addresses are getting scanned has gone up by orders of
magnitude in the last month.

Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc

----- Original Message -----
From: "Eric Brown" <ericbrow () ziplip com>
To: <security-basics () securityfocus com>
Sent: Wednesday, September 17, 2003 9:01 AM
Subject: IP flood?


Hello all,

I've been watching the list for quite a while now, and I've run across a
problem where I can't find a solution.

My neighbor got cable internet a few months ago.  He's got a Win98 machine
that's running the latest version of Zone Alarm.

Two weeks ago, he started getting pings that appeared to be from many
different IPs, all within the cable ISP's IP range.  He likes to see any
kind of hits he gets, so he has Zone Alarm set to pop up a window each time.
The pings are not steady.  He might get one in a 10 second window, then a
dozen in the next second.

He called tech support, and they changed his dynamic IP to a different one,
and this stopped the activity for about an hour.  I uninstalled an older
version of Zone Alarm, and installed the newest one, and the activity
stopped for about 2 hours.  His Norton's anti-virus is fully updated.  I've
run NMap and LANguard network scanner.  With Zone Alarm on, he doesn't show
up.  Without Zone Alarm, no ports other than what you would expect on a
Win98 machine (no 31337).  I ran grc.com's Shields Up and got nothing.

Can we stop the IP flood?  Can or should the ISP?  Or should he just shut
off notification in Zone Alarm so he doesn't see the messages?

Thanks,
Eric Brown


To do is to be.  -Socrates
To be is to do.  -Sartre
Do be do be do.  -Sinatra

---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------

