repeated connection attempts blocked by firewall

 
 
George Valkov
Guest
Posts: n/a

 
      05-26-2007, 09:17 AM
Hello!
I woke up this morning, started my DSL modem (takes new IP from DHCP), and
started my PC (behind hardware firewall). I noticed a lot of in-bound
traffic filtered by the firewall.
And so, I checked the firewall log file:
http://gfc.my.contact.bg/tests/2007-...all-log-01.txt
and noticed that a few hosts are trying to access some service - mostly
TCP:12824 that is filtered by the firewall. Being filtered means that they
cannot determine if there is a host, unless they send a PING for it.

My question is:
is the client software that stupid to repeat connection every quarter of a
second?
or is that some attack against the previous owner of that IP?
or is that some Trojan client trying to access server on previous owner of
that IP?
or why is that behaviour?
It makes no sense repeating the connection attempt that frequently, unless
trying to flood the other side. Which also does not make sense because this
IP is being assigned to clients of the ISP and not to a server, and flood
attacks are usually used to prevent access to a specific server.

My action was to reset the DSL modem again and take a new "clean" IP for the
DSL modem.

I am also going to ask my ISP to configure the modem not to respond to ICMP
packets.



Thank you for any information and shared knowledge!

George Valkov


 
 
 
 
 
Jack (MVP-Networking).
Guest
Posts: n/a

 
      05-26-2007, 03:49 PM
Hi
If you are referring to traffic trying to come in, it is probably regular
Internet and ISP noise and as long as it does not impede your connection it
can be ignored.
Jack (MVP-Networking).

"George Valkov" <(E-Mail Removed)> wrote in message
news:emPt%(E-Mail Removed)...
> Hello!
> I woke up this morning, started my DSL modem (takes new IP from DHCP), and
> started my PC (behind hardware firewall). I noticed a lot of in-bound
> traffic filtered by the firewall.
> And so, I checked the firewall log file:
> http://gfc.my.contact.bg/tests/2007-...all-log-01.txt
> and noticed that a few hosts are trying to access some service - mostly
> TCP:12824 that is filtered by the firewall. Being filtered means that they
> cannot determine if there is a host, unless they send a PING for it.
>
> My question is:
> is the client software that stupid to repeat connection every quarter of a
> second?
> or is that some attack against the previous owner of that IP?
> or is that some Trojan client trying to access server on previous owner of
> that IP?
> or why is that behaviour?
> It makes no sense repeating the connection attempt that frequently, unless
> trying to flood the other side. Which also does not make sense because
> this
> IP is being assigned to clients of the ISP and not to a server, and flood
> attacks are usually used to prevent access to a specific server.
>
> My action was to reset the DSL modem again and take a new "clean" IP for
> the
> DSL modem.
>
> I am also going to ask my ISP to configure the modem not to respond to
> ICMP
> packets.
>
>
>
> Thank you for any information and shared knowledge!
>
> George Valkov
>
>



 
 
George Valkov
Guest
Posts: n/a

 
      05-26-2007, 04:06 PM
Yes it is, and since my PC is firewalled it can be ignored, except the part
that it fills the firewall's entire log-file pretty fast. Resetting the DSL
modem to take a new IP is also an easy game...

Next time I'll let it go into the Network protocol analyzer, to see what's
inside :-)



"Jack (MVP-Networking)." wrote:
| Hi
| If you are referring to traffic trying to come in, it is probably regular
| Internet and ISP noise and as long as it does not impede your connection it
| can be ignored.
| Jack (MVP-Networking).
|
| "George Valkov" <(E-Mail Removed)> wrote in message
| news:emPt%(E-Mail Removed)...
| > Hello!
| > I woke up this morning, started my DSL modem (takes new IP from DHCP), and
| > started my PC (behind hardware firewall). I noticed a lot of in-bound
| > traffic filtered by the firewall.
| > And so, I checked the firewall log file:
| > http://gfc.my.contact.bg/tests/2007-...all-log-01.txt
| > and noticed that a few hosts are trying to access some service - mostly
| > TCP:12824 that is filtered by the firewall. Being filtered means that they
| > cannot determine if there is a host, unless they send a PING for it.
| >
| > My question is:
| > is the client software that stupid to repeat connection every quarter of a
| > second?
| > or is that some attack against the previous owner of that IP?
| > or is that some Trojan client trying to access server on previous owner of
| > that IP?
| > or why is that behaviour?
| > It makes no sense repeating the connection attempt that frequently, unless
| > trying to flood the other side. Which also does not make sense because
| > this
| > IP is being assigned to clients of the ISP and not to a server, and flood
| > attacks are usually used to prevent access to a specific server.
| >
| > My action was to reset the DSL modem again and take a new "clean" IP for
| > the
| > DSL modem.
| >
| > I am also going to ask my ISP to configure the modem not to respond to
| > ICMP
| > packets.
| >
| >
| >
| > Thank you for any information and shared knowledge!
| >
| > George Valkov
| >
| >
|
|


 
 
George Valkov
Guest
Posts: n/a

 
      05-26-2007, 04:10 PM
I'll let it talk to a netcat server, just to make it even more realistic ;-)

"Jack (MVP-Networking)." wrote:
| Hi
| If you are referring to traffic trying to come in, it is probably regular
| Internet and ISP noise and as long as it does not impede your connection it
| can be ignored.
| Jack (MVP-Networking).
|
| "George Valkov" <(E-Mail Removed)> wrote in message
| news:emPt%(E-Mail Removed)...
| > Hello!
| > I woke up this morning, started my DSL modem (takes new IP from DHCP), and
| > started my PC (behind hardware firewall). I noticed a lot of in-bound
| > traffic filtered by the firewall.
| > And so, I checked the firewall log file:
| > http://gfc.my.contact.bg/tests/2007-...all-log-01.txt
| > and noticed that a few hosts are trying to access some service - mostly
| > TCP:12824 that is filtered by the firewall. Being filtered means that they
| > cannot determine if there is a host, unless they send a PING for it.
| >
| > My question is:
| > is the client software that stupid to repeat connection every quarter of a
| > second?
| > or is that some attack against the previous owner of that IP?
| > or is that some Trojan client trying to access server on previous owner of
| > that IP?
| > or why is that behaviour?
| > It makes no sense repeating the connection attempt that frequently, unless
| > trying to flood the other side. Which also does not make sense because
| > this
| > IP is being assigned to clients of the ISP and not to a server, and flood
| > attacks are usually used to prevent access to a specific server.
| >
| > My action was to reset the DSL modem again and take a new "clean" IP for
| > the
| > DSL modem.
| >
| > I am also going to ask my ISP to configure the modem not to respond to
| > ICMP
| > packets.
| >
| >
| >
| > Thank you for any information and shared knowledge!
| >
| > George Valkov
| >
| >
|
|


 
 
Chuck
Guest
Posts: n/a

 
      05-26-2007, 04:16 PM
On Sat, 26 May 2007 12:17:52 +0300, "George Valkov" <(E-Mail Removed)> wrote:

>Hello!
>I woke up this morning, started my DSL modem (takes new IP from DHCP), and
>started my PC (behind hardware firewall). I noticed a lot of in-bound
>traffic filtered by the firewall.
>And so, I checked the firewall log file:
>http://gfc.my.contact.bg/tests/2007-...all-log-01.txt
>and noticed that a few hosts are trying to access some service - mostly
>TCP:12824 that is filtered by the firewall. Being filtered means that they
>cannot determine if there is a host, unless they send a PING for it.
>
>My question is:
>is the client software that stupid to repeat connection every quarter of a
>second?
>or is that some attack against the previous owner of that IP?
>or is that some Trojan client trying to access server on previous owner of
>that IP?
>or why is that behaviour?
>It makes no sense repeating the connection attempt that frequently, unless
>trying to flood the other side. Which also does not make sense because this
>IP is being assigned to clients of the ISP and not to a server, and flood
>attacks are usually used to prevent access to a specific server.
>
>My action was to reset the DSL modem again and take a new "clean" IP for the
>DSL modem.
>
>I am also going to ask my ISP to configure the modem not to respond to ICMP
>packets.
>
>
>
>Thank you for any information and shared knowledge!
>
>George Valkov
>


George,

Whenever I see an access attempted against a specific port, I look it up in the
ISC / SANS database.
http://isc.sans.org/port.html?port=12824

That shows 2 things:
1) There is an increasing amount of traffic against that port, being reported.
2) Nobody knows what it is (If an attack port is known it will be identified
here, if anywhere).

Bottom line is, you aren't alone. Watch the ISC page for updates.

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
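
Before looking a port up, it helps to summarise the firewall log by source and destination port and to measure the retry interval the original post describes. The following is an added example, not part of any post in this thread: the log line format, the addresses (documentation ranges), the function names and the 1-second threshold are all assumptions, since the linked log is not reproduced here.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in an assumed format (not the log linked in the thread);
# all addresses are from documentation ranges.
SAMPLE_LOG = """\
2007-05-26 09:01:10.000 DROP TCP 198.51.100.7:3412 -> 192.0.2.10:12824 SYN
2007-05-26 09:01:10.250 DROP TCP 198.51.100.7:3412 -> 192.0.2.10:12824 SYN
2007-05-26 09:01:10.500 DROP TCP 198.51.100.7:3413 -> 192.0.2.10:12824 SYN
2007-05-26 09:01:10.750 DROP TCP 198.51.100.7:3413 -> 192.0.2.10:12824 SYN
2007-05-26 09:01:11.100 DROP TCP 203.0.113.44:1050 -> 192.0.2.10:12824 SYN
2007-05-26 09:01:14.100 DROP TCP 203.0.113.44:1050 -> 192.0.2.10:12824 SYN
2007-05-26 09:01:20.100 DROP TCP 203.0.113.44:1050 -> 192.0.2.10:12824 SYN
2007-05-26 09:02:00.000 DROP UDP 203.0.113.9:5060 -> 192.0.2.10:1026
garbage line the parser must skip
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) DROP (TCP|UDP) ([\d.]+):\d+ -> [\d.]+:(\d+)")

def summarise(log_text):
    """Group dropped packets by (source IP, protocol, destination port)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not drop records
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        times[(m.group(3), m.group(2), int(m.group(4)))].append(ts)
    report = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {"count": len(stamps),
                       "median_gap": median(gaps) if gaps else None}
    return report

def classify(entry, burst_gap=1.0):
    """Sub-second retries vs. slower retries (e.g. SYN backoff) vs. one-off."""
    if entry["median_gap"] is None:
        return "single"
    return "rapid-retry" if entry["median_gap"] < burst_gap else "slow-retry"

if __name__ == "__main__":
    for key, entry in sorted(summarise(SAMPLE_LOG).items(),
                             key=lambda kv: -kv[1]["count"]):
        print(key, entry, classify(entry))
```

The busiest destination port in the report is the one worth checking against the ISC page, and a source repeating well under a second apart is retrying faster than a stack's own SYN retransmission would.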
 
 
George Valkov
Guest
Posts: n/a

 
      05-26-2007, 04:38 PM

"Chuck" wrote:
| On Sat, 26 May 2007 12:17:52 +0300, "George Valkov" <(E-Mail Removed)> wrote:
|
| >Hello!
| >I woke up this morning, started my DSL modem (takes new IP from DHCP), and
| >started my PC (behind hardware firewall). I noticed a lot of in-bound
| >traffic filtered by the firewall.
| >And so, I checked the firewall log file:
| >http://gfc.my.contact.bg/tests/2007-...all-log-01.txt
| >and noticed that a few hosts are trying to access some service - mostly
| >TCP:12824 that is filtered by the firewall. Being filtered means that they
| >cannot determine if there is a host, unless they send a PING for it.
| >
| >My question is:
| >is the client software that stupid to repeat connection every quarter of a
| >second?
| >or is that some attack against the previous owner of that IP?
| >or is that some Trojan client trying to access server on previous owner of
| >that IP?
| >or why is that behaviour?
| >It makes no sense repeating the connection attempt that frequently, unless
| >trying to flood the other side. Which also does not make sense because this
| >IP is being assigned to clients of the ISP and not to a server, and flood
| >attacks are usually used to prevent access to a specific server.
| >
| >My action was to reset the DSL modem again and take a new "clean" IP for the
| >DSL modem.
| >
| >I am also going to ask my ISP to configure the modem not to respond to ICMP
| >packets.
| >
| >
| >
| >Thank you for any information and shared knowledge!
| >
| >George Valkov
| >
|
| George,
|
| Whenever I see an access attempted against a specific port, I look it up in the
| ISC / SANS database.
| http://isc.sans.org/port.html?port=12824
|
| That shows 2 things:
| 1) There is an increasing amount of traffic against that port, being reported.
| 2) Nobody knows what it is (If an attack port is known it will be identified
| here, if anywhere).
|
| Bottom line is, you aren't alone. Watch the ISC page for updates.

Hello Chuck!
A few months ago, a link on your web site
http://nitecruzr.blogspot.com/
already led me to
http://isc.sans.org/
And there is also the Shields up at
https://www.grc.com/
These three are great places! :-) Thank you very much! :-)

George Valkov


 