Hi, I recently installed Sygate personal firewall, and I noticed that my ISP scans the following ports: 3127, 6129, 139, 2745 and 445, roughly 20 times today (I did an IP trace; turns out it was my ISP). I’m just curious about why they would do this and if it’s normal. I’m thinking about calling them and asking.
I work for an ISP. We do not scan our customers’ PCs. There is no reason for us to do that. I would think it’s being done by someone else as the others have mentioned to you.
After I restarted, it appeared to stop. I did a Google search on it and found about 5 other people who’ve had the same problem (supposedly Bell Sympatico, my ISP, scanning their ports!). I think it is my ISP and I’m going to call them tomorrow.
That can explain the difference in being “scanned” often or not. And it is definitely an indication that it is not your ISP doing this. E.g. the Sasser worm is trying to spread itself to IP addresses which are:
50% are completely random
25% have the same first octet as the IP address of the infected host
25% have the same first and second octet as the IP address of the infected host.
Since your IP changes every time, you also will see different amounts of “scanning”.
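The post above explains the uneven scan counts by the worm's target-selection mix. As an added example (not part of the thread), this Python code classifies firewall-log sources by the prefix they share with your own address and works out how much likelier a probe from a same-prefix neighbour is; it assumes uniform choice inside each bucket, and the local address and log entries are constructed.

```python
import ipaddress
from collections import Counter

# Target-selection mix quoted in the post above (attributed there to Sasser).
P_RANDOM, P_SAME_8, P_SAME_16 = 0.50, 0.25, 0.25

def locality(local_ip, src_ip):
    """Classify a log source by how much of its prefix it shares with us."""
    a = ipaddress.IPv4Address(local_ip).packed
    b = ipaddress.IPv4Address(src_ip).packed
    if a[:2] == b[:2]:
        return "same /16"
    if a[0] == b[0]:
        return "same /8"
    return "other"

def hit_probability(cls):
    """Chance that one probe from an infected host in class `cls` lands on
    our address, assuming uniform choice inside each bucket (assumption)."""
    p = P_RANDOM / 2**32
    if cls in ("same /8", "same /16"):
        p += P_SAME_8 / 2**24
    if cls == "same /16":
        p += P_SAME_16 / 2**16
    return p

def summarize(local_ip, entries):
    """Count logged probes by source locality and by destination port."""
    by_class = Counter(locality(local_ip, src) for src, _ in entries)
    by_port = Counter(port for _, port in entries)
    return by_class, by_port

# Constructed sample log: (source IP, destination port). Private and
# documentation addresses stand in for real ones.
LOCAL_IP = "10.20.30.40"
SAMPLE_LOG = [
    ("10.20.7.91", 445), ("10.20.7.91", 139), ("10.20.200.3", 445),
    ("10.20.14.8", 3127), ("10.20.14.8", 2745), ("10.20.99.17", 6129),
    ("10.77.1.5", 445), ("192.0.2.60", 445),
]

if __name__ == "__main__":
    by_class, by_port = summarize(LOCAL_IP, SAMPLE_LOG)
    for cls in ("same /16", "same /8", "other"):
        ratio = hit_probability(cls) / hit_probability("other")
        print(f"{cls:9} probes={by_class[cls]:2}  per-probe odds x{ratio:,.0f}")
    print("ports:", dict(by_port))
```

Sources in the same /16 typically sit in the same provider's address space, so tracing them points at the ISP even when the probes come from other customers' infected machines.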
One feature of Sygate that is not published is the ability to stop all active responses from your computer…which effectively makes it “dead” to the scanning computer.
Open up the Sygate Security log, highlight the traffic line and right click. Choose Stop active responses.
“Active Response Protection—Active response is a feature that automatically blocks all communication from a source host once an attack has been detected. For example, if the Personal Firewall detects a DoS attack originating from a certain IP address, the Personal Firewall will automatically block any and all traffic from that IP for the duration specified in the seconds field. The user can now stop a current active response session.”
From the Sygate help file
Setting “Stop Active Responses” makes it so Sygate no longer blocks traffic from that IP.
You are doing it backward.
This would tend to confirm that it was not your ISP but some attempt by a port-scanning bot trying to find computers that are responding to queries (pings etc.). Once any port on your computer answers an inbound request, this is likely to lead to further attempts during that connection period.
With a dynamic IP address the next time you connect the process of finding you again would be lessened. But the poor hick that gets the randomly assigned IP address that was port scanned (your previously assigned IP) could be in for a surprise if he isn’t protected by a firewall.