ISP Repeatedly Scanning my Ports..

Hi, I recently installed Sygate personal firewall, and I noticed that my ISP scans the following ports 3127, 6129, 139, 2745 and 445 roughly 20 times today (I did an IP trace; turns out it was my ISP). I’m just curious about why they would do this and if it’s normal. I’m thinking about calling them and asking.

Thanks,
-Staind.

It doesn’t have to be your provider. It can also be other people who are using the same provider.

Maybe, the IP is:

Bell Canada BELLNEXXIA-10 (NET-65-92-0-0-1)
65.92.0.0 - 65.95.255.255
Bell Nexxia (High Speed) HSKITCH-CA (NET-65-93-96-0-1)
65.93.96.0 - 65.93.159.255

=> note, the scans seem to now be every 10 seconds, then they stop for about 10 mins.

I also would think the same…
People using the same ISP as you and doing port scans around your ISP’s assigned IP range.

I work for an ISP. We do not scan our customers’ PCs. There is no reason for us to do that. I would think it’s being done by someone else as the others have mentioned to you.

After I restarted it appeared to stop. I did a Google search on it and found about 5 other people who’ve had the same problem (supposedly Bell Sympatico my ISP scanning their ports!) I think it is my ISP and I’m going to call them tomorrow.

Thanks for your suggestions,
-Staind.

I get the occasional scan from my ISP (dial-up connection), these are all blocked by my firewall Outpost.

I have pretty much identified that these are more to do with checking a connection is not idle, rather than something more sinister.

Yea, but last night these scans began to occur every 10 seconds. :( They stopped after restart though and I haven’t had one all day.

Just a thought I have… But do you have a static or a dynamic IP address?

Dynamic.

That can explain the difference in being “scanned” often or not. And it is definitely an indication that it is not your ISP doing this. E.g. the Sasser worm is trying to spread itself to IP addresses of which:
50% are completely random
25% have the same first octet as the IP address of the infected host
25% have the same first and second octet as the IP address of the infected host.

Since your IP changes every time, you also will see different amounts of “scanning”.
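
The locality bias described in the post above can be checked against a firewall log. The following is an added example, not part of the original thread; the addresses are constructed from reserved documentation and benchmark ranges, and the thresholds are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample: (source IP, destination port) pairs as they might be
# exported from a personal firewall log. Addresses come from reserved
# documentation/benchmark ranges, not from the thread.
MY_IP = "198.51.100.10"
SAMPLE_LOG = [
    ("198.51.100.7", 445), ("198.51.100.22", 139), ("198.51.100.3", 445),
    ("198.18.0.1", 445), ("198.19.5.9", 3127), ("198.51.100.7", 2745),
    ("203.0.113.5", 445), ("192.0.2.77", 6129),
]

def locality(src, mine):
    """Classify a source by how many leading octets it shares with our IP."""
    a = ipaddress.IPv4Address(src).packed
    b = ipaddress.IPv4Address(mine).packed
    if a[:2] == b[:2]:
        return "same_first_two_octets"
    if a[0] == b[0]:
        return "same_first_octet"
    return "unrelated"

def summarize(log, mine):
    """Count distinct sources per locality class; also return the total."""
    sources = {src for src, _ in log}
    counts = Counter(locality(s, mine) for s in sources)
    return counts, len(sources)

def looks_like_neighbor_worm(log, mine, min_sources=3, min_local_share=0.25):
    """Heuristic with assumed thresholds: many distinct sources, a large
    share of them sharing our first two octets. Uniformly random scanners
    would share those two octets only about 1 time in 65536, so a high
    share points to locality-biased spreading from infected neighbours
    rather than to a single scanner operated by the provider."""
    counts, n = summarize(log, mine)
    if n < min_sources:
        return False
    return counts["same_first_two_octets"] / n >= min_local_share

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, MY_IP))
    print(looks_like_neighbor_worm(SAMPLE_LOG, MY_IP))
```
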

One feature of Sygate that is not published is the ability to stop all active responses from your computer…which effectively makes it “dead” to the scanning computer.

Open up the Sygate Security log, highlight the traffic line and right click. Choose Stop active responses.

The scans should stop for the session.

I have the same trouble with ATT.

Good luck

Techie, can we configure Agnitum Outpost for that? 8)
Is pk reading this forum? ::)

Techie
And ZA also???

Scans have totally stopped (for 2 days). This is a little weird, one day of constant port scans then nothing…?

“Active Response Protection—Active response is a feature that automatically blocks all communication from a source host once an attack has been detected. For example, if the Personal Firewall detects a DoS attack originating from a certain IP address, the Personal Firewall will automatically block any and all traffic from that IP for the duration specified in the seconds field. The user can now stop a current active response session.”

  • From the Sygate help file

Setting “Stop Active Responses” makes it so Sygate no longer blocks traffic from that IP.
You are doing it backward

This would tend to confirm that it was not your ISP but some attempt by a port scanning bot trying to find computers that are responding to queries (pings etc.), once any port on your computer answers an inbound request, this is likely to lead to further attempts during that connection period.

With a dynamic IP address the next time you connect the process of finding you again would be lessened. But the poor hick that gets the randomly assigned IP address that was port scanned (your previously assigned IP) could be in for a surprise if he isn’t protected by a firewall.

Does anybody know how to set Outpost to behave with an ‘Active Response Protection’? ::)

I found it myself 8)
Glad to be protected ;D