Zone Alarm has blocked 552 intrusions in the last 3 hours!

Yes, the change to a new ISP IP can produce more hits. Even if you changed to a new IP with your previous ISP, that could produce more hits. That IP could have been used by a machine that was attracting traffic.

If you're on a BB or DSL connection, then you might want to invest in NAT router, which cost no more or even less in the long run than ZA you might be paying for. A NAT router is an effective border device that will stop the scans and attacks in front of the machine.

If the NAT router is stopping it infront of the machine, ZA and the O/S will not spend computer resources blocking them.

You can get a router that Wallwatcher can use and sit back and look at the traffic that's being blocked and not even worry about it.

Duane :)

very good

By the way. I don't see anybody else uses this term "Border Device". A NAT router sites between the comps on your LAN and your ISP's router->network. It's pretty much between 2 networks. Imagine if the switch was separate from it. So your LAN is on one side, the ISP's router->network on the other side.

to call it a "border device" because one end is a WAN , is just odd and misleading.

It's a border device. It sits at the border of the untrusted network -- the Internet the WAN and trusted network the LAN.

The only reason and I mean the only reason I am not ripping you apart is you showed a little respect.

But I forewarn you, if you step wrong, the EOR will be on the scene.

Duane

I installed Wallwatcher several days ago after reading one of your posts and it isn't seeing any traffic at all. I have a netgear RT314 with the latest available firmware and syslog enabled and I'm running XP Pro SP2 and it shows Wallwatcher as an exception. Shouldn't I be seeing some kind of traffic? A couple days ago I tried disabling the XP firewall and Wallwatcher still didn't see any traffic.

Tell the ISP you want another IP if you're concerned about the one you're currently using. But that's no guarantee that some machine on the Internet or another machine on the ISP's network won't lock in on that IP too.

You don't know what the previous owner of the IP had setup on a machine that was using that IP. It could have been a Web server for all you know, as an example.

By the way, 500 hit's is really below min. and I mean really below it. I have had 1,000 upon 1,000 of hit's a day the router was blocking with no concern about it.

The only reason you're concerned about it is that ZA is whining about it and it has you paranoid.

Duane :)

so I shouldn't be concerned is what you are saying. It's just that with my old service provider - Time Warner - I didn't have more than 20 in the 3 years I had the service. Just freaked me out. What does it entail getting a new IP address. Is there anything I need to do on my end or is it as easy as calling my ISP requesting one and someone pushing a button?

Duane Arnold wrote:

Yes, it does make sense; the IP you get has been in use by someon else recently, and the 'intrusion attempts' you see would moslty be valid connections to the previous customers PC, whatever services they ran.

p2p is a frequent cause of such residue traffic, as the other peers may still try to connect months after a p2p service was closed.

Anyway, if 1) you don't run the service requested, or 2) the connection is blocked, nothing more will happen.

Compare to having lived in a quiet back-street on the internet, and now you have moved to a more heavily trafficked road, you'll see more passers-by knocking on the wall; but unless the door is open, they won't come in. Zonealarm is like a little dog yapping at each passer-by.

/Rolf

Without more information on the attacks there is no telling whether you should be concerned or ZA is just aggrendizing itself. Those "attacks" could be anything from a port scan to messenger spam to a real attack (which I'd consider the least likely). What are these attacks identified as? Where do they originate from (all 552 from the IP address you mentioned above)? What's your IP address? Are you running any services that might cause this?

cu

you're right. / I agree .

Glad to see you getting nicer. I am just glad that - first and foremost

- things get clarified.

that's a very funny analogy Rolf since I just moved from a heavily trafficked street to a quiet one.

Now supposedly, some ISP's will give a new IP on what is the lease time of the IP, something like that. The ISP's I have had, I had the same DHCP IP all the time on the BB connection.

In addition, you can check for yourself if the IP is changing by going to the Command Prompt and entering IPconfig /all. If you don't see the IP changing, then you can make your own determination as to what you're being told.

I needed to change my IP from the ISP once, because the IP was giving me alot of connection problems. Some low-level tech person gave me the song and dance that the IP could be changed by them. I didn't buy it and escalated the problem with a higher level tech support person. I got that new IP.

Duane :)

You mentioned the ip. What port are these attempted connections on? it may be a standard p2p port - possibly suggesting innocence

If you have a dynamic ip and the current one is getting many connections. how about disconnecting and reconnecting - you should get a new ip.

what might make sense is you've got an old customer's static ip and he had some server '/' p2p app

as mentioned, this is nothing to worry about because you're not even running a server there (I assume!).

So you luckily were not victim of a SelfDoS attack, and you just didn't notice, that it's corrupting your network stack.

Yours, VB.

Maybe. It mostly is nonsense, what your "Personal Firewall" is alerting as an "intrusion".

Yours, VB.