I USE ZONE LABS' ZoneAlarm firewall freeware on my PC. Occasionally ZoneAlarm sends a message saying it blocked a remote computer from accessing my PC. It then lists an IP address and a TCP port, followed by four digits. Is there a way to find out to whom the IP address refers?
Jack Lozano, Tigard, Oregon
SOMETIMES IT'S worthwhile to track down miscreants who probe your computer from afar, but most of these "attacks" are benign. Running firewall software such as Network ICE's BlackICE Defender, ZoneAlarm, or Symantec's Norton Internet Security is almost always sufficient protection--although it's not as safe as disconnecting your computer from the Internet and switching off the power.
I'm not joking. If you want to ensure that crackers--Internet break-in artists--can't probe your PC's ports, you have to either physically disconnect the phone or network line running into the PC, or shut off the computer's power. (You also have to make sure that the computer's Wake-on-LAN BIOS setting, if any, is disabled.)
There's nothing illegal about people scanning your computer's ports, and not every scan is evidence of a cracker at work. Many of the most common port scans are routine checks for server software that doesn't even exist on most Windows computers. For example, your ISP may routinely scan your system to make sure you're not running servers that are disallowed under the company's terms of service. Other scans may be completely innocent as well, like the cable-modem user next door trying to install remote-control software such as PCAnywhere, or a scan by another computer on your local network. It could even be coming from your own system. FIGURE I shows BlackICE's list of port scan source addresses.
The domain names or IP addresses your firewall displays as the source of the remote scan may also be forged (or spoofed, in network parlance). Though you can report the probe to the administrator of the domain listed, it's very possible that the scan originated elsewhere. It could also be that the source address listed is genuine, but the machine doing the scanning has been taken over by a Trojan horse program implanted by a cracker.
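The distinctions drawn above (your own system, another machine on the local network, or a remote address) can be sorted out mechanically before deciding whether any alert is worth reporting. The following is an added example, not code from the column or from any firewall vendor; the log layout, the sample lines and the three-port sweep threshold are all constructed assumptions. The source address is taken at face value, so a "remote" result may still be spoofed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a made-up layout (not a real ZoneAlarm or BlackICE log).
SAMPLE_LOG = """\
2001-03-04 12:01:02 BLOCKED TCP 127.0.0.1:1031 -> 127.0.0.1:80
2001-03-04 12:03:10 BLOCKED TCP 192.168.1.20:1045 -> 192.168.1.10:5631
2001-03-04 12:07:44 BLOCKED TCP 203.0.113.9:4021 -> 198.51.100.7:21
2001-03-04 12:07:45 BLOCKED TCP 203.0.113.9:4022 -> 198.51.100.7:23
2001-03-04 12:07:46 BLOCKED TCP 203.0.113.9:4023 -> 198.51.100.7:80
2001-03-04 12:30:00 BLOCKED TCP 192.0.2.55:3350 -> 198.51.100.7:25
garbage line that should be skipped
"""

# RFC 1918 private ranges plus link-local: sources here sit on your own network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
LINE_RE = re.compile(r"BLOCKED\s+(?:TCP|UDP)\s+(\S+):\d+\s+->\s+\S+:(\d+)")
SWEEP_THRESHOLD = 3  # assumed cut-off: this many distinct ports counts as a sweep


def classify_source(text):
    """Label a source address; raises ValueError if it is not a valid IP."""
    ip = ipaddress.ip_address(text)
    if ip.is_loopback:
        return "own system"
    if any(ip in net for net in LOCAL_NETS):
        return "local network"
    return "remote"


def triage(log_text):
    """Group blocked connections by source and summarise each source."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a blocked-connection entry
        try:
            ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed source address
        ports[m.group(1)].add(int(m.group(2)))
    return {src: {"origin": classify_source(src), "ports": sorted(p),
                  "kind": "multi-port sweep" if len(p) >= SWEEP_THRESHOLD
                          else "single-port probe"}
            for src, p in ports.items()}


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(src, info)
```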
In most cases, your PC is just one of thousands of machines the person at the remote address (spoofed or not) is scanning using an automated tool. The scanner is rarely looking for a PC running Windows, because such systems aren't that interesting to crackers. They're more interested in exploiting buggy server software to download a vulnerable trove of passwords or steal credit card numbers.