
Relatively techno-illiterate looking for some help...

This topic is archived.
Suspicious Donating Member (780 posts) Sun Aug-10-03 08:59 AM
Original message
Relatively techno-illiterate looking for some help...
To make a long story short - I am running on Windows XP (I know, I know), and I use Norton personal firewall. I have run the checks on my computer through different sites, including Symantec and the Shields Up site, the link to which was posted here on a couple of occasions. I always get the same result - "stealth" (from Shields Up) or "safe" (Symantec).

I recently moved, and because of the limitations of my new location, I had to resort to dial-up, where I had been using a cable modem, previously. At my previous house, where I was using the modem, I never had one single security alert. In the last two days (I've been in my new place for about 3 weeks), I've had two security alerts - 273 recent intrusion attempts!

Can someone tell me why this is happening now - is it the dial-up - and how do I correct my system to avoid future problems?

Tandalayo_Scheisskopf Donating Member (1000+ posts) Sun Aug-10-03 09:08 AM
Response to Original message
1. New ISP?
If so, either the ISP is doing some probing (naughty) or the new ISP has some script kiddies on his network.
 
Suspicious Donating Member (780 posts) Sun Aug-10-03 09:10 AM
Response to Reply #1
2. Yes, new ISP...
and I wondered about probing on their part. This is really annoying.
 
Tandalayo_Scheisskopf Donating Member (1000+ posts) Sun Aug-10-03 09:17 AM
Response to Reply #2
3. So call their ISP and...
Make a little noise. Do you know how to use whois from a command line? It's easy:

whois <IP number which shows in your firewall alert>. There are also good and free whois clients, for WinderZ, on http://www.webattack.com. One I recommend is Sam Spade.

Save your firewall logs and use the whois client to resolve its IPs. Keep the info generated and contact tech support with the info.

Be mannerly. You will be talking to a person who is not at fault and gets treated like crap, multiple times a day, by people who don't have two neurons capable of firing without having a 440/3Phase shoved up their butt. If you are nice, understanding of his plight and relative shortcomings, non-abusive, and supply him with info, you run a far better chance of getting positive results.
 
Suspicious Donating Member (780 posts) Sun Aug-10-03 09:23 AM
Response to Reply #3
4. Thanks, and yes,
I know how to do this, so that's a plus for me. Thanks for the advice. I will be calling them, but I am also going to switch my ISP as soon as possible. I find it unacceptable that I should be paying to tolerate this kind of crap.

No need to worry about me being mannerly - I understand all too well how it is to sit on the other end of the phone taking verbal abuse for someone else's shortcomings...I work with attorneys! :evilgrin:
 
Tandalayo_Scheisskopf Donating Member (1000+ posts) Sun Aug-10-03 09:35 AM
Response to Reply #4
6. EEK!
I am working on a campaign and the candidate is an attorney (an incredibly cool one, I might add...). I saw him dealing, on the phone, with a client in a home sale who was, to put it mildly, a leading candidate for major tranquilizers. Rectally administered. With a Hilti Nail Gun set on full-auto.

You have my most sincere sympathies. ;-)
 
morstyranni Donating Member (194 posts) Sun Aug-10-03 09:33 AM
Response to Original message
5. That definitely sounds like an ISP ISSUE.
Is it a small company? You shouldn't be getting an intrusion alert if you use a dial up. Dial ups have better security in that you don't have a static IP address and you can rely partially on the ISP's security system. It sounds like they are not securing their system very well, and you are having issues because of it. I would go and get "Black Ice Defender". It is an excellent piece of security software. I use it to secure my network at work, it works very well, in that it gives you all the info on where the intrusions are coming from and what they are. You can even permanently block intruders by blocking their IP address.
 
JohnyCanuck Donating Member (1000+ posts) Sun Aug-10-03 09:41 AM
Response to Original message
7. Check out this FAQ on interpreting Firewall logs.


http://www.robertgraham.com/pubs/firewall-seen.html

Has some good info on how to interpret firewall logs and also mentions that some of the alerts you are getting could possibly be just a normal issue with receiving a new IP address and not a result of anything malicious.

Immediately upon dialing up to my ISP, my personal firewall starts alarming me about probes against port X.

This is common. When you dialup the Internet (including non-static cable-modem/DSL connections), you will be assigned an IP address that was recently used by somebody else. That person may have had open chat sessions or been using a peer-to-peer (P2P) application. It becomes a case of mistaken identity: they don't know that there is a new person at the IP address that is no longer running that application. Furthermore, many applications are poorly written such that they will continue to bombard you with connection attempts.

Today, the most common cause of this is peer-to-peer applications like Gnutella and Napster-clones. Unfortunately, your IP address was given out to lots of people, and it takes awhile for it to be taken off their list. You can see connection attempts many hours later.


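An added example, not part of any post in this thread: one way to triage saved firewall logs before doing the whois lookups suggested in reply #3, separating the stale peer-to-peer retries described in the FAQ quoted in reply #7 from sources that probe several unrelated ports. The log line layout, the port list, the threshold and the `summarize` function are assumptions made for illustration; the sample log is constructed.

```python
import re
from collections import defaultdict

# Default ports commonly associated with P2P clients of that era
# (an assumption added here, not a list from the thread).
P2P_PORTS = {6346: "Gnutella", 6699: "Napster", 1214: "FastTrack/KaZaA"}

# Constructed sample log. The line layout is hypothetical, not Norton's format;
# all addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
2003-08-10 08:41:02 BLOCK TCP 192.0.2.15:3312 -> 198.51.100.7:6346
2003-08-10 08:41:05 BLOCK TCP 192.0.2.15:3312 -> 198.51.100.7:6346
2003-08-10 08:41:09 BLOCK TCP 192.0.2.77:4101 -> 198.51.100.7:6699
2003-08-10 08:43:30 BLOCK TCP 203.0.113.9:2044 -> 198.51.100.7:135
2003-08-10 08:43:30 BLOCK TCP 203.0.113.9:2045 -> 198.51.100.7:139
2003-08-10 08:43:31 BLOCK TCP 203.0.113.9:2046 -> 198.51.100.7:445
2003-08-10 08:43:31 BLOCK TCP 203.0.113.9:2047 -> 198.51.100.7:1433
2003-08-10 08:50:12 BLOCK UDP 192.0.2.200:1027 -> 198.51.100.7:137
-- log rotated --
"""

LINE_RE = re.compile(
    r"^\S+ \S+ BLOCK (?:TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:(?P<dport>\d+)$"
)

def summarize(log_text, scan_threshold=3):
    """Group blocked attempts by source IP and label each source."""
    ports, hits = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a blocked-connection line
        ports[m["src"]].add(int(m["dport"]))
        hits[m["src"]] += 1
    report = {}
    for src, dports in ports.items():
        if dports <= set(P2P_PORTS):
            label = "stale-p2p"          # retries meant for the address's previous user
        elif len(dports) >= scan_threshold:
            label = "multi-port-probe"   # candidate for whois + report to the ISP
        else:
            label = "unclassified"
        report[src] = {"hits": hits[src], "ports": sorted(dports), "label": label}
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

Only the sources labelled `multi-port-probe` or `unclassified` need a whois lookup; the `stale-p2p` ones usually fade as other peers drop the reassigned address from their lists.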
 
Suspicious Donating Member (780 posts) Sun Aug-10-03 06:23 PM
Response to Reply #7
10. Thank you!
This will come in handy...:)
 
Mairead Donating Member (1000+ posts) Sun Aug-10-03 10:14 AM
Response to Original message
8. If your firewall is working correctly, don't worry about it
If whatsisname's site shows you're stealth, you're fine. It doesn't matter how many probes you're getting, if your firewall is stealthing your system. When you're 'stealth', the probes are merely being logged, not responded to. So you're spending a little CPU power and disk space on the logging, but nothing on keeping the bad guys out--the bad guys don't even know you're there, because your system is behaving exactly as though your IP address were unassigned. They're basically shouting up a chimney.
 
Suspicious Donating Member (780 posts) Sun Aug-10-03 06:21 PM
Response to Reply #8
9. Thanks for the information...
That is precisely what was bothering me (and it also proves that I'm technologically illiterate). I thought "they" were able to see me, and thus, the intrusion attempts. This clears it up for me a bit.
 
Mairead Donating Member (1000+ posts) Mon Aug-11-03 07:26 AM
Response to Reply #9
11. There is only one way they can 'see' you
Edited on Mon Aug-11-03 07:33 AM by Mairead
and that's if your system politely responds to attempts to make contact. It's a handshaking process. Someone trying to find a live one metaphorically runs their finger down a list of possible network addresses and sends out a ping (usually a ping) to each one. If the target system politely responds with a pong, they know they've got one and can get to work. If the target system ignores the ping, there is no way to know whether the lack of response is due to no system being there to respond, or to the system ignoring them. Either way, they can get no fingerhold.

There are only 2 ways they can know you're there other than that. One is if they can lure you to their system. Your web browser always reports your address when requesting a web page because otherwise the site has no way to supply you with the page. Traffic on the Internet is analogous to letters in the postal system--coming or going, each must have an address on it.

And the last way is if your ISP is cough...incautious...enough to reveal which ones of its allocated block of addresses are currently assigned. If the ISP isn't keeping them hidden, then anyone who knows how to get that list will know your address is active even though they can't 'see' you. You might ask the tech support people whether anyone can see the list of DHCP addresses that are currently assigned. (DHCP -Dynamic Host Config Protocol- is the scheme that allows them to re-use Internet addresses). Ask her/him to check with the NOC (Network Ops Center), if they sound doubtful.

Of course, even if they know you're there, if you have a good firewall then they usually can't do much except possibly waste some of your computer power. But it's nicer if they don't even know you're there.

 