Network threat blocked (Same IP)


Solved by itman


I get this Network threat blocked pop-up every day almost once in a day, sometimes several times a day, or sometimes once every second day for like months now from usually the same IP 80.82.70.24.

Googling this IP to Netherlands. I have no idea what this is?
And I wonder why this is? Is it some hacker or something else?

I guess ESS9 blocks it and protects but I wanna make sure it does that?


Thanks for the reply!

How do I block this IP in ESS9?

You should first try to determine why you're getting port scanned in the first place.

Do you connect to the Internet using a router or a router/modem combo with an integrated firewall? That device should prevent any kind of port scanning activity.

Do you use a third party DNS provider like VeriSign, Norton, Google, etc.?

How could I do that?

I'm just using the internet as usual. Not using anything special, just a browser.

Not using any third party DNS provider.

Just like you said, it seems like a known spamming source.

I just have to figure out how to block that IP in ESS9.

Edited by Corso
Next time you receive the alert, click on "Change handling of this threat."

It should open up an "IDS Exception" screen as shown below - not sure on this since I never have received an IDS alert from Eset Smart Security. Also note that the screen shown is for ver. 8. I believe ver. 9 options are the same but formatted differently due to the new ver. 9 GUI.

If for some reason the "IDS Exception" screen is not displayed, then cancel out of whatever is displayed. You will have to then manually create the IDS Exception using the rule details I have shown. This will prevent the alert from being displayed but still block the activity. I also checked to "log" the action so you have a record of the activity in your Eset log file. You can also use this rule to add other IP addresses for like alerts.

Note: you still should try to determine why your PC is being port scanned.

 

[Screenshot: Eset IDS Exception]


 

How would I know why I'm being port scanned? There's no particular reason.

It must be an idiot who tries to hack in.

Thanks for the reply and help!


I would recommend that you purchase a router with a good built-in firewall. Just ensure it has IDS protection; most do. This way any IDS attacks are stopped at the router before they even reach your PC. Also, hardware firewalls are much harder to hack and bypass.

Repeated port scanning like you are experiencing is usually a prelude to a major attack on your system.

 

-EDIT-

 

From a posting over at www.bleepingcomputer.com, Didier Stevens, who is a security guru, confirms what I previously posted:

 

If your machine was the target of a port scan, I guess your machine has a public IP address.
Is this your choice, or is it the default way of working of your ISP?

If you don't need a public IP address for your machine, I recommend you use a NAT-router. This way, your machine will have a private IP address instead of a public IP address, and it won't be the target of port scans anymore. Your NAT-router will have a public IP address, and it will issue a private IP address to your machine.
Of course, your NAT-router will be port scanned, but it has a much smaller attack surface than your Windows machine.

 

Didier Stevens
hxxp://blog.DidierStevens.com
hxxp://DidierStevensLabs.com

 

SANS ISC Handler
Microsoft MVP 2011-2015 Consumer Security

Edited by itman
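
Added example, not part of the original thread or of ESET's software: a Python sketch of the check behind the quoted NAT advice, classifying an address as public (directly reachable, so port scans land on the PC itself) or as private, carrier-grade NAT or link-local (scans stop at the router). The function names and the sample addresses other than 80.82.70.24 are assumptions made for illustration.

```python
import ipaddress
import socket

# RFC 6598 shared space used by ISPs for carrier-grade NAT; Python's
# is_private and is_global are both False for it, so test it explicitly.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    """Return how reachable an interface address is from the Internet."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4 and ip in CGNAT:
        return "carrier-grade NAT"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "reserved"


def exposed_addresses(addrs):
    """Addresses that Internet hosts can send packets to directly."""
    return [a for a in addrs if classify(a) == "public"]


def outbound_address():
    """Local IPv4 address the OS would use for Internet traffic, or None."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # connect() on a UDP socket only selects a route; no packet is sent.
        s.connect(("192.0.2.1", 9))  # TEST-NET-1 documentation address
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed sample addresses, the alert's source IP from this thread,
    # and this host's own outbound address if it has a route.
    sample = ["192.168.1.20", "100.72.5.9", "fe80::1%eth0", "80.82.70.24"]
    for a in sample + [outbound_address() or "127.0.0.1"]:
        print(f"{a:>16}  {classify(a)}")
```

If the last line printed for your own machine says "public", the PC is directly addressable from the Internet and its software firewall is the only layer filtering inbound scans.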
Like you said in the first post, it's a known spamming source. Been googling some more.

ESS9 blocks it so there's no need for a router with firewall.

It's just annoying seeing the same IP port scanning.

But I've blocked it now in ESS9. That's what the ESS9 firewall is for.

Edited by Corso