Router's Firewall Isn't Working

Unkno

Golden Member
Jun 16, 2005
Using D-Link DI-704P and I'm also running ZoneAlarm firewall on both computers. My sister's computer is running Windows 2000, while mine is running on XP. The problem is that the router is letting packets into my computer and not hers. I can tell I'm getting incoming packets because ZoneAlarm reports 36813 intrusions blocked (the number increases A LOT; in one day, it can increase a few hundred), while the other computer only has like 800 intrusions blocked and it's been on for several years. Before, both computers were protected by the router... but not sure why now it doesn't work...


I have tried scanning both computers for malware, updating the firmware of the router, resetting the router to default, and other things...
 

Atheus

Diamond Member
Jun 7, 2005
Go here for a simple scan of your network. Or you can PM me your IP and I'll run nmap on you for more sophisticated results.

Sounds a bit like you have the DMZ turned on in your router, but since you say you set it to default, I dunno.
 

Unkno

I've checked and DMZ is turned off. And Sygate says "Unable to determine your computer name!" "Unable to detect any running services!" I have also checked the background processes for any possible malware that isn't being detected by my anti-viruses/spyware.

According to ShieldsUP, my computer is stealthed on all but one port (which is closed). The exact same ports are stealthed/closed on my other computer too.
 

Unkno

I'm not really that good at networking but I learn fast...

Where can I do an ICMP scan?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Possible explanation: her computer is the source of the attacks. It's inside your router's perimeter firewall, so the router won't try to stop her computer from attacking yours. Does that jive with the ZoneAlarm reports, are the attacks coming from her system's IP address?
 

Unkno

Nope, I have tried scanning that computer for malware, and the alerts come from a completely different IP address. I have also tried unplugging the Ethernet cable from the other computer but I still get intrusion attempts.
 

mechBgon

Is your computer "holding the door open" by running P2P or something?
 

Unkno

Originally posted by: mechBgon
Is your computer "holding the door open" by running P2P or something?


I'm not entirely sure what you mean but I think you're partially right... (not sure how to check if "the door is open") but I first noticed this increased amount of intrusion attempts when I downloaded BitComet. I have uninstalled it but there's still no difference.
 

Atheus

I seriously doubt P2P is your problem... by "hold the door open" I assume he means you must have a port accessible to external clients, but there would have to be a vulnerability in the particular app you are using (unlikely) for this to constitute a security risk. Anyway, an attempt to exploit a buffer overflow would be highly unlikely to be detected by ZoneAlarm even once, let alone 30000 times.

Does ZoneAlarm tell you exactly what it is picking up? Maybe in log files? This would be highly useful information. If it can't tell you, try running a packet sniffer like Ethereal until the event occurs and then post the last bit of capture. Keep in mind Ethereal will grab everything, so try not to run any network apps while waiting for the ZoneAlarm alert.
 

Unkno

For example, most of the blocks (each with a different port number) say "Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (IP: Port 4513)". I've done a port scan and the router blocks only some of the ports while ZoneAlarm blocks the rest of them...
 

RebateMonger

Elite Member
Dec 24, 2005
You have tasks running on your PC that are trying to connect to the Internet to perform some function. Some of these (the ones you are seeing warnings about), are running under the Generic Host, svchost.exe.

Microsoft Support: A Description of Svchost.exe in Windows XP.

To see which tasks are running under svchost.exe, type "Tasklist /svc" at the DOS command prompt. Each of the listed processes is running under the "Generic Host" and could be trying to contact the Internet... probably for a non-evil purpose.
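
To tie one ZoneAlarm alert to a specific svchost.exe instance, the PID that `netstat -ano` shows for the alerted port can be joined against the `tasklist /svc` listing. This is an added example, not part of the thread: the sample outputs, PIDs and service lists are constructed, and only port 4513 comes from the alert quoted above.

```python
import re

# Constructed sample of `tasklist /svc` output (not data from the thread).
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    952 RpcSs
svchost.exe                   1044 AudioSrv, BITS, Dhcp, SSDPSRV,
                                   upnphost, wuauserv
zlclient.exe                  1720 N/A
"""
# Constructed sample of `netstat -ano` output; 4513 is the port from the alert.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    192.168.0.101:3012     203.0.113.7:80         ESTABLISHED     1720
  UDP    0.0.0.0:4513           *:*                                    1044
"""

def parse_tasklist(text):
    """Return {pid: (image name, [service names])}, joining wrapped lines."""
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            last, svc = int(m.group(2)), m.group(3)
            procs[last] = (m.group(1), [])
        elif last is not None and line[:1].isspace():
            svc = line  # continuation of the previous Services column
        else:
            continue  # header, ruler or blank line
        procs[last][1].extend(
            s.strip() for s in svc.split(",") if s.strip() not in ("", "N/A"))
    return procs

def listeners(text):
    """Yield (proto, port, pid) for listening TCP and bound UDP sockets."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and (f[0] == "UDP" or (f[0] == "TCP" and f[3] == "LISTENING")):
            yield f[0], int(f[1].rsplit(":", 1)[1]), int(f[-1])

def owners_of_port(port, tasklist=TASKLIST, netstat=NETSTAT):
    """List (proto, pid, image, services) for every socket bound to `port`."""
    procs = parse_tasklist(tasklist)
    return [(proto, pid) + procs.get(pid, ("?", []))
            for proto, p, pid in listeners(netstat) if p == port]

if __name__ == "__main__":
    print(owners_of_port(4513))
```

On a real machine, pass the captured text of both commands as the `tasklist` and `netstat` arguments; an empty result means nothing on the PC is bound to that port.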