I want to ping back blocked incoming pings - could I use BlackIce Defender?

[IainB]

Could anyone advise please?
I want to automate a ping back for blocked incoming pings - could I use BlackIce Defender for that? Or something else?
I want to find out more about who is pinging me and where from, rather than just passively block them in my firewall or the NAT.
I still have the BlackIce Defender install in my software archive backup. Not sure if it would run on Win7-64 Home Premium.

[Stoic Joker]

Why? The only thing that could be "gained" is additional exposure of the internal machine by allowing ICMP through the network border's hardware firewall. At best you'd eat up a bunch of time answering automated services, and at worst by answering an actual attack you'd "ante up" to a pissing contest with someone that knows how to win.

If you're really just curious about the haps out on the wild web, just setup a syslog server and then forward the router's logs to it for future study. Nslookup and whois should be able to tell you everything you need to know about the blocked traffic ... Without exposing you to looking like a live one..

...It's been said that every IP address on the web gets hit with/by something every 20 seconds...and that estimate is over a decade old...

[4wd]

Depending on your router, you could set its firewall to block incoming ICMP messages and then set the System Log to report blocked connections.  Then log into the router and have a look every so often, normally the originating IP will be in there.

EDIT: Oopps! I see SJ already covered that 

[IainB]

@Stoic Joker and @4wd: Thanks for the input, and I shall take the advice for not looking like a "live one".   
The router is the one I mentioned in a separate thread in the DC Forum - TP-Link TD-8950ND 150Mbps Wireless N ADSL2+ Modem Router - where I was puzzling over how to get the client to access it up to max 150Mbps, and eventually achieved it (more or less).
The log shows stuff like in the image below:

I want to ping back blocked incoming pings - could I use BlackIce Defender?

- but it is a transient in-RAM log and I couldn't see an easy way to automate the collection of the logged data other than what is suggested above by @Stoic Joker

"setup a syslog server at a particular IP address, and then forward the router's logs to it for future study"

- but I don't think have the resources/technology available to do that.

I'm not too well up on current Internet telecomms protocols. The most technical I ever got was years back when I needed to write SALT scripts using a DOS program called Telix, to log and analyse internet traffic through a 56K modem.
When I later used BlackIce Defender on a PC with an ADSL router, there was no real need for me to understand what was going on at the IP level.

By the way, I don't recall previously seeing the critical OAM loopback response error in the log - it's usually just all intrusion alerts, once the router has rebooted. (I periodically reboot the router from within the browser.) Maybe it was a momentary drop in service levels standards by the ISP?

[4wd]

Just referring to your image above, those are all TCP protocol, do you have incoming ICMP messages blocked in the router firewall?

Re. the syslog server, your router is capable of sending the error reports to one - it looks like you have version 1 of the router going by the image in the other thread, so from the manual:

Mode - Select Local, Remote or Both. If the selected mode is Remote or Both, events will be sent to the specified IP address and UDP port of the remote syslog server. If the selected mode is Local or Both, events will be recorded in the local memory.

SJ will probably know for sure but I would have thought there was a way to have the events appear in the Windows Event Log.

Otherwise, Kiwi and PRTG both have a free version Syslog Server, (limited number of input sources), that should be able to do what you want.

[IainB]

@4wd: Many thanks for that. Yes, I had read the manual and found the notes at the bit you point to in the image above. However, not knowing anything much about these things, I took it to mean simply that the syslog server would need to be a separate, remote physical device with it's own remote IP address - which I couldn't see myself as doing. I couldn't see why they made it so hard to do.

You give me some hope if the syslog can be output to the client Windows Event Log though! That could be ideal, if feasible.
I shall follow up on Kiwi and PRTG.

As for:

... do you have incoming ICMP messages blocked in the router ...

-4wd (December 31, 2013, 09:20 PM)

I don't know, I never kept a record, and I wouldn't know the difference anyway. As far as I recall, they all look similar in format to the ones in the image.
There is some other stuff - e.g., Windows 7 Firewall Control reports a lot of this kind of thing, which is what originally started me examining the router log to see what it was stopping.


For all I know, the source of a lot of this could be US NSA or NZ GCSB pings, or other similar criminal activity...

[4wd]

You give me some hope if the syslog can be output to the client Windows Event Log though! That could be ideal, if feasible.

-IainB (December 31, 2013, 10:04 PM)

After suggesting that, I've starting playing around with AutoIt3 to see if it can receive the events, (I can already write to the Application EventLog), atm it can see the kernel log restarts from my router.  So if it works out, it'll just be a small program that sits around monitoring a port.

... do you have incoming ICMP messages blocked in the router ...

-4wd (December 31, 2013, 09:20 PM)

I don't know, I never kept a record, and I wouldn't know the difference anyway. As far as I recall, they all look similar in format to the ones in the image.

By default incoming connections should be blocked, (if the router firewall is enabled), so for ICMP messages, (pings), to be getting through there's usually a couple of places to check:

Check Incoming IP Filtering and ensure there isn't an Allow rule for ICMP protocol:



If it's only happening to one particular IP on your network, then you may also have an Allow rule set to Any, (depends on your router whether Any is a valid selection), to that IP.

And there is usually an option somewhere, (in Advanced or Administration), that says something like:

Respond to ICMP requests: Never, LAN, WAN, Both

This is purely to do with what the router does when a ping is directed towards its LAN or WAN IP.  Normally you'd set it to Never or LAN unless you have a specific need to ping your router from the internet.

A quick search through the manual for your router for ping or ICMP didn't seem to find anything but that doesn't mean it can't be controlled by logging in via telnet and issuing a command.

I am wondering why your software firewall is seeing a lot of inbound blocking activity if the routers firewall is turned on though, (it does support a SPI^w firewall which should make it reasonably intelligent).

Referring to the W7FC image, you've cut it off so does it report what protocol is being used?

Don't know if this is feasible or worth bothering with, (SJ, 40, etc would be more informed than me), you have connection attempts being blocked to processes started by svchost.exe - it might pay to try and narrow down what processes in particular.  Possibly by using Process Explorer to get the names and trying to correlate with lookups on the blocked IPs.

Addendum: Here's another SysLog Server that might be a bit simpler, LogLady - very small (2.30MB) and works quite well with my router sending messages to it.  LogLady's default port for your router to send to is 514.

Shareware, but you could use it for a short period to see what's what.

I want to ping back blocked incoming pings - could I use BlackIce Defender?

[IainB]

...Referring to the W7FC image, you've cut it off so does it report what protocol is being used? ...

-4wd (December 31, 2013, 11:09 PM)

Here's a fuller image sample (taken from SysExporter):

I want to ping back blocked incoming pings - could I use BlackIce Defender?

[IainB]

...Check Incoming IP Filtering and ensure there isn't an Allow rule for ICMP protocol...

-4wd (December 31, 2013, 11:09 PM)

==> I checked. There are no such rules set in the router. (I set up no Allow rules on Incoming IP Filtering.)

I am wondering why your software firewall is seeing a lot of inbound blocking activity if the routers firewall is turned on though, (it does support a SPI^w firewall which should make it reasonably intelligent).

-4wd (December 31, 2013, 11:09 PM)

==> "Enable SPI Firewall" is ON.

Referring to the W7FC image, you've cut it off so does it report what protocol is being used?

-4wd (December 31, 2013, 11:09 PM)

==> See above latest image of log from me. It looks like it's all TCP.

Possibly by using Process Explorer to get the names and trying to correlate with lookups on the blocked IPs.

-4wd (December 31, 2013, 11:09 PM)

==> Playing with this now...nothing obvious so far...

[40hz]

You could run an online vulnerability scanner such as GRC's ShieldsUp to get some idea of what ports are responding to WAN queries. (It does a few other things as well. Good reference info on service port numbers and what they're most commonly used for.)

Once you've identified where you may be potentially vulnerable, it becomes a lot easier to close the holes.

After you know you're secure, you can more comfortably start trying to figure out who or what is probing you.

[4wd]

You've got IPs from Amazon Web Services, Google, Akamai (CDN), Joe's Datacenter LLC (this would have to be the NSA ), etc being blocked.

I think you need to check what programs you've got installed that require contact with these services.

eg. Background updaters, sync programs, iTunes, etc, etc.

[Stoic Joker]

You can get a list of what programs have which ports open with
netstat -anob

But anything internally initiated shouldn't be getting blocked by the router. Conversely, anything blocked by the router will have been externally initiated.

The pink and orange screenshot makes me wonder if you have a PPPoE connection with its mention of VPI/VCI. Does you ADSL require a user/pass to/when it connects?

[IainB]

2014-01-11 1442hrs: Following on from the above, and thanks for the helpful comments.

Its a Saturday, and I managed to make some time to look into this some more.
I checked in the online W7FC Frequently Asked Questions, and found this:

Multiple app(1), app(2) etc entries in Programs list.
   The firewall distinguishes the applications by full path name, so C:\FolderA\ABC.EXE and C:\FolderB\ABC.EXE will be listed by the firewall separately. That is correct as the applications (executables) are different formally. However, if there are two (or more) instances of absolutely the same executable, the firewall adds (2),(3) etc suffixes listing instances of the executable separately. You can rename the applications in the list if it is required. There are some specific applications (usually installers or update checkers) those generate network active helpers for every single network access attempt. The helpers (executables) are generated randomly and named unpredictably usually, however the helpers are binary equal. As the initial access attempt is blocked by the firewall the helper is blocked accordingly (but listed), the parent application generates new helper under a different name then, the helper is blocked again and the process loops endlessly. If the activity is expected safe, the solution is creating a (temporary) applicationless rule to enable the destination for the updating/installation of any application via Blocked Events pane (check the manual for the details). The next helper generated will be permitted to reach the desired destination before the initial detection block as the result. TrayIcon/RightClick/Mode:EnableAll setting switches the firewall off finally. The update/installation can be made manually as well.
____________________________

At the Blocked Events link, it said:

   Right clicking listed event (or using the toolbar) allows composing/adding a corresponding permitting rule to the application. The rules are created and applied (if required) to the blocked application to avoid blocking of the same reason in the future. Corresponding rules can be created/applied to all the applications at once by updating "Zone for All the Applications" (check Settings tab for the details). The blocked event destination address ownership can be verified via a free online WHOIS database.
    There is a set of options to set the permitting rule for the blocked IP only, IP sub-network, with or without destination port limitations at your option.
    The permitting rule is created automatically, shown in the final zone draft, can be edited and applied to the application (or all the applications) after confirmation. The rules are applied to applications listed in the Programs pane directly.
____________________________

I then did a WHOIS  (using W7FC) to check a few (not all) of the incoming IP blocks in W7FC:


Most of those were blocks for HPWS (Host Process for Windows Services). One was for a program name (not HPWS) that I had not adequately enabled access for in the W7FC Programs authorisation list, so I fixed that one by assigning it the correct access rights via that list.
All the HPWS incoming IP blocks I checked were from valid IP addresses to reputable companies that I would expect my PC applications might want to be using via HPWS, so I enabled each as in the diagram below, building up the list that you see there of enabled incoming IP addresses:


There was a block/range of blocked IP addresses that was owned by Google: 173.194.0.0 - 173.194.255.255
Given what we now seem to know of the cynical nature of NSA and Google's apparently excessively invasive methods, post SnowdenGate, I decided not to enable all these IP addresses and am mulling it over.

This step should now start to clear up the confusion of the table of W7FC's blocked incoming items, though I am unsure of whether it will affect the pings being blocked by the router.