OpenBSD Security: Functionally paranoid!
I am baffled. I have a laptop here next to me acting as a web server. It is connected to the internet using a NAT'ed router. I have a dynamic IP address which I have changed multiple times in order to get this IP here, 58.218.199.147, to leave me alone.

So far the only way I have gotten them to stop scanning my ports is to either edit pf.conf and block everything in all directions or unplug the machine entirely. I can't seem to find anything unusual showing up in pflog. If I open up the ports www, domain, and https on the server and use the router to block all access to it, I still end up seeing things like this appear in its logs several times a day.

Code:
[DoS Attack: ACK Scan] from source: 58.218.199.147, port 80
[DoS Attack: ACK Scan] from source: 58.218.199.147, port 443

This computer has been compromised before when it had Windows on it, but since then it's been wiped and reformatted several times. I believe my computer may still be compromised somehow, but I don't know what to do about it. My other machines don't appear to do this; however, one is new and the other has had its hard drive replaced. I'm fairly new at all of this and have no idea what to do next. Does anyone know what's going on?
Welcome to the Internet.

Consider if the Internet were the real world -- your IP address would be your home address. You would want to keep your doors and windows locked, and only let in people you knew, and greeted at the door yourself. Consider what happens when you set up a service that awaits incoming activity -- you unlock your door. In this case you have a service that will respond to anyone who "knocks" at two doors on your front porch: the two marked TCP port 80 and TCP port 443.

Your experience is typical of anyone who ever opens a service on the Internet, intentionally or unintentionally. There are script kiddies and other bad actors who set up computers to do nothing other than scan blocks of subnets by the millions -- knocking on every door -- and hoping for positive responses, and then subject those responding systems to further attack.

Your NAT router is not described. If your router is OpenBSD, PF gives you a lot of options to control access to your services, including limiting or eliminating many forms of attack, and adding attacker IP addresses to blocking tables automatically. If your NAT router is a turnkey SOHO device, you are limited to whatever that device may offer, which might be no more than NAT alone as your sole protection from the vagaries of the Internet.

You mention that you have opened "domain" services -- so you are perhaps running or plan to run a DNS server open to the Internet from this platform as well, though that doesn't make much sense to me if your Internet address is dynamic.
__________________
OpenBSD LiveCDs/LiveDVDs
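The reply above mentions that PF can rate-limit connections and add offending addresses to a blocking table automatically. The following pf.conf is an added example of what that looks like on the OpenBSD web server itself; it is not from either poster. The interface name (`em0`), the table name, and the connection limits are assumptions and should be tuned to the real host and its traffic.

```pf
# Added example, not from the original thread. Interface name, table
# name and the numeric limits are assumptions; adjust to your host.
ext_if = "em0"
web_ports = "{ 80, 443 }"

# Hosts that exceed the rate limit are added here. "persist" keeps the
# table defined even when it is empty.
table <abusive> persist

# Drop silently instead of replying with RST/ICMP, so a scanner learns
# less from a blocked probe.
set block-policy drop
set skip on lo

# Default deny. The "log" keyword is what makes blocked packets appear
# in pflog(4); without it, nothing is written there.
block log all

# Addresses already in the table are refused before any pass rule.
block in quick on $ext_if from <abusive>

# Allow the web service, but only for new connections (SYN without ACK).
# An unsolicited ACK with no matching state, like the "ACK Scan" entries
# in the router log, never matches this rule and hits the default block.
# ($ext_if) in parentheses tracks the address of a dynamic interface.
pass in on $ext_if proto tcp to ($ext_if) port $web_ports flags S/SA \
    keep state (max-src-conn 50, max-src-conn-rate 15/5, \
                overload <abusive> flush global)

pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The addresses that have tripped the limit can be listed with `pfctl -t abusive -T show`, and entries older than a day can be pruned with `pfctl -t abusive -T expire 86400`. Blocked packets are written to the pflog interface and can be read with `tcpdump -n -e -ttt -r /var/log/pflog`; note that if an upstream router already discards the traffic, those packets never reach the OpenBSD host and so will not show up in pflog at all.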