1000s 'intrusion attempts' while utorrent is working fine???

[Julius P.]

Is this really normal?

I am behind a wired router, using both the router's firewall and a software firewall.

The only port I have forwarded is for utorrent, which I run less than one hour a week. The software firewall is set up to let utorrent traffic through. The forwarded port is not the default one, and I have no problem uploading and downloading to the maximum capacity the ISP doles out (~500-600 down, 30 to 50 up).

When I look at the logs for my software firewall, I find that it has to block 'intrusion attempts' every few seconds on that one port , regardless of whether utorrent is running or not. Obviously, plenty of connections do go through that port when I am down/uploading something, but what on earth are those blocked ones?? And should I really get that many? That's sometimes over 1000 of them an hour!

Is it time to set up port triggering, so that at least this only happens when utorrent is running?

[DreadWingKnight]

It's time to ditch your overprotective firewall and get one that isn't so stupid.

It probably assumes any incoming connection attempt is an "intrusion attempt" which is wrong.

[Julius P.]

Well, the firewall does not assume that every connection attempt is an 'intrusion attempt' (talk about alarmist terminology...). When utorrent is running, hundreds of perfectly good and legit connections are being made through the port assigned to utorrent, and the firewall does NOT flag them or in any way attempts to block them.

Just some of them are blocked, and they continue even when utorrent is not even running.

[DreadWingKnight]

Just judging from the part where you mention that these entries are coming up regardless of whether or not uT is running, I'd say it is the firewall being overly paranoid.

[Julius P.]

O.K., I'll take that, but you probably underestimate my ignorance: what I really would like to know is WHAT those connection attempts being made round the clock through the uT port really are.

[DreadWingKnight]

Well, the UDP traffic is for DHT (and cannot be declared a connection attempt, since UDP is connectionless).

Anything TCP would be peers on torrents you have active (or had active) trying to connect to you.

[Julius P.]

Thanks for helping out with this. It is starting to make sense. You are saying that when uT is not running, peers who previously had a connection with uT on my machine will check out if I am available, so to speak?

But then, what of those that get blocked while uT is running? Why would the firewall allow some (most, really) and not others?

[DreadWingKnight]

You may have reached your connection limit for a particular torrent, causing uT to quickly close the connection and subsequently causing the firewall to go into "paranoid mode" and declare it an intrusion attempt because of how short the connection lasted.

[Julius P.]

mmmh.

I do notice that admin and moderators on these forums are pretty critical of most, if not all firewalls. ('critical' is the mildest I could come up with)

Maybe it is time to share your opinions of what firewall, if any, is not a POS, junk, crap, f**cking paranoid, or worse.

I will change to it in a heartbeat. No joke.

And my apologies if you have done so somewhere else already.

[Firon]

A router. Windows firewalls are all useless.

[Julius P.]

Chalk one up for clear advice.

It does seem hard to believe that firewalls are useless, doesn't it? As you know, you are not the only ones, though: see http://www.mg.co.za/articlePage.aspx?articleid=275381&area=/insight/insight_tech/ (English), Slashdoted here:

http://it.slashdot.org/article.pl?sid=06/08/24/136257&from=rss

See also here:

http://samspade.org/d/firewalls.html

and here:

http://tooleaky.zensoft.com/

and finally:

http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

Cheers and thanks.

[Firon]

I don't believe -all- firewalls are useless. I've used firewalls on Linux, and they are FAR from useless, because they attempt to control only inbound stuff: packet rates, SYN floods, etc... and do a superb job at it.

I just believe Windows firewalls are, because they're poorly implemented and try to do things that just don't work, such as egress filtering. They break more than they solve, and poorly detect stuff as hack attempts with pretty little popups and flashing.

[lorax1284]

So the upshot is: if you have a hardware filewall (router) and only have ONE port open (is uPNP safe?) the worm messages thrown by NIS are bogus, even the ones that seem to be on computer on my home network trying to communicate with another computer that isn't involved in utorrent (it's on, doing nothing in particular?)

[DreadWingKnight]

Pretty much.

most software firewalls are overly paranoid and/or poorly written. Routers will protect you from 90% of threats.

The remaining 10% of the threats are dangerous enough that a software firewall wouldn't even slow them down.

[lorax1284]

is this related to use of utorrent, or in general? That is, am I MORE susceptible running utorrent than not? I haven't had any problems to date while running utorrent and having Norton Worm Protection (warning me every 30 seconds when a malicious user finds my IP addy), so are you saying that if I use utorrent WITHOUT any kind of software worm protection running on my Windows XP computer (i.e. no warnings: ignorance is not bilss), I am NO MORE EXPOSED than I would be while running utorrent WITH software Worm Protection (warnings, but not better protection)

?

[DreadWingKnight]

With or without the protection software, it doesn't matter. You're no more exposed.

The protection software families have a long enough history of false alarms that they aren't recommended for use.

[lorax1284]

Thanks very much... I'm convinced that the only safe place to be on the 'net is behind a hardware firewall under my own control... and using utorrent won't expose me unduly.

[Switeck]

There are even hacking exploits to take advantages of weakness in software firewalls. You are actually LESS vulnerable without them in those cases.

(Buffer overflows can do all kinds of crazy things.)

But a router would block basically ALL of that from reaching your computer.

The biggest problem is Web browser exploits. Your software firewall and even your antivirus software already allows your web browser probably too much access. It does little good to put a deadbolt on a screen door.