When ADSL and Cable Modem hit the streets of the UK, the world seemed to keep banging on about: ‘If you’ve got a fixed connection you need to be careful, because you’re opening yourself up to attacks from outside.’ The view was that if you have a permanent Internet connection, it means you’re always connected and therefore you’re more susceptible to attack.
Nevertheless, even if you’re a dial-up user you’re leaving yourself open to attack if you don’t employ some kind of firewall software. Although it’s true that, on average, people with dial-up connections aren’t connected to the world for as long as those with fixed links (particularly if the latter have their own mail or web server sat under the desk in the spare room and running 24x7) many of us do spend a fair amount of time surfing in the evenings and weekends when costs are cheap or calls are free. So just what are the risks of dial-up versus fixed connections?
To get an idea of the risks, we set up one machine with a dial-up connection through Tesco.net (which seems to give you an address range in NTL’s block, which suggests they’re providing the actual service) and one with an ADSL link from BT. The latter had a fixed address in our allocated Business Plus block, and the former was allocated as part of the dial-up PPP negotiation. We ran each for five hours on a Friday afternoon/evening, using Windows XP’s built-in Internet Connection Firewall to log all connection attempts to a file for analysis purposes. ICF was told in each case that the PC was running no server applications at all, and so it should drop all connection attempts.
The main connection types we saw coming into our dial-up connection from afar were those you’d expect to see arriving over the Internet. In five hours we saw a total of 104 attempted connections. Many were one-off connections, though some came from port scans – where a remote machine attempts to make connections on a number of different IP ports in search of listening services. Many used fake IP addresses – numbers in ranges that have not, as yet, been allocated to real users and which you can’t therefore trace back to their origin.
Those that could be traced, though, came from a plethora of origins – Israel, the UK, Poland, Hungary, Germany, the Netherlands, Italy, Austra and Turkey. In terms of connection types, we had:
- A handful of ‘ping’ packets, presumably remote machines probing to see if anything was answering our address.
- Half a dozen NetBIOS requests – machines trying to elicit information about shared folders on our machine that might be available to rob.
- Two machines sending repeated HTTP (web) requests – web server programs are commonly running without the user knowing, and are potentially insecure.
- Vast wads of connection attempts on port 4662, which we believe is the port used by the eDonkey file sharing service.
- A couple of probes to ports normally used by the SOCKS security/proxy mechanism.
Fixed link: observations
The level of incoming connections on our ADSL line was almost identical to that of the dial-up link for the same time period – a total of 102 probes and connection attempts. The distribution of countries from which we saw connections was similar too – Israel, Poland and Hungary vanished from the list and we added Spain and Switzerland. Of our 102 connections, we had:
- 28 connections on the NetBIOS ports, checking to see if we were advertising file services to the world.
- 41 on ports that are often associated with Windows denial-of-service attacks.
- 24 Web connections.
- A solitary FTP connection attempt.
- 8 associated with SOCKS or Squid proxies.
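The tallies in the two lists above can be produced directly from the firewall's log file. The Python below is an added example, not the script used for the article: it assumes the space-separated layout with a `#Fields:` header line that ICF writes to its log (pfirewall.log by default), the port-to-category mapping is an assumption based on well-known port numbers, and the sample entries are constructed using documentation address ranges.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed mapping from well-known destination ports to the article's categories.
CATEGORIES = {137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS", 80: "HTTP",
              21: "FTP", 4662: "eDonkey", 1080: "SOCKS/proxy", 3128: "SOCKS/proxy"}

# Constructed sample entries (not real traffic); 192.0.2.10 stands in for our PC.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2003-01-10 14:01:00 OPEN TCP 192.0.2.10 198.51.100.80 1045 80 - - - - - - - -
2003-01-10 14:02:11 DROP TCP 198.51.100.7 192.0.2.10 3312 4662 48 S 1234567 0 16384 - - -
2003-01-10 14:03:40 DROP ICMP 203.0.113.5 192.0.2.10 - - 60 - - - - 8 0 -
2003-01-10 14:05:02 DROP UDP 203.0.113.99 192.0.2.10 137 137 78 - - - - - - -
2003-01-10 14:09:30 DROP TCP 198.51.100.7 192.0.2.10 3313 4662 48 S 1234999 0 16384 - - -
2003-01-10 14:20:15 DROP TCP 198.51.100.23 192.0.2.10 2201 80 48 S 7654321 0 8192 - - -
2003-01-10 14:41:09 DROP TCP 203.0.113.5 192.0.2.10 4410 1080 48 S 2468101 0 8192 - - -
"""

def parse(text):
    """Yield one dict per log entry, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(entry):
    """Map a dropped packet to a category: ICMP echo requests are pings, the rest go by port."""
    if entry["protocol"] == "ICMP":
        return "ping" if entry["icmptype"] == "8" else "other ICMP"
    port = entry["dst-port"]
    return CATEGORIES.get(int(port), "other") if port.isdigit() else "other"

def summarise(text, window_minutes=10):
    """Return (count per category, distinct sources, distinct sources in the first window)."""
    drops = [e for e in parse(text) if e["action"] == "DROP"]  # ignore OPEN/CLOSE entries
    by_type = Counter(classify(e) for e in drops)
    stamps = [datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
              for e in drops]
    # The window is measured from the first dropped packet, not from connection start.
    cutoff = min(stamps) + timedelta(minutes=window_minutes) if stamps else None
    early = {e["src-ip"] for e, t in zip(drops, stamps) if t <= cutoff}
    return by_type, len({e["src-ip"] for e in drops}), len(early)

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Counting distinct source addresses alongside the per-category totals matters because one scanning host can account for many log entries.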
What the experts have been banging on about for years is true: you must have some kind of security mechanism on your computers or centrally on your home network if you use fixed-link Internet connectivity. But this does NOT mean that you can go without security measures on a normal dial-up connection. In just five hours we saw five types of attack from nine different countries on the dial-up connection, which our firewall caught with no great problems but which could have been an intruder’s first step inside our network.
The ‘I’m not connected for very long’ argument doesn’t hold up either – in the first ten minutes of our dial-up test we had attacks from three different locations.
The moral of the story: no matter how you connect to the Internet, get yourself a firewall.