A question...


Amy_Amp

 

Posted

OK, so I just canceled my CoH account. I had been planning to do so when the game went F2P, regardless of the whole EULA discussion.

However, please see the following from my firewall logs:

Quote:
09/20/2011 08:45:34.320 - Alert - Intrusion Prevention - Possible port scan detected - 64.25.35.220, 443, X1, us.ncsoft.com - xxx.xxx.xxx.xxx, 16288, X0 - TCP scanned port list, 16292, 16291, 16289, 16290, 16293
I had logged in to the NCSoft website to cancel my account, and I just happened to be doing my daily review of the firewall log files at about the same time. That's when I noticed the above. Note that there were several entries like this, but I only posted this one.

So, yeah....NCSoft and/or Paragon Studios employees reading this...care to explain why your web server is trying to port scan my PC?


 

Posted

That is really weird. An explanation would be nice but I doubt you'll get one.


 

Posted

If I had to guess it's the NCSoft Launcher reaching out to check to see if you have the latest game client. There was an update after all today. If you had beta and test servers installed as well it would help explain the multiple entries your seeing.



50s - Energyman, Elec^3 Blaster - Light Bringer Prime, Triform PB - OxyStorm, Robo/Storm/Mace MM - Widow Lotone, NW - Psi-Vox, Ill/FF/Earth Control

 

Posted

Yeah, I'm at work. No NCSoft launcher on this PC, now or ever. I went to the NCSoft website with my web browser.


 

Posted

This is worth a serious response. Wish I had something to contribute, besides a request that this topic not be trolled.


The Paladin
Steel Canyon, Virtue
Exalted

@Paladin

 

Posted

At a rough guess, based on what you were doing, I'd say that it's something related to their IP-based security on Master Accounts that is verifying that you're not spoofing your IP address or connecting through a known Proxy service.

Slashdot does something similar when you post anonymously to make sure you're not posting via an open proxy.


Omnes relinquite spes, o vos intrantes

My Characters
CoX Chatlog Parser
Last.fm Feed

 

Posted

Quote:
Originally Posted by The_Spad_EU View Post
At a rough guess, based on what you were doing, I'd say that it's something related to their IP-based security on Master Accounts that is verifying that you're not spoofing your IP address or connecting through a known Proxy service.

Slashdot does something similar when you post anonymously to make sure you're not posting via an open proxy.
This would be my guess as well based on you accessing the account pages.


If the game spit out 20 dollar bills people would complain that they weren't sequentially numbered. If they were sequentially numbered people would complain that they weren't random enough.

Black Pebble is my new hero.

 

Posted

Quote:
Originally Posted by sleestack View Post
OK, so I just canceled my CoH account. I had been planning to do so when the game went F2P, regardless of the whole EULA discussion.

However, please see the following from my firewall logs:



I had logged in to the NCSoft website to cancel my account, and I just happened to be doing my daily review of the firewall log files at about the same time. That's when I noticed the above. Note that there were several entries like this, but I only posted this one.

So, yeah....NCSoft and/or Paragon Studios employees reading this...care to explain why your web server is trying to port scan my PC?
99.999% this is a false positive. It happens all the time. The log says that the host in question is port scanning your system *from* port 443 (the SSL port) *to* a *small* number of consecutive high ports on your system around 16288.

More likely your own computer was making connections *to* NCsoft from those source ports to port 443 (basically, an HTTPS connection) and for some reason NCSoft's website didn't process those connections correctly or quickly enough. After your workstation closed those ports and opened new ones, at some point NCSoft's web server responded to your computer on those ports not realizing your computer had already closed them. Your firewall saw your computer close those ports so it no longer tracked connections on them. Then it saw packets coming from the web server heading for those ports, those packets were not, as far as it knew, part of existing connections, and it saw a bunch of them heading to a range of consecutive ports in a short time window. So it triggered its port scan IDS signature.

However, the odds of NCSoft sending a port scan *from* port 443 is fairly low, and more significantly no one who port scans would only scan a few ports in the 16000's - that's a worthless scan: nothing runs there generally.

You see this most often when the target server (in this case the web server) is highly loaded or overloaded, or the network connections between client and server are lossy and dropping or misrouting packets, also due to network congestion. You will see, as you mention, bursts of activity like this and it will often trip port scan signatures in many firewalls.


[Guide to Defense] [Scrapper Secondaries Comparison] [Archetype Popularity Analysis]

In one little corner of the universe, there's nothing more irritating than a misfile...
(Please support the best webcomic about a cosmic universal realignment by impaired angelic interference resulting in identity crisis angst. Or I release the pigmy water thieves.)

 

Posted

And that makes even more sense.

*praise Arcanaville*


If the game spit out 20 dollar bills people would complain that they weren't sequentially numbered. If they were sequentially numbered people would complain that they weren't random enough.

Black Pebble is my new hero.

 

Posted

Quote:
Originally Posted by The_Spad_EU View Post
At a rough guess, based on what you were doing, I'd say that it's something related to their IP-based security on Master Accounts that is verifying that you're not spoofing your IP address or connecting through a known Proxy service.

Slashdot does something similar when you post anonymously to make sure you're not posting via an open proxy.
Considering the master account system goes ape **** when you try to log in from a "another" IP, this is probably true.


 

Posted

While I would love to say "what Arcanaville said" I'm trying to find an official answer for you.

I'll let you know if/when I hear something back.


Andy Belford
Community Manager
Paragon Studios

 

Posted

I don't trust Arcanaville. Creepy AI.

Developer answers would be appreciated.


 

Posted

Arcanaville is an AI? Hmm... Yesss.. The math... The unflusterable rational thinking... The Star Trek Animated Show... Yes! It all makes sense now...


 

Posted

Quote:
Originally Posted by SlickRiptide View Post
Arcanaville is an AI? Hmm... Yesss.. The math... The unflusterable rational thinking... The Star Trek Animated Show... Yes! It all makes sense now...
Quick, someone upload a logical paradox!


"You don't lose levels. You don't have equipment to wear out, repair, or lose, or that anyone can steal from you. About the only thing lighter than debt they could do is have an NPC walk by, point and laugh before you can go to the hospital or base." -Memphis_Bill
We will honor the past, and fight to the last, it will be a good way to die...

 

Posted

Quote:
Originally Posted by The_Foo View Post
I don't trust Arcanaville. Creepy AI.

Developer answers would be appreciated.
Trust her or not, she's 100% correct. 443 is the port that is used when you browse any SSL site. Since Sleestack was going to cancel his account, he was undoubtedly logged in using a secure connection to NCsoft's web server--i.e. 64.25.35.220 port 443. That ip address is us.ncsoft.com, the main account management server.

As an IT professional that has been working in various technical capacities for a very long time, I can assure you that there's exactly zero chance in hell that us.ncsoft.com is doing a port scan from port 443. This is simply the account management server answering a request sent by Sleestack, full stop, end of story. Really, barring some really weird setup, I don't even think that it's possible to do such a port scan from port 443. When you open a port to scan someone else's computer, you don't specify the port from which you're going to do it, you almost always let the OS will pick one for you. Even if you tried to open that specific port, you will almost certainly be denied the ability to do so since the web server has it tied up listening for incoming requests from people who want to manage their account. Even if someone were to take great pains to override these safeguards, it still wouldn't work because it would be impossible for the server to determine whether any replies that the machine did send back to 443 were supposed to be directed at its hypothetical scanning software or the web server.

So yeah, there is zero question in my mind that this is most definitely a false positive.


We've been saving Paragon City for eight and a half years. It's time to do it one more time.
(If you love this game as much as I do, please read that post.)

 

Posted

Quote:
Originally Posted by The_Foo View Post
I don't trust Arcanaville. Creepy AI.

Developer answers would be appreciated.


 

Posted

Quote:
Originally Posted by Arcanaville View Post
99.999% this is a false positive. It happens all the time. The log says that the host in question is port scanning your system *from* port 443 (the SSL port) *to* a *small* number of consecutive high ports on your system around 16288.

More likely your own computer was making connections *to* NCsoft from those source ports to port 443 (basically, an HTTPS connection) and for some reason NCSoft's website didn't process those connections correctly or quickly enough. After your workstation closed those ports and opened new ones, at some point NCSoft's web server responded to your computer on those ports not realizing your computer had already closed them. Your firewall saw your computer close those ports so it no longer tracked connections on them. Then it saw packets coming from the web server heading for those ports, those packets were not, as far as it knew, part of existing connections, and it saw a bunch of them heading to a range of consecutive ports in a short time window. So it triggered its port scan IDS signature.

However, the odds of NCSoft sending a port scan *from* port 443 is fairly low, and more significantly no one who port scans would only scan a few ports in the 16000's - that's a worthless scan: nothing runs there generally.

You see this most often when the target server (in this case the web server) is highly loaded or overloaded, or the network connections between client and server are lossy and dropping or misrouting packets, also due to network congestion. You will see, as you mention, bursts of activity like this and it will often trip port scan signatures in many firewalls.
Yeah this makes sense, because right before the time of the log entries I tried to access my account and got the "Site down, try again later" message.

Okay, "mystery" solved as far as I'm concerned.


 

Posted

Also a networking guy here for my day job, and echoing what Arcanaville and TonyV said. Responses from port 443 on their web server to high (aka ephemeral) ports are entirely to be expected, especially if your browser is opening multiple connections to load images, etc. Twitchy firewall overreacting.

Going to venture a guess... ZoneAlarm?


 

Posted

Quote:
Originally Posted by Frostbiter View Post
That is really weird. An explanation would be nice but I doubt you'll get one.
Quote:
Originally Posted by Paladin View Post
This is worth a serious response. Wish I had something to contribute, besides a request that this topic not be trolled.

We need a congressional hearing and a written response from the President of Korea.


Speeding Through New DA Repeatables || Spreadsheet o' Enhancements || Zombie Skins: better skins for these forums || Guide to Guides

 

Posted

Quote:
Originally Posted by Zombie Man View Post
We need a congressional hearing and a written response from the President of Korea.
ILLOGICAL! ILLOGICAL! NORMAN, PLEASE COORDINATE!




(Sorry, I just wanted to use that reference...)


"You don't lose levels. You don't have equipment to wear out, repair, or lose, or that anyone can steal from you. About the only thing lighter than debt they could do is have an NPC walk by, point and laugh before you can go to the hospital or base." -Memphis_Bill
We will honor the past, and fight to the last, it will be a good way to die...

 

Posted

Quote:
Originally Posted by Zombie Man View Post
We need a congressional hearing and a written response from the President of Korea.


It all right. Nothing to see here.



He means me you twit.




Whatever. Works for us either way.


[Guide to Defense] [Scrapper Secondaries Comparison] [Archetype Popularity Analysis]

In one little corner of the universe, there's nothing more irritating than a misfile...
(Please support the best webcomic about a cosmic universal realignment by impaired angelic interference resulting in identity crisis angst. Or I release the pigmy water thieves.)

 

Posted

Quote:
Originally Posted by The_Foo View Post
I don't trust Arcanaville. Creepy AI.

Developer answers would be appreciated.
I'm developing an idea...
An AE arc featuring Arcanaville as the world's first silicon-based life form (which is so brilliant it invented itself. Maybe in The Future.) who secretly pulls all the strings behind Paragon City, the Rogue Isles, Praetoria, the Rikti, the Battalion, and everything else...

...wait, does that make Arcanaville the Well of the Furies, and the Well of the Furies a sentient machine...?

...This is actually the plot of the Incarnate Trials! GASP!


@Draeth Darkstar
Virtue [Heroes, Roleplay], Freedom [Villains], Exalted [All Sides, Roleplay]
Code:
I24 Proc Chance = (Enhanced Recharge + Activation Time) * (Current PPM * 1.25) / 60*(1 + .75*(.15*Radius - 0.011*Radius*(360-Arc)/30))
Single Target Radius = 0. AoE Non-Cone Arc = 360.

 

Posted

Quote:
Originally Posted by Draeth Darkstar View Post
I'm developing an idea...
An AE arc featuring Arcanaville as the world's first silicon-based life form (which is so brilliant it invented itself. Maybe in The Future.) who secretly pulls all the strings behind Paragon City, the Rogue Isles, Praetoria, the Rikti, the Battalion, and everything else...

...wait, does that make Arcanaville the Well of the Furies, and the Well of the Furies a sentient machine...?

...This is actually the plot of the Incarnate Trials! GASP!

Reading that made me think arcanaville=nemesis?


On Justice
Global @Desi Nova Twitter: @desi_nova Steam: Desi_nova. I don't do Xbox or PS3

 

Posted

Just want to throw this out into the thread. Can I have all your CoH stuff?



Contact me in-game: @CheeseSlicer