Aha, I think I know what this is, as I encountered something similar using ISA2k. If you go to the properties of your Internet NIC, into TCP/IP Properties and click the Advanced button. On the DNS tab at the bottom, there's an option "Register this connection's address in DNS". IIRC this is enabled by default, and the result is your external NIC trying to register with the External DNS server. This in return initiates a barrage on incoming packets from the DNS server. By unchecking the box your server stops trying to register with the external DNS. While this might only stop the packet scans from the DNS Servers, it's one less alert to worry about. As Ara rightly says, lock your door, it's the world we live in. I get loads of users who have installed personal firewalls coming to me panicking about all the external attacks that their firewall has warned them of, so my usual reply is to be worried of the ones it doesn't warn you of... *evil* HTH Regards, Steve Steve Lunn - PC & Network Support Microsoft MCP DDI: 01423 855101 Fax: 01423 855181 -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: 16 March 2005 18:59 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Port Scans http://www.ISAserver.org Depends on what IP the scanning is coming from. For example, I just noticed a scanning alert today that said it was coming from the IP address of our ISP's DNS server. If I block that, I will no longer be able to do DNS lookups. -----Original Message----- From: Paul Laudenslager [mailto:paul@xxxxxxxxxxxx] Sent: Wednesday, March 16, 2005 12:54 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Port Scans http://www.ISAserver.org I see continual port scans from my ISP where I host my servers. Is it possible to block these IP's altogether? Thanks! Paul ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: steve.lunn@xxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx Homeowners Group consists of Homeowners Friendly Society Limited (HFSL), Registered and Incorporated under the Friendly Societies Act 1992, Reg. No. 964F, Homeowners Investment Fund Managers Limited (HIFML), Reg. No. 3224780, Homeowners Financial Administration Limited (HFAL), Reg. No. 4301736, Homeowners Membership Services Limited (HMSL), Reg. No. 3091667 and UK Friendly Insurance Services Limited (UKFISL), Reg. No. 3088162, all registered at Hornbeam Park Avenue, Harrogate. HG2 8XE. Tel: 01423 855000 Web: http://www.homeowners.co.uk HFSL and HIFML are both authorised and regulated by the Financial Services Authority (FSA). HFSL's FSA Register no. is 110072, HIFML's FSA Register no. is 181487. You can check this on the FSA's Register by visiting the FSA's website http://www.fsa.gov.uk/register or by contacting the FSA on 0845 606 1234 HFAL, HMSL and UKFISL are non-regulated limited companies. United Kingdom Civil Service Benefit Society (UKCSBS) and United Kingdom Armed Forces Benefit Society (UKAFBS) are trading styles of Homeowners Friendly Society Limited This e-mail is intended only for the person named as recipient. The contents are confidential. If you are not the intended recipient of this e-mail, please notify us as soon as possible and delete it. If you are not the intended recipient of the e-mail, any use by you is prohibited.