I saved a few firewall logs which show IP addresses and ports, including the ports that were scanned to trigger the attack, but I wasn't running Wireshark and don't have any actual packet captures. Should I post the logs to this thread or email them to your support? The only really interesting part is the protection log, which indicates:

2013/11/30 21:00:24 detected scan packet: 53371; packet recv TCP 72.21.81.253:80 -> 192.168.1.102:53371 (40) [ ACK ]
2013/11/30 21:00:36 detected port scanning: 53371, 53377, 53378, 53379, 53380, 53381, 53382; packet recv TCP 72.21.81.253:80 -> 192.168.1.102:53382 (40) [ ACK ]
2013/11/30 21:00:36 Attack SCAN (53371, 53377, 53378, 53379, 53380, 53381, 53382) detected from 72.21.81.253 {host blocked for 5 min} [000001B5]
2013/11/30 21:02:00 detected scan packet: 53390; packet recv TCP 69.16.175.42:80 -> 192.168.1.102:53390 (40) [ ACK ]
2013/11/30 21:04:19 detected port scanning: 53513, 53516, 53519, 53522, 53525, 53528, 53531; packet recv TCP 69.16.175.42:80 -> 192.168.1.102:53531 (40) [ ACK ]
2013/11/30 21:04:19 Attack SCAN (53513, 53516, 53519, 53522, 53525, 53528, 53531) detected from 69.16.175.42 {host blocked for 5 min} [000001B6]
2013/11/30 21:05:36 intruder 72.21.81.253 unblocked [000001B5]
2013/11/30 21:09:19 intruder 69.16.175.42 unblocked [000001B6]

The other log file is basically just a series of details of when I allowed or blocked MBAM from accessing various IPs. (I first allowed it, then blocked it as I was trying to figure out what was going on.) If you want more details of my firewall configuration and security, we should probably take this offline.
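
An added example, not part of the original post and not the firewall vendor's code: a small parser for the protection-log lines quoted above that pairs each block with its unblock by the bracketed ID and records the remote source port and TCP flags of the packets that triggered it. The line format is inferred only from the lines in the post, and the function and field names are assumptions.

```python
import re
from datetime import datetime

# Lines copied from the protection log quoted in the post above.
LOG = """\
2013/11/30 21:00:24 detected scan packet: 53371; packet recv TCP 72.21.81.253:80 -> 192.168.1.102:53371 (40) [ ACK ]
2013/11/30 21:00:36 detected port scanning: 53371, 53377, 53378, 53379, 53380, 53381, 53382; packet recv TCP 72.21.81.253:80 -> 192.168.1.102:53382 (40) [ ACK ]
2013/11/30 21:00:36 Attack SCAN (53371, 53377, 53378, 53379, 53380, 53381, 53382) detected from 72.21.81.253 {host blocked for 5 min} [000001B5]
2013/11/30 21:02:00 detected scan packet: 53390; packet recv TCP 69.16.175.42:80 -> 192.168.1.102:53390 (40) [ ACK ]
2013/11/30 21:04:19 detected port scanning: 53513, 53516, 53519, 53522, 53525, 53528, 53531; packet recv TCP 69.16.175.42:80 -> 192.168.1.102:53531 (40) [ ACK ]
2013/11/30 21:04:19 Attack SCAN (53513, 53516, 53519, 53522, 53525, 53528, 53531) detected from 69.16.175.42 {host blocked for 5 min} [000001B6]
2013/11/30 21:05:36 intruder 72.21.81.253 unblocked [000001B5]
2013/11/30 21:09:19 intruder 69.16.175.42 unblocked [000001B6]
"""

TS = r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) "
PACKET = re.compile(TS + r"detected .*?packet recv (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+) \(\d+\) \[ ([A-Z ]+?) \]")
ATTACK = re.compile(TS + r"Attack (\w+) \(([\d, ]+)\) detected from ([\d.]+) .*\[(\w+)\]$")
UNBLOCK = re.compile(TS + r"intruder ([\d.]+) unblocked \[(\w+)\]$")

def parse_ts(s):
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S")

def summarize(text):
    """Return {block_id: record} with one record per Attack/unblock pair."""
    packets, blocks = {}, {}
    for line in text.splitlines():
        if m := PACKET.match(line):
            _, proto, src, sport, _, _, flags = m.groups()
            p = packets.setdefault(src, {"proto": proto, "src_ports": set(), "flags": set()})
            p["src_ports"].add(int(sport))   # remote port the packets came from
            p["flags"].update(flags.split())  # TCP flags seen on flagged packets
        elif m := ATTACK.match(line):
            ts, kind, ports, src, bid = m.groups()
            blocks[bid] = {"src": src, "kind": kind, "blocked_at": parse_ts(ts),
                           "dst_ports": [int(p) for p in ports.split(",")],
                           "blocked_secs": None, **packets.get(src, {})}
        elif m := UNBLOCK.match(line):
            ts, src, bid = m.groups()
            if bid in blocks:  # an unblock with no matching block is ignored
                delta = parse_ts(ts) - blocks[bid]["blocked_at"]
                blocks[bid]["blocked_secs"] = int(delta.total_seconds())
    return blocks

if __name__ == "__main__":
    for bid, rec in summarize(LOG).items():
        print(bid, rec)
```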