Security Basics mailing list archives
Re: Home firewall Hits
From: "me null" <me_null () hotmail com>
Date: Thu, 06 Nov 2003 15:27:17 -0500
Hello, I haven't read through the replies you have got, but I'll chime in nonetheless. I would imagine some have said part of what I will.
1. I'm not sure what you meant here, but it sounds like a port scan:
"From reading the firewall log, I would think that my router is continuously hitting Port 162 with a UDP message. The odd thing is that it is doing this by using an incrementing port from 192.168.1.1, I see many of these every day, it is continuous."
2. These are DHCP ports 67 / 68 UDP. A DHCP server would tell DHCP clients where they are and info regarding your network.
3. If this is EXACTLY your setup ...
"[cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/ firewall ]"
then there's nothing blocking access from the internet to your router, which means someone can (if they haven't yet) crack your router's password. You would be amazed at how easy this can be, like a user name of "admin" and a password of "admin" and BAM they have CONTROL of your router. Either put a firewall between your router and the internet or AT LEAST change your login credentials for your router.
Hope this helps and wasn't too redundant.
From: "Preston, Tony" <Tony.Preston () acs-inc com>
To: "'security-basics () securityfocus com'" <security-basics () securityfocus com>
Subject: Home firewall Hits
Date: Fri, 31 Oct 2003 08:56:15 -0500

I am hoping someone here can explain what I am seeing on my home network. I use Kerio's tiny personal firewall and Windows ME. I have everything up to date with the latest patches. This is my home network and something strange is happening. The configuration is

[cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/ firewall ]

From reading the firewall log, I would think that my router is continuously hitting Port 162 with a UDP message. The odd thing is that it is doing this by using an incrementing port from 192.168.1.1, I see many of these every day, it is continuous. I have the latest firmware from Linksys, the firewall is rejecting all the packets. While I am an experienced programmer, I do not have a lot of network experience, probably I would classify myself as knowing enough to be dangerous...:)

The activity is at a moderate rate from a couple per second to one every 20 seconds. If it is some sort of attack attempt it is using a randomized delay between packets. Here is a summary of the hits.

[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40826->localhost:162, Owner: no owner
thru
192.168.1.1:40899->localhost:162, Owner: no owner

I do see other "hits" which are much less frequent which are an occasional hit here or there, I am not as concerned about these, but would be curious if anyone has ideas about why they occur. The first one, I might see one or two a day. The second one would show up in sets of 5-10, maybe a couple of times a day.

[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.197.121:80->localhost:1452, Owner: no owner
[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In UDP, 0.0.0.0:68->localhost:67, Owner: no owner

Anything here I should be concerned with??
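One way to triage the log lines quoted in this thread, as an added example that is not part of the original messages: it parses the Kerio "Blocked: In" records, groups them by source and destination port, and tags each group with where the source sits and the IANA service name of the port. The function names are illustrative, and the sample includes one invented record and one invented timestamp, marked in the code.

```python
import ipaddress
import re
from collections import defaultdict

# Record layout taken from the Kerio log lines quoted in the post.
LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']+)': Blocked: In (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[^:,\s]+):(?P<dport>\d+)")
# IANA service names for the destination ports that appear in the thread.
SERVICES = {("UDP", 67): "bootps (DHCP server)", ("UDP", 68): "bootpc (DHCP client)",
            ("UDP", 162): "snmptrap"}

def origin(ip):
    """Say where the source sits, so LAN chatter is kept apart from Internet traffic."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:
        return "unspecified"  # 0.0.0.0: a DHCP client that has no address yet
    return "lan" if addr.is_private else "internet"

def summarize(lines):
    """Group blocked inbound packets by (protocol, source IP, destination port)."""
    groups = defaultdict(lambda: {"count": 0, "sports": set()})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a 'Blocked: In' record
        g = groups[(m["proto"], m["src"], int(m["dport"]))]
        g["count"] += 1
        g["sports"].add(int(m["sport"]))
    return [{
        "proto": proto, "src": src, "origin": origin(src), "dport": dport,
        "service": SERVICES.get((proto, dport), "unknown"),
        "count": g["count"],
        "sport_range": (min(g["sports"]), max(g["sports"])),
    } for (proto, src, dport), g in sorted(groups.items())]

# Constructed sample: records from the post; the 40827 line and the timestamp on
# the 40899 line are invented to stand in for the range the poster wrote as "thru".
SAMPLE = [
    "[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40826->localhost:162, Owner: no owner",
    "[30/Oct/2003 23:53:49] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40827->localhost:162, Owner: no owner",
    "[30/Oct/2003 23:54:30] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40899->localhost:162, Owner: no owner",
    "[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.197.121:80->localhost:1452, Owner: no owner",
    "[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In UDP, 0.0.0.0:68->localhost:67, Owner: no owner",
]

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

In the output, the UDP 162 group has a single destination port and a climbing source port, which is what one sender using a fresh ephemeral port per datagram looks like; a scan would show many destination ports instead.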