Security Basics mailing list archives
Re: Home firewall Hits
From: "Tijl DULLERS" <Tijl.DULLERS () dhl com>
Date: Tue, 04 Nov 2003 11:29:20 +0100
Hi,

Port 162 UDP = SNMP traps. Did you configure your wireless router to send SNMP traps to your workstation PC? Or do you have SNMP enabled on the wireless router at all?

Preston, Tony wrote:
I am hoping someone here can explain what I am seeing on my home network. I use Kerio's tiny personal firewall and Windows ME. I have everything up to date with the latest patches. This is my home network and something strange is happening.

The configuration is:

[cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/ firewall ]

From reading the firewall log, I would think that my router is continuously hitting Port 162 with a UDP message. The odd thing is that it is doing this by using an incrementing port from 192.168.1.1. I see many of these every day; it is continuous. I have the latest firmware from Linksys, and the firewall is rejecting all the packets. While I am an experienced programmer, I do not have a lot of network experience; probably I would classify myself as knowing enough to be dangerous... :)

The activity is at a moderate rate, from a couple per second to one every 20 seconds. If it is some sort of attack attempt, it is using a randomized delay between packets. Here is a summary of the hits.

[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40826->localhost:162, Owner: no owner
thru
192.168.1.1:40899->localhost:162, Owner: no owner

I do see other "hits" which are much less frequent, an occasional hit here or there. I am not as concerned about these, but would be curious if anyone has ideas about why they occur. The first one, I might see one or two a day. The second one would show up in sets of 5-10, maybe a couple of times a day.

[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.197.121:80->localhost:1452, Owner: no owner
[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In UDP, 0.0.0.0:68->localhost:67, Owner: no owner

Anything here I should be concerned with??
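As an added example (not part of the original posts), a small Python triage script for the firewall log format quoted above: it groups blocked packets by protocol, source address and destination port, so the stream of hits from 192.168.1.1 appears as one sender targeting UDP 162 from changing source ports. The regular expression is inferred only from the quoted lines, and the second sample line is constructed from the "thru" range in the post.

```python
import re
from collections import defaultdict

# Destination ports that appear in the thread, with their IANA service names.
KNOWN = {("UDP", 162): "snmptrap", ("UDP", 67): "bootps (DHCP server)"}

LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']+)': Blocked: "
    r"(?P<dir>In|Out) (?P<proto>UDP|TCP), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+)"
)

# Lines 1, 3 and 4 are from the post; line 2 is constructed from the
# "thru 192.168.1.1:40899" range given there (its timestamp is assumed).
SAMPLE = """\
[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40826->localhost:162, Owner: no owner
[30/Oct/2003 23:55:10] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40899->localhost:162, Owner: no owner
[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.197.121:80->localhost:1452, Owner: no owner
[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In UDP, 0.0.0.0:68->localhost:67, Owner: no owner
"""

def summarize(log_text):
    """Group blocked packets by (protocol, source IP, destination port)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:  # lines in any other format are skipped
            key = (m["proto"], m["src"], int(m["dport"]))
            groups[key].append(int(m["sport"]))
    report = []
    for (proto, src, dport), sports in sorted(groups.items()):
        report.append({
            "proto": proto, "src": src, "dport": dport,
            "service": KNOWN.get((proto, dport), "unknown"),
            "hits": len(sports),
            "sport_range": (min(sports), max(sports)),
            # Several hits on one fixed destination port, each from a new
            # source port: one sender emitting datagrams, not a port scan.
            "fixed_target": len(sports) > 1 and len(set(sports)) == len(sports),
        })
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```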