Security Basics mailing list archives
Re: Home firewall Hits
From: <rjemckay () verizon net>
Date: Mon, 3 Nov 2003 23:04:37 -0500
Tony - check the log tab in your Linksys router setup, it probably has logging enabled. If it is, it will send out/broadcast SNMP packets with log information obtained at the router. I'm assuming that you're running your router as a NAT box and so much if not all of the inbound traffic from the internet is being blocked at the router (unless you've enabled various services).

If you want to check or view the log information from the router I would suggest using WallWatcher and WallReViewer - both packages are free. WallWatcher will give you a nice readout of the SNMP logs generated by your router, WallReViewer gives you a nice analysis of the logs over a period of time. Also, you will need to determine what internal IP address you want the router to broadcast to - if you want it to broadcast to all computers on your internal network use 255 in the last octet or put a specific computer IP address.

WallWatcher and WallReViewer can be found at http://www.sonic.net/~sraaii/wallwatcher/Index.html

rm
From: "Preston, Tony" <Tony.Preston () acs-inc com>
Date: 2003/10/31 Fri AM 08:56:15 EST
To: "'security-basics () securityfocus com'" <security-basics () securityfocus com>
Subject: Home firewall Hits

I am hoping someone here can explain what I am seeing on my home network. I use Kerio's tiny personal firewall and Windows ME. I have everything up to date with the latest patches. This is my home network and something strange is happening.

The configuration is:

[cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/ firewall ]

From reading the firewall log, I would think that my router is continuously hitting Port 162 with a UDP message. The odd thing is that it is doing this by using an incrementing port from 192.168.1.1, I see many of these every day, it is continuous. I have the latest firmware from Linksys, the firewall is rejecting all the packets. While I am an experienced programmer, I do not have a lot of network experience, probably I would classify myself as knowing enough to be dangerous...:)

The activity is at a moderate rate from a couple per second to one every 20 seconds. If it is some sort of attack attempt it is using a randomized delay between packets. Here is a summary of the hits.

[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40826->localhost:162, Owner: no owner
thru
192.168.1.1:40899->localhost:162, Owner: no owner

I do see other "hits" which are much less frequent which are an occasional hit here or there, I am not as concerned about these, but would be curious if anyone has ideas about why they occur. The first one, I might see one or two a day. The second one would show up in sets of 5-10, maybe a couple of times a day.

[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.197.121:80->localhost:1452, Owner: no owner
[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In UDP, 0.0.0.0:68->localhost:67, Owner: no owner

Anything here I should be concerned with??
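A log summarizer for entries in the format quoted above, as an added example that is not part of the original thread: it groups blocked packets by source address and destination port so the router's steady stream to UDP 162 stands out from the occasional hits. The sample lines reuse the addresses and ports from the post; two of the timestamps and source port 40827 are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Line layout follows the Kerio log entries quoted in the post.
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']+)': Blocked: \w+ (?P<proto>TCP|UDP), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+)"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IANA-registered UDP ports that appear in the post.
UDP_SERVICES = {162: "snmptrap", 67: "bootps", 68: "bootpc"}

# Constructed sample: addresses and ports from the post; timestamps of the
# second and third lines and source port 40827 are made up for illustration.
SAMPLE_LOG = """\
[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40826->localhost:162, Owner: no owner
[30/Oct/2003 23:53:49] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40827->localhost:162, Owner: no owner
[30/Oct/2003 23:55:10] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40899->localhost:162, Owner: no owner
[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.197.121:80->localhost:1452, Owner: no owner
[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In UDP, 0.0.0.0:68->localhost:67, Owner: no owner
"""

def origin(src):
    """Classify a source address as lan, internet or unspecified."""
    ip = ipaddress.ip_address(src)
    if ip.is_unspecified:
        return "unspecified"  # e.g. a DHCP client that has no address yet
    return "lan" if any(ip in net for net in RFC1918) else "internet"

def summarize(log_text):
    """Group blocked packets by (protocol, source IP, destination port)."""
    groups = defaultdict(lambda: {"hits": 0, "sports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # skip anything that is not a blocked-packet entry
        g = groups[(m["proto"], m["src"], int(m["dport"]))]
        g["hits"] += 1
        g["sports"].add(int(m["sport"]))
    return [
        {"proto": proto, "src": src, "dport": dport, "origin": origin(src),
         "hits": g["hits"], "distinct_sports": len(g["sports"]),
         "service": UDP_SERVICES.get(dport) if proto == "UDP" else None}
        for (proto, src, dport), g in sorted(groups.items())
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A group with a LAN origin, a single destination port and as many distinct source ports as hits matches the pattern described in the post: one internal device opening a new ephemeral port for each datagram it sends.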