Security Basics mailing list archives
Re: multicast connection trials from a home machine - is it regular?
From: "GSimmonds" <gsimmonds () primus ca>
Date: Wed, 16 Apr 2003 19:17:14 -0400
----- Original Message -----
From: "ruben" <rubenb () arnet com ar>
To: <SECURITY-BASICS () securityfocus com>
Sent: Tuesday, April 15, 2003 10:46 AM
Subject: multicast connection trials from a home machine - is it regular?

From the firewall log:
"blocked: Out ICMP;Router solicitation;localhost->224.0.0.2;Owner: Tcpip Kernel Driver"

That is done (as the first outbound communication) every time the machine is connected via dialup to the Internet. Is that a logical part of the process?

OS is Win98, firewall is Kerio, the rule CAN be modified, but the blocking came as default in the firewall settings. What raises my doubts is that the firewall blocks the attempt to connect to 224.0.0.2 but the http and mail service go back and forth as usual.

A short Google search shows some info about multicast in NT machines, but nothing worthwhile. I'm suspecting some backdoor sitting in this machine. Of course it can be a part of a legitimate process. Can you enlighten me about this?

TIA, Ruben.-

Hi Ruben,

You can forego the slash and burn, at least for now. ;)

What you're seeing is ICMP Router Discovery Protocol (IRDP). A "feature" built into MS winsock2. It's an unnecessary process with potential problems.

http://www.atstake.com/research/advisories/1999/rdp.txt

I'm not sure if it is routed far enough to be abused on an ISP dialup. Maybe someone can elaborate. To be on the safe side, either block or disable it.

Cheers
Gary
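
A way to triage log entries like the one quoted above, as an added example that is not part of the original post or of Kerio's tooling. It assumes the field layout inferred from that single quoted line; the "permitted" action word and every sample line except the first are constructed for illustration.

```python
import ipaddress
import re

# Field layout assumed from the single log line quoted in the post.
LINE_RE = re.compile(
    r"^(?P<action>\w+):\s*(?P<direction>In|Out)\s+(?P<proto>\w+);"
    r"(?P<desc>[^;]*);(?P<src>[^;]+?)->(?P<dst>[^;]+);Owner:\s*(?P<owner>.+)$"
)
# RFC 1256: solicitations go to all-routers (224.0.0.2) or limited broadcast.
SOLICIT_TARGETS = {ipaddress.ip_address(a) for a in ("224.0.0.2", "255.255.255.255")}


def classify(line):
    """Label one firewall log line with respect to IRDP traffic."""
    m = LINE_RE.match(line.strip().strip('"'))
    if m is None:
        return "unparsed"
    f = m.groupdict()
    try:
        dst = ipaddress.ip_address(f["dst"].split(":")[0].strip())
    except ValueError:
        dst = None  # a name such as "localhost", not an address
    icmp = f["proto"].upper() == "ICMP"
    desc = f["desc"].lower()
    if icmp and "router solicitation" in desc:
        # The host asking for routers: expected outbound to a known target.
        expected = f["direction"] == "Out" and dst in SOLICIT_TARGETS
        return "irdp-solicitation" if expected else "irdp-solicitation-unusual"
    if icmp and "router advertisement" in desc:
        # Hosts act on advertisements, so an accepted inbound one needs review.
        if f["direction"] == "In" and f["action"].lower() != "blocked":
            return "irdp-advertisement-accepted"
        return "irdp-advertisement"
    if dst is not None and dst.is_multicast:
        return "other-multicast"
    return "other"


# Constructed sample lines; only the first is the line from the post.
SAMPLE = [
    "blocked: Out ICMP;Router solicitation;localhost->224.0.0.2;Owner: Tcpip Kernel Driver",
    "permitted: In ICMP;Router advertisement;192.0.2.1->localhost;Owner: Tcpip Kernel Driver",
    "blocked: Out UDP;SSDP;localhost->239.255.255.250:1900;Owner: example.exe",
    "permitted: Out TCP;HTTP;localhost->198.51.100.7:80;Owner: browser.exe",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{classify(entry):28} {entry}")
```

The line from the post comes out as "irdp-solicitation", the ordinary host-side half of router discovery; the label worth following up is "irdp-advertisement-accepted".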