RE: Home firewall Hits

From: Andreas Freyvogel (afreyvogel_at_ecmarket.com)
Date: 11/04/03

    To: <security-basics@securityfocus.com>
    Date: Tue, 4 Nov 2003 13:38:20 -0800
    
    

    check this out, might help:

    http://www.robertgraham.com/pubs/firewall-seen.html

    Cheers,
    -Andreas

    -----Original Message-----
    From: security-basics-return-24881-afreyvogel=ecmarket.com@securityfocus.com
    [mailto:security-basics-return-24881-afreyvogel=ecmarket.com@securityfocus.com]
    On Behalf Of Tijl DULLERS
    Sent: Tuesday, November 04, 2003 2:29 AM
    To: Preston Tony
    Cc: 'security-basics@securityfocus.com'
    Subject: Re: Home firewall Hits

    Hi,

    Port 162 UDP = SNMP traps.
    Did you configure your wireless router to send SNMP traps to your
    workstation PC?
    Or do you have SNMP enabled on the Wireless router at all?

    Preston, Tony wrote:

    >I am hoping someone here can explain what I am seeing on my home network.
    >I use Kerio's tiny personal firewall and Windows ME. I have everything up
    >to date with the latest patches.
    >
    >This is my home network and something strange is happening. The
    >configuration is
    >
    > [cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/ firewall ]
    >
    >From reading the firewall log, I would think that my router is continuously
    >hitting Port 162 with a UDP message. The odd thing is that it is doing this
    >by using an incrementing port from 192.168.1.1, I see many of these every
    >day, it is continuous.
    >
    >I have the latest firmware from Linksys, the firewall is rejecting all the
    >packets.
    >
    >While I am an experienced programmer, I do not have a lot of network
    >experience, probably I would classify myself as knowing enough to be
    >dangerous...:)
    >
    >The activity is at a moderate rate from a couple per second to one every 20
    >seconds. If it is some sort of attack attempt it is using a randomized delay
    >between packets.
    >
    >Here is a summary of the hits.
    >
    >[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40826->localhost:162, Owner: no owner
    > thru
    > 192.168.1.1:40899->localhost:162, Owner: no owner
    >
    >I do see other "hits" which are much less frequent which are an occasional
    >hit here or there, I am not as concerned about these, but would be curious
    >if anyone has ideas about why they occur. The first one, I might see one or
    >two a day. The second one would show up in sets of 5-10, maybe a couple of
    >times a day.
    >
    >[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.197.121:80->localhost:1452, Owner: no owner
    >
    >[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In UDP, 0.0.0.0:68->localhost:67, Owner: no owner
    >
    >Anything here I should be concerned with??
    >
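Added example, not part of the original posts: a small triage script for the firewall log layout quoted in this thread, grouping blocked packets by protocol, source address and destination port and naming the service behind each port. The port table, the function names and the two constructed sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# IANA service names for the ports that appear in the quoted log.
KNOWN_PORTS = {67: "bootps (DHCP server)", 68: "bootpc (DHCP client)",
               80: "http", 162: "snmptrap"}

# Log line layout as quoted in the post, with the mail wrapping undone.
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']+)': Blocked: In (?P<proto>TCP|UDP), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+)")

# Constructed sample: lines 1, 4 and 5 are from the post; lines 2 and 3 are
# constructed to stand in for the "40826 thru 40899" run it summarises.
SAMPLE = [
    "[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40826->localhost:162, Owner: no owner",
    "[30/Oct/2003 23:53:49] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40827->localhost:162, Owner: no owner",
    "[30/Oct/2003 23:53:55] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40899->localhost:162, Owner: no owner",
    "[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.197.121:80->localhost:1452, Owner: no owner",
    "[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In UDP, 0.0.0.0:68->localhost:67, Owner: no owner",
]

def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize(lines):
    """Group blocked packets by (protocol, source IP, destination port)."""
    groups = defaultdict(lambda: {"count": 0, "sports": set()})
    for rec in filter(None, map(parse, lines)):
        g = groups[(rec["proto"], rec["src"], rec["dport"])]
        g["count"] += 1
        g["sports"].add(rec["sport"])
    report = {}
    for (proto, src, dport), g in groups.items():
        # Name the service by destination port; if that is unknown and all
        # packets share one known source port, treat them as reply traffic.
        sport = min(g["sports"])
        if dport in KNOWN_PORTS:
            service = KNOWN_PORTS[dport]
        elif len(g["sports"]) == 1 and sport in KNOWN_PORTS:
            service = "reply from " + KNOWN_PORTS[sport]
        else:
            service = "unknown"
        report[(proto, src, dport)] = {"count": g["count"],
                                       "distinct_sports": len(g["sports"]),
                                       "service": service}
    return report

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

A group with many distinct source ports aimed at one destination port from a LAN address, as with 192.168.1.1 and port 162 here, points to a local device setting rather than Internet-side traffic.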

