Re: interesting traffic



On Fri, 29 Dec 2006, in the Usenet newsgroup alt.computer.security, in article
<g3flh.32$0F1.10@trnddc02>, David H. Lipman wrote:

From: "tiffini" <tiffini@xxxxxxxxxxxx>

[Did the O/P notice the responses to his earlier posting of this question
in the newsgroup comp.os.linux.networking?]

| I'll lock down the ports you recommend 1024-1030, and 137.

NO !

Do NOT block 1024-1030.

Depending on the capabilities of your firewall (recognizing incoming
packets in those ranges as being replies to something your systems sent
out - versus unsolicited packets inbound) blocking those ports is quite
reasonable. On my home firewall, I've been dropping incoming unrelated
UDP to those ports for several years now. It's just ordinary messenger
spam such as:

STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

Windows has found 55 Critical System Errors.

To fix the errors please do the following:

1. Download Registry Update from: www.some.spammers.website
2. Install Registry Update
3. Run Registry Update
4. Reboot your computer

FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!

That one was captured on the firewall a couple of weeks ago when I was
running a packet sniffer. Source address was bogus. Oh, and I know it's
not real because I don't have any microsoft boxes, and the spammers'
web site isn't microsoft.com - not that they give a hoot if your systems
are 0wn3d.

At work, we port shift any outgoing packets out of the 1025-1050 range
(nearly all are DNS queries outbound) and drop any inbound to that range
as they can't be valid replies to anything we've sent out. Last I bothered
to measure, it was averaging a half Megabyte per day per IP address, so
for a /16 network, that saves about a Gigabyte of bandwidth every _month_.

Using a packet sniffer to capture this crap, it's usually pretty obvious
based on IP and UDP headers that the source is fake, and this most often
seems to be coming from zombie windoze boxes on your ISP's local range.
You _could_ bitch to your ISP about it, but the O/P is posting from
Comcast which probably isn't going to know how to spell 'IP' much less
know about port numbers and protocols.

Old guy
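As an added example (not from the post or its author), here is a small Python model of the two controls the post describes: a stateful filter that accepts inbound UDP only when it matches a flow the inside sent, and the port shift that moves outbound source ports out of 1025-1050 so anything inbound to that range can be dropped outright. The addresses, ports and the SHIFT_BASE value are constructed for the example.

```python
"""Toy model (constructed for this example, not a real firewall) of the two
defences the post describes for UDP to 1025-1050: stateful filtering that
accepts inbound UDP only as a reply to something we sent, and port-shifting
of outbound source ports out of that range so inbound to it is dropped outright."""
from collections import namedtuple

Udp = namedtuple("Udp", "src sport dst dport")   # one datagram's 4-tuple
BLOCKED_RANGE = range(1025, 1051)                # the range named in the post
SHIFT_BASE = 40000                               # constructed: shifted ports land here

class Firewall:
    def __init__(self):
        self.expected = set()  # (remote ip, remote port, local ip, local port) awaiting a reply
        self.nat = {}          # (local ip, shifted port) -> original local port
        self.next_port = SHIFT_BASE

    def outbound(self, pkt):
        """Record the flow; rewrite the source port if it falls in the blocked range."""
        sport = pkt.sport
        if sport in BLOCKED_RANGE:
            sport, self.next_port = self.next_port, self.next_port + 1
            self.nat[(pkt.src, sport)] = pkt.sport
        self.expected.add((pkt.dst, pkt.dport, pkt.src, sport))
        return Udp(pkt.src, sport, pkt.dst, pkt.dport)   # what the wire sees

    def inbound(self, pkt):
        """Return ('DROP', None) or ('ACCEPT', datagram as delivered to the host)."""
        if pkt.dport in BLOCKED_RANGE:        # nothing we send uses these ports any more
            return "DROP", None
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) not in self.expected:
            return "DROP", None               # unsolicited, e.g. messenger spam
        orig = self.nat.get((pkt.dst, pkt.dport), pkt.dport)   # undo the port shift
        return "ACCEPT", Udp(pkt.src, pkt.sport, pkt.dst, orig)

def demo():
    """Constructed traffic: one DNS query and its reply, then two unsolicited datagrams."""
    fw = Firewall()
    sent = fw.outbound(Udp("192.0.2.10", 1027, "198.51.100.53", 53))
    reply = fw.inbound(Udp("198.51.100.53", 53, "192.0.2.10", sent.sport))
    spam = fw.inbound(Udp("203.0.113.7", 1026, "192.0.2.10", 1026))
    guessed = fw.inbound(Udp("198.51.100.53", 53, "192.0.2.10", 1027))  # aimed at the unshifted port
    return sent, reply, spam, guessed

if __name__ == "__main__":
    for name, value in zip(("sent", "reply", "spam", "guessed"), demo()):
        print(name, value)
```

Running it shows the query leaving on port 40000, its reply being accepted and handed back to port 1027, and both datagrams aimed at the 1025-1050 range being dropped.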


