Re: interesting traffic



On Fri, 29 Dec 2006, in the Usenet newsgroup alt.computer.security, in article
<g3flh.32$0F1.10@trnddc02>, David H. Lipman wrote:

From: "tiffini" <tiffini@xxxxxxxxxxxx>

[Did the O/P notice the responses to his earlier posting of this question
in the newsgroup comp.os.linux.networking?]

| I'll lock down the ports you recommend 1024-1030, and 137.

NO !

Do NOT block 1024-1030.

Depending on the capabilities of your firewall (recognizing incoming
packets in those ranges as being replies to something your systems sent
out - versus unsolicited packets inbound) blocking those ports is quite
reasonable. On my home firewall, I've been dropping incoming unrelated
UDP to those ports for several years now. It's just ordinary messenger
spam such as:

STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

Windows has found 55 Critical System Errors.

To fix the errors please do the following:

1. Download Registry Update from: www.some.spammers.website
2. Install Registry Update
3. Run Registry Update
4. Reboot your computer

FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!

That one was captured on the firewall a couple of weeks ago when I was
running a packet sniffer. Source address was bogus. Oh, and I know it's
not real because I don't have any microsoft boxes, and the spammers'
web site isn't microsoft.com - not that they give a hoot if your systems
are 0wn3d.

At work, we port shift any outgoing packets out of the 1025-1050 range
(nearly all are DNS queries outbound) and drop any inbound to that range
as they can't be valid replies to anything we've sent out. Last I bothered
to measure, it was averaging a half Megabyte per day per IP address, so
for a /16 network, that saves about a Gigabyte of bandwidth every _month_.

Using a packet sniffer to capture this crap, it's usually pretty obvious
based on IP and UDP headers that the source is fake, and this most often
seems to be coming from zombie windoze boxes on your ISP's local range.
You _could_ bitch to your ISP about it, but the O/P is posting from
Comcast which probably isn't going to know how to spell 'IP' much less
know about port numbers and protocols.

Old guy



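The two measures the post describes (accept inbound UDP only when it answers something the site sent out, and shift outbound source ports out of the 1024-1050 range so nothing arriving there can ever be a valid reply) modelled as a small stateful filter. This is an added example, not code from the poster or from any named firewall product; the post does not say what firewall it uses. The flow table is a simplified conntrack (no timeouts, no address NAT, UDP only), the 49152+ rewrite range and the 28-byte IP+UDP header allowance are this example's assumptions, and every address and datagram is constructed test data from the RFC 5737 documentation ranges.

```python
"""Toy stateful UDP filter for the 'messenger spam' problem.

1. Inbound UDP passes only if it matches a datagram recorded on the way
   out (a conntrack-style reply match); everything else is dropped.
2. Outbound source ports inside 1024-1050 are rewritten into the IANA
   dynamic range (49152+), so a packet to 1024-1050 can never be a reply.
All hosts and payloads are constructed examples, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import itertools

BLOCKED = range(1024, 1051)   # 1024..1050 inclusive, the range the post drops
IP_UDP_HEADERS = 28           # 20-byte IPv4 header + 8-byte UDP header, no options


@dataclass(frozen=True)
class Udp:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Firewall:
    # (remote_ip, remote_port, local_ip, port_seen_on_wire) -> original local port
    flows: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)
    # pool of rewritten source ports; per-instance so runs are deterministic
    shift_pool: itertools.count = field(default_factory=lambda: itertools.count(49152))

    def egress(self, pkt: Udp) -> Udp:
        """Datagram leaving the site: shift the source port out of BLOCKED if
        needed and remember the flow so the reply can be recognised."""
        wire_sport = next(self.shift_pool) if pkt.sport in BLOCKED else pkt.sport
        self.flows[(pkt.dst, pkt.dport, pkt.src, wire_sport)] = pkt.sport
        return Udp(pkt.src, wire_sport, pkt.dst, pkt.dport, pkt.payload)

    def ingress(self, pkt: Udp):
        """Datagram arriving from outside. Returns ("ACCEPT", datagram as
        delivered to the inside host) or ("DROP", reason)."""
        orig_sport = self.flows.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig_sport is not None:
            # It answers something we sent: undo the port shift and pass it.
            return "ACCEPT", Udp(pkt.src, pkt.sport, pkt.dst, orig_sport, pkt.payload)
        reason = ("unsolicited UDP to blocked range" if pkt.dport in BLOCKED
                  else "unsolicited UDP")
        self.dropped.append(pkt)
        return "DROP", reason

    def dropped_bytes_by_source(self) -> dict:
        """Wasted bandwidth per (claimed) sender, the figure the post measured
        per IP: payload plus the IP and UDP headers."""
        totals = defaultdict(int)
        for p in self.dropped:
            totals[p.src] += IP_UDP_HEADERS + len(p.payload)
        return dict(totals)


def demo():
    fw = Firewall()
    # Constructed: a DNS query leaving from an ephemeral port inside 1024-1050.
    query = Udp("192.0.2.10", 1027, "198.51.100.53", 53, b"\x12\x34\x01\x00")
    on_wire = fw.egress(query)
    # The resolver answers the shifted port, not 1027; it is un-shifted on the way in.
    reply = Udp("198.51.100.53", 53, "192.0.2.10", on_wire.sport, b"\x12\x34\x81\x80")
    verdict, delivered = fw.ingress(reply)
    # Constructed messenger-spam datagram with a forged source, aimed at 1026.
    spam = Udp("203.0.113.7", 1026, "192.0.2.10", 1026,
               b"STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.")
    spam_verdict, _ = fw.ingress(spam)
    return on_wire.sport, verdict, delivered.dport, spam_verdict, fw.dropped_bytes_by_source()


if __name__ == "__main__":
    print(demo())
```

The point of the port shift is visible in `demo()`: after it, a resolver's answer arrives at a port above 49152 and is matched by the flow table, while anything addressed to 1024-1050 has no flow to match and is dropped without needing to inspect the payload. A real firewall would also expire flow entries and would normally let the kernel's connection tracking do this work.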