Re: interesting traffic

From: "Moe Trin" <ibuprofin@xxxxxxxxxxxxxxxxxxxxxx>

| Depending on the capabilities of your firewall (recognizing incoming
| packets in those ranges as being replies to something your systems sent
| out - versus unsolicited packets inbound) blocking those ports is quite
| reasonable. On my home firewall, I've been dropping incoming unrelated
| UDP to those ports for several years now. It's just ordinary messenger
| spam such as:
| Windows has found 55 Critical System Errors.
| To fix the errors please do the following:
| 1. Download Registry Update from:
| 2. Install Registry Update
| 3. Run Registry Update
| 4. Reboot your computer
| That one was captured on the firewall a couple of weeks ago when I was
| running a packet sniffer. Source address was bogus. Oh, and I know it's
| not real because I don't have any Microsoft boxes, and the spammers'
| web site isn't - not that they give a hoot if your systems
| are 0wn3d.
| At work, we port shift any outgoing packets out of the 1025-1050 range
| (nearly all are DNS queries outbound) and drop any inbound to that range
| as they can't be valid replies to anything we've sent out. Last I bothered
| to measure, it was averaging a half Megabyte per day per IP address, so
| for a /16 network, that saves about a Gigabyte of bandwidth every _month_.
| Using a packet sniffer to capture this crap, it's usually pretty obvious
| based on IP and UDP headers that the source is fake, and this most often
| seems to be coming from zombie windoze boxes on your ISP's local range.
| You _could_ bitch to your ISP about it, but the O/P is posting from
| Comcast which probably isn't going to know how to spell 'IP' much less
| know about port numbers and protocols.
| Old guy

Thanx Moe Trin and Happy New Year.

Hopefully this "Old guy" will grace us with his presence more often in 2007. :-)
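
The distinction drawn in the quoted post, between inbound UDP that answers something you sent and unrelated UDP aimed at ports 1025-1050, sketched as an added example (not code from either poster). The packet records, addresses and the 30-second idle timeout are constructed assumptions.

```python
from collections import namedtuple

# Constructed packet records: time (s), direction, addresses, UDP ports, size.
Pkt = namedtuple("Pkt", "ts direction src sport dst dport length")

MESSENGER_PORTS = range(1025, 1051)  # the 1025-1050 range named in the post
UDP_TIMEOUT = 30                     # assumed idle timeout for a UDP "flow"

def filter_udp(packets, timeout=UDP_TIMEOUT):
    """Return (verdicts, dropped_bytes) for a time-ordered list of Pkt."""
    flows = {}  # (local ip, local port, remote ip, remote port) -> last seen
    verdicts, dropped = [], 0
    for p in packets:
        if p.direction == "out":
            # Remember what we sent so a matching answer can be recognised.
            flows[(p.src, p.sport, p.dst, p.dport)] = p.ts
            verdicts.append("pass")
            continue
        key = (p.dst, p.dport, p.src, p.sport)  # inbound packet, mirrored
        last = flows.get(key)
        if last is not None and p.ts - last <= timeout:
            flows[key] = p.ts                   # a reply keeps the flow alive
            verdicts.append("pass-reply")
        elif p.dport in MESSENGER_PORTS:
            verdicts.append("drop-unsolicited")
            dropped += p.length
        else:
            verdicts.append("other-policy")     # left to the rest of the ruleset
    return verdicts, dropped

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Pkt(0.0, "out", "192.0.2.10", 1030, "198.51.100.53", 53, 60),     # DNS query
    Pkt(0.1, "in", "198.51.100.53", 53, "192.0.2.10", 1030, 120),     # its answer
    Pkt(5.0, "in", "203.0.113.7", 4000, "192.0.2.10", 1026, 450),     # unrelated
    Pkt(100.0, "in", "198.51.100.53", 53, "192.0.2.10", 1030, 120),   # flow expired
    Pkt(101.0, "in", "203.0.113.7", 4000, "192.0.2.10", 5060, 200),   # other port
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, filter_udp(SAMPLE)[0]):
        print(f"{pkt.ts:6.1f} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {verdict}")
```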


