Re: Ports getting hammered?
- From: "Somebody." <somebody.@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 4 Jan 2006 10:29:06 -0500
"Duane Arnold" <No@xxxxxx> wrote in message
news:h8wuf.5457$nu6.66@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>> 7664703 Packet DROPPED: Proto: IP_UDP Flags: 0x0000000a Src:
>>> 218.19.119.233 Dest: 192.168.123.143 SrcPort: 23421 DstPort: 1689
>>>
>>
>> Something on your machine is attempting to connect out over the port most
>> commonly used for IMAP, a mail protocol.
>>
>> Probably some spyware calling home.
>>
>> Your ZA is blocking it, but it's there, and operating.
>>
>> It may be successfully connecting out on other ports.
>>
>> Your SMC is likely not configured to block any outbound connections.
>>
>> -Russ.
>
> How is that possible? The log clearly indicates unsolicited inbound
> packets are being dropped. Please explain to me how any PFW or any FW
> solution knows that dubious outbound traffic is being sent from a machine and
> then it's going to make some decision to start blocking outbound, because
> something is phoning home? If the malware running on the machine solicited
> the traffic from the remote IP, the PFW is not stopping anything.
>
> Duane :)
Ok, first of all my apologies for reading that log very badly. I read it as
outbound 143 for some reason when it's clearly inbound UDP 1689. I'll
mumble something about coffee now...
UDP 1689 could be anything, a custom piece of malware, whatever. Officially
it belongs to http://www.firefox.co.uk/ as part of some sort of e-learning
software package. We should ask the OP if he participates in such
activities.
Why inbound UDP is being seen by ZA as routed to his private IP and not
dropped at the firewall, points to either broken sessions being used to send
traffic back in, or a forward/DMZ rule of some sort on the firewall. It
could also be the result of something calling home and fessing up the local
private IP to the remote side, but I'm not sure how that ends up as the
destination IP after the traffic returns.
Now, to your particular question about outbound traffic, some PFWs and all
good hardware firewalls are capable of blocking outbound traffic using one
or more of the following methods, even when the local machine is either
initiating or soliciting the traffic:
1. it's not on the list of allowed outbound ports/protocols
2. it's on the list of blocked outbound ports/protocols
3. it's not on the list of allowed destinations
4. it's on the list of blocked destinations
5. it contains traffic that can be identified as problematic based on
signature (deep inspection)
6. the behaviour of the traffic can be identified as nefarious (metrics,
thresholds, or profiling)
7. combinations of the above methods
All of these methods relate to the arresting of the "phoning home" behavior
you're referring to, and form an important part of a fully implemented
security strategy in my opinion. Ignoring or accepting all outbound session
traffic as valid is simply bad security and easily leads to serious and
complete compromise scenarios.
-Russ.
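Added illustration, not written by anyone in this thread: a small Python parser for the ZoneAlarm-style log line quoted above (it also classifies direction, which is what was misread), plus an egress policy evaluator implementing methods 1-4 and 6 from Russ's list. The sample line, the assumption that 192.168/16 is the local LAN, and the port/destination lists are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the ZoneAlarm-style format quoted in the thread (not from a real log).
ZA_LINE = ("7664703 Packet DROPPED: Proto: IP_UDP Flags: 0x0000000a Src: "
           "218.19.119.233 Dest: 192.168.123.143 SrcPort: 23421 DstPort: 1689")

LOG_RE = re.compile(
    r"Packet (?P<action>\w+): Proto: (?P<proto>\S+) Flags: \S+ Src: (?P<src>\S+) "
    r"Dest: (?P<dst>\S+) SrcPort: (?P<sport>\d+) DstPort: (?P<dport>\d+)")

def parse_za_line(line):
    """Parse one packet line into a dict; return None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

def direction(pkt, local_prefix="192.168."):
    """Inbound if the local (assumed 192.168/16) address is the destination, else outbound."""
    return "inbound" if pkt["dst"].startswith(local_prefix) else "outbound"

@dataclass
class EgressPolicy:
    """Outbound checks in the order methods 1-4 and 6 from the post are listed."""
    allowed_ports: set          # method 1: only these destination ports may leave
    blocked_ports: set          # method 2: explicitly denied destination ports
    allowed_dests: set          # method 3: empty set means any destination is fine
    blocked_dests: set          # method 4: explicitly denied destinations
    threshold: int = 5          # method 6: flows per destination before flagging
    seen: Counter = field(default_factory=Counter)

    def decide(self, dst, dport):
        """Return (verdict, reason) for one outbound flow to dst:dport."""
        if dst in self.blocked_dests:
            return ("DROP", "blocked destination")
        if dport in self.blocked_ports:
            return ("DROP", "blocked port")
        if self.allowed_dests and dst not in self.allowed_dests:
            return ("DROP", "destination not allowed")
        if dport not in self.allowed_ports:
            return ("DROP", "port not allowed")
        self.seen[dst] += 1             # crude behavioural metric: count flows per host
        if self.seen[dst] > self.threshold:
            return ("DROP", "threshold exceeded")
        return ("ALLOW", "ok")
```

A real firewall applies these checks per packet or per session with state; the evaluator here only shows the decision order and why a machine-initiated flow can still be stopped.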