Re: Please help interpret Sygate Personal Firewall traffic log (ndisuio.sys)
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Sun, 19 Feb 2006 22:15:07 -0600
On Sun, 19 Feb 2006, in the Usenet newsgroup comp.security.firewalls, in
article <1i08n2w088rn7$.1ntr15vcvg8h4.dlg@xxxxxxxxxx>, Susan wrote:
What confuses me is the Sygate Personal Firewall blocked traffic log shows
certain patterns, namely that these NDIS User Mode IO driver requests come
from a variety of "Remote Host" IP addresses & a variety of "Remote Port"
and "Local Port" addresses but always with the same "Remote MAC". I'm
having trouble making any sense of this data.
That's normal. Packets are transferred at the local level using an
Ethernet protocol - which just happens to be able to carry IP as well as
130+ other networking protocols. If you have a total of two devices on
your local network - such as a computer and a router, then the MAC
address that your computer will be talking to is ALWAYS the address of
the router, no matter if you are talking to www.google.com, ftp.locus.gov
or any other address out on the Internet. The MAC addresses used are
where the packet is coming-from/going-to on this particular hop.
Action = Blocked (note it always reports blocked)
Then your firewall is working - don't worry about it.
Direction = Incoming (the direction is always the same)
So crap coming in from the world is being blocked. Fine. End of problem.
Remote MAC = 00-80-C8-A0-43-9B (this is always the same remote mac)
[compton ~]$ etherwhois 00-80-C8
00-80-C8 (hex) D-LINK SYSTEMS, INC.
0080C8 (base 16) D-LINK SYSTEMS, INC.
53 Discover Dr.
Irvine CA 92618
Remote Port = 63875 (other ports show eg 11, 5093, 1900, 53, 137, etc)
PORT 11 would be unusual, as that is a rarely used service. 1900 is
PlugNPray, 53 is a name service that translates between IP addresses and
hostnames, and 137 is the windoze toy version of name service. On the
other hand, these toy firewalls also report ICMP Type numbers as 'port'
numbers (ICMP doesn't have ports - the idiots who wrote the firewall are
trying to not techno-babble and making a false statement) and a ICMP Type
11 would be a Time Expired message, normally seen with TRACERT (or the
Local Host = 192.168.0.10 (only a few ip addresses show up here)
If the packet is destined for that address, then your router is translating
it from your 126.96.36.199 prodigy address to RFC1918 (local use only)
addresses. That address can't exist out in the world, because it's a local
only address and no one knows where (or which) person is using it.
Local MAC = 00-0D-60-34-5A-23 (only this & FF-FF-FF-FF-FF-FF show up)
[compton ~]$ etherwhois 00-0D-60
00-0D-60 (hex) IBM Corporation
000D60 (base 16) IBM Corporation
3039 Cornwallis Road
Dept FCGA, Bldg 660, Office F106
Research Triangle Park NC 27709
Using an IBM box? The FF:FF:FF:FF:FF:FF address is the Ethernet
broadcast, and is never used to actually send/receive data packets.
A reverse IP search of each of the suspect addresses doesn't tell me much.
OrgName: RIPE Network Coordination Centre
You asked ARIN who the address belongs to. ARIN doesn't know, because the
address is allocated out if one of the four other Regional Network
Registrars - in this case RIPE in Europe. If you asked RIPE, they'd tell
you the address is assigned to AFRINIC (the new African RIR) and asking
_them_ finally tells you the address is assigned to a DSL ISP in the
Rabat, Morocco area. Most likely, an 0wn3d box run as a zombie.
What confuses me the most is that the googling says ndisuio.sys is for
wireless and it should not be blocked but I see no ill effects when I set
my Sygate Personal Firewall to automatically block it. The windows xp
machine and the wireless networking seems to be working just fine even with
all these requests blocked.
I can't talk about ndisuio.sys, because I got rid of windoze in 1992. The
fact that your firewall is blocking INBOUND crap and you are not seeing a
problem means that everything is fine - you need not worry about it.
- Prev by Date: Re: Firewall for web hosting company
- Next by Date: Re: Pix 506E or Netscreen 5GT?
- Previous by thread: Re: Please help interpret Sygate Personal Firewall traffic log (ndisuio.sys)
- Next by thread: Re: Please help interpret Sygate Personal Firewall traffic log (ndisuio.sys)