Re: Please help interpret Sygate Personal Firewall traffic log (ndisuio.sys)



On Sun, 19 Feb 2006, in the Usenet newsgroup comp.security.firewalls, in
article <1i08n2w088rn7$.1ntr15vcvg8h4.dlg@xxxxxxxxxx>, Susan wrote:

> What confuses me is the Sygate Personal Firewall blocked traffic log shows
> certain patterns, namely that these NDIS User Mode IO driver requests come
> from a variety of "Remote Host" IP addresses & a variety of "Remote Port"
> and "Local Port" addresses but always with the same "Remote MAC". I'm
> having trouble making any sense of this data.

That's normal. Packets are transferred at the local level using an
Ethernet protocol - which just happens to be able to carry IP as well as
130+ other networking protocols. If you have a total of two devices on
your local network - such as a computer and a router, then the MAC
address that your computer will be talking to is ALWAYS the address of
the router, no matter if you are talking to www.google.com, ftp.locus.gov
or any other address out on the Internet. The MAC addresses used are
where the packet is coming-from/going-to on this particular hop.

> Action = Blocked (note it always reports blocked)

Then your firewall is working - don't worry about it.

> Direction = Incoming (the direction is always the same)

So crap coming in from the world is being blocked. Fine. End of problem.

> Remote MAC = 00-80-C8-A0-43-9B (this is always the same remote mac)

[compton ~]$ etherwhois 00-80-C8
00-80-C8 (hex) D-LINK SYSTEMS, INC.
0080C8 (base 16) D-LINK SYSTEMS, INC.
53 Discover Dr.
Irvine CA 92618
UNITED STATES
[compton ~]$

> Remote Port = 63875 (other ports show eg 11, 5093, 1900, 53, 137, etc)

PORT 11 would be unusual, as that is a rarely used service. 1900 is
PlugNPray, 53 is a name service that translates between IP addresses and
hostnames, and 137 is the windoze toy version of name service. On the
other hand, these toy firewalls also report ICMP Type numbers as 'port'
numbers (ICMP doesn't have ports - the idiots who wrote the firewall are
trying to not techno-babble and making a false statement) and an ICMP Type
11 would be a Time Expired message, normally seen with TRACERT (or the
real traceroute).

> Local Host = 192.168.0.10 (only a few ip addresses show up here)

If the packet is destined for that address, then your router is translating
it from your 69.110.35.129 prodigy address to RFC1918 (local use only)
addresses. That address can't exist out in the world, because it's a local
only address and no one knows where (or which) person is using it.

> Local MAC = 00-0D-60-34-5A-23 (only this & FF-FF-FF-FF-FF-FF show up)

[compton ~]$ etherwhois 00-0D-60
00-0D-60 (hex) IBM Corporation
000D60 (base 16) IBM Corporation
3039 Cornwallis Road
Dept FCGA, Bldg 660, Office F106
Research Triangle Park NC 27709
UNITED STATES
[compton ~]$

Using an IBM box? The FF:FF:FF:FF:FF:FF address is the Ethernet
broadcast, and is never used to actually send/receive data packets.

> A reverse IP search of each of the suspect addresses doesn't tell me much.
> http://ws.arin.net/whois/?queryinput=196.206.235.196 search
> OrgName: RIPE Network Coordination Centre

You asked ARIN who the address belongs to. ARIN doesn't know, because the
address is allocated out of one of the four other Regional Network
Registrars - in this case RIPE in Europe. If you asked RIPE, they'd tell
you the address is assigned to AFRINIC (the new African RIR) and asking
_them_ finally tells you the address is assigned to a DSL ISP in the
Rabat, Morocco area. Most likely, an 0wn3d box run as a zombie.

> What confuses me the most is that the googling says ndisuio.sys is for
> wireless and it should not be blocked but I see no ill effects when I set
> my Sygate Personal Firewall to automatically block it. The windows xp
> machine and the wireless networking seem to be working just fine even with
> all these requests blocked.

I can't talk about ndisuio.sys, because I got rid of windoze in 1992. The
fact that your firewall is blocking INBOUND crap and you are not seeing a
problem means that everything is fine - you need not worry about it.

Old guy
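The reply's reading of the log (many remote IPs but one remote MAC because every inbound frame arrives from the router as the last hop, OUI prefixes identifying the vendor, local addresses all in RFC1918 space, FF-FF-FF-FF-FF-FF being broadcast, and ICMP types shown in the "port" column) can be mechanised. The script below is an added example written for this page, not code from either poster; the semicolon-separated log layout, the sample lines, and the two-entry OUI table are constructed for illustration and are not Sygate's real export format. It takes a blocked-traffic log and reports the points the reply checks by hand.

```python
"""Summarise a blocked-traffic log the way the reply above reads it:
many remote IPs behind one remote MAC (the gateway), OUI lookup of MAC
prefixes, private local addresses, broadcast frames, and ICMP types that
the firewall mislabels as 'ports'.  Layout and values are constructed."""
import ipaddress
from collections import Counter

# Constructed OUI table, limited to the two prefixes discussed in the thread
# (the same lookup the reply does with `etherwhois`).
OUI_VENDORS = {
    "00-80-C8": "D-LINK SYSTEMS, INC.",
    "00-0D-60": "IBM Corporation",
}

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"

# ICMP type names; a firewall that prints the type in the "port" column
# makes ICMP "port 11" look like a service when it is really Time Exceeded.
ICMP_TYPE_NAMES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    8: "Echo Request",
    11: "Time Exceeded",
}

# Field order of the constructed log layout (hypothetical, not Sygate's own).
FIELDS = ("action", "direction", "proto", "remote_host", "remote_port",
          "local_host", "local_port", "remote_mac", "local_mac")

# Constructed sample log: four inbound blocked packets from four different
# remote hosts, all arriving via the same D-Link gateway MAC.
SAMPLE_LOG = """\
Blocked;Incoming;ICMP;196.206.235.196;11;192.168.0.10;0;00-80-C8-A0-43-9B;00-0D-60-34-5A-23
Blocked;Incoming;UDP;203.0.113.7;63875;192.168.0.10;1900;00-80-C8-A0-43-9B;00-0D-60-34-5A-23
Blocked;Incoming;UDP;198.51.100.23;5093;192.168.0.10;137;00-80-C8-A0-43-9B;00-0D-60-34-5A-23
Blocked;Incoming;UDP;192.0.2.45;53;192.168.0.255;137;00-80-C8-A0-43-9B;FF-FF-FF-FF-FF-FF
"""


def parse_line(line):
    """Split one semicolon-separated record into a dict keyed by FIELDS."""
    parts = line.strip().split(";")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["remote_port"] = int(rec["remote_port"])
    rec["local_port"] = int(rec["local_port"])
    return rec


def oui_vendor(mac):
    """Vendor for the first three octets of a MAC, or None if not in the table."""
    return OUI_VENDORS.get(mac.upper()[:8])


def describe_port(proto, number):
    """Render the 'port' column honestly: ICMP carries types, not ports."""
    if proto.upper() == "ICMP":
        name = ICMP_TYPE_NAMES.get(number, "unknown type")
        return f"ICMP type {number} ({name}), not a port"
    return f"{proto.upper()} port {number}"


def summarise(log_text):
    """Return the per-hop observations the reply makes, as a dict."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    remote_ips = {r["remote_host"] for r in records}
    remote_macs = Counter(r["remote_mac"] for r in records)
    local_hosts = {r["local_host"] for r in records}
    return {
        "records": len(records),
        "all_blocked_incoming": all(
            r["action"] == "Blocked" and r["direction"] == "Incoming" for r in records),
        "distinct_remote_ips": len(remote_ips),
        # One remote MAC for every remote IP means every packet came via one next hop.
        "remote_macs": {mac: oui_vendor(mac) for mac in remote_macs},
        "single_next_hop": len(remote_macs) == 1,
        # RFC1918 addresses cannot be reached from the Internet directly;
        # seeing them as Local Host means the router is translating.
        "local_hosts_private": all(
            ipaddress.ip_address(h).is_private for h in local_hosts),
        "broadcast_frames": sum(1 for r in records if r["local_mac"] == BROADCAST_MAC),
        "port_notes": [describe_port(r["proto"], r["remote_port"]) for r in records],
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the constructed sample; pointing `summarise` at your own export only requires adapting `FIELDS` and the separator in `parse_line` to the real column layout.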