Re: blocking incoming udp packets



JClark <jclark@xxxxxxxxxxxxxx> writes:

On Wed, 09 Jul 2008 22:14:13 -0500, comphelp@xxxxxxxxx (Todd H.)
wrote:

JClark <jclark@xxxxxxxxxxxxxx> writes:

On Wed, 09 Jul 2008 13:06:15 -0500, comphelp@xxxxxxxxx (Todd H.)
wrote:

JClark <jclark@xxxxxxxxxxxxxx> writes:

Returning to the original question, a summary, as I see it (not
necessarily correctly):

It seems the router is sending udp packets to 255.255.255.255 (both
source and destination ports = 520, or to 192.168.1.255 (source port
ranging from 7000 to 7259, and destination port 162.

I have no idea what this all means.

UDP 162 is the SNMP trap port. If you're not familiar with simple
network management protocol, this traffic to 162 may simply be the
network device attempting to send traps to be logged by an SNMP
management station.

UDP 520 is RIP routing. The router is advertising routes with this
exceedingly simple, easy to spoof protocol.

Both should be functionality that can be disabled in the source
network device.

Best Regards,
Todd,
Some good news. I was able to disable RIP routing in the router, and
now all the traffic over UDP 520 has stopped.
Now I need to work on the SNMP 162. It isn't quite as clear.
But it seems I'm on the right track.
Many thanks again.

Disabling SNMP in general on the device is a good idea if you're not
using it. Did I miss in this thread where the make/model of the
router was mentioned?
Hi Todd,

It's a Linksys BEFSX41.
The RIP disabling was easy to do, and that has stopped the traffic on
port 520.
Under "Administration" I have SNMP "disable" checked, so SNMP ought to
be disabled. I also have UPnP disabled.

But I'm still getting the port 162 traffic.

Barring an answer from an owner here, your next step is to a linksys
support forum on this model and asking users there how to disable the
sending of traps.

You will also want to make sure you have the latest firmware for that
device as it has quite a checkered history with respect to exploitable
firmware vulnerabilities.

Best Regards,
--
Todd H.
http://www.toddh.net/
.