Re: Plausible reasons for http access?



On Thu, 14 Dec 2006 in the Usenet newsgroup comp.security.misc, in article
<z81gh.67520$rv4.28983@edtnps90>, warf wrote:

> This thread elucidates the futility of the average [over 20] enduser in
> trying to 'protect' themselves by having access to port traffic
> information.

Watch the context. The word port has several meanings, which is why I
wrote:

]Yes - port (in this context) means 'interface', or connection point that
]allows access to/from "a" network. We also call them "hoses" or "pipes",

whereas 'port' in the context you are using (port numbers), more equates
to room numbers in a hotel or office building, or telephone extension
numbers. These are places to connect to where you will find something
specific - perhaps a web server, perhaps a file server, maybe even 'Room
Service' - I dunno.

> I too am too plagued 2...by the deception of firewall vendors deluging us
> with logs of the attacks they thwarted on our behalf.

On my home firewall, I normally have _ALL_ logging off. I'm not using
windoze, so my firewall also does not mail self-congratulatory messages
to everyone on the LAN.

> I have never ever ever had a single abuse admin reply to my "why is a
> netbios attack[scan] originating from your network...?" query.

NetBIOS is a protocol meant for local use within a windoze workgroup.
As microsoft designed the protocol (actually, its non-routable
predecessor NetBEUI) for the 10-20 PC office, and not the Internet at
large, this stuff should be blocked at the perimeter. Two of my ISPs
(I have 4) block this at the dialin terminal server, while the other
doesn't (neither does my broadband provider). The problem is as I
alluded to in my reply in the "evesdropping a computer how is it possible,
how can it be prevented ?" thread. Windoze enables crap by default on
the off-chance that you'll find it useful. If you want to share your
hard drive, and your printer with the world - bingo, no extra work on
your part. This may not be the best idea that ever came down the pike,
but they feel that "ease of operation" is more important than security.

As for ignoring reports of a netbios scan, the majority will ignore
this. They feel that you have some responsibility to not be accepting
those connections in the first place. If you block the connection (or
better yet, don't run a server on that port) then the scan is futile.
Another problem is that the majority of such abuse reports don't have
the details needed to show that they need to document to do something
to the owner of the "attacking" computer. I'd suspect that most
"attacks" are coming from computers that have successfully been
attacked - perhaps a chain of A controls B which controls C, which
controls D which is "attacking" E.

> It is probably because his killfile is set to gobble every email of that
> type and send me to email obscurity for even suggesting it is a real
> threat....as he watches the soaps.

Lessee, you're posting from an 'eastlink.ca' cable address. _Most_
residential broadband providers (especially in North America) like to
pretend to be "common carrier" which is a US term meaning someone who
provides transportation service - in this case, transporting packets.
They claim that's all they do, and they are not responsible for the
_content_ of those packets. Other providers around the world have
adopted a similar concept of "we're only delivering connectivity",
because it's less of a hassle than policing their turf, inspecting
the content of those packets, and so on. Yes, they're supposed to
pay attention to abuse complaints, but kicking off customers isn't
the way to make money. That's why we (in the business) use firewalls
to block access to our systems from large parts of the world.

> I have read that most logged requests are simply misdirected or
> background internet packets....true?

Depends. Those originating from (crude measure) your ISP - your network
neighborhood may well be. Those originating from halfway around the
world are probably worms, zombies, or the inevitable skript kiddiez.

> NOW the MEAT of this thread for all us plebs trying to get a leg
> over..."how do we sort out the malicious from the mundane?"

To a large extent - you don't. You mention using XP - windoze sorta
copied a UNIX command called 'netstat' which is used to see what stuff
is open/active on your network interface. For XP, try 'netstat /ano'
and see what's open. I'm not using windoze, but what I see using the
original command is

[compton ~]$ netstat -atun
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
[compton ~]$

there is exactly one service "open" on this box (SSH or "Secure Shell").
What happens if I try to connect to some other port?

[compton ~]$ telnet localhost 139
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[compton ~]$

Nothing there. Nothing running means nothing to exploit. If I wanted to
have this box directly on the Internet (it's one of six boxes on the
home LAN, behind a firewall that is also NATing), I wouldn't need a
firewall application, because there is nothing (except SSH which is
only accepting connections from seven specific computers) open. If
someone tries to connect, they get the same "Connection refused" as
shown above.

> Do I freak when I see so&so from China running thru all ports from
> 135-139 three times in a row?

The three times in a row is the way IP works when there is no response.
If there were a "FOAD" response, a normal computer would give up upon
receiving that response. But this is just someone trying to see if
you'd like to share your hard drive.

> do I wonder why PCanywhere is trying to connect to me from RU?

Are people still using that?

> Or do I just watch blissfully the blinking lights on my Dlink wireless
> router [hardwire connection]

OK - stop it right there. If someone tries to connect to port 80 on your
eastlink IP address, what "answers". (I haven't had a single system
setup in decades - if you connect to my broadband address, which of the
six computers should respond? Seeing as how I'm not offering services
to the world, the "new" connection isn't forwarded, but is blocked at
the router.)

> and trust my ZA2007intsuite to give me as much protection as is humanly
> possible under $100

---------------------
Their main use is telling the ones who use it that some host in Korea or
Kenya attempted to connect to a trojan that they don't have installed.
---------------------

Use 'netstat' and see what is open on your computer. Do you have some
need for that to be open? If not, disable that service (don't ask me
how, I got rid of windoze in 1992 before they discovered networking).
Did that "break" something you are using? No; then you didn't need it.
Yes; then re-enable it, and try blocking it at the router. Your
computer will run faster if it isn't running a service, and also running
a firewall of some sorts to block access to that service.

Then look at your router - and see that it isn't forwarding stuff you
don't need. If your router can't forward the request, it sends back
that same "Connection refused" message. No way in == no worries for you.

> and still be able to hassle guys like you on these NGs?.......with my
> unworthy requests???? and saggy underwear?

Can't do a thing for the saggy underwear. For the requests, I can answer
networking stuff, but not the windoze end of things.

> Oldguy 2...miffed again [at myself now]

One of the problems with computers connected to the Internet is that
many (most) people don't want to learn anything about them. They expect
to turn them on (hopefully they can find the power switch), and things
will just work - not too sure what they are, but they'll work. It doesn't
work that way. Someone else wrote:

-------------------
Congratulations. You've just figured out that they lied to you
when they told you even an untrained monkey on crack can use a
computer. Yes, there's a lot to learn
-------------------

Old guy
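As an added illustration of the netstat check described above (my example, not code from the post or from any of the tools it names), here is a small parser that reads either Linux `netstat -atun` or Windows `netstat /ano` output, keeps only the listening sockets, and reports which ones are bound to every interface, including any in the 135-139 NetBIOS range the thread discusses. The sample outputs are constructed; only a firewall or a router that refuses to forward the connection stands between the "all interfaces" entries and the Internet.

```python
"""Added example (not from the post): parse netstat output and report which
listening sockets are bound to every interface, i.e. reachable from outside."""
import re
from ipaddress import ip_address

LISTEN_STATES = {"LISTEN", "LISTENING"}
WILDCARDS = {"0.0.0.0", "::", "*"}        # "bound to all interfaces"
NETBIOS_PORTS = set(range(135, 140))      # the 135-139 range the thread mentions
# Constructed samples: Linux lines in the post's netstat -atun format, Windows
# lines in the netstat /ano format recommended for XP.
SAMPLE_LINUX = """\
tcp        0      0 0.0.0.0:22        0.0.0.0:*       LISTEN
tcp        0      0 127.0.0.1:631     0.0.0.0:*       LISTEN
udp        0      0 0.0.0.0:68        0.0.0.0:*
"""
SAMPLE_WINDOWS = """\
  TCP    0.0.0.0:135      0.0.0.0:0         LISTENING   912
  TCP    0.0.0.0:139      0.0.0.0:0         LISTENING   4
  TCP    192.168.1.5:1045 64.233.187.99:80  ESTABLISHED 1888
  UDP    0.0.0.0:137      *:*                           4
"""

def split_host_port(addr):
    """'0.0.0.0:22' -> ('0.0.0.0', 22); also handles ':::22' and '[::]:22'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]") or "*", int(port) if port.isdigit() else None

def parse_listeners(text):
    """Bound sockets as (proto, host, port, scope); UDP has no state column."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not re.fullmatch(r"(tcp|udp)6?", fields[0], re.I):
            continue                          # headers, blank and unix-socket lines
        proto = fields[0].lower().rstrip("6")
        host, port = split_host_port(next(f for f in fields if ":" in f))
        if port is None or (proto == "tcp" and not LISTEN_STATES & set(fields)):
            continue                          # ESTABLISHED etc. are client sides
        if host in WILDCARDS:
            scope = "all"
        else:
            scope = "loopback" if ip_address(host).is_loopback else "interface"
        found.append((proto, host, port, scope))
    return found

def exposed(text):
    """Only a firewall or a non-forwarding NAT router shields these."""
    return [(p, port) for p, _, port, s in parse_listeners(text) if s == "all"]

def netbios_exposed(text):
    return sorted(port for _, port in exposed(text) if port in NETBIOS_PORTS)
```

Feed it the real output of `netstat -atun` (or `netstat /ano` on XP) and anything `exposed()` returns that you have no use for is a service to disable, or failing that to block at the router.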