Is there a reason for these blocked attacks?

Lewitt (Junior Member with 6 posts; Join Date: Sep 2008; Location: Tacoma, WA; Experience: Intermediate/Advanced)
05-Sep-2008, 02:57 PM #1
Is there a reason for these blocked attacks?
I have Sygate as a firewall and it seems to be doing a pretty good job. However, there are some incidents that I would really like to know about.
One day there were 119 blocks coming from the same addresses. The blocks alternate between two sources. They are occurring several times a day. Today, 9/05/08, I have had 47 since 04:00 am. What is going on? Do I need to allow these to go through? Why are they all coming from two sources?
I did a back trace and was given IANA as a result of the trace. They disallow any use of the numbers and say they do not know who the sources are. This is a copy of two lines from my traffic log, but it doesn't look to be properly formatted here. Hope it straightens out on the post. If not, then get hold of me and I'll try to redo it.

Copy of Security Log

Record 26523
Date - Time: 09/05/2008 09:20:26
Action: Blocked
Severity: 10
Direction: Incoming
Prot: UDP
Remote Host: 192.168.0.1
Remote MAC: 00-0F-B3-5A-54-36
Remote Port: 2049
Local Host: 239.255.255.250
Local MAC: 01-00-5E-7F-FF-FA
Local Port: 1900
User Name: HP_Administrator
Domain: MAXDESK
Security: Normal
Occurrences: 20
Begin Time: 09/05/2008 09:19:23
End Time: 09/05/2008 09:19:25
Rule Name: Block_all

Record 26524
Date - Time: 09/05/2008 09:23:05
Action: Blocked
Severity: 10
Direction: Incoming
Prot: ICMP
Remote Host: 192.168.0.1
Remote MAC: 00-0F-B3-5A-54-36
Remote Port: 3
Local Host: 192.168.0.3
Local MAC: 00-17-31-8C-87-F0
Local Port: 3
User Name: HP_Administrator
Domain: MAXDESK
Security: Normal
Occurrences: 1
Begin Time: 09/05/2008 09:22:04
End Time: 09/05/2008 09:22:04
Rule Name: Block_all

Since Sygate is doing its job, I'm not too worried, but I am just profoundly curious as to why there are so many from these sources. I'm tired of seeing a group of ten or more attacks in sequence, and getting hundreds per day.

Anyone have any suggestions, or answers?

Would appreciate it!

Thanks,
Lewitt
TOGG (Distinguished Member with 4,901 posts; Join Date: Apr 2002; Location: Birmingham, England)
05-Sep-2008, 05:12 PM #2
The log extract layout is quite hard to follow because the headings, and what appears under them, don't seem to tally.

The port numbers, 26523/4 (which may or may not be the originating ones) fall into IANA's 'Unassigned' category and so do not provide much help. IANA Port list here: http://www.iana.org/assignments/port-numbers

Checking the IP address mentioned in the first part of the log doesn't help because the domain name for that address cannot be found, but I don't know if that is particularly significant.

How do you connect to the internet, dialup or broadband? My (limited) understanding is that dialup IPAs change each time you connect whereas broadband ones can remain the same. See what happens when you run this test: http://www.ip-adress.com/ If you are on broadband, check with your ISP as to how you change the IP address and see if that reduces the number of apparent 'attacks'.

I have, over the years, seen many articles about software firewalls and the information that they produce. There seems to be a consensus that most of the activity they report is normal internet traffic because many port scans are done for non-malicious purposes. If your firewall is blocking these connection attempts (and you don't have any programs that are failing to be updated as a result), I personally would assume that you need do nothing more, but see what other, more knowledgeable, members suggest.
__________________
Nothing matters very much, and few things matter at all.

Lord Balfour 1848-1930
lunarlander (Senior Member with 1,333 posts; Join Date: Sep 2007)
05-Sep-2008, 08:30 PM #3
In terms of hacking, a port scan is like scouting around. Maybe you have some port forwarded, maybe it is forwarded to a vulnerable version of an application. There is nothing one can do about these scans. If you do have some ports forwarded, you may want to follow up to see if your application has a newer version that takes care of some vulnerability. Or you may decide to cancel that port forward until the attacker moves away.
Lewitt (Junior Member with 6 posts; Join Date: Sep 2008; Location: Tacoma, WA; Experience: Intermediate/Advanced)
05-Sep-2008, 09:47 PM #4
Strange Blocks; Reply to Togg & Lunarlander
I tried to get the entire log to print in a readable format, but it just won't do it.
Here is the data that I hope will be necessary.

Remote Host | Remote MAC | Protocol
192.168.0.1 | 00-0F-B3-5A-54-36 | UDP
192.168.0.1 | 00-0F-B3-5A-54-36 | ICMP

Local Host | Local MAC
239.255.255.250 | 01-00-5E-7F-FF-FA
192.168.0.3 | 00-17-31-8C-87-F0

I am on DSL, 1.7, through Qwest. I am contacting them about this and will see what they say. So far it is doing harm that I can detect. It's just that I am curious as hell as to why something continuously tries to get into my computer and is blocked. A hundred, or more, times a day is something to be curious about, I think.
When (if) I get a reply from Qwest I'll let you know.

I just did a preview of the post and it is not formatting the way I type it out on cut and paste. But I think you can understand it better.
Sorry for the mix up on formatting, and thanks for your reply guys.
lunarlander (Senior Member with 1,333 posts; Join Date: Sep 2007)
06-Sep-2008, 10:28 PM #5
Your curiosity is well justified, but I hate to tell you: it's quite normal to be scanned. I am being scanned right now as I type this and it has been going on for 2 days. Mine is from 1 single address, and is systematically going up my ports one at a time. Your log doesn't show you which port number they are trying, but my log does. Right now he is at the 3000's. There are 65535 total ports for him to try.
Lewitt (Junior Member with 6 posts; Join Date: Sep 2008; Location: Tacoma, WA; Experience: Intermediate/Advanced)
08-Sep-2008, 12:51 AM #6
Persistent scans.
Hey LunarLander, thanks for the reply.

Here is what I found out in the last few days of research. I could be slightly off base, but this is mainly the gist of the thing.

IANA has blocked out a significant series of addresses that are purchased in groups by different organizations. They are mostly used as MACs (Media Access Controls), in conjunction with SSDPs (Simple Service Discovery Protocol), using a multicast system. Mainly, small businesses and home networks are the target. For example, if a user sets up a home network or small business, it is used to help HTTP clients and HTTP resources discover each other for SSDP services in the form of printers, scanners, fax machines, etc.; i.e., another way to make a buck from PC users.

Somehow it all connected to the UPnP, which (I understand) we use to install new equipment and software on our machines. This must alert organizations that we are adding to our PCs.

I am not exactly sure how it works, but it goes through the MBONE (Multicast Backbone) of MCAST-NET. It is possible to find out who owns the specific addresses that are hitting our machines, but is it worth the effort of going through hundreds (thousands?) of databases?

My probes are alternating between ports 1900 and 3, and not bothering any others. I am now looking at a way to exclude them from listing on my logs. With one shot I had 44 of them in a row. One day I got 132 hits between 7 am and 12 noon. Sygate is successfully blocking all of them.

Anyway, I think I'm fairly close to judging what is going on, and just thought I'd pass this on. If you (or anyone) has any comments I'd be glad to hear them.

Lewitt
mrss (Registered User with 722 posts; Join Date: Jun 2007)
08-Sep-2008, 02:08 AM #7
I used to run Sygate on my home PC network. Every time one of my PCs was rebooted, it would do that simple discovery thing you mentioned, and all the other PCs would get a UDP packet that Sygate would block. The IP would be the 192.168.0.xxx commonly used by the PCs on my network.

Maybe you're getting something similar.
TOGG (Distinguished Member with 4,901 posts; Join Date: Apr 2002; Location: Birmingham, England)
08-Sep-2008, 11:14 AM #8
Out of curiosity, I checked ports 3 and 1900 in the IANA list and then Googled the results, 'Compression Process' for 3 and 'SSDP' for 1900.

The information I found about Compression process wasn't particularly useful, but one of the pages I found was of the opinion that port 3 wasn't used by trojans or viruses.

As you have already learned, SSDP is connected with universal plug and play and, to quote Wikipedia, is "an expired IETF (Internet Engineering Taskforce) draft by Microsoft and Hewlett-Packard" (and) "is the basis of the discovery protocol of Universal plug-and-play."

All interesting stuff and, if not actually reassuring, not too sinister either!
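An added example, not code from anyone in this thread, that applies the conclusion the posts above reach: given the two rows Lewitt quoted, it separates SSDP multicast and local-router ICMP from traffic with a routable source, and groups blocks by source MAC so that "two sources" from one device show up as one. The BlockedEvent field names and the labels are my own choice; the values are taken from the first post.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# SSDP, the UPnP discovery protocol, multicasts to this group and port.
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")
SSDP_PORT = 1900


@dataclass(frozen=True)
class BlockedEvent:
    """One 'Blocked' row from a personal-firewall traffic log (field names are mine)."""
    protocol: str
    remote_host: str
    remote_mac: str
    remote_port: int
    local_host: str
    local_port: int


def classify(ev: BlockedEvent) -> str:
    """Label a blocked inbound packet by what it most likely is."""
    remote = ipaddress.ip_address(ev.remote_host)
    local = ipaddress.ip_address(ev.local_host)
    if ev.protocol == "UDP" and local == SSDP_GROUP and ev.local_port == SSDP_PORT:
        return "ssdp-multicast"      # a LAN device announcing or searching via UPnP
    if remote.is_private and ev.protocol == "ICMP":
        return "lan-icmp"            # e.g. the router pinging or replying on the LAN
    if remote.is_private:
        return "lan-other"           # same subnet, but not a recognised chatter pattern
    return "external"                # routable source: the only kind worth a closer look


def summarize(events):
    """Count events per (label, source MAC); one MAC means one physical device."""
    return Counter((classify(ev), ev.remote_mac) for ev in events)


# Constructed from the two log rows quoted in the first post of the thread.
THREAD_EVENTS = [
    BlockedEvent("UDP", "192.168.0.1", "00-0F-B3-5A-54-36", 2049,
                 "239.255.255.250", 1900),
    BlockedEvent("ICMP", "192.168.0.1", "00-0F-B3-5A-54-36", 3,
                 "192.168.0.3", 3),
]

if __name__ == "__main__":
    for (label, mac), n in summarize(THREAD_EVENTS).items():
        print(f"{label:15s} from {mac}: {n}")
```

Both rows resolve to the same MAC, so the "two sources" are one device on the LAN (the 192.168.0.1 router) and neither row is an internet-facing probe.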
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.