Netgear portscanning me?

I have a Netgear DG834 v2 adsl modem/router.

It works well.

My question is why would my local Norton firewall report that the
router portscanned me? The report says that network traffic from the
Netgear matches the signature of a known attack.

Attacking Computer : 192.168.0.1, 53
Action Taken : Block
Destination Address : 192.168.0.2, 55841
Traffic Description : UDP, 53

Am I right in guessing that the, e.g. 53, is a port? And isn't port 53
used for DNS? What is the Netgear doing and should I be worried?

Thanks for any light shed on this.


Re: Netgear portscanning me?
Tam writes:

Your PC sent a DNS request to the router. The router sent back a reply.
It is normal.

PS. Norton - specifically, stuff designed for home users - often
causes problems. For 99% of people who don't need/want to monitor or
block outgoing data, the in-built Windows (XP SP2/Vista) firewall works
fine. A firewall isn't usually necessary if you are behind a NAT router,
as it likely has its own firewall.

Re: Netgear portscanning me?


request to the router then it would of course pass through Norton
firewall. In that case the firewall should 'remember' that the request
was sent and handle the reply when it comes. It is stored in the state
table, huh?

Which would make the communication the Norton reported as totally
unsolicited? Am I off the mark here?

Also... I do like to run a local firewall in addition to the firewall
built into the router. It's handy for monitoring what is going out and
will alert me to x, y and z program trying to access the net, which is
handy indeed for programs/spyware that are communicating with the
outside world (or attempting to... off with its head :))


Re: Netgear portscanning me?
On Mon, 03 Sep 2007, in the Usenet newsgroup comp.security.firewalls, in article


Almost correct.  The PC sent a DNS request.  The router isn't a full
source of information about everything in the world, and has to pass
the request along to others. This takes time. Norton figured after a
second or two that it wasn't going to get an answer, and marked that
connection attempt as dead. When the router finally did get an answer
and responded, Norton had forgotten that it had asked, and wanting to
impress the O/P, announced that it has BLOCKED AN ATTACK!!!


This is mainly because Norton was set in the most paranoid mode. The
world isn't as simple as the paranoid mode requires, and Norton winds
up looking like the "boy who cried wolf".


Agreed, but how is Norton supposed to sell crap if that were the case?


Yes, but only for a limited time. Whoever configured the firewall
set the time too short.  You could file a bug report with Norton, and
maybe they'll look into correcting the problem. (I doubt it, as this
problem has been going on for years - you need only use the search
engine you are posting from as a search engine.)

  Web  Results 1 - 10 of about 226,000 for Norton blocked attack 53 UDP.
  (0.12 seconds)


No, it merely means that Norton has been configured to forget things
that don't happen right away. If you read the RFCs (for example, section
5.1 of RFC1034), you might find that a DNS response can literally take
several seconds. The industry standard nameserver (ISC BIND) is normally
set for a five second timeout.  You must understand that every server
in the world isn't waiting patiently to serve only you. As of the
middle of last month, there are 82,000 networks in the world, which
translates to about a quarter million name servers - do you know the
right one to ask your question? Oh, and there are about 2,533,552,588
IPv4 (the kind you are using) addresses to keep track of.


Why are you installing spyware, viruses, and other trojans?  Or do you
think there is a "Malware Fairy" that flutters by, waves her magic
wand when you aren't looking, and Hey Presto, your computer is infected?

        Old guy


Re: Netgear portscanning me?
Moe Trin wrote:


Though I regard Norton as complete and useless crap, I do admit that finding
acceptable timeout values for UDP answer packets is a bit of a problem
for any stateful packet filter implementation, because UDP is a
stateless protocol. TCP connections are easier to handle for a filter
because of flags and sequence numbers.

Wolfgang



Re: Netgear portscanning me?
On Tue, 04 Sep 2007, in the Usenet newsgroup comp.security.firewalls, in article


The timeout, IF YOU FEEL THAT YOU NEED THIS, should be based on the way
DNS works, not the way UDP works.   A sane resolver setup will try to
query a name server and wait a few seconds for a reply of some kind. It
is possible that the server queried MIGHT be down at the moment. In *nix,
this query is allowed to wait five seconds before the resolver tries a
second query to a different server. If the second (and possibly third)
query fails, the resolver again tries the "first" name server, and
this time waits twice as long - ten seconds.  Is that a realistic
timeout for a firewall?  Probably not, but it's a hint from people who
know how the Domain Name Service works.

Except in special circumstances, ALL DNS traffic uses UDP, which is a
connectionless protocol. At the protocol level, there is no indication
that a remote system has replied to you, and no indication to the remote
system that you received OR DID NOT RECEIVE a packet it sent. Thus, all
timeouts are handled by the _application_ and not the UDP network.

The other problem users never think about is that no name server knows
about all hosts. When your resolver "asks a question", the name server
you ask will look to see if it knows the answer (is the data cached).
If not, it has to ask from the root domain on down in a multi-step
process. The question "what is the address of FOO.BAR.BAZ.QUX.COM"
starts by asking one of the root servers - the reply comes back
".COM - ask the .com nameservers at [3 to 12 possible IP addresses]".
Your name server asks one of those, and gets told ".QUX.COM - ask the
qux.com name servers at [2 or more addresses]".  Your name server asks
one of them, and is told to ask the .baz.qux.com nameservers at another
set of addresses - and when you finally find the addresses of the
.bar.baz.qux.com nameservers, THEY will tell you the IP address you have
been searching for.   In this case, that's five UDP packet exchanges
that have to work. (In fact, most name servers have cached at least
many of the addresses of the top level name servers, so you can probably
skip that first query.)

Those users who are in domains like demon.co.uk, t-ipnet.de, tiscali.fr
and similar may realize that not all of the world is a .com or .net or
similar. In fact, there are 8 top-level domains with four letters (such
as .info or .arpa), 12 top-level domains with three letters (such as
.com or .edu), and 253 top-level domains of two letters. There are also
two (rarely used) top-level domains of SIX letters (.museum and .travel)
for a total of 275 top level domains in official Internet namespace.


See RFC1035 - the header of a DNS query and response has a sequence
number in the first two octets of the query and response.  These
so-called firewalls _could_ inspect those numbers if they wanted to,
but that's too much work.    Likewise, this crap software screams about
attacks, and they _could_ do something to protect the user from
further attacks by simply blocking the "attacking" host for an hour or
two - wonder why the brane-ded a$$holes who create these programs didn't
implement that.  Maybe they know they are lying when they report this
stuff as an attack.  Too bad the users don't understand the joke.

        Old guy
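The two mechanisms Moe Trin describes in his replies above (a UDP/53 state entry that expires before the recursive lookup finishes, and the transaction ID in the first two header octets that a firewall could match instead), as an added Python example that is not code from the thread; the five-second timeout and the example.com name are assumptions:

```python
import struct

# Constructed example: a minimal stateful tracker for UDP/53 that remembers the
# outbound query, matches the reply on the RFC 1035 transaction ID, and expires
# the entry on a DNS-based timeout (assumed: the five-second resolver value).
DNS_STATE_TIMEOUT = 5.0

def encode_qname(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero octet."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def build_dns(txid, name, response):
    """Header plus one A/IN question; a response sets the QR bit in the flags."""
    flags = 0x8180 if response else 0x0100          # QR+RD+RA vs. RD only
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)

def dns_txid(payload):
    """Transaction ID: first two octets of the header, network byte order."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", payload[:2])[0]

def is_response(payload):
    return bool(payload[2] & 0x80)                  # QR bit: top bit of octet 3

class UdpDnsTracker:
    """Pending queries keyed by (client ip, client port, txid) -> time sent."""
    def __init__(self, timeout=DNS_STATE_TIMEOUT):
        self.timeout = timeout
        self.pending = {}

    def outbound(self, src_ip, src_port, payload, now):
        self.pending[(src_ip, src_port, dns_txid(payload))] = now

    def inbound(self, dst_ip, dst_port, payload, now):
        """Classify a packet from the server: allowed, stale (matched but
        expired) or unsolicited (no matching query, or not a response)."""
        sent = self.pending.pop((dst_ip, dst_port, dns_txid(payload)), None)
        if sent is None or not is_response(payload):
            return "unsolicited"
        return "stale" if now - sent > self.timeout else "allowed"

def verdict(timeout, reply_delay, txid=0x1234):
    """Replay the OP's exchange (192.168.0.2:55841 <-> 192.168.0.1:53)
    with the reply arriving reply_delay seconds after the query."""
    tracker = UdpDnsTracker(timeout)
    tracker.outbound("192.168.0.2", 55841, build_dns(txid, "example.com", False), 0.0)
    return tracker.inbound("192.168.0.2", 55841, build_dns(txid, "example.com", True), reply_delay)
```

With a one-second state table, `verdict(1.0, 2.5)` reports the 2.5-second lookup as stale (what Norton logged as an attack), while `verdict(5.0, 2.5)` allows it.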

Re: Netgear portscanning me?
Kris wrote:

Having a 2nd firewall secures your PC and limits the spread of any
malware should it ever get behind the NAT firewall. If you don't have
wireless and never allow a laptop on your network it's probably not an
issue. But imagine a laptop that gets infected while somewhere else,
then connects to your network. If you're relying solely on the NAT
firewall, your whole network just got compromised.

Or imagine all those poor saps who thought WEP would secure their
wireless LAN. Anyone driving by with the right software could get
behind the NAT firewall in minutes.

IMO every computer on the network should have its own firewall in
addition to the NAT firewall.

Re: Netgear portscanning me?

Unfortunately no.


Better configure your systems correctly.

Yours,
VB.
--
"Care must be taken that the Basic Law is not protected with methods
that run counter to its aim and its spirit."

  Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Re: Netgear portscanning me?
Volker Birk wrote:

Double firewalling is standard industry practice. Do you disagree? If so
I hope you are not working as a network administrator.

Re: Netgear portscanning me?

Yes.

Especially the "Personal Firewall" nonsense is counter-productive. I
don't have any problems with the Windows-Firewall, though, if it's
configured correctly.


I do not. I'm CTO ;-)

Yours,
VB.

Re: Netgear portscanning me?

To achieve what? Aside from increased sales for personal firewall
vendors, that is.


Well, I for one most certainly do.


M-hm. You have some arguments to go with that opinion of yours?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Netgear portscanning me?
Ansgar -59cobalt- Wiechers wrote:

Arguments? Sure. Any PC on your LAN that does not have a software
firewall is vulnerable if any other machine gets infected with a WORM
or gets hacked. It's that simple. Remember that DNS corrupting worm from
about 2 years ago? An awful lot of network admins learned the hard way
about double firewalling that day, didn't they?

You can choose to disagree that double firewalling is not standard
industry practice, but that does not change the fact that it is. A simple
google of "is double firewalling a standard industry practice" returns
over a million hits.

Re: Netgear portscanning me?

So tell me: how did that other machine get hacked or infected with a
worm in the first place? And how does the software firewall protect the
ports you need to be open in your LAN? (because most certainly any other
port would be closed and thus not exploitable, wouldn't it?)


Frankly, no, it ain't.


No. What "DNS corrupting worm" are you talking about?


M-hm. In my network the systems are kept up to date, they don't have
services running they're not supposed to, and the network is properly
segmented with firewalls on the boundaries. So tell me again: what
exactly do I need double firewalling for? Other than increasing the
vendors' revenue, my network's complexity, and my own workload?


A million flies ...

cu
59cobalt

Re: Netgear portscanning me?
Ansgar -59cobalt- Wiechers wrote:

You've obviously not been in IT very long.

Re: Netgear portscanning me?

Amusing. You're talking about a person, who probably has more
experience and deeper insights than most of the people here in the group,
with small exceptions.

In German: "Jeder macht sich so lächerlich, wie er kann."

Trying to translate that for you: "You're making a fool out
of yourself as good as you can" ;-)

Chuck, perhaps you could work on your arguments a little bit. Maybe
they're not as close to perfect as they could be :-))

Yours,
VB.

Re: Netgear portscanning me?
Chuck wrote:

At any rate, it seems that if you have been in IT very long, you had a long
time doing wrong/stupid things.

Re: Netgear portscanning me?
Ansgar -59cobalt- Wiechers wrote:

The OP was talking about a SOHO network with a single switch/router. One
segment only. In such an environment double firewalling is essential if
there is the possibility of an infected PC being added to the network.

The worm I was referring to is documented here:

http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html

I referred to it incorrectly as a DNS corrupting worm because in the
environment where I work it was Windows 2000 based DNS servers that were
affected. The point however is still valid. If these servers had been
properly firewalled they would not have been affected.

Re: Netgear portscanning me?

If these servers wouldn't have offered network services to the Internet
they should not offer, no firewalls would have been needed.

These worms are why I hacked http://www.dingens.org at this time.

The problem is not that those servers needed firewalling. The problem
is that Microsoft failed and has to answer for all this damage,
because it's completely moronic to offer unneeded network services
which are potentially vulnerable, and to make this the default and even
make it complicated to stop that.

To be clear:

What we're talking about is worm-rbot.cbq.

<http://www.sophos.com/virusinfo/analyses/w32rbotcbq.html>
| Name                               > W32/Rbot-CBQ
| Type                               * Worm
| How it spreads                     * Network shares
| Affected operating systems         * Windows

BTW:

| What this worm has to do with DNS  * completely nothin' ;-)

It's completely idiotic to enable network shares to the Internet. Just
disable them => no firewalling needed.

Yours,
VB.

Re: Netgear portscanning me?

These questions still stand.


I fail to see what kind of threat that "infected PC" would pose to
properly configured and patched systems on the same network segment.
Please elaborate.


That was a Zotob variant. Microsoft released a patch for the exploited
vulnerability a week earlier, and filtering that crap at the network
boundary would most certainly have prevented an infection (see MS
Security Bulletin MS05-039 [1], section "Vulnerability Details"). I fail
to see any need for personal firewalls on any computer in the LAN
because of this.

[1] http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

cu
59cobalt

Re: Netgear portscanning me?
Chuck wrote:

Now speak after me: - D M Z
                     - host pro tec tion

If these servers had been properly patched they would not have been affected.

Anyway, we'll try it again: - D M Z
                             - host pro tec tion
                             - I P sec
