UDP Port 1025 activity

Lately I've been receiving popup warning messages from Zone Alarm that it has blocked access to my computer on UDP Port 1025. It provides an IP address that I tracert back to my ISP's cached DNS server (at least, that appears to be its function judging by the machine name.) This has been going on for about 10 days. I've used the same ISP for at least 4 years. The popup appears about once per day.

This is on Win XP Home SP2 notebook computer behind a NAT router. Wireless network connection. ZA free version 6.1.737.000

How does that request get to my machine -- shouldn't it be blocked at the firewall? Is this anything to worry about? The popup offers an option to not warn again in the future -- is it a good idea to enable that feature? As it only happens about once per day, it's not that much of an annoyance, but it does seem curious.

TIA

********************** snipped-for-privacy@telusTELUS.net remove uppercase letters for true email
Reply to
jacksonmacd

Even though ZoneAlarm is a stupid thing on its own, why didn't you even do the basic configuration?

This is a well-known port for a well-known RPC service exploit in Windows NT 5 series. Nothing special.

Why are you analysing network noise?

NAT misconfiguration? Stupid NAT implementation?

Which firewall?

As long as you're not running any vulnerable RPC service on that port: No.

You should have already disabled it a long time ago. Anyway, the same holds for having uninstalled or never installed ZoneAlarm. Obviously you lack knowledge for packet filtering, and obviously ZoneAlarm is one of the worst implementations ever.

Get a real signature delimiter!

And stop spamming telustelus.net with your bounces!

Reply to
Sebastian Gottschalk

Just use the Windows-Firewall instead of Zone Alarm, and you will not be bothered with useless popups any more.

Yours, VB.

Reply to
Volker Birk


ZoneAlarm has blocked it, so no reason to worry. You can disable those alerts, and Program access alerts will still alert you.

Reply to
charlie R

XP? "ipconfig /all" will list the name servers you are using.

What is the port number on the source (remote) end? If it's 53, this is a normal problem - the remote DNS server was slower than your firewall is hair-triggered for, and your firewall forgot that it had allowed an outbound packet that would produce a reply. It's a fairly common problem with "personal" firewalls.

There are two possible answers. The first is as above - you sent out a request to the name server, which was busy at the time, and it was slow to respond. When it finally did, your system had forgotten that it had asked - a fairly typical occurrence on so-called personal firewalls.

The second possibility (much less likely given the firewall) is that the packet is actually messenger spam - some wanker trying to send spam directly to your display, often appearing as if it is a warning from your computer. The clue would be that the message points you to some website. The last time I bothered to log that trash, I was seeing about 1000 messages a day. These often have faked source addresses (the spammer doesn't want to hold a conversation - he wants you to click on some URL and go to a website). If the blocked packet is messenger spam, your ISP is incompetent and isn't following the recommendations in RFC2827 and RFC3704 (blocking inbound packets that have a source address from "inside").

Depends on what's in that packet. If it's really a slow response from the name server (likely), file a bug report with the klowns who created your firewall. If the packet is messenger spam (less likely), use a packet capture tool and send the data to your ISP hinting at RFC2827. Either the name server is 0wn3d (highly unlikely), or they aren't bothering to filter obviously fake packets at the perimeter. Were I to bet, I'd put money on a slow nameserver and crappy personal firewall.

Old guy

Reply to
Moe Trin
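
The slow-name-server explanation in the post above, modelled as an added example that is not part of the original thread: a simplified UDP state table that separates a reply arriving in time, a late DNS reply whose state entry has expired, and a packet that was never asked for. The timeout value, the addresses (documentation ranges) and the names `Packet` and `triage` are assumptions made for illustration.

```python
from dataclasses import dataclass

UDP_STATE_TIMEOUT = 2.0  # seconds; assumed for illustration, real products differ

@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since capture start
    direction: str     # "out" (host -> network) or "in"
    local_port: int
    remote_ip: str
    remote_port: int

def triage(packets, resolvers, timeout=UDP_STATE_TIMEOUT):
    """Classify each inbound UDP packet the way a stateful filter would see it."""
    last_out = {}      # (local_port, remote_ip, remote_port) -> time of last outbound packet
    verdicts = []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.local_port, p.remote_ip, p.remote_port)
        if p.direction == "out":
            last_out[key] = p.ts              # outbound traffic creates or refreshes state
            continue
        sent = last_out.get(key)
        if sent is not None and p.ts - sent <= timeout:
            verdicts.append("reply")           # state still live: passed silently
        elif sent is not None and p.remote_port == 53 and p.remote_ip in resolvers:
            verdicts.append("late_dns_reply")  # we asked, state expired: blocked, popup
        else:
            verdicts.append("unsolicited")     # never asked: capture and inspect payload
    return verdicts

# Constructed sample traffic (documentation address ranges, not from the thread).
RESOLVERS = {"192.0.2.53"}   # what "ipconfig /all" would list as name servers
SAMPLE = [
    Packet(0.00, "out", 1025, "192.0.2.53", 53),
    Packet(0.08, "in", 1025, "192.0.2.53", 53),       # prompt answer
    Packet(10.0, "out", 1025, "192.0.2.53", 53),
    Packet(15.5, "in", 1025, "192.0.2.53", 53),       # answer arrives 5.5 s later
    Packet(20.0, "in", 1026, "198.51.100.7", 4000),   # no matching outbound packet
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE, RESOLVERS):
        print(verdict)
```

Raising `timeout` above the resolver's worst-case latency turns the second inbound packet back into an ordinary reply, which is why the alert tracks a slow name server rather than an attack.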
