ZoneAlarm Security Alert - My own ISP?


I often get alerts like this:

-------
ZoneAlarm Security Alert
Protected
The firewall has blocked Internet access to your computer (NetBIOS
Session) from dialup-4.232.33.145.Dial1.LosAngeles1.Level3.net
(4.232.33.145) (TCP Port 3436) [TCP Flags: S].
-------

Since the city name embedded therein is often my own (Miami), and I'm a
dial-up user, I suspect these might be coming from Earthlink, my own ISP.

How can I determine whether they are from Earthlink and whether to let
them through? What about other NetBIOS Session alerts?

If I click on "Don't show this dialog again," will I stop seeing all
security alerts? Should I?

--
Marshall Price of Miami
Known to Yahoo as d021317c

Re: ZoneAlarm Security Alert - My own ISP?

BLOCK BLOCK, and I say again BLOCK 'em. don't let these in! BLOCK em!

Re: ZoneAlarm Security Alert - My own ISP?
Steve Williamson wrote:

All right, that's what I like to hear!  Who needs NetBIOS, anyhow?

Tell me more!  :-)

--
Marshall Price of Miami
Known to Yahoo as d021317c

Re: ZoneAlarm Security Alert - My own ISP?


Well, if you have a computer that has a direct connection to the modem,
which is a direct connection to the Internet, then you remove Client for MS
networks and MS File and Print sharing off of the NIC (network interface
card) or the dial-up connection, and the NetBIOS ports are closed. The
computer cannot network with other computers. The computer shouldn't have
the ability to network with other computers while the computer has a direct
connection to the Internet (no router between the computer and the
Internet).

It doesn't matter when the ports are closed to begin with, because an attack
cannot be initiated on the ports when they are closed.

http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm



Re: ZoneAlarm Security Alert - My own ISP?
Mr. Arnold wrote:

I'm not sure I understand, but I think you're saying that if all the
following conditions were met, they would present a vulnerability:

 + Connected to the Internet through a NIC (via ethernet)
 + NetBIOS enabled on that NIC
 + Client for MS Networks enabled
 + MS File and Print sharing enabled
 + Certain ports open

Right?

Also, I assume that for routine uses -- http, mail (including IMAP),
news, telnet, rlogin, etc. -- "networking" (which I don't quite
understand) with other computers (including my ISP's computers) is
neither necessary nor desirable. Is that right?


Is port 445 a TCP port, or some other kind of port?

Each of these alerts indicates a TCP port (never the same one), but I
assume they refer to ports my ISP's computers are using for output, not
which ports they're addressed to on my computer.

I haven't seen port 445 among them, anyway, but I would like to find out
whether it's blocked.

Incidentally, I just received a rash of these alerts. Are they likely to
be initiated by Earthlink, or could they be coming from somebody who
read my post in this newsgroup and wants to have a bit of fun?

--
Marshall Price of Miami
Known to Yahoo as d021317c

Re: ZoneAlarm Security Alert - My own ISP?


You are kind of right. And what are those ports that are being talked about
in the link provided?

http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm
http://www.governmentsecurity.org/articles/CommonPorts.php

Port 445 is for NT classed O/S(s) like Win 2k, XP, Win 2k3 and Win Vista. If
it's not an NT classed O/S like Win 9'x or ME, port 445 TCP is not involved,
and the other ports being talked about are involved for MS NT and non NT
classed O/S(s).

The Internet is a giant network. If your computer has a direct connection to
the Internet via a modem, I don't care if the modem is a dialup or a NIC
connected to a modem and there is no device such as a router, firewall
appliance or a gateway computer running a software FW with one NIC facing
the WAN/Internet and the other NIC facing the LAN, a device/solution
between the modem and your computer, then the computer has a direct
connection to the Internet.

If the computer is in that situation, then why would you want your computer
to be able to share its resources with those ports open to other computers
on the Internet?  WAN is (Wide Area Network)/Internet. The LAN (Local Area
Network) is the ISP's network in this case that has a connection to the
WAN/Internet, and other computers (other users) are  on the ISP's network
like your computer is on the ISP's network. Why would you want your computer
in communications with other user computers on the ISP's LAN, and why would
you want your computer via the ISP's unprotected LAN from the WAN to be in
communications on the ports talked above in an attackable state with
computers on the WAN?

The ports being talked about above ARE the (Windows Networking Ports),  and
if they are open and exposed with the services listening on the ports, then
the computer is open to attack and will be attacked if they are open and not
protected, with the services listening.

BTW, ZA is protecting those ports as long as you have not set rules with ZA
to protect those ports, open them, on ZA with those ports open on the
computer itself, because the services below are enabled on the dialup or
Ethernet connection.


ZA, for lack of better words, is a machine level packet filter; it is not a
firewall solution, as discussed in the link provided.

A firewall separates two networks. One network is usually the Internet it's
protection from, and the other network it is protecting is the LAN. A FW
sits at the junction point between the two networks. A FW must have at least
two network interfaces with one interface facing the WAN, and the other
interface facing LAN. That would be two NIC(s) in the case of a secured
gateway computer running FW software. The other two solutions have the two
interfaces built into them.

What is a FW and what does a FW do?

http://www.vicomsoft.com/knowledge/reference/firewalls1.html

ZA is not a FW. ZA is a machine level packet filter protecting at the
machine level.



Yes, in a way that's networking, but it's not the networking we're talking
about, whereas, if those (WNP(s)) are not protected while the computer has
a direct connection to the Internet with the services listening, then you
have some real problems.

There are two types of traffic a FW or a personal packet filter/personal FW
deals with in protecting the LAN or a computer that's running something like
a PFW.   They block unsolicited inbound traffic coming from computers to the
computer that have a FW in front of it or packet filter/PFW running on the
computer. These solutions will allow inbound traffic if a solicitation
(outbound traffic) is made by a program to a remote IP while the computer is
behind these solutions.

Unsolicited inbound traffic is blocked, and solicited inbound traffic is not
blocked. If you open a port on a FW by setting rules to do so, the
unsolicited inbound traffic can access the port on the computer.



There are only two types of ports in this case, and they are TCP and UDP
ports on the computer.


Those are inbound ports that are on your computer that inbound traffic
coming from other computers is trying to reach on your computer, unsolicited
inbound traffic. It doesn't matter if it's another user's computer on the
ISP's network or if it is a computer sitting out there on the WAN/Internet.


You don't have to worry about it period if  the services that have been
talked about are removed off of the NIC or dial-up type connection. If the
port is not open with a program/something listening on the port, then how can
it be attacked?

BTW, ZA or any solution like ZA can be attacked and taken down, just like
the O/S can be attacked if malware has been allowed to run on the computer
to take it down. If it happens and the (WNP(s)) are closed because you have
removed the services that would have those ports open with those services
listening on the port, then how can they be attacked?

BTW, the port can be open on the FW and left unprotected on the computer.
But if nothing (a program) is listening on the port on the computer so that
it can be exploited that can lead to the O/S being exploited, then it
doesn't mean anything.


Well, that's what PFW(s) do: they alert when maybe they shouldn't be
hollering about anything.


As far as this being due to someone reading post, NO. :)

Look at it this way, it's just everyday unsolicited inbound traffic that's
being blocked from the Internet. If you had a router sitting in front of the
computer something between the modem and your computer, then ZA wouldn't be
saying anything. And then you might say to yourself if it came past that
router and ZA sounded off, then this is something I need to be worried
about.


Re: ZoneAlarm Security Alert - My own ISP?
On Wed, 26 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in article


Brave Firewall!!!   Good Firewall!!!   Well Done!!!


Some luser's windoze box looking to see if you want to share.


No, they're coming from a "Point Of Presence" provider - it could be
any number of actual ISPs.  This is why when you are dialing in, you
are required to identify yourself not only by "username", but by
"username@ISP.name" so they know which list of usernames to look at.


As usual, the Level 3 rwhois server isn't allowing remote access, but
in theory you might send mail to abuse@level3.com. You'll probably only
get an auto-response from their ignore-bot.


Do you want to share your system with this unknown person/zombie?


See that your computer is not configured to share anything/everything
with any/everyone.  Microsoft copied the idea of the UNIX command
"netstat" which shows what ports are open on your computer. I got rid
of windoze before they invented the network (or what-ever they're
claiming now), but other posters have suggested

  C:\\ netstat /an   in a DOS window
  C:\\ netstat /ano     for winXP

The original command on a *nix box would show

[compton ~]$ netstat -anptu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address      State
tcp        0      0 0.0.0.0:22              0.0.0.0:*            LISTEN
[compton ~]$

Here, the box has exactly one port "open" and in fact it's actually
restricted to allow connections from only ~4300 addresses in the entire
world.


Sorry - I don't use windoze.  Personally, I don't bother wasting CPU
cycles having the firewall tell me it blocked access to a closed port.
They didn't get in, and there is little you can do to get them to stop
trying (there really isn't an Internet Police Force, and most "abuse@"
complaints are ignored), so what else are you going to do?  See that
your box isn't offering services to anyone you don't specifically want
to have access, and don't worry about it.

        Old guy
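
Added example, not part of the thread or written by any poster: a Python script that reads the text printed by Windows `netstat -an` (or `-ano`) and lists sockets on the Windows networking ports (137, 138, 139, 445) that accept traffic on a non-loopback address. The sample output, its addresses and the service labels are constructed for this example.

```python
import ipaddress

# Windows networking ports discussed in the thread (labels are this example's own).
WINDOWS_NETWORKING_PORTS = {137: "NetBIOS Name", 138: "NetBIOS Datagram",
                            139: "NetBIOS Session", 445: "SMB over TCP"}

# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

def is_loopback(addr):
    """True when the local address is reachable only from this machine."""
    try:
        return ipaddress.ip_address(addr.strip("[]").split("%")[0]).is_loopback
    except ValueError:
        return False

def listening_sockets(netstat_text):
    """Yield (proto, local_addr, port) for sockets that accept unsolicited traffic."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # header or blank line
        proto = fields[0].upper()
        addr, _, port = fields[1].rpartition(":")
        if not port.isdigit():
            continue
        # TCP counts only in LISTENING state; UDP lines have no state column.
        if proto == "TCP" and "LISTENING" not in fields[3:]:
            continue
        yield proto, addr, int(port)

def exposed_windows_ports(netstat_text):
    """Return (proto, addr, port, service) for reachable Windows networking ports."""
    return [(proto, addr, port, WINDOWS_NETWORKING_PORTS[port])
            for proto, addr, port in listening_sockets(netstat_text)
            if port in WINDOWS_NETWORKING_PORTS and not is_loopback(addr)]

if __name__ == "__main__":
    for proto, addr, port, service in exposed_windows_ports(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} is open ({service})")
```

Run it on saved `netstat -an` output; an empty result means nothing is listening on those ports on an outside-facing address.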

Re: ZoneAlarm Security Alert - My own ISP?


Did he ask you about all of this?


Did he ask you about all of this?


Did he ask you about all of this?

You're off into left field as usual old man.


Re: ZoneAlarm Security Alert - My own ISP?
Mr. Arnold wrote:

Please stand by, fellas.  It's all good, but a bit hard to digest.

--
Marshall Price of Miami
Known to Yahoo as d021317c

Re: ZoneAlarm Security Alert - My own ISP?
Moe Trin wrote:

Thanks for the insights, Moe.

I'd never heard of Level 3 before; I assumed it was an Earthlink
technicality.  It didn't occur to me I could go to www.level3.net, but
once I did, I was surprised to discover that:

Level 3 counts among its customers:

    * 19 of the world’s top 20 telecom companies
    * 9 of the 10 largest telecom carriers in Europe
    * 9 of the top 10 U.S. Internet Service Providers (ISPs)
    * 9 of the top 10 U.S. cable companies
    * 4 of the top 5 telecom companies in Asia
    * Top 5 U.S. Wireless Service Providers

No wonder America's so far behind in Internet communications.  Level 3
is more interested (by law) in cash than in the nation's viability, and
they must have the clout to protect their business against any political
movement to provide cheaper, faster - and especially free! - Internet
access.

Hoping for the information superhighway?  Free, open WiFi clouds?
Forget about it.  Not as long as our political system runs on billions
and billions of dollars in "soft money," a/k/a "free speech."

I note (http://lvlt.client.shareholder.com/stockquote.cfm)
that about two-thirds of the way through October, their stock took a
huge tumble on high volume.  What happened?, I wonder.


--
Marshall Price of Miami
Known to Yahoo as d021317c

Re: ZoneAlarm Security Alert - My own ISP?


You want to show some kind of proof here that the US is so far behind in
Internet communications.

Are you going to sit there and tell everyone that if you provided a service,
you had people working for you, with you and your employees needing to pay
bills and put food on the table that such a service would be free?


What are you talking about? Business is business, and your perspective on
things is not changing anything.


Who cares? Did you forget where you are posting?  I'll remind you. It's
comp.security.firewalls. You come in here posting about security issues, and
then you start going to left field. :)


Re: ZoneAlarm Security Alert - My own ISP?
On Tue, 01 Jan 2008, in the Usenet newsgroup comp.security.firewalls, in article




Earthlink has been using "Point Of Presence" providers for at least
12 years.  It's a lot less expensive to contract out to a bandwidth
provider than to set up a dial-in access point, never mind connecting
those terminal servers to "the Internet".  With the falling numbers
of dial-in customers, it is much easier to let a few POP providers
handle things, while the ISP remains the point of contact for the
customer.


They've been buying other companies - in the original post, you were
reporting connections from 4.x.x.x which is one of the original blocks
owned by BBN (Bolt Beranek and Newman, which became Genuity). This was
one of the original companies that DoD contracted with to set up the
Internet back in 1970.


They are a backbone - one of the main connectors of the many ISPs
around the world. You might see this using a route tracing program
such as 'traceroute' or the toy windoze version TRACERT.EXE and note
the domain names of those intermediate steps.


ah, right


Most of the telecoms in Europe are government entities, somewhat akin
to the post office (which they also run in a number of countries).


because Level3 is a backbone


Again - national entities.  But you may be surprised to discover that
(as one example) Japan's national telephone agency (NTT) runs a number
of bandwidth hubs in the US (do a whois on 129.250/16 and 130.94/16
for example), as well as around Asia and Europe.


Talk to your stock broker / investment councillor.

        Old guy
