------- ZoneAlarm Security Alert Protected The firewall has blocked Internet access to your computer (NetBIOS Session) from dialup-4.232.33.145.Dial1.LosAngeles1.Level3.net (4.232.33.145) (TCP Port 3436) [TCP Flags: S].
-------
Since the city name embedded therein is often my own (Miami), and I'm a dial-up user, I suspect these might be coming from Earthlink, my own ISP.
How can I determine whether they are from Earthlink and whether to let them through? What about other NetBIOS Session alerts?
If I click on "Don't show this dialog again," will I stop seeing all security alerts? Should I?
Well, if you have a computer that has a direct connection to the modem, which is a direct connection to the Internet, then you remove Client for MS networks and MS File and Print sharing off of the NIC (network interface card) or the dial-up connection, and the NetBios ports are closed. The computer cannot network with other computers. The computer shouldn't have the ability to network with other computers while the computer has a direct connection to the Internet (no router between) the computer and the Internet).
It doens't matter when the ports are closed to begin with, because an attack cannot be initiated on the ports when they are closed. .
I'm not sure I understand, but I think you're saying that if all the following conditions were met, they would present a vulnerability:
Connected to the Internet through a NIC (via ethernet) + NetBIOS enabled on that NIC + Client for MS Networks enabled + MS File and Print sharing enabled + Certain ports open
Right?
Also, I assume that for routine uses -- http, mail (including IMAP), news, telnet, rlogin, etc. -- "networking" (which I don't quite understand) with other computers (including my ISP's computers) is neither necessary nor desirable. Is that right?
Is port 445 a TCP port, or some other kind of port?
Each of these alerts indicates a TCP port (never the same one), but I assume they refer to ports my ISP's computers are using for output, not which ports they're addressed to on my computer.
I haven't seen port 445 among them, anyway, but I would like to find out whether it's blocked.
Incidentally, I just received a rash of these alerts. Are they likely to be initiated by Earthlink, or could they be coming from somebody who read my post in this newsgroup and wants to have a bit of fun?
You are kind of right. And what are those ports that are being talked about in the link provided?
formatting link
's_port_445_in_w2k_xp_2003.htmhttp://www.governmentsecurity.org/articles/CommonPorts.php Port 445 is for NT classed O/S(s) like Win 2k, XP, Win 2k3 and Win Vista. If it's not a NT classed O/S like Win 9'x or ME, port 445 TCP is not involved, and the other ports being talked about are involved for MS NT and non NT classed O/S(s).
The Internet is a giant network. If your computer has a direct connection to the Internet via a modem, I don't care if the modem is a dialup or a NIC connected to a modem and there is no device such as a router, firewall appliance or a gateway computer running a software FW with one NIC facing the WAN/Internet and the other NIC facing the LAN, a device/solution between the modem and your computer, then the computer has a direct connection to the Internet.
If the computer is in that situation, then why would you want your computer to be able to share its resources with those ports open to other computers on the Internet? WAN is (Wide Area Network)/Internet. The LAN (Local Area Network) is the ISP's network in this case that has a connection to the WAN/Internet, and other computers (other users) are on the ISP's network like your computer is on the ISP's network. Why would you want your computer in communications with other user computers on the ISP's LAN, and why would you want your computer via the ISP's unprotected LAN from the WAN to be in communications on the ports talked above in an attackable state with computers on the WAN?
The ports being talked about above ARE the (Windows Networking Ports), and if they are open and exposed with the services listening on the ports, then the computer is open to attack and will be attacked if they are open and not protected, with the services listening.
BTW, ZA is protecting those ports as long as you have not set rules with ZA to protect those ports, open them, on ZA with those ports open on the computer itself, because the services below are enabled on the dialup or Ethernet connection.
ZA for lack of better words is a machine level packet filter it is not a firewall solution, as discussed in the link provided.
A firewall seperates two networks. One network is usually the Internet it's protection from, and the other network it is protecting is the LAN. A FW sits at the junction point between the two networks. A FW must have at least two network interfaces with one interface facing the WAN, and the other interface facing LAN. That would be two NIC(s) in the case of a secured gateway computer running FW software. The other two solutions have the two interfaces built into them
What is a FW and what does a FW do?
formatting link
ZA is not a FW. ZA is a machine level packet filter protecting at the machine level.
Yes, in away that's networking, but it's not the networking we're talking about, where as, if those (WNP(s)) are not protected while the computer has a direction connection to the Internet with the services listening, then you have some real problems.
There are two types of traffic a FW or a personal packet filter/personal FW deals with in protecting the LAN or a computer that's running something like a PFW. They block unsolicited inbound traffic coming from computers to the computer that have a FW in front of it or packet filter/PFW running on the computer. These solution will allow inbound traffic if a solicitation (outbound traffic) is made by a program to a remote IP while the computer is behind these solutions.
Unsolicited inbound traffic is block, and solicited inbound traffic is not blocked. If you open a port on a FW by settings rules to do so, the unsolicted inbound traffic can access the port on the computer.
There are only two types of ports in this case, and they are TCP and UDP ports on the computer.
Those are inbound ports that are on your computer that inbound traffic coming form other computers are trying to reach on your computer, unsolicted inbound traffic. It doesn't matter if it's another user's computer on the ISP's network or if it is a computer setting out there on the WAN/Internet
You don't have to worry about it period if the services that have been talked about are removed off of the NIC or dial-up type connection. If the port is not open with a program/somthing listening on the port, then how can it be attacked?
BTW, ZA or any solution like ZA can be attacked and taken down, just like the O/S can be attacked if malware has been allowed to run on the computer to take it down. If it happens and the (WNP(s)) are closed because you have removed the services that would have those ports open with those services listening on the port, then how can they be attacked?
BTW, the port can be open on the FW and left unprotected on the computer. But if nothing (a program) is listening on the port on the computer so that it can be exploited that can lead to the O/S being exploited, then it doesn't mean anything.
Well, that's what PFW(s) do they alert when maybe they shouldn't be hollering about anything.
As far as this being due to someone reading post, NO. :)
Look at it this way, it's just everyday unsolicited inbound traffic that's being blocked from the Internet. If you had a router sitting in front of the computer something between the modem and your computer, then ZA wouldn't be saying anything> And then you might say to yourself if it came past that router and ZA sounded off, then this is something I need to be worried about.
Some luser's windoze box looking to see if you want to share.
No, they're coming from a "Point Of Presence" provider - it could be any number of actual ISPs. This is why when you are dialing in, you are required to identify yourself not only by "username", but by " snipped-for-privacy@ISP.name" so they know which list of usernames to look at.
As usual, the Level 3 rwhois server isn't allowing remote access, but in theory you might send mail to snipped-for-privacy@level3.com. You'll probably only get an auto-response from their ignore-bot.
Do you want to share your system with this unknown person/zombie?
See that your computer is not configured to share anything/everything with any/everyone. Microsoft copied the idea of the UNIX command "netstat" which shows what ports are open on your computer. I got rid of windoze before they invented the network (or what-ever they're claiming now), but other posters have suggested
C:\\ netstat /an in a DOS window C:\\ netstat /ano for winXP
The original command on a *nix box would show
[compton ~]$ netstat -anptu Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN [compton ~]$
Here, the box has exactly one port "open" and in fact it's actually restricted to allow connections from only ~4300 addresses in the entire world.
Sorry - I don't use windoze. Personally, I don't bother wasting CPU cycles having the firewall tell me it blocked access to a closed port. They didn't get in, and there is little you can do to get them to stop trying (there really isn't an Internet Police Force, and most "abuse@" complaints are ignored), so what else are you going to do? See that your box isn't offering services to anyone you don't specifically want to have access, and don't worry about it.
I'd never heard of Level 3 before; I assumed it was an Earthlink technicality. It didn't occur to me I could go to
formatting link
but once I did, I was surprised to discover that:
Level 3 counts among its customers:
19 of the world?s top 20 telecom companies * 9 of the 10 largest telecom carriers in Europe * 9 of the top 10 U.S. Internet Service Providers (ISPs) * 9 of the top 10 U.S. cable companies * 4 of the top 5 telecom companies in Asia * Top 5 U.S. Wireless Service Providers
No wonder America's so far behind in Internet communications. Level 3 is more interested (by law) in cash than in the nation's viability, and they must have the clout to protect their business against any political movement to provide cheaper, faster - and especially free! - Internet access.
Hoping for the information superhighway? Free, open WiFi clouds? Forget about it. Not as long as our political system runs on billions and billions of dollars in "soft money," a/k/a "free speech."
I note
formatting link
about two-thirds of the way through October, their stock took a huge tumble on high volume. What happened?, I wonder.
You want to show some kind of proof here that the US is so far behind in Internet communications.
Are you going to sit there and tell eveyone that if you provided a service,, you had people working for you, with you and your employees needing to pay bills and put food on the table that such a service would be free?
What are you talking about? Business is business, and your prespective on things is not changing anything.
Who cares? Did you forget where you are posting? I'll remind you. It's comp.security.firewalls. You come in here posting about security issues, and then you start going to left field. :)
Earthlink has been using "Point Of Presence" providers for at least
12 years. It's a lot less expensive to contract out to a bandwidth provider than to set up a dial-in access point, never mind connecting those terminal servers to "the Internet". With the falling numbers of dial-in customers, it is much easier to let a few POP providers handle things, while the ISP remains the point of contact for the customer.
They've been buying other companies - in the original post, you were reporting connections from 4.x.x.x which is one of the original blocks owned by BBN (Bolt Beranek and Newman, which became Genuity). This was one of the original companies that DoD contracted with to set up the Internet back in 1970.
They are a backbone - one of the main connectors of the many ISPs around the world. You might see this using a route tracing program such as 'traceroute' or the toy windoze version TRACERT.EXE and note the domain names of those intermediate steps..
ah, right
Most of the telecoms in Europe are government entities, somewhat akin to the post office (which they also run in a number of countries).
because Level3 is a backbone
Again - national entities. But you may be surprised to discover that (as one example) Japan's national telephone agency (NTT) runs a number of bandwidth hubs in the US (do a whois on 129.250/16 and 130.94/16 for example), as well as around Asia and Europe.
Talk to your stock broker / investment councillor.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.