'attack' from Router IP..?

Hi all... I have a 3COM 3CRWE554G72T router and home network with NIS (Norton Internet Security) 2003. All PCs in the network have Win2k, SP4 IE6 SP1. L2TP Cable internet is through 3Com wireless Officeconnect 3CRWE554G72T router.

In recent weeks (after 2-3 years of mostly uneventful usage with NIS) I began to get alerts from it on an attack (?):

"portscan" of 192.168.1.1 (domain 53). That is the router IP. Then it does an autoblock on this IP which of course disables http browsing of internet for half an hour (only FTP, email and skype continue to work). This happens dozens of times every day.

NIS allows me to include any IP or port in the DMZ, but these 'attacks' come from different ports every time (1000-5000 range) and if I allow all ports from 192.168.1.1 then it means NIS is bypassed, in effect, isn't it? Because all internet is coming from this IP.

How can I determine whether this is some hack portscan or some periodical DNS status ping by the internet provider? (Why would they do it on a different port every time?)

Thanks

Reply to
developmental2

No

Well, that should be telling you that you don't block the Device IP of the router.

The Device IP of the router should be allowed on all ports. And no, all the Internet is *NOT* coming from the Device IP.

There is no ping happening from the ISP. Nothing can attack the LAN using the Device IP of the router, period.

NIS is not supposed to be blocking the Device IP of the router for any reason. The router is communicating with machines connected to it doing advertisements and other communications.

I suggest you configure NIS properly to deal with the router or get rid of it.

Reply to
Maximum Dog4

So, why exactly do you wonder? It's the purpose of NIS to throw random useless and sometimes wrong messages at you.

LOL, you don't even have any f****ng clue about TCP/IP.

You simply can't. Since there's no way to differentiate NIS' messages from random messages.

Reply to
Sebastian Gottschalk

Try turning off NAT.

Reply to
Hexalon

Yes, if things don't exactly meet what is expected, these products will scream that you are being attacked. The designer, and the person who misconfigured it should be shot for gross stupidity.

An application on one of your computers asked for a hostname to IP address lookup. The firewall allows a few seconds for the reply, and if no reply occurs, forgets that there was a question. The nameserver that is answering the question was slow, and replied a second or two after the firewall forgot the question, and the firewall thinks this is some new packet - not associated with anything, and SCREAMS THAT YOU ARE BEING ATTACKED!!! Idiots!

Perhaps you should get a real firewall instead of the toy.

That's funny - you also need a better log reader

"ping" is using a completely different protocol (ICMP). There are TCP and UDP versions, but no one uses those, because virtually no application exists to create them.

You really need to learn about the fundamentals of networking, or stop using such a crap "firewall". You're posting from a search engine named Google, perhaps you should use that for its primary purpose and search for the answer.

Old guy

Reply to
Moe Trin
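The sequence described in the post above (a DNS answer from 192.168.1.1 port 53 arriving after the firewall has forgotten the query), as an added sketch that is not part of the thread and not Norton's code. The timeout, the port-count threshold and the sample timings are assumptions chosen for illustration.

```python
# Toy stateful UDP filter: shows how late DNS replies turn into a "portscan".
# STATE_TIMEOUT, SCAN_PORTS and SCAN_WINDOW are assumed values, not NIS settings.
from collections import deque

STATE_TIMEOUT = 3.0   # seconds a query is remembered (assumed)
SCAN_PORTS = 3        # distinct local ports hit before alerting (assumed)
SCAN_WINDOW = 60.0    # seconds over which stray packets are counted (assumed)


class ToyFirewall:
    def __init__(self):
        self.pending = {}      # (local_port, remote_ip, remote_port) -> send time
        self.strays = deque()  # (time, remote_ip, local_port) of unmatched packets
        self.alerts = []

    def outbound(self, t, local_port, remote_ip, remote_port):
        """Record an outgoing UDP query so its reply can be matched."""
        self.pending[(local_port, remote_ip, remote_port)] = t

    def inbound(self, t, remote_ip, remote_port, local_port):
        """Classify an incoming UDP packet as 'reply' or 'unsolicited'."""
        sent = self.pending.pop((local_port, remote_ip, remote_port), None)
        if sent is not None and t - sent <= STATE_TIMEOUT:
            return "reply"
        # State expired (or never existed): the packet looks like a new probe.
        self.strays.append((t, remote_ip, local_port))
        while self.strays and t - self.strays[0][0] > SCAN_WINDOW:
            self.strays.popleft()
        ports = {p for _, ip, p in self.strays if ip == remote_ip}
        if len(ports) >= SCAN_PORTS:
            self.alerts.append((t, remote_ip, sorted(ports)))
        return "unsolicited"


def replay(events):
    """events: constructed (query_time, local_port, reply_delay) tuples."""
    fw = ToyFirewall()
    verdicts = []
    for t, port, delay in events:
        fw.outbound(t, port, "192.168.1.1", 53)
        verdicts.append(fw.inbound(t + delay, "192.168.1.1", 53, port))
    return verdicts, fw.alerts


# Constructed sample: four lookups from ephemeral ports, three answered late.
SAMPLE = [(0.0, 1033, 0.2), (10.0, 1871, 4.5), (20.0, 2406, 6.0), (30.0, 4312, 3.8)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Each late answer lands on a different ephemeral client port, so the third one trips the distinct-port counter even though every packet is a legitimate reply from the router's DNS proxy.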

Moe Trin wrote: ..

I've been seeing those for a long time - thanks for the explanation!

I have to turn off the firewall to clear its log. Is there some other way to clear the log for Win XP "firewall"?

Reply to
Rick Merrill

You're asking the wrong person about this. Old Moe Trin knows nothing about a PFW/personal packet filter and the features in them, particularly XP's FW. As I recall, he might not use the MS platform period.

Reply to
Maximum Dog5

Just to dig a bit: Is it possible to not misconfigure it? AFAICS it's not even possible to reference TCP states, thus you'll always end up with either a too strong or too lax configuration.

AFAIK they changed the wording a bit to not give reason for legal action. Still, there's no difference wrt. what impression the user gets.

SunOS 4 up to Solaris 8? TcpPing?

Reply to
Sebastian Gottschalk

You're welcome! It's been fairly well reported in this group among others. As you can tell, I'm not pleased with the crap designers who thought up that brain dead idea. In fact, the delayed response _could_ take tens of seconds as the DNS server asks recursively starting at the root servers. Each level _could_ be busy - this is especially the case with domains other than .com, or .net.

Sorry - I got rid of windoze before they invented the Internet, or whatever they claim to have done. The only microsoft products in the house are two old "Dove Bar" mice, which my wife prefers.

Old guy

Reply to
Moe Trin
