Netgear portscanning me?

I have a Netgear DG834 v2 adsl modem/router.

It works well.

My question is why would my local Norton firewall report that the router portscanned me? The report says that network traffic from the Netgear matches the signature of a known attack.

Attacking Computer : 192.168.0.1, 53
Action Taken : Block
Destination Address : 192.168.0.2, 55841
Traffic Description : UDP, 53

Am I right in guessing that the, e.g. 53, is a port? And isn't port 53 used for DNS? What is the Netgear doing and should I be worried?

Thanks for any light shed on this.

Reply to
Tam

Your PC sent a DNS request to the router. The router sent back a reply. It is normal.

PS. Norton - specifically, stuff designed for home users - often causes problems. For 99% of people who don't need/want to monitor or block outgoing data, the in-built Windows (XP SP2/Vista) firewall works fine. A firewall isn't usually necessary if you are behind a NAT router, as it likely has its own firewall.

Reply to
Kris

request to the router then it would of course pass through the Norton firewall. In that case the firewall should 'remember' that the request was sent and handle the reply when it comes. It is stored in the state table, huh?

Which would make the communication the Norton reported as totally unsolicited? Am I off the mark here?

Also... I do like to run a local firewall in addition to the firewall built into the router. It's handy for monitoring what is going out and will alert me to x, y and z program trying to access the net, which is handy indeed for programs/spyware that is communicating with the outside world (or, attempting to... off with its head :))

Reply to
Tam

Almost correct. The PC sent a DNS request. The router isn't a full source of information about everything in the world, and has to pass the request along to others. This takes time. Norton figured after a second or two that it wasn't going to get an answer, and marked that connection attempt as dead. When the router finally did get an answer and responded, Norton had forgotten that it had asked, and wanting to impress the O/P, announced that it had BLOCKED AN ATTACK!!!

This is mainly because Norton was set in the most paranoid mode. The world isn't as simple as the paranoid mode requires, and Norton winds up looking like the "boy who cried wolf".

Agreed, but how is Norton supposed to sell crap if that were the case?

Yes, but only for a limited time. Whoever configured the firewall set the time too short. You could file a bug report with Norton, and maybe they'll look into correcting the problem. (I doubt it, as this problem has been going on for years - you need only use the search engine you are posting from as a search engine.)

Web Results 1 - 10 of about 226,000 for Norton blocked attack 53 UDP. (0.12 seconds)

No, it merely means that Norton has been configured to forget things that don't happen right away. If you read the RFCs (for example, section 5.1 of RFC1034), you might find that a DNS response can literally take several seconds. The industry standard nameserver (ISC BIND) is normally set for a five second timeout. You must understand that every server in the world isn't waiting patiently to serve only you. As of the middle of last month, there are 82,000 networks in the world which translates to about a quarter million name servers - do you know the right one to ask your question? Oh, and there are about 2,533,552,588 IPv4 (the kind you are using) addresses to keep track of.

Why are you installing spyware, viruses, and other trojans? Or do you think there is a "Malware Fairy" that flutters by, waves her magic wand when you aren't looking, and Hey Presto, your computer is infected?

Old guy

Reply to
Moe Trin

Though I regard Norton as complete and useless crap, I do admit that finding acceptable timeout values for UDP answer packets is a bit of a problem for any stateful packet filter implementation, because UDP is a stateless protocol. TCP connections are easier to handle for a filter because of flags and sequence numbers.

Wolfgang

Reply to
Wolfgang Kueter

Having a 2nd firewall secures your PC and limits the spread of any malware should it ever get behind the NAT firewall. If you don't have wireless and never allow a laptop on your network it's probably not an issue. But imagine a laptop that gets infected while somewhere else, then connects to your network. If you're relying solely on the NAT firewall, your whole network just got compromised.

Or imagine all those poor saps who thought WEP would secure their wireless LAN. Anyone driving by with the right software could get behind the NAT firewall in minutes.

IMO every computer on the network should have its own firewall in addition to the NAT firewall.

Reply to
Chuck

Unfortunately no.

Better configure your systems correctly.

Yours, VB.

Reply to
Volker Birk

Double firewalling is standard industry practice. Do you disagree? If so I hope you are not working as a network administrator.

Reply to
Chuck

Yes.

Especially the "Personal Firewall" nonsense is counter-productive. I don't have any problems with the Windows-Firewall, though, if it's configured correctly.

I do not. I'm CTO ;-)

Yours, VB.

Reply to
Volker Birk

To achieve what? Aside from increased sales for personal firewall vendors, that is.

Well, I for one most certainly do.

M-hm. You have some arguments to go with that opinion of yours?

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Arguments? Sure. Any PC on your LAN that does not have a software firewall is vulnerable if any other machine gets infected with a WORM or gets hacked. It's that simple. Remember that DNS corrupting worm from about 2 years ago? An awful lot of network admins learned the hard way about double firewalling that day, didn't they?

You can choose to disagree that double firewalling is standard industry practice, but that does not change the fact that it is. A simple google of "is double firewalling a standard industry practice" returns over a million hits.

Reply to
Chuck

So tell me: how did that other machine get hacked or infected with a worm in the first place? And how does the software firewall protect the ports you need to be open in your LAN? (because most certainly any other port would be closed and thus not exploitable, wouldn't it?)

Frankly, no, it ain't.

No. What "DNS corrupting worm" are you talking about?

M-hm. In my network the systems are kept up to date, they don't have services running they're not supposed to, and the network is properly segmented with firewalls on the boundaries. So tell me again: what exactly do I need double firewalling for? Other than increasing the vendors' revenue, my network's complexity, and my own workload?

A million flies ...

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

It's just simply wrong.

Yours, VB.

Reply to
Volker Birk

You've obviously not been in IT very long.

Reply to
Chuck

The OP was talking about a SOHO network with a single switch/router. One segment only. In such an environment double firewalling is essential if there is the possibility of an infected PC being added to the network.

The worm I was referring to is documented here:

formatting link
I referred to it incorrectly as a DNS corrupting worm because in the environment where I work it was windows 2000 based DNS servers that were affected. The point however is still valid. If these servers had been properly firewalled they would not have been affected.

Reply to
Chuck
[...]

Amusing. You're talking about a person, who probably has more experience and deeper insights than most of the people here in the group, with small exceptions.

In German: "Jeder macht sich so lächerlich, wie er kann."

Trying to translate that for you: "You're making a fool out of yourself as good as you can" ;-)

Chuck, perhaps you could work on your arguments a little bit. Maybe they're not as close to perfect as they could be :-))

Yours, VB.

Reply to
Volker Birk

If these servers wouldn't have offered network services to the Internet they should not offer, no firewalls would have been needed.

These worms are why I hacked

formatting link
at this time.

The problem is not that those servers needed firewalling. The problem is that Microsoft failed and has to answer for all this damage, because it's completely moronic to offer unneeded network services which are potentially vulnerable, and to make this the default and even make it complicated to stop that.

To be clear:

What we're talking about is worm-rbot.cbq.

| Name: W32/Rbot-CBQ
| Type: Worm
| How it spreads: Network shares
| Affected operating systems: Windows

BTW:

| What this worm has to do with DNS: completely nothin' ;-)

It's completely idiotic to enable network shares to the Internet. Just disable them => no firewalling needed.

Yours, VB.

Reply to
Volker Birk

The timeout IF YOU FEEL THAT YOU NEED THIS should be based on the way DNS works, not the way UDP works. A sane resolver setup will try to query a name server and wait a few seconds for a reply of some kind. It is possible that the server queried MIGHT be down at the moment. In *nix, this query is allowed to wait five seconds before the resolver tries a second query to a different server. If the second (and possibly third) query fails, the resolver again tries the "first" name server, and this time waits twice as long - ten seconds. Is that a realistic timeout for a firewall? Probably not, but it's a hint from people who know how the Domain Name Service works.

Except in special circumstances, ALL DNS traffic uses UDP, which is a connectionless protocol. At the protocol level, there is no indication that a remote system has replied to you, and no indication to the remote system that you received OR DID NOT RECEIVE a packet it sent. Thus, all timeouts are handled by the _application_ and not the UDP network.

The other problem users never think about is that no name server knows about all hosts. When your resolver "asks a question", the name server you ask will look to see if it knows the answer (is the data cached). If not, it has to ask from the root domain on down in a multi-step process. The question "what is the address of FOO.BAR.BAZ.QUX.COM" starts by asking one of the root servers - the reply comes back ".COM - ask the .com nameservers at [3 to 12 possible IP addresses]". Your name server asks one of those, and gets told ".QUX.COM - ask the qux.com name servers at [2 or more addresses]". Your name server asks one of them, and is told to ask the .baz.qux.com nameservers at another set of addresses - and when you finally find the addresses of the .bar.baz.qux.com nameservers, THEY will tell you the IP address you have been searching for. In this case, that's five UDP packet exchanges that have to work. (In fact, most name servers have cached at least many of the addresses of the top level name servers, so you can probably skip that first query.)

Those users who are in domains like demon.co.uk, t-ipnet.de, tiscali.fr and similar may realize that not all of the world is a .com or .net or similar. In fact, there are 8 top-level domains with four letters (such as .info or .arpa), 12 top-level domains with three letters (such as .com or .edu), and 253 top-level domains of two letters. There are also two (rarely used) top-level domains of SIX letters (.museum and .travel) for a total of 275 top level domains in official Internet namespace.

See RFC1035 - the header of a DNS query and response has a sequence number in the first two octets of the query and response. These so-called firewalls _could_ inspect those numbers if they wanted to, but that's too much work. Likewise, this crap software screams about attacks, and they _could_ do something to protect the user from further attacks by simply blocking the "attacking" host for an hour or two - wonder why the brane-ded a$$holes who create these programs didn't implement that. Maybe they know they are lying when they report this stuff as an attack. Too bad the users don't understand the joke.

Old guy

Reply to
Moe Trin
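The state-table behaviour Moe Trin describes in both of his posts (a query remembered for too short a time, and the transaction ID in the first two octets of the DNS header that a filter could match on) can be modelled in a few lines. The following is an added example written for this thread, not code from any poster or from Norton: a toy stateful filter for UDP/53 that remembers outbound queries by client port and transaction ID and admits only a matching reply that arrives within its timeout. The addresses and port are the ones from the original report; the packets and the `simulate` helper are constructed here.

```python
import struct

# Transaction ID and QR flag from the first four octets of a DNS header (RFC 1035, 4.1.1).
def dns_txid_and_qr(payload):
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)

def build_query(txid, name):
    """Constructed sample: a standard A query with one question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

class DnsStateTracker:
    """Stateful filter for UDP/53: remembers outbound queries, admits only matching replies."""
    def __init__(self, timeout_seconds):
        self.timeout = timeout_seconds
        self.pending = {}  # (client_ip, client_port, server_ip, txid) -> time query was seen

    def outbound(self, src_ip, src_port, dst_ip, payload, now):
        txid, is_response = dns_txid_and_qr(payload)
        if not is_response:
            self.pending[(src_ip, src_port, dst_ip, txid)] = now

    def inbound(self, src_ip, dst_ip, dst_port, payload, now):
        """'allow' if this reply matches a remembered query that has not expired, else 'block'."""
        txid, is_response = dns_txid_and_qr(payload)
        sent_at = self.pending.pop((dst_ip, dst_port, src_ip, txid), None)
        if not is_response or sent_at is None:
            return "block"  # no query on record (or wrong transaction ID): unsolicited
        if now - sent_at > self.timeout:
            return "block"  # state already expired: the false 'attack' the thread describes
        return "allow"

def simulate(timeout_seconds, reply_delay, reply_txid=0x1A2B):
    """192.168.0.2:55841 queries the router at 192.168.0.1:53; the reply arrives after reply_delay."""
    tracker = DnsStateTracker(timeout_seconds)
    query = build_query(0x1A2B, "example.com")
    tracker.outbound("192.168.0.2", 55841, "192.168.0.1", query, 0.0)
    reply = struct.pack("!HH", reply_txid, 0x8180) + query[4:]  # QR=1, RD, RA; same question
    return tracker.inbound("192.168.0.1", "192.168.0.2", 55841, reply, reply_delay)

if __name__ == "__main__":
    print(simulate(1.0, 2.5))                     # short timeout, slow upstream: block
    print(simulate(5.0, 2.5))                     # BIND-style 5 s timeout: allow
    print(simulate(5.0, 0.2, reply_txid=0x1A2C))  # wrong transaction ID: block
```

With a one-second timeout the legitimate but slow reply is classified exactly as the Norton log above shows; with the five-second value the thread cites, the same reply is matched to its query and allowed.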

These questions still stand.

[...]
[...]

I fail to see what kind of threat that "infected PC" would pose to properly configured and patched systems on the same network segment. Please elaborate.

That was a Zotob variant. Microsoft released a patch for the exploited vulnerability a week earlier, and filtering that crap at the network boundary would most certainly have prevented an infection (see MS Security Bulletin MS05-039 [1], section "Vulnerability Details"). I fail to see any need for personal firewalls on any computer in the LAN because of this.

[1]
formatting link
cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Not mine, neither any I have configured. Why should it?

I don't remember running an unpatched Microsoft DNS server. I can only remember running an always patched and well-secured BIND, and that's just because of my special needs.

No, they didn't.

A search for "kill all jews" also returns over a million hits. You command, Sir!

Reply to
Sebastian G.
