Port 2967

Hi,

I have noticed a large number of TCP attacks on port 2967 being dropped by my firewall. This appears to be associated with Symantec SSC Agent whatever that does.

Are others seeing this also?

Reply to
JC

Read some news, will ya?

Reply to
Sebastian Gottschalk

look for yourself


Reply to
Bit Twister

First of all, ignore SG. He's a dick. Actually, since he acts like a dick in the newsgroups, he probably doesn't have one.

Yeah, I've been getting a few dozen hits a day, too.

Reply to
ASMx4

First of all, ignore ASMx4. He's a dick. He tells you to ignore other people for no good reason, and he's spamming around with an invalid eMail address.

Fine. Means: You don't have an explanation either. Means: You're also too dumb/stupid/lazy to STFW.

Reply to
Sebastian Gottschalk

JC wrote:

I do get a couple of dozen or so, all is coming from this NODEX-NET in Russia.

83.243.77.59 and 83.243.77.241 account for the biggest part of them.

inetnum: 83.243.72.0 - 83.243.79.255
netname: NODEX-NET
org: ORG-NL22-RIPE
descr: Fiber Optic Network
country: RU

Would it help to block the route-address? route: 83.243.72.0/21

Reply to
Anders

I am receiving them from a number of Asian IP address ranges and some European IP address ranges. So far nothing from the addresses above.

Reply to
JC

Yes, it would help reduce your connectivity for no good reason.

Reply to
Sebastian Gottschalk

I find this article about the TCP traffic on the port.


Reply to
Anders

In what way will "my" connectivity be reduced? I am not the one trying to connect to myself.

Reply to
Anders

You're blocking this subnet. Thus, you cannot connect to these computers when you actually want something from them (f.e. via P2P file sharing).

What's that supposed to mean? You're behaving as if unsolicited connection attempts would be malicious, rather than being the normal modus operandi of many protocols spoken on the internet.

Reply to
Sebastian Gottschalk

I don't have interest in P2P or any type of file sharing with Russia.

It means that I block traffic from (not to).

I have a small LAN merely for Sweden and Swedish users, meaning that I actually am blocking anything that does not fit that. So if I see traffic from countries known for misbehaving, like spam or things like trying to make connections where there should not be any, they are blocked out.

Reply to
Anders

You should only allow access to what you want access to, and that means you could block access to that entire subnet. Maybe he doesn't need anything from Amsterdam.

The first rule of network security is block everything and then allow what is really needed.

Unsolicited connections can be, and often are, a probe to determine if there is something to connect to. In most cases, unless you are working with customers outside of your country or area, it's perfectly fine to block access to/from many countries' subnets - while it's not perfect, it does cut down on the probes, traffic, and attempts at malicious activity.

I block about 30 subnets (/24 /16 /8) in most of our firewalls because we've seen what they are attempting - such as nodes in China accessing our FTP ports, trying for hours to connect, when they have no business reason to connect to our FTP servers.

Reply to
Leythos
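
The two posts above (Anders asking whether blocking the 83.243.72.0/21 route would help, Leythos describing blocking subnets seen probing) come down to one question a defender can answer from the firewall log: how many of the dropped port 2967 probes would a single route block actually cover? The script below is an added example, not code from the thread; the netfilter-style log lines are constructed, reusing the two source addresses and the /21 Anders quoted.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of firewall drop lines in iptables/netfilter syslog style
# (not from the thread; the two busiest sources Anders named are reused).
SAMPLE_LOG = """\
Jan 12 03:14:07 gw kernel: DROP IN=eth0 SRC=83.243.77.59 DST=192.0.2.10 PROTO=TCP SPT=4312 DPT=2967 SYN
Jan 12 03:14:09 gw kernel: DROP IN=eth0 SRC=83.243.77.241 DST=192.0.2.10 PROTO=TCP SPT=2044 DPT=2967 SYN
Jan 12 03:15:31 gw kernel: DROP IN=eth0 SRC=83.243.77.59 DST=192.0.2.10 PROTO=TCP SPT=4313 DPT=2967 SYN
Jan 12 03:16:02 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=2967 SYN
Jan 12 03:16:44 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=2967
Jan 12 03:17:10 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1026 DPT=445 SYN
"""

# Pull source address, protocol and destination port out of one log line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def tcp_probes(log_text, port=2967):
    """Count dropped TCP connection attempts to <port>, keyed by source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("proto") == "TCP" and int(m.group("dpt")) == port:
            hits[m.group("src")] += 1
    return hits


def route_coverage(hits, route):
    """Split the probe counts into (inside route, outside route), so the share
    that blocking one route (e.g. 83.243.72.0/21) would cover is explicit."""
    net = ipaddress.ip_network(route)
    inside = sum(n for ip, n in hits.items() if ipaddress.ip_address(ip) in net)
    return inside, sum(hits.values()) - inside


if __name__ == "__main__":
    hits = tcp_probes(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip:16} {n}")
    inside, outside = route_coverage(hits, "83.243.72.0/21")
    print(f"inside route: {inside}, outside route: {outside}")
```

On the constructed sample, three of the four TCP/2967 probes fall inside the /21 and one does not; the UDP line and the port 445 line are correctly ignored.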

"f.e." means "for example". What about websites hosted somewhere in this subnet? What about eMail?

BTW, you later stated that you're just administrating the net for the users. What if they want to do P2P?

OK, and WHY? Because they're gently asking whether you've some service running? Utterly stupid!

Except that these connections should be there. And that your reasoning is flawed, since it doesn't solve anything, but creates negative side effects (especially for the users).

Reply to
Sebastian Gottschalk

Sebastian - your entire concept of security is flawed. If something is probing your network that you don't want to probe it, then by all means it should be blocked.

There is no reason to allow access to ports from unknown sources "just because". There is no reason to allow a network access to the entire internet "just because".

If there is no reason to allow users access to Amsterdam, then why allow it. All open access does is permit exploits that may or may not be there now or sometime in the future.

It's really funny that you don't understand the first rule of security - only allow access to what is "Needed".

Reply to
Leythos

It's a great way to make rules so that in the end you only have from, in my case, Sweden. You seem to lack the understanding of how, and where, the blocking is done. It is not a rule set on the Internet or at my ISP, it is a rule in my firewall, meaning that if I want to connect to some subnet (that is in my rule-set) I will get that connection, because the rule is for incoming, not outgoing.

And I don't want to win millions of $ or ?.

Yes, but there is nothing that state that I have to allow it on my LAN.

Reply to
Anders

Leythos wrote:

Amen =)

Reply to
Anders

I like the "because they're GENTLY ASKING".... Yea, and the SQL Slammer worm was gently asking if port 1433/1434 was open, as were the worms that exploited IIS/Apache flaws....

If it probes you and you don't need it to have access to your network, then block it - it's a basic concept.

And you should block it at your firewall, always, unless you have a business/personal need.

--

snipped-for-privacy@rrohio.com remove 999 in order to email me

Reply to
Leythos

Leythos wrote:

In this case I think it is some sort of a worm or malware, because probing the port 2967 on TCP is no normal activity.

Reply to
Anders

Symantec Client Communication uses 2967.

Rtvscan makes a request to Winsock for TCP port 2967 on IP-based networks. This is the only port needed for default client-to-server communication. On NetWare servers, Rtvscan.nlm listens on TCP port 2968.

It would seem that the host is trying to take control of a Symantec Exploit that was patched a long time ago, but, hey, it's "Gently" asking :)

More details listed above - and hey, it's just gently probing for an exploit :)

Reply to
Leythos
