Re: Some help interpreting log snipped please?
comp.security.firewalls archive

From: Moe Trin <ibuprofin@painkiller.example.tld>
Date: Sun Dec 04 2005 - 19:01:43 CET

On Sun, 4 Dec 2005, in the Usenet newsgroup comp.security.firewalls, in article
<dmu0pd$pvs$1@domitilla.aioe.org>, watson wrote:

> Moe Trin wrote
>
>> watson wrote:

>I thought windows sharing was part of their network protocols and I only
>have dialup tcp/ip installed. But I will double check, this is a new
>machine/setup.

Dialup is networking. Microsoft makes no differentiation between dialup,
wireless, or Ethernet. They assume you want to share your system with any
computer you can connect to in any way.

>>>Why am I getting udp blocks incoming and outgoing from addresses from
>>>other networks?
>>
>> Clueless people running a fools operating system.

>This OS is only installed as one of what will be several OS's including
>BSD. Only reason I installed wincrap is that there are some software
>packages that only run on this and I am most familiar with it. But my
>intention is to shift to another OS ASAP.

http://www.catb.org/~esr/faqs/smart-questions.html

Include details that the people need - O/S, distribution and version, and
so on. While there are only a handful of BSDs (such as FreeBSD, NetBSD and
OpenBSD), there are at least 20 different branded UNIX, and over 380 Linux
distributions - never mind the Mac O/S. All have different warts.

>I thought I just forgot to add it. Here it is, sorry for the confusion;
>can you take a look and confirm what is happening here?

OK, I put this into a file so I could look at it - let's look first at the
sources:

[compton ~]$ grep In ZZZ | cut -d',' -f2 | cut -d':' -f1 | sort -un
4.240.123.247
4.240.150.93
61.233.41.180
218.66.104.208
[compton ~]$

The two 4.240.x.x addresses resolve to Dial1.Phoenix1.Level3.net which is
a point of presence provider (they rent dialup service to ISPs - here, this
is the Phoenix Arizona market). The other two are Chinese blocks.
61.232.0.0 - 61.237.255.255 is the China Railway Telecom Center, while
218.66.0.0 - 218.67.127.255 is CHINANET Fujian province network. While both
are official arms of the Chinese government (Railway Administration and Army
respectively), they act as commercial ISPs, providing connectivity to Chinese
businesses. Most of what we see outside of China is fast buck artists selling
IP space to anyone. That mainly means spammers.

[compton ~]$ grep Out ZZZ | cut -d'>' -f2 | cut -d':' -f1 | sort -un
4.240.123.247
4.240.150.93
209.244.0.3
218.66.104.208
[compton ~]$

The new one here (209.244.0.3) is resolver1.level3.net, a name server.
 
The Chinese stuff is all windoze messenger spam - not much you can do to
prevent it from wasting your bandwidth (my recent experience, it's about
1000 packets a day - about a half megabyte). All you can do is DROP
(ignore) the packets. While I call this 'Chinese', UDP source addresses
(especially messenger spam like this) are often faked. Last month, I ran
logging for a week (tcpdump -n udp and not port 53 >> /tmp/udp.watch) and
while looking at the claimed source addresses, noted such blocks as 1.x.x.x
and 94.x.x.x, neither of which were ever released by IANA.

The stuff between you and the two 4.240.x.x dialups is two windoze boxes
attempting to share. I'd strongly recommend disabling that. Then you will
be left with other systems waving their undies at you on ports 135, 137-139
and 445 yelling 'Hello Sailor'. Best thing to do there is to block it,
either DROP (ignore) or REJECT (reply with a 'FOAD' packet).

Bottom line - another day contaminated by open windoze boxes and messenger
spam. Nothing new.

        Old guy
Received on Sun Dec 11 14:24:13 2005
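The triage the post walks through (pull the remote address per direction with grep/cut, recognise the messenger spam and the Windows-sharing noise by port, and treat claimed UDP sources in unallocated space as suspect) as one added example. This is not code from the original post or the poster's own tooling. The log sample is constructed in an assumed format, since the real "ZZZ" log is not shown; the port set for messenger spam (UDP 1026-1029) and the list of /8 blocks unallocated in December 2005 are assumptions labelled in the comments.

```shell
#!/bin/sh
# Added example, not from the original post or the poster's own tooling.
# Reproduces the triage in the post on a constructed log sample: pull the
# remote address per direction, bucket blocked packets by destination port,
# and flag claimed sources in address space that was reserved or unallocated.

# Constructed sample in an ASSUMED format (the real "ZZZ" log is not shown):
#   <date> <time> <In|Out> <proto>,<src>:<sport>><dst>:<dport>,<action>
sample_log() {
cat <<'EOF'
Dec 04 10:15:02 In UDP,61.233.41.180:1032>4.240.150.93:1026,DROP
Dec 04 10:15:03 In UDP,218.66.104.208:1040>4.240.150.93:1027,DROP
Dec 04 10:16:11 In TCP,4.240.123.247:3241>4.240.150.93:445,DROP
Dec 04 10:16:12 In UDP,4.240.123.247:137>4.240.150.93:137,DROP
Dec 04 10:17:40 Out UDP,4.240.150.93:1051>209.244.0.3:53,ALLOW
Dec 04 10:18:05 Out UDP,4.240.150.93:137>4.240.123.247:137,DROP
Dec 04 10:19:30 In UDP,1.2.3.4:1032>4.240.150.93:1026,DROP
EOF
}

# Bucket each line by destination port. Port sets are assumptions:
#   messenger spam  -> UDP 1026-1029 (Windows Messenger service popups)
#   windows sharing -> 135, 137-139, 445 (the ports named in the post)
#   dns             -> 53
# Reads the log on stdin, prints "category count" sorted by category.
classify() {
    awk -F',' '
    {
        split($1, head, " ")          # head[4]=In|Out, head[5]=proto
        split($2, ends, ">")          # ends[1]=src:port, ends[2]=dst:port
        split(ends[2], dst, ":")
        proto = head[5]; dport = dst[2] + 0
        if (dport == 53)
            bucket = "dns"
        else if (proto == "UDP" && dport >= 1026 && dport <= 1029)
            bucket = "messenger-spam"
        else if (dport == 135 || (dport >= 137 && dport <= 139) || dport == 445)
            bucket = "windows-sharing"
        else
            bucket = "other"
        count[bucket]++
    }
    END { for (c in count) print c, count[c] }' | sort
}

# First octets of /8 blocks IANA had NOT allocated as of December 2005, the
# date of the post (the post names 1.x.x.x and 94.x.x.x). Constructed partial
# list; it is stale today (1/8 went to APNIC in 2010, 94/8 to RIPE NCC in
# 2007), so regenerate it from the IANA ipv4-address-space registry.
UNALLOCATED_2005="1 2 5 27 31 36 37 39 42 94 95 100 101"

# True (exit 0) when the address's first octet is reserved (0/8, 10/8, 127/8,
# 224/4 multicast and 240/4) or was unallocated above. /8 granularity only:
# a spoofed source inside an allocated /8 is not caught.
is_bogon() {
    first=${1%%.*}
    case " 0 10 127 $UNALLOCATED_2005 " in
        *" $first "*) return 0 ;;
    esac
    [ "$first" -ge 224 ]
}

# The post's own extraction pipeline for incoming lines, then filter the
# unique claimed sources through is_bogon. Reads the log on stdin.
bogon_sources() {
    grep ' In ' | cut -d',' -f2 | cut -d':' -f1 | sort -un |
    while read -r addr; do
        if is_bogon "$addr"; then printf '%s\n' "$addr"; fi
    done
}

sample_log | classify
printf 'claimed sources in reserved/unallocated space:\n'
sample_log | bogon_sources
```

On the constructed sample this reports one DNS lookup to the resolver, three messenger-spam probes (one of them claiming a 1.x.x.x source, which the bogon check catches) and three Windows-sharing packets to and from the neighbouring dialup. The bogon list is the weak part of any such check: it only works at /8 granularity and must be regenerated from the current IANA registry, since every block named here has since been allocated.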