Re: Port scans through NAT router?


comp.security.firewalls archive


From: Duane Arnold <NotMe@NotMe.com>
Date: Sat Jan 28 2006 - 15:30:21 CET

ohaya wrote:
>
> Dom wrote:
>
>>>I thought that if I didn't map a given port in the Netgear, that the
>>>router would have nowhere to route any traffic on any unmapped ports?
>>
>>True. What is the nature of the traffic? Source/destination addresses
>>and ports.
>
>
>
> Hi,
>
> Thanks for the responses. Please, I hope that this thread can be kept
> civil.
>
> I'm going to respond to all of the posts (which I'm grateful for) in one
> post. I hope that this is ok.
>
> The RT314 is an older Netgear product. It does not have SPI.
>
> In the configuration, there's a port mapping function/menu, where I can
> specify when a port or range of ports (e.g., 2000-3000) should be mapped
> to one of my "inside" IP addresses, which are on the 192.168.0 subnet.
>
> From the Sygate security log, it looks like the scans are coming from
> outside, and when I do a backtrace in Sygate, the source of the scan
> varies.
>
> "Somebody is scanning your computer.
> Your computer's TCP ports:
> 1166, 1177, 1183, and 1234 have been scanned from 195.37.77.141.."
>
> I've put 2 BMPs showing the Sygate security log and backtrace at:
>
> http://members.cox.net/ohaya/sygate1.bmp
>
> http://members.cox.net/ohaya/sygate2.bmp
>
> I think that the Sygate log indicates that this is TCP traffic, and not
> UDP.
>
> BTW, as I think that I mentioned, I was also under the (possibly wrong)
> impression that the router would not route packets to any inside IP
> address unless a mapping was set up. That was the main reason for my
> post.
>
> I think, but am not 100% sure that the times that I got this port scan
> warning, that I was in the process of visiting a website that seemed to
> have been associated with (at least) the same DNS domain name as the
> source of the port scan (e.g., see the BMP for the backtrace).
>
> If I am visiting a website, say http://www.foo.com, is there some way
> for port scans to ride back into my NAT'ed network "on top of" the
> outgoing HTTP connection?
>
> I hope that I've responded with enough additional info.
>
> Thanks again!
>
> Jim

I can only tell you in the post that I made as to what was happening in
my situation where that Linksys NAT router didn't have SPI and probes
came through it with BlackIce sounding off about the probes coming
through it.

I'll try to be civil about it. But I don't need some *clown* telling me
about what was happening on my network just because the *clown* has not
experienced it.

Duane :)
Received on Tue Feb 7 20:58:03 2006