
frankenfeet
RIP Ziggy
Premium
join:2001-10-14
Smiths Grove, KY
·Insight Communicat..

I keep getting port scanned!

Here's my current setup. I'm running XP Pro w/ SP2. I have Sygate Pro as a software firewall, and I'm behind a router (Netgear WGT 624 v3). I've got Sygate set up so that it sends out an email when my PC has security issues. Over the past month or so I'm getting these emails from Sygate that look like this.

The last string of digits of the remote host's IP vary. Any idea what this is, or how it's getting past my router? I'm certain I don't have any sort of malware or virus.

--
ƒ ℜ λ η κ ε ℵ ƒ € ∃ †


caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
Spokane, WA
·WebBand

Well, here's the WHOIS lookup:


Now, that doesn't mean GNAX is to blame, that's just the owner of that IP range. Are you connected to GNAX in any way?

UDP is a stateless protocol, so it's kinda weird that it'd be an average portscan.

More info:

»www.auditmypc.com/freescan/readi···ning.asp

UDP Scanning

Port scanning usually means scanning for TCP ports, which are connection-oriented and therefore give good feedback to the attacker. UDP responds in a different manner. In order to find UDP ports, the attacker generally sends empty UDP datagrams. If the port is listening, the service should send back an error message or ignore the incoming datagram. If the port is closed, then most operating systems send back an "ICMP Port Unreachable" message. Thus, you can find out if a port is NOT open, and by exclusion determine which ports are open. Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives).

Also, this scanning technique is slow because of compensation for machines that implement the suggestions of RFC 1812 and limit ICMP error message rate. For example, a kernel may limit destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded.

Some people think UDP scanning is pointless - not so. Sometimes for example, Rpcbind can be found hiding on an undocumented UDP port somewhere above 32770. So it doesn't matter that port 111 is blocked by the firewall. But can you find which of the more than 30,000 high ports it is listening on? With a UDP scanner you can.


More likely, Sygate is having an FP.

-CaFF

--

My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages


frankenfeet
RIP Ziggy
Premium
join:2001-10-14
Smiths Grove, KY
·Insight Communicat..

I'm not connected to GNAX. That doesn't mean I wasn't connecting to them at some other point, like maybe gaming or something. Any idea how this is getting through my router? I do have the router set up to respond to internet pings though.
--
ƒ ℜ λ η κ ε ℵ ƒ € ∃ †


Steve
SAS-70 is extortion
Consultant
join:2001-03-10
Tustin, CA

reply to frankenfeet
Is it just me, or is the OP's software providing a useless report? "UDP Port scan" doesn't mean anything without the details, and that just contributes to clutter or "OMG!" responses.

However, because I'm apparently smarter than Sygate, I can tell from here that this is specifically benign behavior: it's UDP-based traceroutes originating from a Routescience route optimizer.


Ignore it.

--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T Midwest

Is it just me, or is the OP's software providing a useless report?
Useless? Not at all.

Look at the facts. The report has scared the hell out of the OP. It has made him glad he is protected by that software.

Useless for security, sure. But a damn good marketing effort to keep the customers spending money on a product that they don't need.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T Midwest

reply to frankenfeet
Any idea how this is getting through my router?
There is no evidence that anything untoward is getting through your router. The chances are that your system sent a UDP packet, and this was a response. We cannot guess much beyond that, because your report has nothing useful about the event, not even the local and remote port numbers.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12
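An added example, not code from this thread, from Sygate, or from any poster: a small Python classifier over constructed firewall log lines that applies the three explanations given above (the quoted description of UDP scanning, Steve's UDP-traceroute diagnosis, and nwrickert's point that an inbound UDP packet is most likely a reply to something the PC sent). The log format, the reply window, the scan threshold and the low-arriving-TTL heuristic for traceroute probes are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "time dir proto src:sport dst:dport arriving_ttl" (assumed format).
SAMPLE_LOG = """\
2008-03-25T10:00:00 OUT UDP 192.168.1.10:53012 192.0.2.53:53 64
2008-03-25T10:00:00 IN  UDP 192.0.2.53:53 192.168.1.10:53012 55
2008-03-25T10:01:00 IN  UDP 203.0.113.7:43210 192.168.1.10:33434 1
2008-03-25T10:01:01 IN  UDP 203.0.113.7:43210 192.168.1.10:33435 2
2008-03-25T10:01:02 IN  UDP 203.0.113.7:43210 192.168.1.10:33436 3
2008-03-25T10:05:00 IN  UDP 198.51.100.9:6000 192.168.1.10:53 60
2008-03-25T10:05:00 IN  UDP 198.51.100.9:6000 192.168.1.10:161 60
2008-03-25T10:05:01 IN  UDP 198.51.100.9:6000 192.168.1.10:500 60
2008-03-25T10:05:01 IN  UDP 198.51.100.9:6000 192.168.1.10:1434 60
2008-03-25T10:05:02 IN  UDP 198.51.100.9:6000 192.168.1.10:137 60
"""
TRACEROUTE_PORTS = range(33434, 33535)   # classic UNIX traceroute destination ports
REPLY_WINDOW = timedelta(seconds=30)      # how long an outbound flow "owns" a reply
SCAN_THRESHOLD = 5                        # distinct local ports probed by one source => scan

def parse(line):
    ts, direction, proto, src, dst, ttl = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return dict(ts=datetime.fromisoformat(ts), dir=direction, proto=proto,
                sip=sip, sport=int(sport), dip=dip, dport=int(dport), ttl=int(ttl))

def classify(log_text):
    """Return {remote_ip: label} for every remote host that sent inbound UDP."""
    outbound = {}                     # (local_ip, lport, remote_ip, rport) -> time sent
    ports_seen = defaultdict(set)     # remote_ip -> distinct local ports it hit unsolicited
    labels = {}
    for ev in map(parse, log_text.splitlines()):
        if ev["proto"] != "UDP":
            continue
        if ev["dir"] == "OUT":
            outbound[(ev["sip"], ev["sport"], ev["dip"], ev["dport"])] = ev["ts"]
            continue
        # Stateful check: does this inbound packet answer a flow we opened recently?
        sent = outbound.get((ev["dip"], ev["dport"], ev["sip"], ev["sport"]))
        if sent is not None and ev["ts"] - sent <= REPLY_WINDOW:
            labels.setdefault(ev["sip"], "reply-to-our-own-packet")
            continue
        ports_seen[ev["sip"]].add(ev["dport"])
        if ev["dport"] in TRACEROUTE_PORTS and ev["ttl"] <= 3:
            labels[ev["sip"]] = "udp-traceroute-probe"   # probes arrive with TTL nearly spent
        elif len(ports_seen[ev["sip"]]) >= SCAN_THRESHOLD:
            labels[ev["sip"]] = "udp-port-scan"          # many closed ports => ICMP unreachables
        else:
            labels.setdefault(ev["sip"], "unsolicited-udp")
    return labels
```

A report that carried the local and remote ports and the arriving TTL, as nwrickert asks for, is what makes this triage possible at all.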


frankenfeet
RIP Ziggy
Premium
join:2001-10-14
Smiths Grove, KY
·Insight Communicat..

reply to frankenfeet
Sorry, I wasn't trying to overreact. I was just worried that incoming packets were getting through to the point where my software firewall was intercepting them. I assumed that the router would stop unsolicited packets. I think I get it now though. Thanks for the replies.
--
ƒ ℜ λ η κ ε ℵ ƒ € ∃ †


EGeezer
Spring is here
Premium
join:2002-08-04
Central Ohio
·RoadRunner Cable
·AT&T CallVantage

[Image: DNS records]
More information if you're interested..
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )