Re: I keep getting port scanned! in Security

Re: I keep getting port scanned! in Security http://www.dslreports.com/forum/r20232001 en Tue, 02 Dec 2008 05:37:56 EDT Tue, 02 Dec 2008 05:37:56 EDT Re: I keep getting port scanned! http://www.dslreports.com/forum/remark,20232001 EGeezer : More information If you're interested.. :)
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

DNS records

]]> http://www.dslreports.com/forum/remark,20232001 Wed, 26 Mar 2008 23:12:13 EDT Re: I keep getting port scanned! http://www.dslreports.com/forum/remark,20230376 frankenfeet : Sorry I wasn't trying to overreact. I was just worried that incoming packets were getting through to the point where my software firewall was intercepting them. I assumed that the router would stop unsolicited packets. I think I get it now though. Thanks for the replies.
--
ƒ ℜ λ η κ ε ℵ ƒ € ∃ †]]> http://www.dslreports.com/forum/remark,20230376 Wed, 26 Mar 2008 18:31:43 EDT Re: I keep getting port scanned! http://www.dslreports.com/forum/remark,20230196 nwrickert :

Any idea how this is getting through my router?

There is no evidence that anything untoward is getting through your router. The chances are that your system sent a udp packet, and this was a response. We cannot guess much beyond that, because your report has nothing useful about the event, not even the local and remote port numbers.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12]]> http://www.dslreports.com/forum/remark,20230196 Wed, 26 Mar 2008 17:58:28 EDT Re: I keep getting port scanned! http://www.dslreports.com/forum/remark,20230143 nwrickert :

Is it just me, or is the OP's software providing a useless report?

Useless? Not at all.

Look at the facts. The report has scared the hell out of the OP. It has made him glad he is protected by that software.

Useless for security, sure. But a damn good marketing effort to keep the customers spending money on a product that they don't need.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12]]> http://www.dslreports.com/forum/remark,20230143 Wed, 26 Mar 2008 17:51:43 EDT Re: I keep getting port scanned! http://www.dslreports.com/forum/remark,20230056 Steve : Is it just me, or is the OP's software providing a useless report? "UDP Port scan" doesn't mean anything without the details, and that just contributes to clutter or "OMG!" responses.

However, because I'm apparently smarter than Sygate, I can tell from here that this is specifically benign behavior: it's UDP-based traceroutes originating from a Routescience route optimizer.

Ignore it.

--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site]]> http://www.dslreports.com/forum/remark,20230056 Wed, 26 Mar 2008 17:36:16 EDT Re: I keep getting port scanned! http://www.dslreports.com/forum/remark,20229821 frankenfeet : I'm not connected to GNAX. That doesn't mean I wasn't connecting to them at some other point, like maybe gaming or something. Any idea how this is getting through my router? I do have the router set up to respond to internet pings though.
--
ƒ ℜ λ η κ ε ℵ ƒ € ∃ †]]> http://www.dslreports.com/forum/remark,20229821 Wed, 26 Mar 2008 16:57:14 EDT Re: I keep getting port scanned! http://www.dslreports.com/forum/remark,20229252 caffeinator : Well, here's the WHOIS lookup:

--- 03/26/08 12:02:24 Pacific Daylight Time--- performing WHOIS on "65.254.52.109", please wait...--- contacting server whois.arin.net--- smart whois on "65.254.52" OrgName:    Global Net Access, LLC OrgID:      GNAL-2Address:    1100 White St SWCity:       AtlantaStateProv:  GAPostalCode: 30310Country:    US ReferralServer: rwhois://rwhois.gnax.net:4321 NetRange:   65.254.32.0 - 65.254.63.255 CIDR:       65.254.32.0/19 OriginAS:   AS3595,  AS16626NetName:    GNAXNETNetHandle:  NET-65-254-32-0-1Parent:     NET-65-0-0-0-0NetType:    Direct AllocationNameServer: DNS1.GNAX.NETNameServer: DNS2.GNAX.NETNameServer: NS1.GNAX.NETNameServer: NS2.GNAX.NETComment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLEComment:    ********************************************Comment:    Reassignment information for this block isComment:    available at rwhois.gnax.net port 4321Comment:    ********************************************RegDate:    2003-12-29Updated:    2007-06-01 RAbuseHandle: ABUSE745-ARINRAbuseName:   GNAX ABUSE RAbusePhone:  +1-404-230-9150RAbuseEmail:  abuse@gnax.net  RNOCHandle: ENGIN7-ARINRNOCName:   GNAX ENGINEERING RNOCPhone:  +1-404-230-9150RNOCEmail:  engineering@gnax.net  RTechHandle: ENGIN7-ARINRTechName:   GNAX ENGINEERING RTechPhone:  +1-404-230-9150RTechEmail:  engineering@gnax.net  OrgAbuseHandle: ABUSE745-ARINOrgAbuseName:   GNAX ABUSE OrgAbusePhone:  +1-404-230-9150OrgAbuseEmail:  abuse@gnax.net OrgNOCHandle: ENGIN7-ARINOrgNOCName:   GNAX ENGINEERING OrgNOCPhone:  +1-404-230-9150OrgNOCEmail:  engineering@gnax.net OrgTechHandle: ENGIN7-ARINOrgTechName:   GNAX ENGINEERING OrgTechPhone:  +1-404-230-9150OrgTechEmail:  engineering@gnax.net # ARIN WHOIS database, last updated 2008-03-25 19:10# Enter ? for additional hints on searching ARIN's WHOIS database. --- connection closed

Now, that doesn't mean GNAX is to blame, thats just the owner of that IP range. Are you connected to GNAX in anyway?

UDP is a stateless protocol, so it's kinda weird that it'd be an average portscan.

More info:

»www.auditmypc.com/freescan/readi···ning.asp

UDP Scanning

Port scanning usually means scanning for TCP ports, which are connection-oriented and therefore give good feedback to the attacker. UDP responds in a different manner. In order to find UDP ports, the attacker generally sends empty UDP datagrams. If the port is listening, the service should send back an error message or ignore the incoming datagram. If the port is closed, then most operating systems send back an "ICMP Port Unreachable" message. Thus, you can find out if a port is NOT open, and by exclusion determine which ports are open. Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives).

Also, this scanning technique is slow because of compensation for machines that implement the suggestions of RFC 1812 and limit ICMP error message rate. For example, a kernal may limit destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded.

Some people think UDP scanning is pointless - not so. Sometimes for example, Rpcbind can be found hiding on an undocumented UDP port somewhere above 32770. So it doesn't matter that port 111 is blocked by the firewall. But can you find which of the more than 30,000 high ports it is listening on? With a UDP scanner you can.

More likely, Sygate is having a FP.

-CaFF

--

My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages]]> http://www.dslreports.com/forum/remark,20229252 Wed, 26 Mar 2008 15:10:05 EDT I keep getting port scanned! http://www.dslreports.com/forum/remark,20229079 frankenfeet : Here's my current setup. I'm running XP Pro w/ SP2. I have Sygate Pro as a software firewall, and I'm behind a router (Netgear WGT 624 v3). I've got Sygate set up so that it sends out an email when my PC has security issues. Over the past month or so I'm getting these email from Sygate that look like this.

The last string of digits of the remote hosts IP vary. Any idea what this is, or how it's getting past my router? I'm certain I don't have any sort of mailware or virus.

--
ƒ ℜ λ η κ ε ℵ ƒ € ∃ †]]> http://www.dslreports.com/forum/remark,20229079 Wed, 26 Mar 2008 14:38:19 EDT