MSSQL_NULL_PACKET_DOS intrusion attempts

MingusMoo: Lately I've been getting a bunch of MSSQL_NULL_PACKET_DOS intrusion attempt detections originating from my own machine against various IP addresses. Norton Internet Security reports this as a low security risk, but I'd still like to know what it is. I can't find any information on it on the Norton security reports page. I usually have BitTorrent running in the background, and the intrusion attempts outbound from my system originate from the ports I have forwarded to the BitTorrent client (both hardware and software). Has anyone else gotten this alert? Does this mean I might have a worm on my system (various scans from different software haven't turned anything up)? What are the chances of it being a false positive?

BubbaGIT-R-DONE: What ports/protocol is being reported as far as outbound traffic, and what ports are you using in association with BitTorrent for forwarding? -- *Team Z* Member

MingusMoo: The attempts were using TCP protocol/port 48881. I have my BitTorrent client configured to accept connections on ports 48881-48999.

reply to MingusMoo

said by MingusMoo: "Has anyone else gotten this alert? ..... What are the chances of it being a false positive."

Today I got the same alert, except INBOUND, originating from Microsoft(!) (hotmail.com server).
Looks like it is a weak IDS signature IMO.

reply to MingusMoo

I got one of those with NIS2003 too. I have been using the ABC BitTorrent client to first download and then seed the new Linspire ISO, and port 6881 is one of the ports I'm using. I usually only use BitTorrent for sharing old Grateful Dead concerts with torrents from bt.etree.org and never saw one of these before.

Details:
Attempted Intrusion "MSSQL_Null_Packet_DoS" from your machine against 64.81.247.99 was detected and blocked
Intruder: COMPUTER-1(192.168.1.101)(6881)
Risk Level: Low
Protocol: TCP
Attacked IP: 64.81.247.99
Attacked Port: ms-sql-s(1433)

I haven't found any signs of Trojans, worms, viruses, or anything else on my computer.

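As an added example, not part of the thread and not Norton's own code, here is a small Python triage script that parses alert records in the layout quoted in the post above and sorts them by whether the local port is the BitTorrent listen port. The regex, the private-address check, the verdict names and the reading that "remote port 1433" is simply the peer's own source port for a session it opened to the local client are assumptions made for this example; nothing in the thread or in Symantec's documentation states how the signature matches. The second log record is constructed for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, Optional, Tuple

# Alert layout as quoted in the NIS 2003 post above. Whitespace is collapsed before
# matching, so the one-line log form and a line-per-field form both parse.
ALERT_RE = re.compile(
    r'Attempted Intrusion "(?P<sig>[^"]+)" from your machine against (?P<dst>[\d.]+) '
    r'was detected and blocked Intruder: (?P<host>[^(]+)\((?P<src>[\d.]+)\)\((?P<sport>\d+)\) '
    r'Risk Level: (?P<risk>\w+) Protocol: (?P<proto>\w+) Attacked IP: [\d.]+ '
    r'Attacked Port: [\w-]+\((?P<dport>\d+)\)'
)

MSSQL_PORT = 1433  # ms-sql-s, the "attacked port" named by the signature


@dataclass
class Alert:
    signature: str
    host: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    risk: str


def parse_alert(text: str) -> Optional[Alert]:
    """Return an Alert for one NIS 'Attempted Intrusion' record, or None if it does not match."""
    m = ALERT_RE.search(" ".join(text.split()))
    if not m:
        return None
    return Alert(m["sig"], m["host"].strip(), m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["proto"], m["risk"])


def triage(alert: Alert, bt_listen_ports: range) -> Tuple[str, str]:
    """Classify one outbound MSSQL_Null_Packet_DoS alert against the BitTorrent listen range.

    Assumption (not from the thread or from Symantec): the signature fires on an empty TCP
    segment sent to 1433/tcp. When the local end is the BitTorrent listen port, the remote
    "victim" port 1433 is most plausibly the peer's own source port for a session it opened
    to us, and the empty segment is a FIN/RST/ACK of that session rather than a probe of a
    database server. A local port outside the BitTorrent range does not fit that picture
    and still needs the owning process identified.
    """
    if alert.signature != "MSSQL_Null_Packet_DoS":
        return "other", f"signature {alert.signature} not handled here"
    if not ip_address(alert.src_ip).is_private:
        return "investigate", "intruder address is not a private LAN address; check which host this is"
    if alert.dst_port != MSSQL_PORT:
        return "investigate", f"attacked port {alert.dst_port} is not ms-sql-s/1433; record does not fit the signature"
    if alert.src_port in bt_listen_ports:
        return ("likely-false-positive",
                f"local port {alert.src_port} is the BitTorrent listen port; "
                f"remote port 1433 is the peer's own source port, not a SQL server")
    return ("investigate",
            f"local port {alert.src_port} is outside the BitTorrent range; "
            f"find the owning process (TCPView) before dismissing")


def summarize(records: Iterable[str], bt_listen_ports: range) -> Dict[str, int]:
    """Count triage verdicts over a batch of records; records that do not parse count as 'unparsed'."""
    counts: Dict[str, int] = {}
    for rec in records:
        alert = parse_alert(rec)
        verdict = "unparsed" if alert is None else triage(alert, bt_listen_ports)[0]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# The record quoted in the post above.
SAMPLE_ALERT = (
    'Attempted Intrusion "MSSQL_Null_Packet_DoS" from your machine against 64.81.247.99 '
    'was detected and blocked Intruder: COMPUTER-1(192.168.1.101)(6881) Risk Level: Low '
    'Protocol: TCP Attacked IP: 64.81.247.99 Attacked Port: ms-sql-s(1433)'
)

# Constructed for this example: same signature, but the local port is not a BitTorrent port
# (the situation hotmax describes further down, where another program was the source).
CONSTRUCTED_ALERT = (
    'Attempted Intrusion "MSSQL_Null_Packet_DoS" from your machine against 198.51.100.7 '
    'was detected and blocked Intruder: COMPUTER-1(192.168.1.101)(3212) Risk Level: Low '
    'Protocol: TCP Attacked IP: 198.51.100.7 Attacked Port: ms-sql-s(1433)'
)

if __name__ == "__main__":
    for rec in (SAMPLE_ALERT, CONSTRUCTED_ALERT):
        a = parse_alert(rec)
        print(a.src_port, "->", a.dst_ip, a.dst_port, *triage(a, range(6881, 7000)))
    print(summarize([SAMPLE_ALERT, CONSTRUCTED_ALERT, "garbage"], range(6881, 7000)))
```

Run it with the BitTorrent range you actually forward (range(48881, 49000) for the original poster); an alert whose local port falls outside that range is the one worth chasing with TCPView, whatever the signature name says.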
hotmax: reply to MingusMoo

I think NPF is known for improperly logging this attack. I see it as a little bug/loophole in the program when it monitors your outbound connections from programs that are not allowed outbound access. I saw the same thing on my machine, and if you look at the log, it shows the attack originating from your machine, right? To me this made no sense, provided you have no virus/worm actually sending out a DoS attack. So I investigated...

When I opened TCPView (www.sysinternals.com - free util, very useful for monitoring connections) it showed a certain program trying to get outbound access over and over (in my case a defrag program, Diskeeper). Since this program is not enabled with access, for some reason NPF just kept denying access until it got logged as a DoS attack, instead of popping up a dialogue asking for access. I know this was the case since after I shut it off at the services console, the hammering stopped, along with the DoS intrusion alert.

My theory is this happens if you shut off "enable access control alerts" in the custom NPF settings while choosing the "Block everything until you allow it" security setting. I did this because miscellaneous packets kept on setting off alerts, and every time I had to click through it. For some reason Norton feels the need to let you know about every single loose packet detected, so that the user feels the program is "working" (which in the end I suppose is a good sign, showing that NPF is really airtight). So then other applications screw it up, because for some reason all MS software companies think they have the right to have their program access the internet whenever they feel like it.

This alert basically boils down to something on your machine banging on the firewall for outbound access. So I suppose the only thing you can do is track down the source. If you have scanned for viruses/worms already, then look at your own software. If you don't know how to check your threads/processes, then just make sure you uncheck the "check for new version on startup" selections on all your miscellaneous software, or make an access rule in NPF to allow it. The next step is to look through services, which is where I had to go since Diskeeper doesn't even respect their users with that option. Just keep looking; it's a good idea to track this down because you know that it will be eating up your memory/CPU resources.

hotmax: reply to MingusMoo

BTW, just disregard the destination address. I use BitTorrent too, and I recognize those port ranges. In my case, I use 6881-6999, and such was the target port for the destination address in my log. I think NPF just picks a random/recently active destination as your target, either because it is confused from all the hammering, or it could not read the header in the packet that the program sent. Remember that if you see the DoS alert in NPF, you can be sure that it never got there.