
Hundreds of KAZAA Port 1214 Hits Today

My ZoneAlarm has logged hundreds of hits on port 1214 today. This has never happened before: I usually only get a few hits (20 or 30 at most) during a given day, but nothing like this. My ZA alerts pane maxed out at 500 hits displayed. I confirmed this by viewing my logs in VisualZone Report Utility (see my attached screen shot).
Has this happened to anyone else? Or did I just unluckily inherit an IP today that was previously owned by someone using KAZAA? I don't have KAZAA installed on my system; I don't do file-sharing of any kind. I do have a dynamically assigned IP address, with a PPPoE WinPoET connection. [text was edited by author 2002-06-05 23:30:16]
Steve (Consultant, Yorba Linda, CA) | Everybody's doing it
This happens all the time. Drop your shields slightly to "reject" rather than "stealth" these connections, and your IP stack will tell the other guy "go away" as the protocol was designed to do. But Kazaa (and other related P2P systems) will keep trying when they hear nothing.
Stealth is overrated.
Steve -- Stephen J. Friedl Security Consultant Tustin, California USA »www.unixwiz.net
guycad$ (Pompton Lakes, NJ) | reply to Steve
said by Steve: Drop your shields slightly to "reject" rather than "stealth" these connections
I made a good faith effort (help files, exploring various options) on how to do this with ZA (3.1 beta). Any clue on how one does this?
Please?
-- People who describe M$ software as 'mediocre' don't know the half of it.
Steve (Consultant, Yorba Linda, CA) | reply to guycad$
said by guycad: Any clue on how one does this?
... I'm afraid I have no idea how it works in any particular software: I know the TCP/IP networking, but not ZoneAlarm. Somebody here has to know how to do this.
But another solution is to simply disable or ignore your logfiles entirely.
Steve -- Stephen J. Friedl Security Consultant Tustin, California USA »www.unixwiz.net
Randy Bell | reply to Steve
Thanks Steve, but this is a new phenomenon for me: these hits are coming from many different random IPs. Does that represent millions of other Kazaa users out there, who think my IP is still part of their P2P system?
If I disabled ZA to do what you suggest, how long does it take for the other guys to realize I'm no longer part of their system and wish to be left alone? This is really weird -- never happened to me before.
I could just log off and log on to my PPPoE connection, which I may do shortly, to see whether that gets rid of the hits, since I'll probably be assigned a different IP address.
Time Out$ (North Myrtle Beach, SC) | reply to Steve
said by Steve: But another solution is to simply disable or ignore your logfiles entirely.
Steve
Be nice. If they did that we would go out of business here.
Steve (Consultant, Yorba Linda, CA) | reply to Randy Bell
said by Randy Bell: Does that represent millions of other Kazaa users out there, who think my IP is still part of their P2P system?
Maybe not "millions", but surely "lots". The previous owner of the IP was apparently quite popular, and some of that is rubbing off on you.
But you should not disable ZoneAlarm entirely - having protection there is useful. But most of the personal firewalls have a "stealth" mode and something a bit less aggressive: the less aggressive mode is the one you want.
However, in practice these hits are just not consuming enough bandwidth to even give a thought to, so your best approach is to just ignore them entirely. I've not meaningfully looked at firewall logs in years - there is just too much background noise on the internet.
The stuff you worry about is the traffic that isn't logged anyway.
Steve -- Stephen J. Friedl Security Consultant Tustin, California USA »www.unixwiz.net
jaykaykay (Scottsdale, AZ) | reply to Randy Bell
I don't believe you want to "disable" ZA. I believe that what you need to do is just put your "Internet" zone on "medium" for a bit instead of stealthing it on "high".
-- JKK Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!
Randy Bell | reply to Steve
OK Steve, I've logged off and logged on again, with a different IP address, and all is quiet. This is the weirdest thing that's happened to me since I've been running ZoneAlarm for about four or five months now.
Regarding logs, I have both ZoneLog Analyser and VisualZone Reporting Utility, to help me interpret the logs. MyNetWatchman rejects the notion of "internet background noise", saying that most firewall hits have a logical explanation:
myNetWatchman - Common Firewall False Positives, »www.mynetwatchman.com/fpguide.htm
FAQ Firewall Forensics (What am I seeing), »www.robertgraham.com/pubs/firewall-seen.html
Thanks again for your responses to this thread.
Steve (Consultant, Yorba Linda, CA) | reply to Randy Bell
said by Randy Bell: MyNetWatchman rejects the notion of "internet background noise",
Oh, all the probes have an explanation - we're not talking random alpha particles from the sun messing up TCP/IP - but these scans and probes are so common that they're not worth fooling with. I call them "background noise" even though others call them "IDS fodder".
Steve -- Stephen J. Friedl Security Consultant Tustin, California USA »www.unixwiz.net
guycad$ (Pompton Lakes, NJ) | reply to Steve
OK, I just figured it out (help files don't cover this):
Click on the 'Firewall' tab.
In the 'Internet Zone Security' box, click on 'Custom'.
The resulting dialog box (Custom Firewall Settings) has two tabs across the top. The 'Internet Zone' tab will be highlighted.
The displayed list has two sections. The top section is settings for when 'High' security is set and the bottom section is for when 'Medium' security is set.
In the top section, check off the box which says 'Allow incoming TCP ports: (none selected)'.
Enter the port number (1214) (or ranges) in the entry field. Click the Apply button.
I still have a question though. What's more, I'm certain it's basic. Doesn't my outgoing response have to go back to the originating TCP port?
-- People who describe M$ software as 'mediocre' don't know the half of it.
Randy Bell | reply to jaykaykay
said by jaykaykay: I don't believe you want to "disable" ZA. I believe that what you need to do is just put your "Internet" zone on "medium" for a bit instead of stealthing it on "high".
Thanks JKK, see my latest post to Steve: I logged off and logged on again to my PPPoE connection, and I have a different IP address now, and all is quiet. I wonder whether this will happen to the next poor unlucky fellow who gets the IP I just released? Hehe.. (chuckle)
Occasu$ (North Vancouver, BC) | reply to guycad$
said by guycad: I still have a question though. What's more, I'm certain it's basic. Doesn't my outgoing response have to go back to the originating TCP port?
I believe that is the idea behind dropping your stealth status: to allow a closed response instead of no response to the incoming request. Of course, like Steve says, you can just ignore the scans altogether, which is a lot easier.
MeeToo7 (Ardmore, PA) | reply to Randy Bell
said by Randy Bell: I wonder whether this will happen to the next poor unlucky fellow who gets the IP I just released? Hehe.. (chuckle)
The next person won't be unlucky if they don't look at their firewall log. It's not doing anything, other than worrying you when you look at it.
Notice that MyNetWatchman doesn't "reject" the notion of background noise; he's simply saying that people abuse the term to explain things they don't know. Steve did not misuse it; he clearly explained to you what Kazaa was doing in his first post.
said by mynetwatchman:
I'm tired of hearing unexplainable firewall events as: "normal", "background noise", "random probes", "people mis-typing IP addresses", "Internet radiation", etc...
These are all vague assertions to explain away something that is admittedly difficult to analyze and explain. When you hear words like "random" and "noise" those are really synonyms for "I don't know!".
MyNetWatchman likes to explain in detail to you what this background noise is, but he calls it "false positive", and that's all it is.
said by mynetwatchman:
d) Stale IP caches
If you have a dynamic IP address, you will often find that you receive a lot of unsolicited probes when you first obtain a new IP address. This is often because the previous user of that IP address was running some application which has cached their IP address somewhere and it's aware that the owner of that IP has changed.
Often the involved applications are Internet game servers, peer-to-peer file/music software (e.g. Gnutella, Napster, Kazaa, audiogalaxy, etc..).
[text was edited by author 2002-06-06 01:10:18]
guycad$ (Pompton Lakes, NJ) | reply to MeeToo7
said by mynetwatchman: Often the involved applications are Internet game servers, peer-to-peer file/music software (e.g. Gnutella, Napster, Kazaa, audiogalaxy, etc..).
Hmmph - he should add "or compromised systems acting as trojan servers."
I got over 500 scans on known trojan ports in a 4 hour period several weeks ago.
-- People who describe M$ software as 'mediocre' don't know the half of it.
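The thread keeps circling one practical distinction: a flood on a single port from many unrelated sources (what Randy saw on 1214, and what MyNetWatchman's "stale IP caches" item describes) versus one host walking several ports (the trojan-port scanning guycad reports and would hand to MyNetWatchman). The script below, an added example that is not code from the thread, from ZoneAlarm or from MyNetWatchman, makes that distinction mechanically by aggregating inbound hits per destination port and per source. The log lines are constructed; their comma-separated layout is an assumption loosely modelled on ZoneAlarm's FWIN records, not its exact format, and the thresholds are illustrative.

```python
"""Triage a burst of inbound personal-firewall hits by port and by source.

Added example (not from the thread, ZoneAlarm or MyNetWatchman).
Log layout is ASSUMED: direction,date,time,src:port,dst:port,proto ...
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample log. Six distinct hosts hit port 1214 (one of them
# twice), one host touches three different ports, one lone NetBIOS hit,
# and one non-record header line that the parser must skip.
SAMPLE_LOG = """\
ZoneAlarm Logging Client v3.1 (constructed header line)
FWIN,2002/06/05,14:01:03,198.51.100.7:2341,10.0.0.5:1214,TCP (flags:S)
FWIN,2002/06/05,14:01:09,198.51.100.22:1214,10.0.0.5:1214,TCP (flags:S)
FWIN,2002/06/05,14:01:15,192.0.2.44:3089,10.0.0.5:1214,TCP (flags:S)
FWIN,2002/06/05,14:01:16,192.0.2.45:3090,10.0.0.5:1214,TCP (flags:S)
FWIN,2002/06/05,14:01:40,198.51.100.7:2342,10.0.0.5:1214,TCP (flags:S)
FWIN,2002/06/05,14:02:02,203.0.113.88:1214,10.0.0.5:1214,TCP (flags:S)
FWIN,2002/06/05,14:02:31,192.0.2.120:4011,10.0.0.5:1214,TCP (flags:S)
FWIN,2002/06/05,14:05:00,203.0.113.9:4444,10.0.0.5:27374,TCP (flags:S)
FWIN,2002/06/05,14:05:01,203.0.113.9:4445,10.0.0.5:12345,TCP (flags:S)
FWIN,2002/06/05,14:05:02,203.0.113.9:4446,10.0.0.5:31337,TCP (flags:S)
FWIN,2002/06/05,14:07:10,198.51.100.3:137,10.0.0.5:137,UDP
"""

LINE_RE = re.compile(
    r"^(?P<direction>FWIN|FWOUT),(?P<date>[\d/]+),(?P<time>[\d:]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),(?P<proto>[A-Z]+)"
)


@dataclass(frozen=True)
class Hit:
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_log(text: str) -> list[Hit]:
    """Return one Hit per parseable record; header/blank lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hits.append(Hit(m["direction"], m["src"], int(m["sport"]),
                        m["dst"], int(m["dport"]), m["proto"]))
    return hits


def summarize_by_port(hits: list[Hit]) -> dict[int, dict]:
    """Inbound hit count and the set of distinct sources for each destination port."""
    ports = defaultdict(lambda: {"hits": 0, "sources": set()})
    for h in hits:
        if h.direction != "FWIN":
            continue
        ports[h.dport]["hits"] += 1
        ports[h.dport]["sources"].add(h.src)
    return dict(ports)


def classify(hits: list[Hit], burst_hits: int = 5, min_sources: int = 3,
             scan_ports: int = 3) -> list[dict]:
    """Separate the two patterns the thread discusses (thresholds are assumptions).

    many-source-burst: one port, many unrelated sources -> stale-IP-cache /
        P2P residue; noise to ignore, or to wait out with a new address.
    single-source-scan: one source, several ports -> worth reporting.
    """
    findings = []
    for port, info in sorted(summarize_by_port(hits).items()):
        if info["hits"] >= burst_hits and len(info["sources"]) >= min_sources:
            findings.append({"kind": "many-source-burst", "port": port,
                             "hits": info["hits"], "sources": len(info["sources"])})
    ports_by_src = defaultdict(set)
    for h in hits:
        if h.direction == "FWIN":
            ports_by_src[h.src].add(h.dport)
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= scan_ports:
            findings.append({"kind": "single-source-scan", "source": src,
                             "ports": sorted(ports)})
    return findings


if __name__ == "__main__":
    for finding in classify(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample, port 1214 comes out as a many-source burst (seven hits from six hosts) and 203.0.113.9 as a single-source scan across three ports, while the lone hit on 137 triggers nothing. The threshold values are the knob a reader would tune against their own daily baseline (Randy's "20 or 30 at most" is the kind of number that sets `burst_hits`).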
Occasu$ (North Vancouver, BC) | reply to guycad$
said by guycad:
Hmmph - he should add "or compromised systems acting as trojan servers."
I got over 500 scans on known trojan ports in a 4 hour period several weeks ago.
The MyNetWatchman program will take the info from these scans and report them to the offending IP's ISP. Take a look around his site; it is a great service Lawrence Baldwin is providing, IMHO. http://www.mynetwatchman.com
reply to Randy Bell
Re: Hundreds of KAZAA Port 1214 Hits Today
Could be the "new" P2P worm Shermnar.
Links to worms, viruses and Trojans are against this forum's posting rules
Kaspersky has been detecting this worm for more than 2 weeks now .. [text was edited by moderator]
Motumbo, when I clicked on your link and downloaded the small zipfile, NAV didn't detect anything. Should it have?
guycad$ (Pompton Lakes, NJ) | reply to Occasu$
Re: Everybody's doing it
said by Occasu$: The MyNetWatchman program will take the info from these scans and report them to the offending IP's ISP.
[laughing] Already set up for netwatchman Monday. Thanx though!
-- People who describe M$ software as 'mediocre' don't know the half of it.
Ook9 (Netherlands)
I believe that the Kazaa network is based on SuperNodes. If Kazaa finds your networking and computing speeds above normal, it "decides" that your computer might as well function as one of those SuperNodes. That is, if you have enabled "Use as SuperNode" in the Kazaa options.
See if you have this enabled and, if so, disable it. The requests on 1214 should die out in a couple of days.