Beginner's Question

Discussion in 'Computer Security' started by Noaccount, Sep 21, 2005.

  1. Noaccount

    Noaccount Guest

    I have Win XP SP2 and use Sygate Personal Firewall Pro, SpyCleaner
    Gold, Norton 2004, and SpyWatcher.

    I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
    which Whois says is the Internet Authority for Assigned Numbers.
    According to the traffic log, IANA is constantly trying to UDP my
    computer.

    I have two questions. Why is IANA doing this? And should I continue
    to block it?

    Needless to say I am a clueless newbie. TIA for any advice/info.
     
    Noaccount, Sep 21, 2005
    #1

  2. Jim Watt Guest

    On Wed, 21 Sep 2005 00:47:38 -0500, Noaccount <>
    wrote:

    >I have Win XP SP2 and use Sygate Personal Firewall Pro, SpyCleaner
    >Gold, Norton 2004, and SpyWatcher.
    >
    >I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
    >which Whois says is the Internet Authority for Assigned Numbers.
    >According to the traffic log, IANA is constantly trying to UDP my
    >computer.
    >
    >I have two questions. Why is IANA doing this? And should I continue
    >to block it?
    >
    >Needless to say I am a clueless newbie. TIA for any advice/info.


    IANA is in charge of allocating groups of IP numbers, and the block
    10.0.0.0 .. 10.255.255.255 is allocated to user networks. It's
    non-routable, so that address is probably in use by something you have
    or, if you are on a cable connection using that address block,
    some other user of the service.

    So look closer to home for the source.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 21, 2005
    #2

  3. Mark Guest

    Jim Watt wrote:
    > On Wed, 21 Sep 2005 00:47:38 -0500, Noaccount <>
    > wrote:
    >
    >
    >>I have Win XP SP2 and use Sygate Personal Firewall Pro, SpyCleaner
    >>Gold, Norton 2004, and SpyWatcher.
    >>
    >>I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
    >>which Whois says is the Internet Authority for Assigned Numbers.
    >>According to the traffic log, IANA is constantly trying to UDP my
    >>computer.
    >>
    >>I have two questions. Why is IANA doing this? And should I continue
    >>to block it?
    >>
    >>Needless to say I am a clueless newbie. TIA for any advice/info.

    >
    >
    > IANA is in charge of allocating groups of IP numbers, and the block
    > 10.0.0.0 .. 10.255.255.255 is allocated to user networks. It's
    > non-routable, so that address is probably in use by something you have
    > or, if you are on a cable connection using that address block,
    > some other user of the service.
    >
    > So look closer to home for the source.
    > --
    > Jim Watt
    > http://www.gibnet.com


    Also, I fairly regularly see UDP traffic with a source address of
    10.x.x.x that contains the payload of the SQL-Slammer/Sapphire worm.
    Does Sygate tell you what UDP port it is trying to connect to? If it's
    1433 or 1434 I'm sure you can/should block it.

    While ISPs should filter such non-routable addresses, many don't
    examine the source address.

    Mark
     
    Mark, Sep 21, 2005
    #3
  4. Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <>, Noaccount wrote:

    >I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
    >which Whois says is the Internet Authority for Assigned Numbers.


    Through RFC1918, IANA has allocated 10.0.0.0 - 10.255.255.255 (as well
    as 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.255) for
    use by anyone on a LOCAL network. In your case, your ISP is using the
    addresses for internal purposes. Addresses in these ranges should be
    dropped when they attempt to leave the ISP. Many cable setups use
    local addresses in 192.168.1.0 - 192.168.1.255 for the same reason,
    and with the same restrictions - those addresses are not to leave the
    LOCAL area. Your ISP _should_ be dropping packets with these addresses
    at their border (see RFC2827).

    >According to the traffic log, IANA is constantly trying to UDP my
    >computer.


    There are 65,000 different services that can use UDP (the same as TCP),
    everything from DNS (which you need) to windoze messenger spam (which you
    probably don't want). You have to be more specific, and identify from/to
    the "Port" number this traffic is using.

    >I have two questions. Why is IANA doing this?


    They are not - it's _probably_ your ISP, though there isn't enough detail
    in your post.

    >And should I continue to block it?


    Is your connection to the Internet working? If no, then maybe you shouldn't
    be blocking the UDP. If yes, the packets are not needed, and can be blocked
    without further thought.

    >Needless to say I am a clueless newbie. TIA for any advice/info.


    The logging of blocked packets is generally a waste of CPU cycles and disk
    space. Most of these personal firewalls delight in telling the user that
    some host in Korea or Kenya attempted to connect to a trojan that they don't
    have installed. Your firewall blocked it - end of story. If you are having
    problems with the Internet, _then_ you should turn on logging and observe.
    For the rest of the time - turn it off, and ignore.

    Old guy
     
    Moe Trin, Sep 21, 2005
    #4
  5. Foggy Guest

    If the user has a router in his house, could the 10.x.x.x traffic be
    coming from it?



    Moe Trin wrote:
    > In the Usenet newsgroup alt.computer.security, in article
    > <>, Noaccount wrote:
    >
    >
    >>I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
    >>which Whois says is the Internet Authority for Assigned Numbers.

    >
    >
    > Through RFC1918, IANA has allocated 10.0.0.0 - 10.255.255.255 (as well
    > as 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.255) for
    > use by anyone on a LOCAL network. In your case, your ISP is using the
    > addresses for internal purposes. Addresses in these ranges should be
    > dropped when they attempt to leave the ISP. Many cable setups use
    > local addresses in 192.168.1.0 - 192.168.1.255 for the same reason,
    > and with the same restrictions - those addresses are not to leave the
    > LOCAL area. Your ISP _should_ be dropping packets with these addresses
    > at their border (see RFC2827).
    >
    >
    >>According to the traffic log, IANA is constantly trying to UDP my
    >>computer.

    >
    >
    > There are 65,000 different services that can use UDP (the same as TCP),
    > everything from DNS (which you need) to windoze messenger spam (which you
    > probably don't want). You have to be more specific, and identify from/to
    > the "Port" number this traffic is using.
    >
    >
    >>I have two questions. Why is IANA doing this?

    >
    >
    > They are not - it's _probably_ your ISP, though there isn't enough detail
    > in your post.
    >
    >
    >>And should I continue to block it?

    >
    >
    > Is your connection to the Internet working? If no, then maybe you shouldn't
    > be blocking the UDP. If yes, the packets are not needed, and can be blocked
    > without further thought.
    >
    >
    >>Needless to say I am a clueless newbie. TIA for any advice/info.

    >
    >
    > The logging of blocked packets is generally a waste of CPU cycles and disk
    > space. Most of these personal firewalls delight in telling the user that
    > some host in Korea or Kenya attempted to connect to a trojan that they don't
    > have installed. Your firewall blocked it - end of story. If you are having
    > problems with the Internet, _then_ you should turn on logging and observe.
    > For the rest of the time - turn it off, and ignore.
    >
    > Old guy
     
    Foggy, Sep 21, 2005
    #5
  6. Noaccount Guest

    On Wed, 21 Sep 2005 00:47:38 -0500, Noaccount <>
    wrote:

    >I have Win XP SP2 and use Sygate Personal Firewall Pro, SpyCleaner
    >Gold, Norton 2004, and SpyWatcher.
    >
    >I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
    >which Whois says is the Internet Authority for Assigned Numbers.
    >According to the traffic log, IANA is constantly trying to UDP my
    >computer.
    >
    >I have two questions. Why is IANA doing this? And should I continue
    >to block it?
    >
    >Needless to say I am a clueless newbie. TIA for any advice/info.


    Thank you all for the replies.

    I am not on a router.
    I have a direct cable connection.
    I am not having any trouble connecting or surfing the internet.
    I regularly go to Shields Up and it always says that I am in
    "Stealth Mode" and that my first 1056 ports do not respond to their
    probe. Is this OK?

    My AV and SpyCleaner, Spy Bot etc. say that I have no bugs, so maybe I
    am OK???

    Again, Thank You
     
    Noaccount, Sep 22, 2005
    #6
  7. Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <iTkYe.94748$>, Foggy wrote:

    >If the user has a router in his house, could the 10.x.x.x traffic be
    >coming from it?


    Sure, but I'm not aware of too many routers that use 10.x.x.x, mainly
    because that address range is often used by ISPs. Most routers and
    modems use 192.168.x.y/24 just for that reason. The 172.16.0.0/12
    range is also available, but is rarely used. Funny, but one of my
    dial-in ISPs uses 192.168.19x.x/23 (not a typo) for the terminal
    servers (the boxes you dial into), and 172.16.16.x/24 for the
    customer-accessible DNS and mail services. No idea why they
    chose 172.16, but it might have been a network mask compatibility
    problem.

    Were this the O/P's own home network, you'd think he'd be aware of the
    local use of 10.x.x.x, and wouldn't be asking about it.

    Old guy
     
    Moe Trin, Sep 22, 2005
    #7
  8. Winged Guest

    Noaccount wrote:

    > I regularly go to Shields Up and it always says that I am in
    > "Stealth Mode" and that my first 1056 ports do not respond to their
    > probe. Is this OK?



    This is desired so long as you are not running an Internet server. I
    suspect though this is being done at your ISP firewall. You should
    ensure that you have your firewall set to block inbound ports below 1024
    at your home network perimeter to prevent other individuals on your
    cable company's network from exploiting your system. I am not sure why
    you're blocked to 1056 though. Insights anyone?

    Winged
     
    Winged, Sep 22, 2005
    #8
  9. Jim Watt Guest

    On Wed, 21 Sep 2005 19:29:26 -0500,
    (Moe Trin) wrote:

    >Sure, but I'm not aware of too many routers that use 10.x.x.x.


    Those using the Conexant chip set do, but their default is
    10.0.0.2
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 22, 2005
    #9
  10. Jim Watt Guest

    On Wed, 21 Sep 2005 22:21:01 -0500, Winged <>
    wrote:

    >Noaccount wrote:
    >
    >> I regularly go to Shields Up and it always says that I am in
    >> "Stealth Mode" and that my first 1056 ports do not respond to their
    >> probe. Is this OK?

    >
    >
    >This is desired so long as you are not running an Internet server. I
    >suspect though this is being done at your ISP firewall. You should
    >ensure that you have your firewall set to block inbound ports below 1024
    >at your home network perimeter to prevent other individuals on your
    >cable company's network from exploiting your system. I am not sure why
    >you're blocked to 1056 though. Insights anyone?


    What would be useful would be to do

    start>run>cmd

    then run ipconfig

    and post the results you get.

    As it's a cable system, chances are the IP range is 10.x.x.x and
    the 'intruder' is most likely an innocent device on the network
    or perhaps someone trying to be intrusive; either way, if ZA is
    blocking it, no need to worry.

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 22, 2005
    #10
  11. "Moe Trin" <> wrote in message
    news:...
    > In the Usenet newsgroup alt.computer.security, in article
    > <>, Noaccount wrote:
    >
    > >I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
    > >which Whois says is the Internet Authority for Assigned Numbers.


    <snip>

    > Your ISP _should_ be dropping packets with these addresses
    > at their border (see RFC2827).


    I don't know about others, but my ISP assigns 10.x addresses to the UBRs. I
    have a dim recollection that it's the Cisco default.

    It's quite possible (even likely!) that the OP's firewall is warning on
    DHCP. Zone Alarm (spit!) certainly used to.

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Sep 22, 2005
    #11
  12. Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <ae1af$43322373$18d6dabf$>, Winged wrote:

    >> I regularly go to Shields Up and it always says that I am in
    >> "Stealth Mode" and that my first 1056 ports do not respond to their
    >> probe.


    Figures.

    >> Is this OK?


    Ever play with "TRACERT"? That would show how useless "stealth" is.
    The real 'traceroute' makes it even more obvious.

    >You should ensure that you have your firewall set to block inbound ports
    >below 1024 at your home network perimeter to prevent other individuals on
    >your cable company's network from exploiting your system.


    If 113 is "stealthed" instead of blocked or open, you may run into delays
    or even unavailable service from some mail and IRC servers.

    >I am not sure why you're blocked to 1056 though. Insights anyone?


    I suspect that is all that Gibson the marketeer is testing. This
    checks the more common servers, and the first few user-land ports where
    crap like windoze messenger pop-ups are directed. It's also likely to
    assume that if the first 1056 are blocked, the firewall is blocking all
    by default (rather than trying to block specific services). You wouldn't
    know this unless you tested all 2 * 65535 ports, but that takes time.

    Old guy
     
    Moe Trin, Sep 22, 2005
    #12
  13. Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <>, Jim Watt wrote:

    >(Moe Trin) wrote:


    >>Sure, but I'm not aware of too many routers that use 10.x.x.x.

    >
    >Those using the Conexant chip set do, but their default is
    >10.0.0.2


    Wonderful. 17.9 million addresses available, and they decide to
    waste 16.8 million of them with their brain-dead choice of a default.
    I notice another address used is 10.10.1.10, also with a /8.

    Actually 169.254.0.0/16 would be a far wiser choice, and windoze boxes
    even default to that range when they can't find a DHCP server. It has
    the additional advantage that even windoze uses a TTL of 1, and
    RFC3927 Section 2.7 requires (it's a "MUST NOT") packets not be
    forwarded. Bingo - instant "security".

    Old guy
     
    Moe Trin, Sep 22, 2005
    #13
  14. Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <iCwYe.13312$>, Hairy One Kenobi wrote:

    >"Moe Trin" <> wrote in message


    >> Your ISP _should_ be dropping packets with these addresses
    >> at their border (see RFC2827).

    >
    >I don't know about others, but my ISP assigns 10.x addresses to the UBRs. I
    >have a dim recollection that it's the Cisco default.


    For systems that should only be accessible from within an ISP, that's fine.
    Only systems that need to be accessed directly from the Internet need to have
    a routable IP. That actually means relatively few of an ISP's resources
    (such as DNS, News, Mail, Web and perhaps FTP). Routers, or DHCP servers,
    don't often fit that criterion.

    >It's quite possible (even likely!) that the OP's firewall is warning on
    >DHCP. Zone Alarm (spit!) certainly used to.


    I thought of that - but thought that if the O/P is blocking that, his own
    IP would expire, and the connection fail. On the other hand, if the DHCP
    lease is something like 12 or 24 hours, and the O/P shuts down the computer
    after an hour or two, it likely doesn't matter. To the O/P, DHCP uses port
    67 on the server, and 68 on the client. If those are the port numbers you see,
    the stuff is relatively harmless.

    Old guy
     
    Moe Trin, Sep 22, 2005
    #14
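The thread's triage advice (10.x and the other RFC1918 ranges are not IANA; UDP 67/68 is your ISP's DHCP and should not be blocked; 1433/1434 is SQL Slammer-style traffic; anything else can be dropped if your connection still works) as an added Python example. This is not code from any poster, and the log layout is constructed for the example rather than Sygate's real format; the destination host and the non-10.96.64.1 sources are made up.

```python
import ipaddress
import re

# Ranges the thread discusses: RFC1918 private space and the RFC3927
# link-local range. An ISP doing RFC2827 ingress filtering should never
# deliver a packet from the Internet with one of these as its source.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed log format for this example (NOT Sygate's real log layout):
#   <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>\w+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def classify_source(ip_str):
    """Say where a source address can plausibly have come from."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in PRIVATE_RANGES):
        return "rfc1918"        # ISP plant, your own LAN, or a spoofed source
    if ip in LINK_LOCAL:
        return "link-local"     # must not be forwarded at all (RFC3927 2.7)
    return "public"

def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return None if m is None else m.groupdict()

def triage(fields):
    """Apply the thread's advice to one parsed entry and return a verdict."""
    src_class = classify_source(fields["src"])
    dport = int(fields["dport"])
    if fields["proto"] == "UDP" and dport in (67, 68) and src_class == "rfc1918":
        # Moe Trin's point: blocking ISP DHCP eventually costs you your lease.
        return "expected ISP DHCP; do not block"
    if dport in (1433, 1434):
        # Mark's point: Slammer-style probes, often from 10.x space; block.
        return "worm/scanner probe; block"
    if src_class in ("rfc1918", "link-local"):
        # Not IANA: a local or ISP-internal origin. Safe to drop as long as
        # your connection still works, which is the test the thread proposes.
        return "local/ISP origin, not IANA; block if connectivity is fine"
    return "public source; block unless you run a service on port %d" % dport

def triage_log(text):
    """Triage every parseable line; unparseable lines are skipped."""
    results = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields:
            results.append((fields["src"], int(fields["dport"]), triage(fields)))
    return results

# Constructed sample log. 10.96.64.1 is the address from the original post;
# the destination host and the other sources are made up for this example.
SAMPLE_LOG = """\
2005-09-21T00:47:38 BLOCKED UDP 10.96.64.1:67 -> 10.96.70.12:68
2005-09-21T00:48:02 BLOCKED UDP 10.96.64.1:1026 -> 10.96.70.12:1434
2005-09-21T00:49:15 BLOCKED UDP 169.254.3.9:5000 -> 10.96.70.12:1027
2005-09-21T00:50:00 BLOCKED UDP 198.51.100.7:40000 -> 10.96.70.12:1026
this line is not a log entry
"""

if __name__ == "__main__":
    for src, dport, verdict in triage_log(SAMPLE_LOG):
        print("%-15s -> udp/%-5d %s" % (src, dport, verdict))
```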
  15. Management Guest

    Moe Trin wrote:

    >
    > I suspect that is all that Gibson the marketeer is testing.


    Sour Grapes Mr M? At least Steve does not go around making empty
    snide remarks about other people.


    Charlie.


    --
    Broadcasting to the environs
    www.radiowymsey.org
     
    Management, Sep 22, 2005
    #15
  16. Jim Watt Guest

    On Thu, 22 Sep 2005 14:50:32 -0500,
    (Moe Trin) wrote:

    >In the Usenet newsgroup alt.computer.security, in article
    ><>, Jim Watt wrote:
    >
    >>(Moe Trin) wrote:

    >
    >>>Sure, but I'm not aware of too many routers that use 10.x.x.x.

    >>
    >>Those using the Conexant chip set do, but their default is
    >>10.0.0.2

    >
    >Wonderful. 17.9 million addresses available, and they decide to
    >waste 16.8 million of them with their brain-dead choice of a default.
    >I notice another address used is 10.10.1.10, also with a /8.


    I rather think you are missing the point, as 10.x.x.x is reserved for
    this sort of thing and as it's non-routable it's re-usable.

    There are class A, B, C addresses for the purpose, the most
    common being 192.168.x.x, but there is a 172. something or other
    that's less frequently used.


    >Actually 169.254.0.0/16 would be a far wiser choice, and windoze boxes


    No no no

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 23, 2005
    #16
  17. Jim Watt Guest

    On Thu, 22 Sep 2005 21:22:45 +0100, Management
    <> wrote:

    >Moe Trin wrote:
    >
    >>
    >> I suspect that is all that Gibson the marketeer is testing.

    >
    >Sour Grapes Mr M?


    I bought SpinRite 5 and 6 and it's a great product that does what
    it says. With today's disks it takes forever, but worth the wait.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 23, 2005
    #17
  18. "Management" <> wrote in message
    news:433311d3$0$49013$...
    > Moe Trin wrote:
    >
    > >
    > > I suspect that is all that Gibson the marketeer is testing.

    >
    > Sour Grapes Mr M? At least Steve does not go around making empty
    > snide remarks about other people.


    Quite right.

    He actually makes empty pseudo-technical commentaries where he emerges the
    hero.

    Although it's probably best not to mention the whole Win2000/XP/Raw Sockets
    thang. That said - having just checked - he's updated the attack analysis in
    a highly entertaining and readable way (and - at last! - dropped claims to
    have written a custom IP stack that exists as an ISAPI DLL)

    He's done an awful lot to promote the idea of adequate security to Joe
    Punter on the 'Net. Which is good. Actually, "very good".

    But let's not confuse that with accuracy, or a lack of self-serving
    "uber-software" that simply duplicates a vendor-supplied built-in function.

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Sep 23, 2005
    #18
  19. "Moe Trin" <> wrote in message
    news:...
    > In the Usenet newsgroup alt.computer.security, in article
    > <iCwYe.13312$>, Hairy One Kenobi wrote:


    <snip>

    > >It's quite possible (even likely!) that the OP's firewall is warning on
    > >DHCP. Zone Alarm (spit!) certainly used to.

    >
    > I thought of that - but thought that if the O/P is blocking that, his own
    > IP would expire, and the connection fail. On the other hand, if the DHCP
    > lease is something like 12 or 24 hours, and the O/P shuts down the computer
    > after an hour or two, it likely doesn't matter. To the O/P, DHCP uses port
    > 67 on the server, and 68 on the client. If those are the port numbers you see,
    > the stuff is relatively harmless.


    Yup. You can get away with it for a while (depending upon how crowded the
    infrastructure is), but there's always the chance that switching-off for a
    week's holiday results in no IP when you get back.

    It used to come up quite regularly in the NTL internal newsfroups. Haven't
    had time to check recently...

    H1K
     
    Hairy One Kenobi, Sep 23, 2005
    #19
  20. Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <433311d3$0$49013$>, Management wrote:
    >Moe Trin wrote:


    >> I suspect that is all that Gibson the marketeer is testing.

    >
    >Sour Grapes Mr M? At least Steve does not go around making empty
    >snide remarks about other people.


    No, he makes totally clueless network statements such as:

    -------
    But, of course, this "affirmative denial" also lets the sending system
    know that a system actually exists on the receiving end . . . which is
    what we want to avoid in the case of malicious hackers attempting to
    probe our systems.

    I coined the term 'Stealth' when I developed this site's port probing
    technology to describe a closed port that chooses to remain completely
    hidden by sending nothing back to its attempted opener, preferring
    instead to appear not to exist at all.
    -------

    which just shows he doesn't understand how networking works - particularly
    those darned routers that do announce that a non-existent IP address
    really doesn't exist - rather than just ignoring those packets. Or
    haven't you tried using the original 'traceroute' to investigate things?

    This is a trace to a stealthed host (I've deleted the hostname normally
    seen in the first column for space and privacy reasons, and masked the
    first octet of the address to avoid having fools attack this particular
    set of hosts):

    14 (XXX.117.52.49) 329.807 ms 309.331 ms 309.864 ms
    15 (XXX.181.218.10) 329.744 ms 329.413 ms 299.859 ms
    16 * * *
    17 * * *

    I have another (similar) tool that tells me that hop 16 is some kind of
    firewall that is NAT/Port-Forwarding to a host - hop 17 comes back with
    an indication from a server, but with the address of hop 16.

    Similar trace - host exists, and is reachable:

    14 (XXX.117.52.49) 348.127 ms 327.441 ms 339.921 ms
    15 (XXX.181.218.10) 350.116 ms 331.256 ms 333.981 ms
    16 (XXX.87.184.55) 339.793 ms 529.427 ms 469.787 ms

    Similar trace - host does not exist, or is turned off or disconnected

    14 (XXX.117.52.49) 409.373 ms 329.452 ms 331.011 ms
    15 (XXX.181.218.10) 419.833 ms !H

    Here - the router at hop 15 tells me that it knows how to get "there" (or
    I'd see a !N = Network Unreachable), but the host (!H) isn't there. For
    some strange reason, Steve doesn't want to admit to this concept. Wonder
    why.

    Old guy
     
    Moe Trin, Sep 23, 2005
    #20
