UDP errors

Discussion in 'Computer Security' started by Gomek, May 21, 2006.

  1. Gomek

    Gomek Guest

    Hi. I reformatted my hard drive and reinstalled everything. I have a
    Linksys router and Zone Alarm installed. I noticed, after I had set
    everything up, there have been some alerts from ZA saying a packet from an
    IP address has been blocked by ZA. I never received these before, and it
    makes me think something might not be set up right in my router? Any
    suggestions would be appreciated.

    Thanks!
     
    Gomek, May 21, 2006
    #1

  2. Gomek wrote:
    > Hi. I reformatted my hard drive and reinstalled everything. I have a
    > Linksys router and Zone Alarm installed.


    So why did you ruin your new system in first place?

    > I noticed, after I had set
    > everything up, there have been some alerts from ZA saying a packet from an
    > IP address has been blocked by ZA.


    That's bad, those messages are annoying. Doesn't it support silent logging?

    > I never received these before, and it
    > makes me think something might not be set up right in my router?


    Eh... nothing? A router is not a security measure.

    > Any suggestions would be appreciated.


    Uninstall ZoneAlarm and get a serious security concept. Your router is
    actually quite useful for building up a real firewall.
     
    Sebastian Gottschalk, May 22, 2006
    #2

  3. Gomek

    Jim Watt Guest

    On Mon, 22 May 2006 04:02:35 +0200, Sebastian Gottschalk
    <> wrote:

    >> Any suggestions would be appreciated.

    >
    >Uninstall ZoneAlarm and get a serious security concept. Your router is
    >actually quite useful for building up a real firewall.


    Gottschalk is a plonker.

    Your router is effective at providing protection against incoming
    threats, where ZA is useful is identifying and blocking processes
    on your computer which want to call out.

    The two complement each other.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, May 22, 2006
    #3
  4. Gomek

    Roger Parks Guest

    Gomek wrote:
    > Hi. I reformatted my hard drive and reinstalled everything. I have a
    > Linksys router and Zone Alarm installed. I noticed, after I had set
    > everything up, there have been some alerts from ZA saying a packet from an
    > IP address has been blocked by ZA. I never received these before, and it
    > makes me think something might not be set up right in my router? Any
    > suggestions would be appreciated.
    >
    > Thanks!


    Your Linky is working as designed. Out of the box, most Linksys routers
    are NOT stateful firewalls. They will faithfully NAT your LAN, and drop
    unsolicited inbound packets from drive-by scans; but will not challenge
    inbound traffic once you've established an outbound routing-table entry
    - which can happen in many ways, good and not-so-good.

    This blocked packet could have been from a legitimate connection which
    is trying to keep the connection current, or from a malicious
    connection established by a browser link, or any of a number of things.

    IIWU, I'd upgrade the Linky with one of the open-source, Linux OS's
    that includes a proper, stateful firewall (and in some cases attack
    behaviour detection).

    (Also, Sebastian mentioned replacing ZA with a more comprehensive
    security solution ....... Yep - Agree with that.

    But that requires some thought and a broader perspective (e.g. user
    behaviour, potential loss, inventory of threats, which tools deal with
    which threats, etc. :) ) for which most users have no appetite. And it
    becomes religious very quickly.)
     
    Roger Parks, May 22, 2006
    #4
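The filtering difference described in the post above, as an added example that is not part of the original thread: a toy model of a NAT router that either forwards any inbound UDP datagram once a port mapping exists, or additionally checks that the sender was contacted first. The class, addresses and ports are constructed for illustration, and mapping timeouts are left out.

```python
# Added illustration: toy model of inbound UDP filtering on a NAT router.
# All names, addresses and ports are constructed; no real firmware is modelled.
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    strict: bool                     # True = also match the remote endpoint
    next_port: int = 40000
    # external port -> (lan_ip, lan_port, set of remote endpoints contacted)
    mappings: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host sends a datagram: create or reuse a mapping."""
        for ext_port, (ip, port, peers) in self.mappings.items():
            if (ip, port) == (lan_ip, lan_port):
                peers.add((remote_ip, remote_port))
                return ext_port
        ext_port = self.next_port
        self.next_port += 1
        self.mappings[ext_port] = (lan_ip, lan_port, {(remote_ip, remote_port)})
        return ext_port

    def inbound(self, src_ip, src_port, ext_port):
        """Return the LAN endpoint the datagram is forwarded to, or None if dropped."""
        entry = self.mappings.get(ext_port)
        if entry is None:
            return None              # unsolicited: no mapping at all
        lan_ip, lan_port, peers = entry
        if self.strict and (src_ip, src_port) not in peers:
            return None              # mapping exists, but this sender was never contacted
        return (lan_ip, lan_port)

def demo(strict):
    """Same three inbound datagrams against a loose or a strict router."""
    r = NatRouter(strict=strict)
    results = {"scan_before": r.inbound("203.0.113.9", 4444, 40000)}
    ext = r.outbound("192.168.1.100", 5060, "198.51.100.7", 5060)
    results["reply"] = r.inbound("198.51.100.7", 5060, ext)
    results["third_party"] = r.inbound("203.0.113.9", 4444, ext)
    return results

if __name__ == "__main__":
    print("loose :", demo(False))
    print("strict:", demo(True))
```

In the loose case the third-party datagram is forwarded to the PC, which is the point where a host firewall would see it and raise a blocked-packet alert.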
  5. Roger Parks wrote:

    > Your Linky is working as designed. Out of the box, most Linksys routers
    > are NOT stateful firewalls. They will faithfully NAT your LAN, and drop
    > unsolicited inbound packets from drive-by scans;


    If due to using DHCP the routers know that there's only one client, a
    full 1:1 NAT forwarding would be correct as well. Not to mention many
    other heuristics... assuming that it will drop unrelated inbound traffic
    is wrong.

    > but will not challenge inbound traffic once you've established an outbound
    > routing-table entry - which can happen in many ways, good and not-so-good.


    Doesn't look like that applies here.

    > IIWU, I'd upgrade the Linky with one of the open-source, Linux OS's
    > that includes a proper, stateful firewall (and in some cases attack
    > behaviour detection).


    If it's a v5 (based on VxWorks instead of Linux), this could be a
    comprehensive task. So far only DD-WRT is working, and still not as
    stable as the previous versions.

    And well, attack behaviour detection is bullshit. Want to flood yourself
    with useless log data - or do you want to apply automatic blocking,
    therefore creating a simple-to-exploit DoS condition?
     
    Sebastian Gottschalk, May 22, 2006
    #5
  6. Gomek

    Roger Parks Guest

    Sebastian Gottschalk wrote:
    > Roger Parks wrote:
    >
    > > Your Linky is working as designed. Out of the box, most Linksys routers
    > > are NOT stateful firewalls. They will faithfully NAT your LAN, and drop
    > > unsolicited inbound packets from drive-by scans;

    >
    > If due to using DHCP the routers know that there's only one client, a
    > full 1:1 NAT forwarding would be correct as well. Not to mention many
    > other heuristics... assuming that it will drop unrelated inbound traffic
    > is wrong.


    Right you are.

    I was presuming it was configured to send unknown inbound to a "DMZ".
    Don't really know how the latest ones are set up (mine is a couple of
    years old).

    > > IIWU, I'd upgrade the Linky with one of the open-source, Linux OS's
    > > that includes a proper, stateful firewall (and in some cases attack
    > > behaviour detection).

    >
    > If it's a v5 (based on VxWorks instead of Linux), this could be a
    > comprehensive task. So far only DD-WRT is working, and still not as
    > stable as the previous versions.


    An interesting task ...and a better firewall than the traditional Linky
    factory setup.

    Alternatively get an older <v5, or the SL (?) version.

    >
    > And well, attack behaviour detection is bullshit. Want to flood yourself
    > with useless log data - or do you want to apply automatic blocking,
    > therefore creating a simple-to-exploit DoS condition?


    Bullshit? Perhaps if you sit there and watch raw logs all the time.
    But who does that??

    Once you're convinced that your box is secure, you turn off that
    logging - turning it back on when you're testing your box, or surfing
    on the "wild side" trying to see what they're doing.

    For day to day use, I've turned off the wan firewall syslog popups, and
    monitor onboard Snort (with information and nuisance messages
    deactivated). An alternative syslog configuration reactivates the
    "bullshit" messages when I need them.

    But this is a different conversation than the one asked for....... he
    wanted to know why a sym got past his "stock" Linky, and suggestions
    for it.
     
    Roger Parks, May 22, 2006
    #6
  7. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    "Gomek" <> wrote:

    > Hi. I reformatted my hard drive and reinstalled everything. I have a
    > Linksys router and Zone Alarm installed. I noticed, after I had set
    > everything up, there have been some alerts from ZA saying a packet
    > from an IP address has been blocked by ZA. I never received these
    > before, and it makes me think something might not be set up right in
    > my router? Any suggestions would be appreciated.


    Need more input. :)


    I take it from the Subject line we're talking UDP packets?

    What source/destination port?

    What IP? Inside your ISP's "home network" or not?

    What make and model of router?

    Did you change anything at all in your router's configuration?

    Did you install the exact same version of ZA? Is it configured
    *exactly* the same as your old copy?

    For that matter, did you install the exact same version of Windows, and
    patch/update it to the exact degree it was before?

    My knee jerk, gut reaction without knowing anything at all except you're
    seeing a warning about UDP traffic you didn't see before, is that the
    "fault" lies with ZA. Something you tweaked before and haven't tweaked
    since the reinstall, or possibly some minor version issue.

    The good news is if it really is unwanted traffic ZA is apparently doing
    its job so there's no reason to panic. ;-) Figure out what sort of
    traffic it is, then deal with it accordingly. Allow it if you want,
    discard it if you see fit, and enable/disable whatever levels of
    warnings you're comfortable with. :)
    -----BEGIN PGP SIGNATURE-----

    iD8DBQFEcOmPno5iexlRIBERA8mwAJwIcRqE012rug9N2xTwTj25X4VaHACdH4Lj
    LEJy2Eo5MjKc8+quYyK3Ylg=
    =ieuN
    -----END PGP SIGNATURE-----
     
    Sheik Yurbhuti, May 22, 2006
    #7
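One way to answer the triage questions in the post above (which ports, and whether the source is on the LAN, inside the ISP's network or elsewhere), as an added example that is not part of the original thread. The log format, the sample entries and the ISP range are constructed assumptions, not ZoneAlarm's real log layout.

```python
# Added illustration: summarise blocked packets by source origin and
# destination port. Format and sample data are constructed (IPv4 only).
import ipaddress
from collections import Counter

SAMPLE_LOG = """\
2006-05-21T10:02:11,UDP,192.168.1.1:1900,239.255.255.250:1900
2006-05-21T10:05:40,UDP,198.51.100.23:31337,192.168.1.100:1026
2006-05-21T10:05:52,UDP,198.51.100.77:40211,192.168.1.100:1026
2006-05-21T10:09:03,UDP,203.0.113.5:53,192.168.1.100:1045
2006-05-21T10:11:30,ICMP,192.168.1.10,192.168.1.100
"""

# Explicit RFC 1918 ranges; ipaddress.is_private also matches other
# reserved blocks, which would misclassify the sample addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ISP_NET = ipaddress.ip_network("198.51.100.0/24")   # assumed ISP range

def split_endpoint(text):
    """'ip:port' -> (ip_address, port); a bare IP (ICMP) gets port None."""
    host, _, port = text.partition(":")
    return ipaddress.ip_address(host), (int(port) if port else None)

def origin(ip):
    """Classify a source address as 'lan', 'isp' or 'internet'."""
    if any(ip in net for net in RFC1918):
        return "lan"
    return "isp" if ip in ISP_NET else "internet"

def triage(log_text, proto="UDP"):
    """Count blocked packets of one protocol by (origin, destination port)."""
    summary = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, line_proto, src, dst = line.split(",")
        if line_proto != proto:
            continue
        src_ip, _ = split_endpoint(src)
        _, dst_port = split_endpoint(dst)
        summary[(origin(src_ip), dst_port)] += 1
    return summary

if __name__ == "__main__":
    for key, count in triage(SAMPLE_LOG).most_common():
        print(key, count)
```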
  8. Gomek

    Gomek Guest

    Hi. Thanks to everyone who contributed. I noticed the last few days I
    haven't had any more UDP packets blocked from Zone Alarm. Most of the
    alerts I get (I don't have them pop up by the way) are ICMP and they are
    internal xxx.xxx.xxx.001 to xxx.xxx.xxx.010 or whatever. I am computer
    savvy, but please excuse my slight ignorance when it comes to these issues.
    Thanks again!


    "Sheik Yurbhuti" <> wrote in message
    news:...
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: RIPEMD160
    >
    > "Gomek" <> wrote:
    >
    >> Hi. I reformatted my hard drive and reinstalled everything. I have a
    >> Linksys router and Zone Alarm installed. I noticed, after I had set
    >> everything up, there have been some alerts from ZA saying a packet
    >> from an IP address has been blocked by ZA. I never received these
    >> before, and it makes me think something might not be set up right in
    >> my router? Any suggestions would be appreciated.

    >
    > Need more input. :)
    >
    >
    > I take it from the Subject line we're talking UDP packets?
    >
    > What source/destination port?
    >
    > What IP? Inside your ISP's "home network" or not?
    >
    > What make and model of router?
    >
    > Did you change anything at all in your router's configuration?
    >
    > Did you install the exact same version of ZA? Is it configured
    > *exactly* the same as your old copy?
    >
    > For that matter, did you install the exact same version of Windows, and
    > patch/update it to the exact degree it was before?
    >
    > My knee jerk, gut reaction without knowing anything at all except you're
    > seeing a warning about UDP traffic you didn't see before, is that the
    > "fault" lies with ZA. Something you tweaked before and haven't tweaked
    > since the reinstall, or possibly some minor version issue.
    >
    > The good news is if it really is unwanted traffic ZA is apparently doing
    > its job so there's no reason to panic. ;-) Figure out what sort of
    > traffic it is, then deal with it accordingly. Allow it if you want,
    > discard it if you see fit, and enable/disable whatever levels of
    > warnings you're comfortable with. :)
    > -----BEGIN PGP SIGNATURE-----
    >
    > iD8DBQFEcOmPno5iexlRIBERA8mwAJwIcRqE012rug9N2xTwTj25X4VaHACdH4Lj
    > LEJy2Eo5MjKc8+quYyK3Ylg=
    > =ieuN
    > -----END PGP SIGNATURE-----
    >
     
    Gomek, May 23, 2006
    #8