Zone Alarm Firewall Attacks

Discussion in 'Wireless Networking' started by MadDog, Oct 12, 2005.

  1. I have a DSL modem (IP address 192.168.0.1) and a Linksys DI-524 wireless
    router. I am using ZoneAlarm Pro on my PC, Windows XP Pro. ZoneAlarm keeps
    detecting what seems to be the modem (192.168.0.1:53) pinging the computer's
    ports (192.168.10.100:nnnn where nnnn is anywhere from 1000 - 5000)

    When I had an AirLink router (802.11b), ZoneAlarm never reported any attacks.

    Should I be concerned?

    TIA

    MadDog
    MadDog, Oct 12, 2005
    #1

  2. N. Miller (Guest)

    On Tue, 11 Oct 2005 23:08:02 -0700, MadDog wrote:

    > I have a DSL modem (IP address 192.168.0.1) and a Linksys DI-524 wireless
    > router. I am using ZoneAlarm Pro on my PC, Windows XP Pro. ZoneAlarm keeps
    > detecting what seems to be the modem (192.168.0.1:53) pinging the computer's
    > ports (192.168.10.100:nnnn where nnnn is anywhere from 1000 - 5000)
    >
    > When I had an AirLink router (802.11b), ZoneAlarm never reported any attacks.
    >
    > Should I be concerned?


    Modem at 192.168.0.1; sounds familiar...

    From your headers:

    X-WBNR-Posting-Host: 69.226.223.162

    Ah, thought so! Either a SpeedStream 4100 (new issue), or SpeedStream 5100B
    (older, out of production issue).

    They aren't "attacks" (does ZAP really call them "attacks"? I use Kerio
    Personal Firewall in conjunction with Kiwi Syslog Daemon. Nothing I see is
    reported as an "attack"), just logged probes.

    Hmmm. I first set up my SS4100 on August 25 this year. Looking at Kiwi
    Syslog Daemon I see the first entry subsequent to that installation:

    | 2005-08-24 21:52:00 Local7.Warning 192.168.102.1 2005 Aug 24 21:51:51 (FR114P-2c-f2-3a) 66.125.89.88 UDP packet - Source:192.168.0.1,137 ,WAN - Destination:66.125.89.88,137 ,LAN [Drop] - [Inbound Default rule match]
    | 2005-08-24 21:52:05 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1141->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE
    | 2005-08-24 21:52:07 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1141->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE
    | 2005-08-24 21:52:09 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1144->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE
    | 2005-08-24 21:52:10 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1144->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE

    Most recent entry:

    | 2005-10-07 05:36:58 Local7.Warning 192.168.102.1 2005 Oct 07 05:37:04 (FR114P-2c-f2-3a) 192.168.1.64 UDP packet - Source:192.168.0.1,137 ,WAN - Destination:192.168.1.64,137 ,LAN [Forward] - [Inbound Rule(2) match]

    Oh, I haven't caught any KPF entries recently; probably already changed
    things. What you need to do is to set Zone Alarm Pro to trust your modem IP
    address. Your DNS server IP address should now be, "192.168.0.1". If you go
    here:

    http://192.168.0.1/

    ....you should see the modem "Connection Information" page; with a list
    similar to this (first few lines):

    | Connection Information
    |
    | DSL UP
    | Connection UP
    | User ID %UserID%@pacbell.net
    | Connected at 1536 Kbps (downstream)
    | 384 Kbps (upstream)
    | IP Address 69.226.223.162
    | IP Gateway 69.226.223.254
    | DNS Servers 206.13.31.12 dns1-sac.scrmca.sbcglobal.net
    | 206.13.28.12 dns1.snfcca.sbcglobal.net
    | Mode PPP on the modem (Public IP for LAN device)
    | Timeout Never

    Your DNS servers should be the same as my cousin's, both of you on the
    'pltn13' access concentrator. You can find your access concentrator on this
    page:

    http://192.168.0.1/techreadout.htm

    Mine is on line 292, thus:

    | 292 PPP Access Concentrator 90064060300098-rback14.sntcca

    As for that UDP packet to port 137; the SS4100, and the SS5100B are
    actually built by Siemens as routers; they are configured in firmware for
    SBC as "single device routers", so they don't work the same way as the
    generic Siemens products. The generic router would use NetBIOS to find the
    device names of the computers on the LAN. If your D-Link router is logging
    those, you can ignore those log entries.

    The main thing is, configure Zone Alarm Pro to trust IP address
    192.168.0.1. Also, if your mode is set to "PPP on the modem, use private IP
    address", you should set 192.168.1.64 as a trusted IP address in Zone Alarm
    Pro. From the same "Technician Readout" page linked above:

    | 121 DHCP Start IP Address 192.168.1.64
    | 122 DHCP End IP Address 192.168.1.64
    | 123 DHCP Default Gateway 192.168.0.1
    | 124 DHCP Default Lease Time 000 days 00:10:00
    | 125 Domain name domain_not_set.invalid

    BTW, with those UDP probes to port 147, and a computer connected directly
    to the modem, an ipconfig -all command would show:

    Host Name: %ComputerName%.domain_not_set.invalid

    If your D-Link router has a place to enter a domain name on the setup page,
    and you put "sbcglobal.net" in that field, you would see:

    Host Name: %ComputerName%.sbcglobal.net

    ....when you run ipconfig -all.

    Here is mine:

    |
    | Windows IP Configuration
    |
    | Host Name . . . . . . . . . : MEGUMI.aosake.net
    | DNS Servers . . . . . . . . : 192.168.0.1
    | Node Type . . . . . . . . . : Broadcast
    | NetBIOS Scope ID. . . . . . :
    | IP Routing Enabled. . . . . : No
    | WINS Proxy Enabled. . . . . : No
    | NetBIOS Resolution Uses DNS : No
    |
    | Ethernet adapter :

    --
    Norman
    ~Win dain a lotica, En vai tu ri, Si lo ta
    ~Fin dein a loluca, En dragu a sei lain
    ~Vi fa-ru les shutai am, En riga-lint
    N. Miller, Oct 12, 2005
    #2
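The triage N. Miller does by hand above (the modem is the DNS forwarder, so 192.168.0.1:53 talking to high client ports is a DNS reply, and 192.168.0.1:137 is the modem's NetBIOS name lookup) can be written down as a small classifier. The following is an added example and not code from the thread or from Kerio, Kiwi or ZoneAlarm. It parses the two syslog formats quoted in the post (the Kerio Personal Firewall outbound rule line and the Netgear FR114P packet line), assumes the allow-list of modem addresses the post recommends (192.168.0.1 and 192.168.1.64), and labels each packet with why it is expected; the third sample line is constructed to show a resolver address the allow-list does not explain.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical allow-list for this example: the two addresses the thread says the
# modem can appear from (its LAN address, which is also the DNS forwarder, and the
# private DHCP address it hands out when the PPP session is down).
TRUSTED_GATEWAYS = {"192.168.0.1", "192.168.1.64"}
DNS_PORT = 53
NETBIOS_NS_PORT = 137
# The poster's "nnnn is anywhere from 1000 - 5000": the client-side ports that
# DNS replies come back to.
CLIENT_PORT_RANGE = range(1000, 5001)


@dataclass
class FlowEvent:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    action: str
    owner: Optional[str] = None


# Kerio Personal Firewall rule line as relayed through Kiwi Syslog Daemon; only the
# outbound form quoted in the post is parsed here.
KPF_OUT_RE = re.compile(
    r"Rule '(?P<rule>[^']+)': (?P<action>\w+): Out (?P<proto>UDP|TCP), "
    r"localhost:(?P<lport>\d+)->\S* \[(?P<rip>[\d.]+):(?P<rport>\d+)\]"
)
# Netgear FR114P router line from the same syslog stream.
FR114P_RE = re.compile(
    r"(?P<proto>UDP|TCP) packet - Source:(?P<sip>[\d.]+),(?P<sport>\d+) ,\w+ - "
    r"Destination:(?P<dip>[\d.]+),(?P<dport>\d+) ,\w+ \[(?P<action>\w+)\]"
)
OWNER_RE = re.compile(r"Owner: (?P<owner>.+?)\s*$")


def parse_line(line: str) -> Optional[FlowEvent]:
    """Turn one syslog line into a FlowEvent, or None if the format is unknown."""
    m = KPF_OUT_RE.search(line)
    if m:
        owner = OWNER_RE.search(line)
        return FlowEvent("localhost", int(m["lport"]), m["rip"], int(m["rport"]),
                         m["proto"], m["action"], owner["owner"] if owner else None)
    m = FR114P_RE.search(line)
    if m:
        return FlowEvent(m["sip"], int(m["sport"]), m["dip"], int(m["dport"]),
                         m["proto"], m["action"])
    return None


def classify(ev: FlowEvent) -> str:
    """Explain a logged packet in terms of the behaviour described in the thread."""
    from_gateway = ev.src_ip in TRUSTED_GATEWAYS
    to_gateway = ev.dst_ip in TRUSTED_GATEWAYS
    if ev.proto == "UDP" and to_gateway and ev.dst_port == DNS_PORT:
        # A local program asked the modem's DNS forwarder; the reply comes back from :53.
        return "dns-query-to-resolver"
    if (ev.proto == "UDP" and from_gateway and ev.src_port == DNS_PORT
            and ev.dst_port in CLIENT_PORT_RANGE):
        # What ZoneAlarm reported as 192.168.0.1:53 "pinging" high ports.
        return "dns-reply-from-resolver"
    if (ev.proto == "UDP" and from_gateway
            and ev.src_port == NETBIOS_NS_PORT and ev.dst_port == NETBIOS_NS_PORT):
        # The modem's NetBIOS name lookup of LAN hosts; safe to ignore.
        return "netbios-name-probe-from-modem"
    if from_gateway or to_gateway:
        return "gateway-other"      # from the modem, but not one of the known patterns
    return "unexplained"            # neither endpoint is the modem: worth a look


def triage(lines: Iterable[str]) -> Counter:
    """Count verdicts over a batch of log lines; unparseable lines are counted too."""
    verdicts = Counter()
    for line in lines:
        ev = parse_line(line)
        verdicts[classify(ev) if ev else "unparsed"] += 1
    return verdicts


# Sample input: the first two lines are quoted from the post; the third is constructed
# to show a DNS-looking packet from an address the allow-list does not cover.
SAMPLE_LINES = [
    r"2005-08-24 21:52:00 Local7.Warning 192.168.102.1 2005 Aug 24 21:51:51 (FR114P-2c-f2-3a) 66.125.89.88 UDP packet - Source:192.168.0.1,137 ,WAN - Destination:66.125.89.88,137 ,LAN [Drop] - [Inbound Default rule match]",
    r"2005-08-24 21:52:05 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1141->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE",
    r"2005-08-24 21:53:00 Local7.Warning 192.168.102.1 2005 Aug 24 21:52:51 (FR114P-2c-f2-3a) 203.0.113.9 UDP packet - Source:203.0.113.9,53 ,WAN - Destination:192.168.102.101,1141 ,LAN [Drop] - [Inbound Default rule match]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_line(line)
        print(classify(ev) if ev else "unparsed", "<-", line[:60])
    print(triage(SAMPLE_LINES))
```

Trusting the modem address outright in ZoneAlarm, as the post recommends, is broader than what the classifier accepts: it lets anything at 192.168.0.1 through, not only UDP replies from port 53 and NetBIOS name lookups. A per-port rule keeps the "probe" noise out of the log while still reporting any other traffic from the same address.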

  3. N. Miller (Guest)

    On Wed, 12 Oct 2005 09:20:07 -0700, N. Miller wrote:

    > BTW, with those UDP probes to port 147...


    Duh-oh. S/B "port 137"...

    --
    Norman
    ~Win dain a lotica, En vai tu ri, Si lo ta
    ~Fin dein a loluca, En dragu a sei lain
    ~Vi fa-ru les shutai am, En riga-lint
    N. Miller, Oct 12, 2005
    #3
  4. Norman,

    Thanks for the reply. I added 192.168.0.1 and 192.168.1.64 to ZAPs
    trusted IP address list. So far, I haven't seen any "probes".

    MD

    MadDog, Oct 13, 2005
    #4
  5. N. Miller (Guest)

    On Wed, 12 Oct 2005 19:57:02 -0700, MadDog wrote:

    > Thanks for the reply. I added 192.168.0.1 and 192.168.1.64 to ZAPs
    > trusted IP address list. So far, I haven't seen any "probes".


    Any time. Not particularly germane to what you experienced, but an
    interesting anecdote for the SS5100B/SS4100 user. My SS4100 is configured
    with "PPP on the modem, use public IP address". For some reason, SBC
    decided on their own to send a technician to work on our NID. My mother
    told me about when it happened; I found the exact time (as accurate as NTP
    servers can get it) in my logs. The tech disconnected the premises for some
    testing. That stopped the PPPoE session. When the router sought to renew
    the IP address lease, with no DSL sync, the modem issued its default DHCP
    IP address to the router; for about thirty minutes my router had
    192.168.1.64 on the WAN port, and no Internet connection. It would have
    been noticeable had anyone been using the computer at that time.

    --
    Norman
    ~Win dain a lotica, En vai tu ri, Si lo ta
    ~Fin dein a loluca, En dragu a sei lain
    ~Vi fa-ru les shutai am, En riga-lint
    N. Miller, Oct 13, 2005
    #5
