Zone Alarm Firewall Attacks

Discussion in 'Wireless Networking' started by MadDog, Oct 12, 2005.

  1. I have a DSL modem (IP address 192.168.0.1) and a Linksys DI-524 wireless
    router. I am using ZoneAlarm Pro on my PC, Windows XP Pro. ZoneAlarm keeps
    detecting what seems to be the modem (192.168.0.1:53) pinging the computer's
    ports (192.168.10.100:nnnn where nnnn is anywhere from 1000 - 5000)

    When I had an AirLink router (802.11b), ZoneAlarm never reported any attacks.

    Should I be concerned?

    TIA

    MadDog
     
    MadDog, Oct 12, 2005
    #1

  2. N. Miller (Guest), replying to MadDog

    Modem at 192.168.0.1; sounds familiar...

    From your headers:

    X-WBNR-Posting-Host: 69.226.223.162

    Ah, thought so! Either a SpeedStream 4100 (new issue), or SpeedStream 5100B
    (older, out of production issue).

    They aren't "attacks" (does ZAP really call them "attacks"? I use Kerio
    Personal Firewall in conjunction with Kiwi Syslog Daemon. Nothing I see is
    reported as an "attack"), just logged probes.

    Hmmm. I first set up my SS4100 on August 25 this year. Looking at Kiwi
    Syslog Daemon I see the first entry subsequent to that installation:

    | 2005-08-24 21:52:00 Local7.Warning 192.168.102.1 2005 Aug 24 21:51:51 (FR114P-2c-f2-3a) 66.125.89.88 UDP packet - Source:192.168.0.1,137 ,WAN - Destination:66.125.89.88,137 ,LAN [Drop] - [Inbound Default rule match]
    | 2005-08-24 21:52:05 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1141->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE
    | 2005-08-24 21:52:07 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1141->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE
    | 2005-08-24 21:52:09 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1144->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE
    | 2005-08-24 21:52:10 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1144->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE

    Most recent entry:

    | 2005-10-07 05:36:58 Local7.Warning 192.168.102.1 2005 Oct 07 05:37:04 (FR114P-2c-f2-3a) 192.168.1.64 UDP packet - Source:192.168.0.1,137 ,WAN - Destination:192.168.1.64,137 ,LAN [Forward] - [Inbound Rule(2) match]

    Oh, I haven't caught any KPF entries recently; probably already changed
    things. What you need to do is to set Zone Alarm Pro to trust your modem IP
    address. Your DNS server IP address should now be, "192.168.0.1". If you go
    here:

    http://192.168.0.1/

    ...you should see the modem "Connection Information" page; with a list
    similar to this (first few lines):

    | Connection Information
    |
    | DSL UP
    | Connection UP
    | User ID %UserID%@pacbell.net
    | Connected at 1536 Kbps (downstream)
    | 384 Kbps (upstream)
    | IP Address 69.226.223.162
    | IP Gateway 69.226.223.254
    | DNS Servers 206.13.31.12 dns1-sac.scrmca.sbcglobal.net
    | 206.13.28.12 dns1.snfcca.sbcglobal.net
    | Mode PPP on the modem (Public IP for LAN device)
    | Timeout Never

    Your DNS servers should be the same as my cousin's, both of you on the
    'pltn13' access concentrator. You can find your access concentrator on this
    page:

    http://192.168.0.1/techreadout.htm

    Mine is on line 292, thus:

    | 292 PPP Access Concentrator 90064060300098-rback14.sntcca

    As for that UDP packet to port 137; the SS4100, and the SS5100B are
    actually built by Siemens as routers; they are configured in firmware for
    SBC as "single device routers", so they don't work the same way as the
    generic Siemens products. The generic router would use NetBIOS to find the
    device names of the computers on the LAN. If your D-Link router is logging
    those, you can ignore those log entries.

    The main thing is, configure Zone Alarm Pro to trust IP address
    192.168.0.1. Also, if your mode is set to "PPP on the modem, use private IP
    address", you should set 192.168.1.64 as a trusted IP address in Zone Alarm
    Pro. From the same "Technician Readout" page linked above:

    | 121 DHCP Start IP Address 192.168.1.64
    | 122 DHCP End IP Address 192.168.1.64
    | 123 DHCP Default Gateway 192.168.0.1
    | 124 DHCP Default Lease Time 000 days 00:10:00
    | 125 Domain name domain_not_set.invalid

    BTW, with those UDP probes to port 147, and a computer connected directly
    to the modem, an ipconfig -all command would show:

    Host Name: %ComputerName%.domain_not_set.invalid

    If your D-Link router has a place to enter a domain name on the setup page,
    and you put "sbcglobal.net" in that field, you would see:

    Host Name: %ComputerName%.sbcglobal.net

    ...when you run ipconfig -all.

    Here is mine:

    |
    | Windows IP Configuration
    |
    | Host Name . . . . . . . . . : MEGUMI.aosake.net
    | DNS Servers . . . . . . . . : 192.168.0.1
    | Node Type . . . . . . . . . : Broadcast
    | NetBIOS Scope ID. . . . . . :
    | IP Routing Enabled. . . . . : No
    | WINS Proxy Enabled. . . . . : No
    | NetBIOS Resolution Uses DNS : No
    |
    | Ethernet adapter :
     
    N. Miller, Oct 12, 2005
    #2
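The reply above reads two kinds of firewall log line (Kerio Personal Firewall entries and Netgear FR114P syslog entries relayed through Kiwi) and argues that what ZoneAlarm calls "attacks" are DNS answers from the modem and its NetBIOS name lookups. The script below is an added example, not code from the thread or from any firewall vendor; it parses the two line shapes quoted in the reply and applies that reasoning mechanically. It assumes, as the thread does, that the modem at 192.168.0.1 is both the LAN gateway and the resolver handed out by DHCP; the sample lines are constructed, modelled on the ones pasted above, plus two made-up FR114P lines (a DNS answer to MadDog's PC and an unrelated scan from a documentation-range address) that the thread does not contain.

```python
"""Triage personal-firewall log lines of the kinds quoted in the thread.

Added example; it is not code from the thread or from any firewall vendor.
It recognises two line shapes modelled on the ones N. Miller pasted:
  - Kerio Personal Firewall: "Rule '...': Blocked: Out UDP, localhost:1141->(null) [192.168.0.1:53], Owner: ..."
  - Netgear FR114P syslog:   "... UDP packet - Source:192.168.0.1,137 ,WAN - Destination:192.168.1.64,137 ,LAN [Forward] - ..."
and labels each event using the reasoning from the reply: UDP from the
configured resolver's port 53 to an ephemeral port is a DNS answer, and
UDP 137->137 from the modem is its NetBIOS name lookup of LAN hosts.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumptions (from the thread): the modem at 192.168.0.1 is both the
# LAN gateway and the DNS forwarder the PC has been handed by DHCP.
GATEWAY = "192.168.0.1"
TRUSTED_RESOLVERS = {GATEWAY}
EPHEMERAL_MIN = 1024          # Windows XP hands out client ports 1024-5000

KPF_RE = re.compile(
    r"Rule '(?P<rule>[^']+)': (?P<action>\w+): (?P<dir>In|Out) (?P<proto>\w+), "
    r"localhost:(?P<lport>\d+)->\S+ \[(?P<rip>[\d.]+):(?P<rport>\d+)\]"
)
FR114P_RE = re.compile(
    r"(?P<proto>UDP|TCP) packet - Source:(?P<src>[\d.]+),(?P<sport>\d+) ,(?P<sif>\w+) - "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) ,(?P<dif>\w+) \[(?P<action>\w+)\]"
)


@dataclass
class Event:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    action: str
    inbound: bool  # True when the packet came toward the host/LAN


def parse(line: str) -> Optional[Event]:
    """Turn one KPF or FR114P log line into an Event; None if neither shape matches."""
    m = KPF_RE.search(line)
    if m:
        lport, rip, rport = int(m["lport"]), m["rip"], int(m["rport"])
        if m["dir"] == "In":
            return Event(m["proto"], rip, rport, "localhost", lport, m["action"], True)
        return Event(m["proto"], "localhost", lport, rip, rport, m["action"], False)
    m = FR114P_RE.search(line)
    if m:
        return Event(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                     m["action"], m["sif"] == "WAN")
    return None


def classify(ev: Event) -> str:
    """Label an event as expected modem traffic or something worth a look."""
    if ev.proto != "UDP":
        return "review"
    if ev.src in TRUSTED_RESOLVERS and ev.sport == 53 and ev.dport >= EPHEMERAL_MIN:
        return "dns-reply"       # the resolver answering a query this host sent
    if ev.dst in TRUSTED_RESOLVERS and ev.dport == 53:
        return "dns-query"       # the host (here a blocked AVG updater) asking the resolver
    if ev.src == GATEWAY and ev.sport == 137 and ev.dport == 137:
        return "netbios-ns"      # modem firmware looking up LAN host names
    return "review"


def triage(lines) -> dict:
    """Count labels over a batch of lines; lines in neither format count as 'unparsed'."""
    counts: dict = {}
    for line in lines:
        ev = parse(line)
        label = classify(ev) if ev else "unparsed"
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample input, modelled on the lines quoted in the thread, plus two
# made-up FR114P lines: a DNS answer to MadDog's PC and an unrelated scan from a
# documentation-range address (203.0.113.7) that should fall out as 'review'.
SAMPLE = [
    r"2005-08-24 21:52:05 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, "
    r"localhost:1141->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE",
    "2005-10-07 05:36:58 Local7.Warning 192.168.102.1 (FR114P-2c-f2-3a) UDP packet - Source:192.168.0.1,137 ,WAN"
    " - Destination:192.168.1.64,137 ,LAN [Forward] - [Inbound Rule(2) match]",
    "2005-10-12 09:00:00 Local7.Warning 192.168.102.1 (FR114P-2c-f2-3a) UDP packet - Source:192.168.0.1,53 ,WAN"
    " - Destination:192.168.10.100,1203 ,LAN [Drop] - [Inbound Default rule match]",
    "2005-10-12 09:00:01 Local7.Warning 192.168.102.1 (FR114P-2c-f2-3a) UDP packet - Source:203.0.113.7,6000 ,WAN"
    " - Destination:192.168.10.100,137 ,LAN [Drop] - [Inbound Default rule match]",
]

if __name__ == "__main__":
    for line in SAMPLE:
        ev = parse(line)
        print(classify(ev) if ev else "unparsed", "|", line[:90])
    print(triage(SAMPLE))
```

The labels are about packet shape only: a stateless check like this cannot confirm that the host really sent the query a "dns-reply" answers, which is why a personal firewall that does not match replies to outstanding queries logs them as probes in the first place. Note also that trusting 192.168.0.1 wholesale, as the reply recommends, silences everything the modem sends, including its NetBIOS lookups; if the firewall supports it, a narrower rule allowing only UDP from 192.168.0.1 port 53 covers the DNS case without that side effect. The fourth sample line shows why the source matters: port-137 traffic from an Internet address is exactly the kind of thing that should still be reviewed.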

  3. N. Miller (Guest)

    Duh-oh. S/B "port 137"...
     
    N. Miller, Oct 12, 2005
    #3
  4. Norman,

    Thanks for the reply. I added 192.168.0.1 and 192.168.1.64 to ZAP's
    trusted IP address list. So far, I haven't seen any "probes".

    MD

    MadDog, Oct 13, 2005
    #4
  5. N. Miller (Guest), replying to MadDog

    Any time. Not particularly germane to what you experienced, but an
    interesting anecdote for the SS5100B/SS4100 user. My SS4100 is configured
    with "PPP on the modem, use public IP address". For some reason, SBC
    decided on their own to send a technician to work on our NID. My mother
    told me about when it happened; I found the exact time (as accurate as NTP
    servers can get it) in my logs. The tech disconnected the premises for some
    testing. That stopped the PPPoE session. When the router sought to renew
    the IP address lease, with no DSL sync, the modem issued its default DHCP
    IP address to the router; for about thirty minutes my router had
    192.168.1.64 on the WAN port, and no Internet connection. It would have
    been noticeable had anyone been using the computer at that time.
     
    N. Miller, Oct 13, 2005
    #5
