Security Basics mailing list archives

RE: Massive port probs on 3123


From: "Dominick.S" <dsardina () si rr com>
Date: Thu, 12 Jun 2003 23:13:46 -0400

Thanks to all who replied.

I guess I was over paranoid.

Regards,

DS-


-----Original Message-----
From: Malte von dem Hagen [mailto:DocValde () gmx de] 
Sent: Thursday, June 12, 2003 9:17 PM
To: Dominick.S
Cc: security-basics () securityfocus com
Subject: Re: Massive port probs on 3123


Hello Dominick.S,
on Friday, 13 June 2003 at 01:03:59 you wrote:

Hey List:

Need ya help please....

I'm being attacked on port 3123 as you can see on my "Incoming" router
log.

<kind of a snippet of a log file>

You THINK you are being attacked, but you think wrong.


So I pick out one of the IPs and email the hostmaster about the
attack, and this is his reply below. ..  ..

Hello,
   These 'attacks' are you running KaZaA. This IP is your KaZaA
supernode.

Here, he is possibly wrong.


Please learn how to use and understand your firewall.

Here, he is obviously right.


I DON'T RUN KAZAA!!!
WHY IS HE SAYING THIS CRAP!

do

not

shout

at

this

list

okay?



and desktops have Firewalls.

Personal Firewalls are crap. Throw away any personal firewall. Personal
Firewalls are bad[tm].


Kazaa is nowhere
installed!! AND... that isn't the right port for a supernode
anyway!!!

AFAIK the ports can be adjusted manually, can't they? However - this is not
important.


This is the letter I sent him..before his shitty reply.

Your reaction here is quite "shitty". His reply is just a little bit...
errrr... "half informed", I think.


I'm getting very angry over here, what should I do?

Understand the Internet. I'll explain this below...


The port is blocked @ the firewall. What else should I do??

Now the explanation:

1. It may be that someone who had your IP address (you are getting dynamic IP
addresses, aren't you?) had something (a KaZaA supernode or whatever)
running on that port. Some of his former clients still try to connect to him
- but he is offline, you have "his" old IP. So now you get these requests.

2. ANY request at what-port-ever is _totally_ irrelevant and can safely be
ignored, if you are not running any application listening on that port. Why?
Because, even if your "firewall" would not block these attempts, what would
happen? NOTHING. Your computer would reject these connection attempts, the
"attacker" would get to know that (now he obviously doesn't, because of a
shitty firewall configuration - some firewalls DROP packets instead of
rejecting them, as it should be) and you would never ever again hear anything
from this "attacker".

3. As you can see from 2., your firewall only causes trouble regarding this
topic. Why? Because you do not seem to understand deeply, what it does, what
it says and how IP works.

==> After all, what else should you do?
==> Calm down, relax and ignore these logfile entries, warnings or
==> whatever.

Btw., you did not mention some _important_ facts:

- operating system of the router
- which firewall you are using
- operating system of the "target" system

Hope that helps, regards,

Malte.
-- 
Malte von dem Hagen

DocValde () gmx de
http://www.docvalde.net/
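
Point 2 of the reply above, as an added example that is not part of the original message: it classifies a TCP connection attempt the way the connecting peer sees it, and shows on loopback that a port with no listener answers with an immediate refusal rather than silence. The function names `connect_outcome` and `demo` are hypothetical, and the scenario is constructed on 127.0.0.1 with an ephemeral port.

```python
import socket


def connect_outcome(host, port, timeout=1.0):
    """Classify one TCP connection attempt as the connecting peer sees it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"        # a listener completed the handshake
        except ConnectionRefusedError:
            return "rejected"    # no listener: the TCP stack answered with RST
        except socket.timeout:
            return "no answer"   # nothing came back, e.g. a DROP rule in the path
        except OSError:
            return "unreachable"  # e.g. an ICMP unreachable from a REJECT rule


def demo():
    """Constructed loopback scenario: same port with and without a listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0 lets the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    with_listener = connect_outcome("127.0.0.1", port)

    # The application goes away, as in the "previous owner of the IP" case:
    listener.close()
    without_listener = connect_outcome("127.0.0.1", port)

    return with_listener, without_listener


if __name__ == "__main__":
    before, after = demo()
    print("listener running :", before)
    print("listener stopped :", after)
```
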

