Mailinglist Archive: opensuse (2629 mails)

Re: [SLE] Network security
  • From: bernie@xxxxxxxxxxxxxxxxxxxxxxx (bernie@xxxxxxxxxxxxxxxxxxxxxxx)
  • Date: Fri, 26 May 2000 23:37:43 +0800 (WST)
  • Message-id: <200005261537.XAA04219@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>



Don Hansford tapped away at the keyboard with:

> Bill Moseley wrote:

> > Anyone know what people are trying when they try to connect to port 137?
>
> I may be wrong (wouldn't be the first time) but quite a lot of these
> so-called "probes" that firewalls report, are simply your ISP doing a
> form of 'ping' to see if your network (or dialup) connection is still
> active. In this day & age of bandwidth shortages, it is in the ISPs'
> interest to kill your connection (if he uses NT), or 'renice' it (with
> Unix) to free up a few kbps.

I would think it rather silly of an ISP to do that because the LQM
is there to do that anyway.

They have no business doing that on "my" firewalls anyway; they are
24x7 connects.

If in doubt; report to the source ISP.

[Just had another (ab)user's connection pulled.]

And yes; I can confirm an attack attempt as follows:
(destination address concealed!)

May 26 03:19:20 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=51198 F=0x0000 T=110 (#76)
May 26 03:19:21 rocky kernel: Packet log: input DENY ppp0 PROTO=17 169.254.84.219:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=52478 F=0x0000 T=110 (#76)
May 26 03:19:21 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=52734 F=0x0000 T=110 (#76)
May 26 03:19:23 rocky kernel: Packet log: input DENY ppp0 PROTO=17 169.254.84.219:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=54270 F=0x0000 T=110 (#76)
May 26 03:19:23 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=54526 F=0x0000 T=110 (#76)

Note the use of two addresses from different sources at the same time.
And the connection source port!

I cannot get consistent traceroutes on those source addresses at the
moment - the 206.230.103.21 disappears at apx-1.portsmouth.zoomnet.net
(206.230.102.17)

No success at all with 169.254.84.21 which seems to wind up looping
at 203.166.7.141.


--
Bernd Felsche - Innovative Reckoning
Perth, Western Australia

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@xxxxxxxx
For additional commands send e-mail to suse-linux-e-help@xxxxxxxx
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
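The five log lines quoted in the message are ipchains "Packet log:" entries from a Linux 2.2 kernel firewall (L= total length, S= TOS, I= IP id, F= fragment field, T= TTL, "(#76)" the matching rule number). The following Python script is an added example, not code from the original post or its author: it parses those lines (embedded below as constructed sample input, with the destination masked exactly as the author masked it), keeps the UDP 137->137 NetBIOS name-service probes, reports the seconds in which more than one source address hit the host (the "two addresses at the same time" the author points out), and flags any source in 169.254.0.0/16. That range is link-local (RFC 3927, what Windows calls APIPA) and is never routed on the public Internet, so a packet with such a source arriving on a dial-up interface is either forged or leaked by a misconfigured gateway, and a traceroute to it cannot succeed. Function and field names are the example's own.

```python
"""Parse ipchains "Packet log:" lines and flag the pattern discussed in the
message: UDP 137->137 probes, several sources within one second, and
link-local (169.254/16) source addresses that should never reach a
public interface."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample input: the five lines quoted in the message, with the
# destination masked as the original author masked it (mmm.59.nnn.zzz).
SAMPLE_LOG = """\
May 26 03:19:20 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=51198 F=0x0000 T=110 (#76)
May 26 03:19:21 rocky kernel: Packet log: input DENY ppp0 PROTO=17 169.254.84.219:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=52478 F=0x0000 T=110 (#76)
May 26 03:19:21 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=52734 F=0x0000 T=110 (#76)
May 26 03:19:23 rocky kernel: Packet log: input DENY ppp0 PROTO=17 169.254.84.219:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=54270 F=0x0000 T=110 (#76)
May 26 03:19:23 rocky kernel: Packet log: input DENY ppp0 PROTO=17 206.230.103.21:137 mmm.59.nnn.zzz:137 L=78 S=0x00 I=54526 F=0x0000 T=110 (#76)
"""

# ipchains 2.2 packet-log layout: chain verdict iface PROTO=n src:sport dst:dport
# L=len S=tos I=ipid F=frag T=ttl (#rule). Addresses are matched loosely so a
# masked destination like mmm.59.nnn.zzz still parses.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-f]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9a-f]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

LINK_LOCAL = ip_network("169.254.0.0/16")   # RFC 3927, never routed publicly
UDP = 17
NBNS_PORT = 137                              # NetBIOS name service


def parse_line(line):
    """Return a dict for one packet-log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_link_local(addr):
    """True for 169.254.0.0/16; masked or unparsable addresses give False."""
    try:
        return ip_address(addr) in LINK_LOCAL
    except ValueError:
        return False


def netbios_probes(records):
    """UDP datagrams from port 137 to port 137: the signature in the message."""
    return [r for r in records
            if r["proto"] == UDP and r["sport"] == NBNS_PORT and r["dport"] == NBNS_PORT]


def sources_per_second(records):
    """Map each log timestamp to the set of source addresses seen in it."""
    by_second = defaultdict(set)
    for r in records:
        by_second[r["ts"]].add(r["src"])
    return dict(by_second)


def analyse(text):
    """Summarise a log excerpt the way the message's author reads it."""
    records = parse_log(text)
    probes = netbios_probes(records)
    per_second = sources_per_second(probes)
    return {
        "total_lines": len(records),
        "nbns_probes": len(probes),
        "distinct_sources": sorted({r["src"] for r in probes}),
        # seconds in which more than one source hit the host at once
        "bursts": sorted(ts for ts, srcs in per_second.items() if len(srcs) > 1),
        # sources that cannot legitimately appear on a public interface
        "link_local_sources": sorted({r["src"] for r in probes if is_link_local(r["src"])}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the sample the script reports two distinct sources, two seconds (03:19:21 and 03:19:23) in which both appear, and 169.254.84.219 as a link-local source. For a defender the useful outcome is the abuse report the author describes: the routable source (206.230.103.21) and its ISP are worth reporting; the link-local one is not a traceroute target at all, which is consistent with the author's failure to trace it.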

