Re: Odd UDP ports blocked

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 12 Sep 2001 17:31:56 -0700

Yes, you could do that, but why?  You'd miss the log entries that help
justify getting some of these jerks shut down.
I'll take legal records over "clean logs" any day.

Jim Harrison
MCP(2K), A+, Network+, PCG


----- Original Message -----
From: "Peter J. Persing" <Peter@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, September 12, 2001 17:22
Subject: [isalist] Re: Odd UDP ports blocked


http://www.ISAserver.org


Well, I'll take your word for it. I was of the understanding that if you
disabled NetBIOS over TCP/IP that those packets would be dropped by the
interface, and would not get the opportunity to be identified by
anything this side of the protocol stack.

So, I will query you a query! If you enable allow packet filters for udp
137 and 138 then it sounds to me like these two errors should disappear
from the dropped packet log, but since NetBIOS over TCP/IP is disabled
on the external interface, no communication could possibly take place.
Therefore you have eliminated the NetBIOS exposure, and are also keeping
the log file cleaner by eliminating the logging of the dropped packet
activity. Is that correct???

Pete

On the Blackfoot River in the great state of Montana




-----Original Message-----
From: Jay J. Mobley [mailto:jmobley@xxxxxxxxxx]
Sent: Wednesday, September 12, 2001 5:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Odd UDP ports blocked


Just because a port is not configured to have a daemon listening on it,
I believe a host still reads that packet.
In this case the packet was read, compared to filtering rules, and sent
to dev/null. Had there not been a filter, there still would have been no
connection possible.
Does that help clear things up?

Jay

-----Original Message-----
From: Peter J. Persing [mailto:Peter@xxxxxxxxxxx]
Sent: Wednesday, September 12, 2001 4:20 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Odd UDP ports blocked


How did they even get through the external interface to get blocked if
the network card was configured with NetBIOS over TCP/IP disabled??


Pete

On the Blackfoot River in the great state of Montana



-----Original Message-----
From: Mark Strangways [mailto:strangconst@xxxxxxxx]
Sent: Wednesday, September 12, 2001 5:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Odd UDP ports blocked


Notice that they were blocked.
But it did get me to check though :-)

regards,
Mark

----- Original Message -----
From: Peter J. Persing <mailto:Peter@xxxxxxxxxxx>
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>
Sent: Wednesday, September 12, 2001 6:51 PM
Subject: [isalist] Re: Odd UDP ports blocked

How can UDP 137/138 (NetBIOS name service/Datagram Service) get through
if he has NetBIOS over TCP/IP turned off on the external network
interface, as he should have?

Pete

On the Blackfoot River in the great state of Montana



-----Original Message-----
From: Mark Strangways [mailto:strangconst@xxxxxxxx]
Sent: Wednesday, September 12, 2001 3:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Odd UDP ports blocked


Well, my ISP is @home. The ip in question isn't an @home based network
ID. It belongs to the netblock of linklocal, but that's about all I can
find out about it.

Regards,
Mark


----- Original Message -----
From: Jim Harrison <mailto:jim@xxxxxxxxxxxx>
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>
Sent: Wednesday, September 12, 2001 5:22 PM
Subject: [isalist] Re: Odd UDP ports blocked

Someone on your ISP side of things has a Windows 98SE or higher OS that
is using APIPA and is still trying to get an address from a DHCP server.

Jim Harrison
MCP(2K), A+, Network+, PCG



----- Original Message -----
From: Mark Strangways <mailto:strangconst@xxxxxxxx>
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>
Sent: Wednesday, September 12, 2001 13:08
Subject: [isalist] Odd UDP ports blocked

Included below is a clip from my Packet filter log. I understand that it
is NOT getting thru, but does anyone think I should be informing someone
of the attack?

Or am I just paranoid ?

Thanks in advance for your responses

Mark

2001-09-12 19:28:22 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:28:32 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:28:38 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:28:42 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:28:52 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:29:02 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:29:06 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:29:07 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:29:08 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:29:09 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219
2001-09-12 19:29:10 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219
2001-09-12 19:29:10 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219
2001-09-12 19:29:11 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219
2001-09-12 19:29:12 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219
2001-09-12 19:29:12 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219
2001-09-12 19:29:13 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219
2001-09-12 19:29:14 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219
2001-09-12 19:29:15 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:29:15 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:29:15 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:29:30 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219

2001-09-12 19:31:00 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:31:30 169.254.97.143 169.254.255.255 Udp 138 138

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
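
Added example, not part of the original thread or of ISA Server: a small triage script that separates the link-local (169.254.0.0/16) NetBIOS broadcast chatter discussed above from NetBIOS traffic aimed at a specific address, while keeping every record for the log trail. The column meanings, the function names and the 192.0.2.77 sample line are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

APIPA = ipaddress.ip_network("169.254.0.0/16")   # link-local autoconfiguration range
NETBIOS_UDP = {137: "name service", 138: "datagram service"}

# Constructed sample. Assumed column order, inferred from the log clip:
# date time source destination protocol src-port dst-port extra action interface
SAMPLE = """\
2001-09-12 19:28:22 169.254.97.143 169.254.255.255 Udp 138 138 - BLOCKED 24.43.154.219
2001-09-12 19:29:09 169.254.97.143 169.254.255.255 Udp 137 137 - BLOCKED 24.43.154.219
2001-09-12 19:29:40 192.0.2.77 24.43.154.219 Udp 1045 137 - BLOCKED 24.43.154.219
2001-09-12 19:31:30 169.254.97.143 169.254.255.255 Udp 138 138
"""

def parse(line):
    """Return a dict for one log line, or None if the record is truncated or garbled."""
    f = line.split()
    if len(f) != 10:
        return None
    try:
        return {"time": f"{f[0]} {f[1]}",
                "src": ipaddress.ip_address(f[2]),
                "dst": ipaddress.ip_address(f[3]),
                "proto": f[4].lower(), "sport": int(f[5]), "dport": int(f[6]),
                "action": f[8], "iface": f[9]}
    except ValueError:
        return None

def classify(rec):
    """Label a parsed record; nothing is discarded, only tagged."""
    if rec is None:
        return "malformed"
    netbios = rec["proto"] == "udp" and rec["dport"] in NETBIOS_UDP
    # An autoconfigured host broadcasting to its own link-local subnet
    if netbios and rec["src"] in APIPA and rec["dst"] == APIPA.broadcast_address:
        return "apipa-netbios-broadcast"
    if netbios:
        return "netbios-other"      # directed NetBIOS traffic: keep for the record
    return "other"

def triage(text):
    """Count records per label across a whole log excerpt."""
    return Counter(classify(parse(l)) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    for label, count in triage(SAMPLE).items():
        print(f"{label}: {count}")
```
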

