Re: Odd UDP ports blocked
- From: "Tom Smith" <tsmith@xxxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 13 Sep 2001 18:19:52 +1000
Gamers? This is an office of CPA accountants with no time
allowed to have a life. Then, I had to a put a block on Gator
last week, when I noticed that with 4 users it was already
consuming over 12% of web traffic, spying on us at that.
With no sand or gravel available, the crushed coral mixed
in concrete and asphalt makes wet streets like black ice
on this, as well as other tropical islands.
Despite the recent tragedies, life on Guam goes on. When
I passed Club Texas (http://www.clubtexas.com/) on my way
to work this morning at 5:10 AM, one of the girls was already
out front on Marine Drive working 'overtime'. Must be why
they built the new Federal Courthouse right across the street ;-)
Hafa
----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 13, 2001 3:23 PM
Subject: [isalist] Re: Odd UDP ports blocked
> http://www.ISAserver.org
>
>
> You've got some interesting entries, all right! I wonder how many gamers
> are behind your ISA?
> Very often, you'll find that the outgoing UDP 137 entries are because the
> ISA is trying to reverse-resolve that IP using NetBIOS queries because all
> real name resolution has failed.
> The "64.4.13.213" IP address is MSIM-related, so look forward to seeing
lots
> of those entries.
> The "216.33.72.165" IP is definitely Exodus-related, but no one is
resolving
> beyond that.
>
> BTW, say "hi" to Guam for me; my family and I spent 3 1/2 years there.
Are
> the streets still snot-slick after the rains?
>
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "Tom Smith" <tsmith@xxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, September 12, 2001 8:36 PM
> Subject: [isalist] Re: Odd UDP ports blocked
>
>
> http://www.ISAserver.org
>
>
> I see a generous amount of port 137 attempts, often from unreachable or
> private
> addresses. These are some log entries that leave me puzzed.
>
> We have a back-to-back ISA, private-addressed DMZ, and the following
entries
> continually cycle through UDP ports over a period of serveral days on the
> 'South' ISA server .. did I miss something in the configuration?
>
> 9/12/2001, 8:12:11, NorthISA, SouthISA, Udp, 15888, 44145, -, BLOCKED,
> SouthISA,
> 9/12/2001, 8:12:24, NorthISA, SouthISA, Udp, 15901, 44155, -, BLOCKED,
> SouthISA,
>
> 9/13/2001, 10:51:13, NorthISA, SouthISA, Udp, 43172, 61896, -, BLOCKED,
> SouthISA,
> 9/13/2001, 10:51:13, NorthISA, SouthISA, Udp, 43176, 61900, -, BLOCKED,
> SouthISA,
> 9/13/2001, 10:51:17, NorthISA, SouthISA, Udp, 43174, 61899, -, BLOCKED,
> SouthISA,
> 9/13/2001, 10:51:17, NorthISA, SouthISA, Udp, 43179, 61904, -, BLOCKED,
> SouthISA,
>
> Also puzzling (to me) are outgoing 137 requests .. why does Windows even
> attempt
> connections like this (registered to Hotmail & Exodus, not found in DNS )?
>
> 9/13/2001, 11:02:07, SouthISA, 64.4.13.213, Udp, 1025, 137, -, BLOCKED,
> SouthISA,
>
> 9/13/2001, 12:26:59, SouthISA, 216.33.72.165, Udp, 1025, 137, -, BLOCKED,
> SouthISA,
>
> Tom on Guam
>
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, September 13, 2001 11:17 AM
> Subject: [isalist] Re: Odd UDP ports blocked
>
>
> > http://www.ISAserver.org
> >
> >
> > Easy;
> > The guy who's just misconfigured will eventually go away.
> > The jerk who's trying to hurt you will keep trying.
> > The script kiddie will act the same as the misconfigured dude.
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
>
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
tsmith@xxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
Other related posts:
