Plausible reasons for http access?


Thread: Plausible reasons for http access? (started by Dubious Dude, 12-09-2006)
Posted by warf on December 13, 2006, 7:45 pm
Moe Trin wrote:

> On Wed, 13 Dec 2006, in the Usenet newsgroup comp.security.misc, in article
>
>
>>Thank you for the pointer. I looked up the following:
>>
>>1. RFC3330: http://www.rfc-zone.org/rfc3330.html
>
>
> RFCs can be found in hundreds of mirror sites on the Internet. I no
snip the good stuff.....
ISP (and thence to the world) on a second port. Note that a port
> may or may not _physically_ exist. An example of an imaginary port is the
> loopback address (127.0.0.1) used by a computer when it is talking to
> itself.
>
> Old guy

Hi O'G.
I take back my humorous post to the guy wanting to foil his
teenager...maybe only feet not lightyears ahead.
Seriously though, this thread elucidates the futility of the average
[over 20] enduser in trying to 'protect' themselves by having access to
port traffic information. I to am too plagued 2...by the deception of
firewall vendors deluging us with logs of the attacks they thwarted on
our behalf s. I have never ever ever had a single abuse admin reply to
my "why is a netbios attack[scan] originating from your network...?"
query. It is probably because his killfile is set to gobble every email
of that type and send me to email obscurity for even suggesting it is a
real threat....as he watches the soaps.

I have read that most logged requests are simply misdirected or
background internet packets....true?

NOW the MEAT of this thread for all us plebs trying to get a leg
over..."how do we sort out the malicious from the mundane?

Do I freak when I see so&so from China running thru all ports from
135-139 three times in a row? do I wonder why PCanywhere is trying to
connect to me from RU?
Or do I just watch blissfully the blinking lights on my Dlink wireless
router [hardwire connection] and trust my ZA2007intsuite to give me as
much protection as is humanly possible under $100 and still be able to
hassle guys like you on these NGs?.......with my unworthy requests????
and saggy underwear?
Oldguy 2...miffed again [at myself now]

Posted by Sebastian Gottschalk on December 13, 2006, 9:04 pm
warf wrote:

> Or do I just watch blissfully the blinking lights on my Dlink wireless
> router [hardwire connection] and trust my ZA2007intsuite to give me as
> much protection as is humanly possible under $100 and still be able to
> hassle guys like you on these NGs?

OK, why do you think your ZA gives you any protection? Even more protection
than not fucking up your computer with such a crappy piece of software?

Heck, Windows box here doesn't run any such crap, which is perfectly
humanly possible for exactly $0, and ZA would make it insecure in first
place!

Posted by Leythos on December 13, 2006, 9:28 pm
> warf wrote:
>
> > Or do I just watch blissfully the blinking lights on my Dlink wireless
> > router [hardwire connection] and trust my ZA2007intsuite to give me as
> > much protection as is humanly possible under $100 and still be able to
> > hassle guys like you on these NGs?
>
> OK, why do you think your ZA gives you any protection?

I would guess he thinks it works because he's seen it block connections,
like thousands of others.

--

spam999free@rrohio.com
remove 999 in order to email me

Posted by Moe Trin on December 13, 2006, 10:34 pm
On Thu, 14 Dec 2006 in the Usenet newsgroup comp.security.misc, in article

>This thread elucidates the futility of the average [over 20] enduser in
>trying to 'protect' themselves by having access to port traffic
>information.

Watch the context. The word port has several meanings, which is why I
wrote:

]Yes - port (in this context) means 'interface', or connection point that
]allows access to/from "a" network. We also call them "hoses" or "pipes",

whereas 'port' in the context you are using (port numbers), more equates
to room numbers in a hotel or office building, or telephone extension
numbers. These are places to connect to where you will find something
specific - perhaps a web server, perhaps a file server, maybe even 'Room
Service' - I dunno.

>I to am too plagued 2...by the deception of firewall vendors deluging us
>with logs of the attacks they thwarted on our behalf s.

On my home firewall, I normally have _ALL_ logging off. I'm not using
windoze, so my firewall also does not mail self-congratulatory messages
to everyone on the LAN.

>I have never ever ever had a single abuse admin reply to my "why is a
>netbios attack[scan] originating from your network...?" query.

NetBIOS is a protocol meant for local use within a windoze workgroup.
As microsoft designed the protocol (actually, its non-routable
predecessor NetBEUI) for the 10-20 PC office, and not the Internet at
large, this stuff should be blocked at the perimeter. Two of my ISPs
(I have 4) block this at the dialin terminal server, while the other
doesn't (neither does my broadband provider). The problem is as I
alluded to in my reply in the "evesdropping a computer how is it possible,
how can it be prevented ?" thread. Windoze enables crap by default on
the off-chance that you'll find it useful. If you want to share your
hard drive, and your printer with the world - bingo, no extra work on
your part. This may not be the best idea that ever came down the pike,
but they feel that "ease of operation" is more important than security.

As for ignoring reports of a netbios scan, the majority will ignore
this. They feel that you have some responsibility to not be accepting
those connections in the first place. If you block the connection (or
better yet, don't run a server on that port) then the scan is futile.
Another problem is that the majority of such abuse reports don't have
the details needed to show that they need to document to do something
to the owner of the "attacking" computer. I'd suspect that most
"attacks" are coming from computers that have successfully been
attacked - perhaps a chain of A controls B which controls C, which
controls D which is "attacking" E.

>It is probably because his killfile is set to gobble every email of that
>type and send me to email obscurity for even suggesting it is a real
>threat....as he watches the soaps.

Lessee, you're posting from an 'eastlink.ca' cable address. _Most_
residential broadband providers (especially in North America) like to
pretend to be "common carrier" which is a US term meaning someone who
provides transportation service - in this case, transporting packets.
They claim that's all they do, and they are not responsible for the
_content_ of those packets. Other providers around the world have
adopted a similar concept of "we're only delivering connectivity",
because it's less of a hassle than policing their turf, inspecting
the content of those packets, and so on. Yes, they're supposed to
pay attention to abuse complaints, but kicking off customers isn't
the way to make money. That's why we (in the business) use firewalls
to block access to our systems from large parts of the world.

>I have read that most logged requests are simply misdirected or
>background internet packets....true?

Depends. Those originating from (crude measure) your ISP - your network
neighborhood may well be. Those originating from halfway around the
world are probably worms, zombies, or the inevitable skript kiddiez.

>NOW the MEAT of this thread for all us plebs trying to get a leg
>over..."how do we sort out the malicious from the mundane?

To a large extent - you don't. You mention using XP - windoze sorta
copied a UNIX command called 'netstat' which is used to see what stuff
is open/active on your network interface. For XP, try 'netstat /ano'
and see what's open. I'm not using windoze, but what I see using the
original command is

[compton ~]$ netstat -atun
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
[compton ~]$

there is exactly one service "open" on this box (SSH or "Secure Shell").
What happens if I try to connect to some other port?

[compton ~]$ telnet localhost 139
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[compton ~]$

Nothing there. Nothing running means nothing to exploit. If I wanted to
have this box directly on the Internet (it's one of six boxes on the
home LAN, behind a firewall that is also NATing), I wouldn't need a
firewall application, because there is nothing (except SSH which is
only accepting connections from seven specific computers) open. If
someone tries to connect, they get the same "Connection refused" as
shown above.

>Do I freak when I see so&so from China running thru all ports from
>135-139 three times in a row?

The three times in a row is the way IP works when there is no response.
If there were a "FOAD" response, a normal computer would give up upon
receiving that response. But this is just someone trying to see if
you'd like to share your hard drive.

>do I wonder why PCanywhere is trying to connect to me from RU?

Are people still using that?

>Or do I just watch blissfully the blinking lights on my Dlink wireless
>router [hardwire connection]

OK - stop it right there. If someone tries to connect to port 80 on your
eastlink IP address, what "answers". (I haven't had a single system
setup in decades - if you connect to my broadband address, which of the
six computers should respond? Seeing as how I'm not offering services
to the world, the "new" connection isn't forwarded, but is blocked at
the router.)

>and trust my ZA2007intsuite to give me as much protection as is humanly
>possible under $100

---------------------
Their main use is telling the ones who use it that some host in Korea or
Kenya attempted to connect to a trojan that they don't have installed.
---------------------

Use 'netstat' and see what is open on your computer. Do you have some
need for that to be open? If not, disable that service (don't ask me
how, I got rid of windoze in 1992 before they discovered networking).
Did that "break" something you are using? No; then you didn't need it.
Yes; then re-enable it, and try blocking it at the router. Your
computer will run faster if it isn't running a service, and also running
a firewall of some sorts to block access to that service.

Then look at your router - and see that it isn't forwarding stuff you
don't need. If your router can't forward the request, it sends back
that same "Connection refused" message. No way in == no worries for you.

>and still be able to hassle guys like you on these NGs?.......with my
>unworthy requests???? and saggy underwear?

Can't do a thing for the saggy underwear. For the requests, I can answer
networking stuff, but not the windoze end of things.

>Oldguy 2...miffed again [at myself now]

One of the problems with computers connected to the Internet is that
many (most) people don't want to learn anything about them. They expect
to turn them on (hopefully they can find the power switch), and things
will just work - not too sure what they are, but they'll work. It doesn't
work that way. Someone else wrote:

-------------------
Congratulations. You've just figured out that they lied to you
when they told you even an untrained monkey on crack can use a
computer. Yes, there's a lot to learn
-------------------

Old guy
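Moe Trin's advice above boils down to two checks: list what is listening on your own box, and confirm that anything you don't need answers "Connection refused". The following Python script is an added example, not code from the thread or from any of the posters. It parses constructed `netstat -atun` style output (the Linux column layout shown above), reports which exposed listeners fall outside an allowlist of services you deliberately run, always questions the Windows NetBIOS/SMB ports, and offers a `port_answers()` helper that does the same thing as `telnet localhost 139`. The sample output, the allowlist and the port set are assumptions made for the illustration.

```python
"""Audit listening sockets from `netstat -atun` style output.

Added example, not from the thread. The sample text below is constructed;
on a real box feed it `subprocess.run(["netstat", "-atun"], ...)` output
(or `netstat -ano` on Windows, after adapting the column regex).
"""
import re
import socket
from dataclasses import dataclass

# Ports Windows file/printer sharing exposes by default. Per the thread,
# these should never be reachable from the Internet, needed or not.
NETBIOS_PORTS = {135, 137, 138, 139, 445}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


# Constructed sample: one SSH listener (as on "compton"), a CUPS listener
# bound to loopback only, an established SSH session, and the sort of
# extra services a default Windows install would show.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:51234       ESTABLISHED
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# proto, recv-q, send-q, local addr:port, foreign addr:port, optional state
_LINE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+:\S+(?:\s+(\S+))?"
)


def parse_listeners(text):
    """Return the sockets that are waiting for incoming traffic.

    A TCP socket counts only in state LISTEN; UDP has no state column
    (netstat -a shows every bound UDP socket), so every UDP line counts.
    """
    found = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        found.append(Listener(proto, addr, int(port)))
    return found


def exposed(listeners):
    """Listeners bound to a wildcard or real interface address, i.e. ones
    the network can reach, as opposed to loopback-only services."""
    return [l for l in listeners if not l.addr.startswith("127.")]


def audit(listeners, allowed):
    """Split exposed listeners into expected and questionable ones.

    `allowed` is a set of (proto, port) pairs you run on purpose.
    NetBIOS/SMB ports are flagged even when allowlisted.
    Returns (ok, unexpected).
    """
    ok, unexpected = [], []
    for l in exposed(listeners):
        key = (l.proto.rstrip("6"), l.port)
        if key in allowed and l.port not in NETBIOS_PORTS:
            ok.append(l)
        else:
            unexpected.append(l)
    return ok, unexpected


def port_answers(port, host="127.0.0.1", timeout=1.0):
    """Same check as `telnet localhost <port>`: True if something accepts
    the connection, False on 'Connection refused' (nothing listening)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_NETSTAT)
    good, bad = audit(listeners, allowed={("tcp", 22), ("udp", 68)})
    for l in good:
        print(f"expected  {l.proto}/{l.port} on {l.addr}")
    for l in bad:
        print(f"QUESTION  {l.proto}/{l.port} on {l.addr}: needed? "
              "if not, disable the service or block it at the router")
```

Run as-is it works through the constructed sample; to audit a real host, replace `SAMPLE_NETSTAT` with live netstat output and put the services you actually want reachable in the allowlist. Anything left in the "QUESTION" list is exactly what Moe Trin suggests disabling and then checking whether something broke.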

Posted by warf on December 14, 2006, 1:24 pm
Moe Trin wrote:

> On Thu, 14 Dec 2006 in the Usenet newsgroup comp.security.misc, in article
.
> wrote:
snip some important but voluminous and onerous content...to free up your
time while helping me..
> Lessee, you're posting from an 'eastlink.ca' cable address. _Most_
> residential broadband providers (especially in North America) like to
> pretend to be "common carrier" which is a US term meaning someone who
> provides transportation service - in this case, transporting packets.
> They claim that's all they do, and they are not responsible for the
> _content_ of those packets. Other providers around the world have
> adopted a similar concept of "we're only delivering connectivity",
> because it's less of a hassle than policing their turf, inspecting
> the content of those packets, and so on. Yes, they're supposed to
> pay attention to abuse complaints, but kicking off customers isn't
> the way to make money. That's why we (in the business) use firewalls
> to block access to our systems from large parts of the world.

You are very helpful and a valuable asset to persons like me trying to
gain some sense of awareness.
RE providers, mine in particular: Just today I noticed a FireWall rule
had been created on my behalf [thanks, I think?] ....it passed a UDP
packet to Level-3...which WHOIS->wiki says is the premier i-net backbone
carrier in...the world.

you did say you are able to restrict your system from 'parts of the
world...but if i am compromised then you are as well....by redirection
so to speak.

....snip some other useful text.
For XP, try 'netstat /ano'
> and see what's open....snip for brevity.. they get the same "Connection
refused" as
> shown above.

Actually, ZA, Spybot S&D and Adaware provide me with those functions and
that is how I became aware of LSPs and the convoluted path from
executable to DLL to [fill in the blanks] to internet packet can
be....and I wept voluminously! [How can i learn fast enough to even keep
up with the changes in protocol, never mind the tactics? hence my
intrusion on this group....and maybe so others can learn and thereby
thwart hijacking and cloaking]

F-EG:[vide supra] SVCHOST is running 6 instances of itself, each
instance has about 20 different open modules. Many instances have
different open 'ports' numbered anything but 80,110,25. Most all are
'listening' meaning awaiting incoming requests to connect right?
As you said [vide infra] if they are denied connection nothing happens.
My ports are supposed to be masked by the firewall. I wonder though if
Spybots utility has failed to differentiate a proxy port and an actual
open ethernet-internet port and is telling me I have "open ports" but no
tcp/ip packets are acknowledged unless specifically allowed? {Easy
now...I said I am a pleab..}

snip...
>>do I wonder why PCanywhere is trying to connect to me from RU?

> Are people still using that?

My FW log says they are...kids or oldfarts I s'pose.

>Or do I just watch blissfully the blinking lights on my Dlink wireless
>>router [hardwire connection]
>
> OK - stop it right there.
>If someone tries to connect to port 80 on your
> eastlink IP address, what "answers". (I haven't had a single system
> setup in decades - if you connect to my broadband address, which of the
> six computers should respond? Seeing as how I'm not offering services
> to the world, the "new" connection isn't forwarded, but is blocked at
> the router.)

AHHH...ok??? Even though the 'watch the lights blinking was metaphoric
for "pick my nose in bliss and scratch my festering arse" I think I see
what you are saying. If I am not offering a service there is no
connection to be had? BUT, the 'service' may be offered by a trojan and
you may be saying...find out what answers when i call?? Can I call
myself on my own line, so to speak?

I do in fact have a Dlink router using hardwire to the cable modem and
cable to the e-net adapter on my laptop....do those open ports mean they
are simply forwarded to the router if no IP is associated with the open
port number? The modem, the card and the cable modem have an IP address
AND i have the internal 127.0.0.1 circuit too....no?

snip...
> One of the problems with computers connected to the Internet is that
> many (most) people don't want to learn anything about them. snip..
>
> Old guy

Thanks, I still reiterate...again and unabatedly, I feel that by the
time I get caught up It [I] will be outdated....I was a wiz at W95 [or
so I thought] about the time W2000SP3 was desiccated wannabe [g].
Defeated but optimistically....miffed.
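Moe Trin's explanation of the "three times in a row" (a normal TCP stack retransmits its connection request when nothing answers) and warf's mention of his firewall log suggest a simple triage that a log viewer could do for you. The script below is an added example, not code from the thread or from any firewall product. It parses a constructed, simplified drop-log format (timestamp, protocol, source, destination:port), groups entries by source, and separates a single retried connection attempt from a sweep across several ports, noting NetBIOS targets and whether the source sits in the same /24 as your own address, which Moe Trin uses as a crude "network neighborhood" test. The log lines, the address `198.51.100.20` and the thresholds are assumptions made for the illustration; adapt the regex to your router's actual export format.

```python
"""Triage dropped-inbound firewall log lines: retries vs. sweeps.

Added example, not from the thread. Log format, addresses and thresholds
are constructed for the illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

MY_ADDR = "198.51.100.20"  # constructed: the public address the router holds
NETBIOS_PORTS = {135, 136, 137, 138, 139, 445}

# Constructed sample: one host retrying port 139 three times (the initial
# SYN plus retransmits a few seconds apart, as a stack does when it gets no
# answer), one host walking 135-139, and a one-off from our own /24.
SAMPLE_LOG = """\
2006-12-13 19:45:01 DROP TCP 203.0.113.7 -> 198.51.100.20:139
2006-12-13 19:45:04 DROP TCP 203.0.113.7 -> 198.51.100.20:139
2006-12-13 19:45:10 DROP TCP 203.0.113.7 -> 198.51.100.20:139
2006-12-13 19:46:00 DROP TCP 192.0.2.99 -> 198.51.100.20:135
2006-12-13 19:46:00 DROP TCP 192.0.2.99 -> 198.51.100.20:136
2006-12-13 19:46:00 DROP TCP 192.0.2.99 -> 198.51.100.20:137
2006-12-13 19:46:01 DROP TCP 192.0.2.99 -> 198.51.100.20:138
2006-12-13 19:46:01 DROP TCP 192.0.2.99 -> 198.51.100.20:139
2006-12-13 19:50:30 DROP UDP 198.51.100.77 -> 198.51.100.20:1026
"""

_LINE = re.compile(
    r"^(\S+ \S+) DROP (TCP|UDP) (\d+\.\d+\.\d+\.\d+) -> \d+\.\d+\.\d+\.\d+:(\d+)$"
)


def parse_log(text):
    """Return (timestamp, proto, src, dst_port) tuples; unknown lines skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts, proto, src, port = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       proto, src, int(port)))
    return events


def triage(events, my_addr=MY_ADDR, retry_window_s=30):
    """Classify each source address.

    verdict: "retries"  - one port, 2-4 attempts inside retry_window_s,
                          i.e. one connection attempt and its retransmits
             "sweep"    - four or more distinct destination ports
             "single"   - anything else (typically a lone probe)
    netbios:  any target port in the Windows sharing set
    neighbor: source is in the same /24 as our own address
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    neighborhood = ipaddress.ip_network(f"{my_addr}/24", strict=False)

    report = {}
    for src, evs in by_src.items():
        evs.sort()
        ports = {p for _, _, _, p in evs}
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        if len(ports) >= 4:
            verdict = "sweep"
        elif len(ports) == 1 and 2 <= len(evs) <= 4 and span <= retry_window_s:
            verdict = "retries"
        else:
            verdict = "single"
        report[src] = {
            "verdict": verdict,
            "ports": sorted(ports),
            "netbios": bool(ports & NETBIOS_PORTS),
            "neighbor": ipaddress.ip_address(src) in neighborhood,
        }
    return report


if __name__ == "__main__":
    for src, info in triage(parse_log(SAMPLE_LOG)).items():
        tags = []
        if info["netbios"]:
            tags.append("netbios/SMB target, should be blocked at the perimeter")
        if info["neighbor"]:
            tags.append("same /24 as us, likely ISP background noise")
        print(f"{src:15} {info['verdict']:8} ports={info['ports']} "
              + ("; ".join(tags)))
```

The point of the classification is the one Moe Trin makes: since the router dropped all of these, none of them got anywhere, and the "three in a row" from a single source to a single port is one attempt, not three. What is worth a second look is a sweep or anything that lines up with a service you do expose.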
