Results 1 to 3 of 3

Thread: IDS/Firewalls: how to detect traffic which is NOT an attack

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207

    IDS/Firewalls: how to detect traffic which is NOT an attack

    Dear All,

    I've noticed there are loads of people, typically windows users, who have installed <insert name of firewall/IDS here> on their box and immediately reported something which they think is an attack: Examples:

    1. Help, I've just installed a packet monitor, and I'm being bombarded with tons of TCP packets from port 80 to high port numbers, are they trying to hack ing?

    -- NO, no-one is trying to hack in, that is your web pages downloading!

    2. Help, I'm seeing loads of attacks from port 53 all from my ISP's DNS server - are they trying to hack me?

    - No, these are DNS replies.

    3. I've installed <insert name of windows p2p warez sharing program here> and I'm seeing loads of connections to/from my machine all over the place and in netstat etc...

    - Yes, that's what these things do. They're really good at screwing up attempts at making a good IDS configuration because in IP terms, they are extremely promiscuous, connecting to/from anything on any port number they feel like. Also some of them send strange ICMP.

    p2p is the enemy of IDS, it creates noise.

    There are of course a lot of other situations where newbies see incoming packets and immediately assume they are attacks.

    Most incoming packets will be responses to outgoing ones. These are of course safe and if you block them, you won't be very happy.

    PLEASE CHECK before reporting something as an attack, that it isn't legitimiate incoming responses.

    If you have p2p running, shut it off for several hours beforehand, if the incoming packets continue, MAYBE then you have an attack

    Turn off IM software, auto-update on any virus scanners etc you run and anything else that generates traffic.

    If you use p2p, it is extremely likely that your machine has been invaded by some ad-ware which they usually ship with. Disable this too if you can as it will generate traffic.

    If after turning everything off, you still see attacks, then you might actually be getting attacked.

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Would like to add an additional thing to a good post, if you ask about it here, please provide a SANITIZED log entry or a capture of what traffic you are asking about (With source/destination ports/ip). By SANITIZED, I mean replace all IP's with either an a.b.c.d or a private address. Otherwise it is pretty difficult to give anything other than a guess when responding to your question (i.e., What are all these connections?).

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    To perhaps simplify a little more when you go say and check your usenet n/g's your port monitoring s/w will show you an ephemeral port belonging to you going out to port 119 on
    your news server. This is normal and expected. Your stack generates a random ephemeral
    port to deal with the request. The news server is offering nntp which is of course on port 119.
    The same when you boot up your browser another ephemeral port of yours going to port 80
    on the web server.
    The only time you should see ephemeral to ephemeral is when using P2P as mentioned above.
    Anything beyond the above should twig your interest. Also packets directed at privileged ports
    on your machine, assuming you are not running any services ie: web server, ftp, and so on.
    Hope this helps clarify things further.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •