A few more SUSPICIOUS entries!!

  1. #1
    Member
    Join Date
    May 2002
    Posts
    54

    Now that I have turned off the logging of all dropped TCP/UDP/ICMP events on my real firewall, I turned on some others... and now this is what I see:

    06/10/2003 16:10:10.704 Denied UDP packet from LAN 192.168.168.155, 1107, LAN 192.168.168.1, 1900, LAN
    06/10/2003 16:08:55.704 Denied UDP packet from LAN 192.168.168.155, 1107, LAN 192.168.168.1, 1900, LAN
    06/10/2003 16:07:40.688 Denied UDP packet from LAN 192.168.168.155, 1107, LAN 192.168.168.1, 1900, LAN
    06/10/2003 16:06:52.800 VPN TCP SYN 192.168.168.135, 35584 10.0.0.162, 53513
    06/10/2003 16:06:25.672 Denied UDP packet from LAN 192.168.168.155, 1107, LAN 192.168.168.1, 1900, LAN
    06/10/2003 16:05:10.656 Denied UDP packet from LAN 192.168.168.155, 1107, LAN 192.168.168.1, 1900, LAN
    06/10/2003 16:03:55.640 Denied UDP packet from LAN 192.168.168.155, 1107, LAN 192.168.168.1, 1900, LAN

    two (2) questions:

    What is with the denied UDP from within my LAN?

    What is up with that VPN entry?

    and now my follow-up question:

    Should I be concerned?

    Humbly,
    refarcratS

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    115
    I'm going to take a shot here, but it may be a broadcast of sorts. You might want to run Ethereal to see what's on your network or what types of protocol might be floating. The second question sounds a little tricky since it's a connection from outside. What is the brand of your firewall/router?

    -w0rm3y

  3. #3
    Member
    Join Date
    Feb 2003
    Posts
    35
    The UDP traffic can most likely be attributed to some annoying features in Windows XP. Check the links below. If you have any XP or ME boxes on your LAN, then those entries will be a result of MSN Messenger.

    http://is-it-true.org/nt/xp/registry/rtips18.shtml
    http://support.microsoft.com/default...;en-us;Q323713

    Don't know about the second entry for the VPN session. Isn't 10.x.x.x a Class A private address range? Will routers on the Internet even route that traffic? I've seen strange entries from a box on my LAN before trying to reach a 10.x.x.x address. Couldn't figure out what it was, so I re-installed the box. Why not visit the offending box on your LAN, or set up a sniffer like tcpdump and monitor it for a little bit?

  4. #4
    Member
    Join Date
    May 2002
    Posts
    54
    Good Morning,

    I am running a VPN. I guess it's just traffic related to that. I don't know.

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    tolstoy - you are correct. 10.0.0.0/8 is the private IP address range for Class A networks. According to the IANA and RFC 1918 those private ranges are not to be routed to the Internet and can only be used internally.

    From RFC 1918:

    Because private addresses have no global meaning, routing information about private networks shall not be propagated on inter-enterprise links, and packets with private source or destination addresses should not be forwarded across such links. Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks. If such a router receives such information the rejection shall not be treated as a routing protocol error.

    Indirect references to such addresses should be contained within the enterprise. Prominent examples of such references are DNS Resource Records and other information referring to internal private addresses. In particular, Internet service providers should take measures to prevent such leakage.
    You can find that RFC here

    and the IANA can be found at http://www.iana.org


    BTW, every now and then the IANA servers will send me out-of-compliance UDP packets. They come in spurts and don't last long. I just find it funny that the IANA is sending me bad packets.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
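The two checks the replies above boil down to, parsing the firewall's own log format, naming the well-known UDP port that keeps being denied (post #3), and testing both ends of each flow against the RFC 1918 private ranges (post #5), can be scripted so the same questions get answered every time the log is reviewed. The following is an added example, not code from any poster or from the firewall vendor; the log lines it parses are the entries quoted in the thread, re-typed here as constructed sample input, and the line regex is an assumption based only on the shape of those lines (a different firewall will need its own pattern). It also measures the gap between repeats of the same flow, which is the practical way to tell a service retrying on a timer from a person at a keyboard.

```python
import ipaddress
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the entries quoted in the thread, re-typed for the parser.
SAMPLE_LOG = """\
06/10/2003 16:10:10.704 Denied UDP packet from LAN 192.168.168.155, 1107, LAN 192.168.168.1, 1900, LAN
06/10/2003 16:08:55.704 Denied UDP packet from LAN 192.168.168.155, 1107, LAN 192.168.168.1, 1900, LAN
06/10/2003 16:07:40.688 Denied UDP packet from LAN 192.168.168.155, 1107, LAN 192.168.168.1, 1900, LAN
06/10/2003 16:06:52.800 VPN TCP SYN 192.168.168.135, 35584 10.0.0.162, 53513
06/10/2003 16:06:25.672 Denied UDP packet from LAN 192.168.168.155, 1107, LAN 192.168.168.1, 1900, LAN
06/10/2003 16:05:10.656 Denied UDP packet from LAN 192.168.168.155, 1107, LAN 192.168.168.1, 1900, LAN
06/10/2003 16:03:55.640 Denied UDP packet from LAN 192.168.168.155, 1107, LAN 192.168.168.1, 1900, LAN
"""

# The three RFC 1918 private ranges cited in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# 1900/udp is the IANA-registered SSDP port (UPnP device discovery).
KNOWN_PORTS = {("UDP", 1900): "SSDP (UPnP discovery)"}

# Assumed line shape: "<date> <time> <event text> <src>, <sport>[,] [<zone> ]<dst>, <dport>..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} [\d:.]+) (?P<event>.*?)"
    r"(?P<src>\d+(?:\.\d+){3}), (?P<sport>\d+),? (?:\w+ )?"
    r"(?P<dst>\d+(?:\.\d+){3}), (?P<dport>\d+)"
)


@dataclass
class Entry:
    ts: datetime
    action: str      # "denied" or "other"
    proto: str       # "UDP", "TCP", "ICMP" or "?"
    src: str
    sport: int
    dst: str
    dport: int
    raw_event: str


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the assumed shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.group("event").strip()
    proto_m = re.search(r"\b(TCP|UDP|ICMP)\b", event)
    return Entry(
        ts=datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S.%f"),
        action="denied" if event.lower().startswith("denied") else "other",
        proto=proto_m.group(1) if proto_m else "?",
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        raw_event=event,
    )


def parse_log(text: str) -> list:
    """Parse all lines and return them oldest first (the firewall lists newest first)."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(entries, key=lambda e: e.ts)


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(e: Entry) -> dict:
    """Annotate one entry with the two checks discussed in the thread."""
    return {
        "service": KNOWN_PORTS.get((e.proto, e.dport), "unregistered/ephemeral"),
        "src_private": is_rfc1918(e.src),
        "dst_private": is_rfc1918(e.dst),
        "lan_to_lan": is_rfc1918(e.src) and is_rfc1918(e.dst),
    }


def flow_summary(entries) -> dict:
    """Repeat count per (src, dst, proto, dport) and the median gap between repeats.
    A steady gap points at a service on a timer rather than an interactive user."""
    by_flow = defaultdict(list)
    for e in entries:
        by_flow[(e.src, e.dst, e.proto, e.dport)].append(e.ts)
    out = {}
    for flow, stamps in by_flow.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        out[flow] = {"count": len(stamps),
                     "median_gap_s": statistics.median(gaps) if gaps else None}
    return out


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for flow, info in flow_summary(log).items():
        sample = next(e for e in log if (e.src, e.dst, e.proto, e.dport) == flow)
        print(flow, info, classify(sample))
```

On the thread's lines this reports the denied flow as six repeats of LAN-to-LAN UDP/1900 (SSDP) about 75 seconds apart, and the VPN entry as a single TCP SYN whose destination 10.0.0.162 is inside RFC 1918 space, which is the fact post #5 relies on: that address is only reachable through the VPN tunnel or not at all, so the owner of that tunnel is who can say what sits there.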

  6. #6
    Member
    Join Date
    Feb 2003
    Posts
    35
    Originally posted here by retfarcratS
    Good Morning,

    I am running a VPN. I guess it's just traffic related to that. I don't know.
    Are you familiar with what boxes or services sit at those IP addresses? Like running an IDS, monitoring firewall logs sometimes forces you to become very familiar with your LAN traffic patterns.
