
Thread: Something odd from my ISP

  1. #1
    Junior Member
    Join Date
    Aug 2001
    Posts
    3

    Something odd from my ISP

    Hi All

    I thought this might be a good venue to get this question answered:

    I run ZoneAlarm on my PC, and connect to my ISP via dial-up. Over the last two weeks I have been getting the following alert from ZoneAlarm: The firewall has blocked routed traffic from xxx.xxx.xxx.xxx to 224.0.0.13 (IP Protocol 103).

    The source IP belongs to my ISP and the destination IP - who knows, if memory serves it's a "D" class IP address. Source and destination ports are both 0.

    I ran Tiny Personal Firewall a few nights ago and that triggered a similar report except TPF didn't classify it as "routed traffic" and just as an "incoming connection".

    I passed this onto my ISP and they stated that the source IP was the DNS server which was sending SNMP broadcasts over the network and that I should just set my firewall to ignore the traffic because it is a (dramatic pause) trusted IP.

    Now, seeing as I have had no experience with SNMP broadcasts I would not know what one looks like, but I have never heard of DNS using SNMP. Also if it was SNMP wouldn't ZoneAlarm ID it as SNMP?

    Opinions anybody?

    Snafu

  2. #2
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    There are two things I can think of:

    SNMP discovery broadcasts:

    - An SNMP broadcast packet by definition is sent to all the computers in your subnet. There are some reports about SNMP discovery broadcasts caused by misconfigured HP JetDirect Print Server software on some home networks. This type of packet should not be considered dangerous and can be safely ignored.
    This of course doesn't explain why the requests are coming from your ISP (unless he's running misconfigured Print Software).

    So here's:
    False DNS spoofs:

    - Those alerts could be false DNS spoofs:

    A Domain Name Server (DNS) is a machine that your computer contacts when you surf the Internet.
    Firewall software sometimes generates warnings of UDP port probes originating from DNS servers. This is due to latency with requests to the DN servers or responses from those servers. When your computer connects to a DNS, a reply should come back immediately. There may be a delay on that server, though (caused by congestion). DN servers will also frequently request a refreshed copy of specific domain name information from a 'more authoritative server'. The time from the initial request through the final response can sometimes be longer than your firewall expects. The firewall program then may think the reply is coming from a new "hostile" address rather than the original "trusted" address.
    This might explain your problem (not the SNMP part - I haven't heard of DNS using SNMP either).
    Someone else?

  3. #3
    Junior Member
    Join Date
    Aug 2001
    Posts
    3
    Tx for the feedback Negative

    Just another question..if memory serves DNS uses Port 53, not so?

    The traffic in question used Port 0 for both source and destination (according to TPF) - I don't think I mentioned this in my original posting.

    Also, another thing occurs to me - SNMP requires an agent on the receiving machine. If we assume that no home users are likely to be running SNMP, why would you broadcast SNMP to them (if in fact it is SNMP)?

    snafu

  4. #4
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424


    Just another question..if memory serves DNS uses Port 53, not so?
    Yups, 53 both TCP and UDP.

    The traffic in question used Port 0 for both source and destination (according to TPF)
    That's the part I don't get. I thought SNMP (or TFTP) was on port 161. All I know on port 0 is that it is a reserved port.

    Also, another thing occurs to me - SNMP requires an agent on the receiving machine. If we assume that no home users are likely to be running SNMP, why would you broadcast SNMP to them (if in fact it is SNMP)?
    Lots of routers, hubs and bridges are equipped with SNMP.
    Maybe your ISP is just managing his network, but I don't know why you are involved...
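
    Added example, not from the thread or from any of the posters: a small Python decoder for the kind of alert described in post #1, which also answers the port-0 question raised in posts #3 and #4. Two facts from the IANA registries are used: IP protocol number 103 is PIM (Protocol Independent Multicast), and 224.0.0.13 is the ALL-PIM-ROUTERS group inside the 224.0.0.0/24 local network control block, whose packets are meant to stay on the local link. PIM rides directly on IP rather than on TCP or UDP, so there are no port numbers in the packet at all, which is why ZoneAlarm and TPF both print 0/0. An SNMP query, for contrast, is UDP to port 161 (traps go to 162). The packet bytes, the 192.0.2.x addresses (RFC 5737 documentation space standing in for the ISP router and the home PC), and the helper names are all constructed for this example.

```python
"""Decode an IPv4 header and say what a firewall alert like the one above really is.

Added example (not from the original thread). The sample packets are constructed:
192.0.2.x addresses are RFC 5737 documentation space, not the poster's ISP.
"""
import ipaddress
import struct

# Subset of the IANA "Assigned Internet Protocol Numbers" registry.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE", 89: "OSPF", 103: "PIM"}

# Well-known groups in the 224.0.0.0/24 local network control block (IANA multicast registry).
LOCAL_CONTROL_GROUPS = {
    "224.0.0.1": "ALL-SYSTEMS",
    "224.0.0.2": "ALL-ROUTERS",
    "224.0.0.5": "OSPF-ALL-ROUTERS",
    "224.0.0.9": "RIP2-ROUTERS",
    "224.0.0.13": "ALL-PIM-ROUTERS",
}

# UDP services mentioned in the thread.
UDP_SERVICES = {53: "DNS", 161: "SNMP", 162: "SNMP-trap"}

MULTICAST = ipaddress.ip_network("224.0.0.0/4")       # the old "class D" range
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")  # routers do not forward these off the link

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when run over a header whose checksum is filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto, src, dst, payload=b"", ttl=1):
    """Minimal 20-byte IPv4 header (no options) plus payload, with the checksum filled in."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def classify(packet):
    """Return the facts a firewall alert leaves out: protocol name, multicast group, ports (if any)."""
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or invalid IPv4 header")
    dst_addr = ipaddress.IPv4Address(dst)
    info = {
        "protocol": IP_PROTOCOLS.get(proto, "proto-%d" % proto),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(dst_addr),
        "ttl": ttl,
        "is_multicast": dst_addr in MULTICAST,
        "link_local_control": dst_addr in LOCAL_CONTROL,
        "multicast_group": LOCAL_CONTROL_GROUPS.get(str(dst_addr)),
        "ports": None,       # stays None for anything that is not TCP or UDP
        "service": None,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }
    if proto in (6, 17):  # only TCP and UDP carry port numbers
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        info["ports"] = (sport, dport)
        if proto == 17:
            info["service"] = UDP_SERVICES.get(dport) or UDP_SERVICES.get(sport)
    return info


def explain(packet):
    """One-line verdict in the style of the alert, but naming what the numbers mean."""
    info = classify(packet)
    if info["ports"] is None:
        where = "carries no ports (not TCP/UDP), so a firewall shows 0/0"
    else:
        where = "ports %d -> %d (%s)" % (info["ports"] + (info["service"] or "unknown",))
    group = info["multicast_group"] or ("multicast" if info["is_multicast"] else "unicast")
    return "%s from %s to %s [%s]; %s" % (info["protocol"], info["src"], info["dst"], group, where)


# Constructed to match the alert in post #1: IP protocol 103 to 224.0.0.13, TTL 1 as on the local link.
# Payload is a PIMv2 header with type 0 (Hello); its own checksum is left zero, only the IP layer is decoded.
PIM_PACKET = build_ipv4(103, "192.0.2.1", "224.0.0.13", payload=bytes([0x20, 0x00, 0x00, 0x00]))

# Constructed for contrast: an SNMP query is UDP to port 161 (8-byte UDP header, SNMP body omitted).
SNMP_PACKET = build_ipv4(17, "192.0.2.1", "192.0.2.200", payload=struct.pack("!HHHH", 1024, 161, 8, 0), ttl=64)

if __name__ == "__main__":
    print(explain(PIM_PACKET))
    print(explain(SNMP_PACKET))
```

    Run it and the first line reads "PIM from 192.0.2.1 to 224.0.0.13 [ALL-PIM-ROUTERS]; carries no ports ...", the second "UDP ... ports 1024 -> 161 (SNMP)". The useful check for a practitioner is the `link_local_control` flag: a 224.0.0.0/24 packet should never have been forwarded past the ISP's access router, so seeing it on a dial-up line says more about how the ISP's router is configured than about anything being probed.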

  5. #5
    Junior Member
    Join Date
    Aug 2001
    Posts
    4
    Seniores... Snafu and Negative,

    I'm not an expert but a noble servant and have to report that port 0 is used for inter-router traffic and NA translation. If "properly" mis-used a hacker could be trying to bypass a firewall like this (probably the one your ISP is using Snafu) and scan the PCs connected to your ISP (cfr: here)
    that should explain why the packet resembles an SNMP packet. (The person who scans probably thinks he'll get the most data back with an SNMP query.)
    The answer for you Snafu is probably to block the traffic you get on this port...

  6. #6
    Junior Member
    Join Date
    Aug 2001
    Posts
    3
    Thanks kaikcul

    I had a look at the reference URL included in your post. Don't worry, I wasn't planning to allow the traffic through..but at the same time I am looking to have enough evidence to rip the ISP a new one...arrogant SOB that they are....

    If there's any more gen you have on this subject I would be most appreciative...
    in the meantime I am going to do some information gathering of my own...

    Thanks

    Snafu
