Firewall Log said Attack!

Discussion in 'other firewalls' started by xTiNcTion, Apr 19, 2004.

Thread Status:
Not open for further replies.
  1. xTiNcTion

    xTiNcTion Registered Member

    Joined:
    Oct 25, 2003
    Posts:
    253
    Hello,

    found this in my Kerio Log,

    "TCP ack packet attack" Blocked In TCP images-aud.osdn.com (66.35.250.123:80) -> localhost:4011 Owner: no owner


    This is another:
    Netbios Block Blocked Out UDP , localhost:137 -> 224.0.0.22:137, Owner:SYSTEM

    Netbios Block Blocked Out UDP , localhost:137 -> 239.255.255.250:137, Owner:SYSTEM

    Just installed NOD32.
    What does it mean, am I under attack?

    thank you in advance
     
  2. xTiNcTion

    xTiNcTion Registered Member

    Joined:
    Oct 25, 2003
    Posts:
    253
    Besides... one of my rulesets has changed its description.

    At the bottom of my ruleset I have one to block all outbound. Now it says in its description "Opera allow proxy" and my original Opera Allow Proxy rule has disappeared.

    The Kerio Admin area is supposed to be password protected. My password is 20+ alphanumeric + special characters in length.

    What is happening?
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You will see these types of log entries in Kerio if you have log suspicious packets enabled under the miscellaneous settings. In this case, from the log entry, it would appear to be just a late packet that was rejected by the firewall while you were browsing. The protocol TCP, source port 80 (HTTP) and the destination port 4011 being in the ephemeral range is consistent with this.

    Do you have Kerio configured to resolve addresses? If so, a failed DNS lookup can result in the OS defaulting to netbios lookup, which your firewall should block and appears yours did.

    Edit:
    Similar entry from my firewall log when doing a RDNS:
    2004/04/19, 23:20:42.270, GMT -0700, 2011, Device 3, Blocked outgoing UDP packet (no matching rule), src=192.168.5.5, dst=239.255.255.250, sport=137, dport=137

    (The IP is a multicast address, did you have any other log entries for these IPs around the same time?)

    No, hopefully the above explains what you are seeing in the logs.

    Regards,

    CrazyM
     
    Last edited: Apr 20, 2004
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    This 'attack' bs is why I really hate it when they use terms like attack when it's not anywhere close to what it is....

    An ACK packet is an ACKnowledgement packet, and the most these packets have been used for besides acknowledging that a packet was received was to try to get a response from a 'stealthed' computer. In no way is this packet an attack.

    Almost all of the packets like this are just timed out traffic, that is it. Just go into your settings, and uncheck 'log suspicious traffic'. It logs 99.9% garbage...

    I think it was part of the new team at Kerio that was idiotic enough to call something an attack; 'attack' was never used in any previous version of Tiny/Kerio.

    --

    You have netbios enabled, and are likely on a LAN based network of some kind. Those two addresses are multicast/broadcast addresses. If you're just on broadband make sure you secure your computer by disabling netbios/filesharing, and if you're on a LAN you need to separate your LAN and internet traffic with your rules.
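The two explanations given in this thread (a late HTTP reply landing on a closed ephemeral port, and NetBIOS name queries sent to multicast addresses) can be turned into a small triage script for Kerio log lines. This is an added example, not code from Kerio or from any poster; the two regular expressions are written from the three log lines quoted above, and the category names and the {80, 443} service-port set are my own assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# The three Kerio log lines quoted in this thread, used as sample input.
SAMPLE_LOG = [
    '"TCP ack packet attack" Blocked In TCP images-aud.osdn.com (66.35.250.123:80) -> localhost:4011 Owner: no owner',
    'Netbios Block Blocked Out UDP , localhost:137 -> 224.0.0.22:137, Owner:SYSTEM',
    '2004/04/19, 23:20:42.270, GMT -0700, 2011, Device 3, Blocked outgoing UDP packet (no matching rule), '
    'src=192.168.5.5, dst=239.255.255.250, sport=137, dport=137',
]
# Patterns written from those samples; other Kerio versions may format lines differently.
RULE_LINE = re.compile(
    r'^(?P<rule>"[^"]*"|.+?) Blocked (?P<dir>In|Out) (?P<proto>TCP|UDP)\s*,?\s*'
    r'(?P<src>[^\s:]+)(?::(?P<sport>\d+))?(?: \((?P<srcip>[^:)]+):(?P<sport2>\d+)\))?'
    r' -> (?P<dst>[^\s:]+):(?P<dport>\d+)')
DEBUG_LINE = re.compile(
    r'Blocked (?P<dir>\w+) (?P<proto>TCP|UDP) packet.*?src=(?P<src>[\d.]+), '
    r'dst=(?P<dst>[\d.]+), sport=(?P<sport>\d+), dport=(?P<dport>\d+)')
SERVICE_PORTS = {80, 443}  # server-side ports a browser connects to (assumption)
Entry = namedtuple("Entry", "direction proto src sport dst dport")  # direction is "In"/"Out"

def parse(line):
    """Return an Entry for either Kerio line shape, or None if the line is unrecognised."""
    m = RULE_LINE.match(line)
    if m:  # prefer the numeric IP in parentheses over the resolved hostname
        return Entry(m["dir"], m["proto"], m["srcip"] or m["src"],
                     int(m["sport"] or m["sport2"]), m["dst"], int(m["dport"]))
    m = DEBUG_LINE.search(line)
    if m:  # the thread only shows "outgoing"; anything else is treated as inbound
        direction = "Out" if m["dir"].lower().startswith("out") else "In"
        return Entry(direction, m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return None

def is_multicast_or_broadcast(host):
    try:
        return ipaddress.ip_address(host).is_multicast or host == "255.255.255.255"
    except ValueError:  # hostnames such as "localhost" are never multicast
        return False

def triage(entry):
    """Classify with the two explanations given in the thread; anything else needs a human."""
    if (entry.proto == "TCP" and entry.direction == "In"
            and entry.sport in SERVICE_PORTS and entry.dport >= 1024):
        return "stale-reply"  # late reply from a web connection this host opened, not an attack
    if (entry.proto == "UDP" and entry.direction == "Out"
            and entry.dport == 137 and is_multicast_or_broadcast(entry.dst)):
        return "netbios-lookup"  # NetBIOS name query to multicast/broadcast, correctly blocked
    return "review"
```

Anything that comes back as "review" is what is actually worth reading by hand; the other two categories are the log noise both replies above describe.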
     