ISP linked DNS server is port scanning.

Discussion in 'other firewalls' started by Ocky, Mar 24, 2007.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I am getting these port scans maybe every couple of hours each day. The log entry is from Comodo Pro. Unfortunately I am not sure why there should be a scan from my primary DNS server. I was advised to contact my ISP (Telkom) about this, but from past experience I know that this would be fruitless.
    My computer is clean. Scans with NOD32, SAS, AVG AS, a2 and RkUnhooker show no infections. Router is Netgear. Using Proxomitron localhost.
    Any ideas ?

    Date/Time: 2007-03-24 12:12:02
    Severity: High
    Reporter: Network Monitor
    Description: UDP Port Scan
    Attacker: 196.25.1.11
    Ports: 9733, 61700, 62468, 63236, 64004, 64772, 65284, 261, 517, 1029, 1285, 1797, 2309, 3077, 3845, 4357, 5125, 5637, 5893, 6405, 6661, 7173, 7685, 8453, 9221, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
    The attacker has been temporarily blocked

    And the Whois:

    % This is the AfriNIC Whois server.

    % Note: this output has been filtered.

    % Information related to '196.25.1.0 - 196.25.1.255'

    inetnum: 196.25.1.0 - 196.25.1.255
    netname: IPNET-SRV
    descr: Telkom SA Limited
    descr: Integrated Network Planning
    descr: Private Bag X74
    descr: Pretoria
    descr: Gauteng
    descr: 0001
    country: ZA
    admin-c: MST95-AFRINIC
    tech-c: JDU24-AFRINIC
    tech-c: PB455-AFRINIC
    status: ASSIGNED PA
    remarks: noc e-mail: <nnoc@saix.net>, phone: +27-12-680-0224
    remarks: abuse e-mail: <abuse@saix.net>, phone: +27-12-680-7561
    mnt-by: TELKOM-SA-IPNET-MNT
    source: AFRINIC # Filtered
    parent: 196.25.0.0 - 196.25.255.255

    person: Markus Stoltz
    address: Integrated Network Planning
    address: Private Bag X74
    address: Pretoria
    address: Gauteng
    address: 0001
    address: ZA
    phone: +27 12 680 7816
    e-mail: stoltzmr@telkom.co.za
    nic-hdl: MST95-AFRINIC
    source: AFRINIC # Filtered

    .....Snipped the rest.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I think this may be a problem/bug with Comodo, see this post.
    I don't know if the issue was looked into by Comodo?
     
  3. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Many thanks Stem. I did see that post and quite a few others re. the same/similar topic on Comodo forums. So, nothing to worry about? - your reassurance will guarantee a good night's sleep for me! :D
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Ocky,
    As these reported scans are from your ISP,.... Personally, I would be more worried about the fact my DNS servers were being blocked.
     
  5. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Meaning what exactly Stem - that the servers are themselves compromised? :eek:
    As the scans are being blocked, I suppose I can still count on a good night's sleep. :p
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No, the fact that Comodo was blocking my DNS servers.
    Are they scans? Or late DNS replies? Or just a problem with Comodo?

    Out of interest, who told you to contact your ISP about this?
     
  7. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I posted on the Comodo forum. See here, and scroll down:-
    http://forums.comodo.com/index.php?PHPSESSID=11eeac89e171205e6c267a7a9f54ce18&topic=7376.0
    I appreciate your interest - hopefully one can track the scans to either a problem with Comodo or something like delayed DNS replies as you mentioned.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I will try and find time later tonight, or tomorrow, to set up to see if I can find a possible cause/explanation for this.
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    A slow DNS server can result in false alerts since late responses may be misinterpreted as new incoming connection attempts. The best way to check this is to review the outgoing traffic logs to see if your PC had previously made outgoing DNS connections where the local ports correspond with the ports listed on the alert.

    I'd ordinarily pass this off as an overly-sensitive firewall but the port listing in the alert seems a little odd (for late replies, I'd expect a list showing increasing values in the 1024-5000 range, though if you're running Vista this apparently has changed). The repeated 0's seem particularly odd and could well be a symptom of a bug.
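One way to carry out the check Paranoid2000 describes, as an added example that is not from the thread or from Comodo: it correlates the alert's port list with the local source ports of the PC's recent outbound DNS queries to the same server, counts the zero entries separately, and flags ports outside the 1024-5000 range XP uses for its ephemeral ports. The outbound log lines, their format and the shortened alert are constructed for the example, not real Comodo output.

```python
import re
from datetime import datetime, timedelta

# Constructed outbound-traffic log (not real Comodo output): the PC's DNS queries
# to 196.25.1.11 and the local source port each one used. The first is too old to matter.
OUTBOUND_LOG = """\
2007-03-24 11:50:00 OUT UDP 192.168.0.2:9733 -> 196.25.1.11:53
2007-03-24 12:11:58 OUT UDP 192.168.0.2:1029 -> 196.25.1.11:53
2007-03-24 12:11:59 OUT UDP 192.168.0.2:1285 -> 196.25.1.11:53
2007-03-24 12:12:00 OUT UDP 192.168.0.2:1797 -> 196.25.1.11:53
2007-03-24 12:12:01 OUT UDP 192.168.0.2:3077 -> 196.25.1.11:53
"""
# Shortened copy of the alert from the first post, keeping its run-together field layout.
ALERT = ("Date/Time :2007-03-24 12:12:02Severity :High Reporter :Network Monitor "
         "Description: UDP Port ScanAttacker: 196.25.1.11 "
         "Ports: 9733, 61700, 1029, 1285, 1797, 3077, 0, 0, 0 "
         "The attacker has been temporarily blocked")
TS_FMT = "%Y-%m-%d %H:%M:%S"
TS_RE = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
OUT_RE = re.compile(r"^" + TS_RE + r" OUT UDP \S+:(\d+) -> ([\d.]+):53$")

def parse_alert(text):
    """Return (time, attacker IP, port list) from a Comodo-style scan alert."""
    when = datetime.strptime(re.search(r"Date/Time\s*:\s*" + TS_RE, text).group(1), TS_FMT)
    attacker = re.search(r"Attacker:\s*([\d.]+)", text).group(1)
    ports = [int(p) for p in re.search(r"Ports:\s*([\d, ]+)", text).group(1).split(",")]
    return when, attacker, ports

def classify(alert_text, outbound_log, window=timedelta(seconds=30)):
    """Split the alert's ports into late replies, unexplained ports and bogus zeros."""
    when, attacker, ports = parse_alert(alert_text)
    recent = set()  # source ports of queries sent to the 'attacker' shortly before the alert
    for line in outbound_log.splitlines():
        m = OUT_RE.match(line)
        if m and m.group(3) == attacker and when - window <= datetime.strptime(m.group(1), TS_FMT) <= when:
            recent.add(int(m.group(2)))
    result = {"late_reply": [], "unexplained": [], "bogus_zero": 0}
    for p in ports:
        if p == 0:
            result["bogus_zero"] += 1   # nothing is ever sent from port 0: a logging defect
        elif p in recent:
            result["late_reply"].append(p)  # a reply to a query we sent, not a scan
        else:
            result["unexplained"].append(p)
    return result

def outside_xp_ephemeral(ports):
    """Non-zero ports a late reply to an XP client should not use (XP picks 1024-5000)."""
    return [p for p in ports if p != 0 and not 1024 <= p <= 5000]
```

With the sample data, the four ports matching recent queries are late replies, 9733 and 61700 are unexplained (9733 was used far too long before the alert), and the three zeros are counted as bogus.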
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Ocky,

    I have installed version 2.4.18.184.
    From my quick test, up to now the "alerts" shown have been correct. Any late/unauthorized UDP would show as either "Inbound policy violation" or "DDOS attack (UDP Flood)" ~ (depending on the amount of packets and your settings within Comodo). UDP scans are recognised.

    The only error I have seen (up to now) is the port list shown in the scan alert (log), as this is incorrect (so ignore the list of ports scanned).

    I will have another look tomorrow (when I have more time).
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This does look like a bug. Any scans I make give a list similar to the one posted (even though I did not scan port 0)
     
  12. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Thank you Paranoid, and Stem for taking the time to run some tests. My log alert level is set to low, and the only other alerts I have noticed are ICMP outbound policy violations from my LAN router port to either the primary or secondary DNS server. There are no inbound policy violations or flood attacks thus ruling out late responses as mentioned by Stem.

    So the UDP port scans by the DNS server are normal and only the list of ports scanned is suspect, maybe due to a Comodo bug?

    Regards.
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No, not normal.

    Interesting. You are on a LAN? More info on your setup please.
     
  14. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Some info. Windows XP SP2 Home. Netgear DG834v3 Firewall ADSL router. One port connected to my ethernet card, one port connected to a Netgear wireless access point for wife's laptop (downstairs). No network, no file/printer sharing, netbios over TCP/IP disabled. RPC locator disabled.
    Seconfig XP settings (for home) applied as shown. Must reiterate that both computers are clean and working tip-top. Things are starting to get confusing for a near novice like me :) What other info would be pertinent to the Comodo logging conundrum ?
     

  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Ocky,

    Any external scans, be it from an online test site, your ISP or wherever outside your LAN would be intercepted (made against) your router. So your PC firewall should not see these (if they are made)

    Go to Shields UP and perform an online scan. Then check comodo logs to see if the scans are passing the router.
     
  16. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Stem, I went to Shields Up - my firewall did not see the scans. Passed, see below:

    GRC Port Authority Report created on UTC: 2007-03-25 at 12:57:13

    Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
    1056 Ports Stealth
    ---------------------
    1056 Ports Tested

    ALL PORTS tested were found to be: STEALTH.

    TruStealth: PASSED - ALL tested ports were STEALTH,
    - NO unsolicited packets were received,
    - NO Ping reply (ICMP Echo) was received.


    EDIT: My PC Firewall did not see the scans ( as it should be)
     
    Last edited: Mar 25, 2007
  17. bigkatt74

    bigkatt74 Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    11
    Location:
    Illinois
    Have you tried using alternate DNS servers such as OpenDNS or TreeWalk? This might help you narrow down your problem by determining if the problem is indeed with your firewall or your ISP's DNS servers. Try using OpenDNS first by adding their server addresses to your router. Then reboot everything.

    http://www.opendns.com/start/at_home.php


    I use TreeWalk DNS (free program) to do my lookups (I have no router) and it uses about 6MB of ram on my system. If you decide to try it, here are some tips for this program.

    1. You need to allow full bi-directional access (both client and server rights) to the "Named.exe" process and the "Dig.exe" process when your firewall alerts you. You should still test "all stealth" when running a port scan.

    2. You need to update your root hints from ICANN (this is very easy to do). Just click start, all programs, treewalk, config, and then update from ICANN.

    3. If this program does not work for you and you uninstall it, you need to stop the local DNS service first. Just go to treewalk in the all programs menu (same steps as above) and stop the service before you uninstall.

    http://ntcanuck.com/index.htm

    This is something to try and may help you track down the problem......good luck.
     
    Last edited: Mar 25, 2007
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Ocky,

    Good to hear.
    If you were the only user of Comodo to report this, then I would have maybe thought for you to have your router checked, but as you are not,... I would think this is a bug in Comodo.
     
  19. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Stem, many thanks again. I suppose the decent thing to do would be for me to refer Comodo to this thread, unless there are other avenues still to be explored? Also, I have a spare router, Netgear DG834 (not v3), and there is no difference in Comodo logging those ubiquitous DNS server UDP scans.
    BTW. What is your opinion on bigkatt74's suggestion (post #17 above)?

    @bigkatt74
    New to me, but interesting, especially OpenDNS which looks/is easy peasy to set up. Would appreciate Stem's comment on it.
    PS. Your security setup is practically identical to mine. Only difference is I use Opera and don't use TreeWalk DNS.

    Regards.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Ocky,
    I don't think it is a problem with your DNS servers (they would not be able to scan past the router).
    What you could try is to place a fixed IP into your PC, then set the DNS server as the router. You could also disable the DNS client in Windows.

    As for DNS alternatives, I have never looked into this (never a need), but I certainly prefer not to install a program with server rights to make DNS lookups.
     
  21. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    OK, Stem. At least I now have some idea, but please one last question. Do you mean the DNS client service in mmc ?

    Regards and thanks. :thumb:
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, the DNS service.
     