Routed traffic?

Discussion in 'other firewalls' started by sir_carew, Dec 9, 2003.

Thread Status:
Not open for further replies.
  1. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    I've now Za pro with web filtering version 4.5 and all the test show my ports stealth :D
    But I'm getting extrange alerts like The firewall has blocked.... and Direction: Routed. ??.
    I've both zone, Internet and Local zone configured as High security level. I'm not using Routers, and nothing like that, I connect directly to the Internet with a cable modem connection.
    Any idea?
    Thanks.
    PS: I put a similar post in the ZA forum, but I only get 1 answer that don't solve nothing :mad:
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi sir_carew

    Do you have some log entries you could post that would help us determine what you may be seeing? Just be sure to xxx out your WAN IP.

    Regards,

    CrazyM
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    In addition to posting some log entries like CrazyM asked, can you also tell us what type of network and ISP connection you have? Dialup? DSL? Cable? Do you have a LAN or a router?

    The standard response given when you ask about seeing "fwroute" entries in the ZA log is that these are from packets being "routed through your computer" which can occur when running ZA on certain types of networks or on a gateway machine (i.e. if you were running ICS on your PC and had other systems using it as their gateway).

    I used to see these myself though I run no LAN, ICS or any routing at all. It took a little tracking down but ended up being an odd form of ISP generated housekeeping traffic. I believe I traced it to a type of keepalive that my ISP was using. It was very precise and patterned...

    At exactly the same minute and second every hour a single fwroute alert would popup in ZAP. The packet was always from an odd IP address to an odd IP address. (I believe they were in the reserved block: 112.0.0.0/5)

    I'm on ADSL using PPPoE and it turns out that those blocked fwroute packets were related to some underlying protocol requirement for my ISP connection. In fact, the setting in ZAP that was required to prevent these alerts turned out to be one that many other people on some types of ADSL needed to set for overall network health. It's the one circled in the image below from ZAP > Firewall panel > Main tab > Advanced button > check "Allow uncommon protocols at high security".

    But, this is just one specific example. Yours could be entirely different depending upon your network and ISP setup.
     

    Attached Files:

  4. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    Thanks for the answers :)
    Yes, I've the option "Allow uncommon protocols at high security" enabled. It's necessary turn on it option?, I also have the option block Internet and Local servers, if I have these option enabled, the eMule can't connect to many servers, but my ports are unreachable or something like that, are those option necessary for a good protection?
    At the moment I don't any alerts referred to Routed, only Incoming that are normal, when appear a routed alert, I will post this.
    Thanks.
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    The two options on that screen that block servers override the ability for any program on your system to get "server rights". In ZA terms, granting a program server rights, (via a pop-up program alert, or in the program list in the Program tab), means that you are allowing it to be connected into from people out on either the Internet or from the sites in your Trusted Zone.

    File sharing applications are a good example of programs that ask for server rights. (They do it in order to allow people out on the Internet to get access to the files you allow them to take from your system.) So, checking those two options, "block local servers" and "block Internet servers", will override any time you gave a program server permission.

    So, yes, checking those two options does make you more secure in that you will block all programs (whether allowed previously or not) from acting as a server and getting unsolicited connections from the network.
     
  6. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    I finally get a "routed" alert in my computer, look at the picture and the red line for view it.
    Thanks.
     

    Attached Files:

  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hi sir_carew,

    Could you actually go into the text log file itself and copy out the line that reflects this log viewer alert? The ZA log files are usually in this location and can be opened in Notepad:

    c:\windows\Internet Logs\ZALog.txt

    Edit: A routed packet should not contain your actual IP address in it, but if it does, just xxx out the last two sets of numbers but post the rest. It'd be interesting to see the whole line.
     
  8. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    The most entries in the *txt log only show Incoming alerts, so I only selected one of those that are "routed".
    Thanks.


    [pre]FWROUTE,2003/12/11,19:04:34 -3:00 GMT,127.0.0.1:80,200.30.202.145:1861,TCP (flags:AR)[/pre]
    - Since it was only one entry, I pulled it out of attachment and posted it here.
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Well, that is extremely interesting...

    [pre]FWROUTE,2003/12/11,19:04:34 -3:00 GMT,127.0.0.1:80,200.30.202.145:1861,TCP (flags:AR)[/pre]The one in the image above was from and to IP addresses not your own, but which are most likely other users on your ISP. This one is from localhost:80 - that is odd. (Do you run a local webserver on your system?)

    I know there are many conditions in networking where a system might see packets that are not meant for it, but are visible based upon how the packets were sent or how the network is laid out, but that's the limit on my level of understanding on this. We'd probably need someone with some real networking knowledge to explain it further.

    Of course, (and I know you already know this, but for the benefit of others reading here), all packets logged in this fashion by ZA are being blocked, so there is no exposure here. The only time most "routed" packet alerts (from one external address to another) would be a concern is if the volume were very very large. In which case there might be bandwidth issues to think about. The odd routed packet block is not a big thing.

    But, this one from 127.0.0.1:80 is very interesting. :doubt:
     
  10. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    No, I'm not running a local server, or something like that in my PC.
    It can be considered a hacker attack?, or can be legitimate traffic?
    Thanks
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Well, nothing is 100% certain, but I'm not really leaning towards hacker activity at all on this for a couple reasons.

    First, because as I said there are many conditions where routed packets can be seen on a system, especially for cable users. (While all ISPs are different, many times in cable networks an individual customer may see traffic pass by that is from their neighbors. If your cable modem light flashes a lot even when you've powered you PC down, then most likely you are seeing the activity of neighbors who share that cable network segment.)

    Second, these are being blocked by ZA which means they are not any danger to your system, and of no value to anyone who might be sending them deliberately.

    So, my opinion at this point is this is more a curiosity then anything else.
     
  12. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    >your cable modem light flashes a lot even when you've powered you PC down, then most likely you are seeing the activity of neighbors who share that cable network segment.)

    Yes, my cable modem light flashes a lot when my computer is down. In others words, my connection is being used or shared with others users??!! o_O, so my speed connection is affected?
    Thanks for your answers.
     
  13. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Well, yes and no. All ISPs provide "shared bandwidth" in one way or the other. DSL users rarely see their activity lights flash except for packets coming to or going from their systems, but still the bandwidth is shared, usually at some point just beyond where their digital line terminates at the nearest connection point to the provider. On many cable systems though, the activity can often be seen (by the flashing lights) because you and your neighbors are on a shared network segment...

    They aren't really using your bandwidth. It's shared bandwidth made available to all people on that segment. So long as you get at least the minimum contracted transfer rates (up and down) the cable provider is fulfilling their end. It just the way most cable ISPs work.
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    We had one of our systems on cable for a few months and I could not believe all the cr@p that would show up in the logs. Broadcast traffic in particular. All harmless, blocked and just a side effect of how some cable connections work as LWM mentioned. I put an older router in front of the sytem to give the software firewall a rest until we got all systems back on ADSL :D

    Regards,

    CrazyM
     
  15. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    LWM, It looks like a funny sort of IP spoofing. There's a massive thread on this at DSLR Security Forum (with lots of junk in it). It's usually people with cable/DSL routers that pick up on it, for the simple reason that many of them now highlight it. Most common speculation is that it's an artifact of MSBlast or a Q-type Trojan, although there seems to be some indication that some ISPs decided to blackhole requests to windowsupdate during the height of the MSBlast binge and this might be an unintended consequence. (I think those are the flags typical of this kind of thing.)

    I've got 66 of these in the past 100 hours or so.

    Nobody really knows (as far as I can tell) whether they're harmful or not. Part of the problem is that nobody knows what happens if they actually get to a real machine. There are finally some packet captures down near the end of that massive thread.
     
Thread Status:
Not open for further replies.