UDP Port Scan from DNS Server Happening, What's Up?
on 15.01.2006 20:30:13 by Nehmo Sergheyev
This just started a half hour ago. I'm getting repeated alerts
irregularly spaced but about one per minute:
"Kaspersky Anti-Virus Personal Pro
Attention! Your computer has been attacked from the Internet.
Network attack UDP Port Scan from address 24.94.163.100 has
been successfully repelled."
The IP address is just that of the DNS server of my ISP, RoadRunner
http://www.dnsstuff.com/tools/whois.ch?ip=24.94.163.100
I had some time ago placed this address in the Trusted Zone of
ZoneAlarm, my firewall.
I realize this is not a big problem, but what's the explanation?
--
(||) Nehmo (||)
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 15.01.2006 21:05:51 by Frankster
> I realize this is not a big problem, but what's the explanation?
Sales and Marketing! That's what. Sales and Marketing! Sales and
Marketing to the ignorant. I don't mean ignorant in a bad sense, simply
unknowledgeable.
-Frank
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 15.01.2006 21:15:55 by unknown
Post removed (X-No-Archive: yes)
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 15.01.2006 21:25:39 by Nehmo Sergheyev
That sounds reasonable. Most security programs promote themselves by
exaggerating the benefit they provide. The word "attack" is too strong,
and "repelled" is too. It seems were it not for loyal Kaspersky, my
ship would have been boarded by bloodthirsty pirates!
But I don't get these UDP Port Scans regularly. In fact, since my last
post, they've stopped. I wonder what was going on.
--
(||) Nehmo (||)
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 15.01.2006 23:31:22 by Barry Margolin
In article <9pxyf.36935$7S.26095@tornado.rdc-kc.rr.com>,
"Nehmo Sergheyev" wrote:
> This just started a half hour ago. I'm getting repeated alerts
> irregularly spaced but about one per minute:
> "Kaspersky Anti-Virus Personal Pro
> Attention! Your computer has been attacked from the Internet.
> Network attack UDP Port Scan from address 24.94.163.100 has
> been successfully repelled."
>
> The IP address is just that of the DNS server of my ISP, RoadRunner
> http://www.dnsstuff.com/tools/whois.ch?ip=24.94.163.100
> I had some time ago placed this address in the Trusted Zone of
> ZoneAlarm, my firewall.
>
> I realize this is not a big problem, but what's the explanation?
Sounds to me like your firewall is misinterpreting an ordinary DNS
response. Maybe the response took a long time to arrive, and the
application that was waiting for it had already timed out and closed the
socket. Since there was no socket waiting for that return packet, the
firewall assumed it was an unwanted attack rather than an innocent, late
packet.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 16.01.2006 02:04:51 by Virus Guy
Nehmo Sergheyev wrote:
> I'm getting repeated alerts irregularly spaced but about
> one per minute:
> Network attack UDP Port Scan from address 24.94.163.100 has
> been successfully repelled."
> The IP address is just that of the DNS server of my ISP
What port was it?
Maybe your ISP is checking to see if you're running any P2P software,
or checking to see if you have a trojan back-door running on your
computer?
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 16.01.2006 02:26:31 by DLipman~nospam~
From: "Virus Guy"
|
| What port was it?
|
| Maybe your ISP is checking to see if you're running any P2P software,
| or checking to see if you have a trojan back-door running on your
| computer?
Chances are it is NOT a port scan but the DNS Server [dns-lb.rdc-kc.rr.com] is trying to
talk back to the host after a broken or incomplete communication session with the RoadRunner
host. RoadRunner DNS servers don't perform "port scans".
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
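
Barry Margolin's and Dave's replies above both attribute the alert to DNS answers that arrive after the host has stopped waiting for them. The following added illustration (not part of any post, and not Kaspersky's actual detection logic) shows how a stateless "many closed ports from one source" counter flags late DNS answers, and how matching them to the host's own earlier queries separates them from unsolicited traffic. The packet list, the 5-second state timeout and the two-port threshold are assumptions constructed for the example; only the resolver address comes from the thread.

```python
from collections import namedtuple

# Constructed sample events (t in seconds). "out" = query sent by the host,
# "in" = UDP datagram received by the host. Not captured from the thread.
Pkt = namedtuple("Pkt", "t direction peer peer_port local_port txid")

RESOLVER = "24.94.163.100"   # resolver address quoted in the thread
STATE_TIMEOUT = 5.0          # assumed lifetime of the socket / filter state

SAMPLE = [
    Pkt(0.0,  "out", RESOLVER, 53, 1051, 0x1A2B),
    Pkt(0.1,  "in",  RESOLVER, 53, 1051, 0x1A2B),  # answered in time
    Pkt(10.0, "out", RESOLVER, 53, 1052, 0x2222),
    Pkt(12.0, "out", RESOLVER, 53, 1053, 0x3333),
    Pkt(16.5, "in",  RESOLVER, 53, 1052, 0x2222),  # 6.5 s later, socket closed
    Pkt(18.2, "in",  RESOLVER, 53, 1053, 0x3333),  # 6.2 s later, socket closed
    Pkt(20.0, "in",  RESOLVER, 53, 4000, 0x9999),  # no matching query at all
]

def classify(packets, timeout=STATE_TIMEOUT):
    """Label each inbound datagram by matching it to an earlier outbound query."""
    queries = {}  # (peer, peer_port, local_port, txid) -> time the query was sent
    labels = []
    for p in sorted(packets, key=lambda p: p.t):
        key = (p.peer, p.peer_port, p.local_port, p.txid)
        if p.direction == "out":
            queries[key] = p.t
            continue
        sent = queries.get(key)
        if sent is None:
            labels.append((p, "unsolicited"))
        elif p.t - sent <= timeout:
            labels.append((p, "reply"))
        else:
            labels.append((p, "late-reply"))
    return labels

def naive_scan_alert(labels, min_ports=2):
    """Stateless view: one source hitting several ports nobody is listening on."""
    closed = {}
    for p, label in labels:
        if label != "reply":
            closed.setdefault(p.peer, set()).add(p.local_port)
    return {ip: sorted(ports) for ip, ports in closed.items()
            if len(ports) >= min_ports}

def triage(labels):
    """Per source, count how many flagged datagrams the host itself asked for."""
    verdict = {}
    for p, label in labels:
        if label != "reply":
            counts = verdict.setdefault(p.peer, {"late-reply": 0, "unsolicited": 0})
            counts[label] += 1
    return verdict

if __name__ == "__main__":
    labels = classify(SAMPLE)
    print("naive alert:", naive_scan_alert(labels))
    print("triage:     ", triage(labels))
```

A source whose flagged datagrams are all late replies from port 53 of the configured resolver is slow DNS; only the unsolicited remainder is worth a log entry.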
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 16.01.2006 07:35:01 by Volker Birk
In comp.security.firewalls Nehmo Sergheyev wrote:
> "Kaspersky Anti-Virus Personal Pro
> Attention! Your computer has been attacked from the Internet.
> Network attack UDP Port Scan from address 24.94.163.100 has
> been successfully repelled."
Sounds like nonsense.
> The IP address is just that of the DNS server of my ISP
*ROTFL*
> RoadRunner
> http://www.dnsstuff.com/tools/whois.ch?ip=24.94.163.100
> I had some time ago placed this address in the Trusted Zone of
> ZoneAlarm, my firewall.
Oh-my-FSM.
> I realize this is not a big problem, but what's the explanation?
You're using software which shows you ridiculous popups. Just remove
this software and better use something sensible.
Yours,
VB.
--
maximum inquementum tum biguttam egresso scribe. meo maximo vestibulo
perlegamentum da. da duo tum maximum conscribementa meis listis. dum listis
decapitamentum damentum nexto fac sic nextum tum novumversum scribe egresso.
lista sic hoc recidementum nextum cis vannementa da listis. cis.
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 16.01.2006 09:33:46 by Nehmo Sergheyev
@everyone
It's not the firewall, ZA, that's producing the alerts, it's Kaspersky,
see: http://img30.imageshack.us/img30/7629/updalert1wa.gif (and I just
found the forum http://forum.kaspersky.com/ . I'll ask there too). It
doesn't name the port except for saying UDP Port Scan, as I described
in the OP.
Kaspersky does have what it calls Network Protection. From K's Help:
"Kaspersky Anti-Virus Personal Pro 5.0 allows to protect your computer
against network hacking attacks from the local area network or from the
internet.
Hacking attacks are detected based on the records contained in the
database of the attacks known at the moment. This database is updated
and the updates are installed along with the update of the anti-virus
database (details see Using the application).
By default, protection against network attacks is started at Kaspersky
Anti-Virus startup, monitors all network connections and checks all
data received from the network irrespective of the source: local
network or Internet.
As an attempt to attack your computer occurs, this attack will be
blocked. A corresponding notification will be displayed on the screen
that will contain information about the type of attack, IP address of
the attacking computer and the local port (if possible)."
But this behavior just started happening. It paused for several hours,
but then started up this evening.
I'm not alarmed by it. I'm just curious what it could be.
--
(||) Nehmo (||)
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 16.01.2006 12:24:19 by Nehmo Sergheyev
FSM = Flying Spaghetti Monster?
But how come this pop-up started popping up now?
--
(||) Nehmo (||)
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 16.01.2006 14:35:22 by Volker Birk
In comp.security.firewalls nehmo54@hotmail.com wrote:
> It's not the firewall, ZA, that's producing the alerts, it's Kaspersky,
Yes. The packet filter of Kaspersky.
But: why does this matter?
Yours,
VB.
--
maximum inquementum tum biguttam egresso scribe. meo maximo vestibulo
perlegamentum da. da duo tum maximum conscribementa meis listis. dum listis
decapitamentum damentum nexto fac sic nextum tum novumversum scribe egresso.
lista sic hoc recidementum nextum cis vannementa da listis. cis.
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 16.01.2006 14:35:51 by Volker Birk
nehmo54@hotmail.com wrote:
> FSM = Flying Spaghetti Monster?
Yes.
> But how come this pop-up started popping up now?
Because you're using braindead software.
Yours,
VB.
--
maximum inquementum tum biguttam egresso scribe. meo maximo vestibulo
perlegamentum da. da duo tum maximum conscribementa meis listis. dum listis
decapitamentum damentum nexto fac sic nextum tum novumversum scribe egresso.
lista sic hoc recidementum nextum cis vannementa da listis. cis.
Re: UDP Port Scan from DNS Server
on 16.01.2006 14:45:38 by 2
http://newhk.blogspot.com/
http://newhk.blogspot.com/
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 16.01.2006 21:11:45 by Nehmo Sergheyev
- Nehmo -
> > It's not the firewall, ZA, that's producing the alerts, it's Kaspersky,
- Volker Birk -
> Yes. The packet filter of Kaspersky.
> But: why does this matter?
- Nehmo -
K seems to be doing the work, to some degree, of a firewall.
The way the alerts are worded, they sure sound like they came from a
firewall, and some participants in this thread are assuming they came
from there. I'm clarifying because which program is producing the
alerts is possibly important to understanding them.
In the K forum, I found
http://forum.kaspersky.com/index.php?showtopic=897
I can disable "Real time protection against network attacks", and I'm
doing that now.
I still don't understand why this behavior just started. Maybe
RoadRunner is doing something different now.
I'm using Kaspersky Anti-Virus Personal Pro 5.0.390
--
(||) Nehmo (||)
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 17.01.2006 15:09:12 by Ansgar -59cobalt- Wiechers
nehmo54@hotmail.com wrote:
> In the K forum, I found
> http://forum.kaspersky.com/index.php?showtopic=897
> I can disable "Real time protection against network attacks", and I'm
> doing that now.
Good idea. Notifications are pointless in virtually any case (unless you
are interested in keeping track of attacks, in which case you would want
a logfile instead of popup messages), "stealth" is simply impossible
with TCP/IP networks, and automatic network shunning is pure idiocy.
cu
59cobalt
--
"The computer is there to compute, not to write excuses like 'Cannot
divide by zero' on the screen."
--Marco Haschka in de.org.ccc
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 18.01.2006 02:13:18 by Wayne McGlinn
Mate, that's an excellent link! I'm now replying to other postings here
quoting you :) I'm also passing this on to the family and friends who ask the
same questions. Thanks!
Wayne McGlinn
Brisbane, Oz
wrote in message
news:%3yyf.261315$qk4.80974@bgtnsc05-news.ops.worldnet.att.net...
> "Nehmo Sergheyev" wrote in
> news:9pxyf.36935$7S.26095@tornado.rdc-kc.rr.com:
>
>
> See "Don't let your personal firewall alarm you"
> http://samspade.org/d/persfire.html
>
> J
> --
> Replies to: Nherr1professor2doktor31109(at)Oyahoo(dot)Tcom
Re: UDP Port Scan from DNS Server
on 18.01.2006 02:48:22 by Nehmo Sergheyev
Normally posting irrelevant links like that, wasting the reader's time
and irritating them, would discredit your cause rather than promote it.
However, your writing is so wandering and disjointed, I can't figure
out what cause should be discredited. You're either an Arab or a Jew,
but I'd have to decipher your writings to know. And I've already wasted
too much time on them.
--
(||) Nehmo (||)
Re: UDP Port Scan from DNS Server Happening, What's Up?
on 18.01.2006 17:06:01 by Wolfgang Kueter
Nehmo Sergheyev wrote:
> [...]
> I realize this is not a big problem,
I'd call a piece of software that blocks DNS answers because it believes
that these are an attack quite a big problem because DNS is quite an
important and useful service.
> but what's the explanation?
These are DNS answer packets that ZA misinterprets as 'attacks', a typical
sign of a totally braindead software. Uninstall the ZA crap, it is useless
anyway and apart from being useless it claims totally normal traffic to be
an attack.
Wolfgang