Norton NIS autoblocks cable modem DNS Scan

Hi all

The problem I have is this: every few hours, one of the computers (any
one,
not a particular one) will have a partial failure of internet
service-
I can't browse the web but email, skype and FTP still work. After
30 minutes the problem rights itself. The other computers in the
network don't usually experience this problem in the same time (i.e.
they are fine except the one that does't work). I thought my router
has a hardware problem but then I noticed that every time the problem
happens, just before it my NIS 2003 reports a "portscan" of
192.168.1.1 (domain 53-> this means port 53, I gather).
I have a 3COM router and win2k home network of PC's.

Apparently it is because the NIS2003 autoblocks the 192.168.1.1 for 30
minutes after each
'attack'. I can only assume that this is some kind of periodic DNS
ping by the system.

With the aid of this useful site,
http://homepage.ntlworld.com/robin.d.h.walker/cmtips/securit y.html#fwconfig

I learnt that for cable modems I might have to add the Default gateway
(192.168.1.1)
(the site refers to the 'modem' address but If I have a router I am
guessing that is the same)
to the trusted zone (perhaps at least for port 53?)
Or I could set up a rule for NIS2003 to trust all traffic on port 53,
does anyone know which is safer?

If I set 192.168.1.1 to be a trusted address, doesn't that mean that
attacks could originate
from there?

I can set it to allow only port 53 from 192.168.1.1, but is this DNS
request TCP,UDP, both or ICMP?

What would be the least security vulnerable solution?

Thanks...!



(..)
Below is additional configuration info.

I have tried to have the PC's configured statically (with DNS
servers)
as well as DHCP automatic config, it doesn't imrove the issue.
If I disable NIS 2003 and then immediately enable it, internet
service
resumes...
I scanne all open ports with a web security site and it reports that
only port 113 is closed (the rest are stealthed).


NIS (Norton internet security) 2003. All
PC's in the network have Win2k, SP5 IE6 SP1, and NIS 2003 with all of
the updates. L2TP Cable internet is through 3Com wireless
Officeconnect 3CRWE554G72T router.

Re: Norton NIS autoblocks cable modem DNS Scan

On Mar 7, 5:03 pm, development...@walla.com wrote:
> Hi all
>
> The problem I have is this: every few hours, one of the computers (any
> one,
> not a particular one) will have a partial failure of internet
> service-
> I can't browse the web but email, skype and FTP still work. After
> 30 minutes the problem rights itself. The other computers in the
> network don't usually experience this problem in the same time (i.e.
> they are fine except the one that does't work). I thought my router
> has a hardware problem but then I noticed that every time the problem
> happens, just before it my NIS 2003 reports a "portscan" of
> 192.168.1.1 (domain 53-> this means port 53, I gather).
> I have a 3COM router and win2k home network of PC's.
>
> Apparently it is because the NIS2003 autoblocks the 192.168.1.1 for 30
> minutes after each
> 'attack'. I can only assume that this is some kind of periodic DNS
> ping by the system.
>
> With the aid of this useful site,http://homepage.ntlworld.com/robin.d.h.walker/cmtips/se curity.html#fw...
>
> I learnt that for cable modems I might have to add the Default gateway
> (192.168.1.1)
> (the site refers to the 'modem' address but If I have a router I am
> guessing that is the same)
> to the trusted zone (perhaps at least for port 53?)
> Or I could set up a rule for NIS2003 to trust all traffic on port 53,
> does anyone know which is safer?
>
> If I set 192.168.1.1 to be a trusted address, doesn't that mean that
> attacks could originate
> from there?
>
> I can set it to allow only port 53 from 192.168.1.1, but is this DNS
> request TCP,UDP, both or ICMP?
>
> What would be the least security vulnerable solution?
>
> Thanks...!
>
> (..)
> Below is additional configuration info.
>
> I have tried to have the PC's configured statically (with DNS
> servers)
> as well as DHCP automatic config, it doesn't imrove the issue.
> If I disable NIS 2003 and then immediately enable it, internet
> service
> resumes...
> I scanne all open ports with a web security site and it reports that
> only port 113 is closed (the rest are stealthed).
>
> NIS (Norton internet security) 2003. All
> PC's in the network have Win2k, SP5 IE6 SP1, and NIS 2003 with all of
> the updates. L2TP Cable internet is through 3Com wireless
> Officeconnect 3CRWE554G72T router.

FWIW, I used to be a field service technician and one of the biggest
hassles I faced were PCs with NIS installed. IMO, any computer that
has NIS installed, and the user is a techie-geek like me, would be
better off using something much less frustrating than NIS, usually,
independant software that isn't integrated together like NIS. NAV is
great... but the package suite is way too fluffy and bloats the OS
pretty bad. Needless to say, to uninstall it sometimes causes even
MORE problems...

good luck

Re: Norton NIS autoblocks cable modem DNS Scan

On Mar 7, 5:03 pm, development...@walla.com wrote:
> Hi all
>
> The problem I have is this: every few hours, one of the computers (any
> one,
> not a particular one) will have a partial failure of internet
> service-
> I can't browse the web but email, skype and FTP still work. After
> 30 minutes the problem rights itself. The other computers in the
> network don't usually experience this problem in the same time (i.e.
> they are fine except the one that does't work). I thought my router
> has a hardware problem but then I noticed that every time the problem
> happens, just before it my NIS 2003 reports a "portscan" of
> 192.168.1.1 (domain 53-> this means port 53, I gather).
> I have a 3COM router and win2k home network of PC's.
>
> Apparently it is because the NIS2003 autoblocks the 192.168.1.1 for 30
> minutes after each
> 'attack'. I can only assume that this is some kind of periodic DNS
> ping by the system.
>
> With the aid of this useful site,http://homepage.ntlworld.com/robin.d.h.walker/cmtips/se curity.html#fw...
>
> I learnt that for cable modems I might have to add the Default gateway
> (192.168.1.1)
> (the site refers to the 'modem' address but If I have a router I am
> guessing that is the same)
> to the trusted zone (perhaps at least for port 53?)
> Or I could set up a rule for NIS2003 to trust all traffic on port 53,
> does anyone know which is safer?
>
> If I set 192.168.1.1 to be a trusted address, doesn't that mean that
> attacks could originate
> from there?
>
> I can set it to allow only port 53 from 192.168.1.1, but is this DNS
> request TCP,UDP, both or ICMP?
>
> What would be the least security vulnerable solution?
>
> Thanks...!
>
> (..)
> Below is additional configuration info.
>
> I have tried to have the PC's configured statically (with DNS
> servers)
> as well as DHCP automatic config, it doesn't imrove the issue.
> If I disable NIS 2003 and then immediately enable it, internet
> service
> resumes...
> I scanne all open ports with a web security site and it reports that
> only port 113 is closed (the rest are stealthed).
>
> NIS (Norton internet security) 2003. All
> PC's in the network have Win2k, SP5 IE6 SP1, and NIS 2003 with all of
> the updates. L2TP Cable internet is through 3Com wireless
> Officeconnect 3CRWE554G72T router.
FWIW, I used to be a field service technician and one of the biggest
hassles I faced were PCs with NIS installed. IMO, any computer that
has NIS installed, and the user is a techie-geek like me, would be
better off using something much less frustrating than NIS, usually,
independant software that isn't integrated together like NIS. NAV is
great... but the package suite is way too fluffy and bloats the OS
pretty bad. Needless to say, to uninstall it sometimes causes even
MORE problems...

good luck

Re: Norton NIS autoblocks cable modem DNS Scan

On Mar 12, 7:24 pm, "RedForeman" wrote:
> On Mar 7, 5:03 pm, development...@walla.com wrote:
>
>
>
> > Hi all
>
> > The problem I have is this: every few hours, one of the computers (any
> > one,
> > not a particular one) will have a partial failure of internet
> > service-
> > I can't browse the web but email, skype and FTP still work. After
> > 30 minutes the problem rights itself. The other computers in the
> > network don't usually experience this problem in the same time (i.e.
> > they are fine except the one that does't work). I thought my router
> > has a hardware problem but then I noticed that every time the problem
> > happens, just before it my NIS 2003 reports a "portscan" of
> > 192.168.1.1 (domain 53-> this means port 53, I gather).
> > I have a 3COM router and win2k home network of PC's.
>
> > Apparently it is because the NIS2003 autoblocks the 192.168.1.1 for 30
> > minutes after each
> > 'attack'. I can only assume that this is some kind of periodicDNS
> > ping by the system.
>
> > With the aid of this useful site,http://homepage.ntlworld.com/robin.d.h.walker/cmtips/se curity.html#fw...
>
> > I learnt that for cable modems I might have to add the Default gateway
> > (192.168.1.1)
> > (the site refers to the 'modem' address but If I have a router I am
> > guessing that is the same)
> > to the trusted zone (perhaps at least for port 53?)
> > Or I could set up a rule for NIS2003 to trust all traffic on port 53,
> > does anyone know which is safer?
>
> > If I set 192.168.1.1 to be a trusted address, doesn't that mean that
> > attacks could originate
> > from there?
>
> > I can set it to allow only port 53 from 192.168.1.1, but is thisDNS
> > request TCP,UDP, both or ICMP?
>
> > What would be the least security vulnerable solution?
>
> > Thanks...!
>
> > (..)
> > Below is additional configuration info.
>
> > I have tried to have the PC's configured statically (withDNS
> > servers)
> > as well as DHCP automatic config, it doesn't imrove the issue.
> > If I disable NIS 2003 and then immediately enable it, internet
> > service
> > resumes...
> > I scanne all open ports with a web security site and it reports that
> > only port 113 is closed (the rest are stealthed).
>
> > NIS (Norton internet security) 2003. All
> > PC's in the network have Win2k, SP5 IE6 SP1, and NIS 2003 with all of
> > the updates. L2TP Cable internet is through 3Com wireless
> > Officeconnect 3CRWE554G72T router.
>
> FWIW, I used to be a field service technician and one of the biggest
> hassles I faced were PCs with NIS installed. IMO, any computer that
> has NIS installed, and the user is a techie-geek like me, would be
> better off using something much less frustrating than NIS, usually,
> independant software that isn't integrated together like NIS. NAV is
> great... but the package suite is way too fluffy and bloats the OS
> pretty bad. Needless to say, to uninstall it sometimes causes even
> MORE problems...
>
> good luck- Hide quoted text -
>
> - Show quoted text -


Thank you for replying. However all I would like to know whether this
phenomenon is an attack or it can be safely given an "allow" rule in
NIS. I get it 10-15 times a day now,
all from 192.168.1.1 (the router address of course) and every time
from a different port (1000-5000). If I tell NIS to allow all traffic
from said IP, that is the same as disabling NIS altogether, isn't it?

Thanks