"attack" from Router IP..?

on 17.03.2007 16:36:16 by developmental2

Hi all...
I have a 3COM 3CRWE554G72T router and home network with
NIS (Norton Internet Security) 2003. All PCs in the network have
Win2k, SP4 IE6 SP1. L2TP Cable internet is through the 3Com wireless
OfficeConnect 3CRWE554G72T router.

In recent weeks (after 2-3 years of mostly uneventful usage with NIS)
I began to get alerts from it on an attack (?):

"portscan" of 192.168.1.1 (domain 53). That is the router IP.
Then it does an autoblock on this IP which of course disables http
browsing of internet for half an hour (only FTP, email and skype
continue to work). This happens dozens of times every day.

NIS allows to include any IP or port in the DMZ, but these 'attacks'
come from different ports every time (1000-5000 range)
and if I allow all ports from 192.168.1.1 then it means NIS is
bypassed, in effect, isn't it? Because all internet is coming from this
IP.

How can I determine whether this is some hack portscan or some
periodical DNS status ping by the internet provider? (why would they do
it on a different port every time?)


thanks

Re: "attack" from Router IP..?

on 17.03.2007 19:34:41 by Maximum Dog4

developmental2@walla.com wrote:
>
> in recent weeks (after 2-3 years of mostly uneventful usage with NIS)
> I began to get alerts from it on an attack (?):

No
>
> "portscan" of 192.168.1.1 (domain 53). That is the router IP.
> Then it does an autoblock on this IP which of course disables http
> browsing of internet for half an hour (only FTP, email and skype
> continue to work). This happens dozens of times every day.

Well, that should be telling you that you don't block the Device IP of
the router.
>
> NIS allows to include any IP or port in the DMZ, but these 'attacks'
> come from different ports every time (1000-5000 range)
> and if I allow all ports from 192.168.1.1 then it means NIS is
> bypassed, in effect, isn't it? Because all internet is coming from this
> IP.

The Device IP of the router should be allowed on all ports. And no, all
the Internet is *NOT* coming from the Device IP.
>
> how can I determine whether this is some hack portscan or some
> periodical DNS status ping by the internet provider? (why would they do
> it on a different port every time?)
>
>

There is no ping happening from the ISP. Nothing can attack the LAN
using the Device IP of the router, period.

NIS is not supposed to be blocking the Device IP of the router for any
reason. The router is communicating with machines connected to it doing
advertisements and other communications.

http://www.unix.org.ua/gated/node36.html

I suggest you configure NIS properly to deal with the router or get rid
of it.

Re: "attack" from Router IP..?

on 17.03.2007 23:52:40 by unknown

Post removed (X-No-Archive: yes)

Re: "attack" from Router IP..?

on 18.03.2007 05:08:48 by Hexalon

On Mar 17, 10:36 am, development...@walla.com wrote:
> Hi all...
> I have a 3COM 3CRWE554G72T router and home network with
> NIS (Norton internet security) 2003. All
> PC's in the network have Win2k, SP4 IE6 SP1. L2TP Cable internet is
> through 3Com wireless
> Officeconnect 3CRWE554G72T router.
>
> in recent weeks (after 2-3 years of mostly uneventful usage with NIS)
> I began to get alerts from it on an attack (?):
>
> "portscan" of 192.168.1.1 (domain 53). That is the router IP.
> Then it does an autoblock on this IP which of course disables http
> browsing of internet for half an hour (only FTP, email and skype
> continue to work). This happens dozens of times every day.
>
> NIS allows to include any IP or port in the DMZ, but these 'attacks'
> come from different ports every time (1000-5000 range)
> and if I allow all ports from 192.168.1.1 then it means NIS is
> bypassed, in effect, isn't it? Because all internet is coming from this
> IP.
>
> how can I determine whether this is some hack portscan or some
> periodical DNS status ping by the internet provider? (why would they do
> it on a different port every time?)
>
> thanks

Try turning off NAT.

Re: "attack" from Router IP..?

on 18.03.2007 21:26:26 by ibuprofin

On 17 Mar 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1174145776.373069.110040@n76g2000hsh.googlegroups.com>,
developmental2@walla.com wrote:

>in recent weeks (after 2-3 years of mostly uneventful usage with NIS)
>I began to get alerts from it on an attack (?):

Yes, if things don't exactly meet what is expected, these products will
scream that you are being attacked. The designer, and the person who
misconfigured it should be shot for gross stupidity.

>"portscan" of 192.168.1.1 (domain 53). That is the router IP.

An application on one of your computers asked for a hostname to IP
address lookup. The firewall allows a few seconds for the reply, and if
no reply occurs, forgets that there was a question. The nameserver that
is answering the question was slow, and replied a second or two after
the firewall forgot the question, and the firewall thinks this is some
new packet - not associated with anything, and SCREAMS THAT YOU ARE
BEING ATTACKED!!! Idiots!

>Then it does an autoblock on this IP which of course disables http
>browsing of internet for half an hour (only FTP, email and skype
>continue to work). This happens dozens of times every day.

Perhaps you should get a real firewall instead of the toy.

>NIS allows to include any IP or port in the DMZ, but these 'attacks'
>come from different ports every time (1000-5000 range) and if I allow
>all ports from 192.168.1.1 then it means NIS is bypassed, in effect,
>isn't it? Because all internet is coming from this IP

That's funny - you also need a better log reader

>how can I determine whether this is some hack portscan or some
>periodical DNS status ping by the internet provider?

"ping" is using a completely different protocol (ICMP). There are
TCP and UDP versions, but no one uses those, because virtually no
application exists to create them.

>(why would they do it on a different port every time?)

You really need to learn about the fundamentals of networking, or stop
using such a crap "firewall". You're posting from a search engine
named Google, perhaps you should use that for its primary purpose and
search for the answer.

Old guy

Re: "attack" from Router IP..?

on 18.03.2007 22:49:32 by Rick Merrill

Moe Trin wrote:
...
> An application on one of your computers asked for a hostname to IP
> address lookup. The firewall allows a few seconds for the reply, and if
> no reply occurs, forgets that there was a question. The nameserver that
> is answering the question was slow, and replied a second or two after
> the firewall forgot the question, and the firewall thinks this is some
> new packet - not associated with anything, and SCREAMS THAT YOU ARE
> BEING ATTACKED!!! Idiots!

I've been seeing those for a long time - thanks for the explanation!

I have to turn off the firewall to clear its log. Is there some other
way to clear the log for Win XP "firewall"?

Re: "attack" from Router IP..?

on 18.03.2007 23:14:04 by Maximum Dog5

Rick Merrill wrote:


>
> I've been seeing those for a long time - thanks for the explanation!
>
> I have to turn off the firewall to clear its log. Is there some other
> way to clear the log for Win XP "firewall"?

You're asking the wrong person about this. Old Moe Trin knows nothing
about a PFW/personal packet filter and the features in them,
particularly XP's FW. As I recall, he might not use the MS platform period.

Re: "attack" from Router IP..?

on 19.03.2007 00:33:29 by unknown

Post removed (X-No-Archive: yes)

Re: "attack" from Router IP..?

on 19.03.2007 03:15:11 by ibuprofin

On Sun, 18 Mar 2007, in the Usenet newsgroup comp.security.firewalls, in article
, Rick Merrill wrote:

>Moe Trin wrote:

>> An application on one of your computers asked for a hostname to IP
>> address lookup. The firewall allows a few seconds for the reply, and if
>> no reply occurs, forgets that there was a question. The nameserver that
>> is answering the question was slow, and replied a second or two after
>> the firewall forgot the question, and the firewall thinks this is some
>> new packet - not associated with anything, and SCREAMS THAT YOU ARE
>> BEING ATTACKED!!! Idiots!

>I've been seeing those for a long time - thanks for the explanation!

You're welcome! It's been fairly well reported in this group among others.
As you can tell, I'm not pleased with the crap designers who thought up
that brain dead idea. In fact, the delayed response _could_ take tens of
seconds as the DNS server asks recursively starting at the root servers.
Each level _could_ be busy - this is especially the case with domains
other than .com, or .net.

>I have to turn off the firewall to clear its log. Is there some other
>way to clear the log for Win XP "firewall"?

Sorry - I got rid of windoze before they invented the Internet, or
whatever they claim to have done. The only microsoft product in the house is
two old "Dove Bar" mice, which my wife prefers.

Old guy
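
The mechanism described in the two posts above (a DNS reply arriving after the firewall has dropped its state entry, with the slow recursive lookups mentioned in the last post) can be reproduced with a small model. This is an added example, not part of the thread and not NIS's actual logic; the timeout, the alert threshold and the event list are constructed assumptions, and the local ports are the client's own ephemeral source ports, which is why each "attack" hits a different port.

```python
from collections import defaultdict

STATE_TIMEOUT = 3.0          # assumed: seconds an outbound UDP query is remembered
SCAN_THRESHOLD = 3           # assumed: distinct local ports before a "portscan" alert
RESOLVERS = {"192.168.1.1"}  # the router acting as the LAN's DNS forwarder

# Constructed events: (time, direction, remote_ip, remote_port, local_port)
EVENTS = [
    (0.0, "out", "192.168.1.1", 53, 1031),
    (0.2, "in", "192.168.1.1", 53, 1031),    # prompt answer
    (1.0, "out", "192.168.1.1", 53, 1032),
    (5.5, "in", "192.168.1.1", 53, 1032),    # answer after 4.5 s
    (6.0, "out", "192.168.1.1", 53, 1033),
    (18.0, "in", "192.168.1.1", 53, 1033),   # answer after 12 s
    (20.0, "out", "192.168.1.1", 53, 1034),
    (27.0, "in", "192.168.1.1", 53, 1034),   # answer after 7 s
]

def run(events, classify_late_dns):
    """Return one verdict per inbound packet.

    classify_late_dns=False models the naive tracker: anything without live
    state is unsolicited and counts toward the port-scan threshold.
    classify_late_dns=True keeps expired queries around and labels a reply
    from a configured resolver's port 53 to a recently used port as late DNS.
    """
    state = {}                      # (remote_ip, remote_port, local_port) -> expiry
    unsolicited = defaultdict(set)  # remote_ip -> local ports hit without state
    verdicts = []
    for t, direction, rip, rport, lport in events:
        key = (rip, rport, lport)
        if direction == "out":
            state[key] = t + STATE_TIMEOUT
            continue
        if state.get(key, -1) >= t:          # live state: ordinary reply
            del state[key]
            verdicts.append("reply")
            continue
        was_queried = key in state           # entry existed but has expired
        state.pop(key, None)
        if classify_late_dns and was_queried and rport == 53 and rip in RESOLVERS:
            verdicts.append("late-dns-reply")
            continue
        unsolicited[rip].add(lport)
        hit = len(unsolicited[rip]) >= SCAN_THRESHOLD
        verdicts.append("portscan-alert" if hit else "unsolicited")
    return verdicts

if __name__ == "__main__":
    print(run(EVENTS, False))
    print(run(EVENTS, True))
```

A packet from the resolver's port 53 to a port that never sent a query is still counted as unsolicited in both modes, so the second mode does not amount to allowing everything from the router's address.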