Thread: Security...

  1. #1
    Woot Woot! Drewski's Avatar
    Join Date
    Sep 2000
    Location
    Ontario, Canada
    Posts
    288

    Security...

    I've noticed a lot of activity on my ZoneAlarm firewall. Internet broadcasts and internet access from a spoofed IP of 0.0.0.0 at 10 attempts an hour for 2-3 hours a day, for about 4 days now, all of them on port 68. Also this message...
    The firewall has blocked Internet access to your computer (NetBIOS Name) from 216.178.19.122 (NetBIOS Name).

    Time: 7/12/01 2:34:22 PM
    2 times from 2 different IPs
    Finally, a lot of the same stuff from different IPs and different port numbers. I know this could be background noise; 3 of them were from France, 1 from Germany and 2 from China, the rest I didn't bother to check.

    The 0.0.0.0 and the NetBIOS port are my main concerns. Any advice?

    ------------------
    Member of GanG Green
    [GanG]Drewski

  2. #2
    Impolite Child The Wraith's Avatar
    Join Date
    Sep 2000
    Location
    Neverland Ranch, CA
    Posts
    318
    Port 68 is an older bootstrap protocol similar to how DHCP works, assigning an IP address to requesting hosts. A Bootp/DHCP request is sent in the form of a broadcast. In essence, a machine configured to obtain an IP address from an authoritative source sends out a broadcast to all machines, "CAN ANYONE GIVE ME AN ADDRESS!?" This is generally transmitted in what is called an "IP directed broadcast". It is not uncommon for older Bootp packets to be sent via 0.0.0.0, which would denote "all networks".

    Now, why these remote machines would be sending data to YOUR particular network segment of the world has to do with a network engineer with their head up their arse...somewhere. A router will not forward broadcast packets, by default. A router has to be specifically configured to accept and forward broadcasts, identifying WHAT broadcasts and WHERE to send them. The packets you are seeing are machines attempting to get the information they need to log onto their respective networks. You most likely see repeated packets as their network administrator has incorrectly configured their local router and they are NOT able to actually communicate to the necessary server.

    The example you gave was sourced from http://www.loyolaacademy.org. As I visit that website it doesn't surprise me it was made using Front Page 4 and is "under construction". Looks like the data you have been receiving is due to people who don't know what they are doing. The information you're seeing on your logs is nothing to be concerned about. However, if you wanted to contact these individuals and essentially tell them to get their heads from their arse (That would be my course of action), you can contact them with the information provided below:

    Frank Corley
    Loyola Academy
    3854 Washington Ave
    St. Louis , MO 63108
    314-531-9091

    Brick Network (Perhaps standing for "dumb as a...")
    1000 Macklind Ave
    St. Louis, MO 63110
    314-645-5550
    314-535-5966


    [This message has been edited by The Wraith (edited 06-12-2001).]

  3. #3
    Woot Woot! Drewski's Avatar
    Join Date
    Sep 2000
    Location
    Ontario, Canada
    Posts
    288
    Thanks for the help Wraith.
    I have 1 more question. I received this today

    The firewall has blocked Internet access to your computer (Ssh) from 194.216.214.90 (Ssh) [TCP Flags: S].

    along with the normal crap. I tried to get some info on what Ssh means, but I came up empty.
    It's a UK HTTP server running apache/1.3.19(Unix)
    That's all I know...

    ------------------
    Member of GanG Green
    [GanG]Drewski

    [This message has been edited by Drewski (edited 06-13-2001).]

  4. #4
    Registered User Zorro's Avatar
    Join Date
    Sep 2000
    Location
    Coeur d'Alene, ID
    Posts
    1,184
    ssh = Secure Shell. ssh is used to access a shell in a secure method. Typically, you see this service available on Unix boxes or other hosts where telnet access is available. ssh usually runs on TCP port 22 and utilizes a keyed encryption protocol such as 3DES, blowfish, twofish, or simple crypt (based upon the encryption algorithm used in the old-time Nazi Enigma machine). I doubt it was anything malicious if it was a one-time thing. What you probably want to look for is port scans from single hosts... Those are the bad ones...

    [AK]Zorro

    Chief Operations Officer
    AugustKnights.com WizOp
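
The triage suggested in posts #2 and #4, as an added example that is not part of the original thread: label the routine entries (0.0.0.0 on port 68, NetBIOS name traffic, a lone SSH SYN) and flag only a single source that probes many ports in a short time. The event tuples, the thresholds and the 198.51.100.7 source are constructed assumptions, not the poster's actual ZoneAlarm log.

```python
from collections import defaultdict

# Constructed blocked-inbound events: (minute, source IP, protocol, port, TCP flags).
EVENTS = [
    (0, "0.0.0.0", "udp", 68, ""), (6, "0.0.0.0", "udp", 68, ""),
    (9, "216.178.19.122", "udp", 137, ""),
    (15, "194.216.214.90", "tcp", 22, "S"),
    (40, "198.51.100.7", "tcp", 21, "S"), (40, "198.51.100.7", "tcp", 22, "S"),
    (41, "198.51.100.7", "tcp", 23, "S"), (41, "198.51.100.7", "tcp", 25, "S"),
    (42, "198.51.100.7", "tcp", 80, "S"), (42, "198.51.100.7", "tcp", 110, "S"),
]
SCAN_PORTS = 5   # assumed threshold: distinct ports probed by one source
WINDOW_MIN = 10  # assumed window, in minutes


def classify(event):
    """Label one event with the kind of traffic the thread discusses."""
    _, src, proto, port, flags = event
    if proto == "udp" and port == 68 and src == "0.0.0.0":
        return "dhcp-bootp-broadcast"   # client with no address yet
    if proto == "udp" and port == 137:
        return "netbios-name-query"     # NetBIOS Name Service
    if proto == "tcp" and flags == "S":
        return "tcp-syn:%d" % port      # connection attempt
    return "other"


def find_scanners(events, min_ports=SCAN_PORTS, window=WINDOW_MIN):
    """Return {source: ports} for sources sending SYNs to many ports quickly."""
    by_src = defaultdict(list)
    for t, src, proto, port, flags in events:
        if proto == "tcp" and flags == "S":
            by_src[src].append((t, port))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):   # window starting at each hit
            ports = {p for t, p in hits[i:] if t - start <= window}
            best = max(best, ports, key=len)
        if len(best) >= min_ports:
            scanners[src] = sorted(best)
    return scanners


def triage(events):
    """Count events per label and list the sources that look like port scans."""
    counts = defaultdict(int)
    for event in events:
        counts[classify(event)] += 1
    return dict(counts), find_scanners(events)
```
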

  5. #5
    Woot Woot! Drewski's Avatar
    Join Date
    Sep 2000
    Location
    Ontario, Canada
    Posts
    288
    ...and my knowledge of networking grows
    Thanks.

    ------------------
    Member of GanG Green
    [GanG]Drewski
