Hackers and "Client filtering settings blocked connection from IP address"

Hi,

I have enabled both WEP and MAC filtering on my MN-500 with
a cablemodem. In the security log file, I have recently
started seeing messages like this:

Client filtering settings blocked connection from IP
address <a.b.c.d>

What does the above message really mean? The link at
http://www.microsoft.com/hardware/br...log_file..mspx
says the basestation blocked a user with <a.b.c.d> from
trying to acces the Internet.

I honestly don't understand this as it seems to make no
sense: 1) WEP and MAC filtering should stop users from
Wireless access, and 2) the only other users *are* on the
Internet, and why would the Basestation say they are trying
to gain access?

Finally, should I send abuse reports to the IP block's
abuse@ address?

Dear Cris,


Client filtering is a form of Association Control for
wirless clients of the MN-500. It is based on IP, not
MAC, as you have correctly determined.

I suspect that somewhere along the line, you have
initiated or left default Clinet Filtering. Check your
DHCP client list. After you have determined if the IP
address matches one of your MN-500 clients, go to your
Security setting adn change/maintain Client filtering.
See MN-500 manual instructions below:

Client Filtering
You can use client filtering to control the Internet
access of each client on your network. This feature is
particularly useful if, for example, you want to restrict
the time that your children spend surfing the Web. To
configure client filtering, you must have the following
information:

O The private IP address assigned to the client computer.
To determine the IP address assigned to the client
computer, check the DHCP client list on the Home page of
the Base Station Management Tool.

O The ports for the type of application data to which you
want to control access.

For example, if you want to control Web browsing, specify
TCP Port 80 on client 192.168.2.XX. It is recommended
that you assign static IP addresses to each of the client
devices whose access to the Internet you want to control.

To enable client filtering

1. Open the Base Station Management Tool, and then click
Security.

2. On the Security menu, click Client Filtering.

3. In the appropriate box, type the IP address of the
client device whose access to the Internet you want to
control.

4. In the Outbound port(s) boxes, type the outbound port
protocol and port number for the data that you want
to control.

5. In the appropriate boxes, specify the date and time
range when you want to block access to this data. If you
want to filter access on a particular day, for example,
every Sunday, enter the same time and the same date for
the start and end period. If you want to block access all
the time, click Always.

6. Select the Block check box, and then click Apply to
activate the client filtering.


>-----Original Message-----
>Hi,
>
>I have enabled both WEP and MAC filtering on my MN-500
with
>a cablemodem. In the security log file, I have recently
>started seeing messages like this:
>
>Client filtering settings blocked connection from IP
>address <a.b.c.d>
>
>What does the above message really mean? The link at
>http://www.microsoft.com/hardware/br...networking/10_
concept_log_file..mspx
>says the basestation blocked a user with <a.b.c.d> from
>trying to acces the Internet.
>
>I honestly don't understand this as it seems to make no
>sense: 1) WEP and MAC filtering should stop users from
>Wireless access, and 2) the only other users *are* on the
>Internet, and why would the Basestation say they are
trying
>to gain access?
>
>Finally, should I send abuse reports to the IP block's
>abuse@ address?
>.
>

It's a bug in the message text. The message appears when
you disable Pings on the router, and an attacker sends an
ICMP packet (a Ping) to your IP ^_^

It has nothing to do with client filtering.

>-----Original Message-----
>Hi,
>
>I have enabled both WEP and MAC filtering on my MN-500 with
>a cablemodem. In the security log file, I have recently
>started seeing messages like this:
>
>Client filtering settings blocked connection from IP
>address <a.b.c.d>
>
>What does the above message really mean? The link at
>http://www.microsoft.com/hardware/br...log_file..mspx
>says the basestation blocked a user with <a.b.c.d> from
>trying to acces the Internet.
>
>I honestly don't understand this as it seems to make no
>sense: 1) WEP and MAC filtering should stop users from
>Wireless access, and 2) the only other users *are* on the
>Internet, and why would the Basestation say they are trying
>to gain access?
>
>Finally, should I send abuse reports to the IP block's
>abuse@ address?
>.
>

Gotta love MS top-posting-biased software...

Anyway...

Thanks for the response. I confirm that I've disabled pings
in the security settings. I'll try to find some
confirmation about this bug (knowledgebase article?); it's
a more logical explanation that the response by Ken.

By the way, not all Pings are from attackers, but probably
most are ;-)

Regards,

Cris

>-----Original Message-----
>It's a bug in the message text. The message appears when
>you disable Pings on the router, and an attacker sends an
>ICMP packet (a Ping) to your IP ^_^
>
>It has nothing to do with client filtering.
>
>>-----Original Message-----
>>Hi,
>>
>>I have enabled both WEP and MAC filtering on my MN-500 with
>>a cablemodem. In the security log file, I have recently
>>started seeing messages like this:
>>
>>Client filtering settings blocked connection from IP
>>address <a.b.c.d>
>>
>>What does the above message really mean? The link at
>>http://www.microsoft.com/hardware/br...log_file..mspx
>>says the basestation blocked a user with <a.b.c.d> from
>>trying to acces the Internet.
>>
>>I honestly don't understand this as it seems to make no
>>sense: 1) WEP and MAC filtering should stop users from
>>Wireless access, and 2) the only other users *are* on the
>>Internet, and why would the Basestation say they are trying
>>to gain access?
>>
>>Finally, should I send abuse reports to the IP block's
>>abuse@ address?
>>.
>>
>.
>

Hi Ken,

Thanks for the response. I'm using the MN-500 in my home
LAN. I don't have any DHCP client list that I've done myself.

I think that lilo's explanation makes more sense -- i.e.,
it's a bug -- printing a message like that instead of
saying that an ICMP message has been blocked by the user at
the IP address.

Regards,

Cris

>-----Original Message-----
>
>Dear Cris,
>
>
>Client filtering is a form of Association Control for
>wirless clients of the MN-500. It is based on IP, not
>MAC, as you have correctly determined.
>
>I suspect that somewhere along the line, you have
>initiated or left default Clinet Filtering. Check your
>DHCP client list. After you have determined if the IP
>address matches one of your MN-500 clients, go to your
>Security setting adn change/maintain Client filtering.
>See MN-500 manual instructions below:
>
>Client Filtering
>You can use client filtering to control the Internet
>access of each client on your network. This feature is
>particularly useful if, for example, you want to restrict
>the time that your children spend surfing the Web. To
>configure client filtering, you must have the following
>information:
>
>O The private IP address assigned to the client computer.
>To determine the IP address assigned to the client
>computer, check the DHCP client list on the Home page of
>the Base Station Management Tool.
>
>O The ports for the type of application data to which you
>want to control access.
>
>For example, if you want to control Web browsing, specify
>TCP Port 80 on client 192.168.2.XX. It is recommended
>that you assign static IP addresses to each of the client
>devices whose access to the Internet you want to control.
>
>To enable client filtering
>
>1. Open the Base Station Management Tool, and then click
>Security.
>
>2. On the Security menu, click Client Filtering.
>
>3. In the appropriate box, type the IP address of the
>client device whose access to the Internet you want to
>control.
>
>4. In the Outbound port(s) boxes, type the outbound port
>protocol and port number for the data that you want
>to control.
>
>5. In the appropriate boxes, specify the date and time
>range when you want to block access to this data. If you
>want to filter access on a particular day, for example,
>every Sunday, enter the same time and the same date for
>the start and end period. If you want to block access all
>the time, click Always.
>
>6. Select the Block check box, and then click Apply to
>activate the client filtering.
>
>
>>-----Original Message-----
>>Hi,
>>
>>I have enabled both WEP and MAC filtering on my MN-500
>with
>>a cablemodem. In the security log file, I have recently
>>started seeing messages like this:
>>
>>Client filtering settings blocked connection from IP
>>address <a.b.c.d>
>>
>>What does the above message really mean? The link at
>>http://www.microsoft.com/hardware/br...networking/10_
>concept_log_file..mspx
>>says the basestation blocked a user with <a.b.c.d> from
>>trying to acces the Internet.
>>
>>I honestly don't understand this as it seems to make no
>>sense: 1) WEP and MAC filtering should stop users from
>>Wireless access, and 2) the only other users *are* on the
>>Internet, and why would the Basestation say they are
>trying
>>to gain access?
>>
>>Finally, should I send abuse reports to the IP block's
>>abuse@ address?
>>.
>>
>.
>

I must have been working way too hard on crypto -- if it's
not Alice or Bob, it's always an atacker, heh ^.^

I found this experimentally, and has been quite known in
the newsgroup for a while -- I remember posting it to
hnbugs@microsoft...

>-----Original Message-----
>Gotta love MS top-posting-biased software...
>
>Anyway...
>
>Thanks for the response. I confirm that I've disabled pings
>in the security settings. I'll try to find some
>confirmation about this bug (knowledgebase article?); it's
>a more logical explanation that the response by Ken.
>
>By the way, not all Pings are from attackers, but probably
>most are ;-)
>
>Regards,
>
>Cris
>
>>-----Original Message-----
>>It's a bug in the message text. The message appears when
>>you disable Pings on the router, and an attacker sends an
>>ICMP packet (a Ping) to your IP ^_^
>>
>>It has nothing to do with client filtering.
>>
>>>-----Original Message-----
>>>Hi,
>>>
>>>I have enabled both WEP and MAC filtering on my MN-500 with
>>>a cablemodem. In the security log file, I have recently
>>>started seeing messages like this:
>>>
>>>Client filtering settings blocked connection from IP
>>>address <a.b.c.d>
>>>
>>>What does the above message really mean? The link at
>>>http://www.microsoft.com/hardware/br...log_file..mspx
>>>says the basestation blocked a user with <a.b.c.d> from
>>>trying to acces the Internet.
>>>
>>>I honestly don't understand this as it seems to make no
>>>sense: 1) WEP and MAC filtering should stop users from
>>>Wireless access, and 2) the only other users *are* on the
>>>Internet, and why would the Basestation say they are trying
>>>to gain access?
>>>
>>>Finally, should I send abuse reports to the IP block's
>>>abuse@ address?
>>>.
>>>
>>.
>>
>.
>