Networking Forums
Zone Alarm Firewall Attacks

 
 
MadDog
      10-12-2005, 06:08 AM
I have a DSL modem (IP address 192.168.0.1) and a Linksys DI-524 wireless
router. I am using ZoneAlarm Pro on my PC, Windows XP Pro. ZoneAlarm keeps
detecting what seems to be the modem (192.168.0.1:53) pinging the computer's
ports (192.168.10.100:nnnn where nnnn is anywhere from 1000 - 5000)

When I had an AirLink router (802.11b), ZoneAlarm never reported any attacks.

Should I be concerned ??

TIA

MadDog
 
N. Miller
      10-12-2005, 04:20 PM
On Tue, 11 Oct 2005 23:08:02 -0700, MadDog wrote:

> I have a DSL modem (IP address 192.168.0.1) and a Linksys DI-524 wireless
> router. I am using ZoneAlarm Pro on my PC, Windows XP Pro. ZoneAlarm keeps
> detecting what seems to be the modem (192.168.0.1:53) pinging the computer's
> ports (192.168.10.100:nnnn where nnnn is anywhere from 1000 - 5000)
>
> When I had an AirLink router (802.11b), ZoneAlarm never reported any attacks.
>
> Should I be concerned ??


Modem at 192.168.0.1; sounds familiar...

From your headers:

X-WBNR-Posting-Host: 69.226.223.162

Ah, thought so! Either a SpeedStream 4100 (new issue), or SpeedStream 5100B
(older, out of production issue).

They aren't "attacks" (does ZAP really call them "attacks"? I use Kerio
Personal Firewall in conjunction with Kiwi Syslog Daemon. Nothing I see is
reported as an "attack"), just logged probes.

Hmmm. I first set up my SS4100 on August 25 this year. Looking at Kiwi
Syslog Daemon I see the first entry subsequent to that installation:

| 2005-08-24 21:52:00 Local7.Warning 192.168.102.1 2005 Aug 24 21:51:51 (FR114P-2c-f2-3a) 66.125.89.88 UDP packet - Source:192.168.0.1,137 ,WAN - Destination:66.125.89.88,137 ,LAN [Drop] - [Inbound Default rule match]
| 2005-08-24 21:52:05 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1141->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE
| 2005-08-24 21:52:07 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1141->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE
| 2005-08-24 21:52:09 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1144->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE
| 2005-08-24 21:52:10 Local7.Debug 192.168.102.101 Rule 'Other DNS (Logged)': Blocked: Out UDP, localhost:1144->(null) [192.168.0.1:53], Owner: C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGINET.EXE

Most recent entry:

| 2005-10-07 05:36:58 Local7.Warning 192.168.102.1 2005 Oct 07 05:37:04 (FR114P-2c-f2-3a) 192.168.1.64 UDP packet - Source:192.168.0.1,137 ,WAN - Destination:192.168.1.64,137 ,LAN [Forward] - [Inbound Rule(2) match]

Oh, I haven't caught any KPF entries recently; probably already changed
things. What you need to do is to set Zone Alarm Pro to trust your modem IP
address. Your DNS server IP address should now be, "192.168.0.1". If you go
here:

http://192.168.0.1/

...you should see the modem "Connection Information" page; with a list
similar to this (first few lines):

| Connection Information
|
| DSL UP
| Connection UP
| User ID %UserID%@pacbell.net
| Connected at 1536 Kbps (downstream)
| 384 Kbps (upstream)
| IP Address 69.226.223.162
| IP Gateway 69.226.223.254
| DNS Servers 206.13.31.12 dns1-sac.scrmca.sbcglobal.net
| 206.13.28.12 dns1.snfcca.sbcglobal.net
| Mode PPP on the modem (Public IP for LAN device)
| Timeout Never

Your DNS servers should be the same as my cousin's, both of you on the
'pltn13' access concentrator. You can find your access concentrator on this
page:

http://192.168.0.1/techreadout.htm

Mine is on line 292, thus:

| 292 PPP Access Concentrator 90064060300098-rback14.sntcca

As for that UDP packet to port 137; the SS4100, and the SS5100B are
actually built by Siemens as routers; they are configured in firmware for
SBC as "single device routers", so they don't work the same way as the
generic Siemens products. The generic router would use NetBIOS to find the
device names of the computers on the LAN. If your D-Link router is logging
those, you can ignore those log entries.

The main thing is, configure Zone Alarm Pro to trust IP address
192.168.0.1. Also, if your mode is set to "PPP on the modem, use private IP
address", you should set 192.168.1.64 as a trusted IP address in Zone Alarm
Pro. From the same "Technician Readout" page linked above:

| 121 DHCP Start IP Address 192.168.1.64
| 122 DHCP End IP Address 192.168.1.64
| 123 DHCP Default Gateway 192.168.0.1
| 124 DHCP Default Lease Time 000 days 00:10:00
| 125 Domain name domain_not_set.invalid

BTW, with those UDP probes to port 147, and a computer connected directly
to the modem, an ipconfig -all command would show:

Host Name: %ComputerName%.domain_not_set.invalid

If your D-Link router has a place to enter a domain name on the setup page,
and you put "sbcglobal.net" in that field, you would see:

Host Name: %ComputerName%.sbcglobal.net

...when you run ipconfig -all.

Here is mine:

|
| Windows IP Configuration
|
| Host Name . . . . . . . . . : MEGUMI.aosake.net
| DNS Servers . . . . . . . . : 192.168.0.1
| Node Type . . . . . . . . . : Broadcast
| NetBIOS Scope ID. . . . . . :
| IP Routing Enabled. . . . . : No
| WINS Proxy Enabled. . . . . : No
| NetBIOS Resolution Uses DNS : No
|
| Ethernet adapter :

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
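The pattern N. Miller describes (replies from the modem's resolver on port 53 landing on the PC's ephemeral ports, plus the modem's own NetBIOS name lookups on 137) can be checked mechanically instead of by eyeballing the log. The following is an added example, not code from the original posts or from any of the products mentioned: it reads firewall log lines in the two formats quoted above (Kerio-style outbound entries and FR114P-style inbound entries), correlates each inbound 192.168.0.1:53 packet with an outbound query from the same local port, and separates the expected traffic from anything genuinely unsolicited. The sample log lines are constructed for the example, as are the "Permitted:" keyword, the "(DI-524)" tag and the 203.0.113.9 source address; the trusted resolver address, the 1024-5000 ephemeral range and the 5-second reply window are assumptions to adjust for the host in question.

```python
import re
from datetime import datetime, timedelta

# Assumptions for this example: the modem at 192.168.0.1 is the host's configured DNS
# server (as in the thread), Windows XP hands out ephemeral ports in 1024-5000, and a
# DNS reply arriving more than 5 s after its query is treated as unmatched.
TRUSTED_RESOLVER = "192.168.0.1"
EPHEMERAL_PORTS = range(1024, 5001)
REPLY_WINDOW = timedelta(seconds=5)

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
# Kerio-style outbound entry: "Out UDP, localhost:1141->(null) [192.168.0.1:53]"
OUT_RE = re.compile(r"Out UDP, localhost:(\d+)->\(null\) \[([\d.]+):(\d+)\]")
# FR114P-style inbound entry: "UDP packet - Source:a.b.c.d,53 ,WAN - Destination:w.x.y.z,1141 ,LAN"
IN_RE = re.compile(r"UDP packet - Source:([\d.]+),(\d+) ,WAN - Destination:([\d.]+),(\d+) ,LAN")


def classify_log(text):
    """Return [(timestamp, verdict, "src:port -> dst:port")] for each inbound UDP entry.

    Verdicts:
      dns-reply            resolver:53 -> ephemeral port that queried resolver:53 within
                           REPLY_WINDOW; this is the "probe" the original poster saw
      dns-reply-unmatched  same shape, but no outbound query was logged (most host
                           firewalls log only what they block, so this is the usual case)
      netbios-probe        resolver:137 -> 137, the modem's NetBIOS name lookup
      unsolicited          anything else arriving from the WAN side; worth a look
    """
    pending = {}  # local source port -> time of the last query it sent to resolver:53
    results = []
    for line in text.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue
        ts = datetime.strptime(ts_m.group(1), "%Y-%m-%d %H:%M:%S")

        out = OUT_RE.search(line)
        if out:
            sport, dst, dport = int(out.group(1)), out.group(2), int(out.group(3))
            if dst == TRUSTED_RESOLVER and dport == 53:
                pending[sport] = ts
            continue

        inc = IN_RE.search(line)
        if not inc:
            continue
        src, sport, dst, dport = inc.group(1), int(inc.group(2)), inc.group(3), int(inc.group(4))

        if src == TRUSTED_RESOLVER and sport == 53 and dport in EPHEMERAL_PORTS:
            asked = pending.pop(dport, None)
            if asked is not None and timedelta(0) <= ts - asked <= REPLY_WINDOW:
                verdict = "dns-reply"
            else:
                verdict = "dns-reply-unmatched"
        elif src == TRUSTED_RESOLVER and sport == 137 and dport == 137:
            verdict = "netbios-probe"
        else:
            verdict = "unsolicited"
        results.append((ts_m.group(1), verdict, f"{src}:{sport} -> {dst}:{dport}"))
    return results


def worth_attention(results):
    """Only the entries a person should actually read."""
    return [r for r in results if r[1] == "unsolicited"]


# Constructed sample log, modelled on the Kiwi Syslog lines quoted in the thread.
# "Permitted:", the "(DI-524)" tag and the 203.0.113.9 address are made up for the example.
SAMPLE_LOG = r"""
2005-10-12 06:01:00 Local7.Debug 192.168.10.100 Rule 'DNS (Logged)': Permitted: Out UDP, localhost:1141->(null) [192.168.0.1:53], Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2005-10-12 06:01:01 Local7.Warning 192.168.10.1 2005 Oct 12 06:01:01 (DI-524) 192.168.10.100 UDP packet - Source:192.168.0.1,53 ,WAN - Destination:192.168.10.100,1141 ,LAN [Forward] - [Inbound Rule(2) match]
2005-10-12 06:01:30 Local7.Warning 192.168.10.1 2005 Oct 12 06:01:30 (DI-524) 192.168.10.100 UDP packet - Source:192.168.0.1,53 ,WAN - Destination:192.168.10.100,3022 ,LAN [Drop] - [Inbound Default rule match]
2005-10-12 06:02:00 Local7.Warning 192.168.10.1 2005 Oct 12 06:02:00 (DI-524) 192.168.10.100 UDP packet - Source:192.168.0.1,137 ,WAN - Destination:192.168.10.100,137 ,LAN [Drop] - [Inbound Default rule match]
2005-10-12 06:03:00 Local7.Warning 192.168.10.1 2005 Oct 12 06:03:00 (DI-524) 192.168.10.100 UDP packet - Source:203.0.113.9,1026 ,WAN - Destination:192.168.10.100,139 ,LAN [Drop] - [Inbound Default rule match]
"""

if __name__ == "__main__":
    for ts, verdict, flow in classify_log(SAMPLE_LOG):
        print(f"{ts}  {verdict:20s}  {flow}")
    print("needs attention:", worth_attention(classify_log(SAMPLE_LOG)))
```

The match is on local port plus a time window, which is what distinguishes a reply from a packet merely sent to a high port. Unmatched replies from the configured resolver are still filed as benign, because a host firewall that only logs drops (as in the thread, where the outbound query was allowed silently) never records the query side; the only lines worth_attention returns are those that neither the resolver nor the modem's name lookup explains.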
 
N. Miller
      10-12-2005, 04:25 PM
On Wed, 12 Oct 2005 09:20:07 -0700, N. Miller wrote:

> BTW, with those UDP probes to port 147...


Duh-oh. S/B "port 137"...

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
 
MadDog
      10-13-2005, 02:57 AM
Norman,

Thanks for the reply. I added 192.168.0.1 and 192.168.1.64 to ZAPs
trusted IP address list. So far, I haven't seen any "probes".

MD
 
N. Miller
      10-13-2005, 06:55 AM
On Wed, 12 Oct 2005 19:57:02 -0700, MadDog wrote:

> Thanks for the reply. I added 192.168.0.1 and 192.168.1.64 to ZAPs
> trusted IP address list. So far, I haven't seen any "probes".


Any time. Not particularly germane to what you experienced, but an
interesting anecdote for the SS5100B/SS4100 user. My SS4100 is configured
with "PPP on the modem, use public IP address". For some reason, SBC
decided on their own to send a technician to work on our NID. My mother
told me about when it happened; I found the exact time (as accurate as NTP
servers can get it) in my logs. The tech disconnected the premises for some
testing. That stopped the PPPoE session. When the router sought to renew
the IP address lease, with no DSL sync, the modem issued its default DHCP
IP address to the router; for about thirty minutes my router had
192.168.1.64 on the WAN port, and no Internet connection. It would have
been noticeable had anyone been using the computer at that time.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
 