Firewalls - Use them!

zs6cey

Hi All,

Here is a list of attacks detected by the Telkom ADSL router for last night:

09/15/2005 20:39:20> Firewall:Winnuke detected,from 165.146.119.12 to 165.146.69.143
09/15/2005 20:39:23> Firewall:Winnuke detected,from 165.146.119.12 to 165.146.69.143
09/15/2005 21:02:10> Firewall:Winnuke detected,from 165.146.164.194 to 165.146.69.143
09/15/2005 21:02:13> Firewall:Winnuke detected,from 165.146.164.194 to 165.146.69.143
09/15/2005 21:17:21> Firewall:Winnuke detected,from 165.146.66.240 to 165.146.69.143
09/15/2005 21:17:24> Firewall:Winnuke detected,from 165.146.66.240 to 165.146.69.143
09/15/2005 21:48:58> Firewall:Winnuke detected,from 165.146.148.114 to 165.146.69.143
09/15/2005 21:49:01> Firewall:Winnuke detected,from 165.146.148.114 to 165.146.69.143
09/15/2005 22:07:42> Firewall:Winnuke detected,from 165.146.1.200 to 165.146.69.143
09/15/2005 22:07:45> Firewall:Winnuke detected,from 165.146.1.200 to 165.146.69.143
09/15/2005 22:17:56> Firewall:Winnuke detected,from 165.146.255.164 to 165.146.69.143
09/15/2005 22:17:59> Firewall:Winnuke detected,from 165.146.255.164 to 165.146.69.143
09/15/2005 22:26:41> Firewall:Winnuke detected,from 165.146.199.27 to 165.146.69.143
09/15/2005 22:26:44> Firewall:Winnuke detected,from 165.146.199.27 to 165.146.69.143
09/15/2005 22:40:16> Firewall:Winnuke detected,from 165.146.164.194 to 165.146.69.143
09/15/2005 22:40:19> Firewall:Winnuke detected,from 165.146.164.194 to 165.146.69.143
09/15/2005 23:11:11> Firewall:Winnuke detected,from 165.146.215.108 to 165.146.69.143
09/15/2005 23:33:47> Firewall:Winnuke detected,from 165.146.40.136 to 165.146.69.143
09/15/2005 23:33:50> Firewall:Winnuke detected,from 165.146.40.136 to 165.146.69.143
09/16/2005 01:12:12> Firewall:Winnuke detected,from 165.146.250.118 to 165.146.69.143
09/16/2005 01:12:15> Firewall:Winnuke detected,from 165.146.250.118 to 165.146.69.143
09/16/2005 01:34:11> Firewall:Winnuke detected,from 165.146.199.27 to 165.146.69.143
09/16/2005 01:34:14> Firewall:Winnuke detected,from 165.146.199.27 to 165.146.69.143
09/16/2005 02:02:44> Firewall:Winnuke detected,from 165.146.255.164 to 165.146.69.143
09/16/2005 02:02:47> Firewall:Winnuke detected,from 165.146.255.164 to 165.146.69.143
09/16/2005 02:53:33> Firewall:Winnuke detected,from 165.146.63.236 to 165.146.69.143
09/16/2005 02:53:36> Firewall:Winnuke detected,from 165.146.63.236 to 165.146.69.143
09/16/2005 03:45:01> Firewall:Winnuke detected,from 165.146.239.83 to 165.146.69.143
09/16/2005 03:45:04> Firewall:Winnuke detected,from 165.146.239.83 to 165.146.69.143
09/16/2005 03:47:15> Firewall:Winnuke detected,from 165.146.16.83 to 165.146.69.143
09/16/2005 03:47:18> Firewall:Winnuke detected,from 165.146.16.83 to 165.146.69.143
09/16/2005 04:04:17> Firewall:Winnuke detected,from 165.146.239.83 to 165.146.69.143
09/16/2005 04:04:20> Firewall:Winnuke detected,from 165.146.239.83 to 165.146.69.143
09/16/2005 04:38:00> Firewall:Winnuke detected,from 165.146.148.114 to 165.146.69.143
09/16/2005 04:38:03> Firewall:Winnuke detected,from 165.146.148.114 to 165.146.69.143
09/16/2005 05:17:27> Firewall:Winnuke detected,from 165.146.63.236 to 165.146.69.143
09/16/2005 05:17:30> Firewall:Winnuke detected,from 165.146.63.236 to 165.146.69.143
09/16/2005 05:48:00> Firewall:Winnuke detected,from 165.146.63.236 to 165.146.69.143
09/16/2005 05:48:03> Firewall:Winnuke detected,from 165.146.63.236 to 165.146.69.143

These are all from within the SAIX/Axxess subnet. I also get IP spoofing attacks. Quite scary!

Regards
Andy
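
A way to summarise a router log like the one in the first post, as an added example that is not part of the original thread: it collapses entries that repeat a few seconds apart into one event per source and checks the observation that every source shares a network with the target. The 5-second window and the /16 prefix are assumptions; the sample lines are copied from the post.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Lines copied from the router log in the first post.
SAMPLE_LOG = """\
09/15/2005 20:39:20> Firewall:Winnuke detected,from 165.146.119.12 to 165.146.69.143
09/15/2005 20:39:23> Firewall:Winnuke detected,from 165.146.119.12 to 165.146.69.143
09/15/2005 21:02:10> Firewall:Winnuke detected,from 165.146.164.194 to 165.146.69.143
09/15/2005 21:02:13> Firewall:Winnuke detected,from 165.146.164.194 to 165.146.69.143
09/15/2005 22:40:16> Firewall:Winnuke detected,from 165.146.164.194 to 165.146.69.143
09/15/2005 22:40:19> Firewall:Winnuke detected,from 165.146.164.194 to 165.146.69.143
09/15/2005 23:11:11> Firewall:Winnuke detected,from 165.146.215.108 to 165.146.69.143
"""

LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})> Firewall:(.+?) detected,"
    r"from (\S+) to (\S+)$")

def parse(log):
    """Yield (timestamp, rule, src, dst) per well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            yield (datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"),
                   m.group(2), ip_address(m.group(3)), ip_address(m.group(4)))
        except ValueError:  # bad date or bad IP address
            continue

def summarize(log, window=timedelta(seconds=5), prefix_len=16):
    """Count events per source, treating repeats of one (rule, src, dst)
    inside `window` as a single event, and list sources outside the prefix."""
    last_seen, events, outside = {}, Counter(), set()
    for ts, rule, src, dst in parse(log):
        key = (rule, src, dst)
        if key not in last_seen or ts - last_seen[key] > window:
            events[str(src)] += 1
        last_seen[key] = ts
        # Assumption: "same subnet" means sharing a /16 with the target.
        if src not in ip_network(f"{dst}/{prefix_len}", strict=False):
            outside.add(str(src))
    return events, outside

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run over the sample, the seven log lines reduce to four events from three sources, all inside the target's /16.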
 
Yes, and all these attacks are eating our bandwidth cap as well. I guess we can only dream of Telkom actually phoning a couple of these people and telling them that their machines have been compromised.
 
How do you see that from your firewall?
My modem has a built-in firewall (Billion 5102).
I am assuming I should also activate Windows Firewall?
Or what?
Thanks
J
 
Hi Justinct,

On the Marconi ADSL Router, it is a configuration in the router where you set up the firewall. I then look at the log daily to see how it is performing.

When it came to setting up my firewall, I used the attack site http://www.grc.com to test my setup.

Not much help, but my limited knowledge.

Regards
Andy
 
My D-Link has a built-in firewall for those things... and I use the win firewall too for some more security.
 
I have a static IP on IS ADSL, my firewall gets hammered with attacks... anything from MS 445 to WinNuke and more... and most of the traffic is local and some Int.
 
Oh yeah, I must use a firewall? Geez, thanks man, cuz everyone besides you is obviously too thick to do that extremely obvious piece of advice.

Yeah, and those WinNuke attacks are nasty, oh wait, scratch that, they were nasty... in 1998 when they actually did something.
 
I prefer to leave my Broadband connection open to everyone on the internet.
I enjoy becoming a zombie for a bot net.

</me adds SARCASM>
 
slimothy said:
Oh yeah, I must use a firewall? Geez, thanks man, cuz everyone besides you is obviously too thick to do that extremely obvious piece of advice.

Yeah, and those WinNuke attacks are nasty, oh wait, scratch that, they were nasty... in 1998 when they actually did something.

Lol I was about to say the same, but you stole my comments :/
 
Those are the oldest. If I look at my logs it is malformed packets, fragmented packets, port scans, 445 broadcast, login attempts and lots more... I get about 50+ login attempts in 24 hours. Then there are the ICMP requests and other crap.

The biggest problem now is not the ports that are open but what is going through them. Is port 80 really carrying HTTP traffic or is it some new super worm or trojan?
 
Thanks for the advice, zs6cey, and welcome to the forums.

Many people on these forums are not as wise as Slimothy and Clipse and the like, so your advice to those will be well taken. Slimothy, what do you actually gain with your comments?
 
James said:
Thanks for the advice, zs6cey, and welcome to the forums.

Many people on these forums are not as wise as Slimothy and Clipse and the like, so your advice to those will be well taken. Slimothy, what do you actually gain with your comments?
+1 to the post count.
 
So slimothy:

I take it that you are running Checkpoint VPN-1 NGX / Cisco PIX or a Netscreen box to keep your little world clean??? Because in the real world you need something more than just a freeware app to keep the nasties out.
 
Why do you have to say it in such a nasty way, Slimothy? As previously mentioned, there are plenty of newbies on this thread who aren't aware of the facts about TCP/IP attacks and firewalls and such. Your comments could have been helpful to them as well, if you didn't make them feel like complete morons for reading the thread in the process.

And anyway, ALL attacks do something - they chew bandwidth! We have usage caps, in case you've forgotten. Of course, a firewall isn't going to stop THAT, but it bears mentioning...

Be a bit more patient. You can make a lot of enemies by being arrogant and condescending. Besides, the WinNuke stuff was just an example. The original poster obviously knows there are other, far more serious attacks to worry about. WinNuke may be the least of those, but it does illustrate a point.
 
Oh, they chew bandwidth, that is true, I agree totally, but you might want to realise that we are talking bytes of bandwidth, not kilobytes. For instance, if you were port scanned 24/7 for a month and the scan used was a SYN scan, you would use... approx (just calculating in my head real quick) about 2MB of data.

In fact, the only sort of attack you would get that would be significant enough on your bandwidth usage to notice would be a DoS/DDoS attack, and basically your firewall can't stop that. It can stop it reaching applications, it can stop it flowing freely past your PC/router, but that doesn't matter because it would still use all your bandwidth; even if you blocked all traffic it would eat it up.

As for the enemies thing... come on, you're words on the internet to me, I really couldn't give a toss if I piss any idiots off today on the internet. Come on, this guy comes here saying I must use a firewall for WinNuke attacks, give me a break.
 
slimothy said:
Come on, this muppet comes here saying I must use a firewall for WinNuke attacks, give me a break.
What makes you think he spoke to you :D If the hat fits then ......
 
bla bla bla -
slimothy said:
I really couldn't give a toss if I piss any idiots off today on the internet.
bla bla bla - I still sit here all day trying to flame up a thread with my sarcasm and unhelpful comment just so I can show all of you what an empty life I have.
bla bla bla

Why don't you say something constructive or shut your pie-hole. Newbies are going to stop posting on this site if some idiots shoot them down every time they say something wrong.
 
Well, I'd love the newbies to go somewhere else.

OK, so I'm abrasive, but what about the point someone else made about how it doesn't matter which ports you close but what matters is which ones are open and what's going through them?

WinNuke won't work, so the firewall isn't helpful there, and at the same time this guy probably has ports open that aren't being logged and he probably doesn't have an IDS, so basically all he sees being blocked are lame ancient attacks and he could be hit by a zombie bot on any of his open ports.
 