From: "Moe Trin" <ibuprofin@painkiller.example.tld>
|
| Depending on the capabilities of your firewall (recognizing incoming
| packets in those ranges as being replies to something your systems sent
| out - versus unsolicited packets inbound) blocking those ports is quite
| reasonable. On my home firewall, I've been dropping incoming unrelated
| UDP to those ports for several years now. It's just ordinary messenger
| spam such as:
|
| STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
|
| Windows has found 55 Critical System Errors.
|
| To fix the errors please do the following:
|
| 1. Download Registry Update from:
|    www.some.spammers.website
| 2. Install Registry Update
| 3. Run Registry Update
| 4. Reboot your computer
|
| FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!
|
| That one was captured on the firewall a couple of weeks ago when I was
| running a packet sniffer. Source address was bogus. Oh, and I know it's
| not real because I don't have any microsoft boxes, and the spammer's
| web site isn't microsoft.com - not that they give a hoot if your systems
| are 0wn3d.
|
| At work, we port shift any outgoing packets out of the 1025-1050 range
| (nearly all are DNS queries outbound) and drop any inbound to that range
| as they can't be valid replies to anything we've sent out. Last I bothered
| to measure, it was averaging a half Megabyte per day per IP address, so
| for a /16 network, that saves about a Gigabyte of bandwidth every _month_.
|
| Using a packet sniffer to capture this crap, it's usually pretty obvious
| based on IP and UDP headers that the source is fake, and this most often
| seems to be coming from zombie windoze boxes on your ISP's local range.
| You _could_ bitch to your ISP about it, but the O/P is posting from
| Comcast which probably isn't going to know how to spell 'IP' much less
| know about port numbers and protocols.
|
| Old guy
Thanx Moe Trin and Happy New Year.
Hopefully this "Old guy" will grace us with his presence more often in 2007. :-)
--
Dave
http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm
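
The distinction made in the quoted post, between inbound UDP that answers something sent out and unsolicited inbound UDP to the 1025-1050 range, sketched as an added example that is not part of either post. The packet records, the 30-second timeout and the documentation addresses are all constructed assumptions.

```python
from collections import namedtuple

# Constructed packet record: time (s), direction, source and destination ip/port.
Pkt = namedtuple("Pkt", "ts direction src sport dst dport")

WATCHED = range(1025, 1051)   # port range named in the post
UDP_TIMEOUT = 30              # assumed idle timeout for a UDP "flow", in seconds


def classify(packets, timeout=UDP_TIMEOUT):
    """Return (packet, verdict) for each inbound UDP packet to a WATCHED port.

    verdict is "reply" when a matching outbound packet was seen within
    `timeout` seconds, otherwise "unsolicited" (the case the post drops).
    """
    state = {}   # (local ip, local port, remote ip, remote port) -> last seen ts
    verdicts = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.direction == "out":
            state[(p.src, p.sport, p.dst, p.dport)] = p.ts
            continue
        if p.dport not in WATCHED:
            continue
        key = (p.dst, p.dport, p.src, p.sport)
        last = state.get(key)
        if last is not None and p.ts - last <= timeout:
            state[key] = p.ts            # a valid reply refreshes the flow
            verdicts.append((p, "reply"))
        else:
            state.pop(key, None)         # expired or never existed
            verdicts.append((p, "unsolicited"))
    return verdicts


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE = [
    Pkt(0.0, "out", "192.0.2.10", 1030, "198.51.100.53", 53),   # DNS query
    Pkt(0.1, "in", "198.51.100.53", 53, "192.0.2.10", 1030),    # its answer
    Pkt(5.0, "in", "203.0.113.7", 4000, "192.0.2.10", 1026),    # no prior outbound
    Pkt(6.0, "in", "203.0.113.7", 53, "192.0.2.10", 1030),      # wrong remote host
    Pkt(90.0, "in", "198.51.100.53", 53, "192.0.2.10", 1030),   # flow timed out
]

if __name__ == "__main__":
    for pkt, verdict in classify(SAMPLE):
        print(f"{pkt.ts:6.1f} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {verdict}")
```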