Guest AndyHancock Posted April 20, 2008

A few newly installed applications required a modification of firewall rules, which prompted me to clean up the convolution of rules that I've amassed over the years. Afterward, I started to get regular outbound UDP connections from "SYSTEM" to 192.168.1.255, ports 137-138.

Much web searching ensued. It could be bad (http://www.linklogger.com/UDP137.htm) or just IP/name resolutions (http://www.iss.net/security_center/advice/Exploits/Ports/137/default.htm and others). This is a very simple home network, consisting of a DSL modem/router, and zero to two laptops connected via LAN cable to WiFi (either Windows 2000 or Windows XP).

One page visited was http://support.microsoft.com/default.aspx?...kb;en-us;832017. It looks like it was meant for non-home IT folk, possibly with a degree in the area. For the schmoe home user, what is the advisability of allowing such accesses to addresses within the home network? A bit of rummaging turns up RFC 1918, which says what such address ranges are. In my case, it seems to be the 16-bit block at 192.168.xxx.yyy. Laptops on this "network" are likely to be installed with standard security applications (firewall, AV, Spybot Search&Destroy).

Aside from the advisability of the access rule, why would such accesses be attempted to 192.168.1.255? There is nothing there.

Guest Mr. Arnold Posted April 20, 2008

"AndyHancock" <AndyMHancock@gmail.com> wrote in message news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...

> Aside from the advisability of the access rule, why would such accesses
> be attempted to 192.168.1.255? There is nothing there.

The operative word here is wireless. I'll assume that the other machines are using an IP in the 192.168.1.xxx range. I'll assume you're using the DHCP server on the router to issue DHCP IP(s) to the computers on the network, which are being kept in the DHCP table on the router so that you can see them.

The wireless side of your network could be hacked, the hacker could be using a static IP of 192.168.1.255, your DHCP server is not issuing IP(s) out that far so none of your machines are going to use that IP out that far. Static IP(s) are not kept in the router's DHCP table, so you can't see them in use.

So, there can be a machine that is using that IP wirelessly by a wireless hacker.

It's a possibility.

Guest Sebastian G. Posted April 20, 2008

AndyHancock wrote:

> Laptops on this "network" are likely to be installed with standard
> security applications (firewall, AV, Spybot Search&Destroy).

So they're likely to be compromised.

Guest Steve Riley [MSFT] Posted April 21, 2008

192.168.1.255 is the broadcast address for the subnet 192.168.1.0/24 (192.168.1.xxx) -- in this case, your home network. It's highly unlikely that there's an attacker on this address, because TCP/IP doesn't allow a machine to be configured with an IP address the same as a broadcast address. When a computer wants to send broadcast traffic to all other computers in the subnet, it creates traffic with a destination address of that subnet's broadcast address.

So in this case, your computer is simply doing its normal thing in Windows networking, using broadcasts to announce itself and discover other computers nearby. It's nothing to worry about. Your DSL router won't be allowing these to go beyond your home network.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Mr. Arnold" <MR. Arnold@Arnold.com> wrote in message news:lb6dncc7YfGWPZbVnZ2dnUVZ_t-nnZ2d@earthlink.com...

> "AndyHancock" <AndyMHancock@gmail.com> wrote in message
> news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...
>
>> Aside from the advisability of the access rule, why would such accesses
>> be attempted to 192.168.1.255? There is nothing there.
>
> The operative word here is wireless. I'll assume that the other
> machines are using an IP in the 192.168.1.xxx range. I'll assume you're
> using the DHCP server on the router to issue DHCP IP(s) to the computers
> on the network, which are being kept in the DHCP table on the router so
> that you can see them.
>
> The wireless side of your network could be hacked, the hacker could be
> using a static IP of 192.168.1.255, your DHCP server is not issuing IP(s)
> out that far so none of your machines are going to use that IP out that
> far. Static IP(s) are not kept in the router's DHCP table, so you
> can't see them in use.
>
> So, there can be a machine that is using that IP wirelessly by a wireless
> hacker.
>
> It's a possibility.

Guest AndyHancock Posted April 21, 2008

On Apr 20, 3:56 pm, "Mr. Arnold" <MR. Arn...@Arnold.com> wrote:

> "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
> news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...
>
> > Aside from the advisability of the access rule, why would such accesses
> > be attempted to 192.168.1.255? There is nothing there.
>
> The operative word here is wireless. I'll assume that the other machines
> are using an IP in the 192.168.1.xxx range. I'll assume you're using the
> DHCP server on the router to issue DHCP IP(s) to the computers on the
> network, which are being kept in the DHCP table on the router so that you
> can see them.
>
> The wireless side of your network could be hacked, the hacker could be using
> a static IP of 192.168.1.255, your DHCP server is not issuing IP(s) out that
> far so none of your machines are going to use that IP out that far. Static
> IP(s) are not kept in the router's DHCP table, so you can't see them in
> use.
>
> So, there can be a machine that is using that IP wirelessly by a wireless
> hacker.
>
> It's a possibility.

I agree that the possibility is always present. However, the WiFi does use WEP, and the wireless interface is turned off most of the time. As well, the DSL side is disconnected when not in use. Finally, the modem shows all devices connected to it, and only the two known laptops show up.

Guest AndyHancock Posted April 21, 2008

On Apr 20, 10:34 pm, "Steve Riley [MSFT]" <steve.ri...@microsoft.com> wrote:

> 192.168.1.255 is the broadcast address for the subnet 192.168.1.0/24
> (192.168.1.xxx) -- in this case, your home network. It's highly unlikely
> that there's an attacker on this address, because TCP/IP doesn't allow a
> machine to be configured with an IP address the same as a broadcast address.
> When a computer wants to send broadcast traffic to all other computers in
> the subnet, it creates traffic with a destination address of that subnet's
> broadcast address.
>
> So in this case, your computer is simply doing its normal thing in Windows
> networking, using broadcasts to announce itself and discover other computers
> nearby. It's nothing to worry about. Your DSL router won't be allowing these
> to go beyond your home network.

Thank you, Steve. I've allowed UDP's to/from 192.168.1.0/24, ports 137-138.

> steve.ri...@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
> "Mr. Arnold" <MR. Arn...@Arnold.com> wrote in message
> news:lb6dncc7YfGWPZbVnZ2dnUVZ_t-nnZ2d@earthlink.com...
>
> > "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
> > news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...
>
> >> Aside from the advisability of the access rule, why would such accesses
> >> be attempted to 192.168.1.255? There is nothing there.
>
> > The operative word here is wireless. I'll assume that the other
> > machines are using an IP in the 192.168.1.xxx range. I'll assume you're
> > using the DHCP server on the router to issue DHCP IP(s) to the computers
> > on the network, which are being kept in the DHCP table on the router so
> > that you can see them.
>
> > The wireless side of your network could be hacked, the hacker could be
> > using a static IP of 192.168.1.255, your DHCP server is not issuing IP(s)
> > out that far so none of your machines are going to use that IP out that
> > far. Static IP(s) are not kept in the router's DHCP table, so you
> > can't see them in use.
>
> > So, there can be a machine that is using that IP wirelessly by a wireless
> > hacker.
>
> > It's a possibility.
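
Added example, not part of the original thread and not any poster's code: a small triage of firewall log lines against the 192.168.1.0/24 subnet and UDP ports 137-138 discussed above, separating LAN broadcasts from NetBIOS traffic that crosses the subnet boundary. The log format, the sample entries and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumptions taken from the thread: the home LAN is 192.168.1.0/24 and the
# rule of interest covers UDP ports 137-138 (NetBIOS name/datagram services).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
NETBIOS_UDP_PORTS = {137, 138}

# Constructed sample log (proto, source, destination, destination port);
# the format and every entry are made up for this example.
SAMPLE_LOG = """\
UDP 192.168.1.10 192.168.1.255 137
UDP 192.168.1.10 192.168.1.255 138
UDP 192.168.1.11 192.168.1.10 137
UDP 192.168.1.10 203.0.113.7 137
TCP 192.168.1.10 192.168.1.255 137
UDP 192.168.1.10 192.168.1.255 1900
"""


def is_assignable_host(addr, net=HOME_NET):
    """True if addr is a usable host address in net (not network/broadcast)."""
    addr = ipaddress.ip_address(addr)
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def classify(line, net=HOME_NET):
    """Label one log line relative to the subnet and the NetBIOS UDP ports."""
    proto, src, dst, dport = line.split()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto != "UDP" or int(dport) not in NETBIOS_UDP_PORTS:
        return "not-netbios-udp"
    if src not in net or dst not in net:
        return "review"              # NetBIOS traffic crossing the LAN boundary
    if dst == net.broadcast_address:
        return "lan-broadcast"       # announcement/discovery to the whole subnet
    return "lan-unicast"             # host-to-host inside the subnet


def triage(log=SAMPLE_LOG):
    """Classify every non-empty line of a log in order."""
    return [classify(line) for line in log.splitlines() if line.strip()]


if __name__ == "__main__":
    print("broadcast address:", HOME_NET.broadcast_address)
    for line, verdict in zip(SAMPLE_LOG.splitlines(), triage()):
        print(f"{verdict:16} {line}")
```

Entries labelled `review` are the ones an allow rule scoped to 192.168.1.0/24 would not cover, since NetBIOS traffic has no reason to leave the home subnet.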