Hi fellas, I hope you can help me with the following problem. I think Zone Alarm Pro (or Win2k) behaves in a strange way under a scan attempt from an IP address which can't be reverse-resolved. I'm running NAT/ICS over PPPoE/ADSL using Windows 2000 on the ICS server and the clients.

It turns out that when an NBNS/NBSTAT scan attempt or a TCP/IP SYN packet comes in (and DNS can't reverse-resolve it), the computer tries to respond and do a NetBIOS query, although, looking at the ZA logs, ZA claims it has blocked the incoming query (I have ZoneAlarm Pro). I am attaching here the ZoneAlarm log and a snort/Ethereal log. The interesting packets are 1) -->, 2) <--, 3) --> and 4) <-- (incoming/outgoing pairs). 2) & 4) shouldn't have happened, unless ZoneAlarm is trying to resolve the attacking host name using NetBIOS after DNS failed to do it. But then, if this theory is right, ZA shouldn't block it from going out (in the same way it doesn't block reverse DNS queries; see the attached Ethereal dump).
Thanking in advance,
Jack

ZoneAlarm Pro, Ethereal log excerpts:

Note: my Internet Address is (obtained by DHCP through PPPoE): my.net.182.84
My DNS server (my ISP's DNS) is: isp.dns.106.46

ZoneAlarm log excerpt:

       FWIN,2002/12/04,17:37:44 +2:00 GMT,212.179.194.99:4787,my.net.182.84:445,TCP (flags:S)
       FWIN,2002/12/04,17:40:48 +2:00 GMT,80.56.132.234:1546,my.net.182.84:2592,TCP (flags:S)
       FWIN,2002/12/04,17:43:00 +2:00 GMT,80.56.132.234:2165,my.net.182.84:2592,TCP (flags:S)
       FWIN,2002/12/04,17:46:42 +2:00 GMT,80.56.132.234:3077,my.net.182.84:2592,TCP (flags:S)
1) --> FWIN,2002/12/04,17:47:48 +2:00 GMT,12.106.207.130:1025,my.net.182.84:137,UDP
2) <-- FWOUT,2002/12/04,17:47:48 +2:00 GMT,my.net.182.84:1025,12.106.207.130:137,UDP
3) --> FWIN,2002/12/04,17:48:34 +2:00 GMT,195.244.38.252:2146,my.net.182.84:1433,TCP (flags:S)
4) <-- FWOUT,2002/12/04,17:48:34 +2:00 GMT,my.net.182.84:1025,195.244.38.252:137,UDP
       FWIN,2002/12/04,17:48:34 +2:00 GMT,195.244.38.252:2146,my.net.182.84:1433,TCP (flags:S)
       FWIN,2002/12/04,17:50:30 +2:00 GMT,80.56.132.234:3941,my.net.182.84:2592,TCP (flags:S)
       FWIN,2002/12/04,17:57:48 +2:00 GMT,212.179.222.24:3682,my.net.182.84:445,TCP (flags:S)
       FWIN,2002/12/04,17:58:04 +2:00 GMT,80.56.132.234:1876,my.net.182.84:2592,TCP (flags:S)
       FWIN,2002/12/04,18:03:16 +2:00 GMT,200.170.151.242:10024,my.net.182.84:137,UDP
       FWIN,2002/12/04,18:03:18 +2:00 GMT,206.48.252.243:1030,my.net.182.84:137,UDP

Consequences of 1) and 2) in the snort/Ethereal capture log:

1) -->
Frame 234 (128 bytes on wire, 128 bytes captured)
    Arrival Time: Dec 4, 2002 17:47:48.762915000
Ethernet II, Src: 00:90:d0:0e:94:67, Dst: 00:10:5a:46:e9:15
    Destination: 00:10:5a:46:e9:15 (3COM_46:e9:15)
    Source: 00:90:d0:0e:94:67 (ALCATEL_0e:94:67)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 10.0.0.138 (10.0.0.138), Dst Addr: 10.0.0.1 (10.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 114
    Identification: 0x913b
    Time to live: 64
    Protocol: GRE (0x2f)
    Source: 10.0.0.138 (10.0.0.138)
    Destination: 10.0.0.1 (10.0.0.1)
Generic Routing Encapsulation (PPP)
    Flags and version: 0x3001
    Payload length: 82
    Call ID: 32768
    Sequence number: 1300
    Protocol: IP (0x0021)
Internet Protocol, Src Addr: 12.106.207.130 (12.106.207.130), Dst Addr: my.net.182.84
    Version: 4
    Header length: 20 bytes
User Datagram Protocol, Src Port: 1025 (1025), Dst Port: netbios-ns (137)
    Length: 58
NetBIOS Name Service
    Transaction ID: 0x0100
    *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>: type NBSTAT, class inet
        Name: *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> (Workstation/Redirector)

Frame 235 (127 bytes on wire, 127 bytes captured)
    Arrival Time: Dec 4, 2002 17:47:48.785067000
Ethernet II
    Destination: 00:90:d0:0e:94:67 (ALCATEL_0e:94:67)
    Source: 00:10:5a:46:e9:15 (3COM_46:e9:15)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 10.0.0.1 (10.0.0.1), Dst Addr: 10.0.0.138 (10.0.0.138)
    Version: 4
    Header length: 20 bytes
    Total Length: 113
    Time to live: 128
    Protocol: GRE (0x2f)
    Source: 10.0.0.1 (10.0.0.1)
    Destination: 10.0.0.138 (10.0.0.138)
Generic Routing Encapsulation (PPP)
    Payload length: 77
    Protocol: IP (0x0021)
Internet Protocol, Src Addr: my.net.182.84, Dst Addr: isp.dns.106.46
    Version: 4
    Header length: 20 bytes
    Time to live: 128
    Protocol: UDP (0x11)
    Source: my.net.182.84
    Destination: isp.dns.106.46
User Datagram Protocol, Src Port: 4474 (4474), Dst Port: domain (53)
    Length: 53
Domain Name System (query)
    Transaction ID: 0x033a
    130.207.106.12.in-addr.arpa: type PTR, class inet

Frame 236 (230 bytes on wire, 230 bytes captured)
    Arrival Time: Dec 4, 2002 17:47:48.845598000
    Destination: 00:10:5a:46:e9:15 (3COM_46:e9:15)
    Source: 00:90:d0:0e:94:67 (ALCATEL_0e:94:67)
Internet Protocol, Src Addr: 10.0.0.138 (10.0.0.138), Dst Addr: 10.0.0.1 (10.0.0.1)
    Version: 4
    Header length: 20 bytes
    Total Length: 216
    Identification: 0x913c
    Time to live: 64
    Protocol: GRE (0x2f)
    Source: 10.0.0.138
    Destination: 10.0.0.1
Generic Routing Encapsulation (PPP)
    Protocol Type: PPP (0x880b)
    Payload length: 180
    Call ID: 32768
    Protocol: IP (0x0021)
Internet Protocol, Src Addr: isp.dns.106.46, Dst Addr: my.net.182.84
    Version: 4
    Header length: 20 bytes
    Total Length: 176
    Identification: 0x0be7
    Time to live: 249
    Protocol: UDP (0x11)
    Source: isp.dns.106.46
    Destination: my.net.182.84
User Datagram Protocol, Src Port: domain (53), Dst Port: 4474 (4474)
    Length: 156
Domain Name System (response)
    Transaction ID: 0x033a
    0011 = Reply code: No such name (3)
    Queries
        130.207.106.12.in-addr.arpa: type PTR, class inet
    Answers
        Class: inet
        Time to live: 1 day, 23 hours, 57 minutes, 46 seconds
        Data length: 13
        Primary name: 130.128/25.207.106.12.in-addr.arpa
    Authoritative nameservers
        128/25.207.106.12.in-addr.arpa: type SOA, class inet, mname cbru.br.ns.els-gms.att.net
            Type: Start of zone of authority
            Class: inet
            Time to live: 2 hours, 57 minutes, 46 seconds
            Data length: 66
            Primary name server: cbru.br.ns.els-gms.att.net
            Responsible authority's mailbox: hostmaster.mail.att.net
            Serial number: 1
            Refresh interval: 23 hours, 3 minutes, 20 seconds
            Retry interval: 2 hours, 46 minutes, 40 seconds
            Expiration limit: 6 days, 22 hours, 40 minutes
            Minimum TTL: 1 day

Consequences of 3) and 4) in the snort/Ethereal capture log:

3) -->
Frame 269 (98 bytes on wire, 98 bytes captured)
    Arrival Time: Dec 4, 2002 17:48:35.850847000
    Destination: 00:10:5a:46:e9:15 (3COM_46:e9:15)
    Source: 00:90:d0:0e:94:67 (ALCATEL_0e:94:67)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 10.0.0.138, Dst Addr: 10.0.0.1
    Version: 4
    Header length: 20 bytes
    Total Length: 84
    Identification: 0x9157
    Flags: 0x00
    Time to live: 64
    Protocol: GRE (0x2f)
    Source: 10.0.0.138
    Destination: 10.0.0.1
Generic Routing Encapsulation (PPP)
    Flags and version: 0x3001
    Protocol Type: PPP (0x880b)
    Payload length: 52
    Call ID: 32768
    Sequence number: 1304
    Protocol: IP (0x0021)
Internet Protocol, Src Addr: 195.244.38.252, Dst Addr: my.net.182.84
    Version: 4
    Header length: 20 bytes
    Total Length: 48
    Identification: 0x4589
    Flags: 0x04
    Time to live: 114
    Protocol: TCP (0x06)
    Source: 195.244.38.252
    Destination: my.net.182.84
Transmission Control Protocol, Src Port: 2146 (2146), Dst Port: ms-sql-s (1433), Seq: 2379778499, Ack:
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
    Window size: 64240
    Maximum segment size: 1460 bytes
    NOP
    NOP
    SACK permitted

Frame 270 (127 bytes on wire, 127 bytes captured)
    Arrival Time: Dec 4, 2002 17:48:35.888012000
Ethernet II, Dest: 00:90:d0:0e:94:67 (ALCATEL_0e:94:67), Source: 00:10:5a:46:e9:15 (3COM_46:e9:15)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 10.0.0.1, Dst Addr: 10.0.0.138
    Version: 4
    Header length: 20 bytes
    Total Length: 113
    Identification: 0xbde3
    Flags: 0x00
    Time to live: 128
    Protocol: GRE (0x2f)
Generic Routing Encapsulation (PPP)
    Flags and version: 0x3081
    Protocol Type: PPP (0x880b)
    Payload length: 77
    Call ID: 0
    Sequence number: 958
    Ack number: 1304
    Protocol: IP (0x0021)
Internet Protocol, Src Addr: my.net.182.84, Dst Addr: isp.dns.106.46
    Version: 4
    Header length: 20 bytes
    Total Length: 73
    Identification: 0xbde2
    Flags: 0x00
    Protocol: UDP (0x11)
User Datagram Protocol, Src Port: 4477 (4477), Dst Port: domain (53)
    Length: 53
Domain Name System (query)
    Transaction ID: 0x033d
    Flags: 0x0100 (Standard query)
    Queries
        252.38.244.195.in-addr.arpa: type PTR, class inet

Frame 271 (182 bytes on wire, 182 bytes captured)
    Arrival Time: Dec 4, 2002 17:48:35.952346000
Ethernet II, Dst: 00:10:5a:46:e9:15 (3COM_46:e9:15), Src: 00:90:d0:0e:94:67 (ALCATEL_0e:94:67)
    Type: IP (0x0800)
Internet Protocol, Src: 10.0.0.138, Dst: 10.0.0.1
    Version: 4
    Header length: 20 bytes
    Total Length: 168
    Identification: 0x9158
    Flags: 0x00
    Time to live: 64
    Protocol: GRE (0x2f)
    Source: 10.0.0.138
    Destination: 10.0.0.1
Generic Routing Encapsulation (PPP)
    Flags and version: 0x3081
    Type: PPP (0x880b)
    Payload length: 132
    Call ID: 32768
    Sequence number: 1305
    Acknowledgement number: 958
    Protocol: IP (0x0021)
Internet Protocol, Src: isp.dns.106.46, Dst: my.net.182.84
    Version: 4
    Header length: 20 bytes
    Total Length: 128
    Identification: 0x0bea
    Flags: 0x04
    Time to live: 249
    Protocol: UDP (0x11)
User Datagram Protocol, Src Port: domain (53), Dst Port: 4477
    Length: 108
Domain Name System (response)
    Transaction ID: 0x033d
    Flags: 0x8183 (Standard query response, No such name)
    Queries
        252.38.244.195.in-addr.arpa: type PTR, class inet
    Authoritative nameservers
        195.in-addr.arpa: type SOA, class inet, mname ns.ripe.net
            Type: Start of zone of authority
            Time to live: 1 hour, 58 minutes, 53 seconds
            Data length: 43
            Primary name server: ns.ripe.net
            Responsible authority's mailbox: ops-195.ripe.net
            Refresh interval: 12 hours
            Retry interval: 2 hours
            Expiration limit: 14 days
            Minimum TTL: 2 hours

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
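The pattern Jack is pointing at (an inbound probe from a host that DNS cannot reverse-resolve, followed within the same second by a blocked outbound UDP/137 NetBIOS query back to that host) is easy to pull out of a ZoneAlarm log mechanically. The following Python script is an added example, not part of the original post and not ZoneAlarm's own tooling: it parses the FWIN/FWOUT line format shown in the excerpt and pairs each outbound UDP/137 entry with the most recent inbound entry from the same remote host. The sample lines are constructed from the excerpt above, and the five-second pairing window is an assumption (the two pairs in the log are separated by zero seconds).

```python
"""Pair blocked outbound NetBIOS name queries (UDP/137) in a ZoneAlarm log with
the inbound packet from the same remote host that preceded them.

Added example for the post above, not ZoneAlarm code. Log format assumed:
  FWIN|FWOUT,YYYY/MM/DD,HH:MM:SS <tz>,src:port,dst:port,PROTO[ (flags:X)]
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Sample log lines, constructed from the excerpt in the post.
SAMPLE_LOG = """\
FWIN,2002/12/04,17:37:44 +2:00 GMT,212.179.194.99:4787,my.net.182.84:445,TCP (flags:S)
FWIN,2002/12/04,17:46:42 +2:00 GMT,80.56.132.234:3077,my.net.182.84:2592,TCP (flags:S)
FWIN,2002/12/04,17:47:48 +2:00 GMT,12.106.207.130:1025,my.net.182.84:137,UDP
FWOUT,2002/12/04,17:47:48 +2:00 GMT,my.net.182.84:1025,12.106.207.130:137,UDP
FWIN,2002/12/04,17:48:34 +2:00 GMT,195.244.38.252:2146,my.net.182.84:1433,TCP (flags:S)
FWOUT,2002/12/04,17:48:34 +2:00 GMT,my.net.182.84:1025,195.244.38.252:137,UDP
FWIN,2002/12/04,17:48:34 +2:00 GMT,195.244.38.252:2146,my.net.182.84:1433,TCP (flags:S)
FWIN,2002/12/04,18:03:16 +2:00 GMT,200.170.151.242:10024,my.net.182.84:137,UDP
"""


class Event(NamedTuple):
    direction: str      # "FWIN" (blocked inbound) or "FWOUT" (blocked outbound)
    when: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "TCP" or "UDP"
    flags: str          # "S" for a TCP SYN, "" when the line carries no flags


def parse_line(line: str) -> Optional[Event]:
    """Parse one ZoneAlarm log line; return None for anything that is not FWIN/FWOUT."""
    fields = [f.strip() for f in line.strip().split(",")]
    if len(fields) != 6 or fields[0] not in ("FWIN", "FWOUT"):
        return None
    direction, date, time_tz, src, dst, proto = fields
    # The excerpt uses one fixed offset ("+2:00 GMT"), so only the clock time is parsed.
    when = datetime.strptime(f"{date} {time_tz.split(' ')[0]}", "%Y/%m/%d %H:%M:%S")
    src_host, src_port = src.rsplit(":", 1)   # rsplit: the local side is a name, not an IP
    dst_host, dst_port = dst.rsplit(":", 1)
    proto_name, _, rest = proto.partition(" ")
    flags = rest[len("(flags:"):-1] if rest.startswith("(flags:") and rest.endswith(")") else ""
    return Event(direction, when, src_host, int(src_port), dst_host, int(dst_port), proto_name, flags)


def find_nbstat_followups(events: List[Event],
                          window: timedelta = timedelta(seconds=5)) -> List[Tuple[Event, Event]]:
    """Return (inbound, outbound) pairs where an outbound UDP/137 went to a host that
    had just sent us something. Walks the log in order, remembering the last inbound
    entry per remote host, so the pairing respects log order even when timestamps tie."""
    pairs = []
    last_inbound = {}
    for ev in events:
        if ev.direction == "FWIN":
            last_inbound[ev.src] = ev
        elif ev.proto == "UDP" and ev.dport == 137:
            trigger = last_inbound.get(ev.dst)
            if trigger is not None and ev.when - trigger.when <= window:
                pairs.append((trigger, ev))
    return pairs


def summarize_followups(log_text: str,
                        window: timedelta = timedelta(seconds=5)) -> List[Tuple[str, str, int]]:
    """(remote host, protocol of the triggering inbound packet, its destination port)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e is not None]
    return [(out.dst, trig.proto, trig.dport) for trig, out in find_nbstat_followups(events, window)]


if __name__ == "__main__":
    for host, proto, port in summarize_followups(SAMPLE_LOG):
        print(f"outbound UDP/137 to {host} after inbound {proto}/{port} from the same host")
```

The pairing is done on the firewall's own log: FWOUT records that ZoneAlarm reported the outbound packet as blocked, which says nothing about whether a datagram reached the wire. Confirming that, as the post does, needs the packet capture alongside the log.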
This archive was generated by hypermail 2b30 : Sun Dec 08 2002 - 19:37:24 PST