Thursday, September 8, 2011

Bypassing Firewalls

Although firewalls are marketed as complete protection against port-scan probes and the like, several popular firewall products have contained holes just waiting to be exploited. This section focuses on a hole in ZoneAlarm, versions 2.0.26 through 2.1.10, that allows an attacker to port-scan the protected system. Specifically, if a TCP or UDP probe arrives with source port 67 (the DHCP/BOOTP server port), ZoneAlarm lets the packet through and does not notify you. An attacker who sets the source port of every probe to 67 can therefore TCP- or UDP-port-scan a ZoneAlarm-protected computer as if there were no firewall at all.

For example, in the case of a UDP scan, an attacker can use nmap to port-scan the host with the following command line (notice -g67, which sets the source port of every probe to 67; -P0 skips the ping sweep and is spelled -Pn in current nmap releases; -sU selects a UDP scan):

nmap -g67 -P0 -p130-140 -sU 192.168.128.88

Likewise, for a TCP scan, an attacker can use nmap to port-scan the host with the following command line (again, notice -g67 specifying the source port; -sS selects a SYN scan). Both scans craft raw packets, so nmap has to run with root privileges:

nmap -g67 -P0 -p130-140 -sS 192.168.128.88

After you have installed a firewall on your system, you may get a number of warnings seemingly indicating that someone is trying to break into your system. In most cases, however, these are bogus messages caused either by your OS or by the process of allocating dynamic IP addresses. For example, when you dial in to your ISP, you may receive a message that a certain IP address is probing a particular port on your system. This is because someone disconnected from your ISP just before you dialed in and you were assigned that person's IP address; what you are seeing are the remains of remote hosts' communication with the previous user. This is most common when the person to whom the IP address was previously assigned was using ICQ or a chat program, was connected to a game server, or had simply turned off his modem before his communication with remote servers was complete. Another common message is that a certain IP address is trying to initiate a NetBIOS session on a particular port on your system (in fact, NetBIOS name requests to UDP port 137 are among the most common items you'll see in your firewall reject logs). This stems from a feature in Windows: when a program resolves an IP address to a name, it may send a NetBIOS name query to that IP address. This process is just part of the background radiation of the Internet and is nothing to be concerned about.
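The following Python script is an added example and is not part of the original post. It models the rule the post describes (pass anything whose source port is 67) next to a tighter DHCP-only rule, and runs a small triage over constructed inbound packets that mirror the two nmap commands above, a genuine DHCP offer, and a NetBIOS name query of the kind the warnings discussion mentions. The attacker address 10.0.0.5, the DHCP server 192.168.128.1, the NetBIOS host 192.168.128.23, the scan threshold and all function names are assumptions of the example, not anything from the post or from ZoneAlarm.

```python
from collections import defaultdict
from dataclasses import dataclass

DHCP_SERVER_PORT = 67   # BOOTP/DHCP server side
DHCP_CLIENT_PORT = 68   # BOOTP/DHCP client side
NETBIOS_NS_PORT = 137   # NetBIOS name service


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    sport: int      # source port
    dst: str        # destination IP address
    dport: int      # destination port
    syn: bool = False  # TCP SYN flag set (TCP only)


def zonealarm_style_allows(pkt: Packet) -> bool:
    """The flawed rule the post describes: any inbound packet whose source
    port is 67 is passed without notification, whatever the protocol or
    destination port. This is what -g67 abuses."""
    return pkt.sport == DHCP_SERVER_PORT


def strict_allows(pkt: Packet, awaiting_dhcp: bool) -> bool:
    """Hardened rule (an assumption of this example, not ZoneAlarm's fix):
    only a UDP datagram from port 67 to port 68 is accepted, and only while
    this host has a DHCP request outstanding. A TCP SYN or a UDP probe to
    port 130 from source port 67 is dropped like any other unsolicited packet."""
    return (
        pkt.proto == "udp"
        and pkt.sport == DHCP_SERVER_PORT
        and pkt.dport == DHCP_CLIENT_PORT
        and awaiting_dhcp
    )


def triage(packets, scan_threshold: int = 5) -> dict:
    """Group inbound packets by source host and give each source a verdict:
    a source-port-67 scan (many distinct non-DHCP destination ports reached
    from source port 67), NetBIOS name-query background noise, or other."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)
    verdicts = {}
    for src, pkts in by_src.items():
        dports_from_67 = {
            p.dport for p in pkts
            if p.sport == DHCP_SERVER_PORT and p.dport != DHCP_CLIENT_PORT
        }
        if len(dports_from_67) >= scan_threshold:
            verdicts[src] = "source-port-67 scan"
        elif all(p.proto == "udp" and p.dport == NETBIOS_NS_PORT for p in pkts):
            verdicts[src] = "netbios name query (background noise)"
        else:
            verdicts[src] = "other"
    return verdicts


def build_sample() -> list:
    """Constructed traffic (not a real capture) against the post's target
    192.168.128.88: the UDP and SYN probes that the two nmap commands with
    -g67 -p130-140 would send, one legitimate DHCP offer, and one NetBIOS
    name query."""
    attacker, target = "10.0.0.5", "192.168.128.88"
    pkts = []
    for port in range(130, 141):
        pkts.append(Packet("udp", attacker, 67, target, port))
        pkts.append(Packet("tcp", attacker, 67, target, port, syn=True))
    pkts.append(Packet("udp", "192.168.128.1", 67, target, 68))    # real DHCP offer
    pkts.append(Packet("udp", "192.168.128.23", 137, target, 137))  # NetBIOS query
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    passed_weak = [p for p in sample if zonealarm_style_allows(p)]
    passed_strict = [p for p in sample if strict_allows(p, awaiting_dhcp=True)]
    print(f"weak rule passes {len(passed_weak)} of {len(sample)} packets")
    print(f"strict rule passes {len(passed_strict)} of {len(sample)} packets")
    for src, verdict in triage(sample).items():
        print(f"{src}: {verdict}")
```

The weak rule passes every one of the 22 scan probes along with the DHCP offer, which is exactly the "as if there were no firewall" result the post describes; the strict rule passes only the DHCP offer, and only while a request is outstanding. The triage step separates the port-67 scan from the NetBIOS queries that the post classes as background noise, so that a reject log full of UDP/137 entries is not mistaken for an attack while a burst of port-67-sourced probes is.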



(By Dushyant Pandya)




