Topic: Dizzy, here is my log file for all the attempted attacks

Offline IAF Lyrkiller

  • Semi retired, but I am still around
  • D.Net Beta Tester
  • Lt. Commander
  • *
  • Posts: 1321
  • Gender: Male
  • JAG & Tech Support
Dizzy, here is my log file for all the attempted attacks
« on: April 23, 2006, 10:55:11 am »
Intrusion Prevention has been enabled.
Intrusion Prevention Signature File Version: 4/10/2006 Rev. 80. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention is monitoring 568 signatures.
Intrusion Prevention is monitoring 568 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention Signature File Version: 4/10/2006 Rev. 80. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention Signature File Version: 4/10/2006 Rev. 80. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 568 signatures.
Intrusion Prevention Signature File Version: 4/10/2006 Rev. 80. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 568 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 568 signatures.
Intrusion Prevention Signature File Version: 4/10/2006 Rev. 80. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention Signature File Version: 4/10/2006 Rev. 80. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 568 signatures.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion: Invalid UDP Destination Port.
Intruder: CAYNE-23A42D352(192.168.1.100).
Risk Level: Medium.
Source IP address: CAYNE-23A42D352(192.168.1.100).
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: CAYNE-23A42D352(192.168.1.100).
Risk Level: Medium.
Source IP address: CAYNE-23A42D352(192.168.1.100).
Destination IP address: 85.140.156.190.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 84.24.81.179.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion Prevention has been enabled.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention is monitoring 578 signatures.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 84.30.194.140.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 80.100.34.178.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention Signature File Version: 3/17/2006 Rev. 75. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 581 signatures.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 84.30.194.140.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: CAYNE-23A42D352(192.168.1.100).
Risk Level: Medium.
Source IP address: CAYNE-23A42D352(192.168.1.100).
Destination IP address: 84.104.126.72.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 67.127.100.67.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 67.127.100.67.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 67.127.100.67.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 67.127.100.67.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 67.127.100.67.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 83.129.3.91.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion Prevention Signature File Version: 3/17/2006 Rev. 75. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 581 signatures.
Intrusion Prevention Signature File Version: 3/17/2006 Rev. 75. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 581 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention Signature File Version: 3/17/2006 Rev. 75. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention is monitoring 581 signatures.
Intrusion Prevention Signature File Version: 9/1/2005 Rev. 36. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 496 signatures.
Intrusion Prevention is monitoring 496 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 496 signatures.
Intrusion Prevention Signature File Version: 9/1/2005 Rev. 36. Intrusion Prevention Engine Version: 2.0.0.50707.


interpret as you wish, but I am not dropping my last line of defense against intruders. :)




KAT-Lyrkiller
Semi-retired
Captain of the MSC Maus
MEMBER OF KLAW
SILENCE.....I keel you!!!

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
« Reply #1 on: April 23, 2006, 11:54:04 am »
Allow me some time to go through this list and explain to you how none of those entries represent any real threat. In fact it is possible that blocking some of these may hamper your network functionality.

I assume you have made exceptions for your ISP's gateway, DHCP and DNS servers?

Offline Dizzy

  • Captain
  • *
  • Posts: 6179
« Reply #2 on: April 23, 2006, 12:00:26 pm »
That was me testing your system to see if you actually had a FW... j/k.  ;D

Let's see what Bonk comes up with 1st. Personally, I've not had an issue with port security while playing with my pants down on OP since 2001. You ought to try going naked for once. It's so liberating...

Offline Bonk
« Reply #3 on: April 23, 2006, 12:08:47 pm »
I think people are misunderstanding what we are asking for. We are not asking you to go without a firewall at all times, only while playing on the dynaverse.

Also before commenting further please read this post in full if you have not already:
http://www.dynaverse.net/forum/index.php/topic,163366481.msg1122703163.html#msg1122703163

Further, some of my comments posted elsewhere:

Quote
It occurs to me that most who run a firewall also have a system tray clogged up with tons of unnecessary crap that is probably auto-updating left and right. If your system tray does not look like the attached image - before disabling the windows XP firewall (see below), then think real hard about why it doesn't and what the implications are. (hint: start...run...taskmgr...processes [Show processes from all users]...view...select columns - CPU Usage, CPU Time, Memory Usage, Peak Memory Usage, User Name, Virtual Memory Size, Handle Count, Thread Count)

If you want to see what is happening on your network connections try a "netstat /?" at the command prompt, then use it with the explained parameters, no firewall needed, and you can inspect all connections for legitimacy...)

I have an alternate solution to the firewall issue that might be a more positive approach:

What if we kept a "safelist" where players can sign up saying they are willing to disable all firewalls and background crap while playing, and if using NAT they know how to.

edit: addendum to the proposed "safe drafting list" - if you are drafted by a player who has not signed up on the safelist you are free to alt out and proceed on your merry way unpenalised. And let me be clear that this is a suggestion, not an absolute decree.

You have to understand that we are not asking people to do their porn and warez browsing unprotected (pure insanity), but if your OS (and router firmware) are up-to date and you have not enabled filesharing over the internet you are perfectly safe to play SFC with no firewall running. Perfectly safe. Just be sure to turn it back on before you go porn browsing.

Most if not all of the hits that you see on a software firewall would still have no effect if the firewall was not running and you are running a secure configuration on an up-to-date OS.

Want to secure your machine? Get rid of: MSN, ICQ, Kazaa, any BitTorrent client that is not the original, Morpheus, Limewire, DC++, Quicktime, Flash, Norton AV... you will find all of a sudden that your PC is more secure than ever (insert obligatory MacOS fanboy comment here  Roll Eyes)

The main point is that playing SFC does not draw negative attention like so many other activities on the web, if your OS is up to date and configured securely, you have nothing to worry about.


Quote
A little off topic perhaps... but if people insist on browsing malicious porn sites, they should at least use a spider set to download only image files from the desired url n links deep...

http://www.tenmax.com/teleport/pro/home.htm

More porn than any normal person should want, without exposing yourself (no pun intended) to a single line of malicious html, javascript, java or activex code.

Requires some caution though, as such spidering ventures can easily land in illegal or thoroughly disgusting territory quickly and deeply.


I have been running without a firewall for the last six years on the dynaverse, I have not been hacked once...

OK, my next posts will address your log entries Lyrkiller...

Offline Bonk
« Reply #5 on: April 23, 2006, 12:23:04 pm »
For the purposes of this analysis I will assume you are running a completely up-to-date Windows XP install.

First entry in Lyrkiller's firewall log:

Quote
Intrusion: Invalid UDP Destination Port.
Intruder: CAYNE-23A42D352(192.168.1.100).
Risk Level: Medium.
Source IP address: CAYNE-23A42D352(192.168.1.100).
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.

First thing to notice is that the source is YOU!
Second thing to notice is that UDP port 0 is reserved and no known services use it.

RIPE whois results:
Quote
inetnum:         83.129.0.0 - 83.129.127.255
netname:         TISCALI-ADSL
descr:           Tiscali  - Online Services
country:         DE
admin-c:         TRR1-RIPE
tech-c:          TRR1-RIPE
remarks:         Concerning abuse and spam mailto: team@abuse.tiscali.de
status:          ASSIGNED PA "status:" definitions
mnt-by:          TISCALI-NET
source:          RIPE # Filtered

role:            TISCALI RIPE REGISTRY
address:         Tiscali Business GmbH
address:         Robert-Bosch-Str. 32
address:         D-63303 Dreieich
address:         Germany

OK the destination is somewhat suspicious, since the source is YOU, what kind of spyware or P2P apps are you running on your machine? What does your processlist look like?

Though perhaps this is one of your games being denied a ping to a game server in Germany, give me a bit to identify the source and destination ports.

I notice your firewall log is missing the critical information of what time and date the item was blocked... What firewall is this that you are running?

More to come... stay with me...

Offline Bonk
« Reply #6 on: April 23, 2006, 12:42:55 pm »
Observation: you are on a dynamic IP address provided by Earthlink which appears to change frequently, which is a measure of security in itself. (the forums only have one post on record from your last IP address...)

Some information on UDP port 0:

Quote
Port 0 is officially a reserved port in TCP/IP networking, meaning that it should not be used for any TCP or UDP network communications.

However, port 0 sometimes takes on a special meaning in network programming, particularly Unix socket programming. In this environment, port 0 is a programming technique for specifying system-allocated (dynamic) ports.

Instead of "hard-coding" a particular port number, or writing code that searches for an open port, Unix programmers simply specify port 0 as a connection parameter. That triggers the operating system to automatically search for and return the next available port in the dynamic port number range.

This programming technique does not work the same way in Microsoft Windows as it does in Unix.

http://compnetworking.about.com/od/tcpip/l/blports_0.htm

Quote
Test ID:   10074
Category:   Denial of Service
Title:   Firewall/1 UDP port 0 DoS
Summary:   Crashes the remote host by sending a UDP packet going to port 0
Description:   It was possible to
crash either the remote host or the firewall
in between us and the remote host by sending
an UDP packet going to port 0.

This flaw may allow an attacker to shut down
your network.

Solution : contact your firewall vendor if
it was the firewall which crashed, or filter
incoming UDP traffic if the remote host crashed.

Risk factor : High
Cross-Ref:   BugTraq ID: 576
Common Vulnerability Exposure (CVE) ID: CVE-1999-0675
Bugtraq: 19990809 FW1 UDP Port 0 DoS (Google Search)
XForce ISS Database: checkpoint-port
Copyright   This script is Copyright (C) 1999 Renaud Deraison

http://www.securityspace.com/smysecure/catid.html?id=10074


Were you actively trying something funny on this German machine? It is possible there is a worm on your machine... though I still suspect a game looking for the next open port on a *nix game server...
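An added example, not from the thread or from any of the posters, of the port 0 behaviour the quote above describes: binding a socket to port 0 makes the OS hand out an ephemeral port, so a host never really sends *from* port 0, while a datagram addressed *to* port 0 is exactly what the IPS is flagging. The sendto() outcome is host dependent (Linux refuses it with EINVAL), so that function only reports what the local stack did rather than assuming a result.

```python
"""Added example (not part of the forum thread): what UDP port 0 means.

bind_ephemeral() shows the Unix socket-programming use of port 0 quoted
above (ask the OS for a dynamic port); try_send_to_port_zero() shows how
the local stack treats port 0 as a destination; is_valid_udp_port() is the
rule the IPS log applies ("UDP Destination Port: 0. Invalid.").
"""
import errno
import socket


def bind_ephemeral() -> int:
    """Bind a UDP socket to port 0 and return the port the OS actually chose."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", 0))          # port 0 here means "pick one for me"
        return s.getsockname()[1]       # never 0: a real dynamic-range port


def try_send_to_port_zero() -> str:
    """Send one datagram to 127.0.0.1:0 and report how this host reacted.

    Linux rejects a zero destination port with EINVAL; other stacks may
    differ, so the outcome is returned as text ('EINVAL', 'sent', ...).
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(b"probe", ("127.0.0.1", 0))
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    return "sent"


def is_valid_udp_port(port: int, role: str) -> bool:
    """Port 0 is acceptable only as a local bind request ('bind');
    as a 'source' or 'destination' on the wire it is reserved/invalid."""
    if not 0 <= port <= 65535:
        return False
    if port == 0:
        return role == "bind"
    return True


if __name__ == "__main__":
    print("OS-assigned port:", bind_ephemeral())
    print("sendto port 0:", try_send_to_port_zero())
    print("dst port 0 valid?", is_valid_udp_port(0, "destination"))
```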

Offline Bonk
« Reply #7 on: April 23, 2006, 12:47:17 pm »
It looks like all your entries are from UDP port 61069 to UDP port 0... Interesting... Wonder what the heck that is.

What does a "netstat -a" tell you when these items are being blocked.... (oh wait, probably not much, as the connections are blocked, but it will still tell us what applications are listening, connected and sending...which might give us the necessary clue...)

Offline Strat

  • Retired
  • EAW Update Crew
  • Lt. Commander
  • *
  • Posts: 1368
« Reply #8 on: April 23, 2006, 12:59:37 pm »
It is also worth mentioning that the firewall does protect you from attacks on unknown weaknesses of the OS.  This is what SPI accomplishes.

Prime example was the MS Blaster virus.  I did contract work for part of a School District's network just before it came out.  Part of what I did was properly set up and configure the XP firewall on a few hundred machines.

Good for the name of my business, ALL the school computers were infected **EXCEPT** for the machines I configured for their upgrade.  The school's systems Dept had the FW disabled.  :o  Mine were crystal clean and operating properly.

It does help, but for certain programs not written with the FW in mind, it may have adverse effects.  This is mainly because of the way it works, the principle of least privilege, and how it scans the data sent and received by the interface.

I used to use Norton Internet Security too; it actually helped me to locate and inform my ISP of several clients' computers on their network infected by viruses attempting to spread locally by IP.  Apparently (not a big ISP, mind you), they had no idea, and contacted the people that were infected.

It's basically a necessary evil.

I should also mention that with an upgraded OS and by not visiting certain web-sites, you can GREATLY reduce the likelihood of being hacked.  Only by random scan or a person specifically looking for you, or if you already have a virus, are you likely to have a problem.

Offline Bonk
« Reply #9 on: April 23, 2006, 01:10:47 pm »
How come I have never gotten a worm or virus in the last six years I have been playing on the dynaverse without a firewall? (no its not luck...)

It is extremely unlikely that in the course of playing a session on the Dynaverse from an up-to-date copy of Windows that a new security exploit for Windows will be discovered and your machine will be directly targeted.

Did you play SFC before software firewalls were commonplace?

Offline Strat
« Reply #10 on: April 23, 2006, 01:16:35 pm »
I've never had one either, and 90% of the time my FW is disabled. (Except for now as I'm beta testing a new product)

I've never had a virus either.  But not everyone is as tech savvy as we are.

I know a lot of people get viruses in their email (again, from work experience), and don't know it for months or even years!

Many people have no idea what 'Windows updates' are, or virus definitions, or that email can carry them, or even that an email attachment could be an virus.

It's not a matter of being technologically prepared, it's a matter of ID10T-error-proofing a PC.

Offline IAF Lyrkiller
« Reply #11 on: April 23, 2006, 03:45:48 pm »
Ok Bonk, right now I am at work. I am going to run my system w/o the router for several days and see what attacks I come across.

Offline Bonk
« Reply #12 on: April 23, 2006, 05:56:36 pm »
Quote
Ok Bonk, right now I am at work. I am going to run my system w/o the router for several days and see what attacks I come across.

A router is fine as long as it and your lan are configured properly.

Also, I am not suggesting running with no firewall all the time, only while playing on the dynaverse.

But go ahead and try it for a few days if you want though, I think you'll be surprised at the lack of successful attacks. (though, please do not hold me responsible if there is a successful attack, I do not know what you are running on your machine)

edit: before doing so, try and figure out what you're running that is hitting udp port 0 on remote machines from your udp port 61069... use a "netstat -a" at the command prompt and examine all connections carefully. (and use "netstat -a -b" to list the applications involved... use a "netstat /?" to see all the parameters that can be used with netstat and their explanation...)

If you have no P2P or instant messaging apps, do not browse for warez, porn or mp3s, and keep your OS updated and configured securely, and do not use IE, I can virtually guarantee there will be very few attacks and no successful ones.
« Last Edit: April 23, 2006, 06:19:12 pm by Bonk »
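An added example, not part of Bonk's post, of the "netstat -a" step he suggests above, done over captured output so the mapping from the local UDP port in the log (61069) to a process is explicit. Both text samples are constructed to look like `netstat -ano` and `tasklist /FO CSV` output on Windows XP; the PIDs and the process name ExampleGame.exe are hypothetical placeholders, not anything from Lyrkiller's machine. `netstat -b` prints the image name directly; `-o` plus `tasklist` is used here because the two outputs are easier to parse separately.

```python
"""Added example (not from the forum thread): which process owns a local port?

NETSTAT_SAMPLE and TASKLIST_SAMPLE are constructed text in the shape of
`netstat -ano` and `tasklist /FO CSV` output; every PID and image name in
them is a hypothetical placeholder.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1028
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    172.16.1.10:1352       66.18.200.221:80       ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
  UDP    172.16.1.10:61069      *:*                                    1840
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","1028","Console","0","4,812 K"
"ExampleGame.exe","1840","Console","0","98,240 K"
"firefox.exe","2044","Console","0","61,004 K"
"""

# One netstat row: proto, local, foreign, optional TCP state, PID.
# UDP rows have no state column, hence the optional group.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'172.16.1.10:61069' -> ('172.16.1.10', 61069); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[dict]:
    """Return one dict per connection/listener row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        host, port = split_endpoint(m["local"])
        rows.append({"proto": m["proto"], "host": host, "port": port,
                     "foreign": m["foreign"], "state": m["state"],
                     "pid": int(m["pid"])})
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def owner_of_port(proto: str, port: int,
                  netstat_text: str, tasklist_text: str) -> Optional[str]:
    """'image.exe (pid N)' for the process bound to proto/port, else None."""
    pids = parse_tasklist(tasklist_text)
    for row in parse_netstat(netstat_text):
        if row["proto"] == proto and row["port"] == port:
            return f"{pids.get(row['pid'], '?')} (pid {row['pid']})"
    return None


if __name__ == "__main__":
    # The port the IPS log shows as the source of every blocked datagram.
    print(owner_of_port("UDP", 61069, NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

On a live box the same two functions would be fed `netstat -ano` and `tasklist /FO CSV` output captured while the blocked events are occurring; a port that maps to no process at all usually means the sender had already exited by the time netstat ran.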

Offline Bonk
« Reply #13 on: April 23, 2006, 11:30:53 pm »
In related news - Firewall Blocks EAW Install!  :o

http://www.dynaverse.net/forum/index.php/topic,163366261.msg1122703730.html#msg1122703730

WTF?  :huh: These firewall authors really need to chill and take a good hard look at their code. Methinks they are a little super-horny. (or really have no clue what they are doing...)   :thumbsdown:

Offline IAF Lyrkiller
« Reply #14 on: April 29, 2006, 05:18:13 pm »
Ok Bonk, you win. ;D

So far I have not had a port attack over the weekend or the times that I did leave my pc on. (bypassed router).

But it does not mean that it can't happen when playing on one of our servers.

and yes I have been attacked. I am going to load OP and try the Forge and see what happens. ;D

Offline Bonk
« Reply #15 on: April 29, 2006, 06:36:21 pm »
Glad to hear it, common sense is the best defense.

For me, one of the most important things is to be able to discern genuine mission bugs from connection/firewall issues. I don't want scripters forever chasing red herrings based on unreliable feedback.

Worms and simple hackers will forever be knocking on your door, but an up to date OS and secure configuration will keep them all out. The average SFC player is a pretty unlikely target for a DoS attack on a secure box.

Offline IAF Lyrkiller
« Reply #16 on: May 04, 2006, 02:02:52 am »
Well, Bonk it happened, while playing on The Forge, I was port attacked.

Here is the log:

Intrusion: MS ASN1 Integer Overflow TCP.
Intruder: 66.18.200.221(2359).
Risk Level: High.
Protocol: TCP.
Attacked IP: CAYNE-23A42D352(172.16.1.10).
Attacked Port: microsoft-ds(445).
Intrusion detected and blocked. All communication with 66.18.200.221 will be blocked for 30 minutes.
Intrusion detected and blocked. All communication with 66.244.71.212 will be blocked for 30 minutes.
Intrusion: MS RPCSS Attack (2).
Intruder: 66.244.71.212(1194).
Risk Level: High.
Protocol: TCP.
Attacked IP: CAYNE-23A42D352(172.16.1.10).
Attacked Port: epmap(135).

Whoever they were, they did not succeed very far. The port attack software is for SP1

I have SP2 ;D
« Last Edit: May 04, 2006, 02:18:04 am by CayneG »
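An added example (not from the thread) of a parser for the Norton Intrusion Prevention log format used in Lyrkiller's first post and in the post above. It groups the flat lines into events and applies Bonk's first check from Reply #5: if the "Intruder" is one of the machine's own private addresses, the event is the host's own outbound traffic, not an attack; a public intruder address means inbound. SAMPLE_LOG is a constructed excerpt in the same format, not the full logs, and the private-address test is an inference from the addresses alone.

```python
"""Added example (not part of the forum thread): parse Norton IPS log lines.

SAMPLE_LOG is a constructed excerpt that follows the line format of the two
logs posted in this thread (UDP 'Invalid Destination Port' records and TCP
'Attacked IP/Port' records); it is not the complete posted log.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion: Invalid UDP Destination Port.
Intruder: CAYNE-23A42D352(192.168.1.100).
Risk Level: Medium.
Source IP address: CAYNE-23A42D352(192.168.1.100).
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 67.127.100.67.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: MS ASN1 Integer Overflow TCP.
Intruder: 66.18.200.221(2359).
Risk Level: High.
Protocol: TCP.
Attacked IP: CAYNE-23A42D352(172.16.1.10).
Attacked Port: microsoft-ds(445).
Intrusion detected and blocked. All communication with 66.18.200.221 will be blocked for 30 minutes.
Intrusion: MS RPCSS Attack (2).
Intruder: 66.244.71.212(1194).
Risk Level: High.
Protocol: TCP.
Attacked IP: CAYNE-23A42D352(172.16.1.10).
Attacked Port: epmap(135).
"""

FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?): (?P<value>.*?)\.?$")
# Accepts 'HOST(ip)', 'ip(port)' and bare 'ip' as the log writes them.
ADDR = re.compile(r"^(?:(?P<name>[^()]+)\()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
                  r"(?:\((?P<port>\d+)\))?\)?$")
PORT = re.compile(r"(\d+)")
KNOWN = {"Intrusion", "Intruder", "Risk Level", "Protocol", "Source IP address",
         "Destination IP address", "UDP Source Port", "UDP Destination Port",
         "Attacked IP", "Attacked Port"}


def parse_addr(text: str) -> Tuple[str, Optional[int]]:
    """'CAYNE-23A42D352(192.168.1.100)' -> ('192.168.1.100', None);
    '66.18.200.221(2359)' -> ('66.18.200.221', 2359)."""
    m = ADDR.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised address: {text!r}")
    return m["ip"], (int(m["port"]) if m["port"] else None)


def port_number(text: str) -> int:
    """'microsoft-ds(445)' -> 445; '0. Invalid' -> 0; '61069' -> 61069."""
    return int(PORT.search(text).group(1))


def parse_events(log: str) -> List[Dict[str, str]]:
    """Group the flat log into one dict of raw fields per 'Intrusion:' block.
    Status lines and the 'blocked for 30 minutes' notice close a block."""
    events, current = [], None
    for line in log.splitlines():
        m = FIELD.match(line.strip())
        if m and m["key"] == "Intrusion":
            current = {"Intrusion": m["value"]}
            events.append(current)
        elif m and m["key"] in KNOWN and current is not None:
            current[m["key"]] = m["value"]
        else:
            current = None
    return events


def normalise(raw: Dict[str, str]) -> Dict[str, object]:
    """Turn raw fields into local/remote endpoints plus a direction verdict."""
    intruder_ip, intruder_port = parse_addr(raw["Intruder"])
    if "Attacked IP" in raw:                      # TCP-style record: we are the target
        local_ip, _ = parse_addr(raw["Attacked IP"])
        local_port = port_number(raw["Attacked Port"])
        remote_ip, remote_port = intruder_ip, intruder_port
    else:                                         # UDP-style record: we are the sender
        local_ip, _ = parse_addr(raw["Source IP address"])
        remote_ip, _ = parse_addr(raw["Destination IP address"])
        local_port = port_number(raw["UDP Source Port"])
        remote_port = port_number(raw["UDP Destination Port"])
    # A private (RFC 1918) 'Intruder' is this LAN, i.e. the host's own traffic.
    self_originated = ipaddress.ip_address(intruder_ip).is_private
    return {"signature": raw["Intrusion"], "risk": raw.get("Risk Level", "?"),
            "direction": "outbound" if self_originated else "inbound",
            "local": (local_ip, local_port), "remote": (remote_ip, remote_port),
            "invalid_port": local_port == 0 or remote_port == 0}


def summarise(log: str) -> Counter:
    """Count events by (direction, signature, remote host, remote port)."""
    out = Counter()
    for raw in parse_events(log):
        ev = normalise(raw)
        out[(ev["direction"], ev["signature"], *ev["remote"])] += 1
    return out


if __name__ == "__main__":
    for key, n in summarise(SAMPLE_LOG).most_common():
        print(n, *key)
```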

Offline Bonk
« Reply #17 on: May 04, 2006, 06:51:46 am »
Quote
Whoever they were, they did not succeed very far. The port attack software is for SP1

I have SP2 ;D

Give me a break man, if the firewall was off absolutely nothing would have happened if the OS is up to date and properly configured. As you have indicated yourself, the attack was targeted at an out of date OS. If the firewall were left off nothing would have happened and your firewall wouldn't be unnecessarily filtering tcp/ip packets in God only knows how horrible and botched a fashion...

Thank you for helping me to make my case that these software firewalls are completely redundant and do more harm than good.

Out of curiosity, what are your DNS, DHCP and gateway servers on the WAN? Also, do you have UPnP enabled on the router/DSL modem/gateway? I find DSL to be a pain because it takes a lot of these factors out of your control. What model DSL modem do you have? Is this firewall part of the modem firmware?
« Last Edit: May 04, 2006, 07:08:47 am by Bonk »

Offline Soreyes

  • Commander
  • *
  • Posts: 3903
  • Gender: Male
  • It's Not News. It's CNN
« Reply #18 on: May 04, 2006, 07:16:29 am »
Quote
Out of curiosity, what are your DNS, DHCP and gateway servers on the WAN? Also, do you have UPnP enabled on the router/DSL modem/gateway? I find DSL to be a pain because it takes a lot of these factors out of your control. What model DSL modem do you have? Is this firewall part of the modem firmware?

There he goes speaking Greek again ;D



Offline Soreyes
« Reply #19 on: May 04, 2006, 07:35:55 am »
On a serious note. While playing on the Forge the other morning, I was teaming up with Deadman and Thrain. We started doing some Planet Assaults. I was doing the Drafting, and a whole bunch of problems started to happen. Players dropping, Host Left messages, or the mission just would not load. It was then with my Kitty brain that I figured out that I was the problem. I had turned off my MS firewall, but had forgotten to turn off my Norton Security, which has its own Firewall.  Turned that off and the problem was solved ;D



Offline IAF Lyrkiller
« Reply #20 on: May 04, 2006, 09:55:27 am »
Quote
Out of curiosity, what are your DNS, DHCP and gateway servers on the WAN? Also, do you have UPnP enabled on the router/DSL modem/gateway? I find DSL to be a pain because it takes a lot of these factors out of your control. What model DSL modem do you have? Is this firewall part of the modem firmware?

Bonk, I bypassed my router. I did leave my AV running at least. As for the modem, it is a ZyXel Prestige 600 series.
The modem does not have a firmware firewall.

Offline Bonk
« Reply #21 on: May 04, 2006, 10:22:35 am »
I can't seem to find a P-600 here:
http://www.zyxel.com/web/support_download_list.php?indexflag=20040906173729
or
http://www.zyxel.com/web/index.php
there are lots of models listed in the product finder drop-down at the left, but no plain old P-600... wanted to download the manual to have a look... ah, I have a P330W_V2.0 manual here... seems I went through that Zyxel broadband router with another user... but it looks like the P-600 family is in their DSL CPE product class.

Oh yes, here it is, it was Jackle:
http://www.dynaverse.net/forum/index.php/topic,163363947.0.html

It appears the P-600 family has a router and firewall built in...
http://www.portforward.com/english/routers/port_forwarding/ZyXEL/Prestige600/

Have you identified your DNS, DHCP and gateway servers yet? (to allow them full access at your software and modem firewall).

I'll assume you have the oldest model P-623... are you connected to it by ethernet or USB? (please say ethernet...)


Offline Bonk
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #22 on: May 04, 2006, 11:13:12 am »
I had a look at the manual for the P623-41_v1-3; it appears it does have a firewall and router/NAT capabilities. These Zyxel products look pretty good. Lots of features...

It is possible that your ISP has configured the Prestige with an admin password you do not have and enabled remote administration... or entirely disabled most of its advanced functions...

P.S. Had your OS been out of date and your firewall off, the AV would not have helped anyway... ;)

Offline IAF Lyrkiller
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #23 on: May 04, 2006, 11:20:38 am »

Offline Bonk
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #24 on: May 04, 2006, 11:26:18 am »
I think you mean:

http://us.zyxel.com/web/search.php

And it doesn't work for me... I'll try IE <sigh> Just as Zyxel was beginning to impress me. ;)

Offline Bonk
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #25 on: May 04, 2006, 11:30:45 am »
Yup their search page works in IE but not Firefox.  ::)

And a search for "Prestige 600" comes up with zero results...  :huh:

Got a direct link to some of the search results you got?
(http://us.zyxel.com/web/search_result.php gives a MySQL result error as nothing is submitted to the script when directly linked; it must be called from their search form.)

Offline Bonk
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #26 on: May 04, 2006, 11:32:45 am »
Does the modem have a sticker or id plate on the bottom or back that indicates the exact model and version?

Offline IAF Lyrkiller
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #27 on: May 04, 2006, 11:42:34 am »
My bad Bonk, the actual model is the 645-M. ;D

It has a slew of info for you. :)


Offline Bonk
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #28 on: May 04, 2006, 11:57:55 am »
My bad Bonk, the actual model is the 645-M. ;D

It has a slew of info for you. :)

Cool, I'll check it out. Overall, I'm pretty impressed with the Zyxel products, never used one myself, but they seem to have lots of features and comprehensive manuals.

edit: would that be the P-645-M-11 or the P-645-M-A1?

Offline Bonk
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #29 on: May 04, 2006, 12:36:53 pm »
Seems there is no manual for the 11 but there is for the A1:
http://us.zyxel.com/web/download/200409098564552005011710400020040811211941_20030512_3.40-P645M-A1_v3.40_UsersGuide.pdf

No USB on this one (thank God). No web interface but telnet administration... interesting.

Seems this one is not a router, just the modem (ADSL bridge), but it does have packet filtering with up to 72 rules. I wonder if the ISP has you locked out?

Offline IAF Lyrkiller
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #30 on: May 04, 2006, 05:17:25 pm »
Bonk, I have come across a very serious issue.

Disabling UPnP caused some really strange things. Will not try that again.

Had to reset the router just to get back on.


Offline Bonk
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #31 on: May 04, 2006, 07:06:11 pm »
That is very strange. I always found it best to disable UPnP, there's just something about automatic port forwarding that is not under my direct control that strikes me as very, very wrong and potentially insecure.

Besides, from what I can tell the P645M-A1 ADSL bridge does not have any UPnP functionality anyway? Are you sure it's the P645M-A1? Are you configuring it by telnet or with your web browser?

Offline IAF Lyrkiller
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #32 on: May 04, 2006, 07:40:52 pm »
Correction: enabling UPnP causes problems. And no, I am not able to configure the modem either way.

Oh well... ;D


Offline Bonk
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #33 on: May 04, 2006, 07:46:14 pm »
Ah, that makes more sense, you're talking about your router... yeah, UPnP is bad news in general.
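Bonk's objection to UPnP in the two posts above is that port forwarding happens "not under my direct control". As an added example (not from the thread and not any router vendor's code), the script below shows concretely why: a UPnP Internet Gateway Device answers SSDP discovery on the LAN and then takes SOAP calls on its WANIPConnection control URL, and none of those calls carries a credential, so any process on any LAN host can add a mapping or enumerate the ones already there. The functions build the discovery and SOAP messages and parse the replies; SAMPLE_SSDP_REPLY and SAMPLE_MAPPING_REPLY are constructed for the example, as is the 172.16.1.1 gateway address in them. Only discover() touches the network.

```python
"""Added example: what a UPnP IGD accepts from any LAN host, and how to
audit the port mappings it already holds."""
import socket
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_msearch(st=IGD_ST, mx=2):
    """SSDP M-SEARCH datagram, sent unauthenticated to the multicast group."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {st}", "", ""]
    return "\r\n".join(lines).encode()


def parse_ssdp_response(raw):
    """SSDP reply -> dict of lower-cased headers (LOCATION is the device URL)."""
    status, _, rest = raw.decode(errors="replace").partition("\r\n")
    headers = {"_status": status}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def discover(timeout=2.0):
    """Send one M-SEARCH and collect replies (needs a LAN; not used by the test)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    replies = []
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            replies.append(parse_ssdp_response(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


def build_soap(action, args, service=WANIP_SERVICE):
    """HTTP headers and body for a WANIPConnection call. There is no
    credential anywhere in it; SOAPAction is the only 'authorisation'."""
    arg_xml = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{action} xmlns:u="{service}">{arg_xml}</u:{action}>'
            "</s:Body></s:Envelope>")
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{service}#{action}"'}
    return headers, body


def add_mapping_request(ext_port, proto, internal_client, internal_port, desc, lease=0):
    """The call any LAN process can make to expose a host to the WAN."""
    return build_soap("AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto,
        "NewInternalPort": internal_port, "NewInternalClient": internal_client,
        "NewEnabled": 1, "NewPortMappingDescription": desc, "NewLeaseDuration": lease})


def parse_mapping_response(xml_text):
    """GetGenericPortMappingEntryResponse -> dict of its New* fields.
    Enumerate by POSTing build_soap("GetGenericPortMappingEntry",
    {"NewPortMappingIndex": i}) for i = 0, 1, ... until the router errors."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.endswith("GetGenericPortMappingEntryResponse"):
            return {child.tag: (child.text or "") for child in elem}
    raise ValueError("reply is not a GetGenericPortMappingEntryResponse")


def audit_mapping(mapping, my_addr):
    """Reasons to question a mapping found on the router."""
    reasons = []
    if mapping.get("NewRemoteHost", "") == "":
        reasons.append("reachable from any remote host")
    if mapping.get("NewLeaseDuration") == "0":
        reasons.append("permanent lease")
    if mapping.get("NewInternalClient") != my_addr:
        reasons.append(f"forwards to another host ({mapping.get('NewInternalClient')})")
    return reasons


# Constructed replies in the shapes a UPnP IGD router returns.
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                     b"LOCATION: http://172.16.1.1:1900/igd.xml\r\n"
                     b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")
SAMPLE_MAPPING_REPLY = (
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    f'<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SERVICE}">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort>"
    "<NewProtocol>TCP</NewProtocol><NewInternalPort>3389</NewInternalPort>"
    "<NewInternalClient>172.16.1.10</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>rdp</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>"
    "</s:Body></s:Envelope>")

if __name__ == "__main__":
    print("device URL:", parse_ssdp_response(SAMPLE_SSDP_REPLY)["location"])
    m = parse_mapping_response(SAMPLE_MAPPING_REPLY)
    print(f"{m['NewProtocol']} {m['NewExternalPort']} -> {m['NewInternalClient']}:"
          f"{m['NewInternalPort']} ({m['NewPortMappingDescription']}):",
          "; ".join(audit_mapping(m, "172.16.1.20")))
```

The audit function is the useful part once UPnP is on: walk the mapping table and treat any entry with a permanent lease, or pointing at a host other than the one you expect, as something to delete (DeletePortMapping takes the same unauthenticated form) and investigate. If the router offers no way to disable UPnP, as reported above, the packet filter on the ADSL bridge in front of it is the place to close the forwarded ports.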