Topic: Dizzy, here is my log file for all the attempted attacks


Offline IAF Lyrkiller

  • Semi retired, but I am still around
  • D.Net Beta Tester
  • Lt. Commander
  • *
  • Posts: 1321
  • Gender: Male
  • JAG & Tech Support
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #20 on: May 04, 2006, 09:55:27 am »
Well, Bonk, it happened, while playing on The Forge, I was port attacked.

Here is the log:

Intrusion: MS ASN1 Integer Overflow TCP.
Intruder: 66.18.200.221(2359).
Risk Level: High.
Protocol: TCP.
Attacked IP: CAYNE-23A42D352(172.16.1.10).
Attacked Port: microsoft-ds(445).
Intrusion detected and blocked. All communication with 66.18.200.221 will be blocked for 30 minutes.
Intrusion detected and blocked. All communication with 66.244.71.212 will be blocked for 30 minutes.
Intrusion: MS RPCSS Attack (2).
Intruder: 66.244.71.212(1194).
Risk Level: High.
Protocol: TCP.
Attacked IP: CAYNE-23A42D352(172.16.1.10).
Attacked Port: epmap(135).

Whoever they were, they did not succeed very far. The port attack sw is for SP1

I have SP2 ;D

Give me a break man, if the firewall was off absolutely nothing would have happened if the OS is up to date and properly configured. As you have indicated yourself, the attack was targeted at an out of date OS. If the firewall were left off nothing would have happened and your firewall wouldn't be unnecessarily filtering tcp/ip packets in God only knows how horrible and botched a fashion...

Thank you for helping me to make my case that these software firewalls are completely redundant and do more harm than good.

Out of curiosity, what are your DNS, DHCP and gateway servers on the WAN? Also, do you have UPnP enabled on the router/DSL modem/gateway? I find DSL to be a pain because it takes a lot of these factors out of your control. What model DSL modem do you have? Is this firewall part of the modem firmware?

Bonk, I bypassed my router. I did leave my AV running at least. As for the mdm, it is a ZyXel Prestige 600 series.
The mdm does not have a firmware firewall.




KAT-Lyrkiller
Semi-retired
Captain of the MSC Maus
MEMBER OF KLAW
SILENCE.....I keel you!!!
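The alert log quoted in the post above has a fixed "Key: value." layout, which makes it straightforward to turn into records you can count per intruder, per targeted port or per signature before deciding whether a rule is noise. The parser below is an added example, not from the post or from the firewall vendor; it assumes only the layout shown (a sample constructed from the same two alerts is embedded) and handles the one wrinkle visible in the log: the block notice for the second intruder arrives before that intruder's record.

```python
import re
# Constructed sample: the two alerts quoted above, in the firewall's own
# one-"Key: value."-per-line layout, block notices interleaved as they were.
SAMPLE_LOG = """\
Intrusion: MS ASN1 Integer Overflow TCP.
Intruder: 66.18.200.221(2359).
Risk Level: High.
Protocol: TCP.
Attacked IP: CAYNE-23A42D352(172.16.1.10).
Attacked Port: microsoft-ds(445).
Intrusion detected and blocked. All communication with 66.18.200.221 will be blocked for 30 minutes.
Intrusion detected and blocked. All communication with 66.244.71.212 will be blocked for 30 minutes.
Intrusion: MS RPCSS Attack (2).
Intruder: 66.244.71.212(1194).
Risk Level: High.
Protocol: TCP.
Attacked IP: CAYNE-23A42D352(172.16.1.10).
Attacked Port: epmap(135).
"""

BLOCK_RE = re.compile(r"All communication with (\S+) will be blocked for (\d+) minutes")
ADDR_RE = re.compile(r"(.*)\(([^)]*)\)")      # "name(value)" fields
# Record keys for the two halves of each name(value) field.
ADDR_FIELDS = {"Intruder": ("src_ip", "src_port"), "Attacked IP": ("dst_host", "dst_ip"),
               "Attacked Port": ("service", "dst_port")}

def parse_alerts(text):
    """One dict per 'Intrusion:' record. Block notices are collected by IP
    rather than attached to the current record, because the firewall can emit
    them before the record they belong to (the 66.244.71.212 notice does)."""
    records, blocks, cur = [], {}, None
    for line in text.splitlines():
        if m := BLOCK_RE.search(line):
            blocks[m.group(1)] = int(m.group(2))
            continue
        key, sep, val = line.strip().rstrip(".").partition(": ")
        if key == "Intrusion":
            cur = {"signature": val}
            records.append(cur)
        elif cur is None or not sep:
            continue                      # blank line, or a field before any header
        elif key in ADDR_FIELDS and (m := ADDR_RE.fullmatch(val)):
            k_name, k_inner = ADDR_FIELDS[key]
            cur[k_name] = m.group(1)
            cur[k_inner] = int(m.group(2)) if m.group(2).isdigit() else m.group(2)
        else:
            cur[key.lower().replace(" ", "_")] = val   # risk_level, protocol
    return [dict(r, blocked_minutes=blocks.get(r.get("src_ip"))) for r in records]
```

Both records come back with `blocked_minutes == 30` even though the second block notice is logged before its record, which a parser that attaches notices to "the current record" would get wrong.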

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #21 on: May 04, 2006, 10:22:35 am »
I can't seem to find a P-600 here:
http://www.zyxel.com/web/support_download_list.php?indexflag=20040906173729
or
http://www.zyxel.com/web/index.php
there are lots of models listed in the product finder drop-down at the left, but no plain old P-600... wanted to download the manual to have a look... ah I have a P330W_V2.0 manual here... seems I went through that Zyxel broadband router with another user... but it looks like the P-600 family is in their DSL CPE product class

Oh yes, here it is, it was Jackle:
http://www.dynaverse.net/forum/index.php/topic,163363947.0.html

It appears the P-600 family has a router and firewall built in...
http://www.portforward.com/english/routers/port_forwarding/ZyXEL/Prestige600/

Have you identified your DNS, DHCP and gateway servers yet? (to allow them full access at your software and modem firewall).

I'll assume you have the oldest model P-623... are you connected to it by ethernet or USB? (please say ethernet...)


Offline Bonk
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #22 on: May 04, 2006, 11:13:12 am »
I had a look at the manual for the P623-41_v1-3; it appears it does have a firewall and router/NAT capabilities. These Zyxel products look pretty good. Lots of features...

It is possible that your ISP has configured the Prestige with an admin password you do not have and enabled remote administration... or entirely disabled most of its advanced functions...

P.S. Had your OS been out of date and your firewall off, the AV would not have helped anyway... ;)

Offline IAF Lyrkiller
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #23 on: May 04, 2006, 11:20:38 am »





Offline Bonk
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #24 on: May 04, 2006, 11:26:18 am »
I think you mean:

http://us.zyxel.com/web/search.php

And it doesn't work for me... I'll try IE <sigh> Just as Zyxel was beginning to impress me. ;)

Offline Bonk
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #25 on: May 04, 2006, 11:30:45 am »
Yup, their search page works in IE but not Firefox.  ::)

And a search for "Prestige 600" comes up with zero results...  :huh:

Got a direct link to some of the search results you got?
(http://us.zyxel.com/web/search_result.php gives a mysql result error as nothing is submitted to the script when directly linked, it must be called from their search form)

Offline Bonk
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #26 on: May 04, 2006, 11:32:45 am »
Does the modem have a sticker or id plate on the bottom or back that indicates the exact model and version?

Offline IAF Lyrkiller
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #27 on: May 04, 2006, 11:42:34 am »
My bad Bonk, the actual model is the 645-M. ;D

It has a slew of info for you. :)





Offline Bonk
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #28 on: May 04, 2006, 11:57:55 am »
My bad Bonk, the actual model is the 645-M. ;D

It has a slew of info for you. :)

Cool, I'll check it out. Overall, I'm pretty impressed with the Zyxel products, never used one myself, but they seem to have lots of features and comprehensive manuals.

edit: would that be the P-645-M-11 or the P-645-M-A1?

Offline Bonk
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #29 on: May 04, 2006, 12:36:53 pm »
Seems there is no manual for the 11 but there is for the A1:
http://us.zyxel.com/web/download/200409098564552005011710400020040811211941_20030512_3.40-P645M-A1_v3.40_UsersGuide.pdf

No USB on this one (thank God). No web interface but telnet administration... interesting.

Seems this one is not a router, just the modem (ADSL bridge), but it does have packet filtering with up to 72 rules. I wonder if the ISP has you locked out?




Offline IAF Lyrkiller
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #30 on: May 04, 2006, 05:17:25 pm »
Bonk, I have come across a very serious issue.

Disabling UPnP caused some really strange things. Will not try that again.

Had to reset the router just to get back on.





Offline Bonk
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #31 on: May 04, 2006, 07:06:11 pm »
That is very strange. I always found it best to disable UPnP, there's just something about automatic port forwarding that is not under my direct control that strikes me as very, very wrong and potentially insecure.

Besides, from what I can tell the P645M-A1 ADSL bridge does not have any UPnP functionality anyway? Are you sure it's the P645M-A1? Are you configuring it by telnet or with your web browser?

Offline IAF Lyrkiller
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #32 on: May 04, 2006, 07:40:52 pm »
Correction: enabling UPnP causes problems. And no, I am not able to configure the mdm either way.

Oh well... ;D





Offline Bonk
Re: Dizzy, here is my log file for all the attempted attacks
« Reply #33 on: May 04, 2006, 07:46:14 pm »
Ah, that makes more sense, you're talking about your router... yeah, UPnP is bad news in general.