Jump to content

ICMP Flood Attacks????

LinkinForcer
 Share

Recommended Posts

LinkinForcer

LinkinForcer 1

Posted
Posted

Hello,

So today I shut down my computer and upon turning it back on and logging in I was met with a message from ESET Smart Security Premium about a detected ICMP Flood Attack. I looked at my logs and I actually have 4 different times an ICMP Flood Attack was blocked starting on 1/5/17 at about 9:45 PM then 10:56 PM then on 1/6/17 at 10:11 PM and then on 1/7/17 at 12:01 AM. The only one I was notified about was the most recent one.

Is this a false positive?

How serious is this?

All attacks came from my router and were targeting my computer according to ESET.

I just have no idea what could be causing this. No device on my router is unknown to me. Just confused as to why the logs are actually saying my router is trying to attack my computer.

Link to comment
Share on other sites
itman

itman 1,538

Posted
Posted

Normally, your router should be configured to block external ICMP echo requests. You can test if that is functional by going to this web site: https://www.grc.com/shieldsup then click on the "Proceed" tab in the displayed web page. Then select the "Common Ports" scan. When it completes, note the results of the "Echo Ping" test. It should state that you passed. If you didn't pass, then your router is not properly configured to prevent ICMP Flood attacks. The router is your first line of defense against ICMP Flood attacks.

If you passed the Echo Ping test, then a number of other scenarios might be occurring. An external DDoS attack might be occurring against your router and it is overwhelming the capability of the router to block such traffic. You should examine your router's log file to determine if this is the case. If an external DDoS ICMP Flood attack is occurring, you need to create a router firewall rule, assuming your router has a configurable firewall, to block all inbound traffic for the IP addresses that are the source of the DDoS attack.

If an external DDoS attack is not the case, then it is possible that your router is "misbehaving." It is normal for some routers to issue an ICMP echo request to establish connectivity with a target device. If there is a problem with this request being acknowledged by the targeted device, it could be the router is stuck in a loop where it is repeatedly sending ICMP echo request transactions and Eset's IPS protection is interpreting this activity as an ICMP Flood attack. 

Link to comment
Share on other sites
LinkinForcer

LinkinForcer 1

Posted
  • Author
Posted

Ok thank you very much for this information.

 

i am wanting to lean more towards the fact that the router is acting up. I have AT&T U-verse and we have been experiencing problems on the internet and TV side where I've had to reset my router more than once. 

The main IP address keeps changing as well. We bounce between to normal 192.168 address to the default 169.254 address. I'm thinking the router is failing.

I'll check it out more when I get home.

im going to call AT&T and have them replace the router anyway due to the problems. Hopefully that will fix everything.

 

Link to comment
Share on other sites
itman

itman 1,538

Posted
Posted

It so happens I also have AT&T Uverse. My Pace 3801 HGV Gateway's firewall does indeed block incoming external ICMP echo ping requests.

3 hours ago, LinkinForcer said:

The main IP address keeps changing as well. We bounce between to normal 192.168 address to the default 169.254 address. I'm thinking the router is failing.

If your PC is falling back to APIPA addresses, it means it is having a problem establishing a DHCP connection w/AT&T servers. Are you running Eset's firewall w/default settings i.e. Automatic with Windows incoming firewall rules also included? When I was running Eset's firewall in Interactive mode, I was having issues on occasion with DHCP. However, frequent APIPA address fallback can also be due to router issues. 

Link to comment
Share on other sites
LinkinForcer

LinkinForcer 1

Posted
  • Author
Posted (edited)

Well I actually just got off the phone with AT&T and they did a reset on the router and a software update and also sending out a tech to "more than likely" replace my router.

With the router being reset by them as well as a software update I'd feel safe to say that everything is in default settings.

As for before the call. As far as I know everything was in default settings. I had just done a full reset on the router about a week ago because of connectivity issues we were having with our TV and internet.

Also I haven't touched the settings for Eset since installed or Windows since I got the computer a week ago so they are all in default settings as well.

Edited by LinkinForcer
Link to comment
Share on other sites
TomFace

TomFace 539

Posted
Posted (edited)

Thanks for the link itman. I too have U-verse so I have been following this thread. Just did the common port test and it came back a perfect "TruStealth" rating. Keep us posted LinkinForcer.

Edited by TomFace
Link to comment
Share on other sites
itman

itman 1,538

Posted
Posted

Eset firewall has a default firewall rule that blocks inbound ICMP echo request. However for ICMPv6, it allows all inbound requests to the Trusted Zone. I never worried about that one since I have Windows firewall configured to use the Public profile. As such, no network devices are trusted.

Link to comment
Share on other sites
itman

itman 1,538

Posted
Posted
23 minutes ago, TomFace said:

Thanks for the link itman. I too have U-verse so I have been following this thread. Just did the common port test and it came back a perfect "TruStealth" rating. Keep us posted LinkinForcer.

That's interesting .......... On my Pace gateway, port 443 is open on the WAN side since it is used by desktop TV boxes. I love how AT&T chose port 443 to do so. Port 443 is locked down on the LAN side of the gateway but still something I don't especially like.

Do you also have U-Verse TV?

Link to comment
Share on other sites
LinkinForcer

LinkinForcer 1

Posted
  • Author
Posted

See I ran a scan of the router last night in ESET and port 443 triggered a threat alert. I knew it was there because of my wireless TV DVR so I wasn't really worried. 

Now after having the reset and software update done that port is no longer there. I scanned the network again and no threats were triggered.

As far as Windows Firewall goes that's all being managed by ESET.

Link to comment
Share on other sites
TomFace

TomFace 539

Posted
Posted (edited)
2 hours ago, itman said:

That's interesting .......... On my Pace gateway, port 443 is open on the WAN side since it is used by desktop TV boxes. I love how AT&T chose port 443 to do so. Port 443 is locked down on the LAN side of the gateway but still something I don't especially like.

Do you also have U-Verse TV?

Yes I have u-Verse TV as well. Funny you should mention port 443...I did a scan using the ESS router scan and if kept showing a vulnerability on port 443. Let me say that I am not the brightest bulb in the marque when it comes to ports and the like. I was nosing around online in my router settings>firewall and found a hosted application entry  under NAT/Gaming for "Act of War-Direct Action" needed by device "Cisco_AP_ATT" using port TCP:443 (service: connectToCiscoAP).

 

I am not a gamer and have not added anything for gaming, so I was puzzled and deleted it. I have had no ill effects and now my ESS Router scams are clean. I run my internet settings in public mode as I do not require sharing.  Also let me say I have NOT received any notification of any flood attacks.

Edited by TomFace
Link to comment
Share on other sites
TomFace

TomFace 539

Posted
Posted
1 hour ago, LinkinForcer said:

Also since this whole ICMP thing has come about I went and turned on Covert data in ICMP protocol detection in ESET as it is disabled by default.

What benefit will doing that add?

Link to comment
Share on other sites
LinkinForcer

LinkinForcer 1

Posted
  • Author
Posted

If it's an actual attack it will block any attempts that the hacker would do "behind the mask" of the attack. Basically if they used the ICMP as a decoy to try and do real harm it will block it.

At least that's what I gathered from what I read.

Link to comment
Share on other sites
itman

itman 1,538

Posted
Posted

Eset has two ICMP packet inspection settings within IDS settings:

• ICMP protocol message checking – Prevents attacks that exploit the weaknesses of the ICMP protocol, which could lead to computer unresponsiveness - also see DoS (Denial of service attacks).

• Covert data in ICMP protocol detection – Checks to see if the ICMP protocol is used for data transfer. Many malicious techniques use the ICMP protocol to bypass the Personal firewall.

I believe both of these are set on by default.

Another factor in play here is the network connection in regards to U-Verse. My DVR recorder is connected via Ethernet from the gateway. However, all my other computer based connections including Smart phones are all wireless connections via the AT&T provided WAP. My primary reason for using the Public firewall profile is to prevent these devices especially the crap-ola android devices in my household from interacting with my PC.

 

Link to comment
Share on other sites
LinkinForcer

LinkinForcer 1

Posted
  • Author
Posted

The second option is off by default but I turned it on. 

I had my connection set to public but when I trusted my network on Windows 10 it switched to private, or home and work connection.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,704

Posted
  • Administrators
Posted

You can enable advanced firewall logging in the advanced setup -> Tools -> Diagnostics, restart the computer and reproduce the alert. Then disable logging and navigate to the C:\ProgramData\ESET\%ProgramName%\Diagnostics folder. Compress the file EpfwLog.pcapng and send it to me as an attachment via PM. Also include ELC logs (see my signature for instructions).

Link to comment
Share on other sites
itman

itman 1,538

Posted
Posted (edited)

I will also add that unless you're a gamer, use certain Internet phone service, or the like, your AT&T gateway firewall and for that matter any router w/firewall setting should be set to block "unsolicited inbound traffic" as noted by the below screen shot. This feature is technically noted as statefull packet inspection(SPI). When you shop for a router, this a must have feature along with network address translation(NAT).

Also, you should make it a habit to occasionally review your router/gateway firewall logs. For example, mine shows persistent probing of port 23 and lesser to port 22. These are used by the file transfer protocol for bulk file transfers and are often allowed by third party software firewalls.

I have always stated that your router/gateway firewall is your primary and first line of Internet defense and any Windows based firewall is secondary to it.

 

   ATT_Router.png

Edited by itman
Link to comment
Share on other sites
LinkinForcer

LinkinForcer 1

Posted
  • Author
Posted

As far as I could tell I'm at maximum protection. We have different routers so our options are different but under the Blocked Attacks section I've got everything checked off. 

Every attack that that router is configured to recognize it will block it now.

Link to comment
Share on other sites
  • 4 months later...
scgt1

scgt1 1

Posted
Posted (edited)
On 1/7/2017 at 9:27 AM, itman said:

Normally, your router should be configured to block external ICMP echo requests. You can test if that is functional by going to this web site: https://www.grc.com/shieldsup then click on the "Proceed" tab in the displayed web page. Then select the "Common Ports" scan. When it completes, note the results of the "Echo Ping" test. It should state that you passed. If you didn't pass, then your router is not properly configured to prevent ICMP Flood attacks. The router is your first line of defense against ICMP Flood attacks.

If you passed the Echo Ping test, then a number of other scenarios might be occurring. An external DDoS attack might be occurring against your router and it is overwhelming the capability of the router to block such traffic. You should examine your router's log file to determine if this is the case. If an external DDoS ICMP Flood attack is occurring, you need to create a router firewall rule, assuming your router has a configurable firewall, to block all inbound traffic for the IP addresses that are the source of the DDoS attack.

If an external DDoS attack is not the case, then it is possible that your router is "misbehaving." It is normal for some routers to issue an ICMP echo request to establish connectivity with a target device. If there is a problem with this request being acknowledged by the targeted device, it could be the router is stuck in a loop where it is repeatedly sending ICMP echo request transactions and Eset's IPS protection is interpreting this activity as an ICMP Flood attack. 

I have recently been getting this notice while my computer is connecting to AirVPN after reboot. (The VPN service has it's own tunneling adapter which bypasses the windows network from my understanding. Running the link above I yield the following results:

Solicited TCP Packets: PASSED — No TCP packets were received from your system as a direct result of our attempts to elicit some response from any of the ports listed below — they are all either fully stealthed or blocked by your ISP. However . . .
transpixel.gif
graypixel.gif
transpixel.gif
Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)
transpixel.gif
graypixel.gif
transpixel.gif
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

transpixel.gifI will add that with using AirVPN I'm claimed to be actually invisible. My IP that comes up is the one from AirVPN and not my actual IP address nor my routers.

While running the other test (upnp) from that page I got these results:

 

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

File Sharing test:

1.gif Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
reddash.gif Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
reddash.gif Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

 

 

darkredpixel.gif

 

Service port check yielded the following:

0 / <nil> / Reserved 1 / tcpmux / TCP Port Service Multiplexer 2 / compressnet / Management Utility 3 / compressnet / Compression Process 4 5 / rje / Remote Job Entry 6 7 / echo / Echo 8 9 / discard / Discard 10 11 / systat / Active Users 12 13 / daytime / Daytime 14 15 16 17 / qotd / Quote of the Day 18 / msp / Message Send Protocol 19 / chargen / Character Generator 20 / ftp-data / File Transfer Protocol / Default Data Channel 21 / ftp / File Transfer Protocol / Control Channel 22 / ssh / SSH Remote Login Protocol 23 / telnet / Telnet 24 / privmail / Private Mail System 25 / smtp / Simple Mail Transfer Protocol 26 27 / nsw-fe / NSW User System FE 28 / - / (Used by 'Amanda' Trojan) 29 / msg-icp / MSG ICP 30 / - / (Used by 'Agent 40421' Trojan) 31 / msg-auth / MSG Authentication 31
32  32 33 / dsp / Display Support Protocol 34 35 / privprnt / Private Printer Server 36 37 / time / Time 38 / rap / Route Access Protocol 39 / rlp / Resource Location Protocol 40 41 / graphics / Graphics 42 / nameserver / Host Name Server 43 / nicname / Who Is 44 / mpm-flags / Message Processing Module / Flags 45 / mpm / Message Processing Module / Receive 46 / mpm-snd / Message Processing Module / Send 47 / ni-ftp / NI FTP 48 / auditd / Digital Audit Daemon 49 / tacacs / Login Host Protocol 50 / re-mail-ck / Remote Mail Checking Protocol 51 / la-maint / IMP Logical Address Maintenance 52 / xns-time / XNS Time Protocol 53 / domain / Domain Name Server 54 / xns-ch / XNS Clearinghouse 55 / isi-gl / ISI Graphics Language 56 / xns-auth / XNS Authentication 57 / privterm / Private Terminal Access 58 / xns-mail / XNS Mail 59 / privfs / Private File Service 60 61 / ni-mail / NI MAIL 62 / acas / ACA Services 63 / whois++ / whois++ 63
64  64 / covia / Communications Integrator (CI) 65 / tacacs-ds / TACACS-Database Service 66 / sql*net / Oracle SQL*NET 67 / bootps / Bootstrap Protocol Server 68 / bootpc / Bootstrap Protocol Client 69 / tftp / Trivial File Transfer 70 / gopher / Gopher 71 / netrjs-1 / Remote Job Service 72 / netrjs-2 / Remote Job Service 73 / netrjs-3 / Remote Job Service 74 / netrjs-4 / Remote Job Service 75 / privdial / Private Dial Out Service 76 / deos / Distributed External Object Store 77 / privRJE / Private RJE Service 78 / vettcp / vettcp 79 / finger / Finger 80 / http / World Wide Web HTTP Protocol 81 / hosts2-ns / HOSTS2 Name Server 82 / xfer / XFER Utility 83 / mit-ml-dev / MIT ML Device 84 / ctf / Common Trace Facility 85 / mit-ml-dev / MIT ML Device 86 / mfcobol / Micro Focus Cobol 87 / privlnk / Private Terminal Link 88 / kerberos / Kerberos 89 / su-mit-tg / SU/MIT Telnet Gateway 90 / dnsix / DNSIX Securit Attribute Token Map 91 / mit-dov / MIT Dover Spooler 92 / npp / Network Printing Protocol 93 / dcp / Device Control Protocol 94 / objcall / Tivoli Object Dispatcher 95 / supdup / SUPDUP 95
96  96 / dixie / DIXIE Protocol Specification 97 / swift-rvf / Swift Remote Virtural File Protocol 98 / tacnews / TAC News 99 / metagram / Metagram Relay 100 101 / hostname / NIC Host Name Server 102 / iso-tsap / ISO-TSAP Class 0 103 / gppitnp / Genesis Point-to-Point Trans Net 104 / acr-nema / ACR-NEMA Digital Imag. & Comm. 300 105 / csnet-ns / Mailbox Name Nameserver 106 / 3com-tsmux / 3COM-TSMUX 107 / rtelnet / Remote Telnet Service 108 / snagas / SNA Gateway Access Server 109 / pop2 / Post Office Protocol - Version 2 110 / pop3 / Post Office Protocol - Version 3 111 / sunrpc / SUN Remote Procedure Call 112 / mcidas / McIDAS Data Transmission Protocol 113 / ident / Authentication Service 114 / audionews / Audio News Multicast 115 / sftp / Simple File Transfer Protocol 116 / ansanotify / ANSA REX Notify 117 / uucp-path / UUCP Path Service 118 / sqlserv / SQL Services 119 / nntp / Network News Transfer Protocol 120 / cfdptkt / CFDPTKT 121 / erpc / Encore Expedited Remote Pro.Call 122 / smakynet / SMAKYNET 123 / ntp / Network Time Protocol 124 / ansatrader / ANSA REX Trader 125 / locus-map / Locus PC-Interface Net Map Ser 126 / nxedit / NXEdit 127 / locus-con / Locus PC-Interface Conn Server 127
128  128 / gss-xlicen / GSS X License Verification 129 / pwdgen / Password Generator Protocol 130 / cisco-fna / cisco FNATIVE 131 / cisco-tna / cisco TNATIVE 132 / cisco-sys / cisco SYSMAINT 133 / statsrv / Statistics Service 134 / ingres-net / INGRES-NET Service 135 / epmap / DCE endpoint resolution 136 / profile / PROFILE Naming System 137 / netbios-ns / NetBIOS Name Service 138 / netbios-dgm / NetBIOS Datagram Service 139 / netbios-ssn / NetBIOS Session Service 140 / emfis-data / EMFIS Data Service 141 / emfis-cntl / EMFIS Control Service 142 / bl-idm / Britton-Lee IDM 143 / imap / Internet Message Access Protocol 144 / uma / Universal Management Architecture 145 / uaac / UAAC Protocol 146 / iso-tp0 / ISO-IP0 147 / iso-ip / ISO-IP 148 / jargon / Jargon 149 / aed-512 / AED 512 Emulation Service 150 / sql-net / SQL-NET 151 / hems / HEMS 152 / bftp / Background File Transfer Protocol 153 / sgmp / SGMP 154 / netsc-prod / NETSC 155 / netsc-dev / NETSC 156 / sqlsrv / SQL Service 157 / knet-cmp / KNET/VM Command/Message Protocol 158 / pcmail-srv / PCMail Server 159 / nss-routing / NSS-Routing 159
160  160 / sgmp-traps / SGMP-TRAPS 161 / snmp / SNMP 162 / snmptrap / SNMPTRAP 163 / cmip-man / CMIP Manager 164 / cmip-agent / CMIP Agent 165 / xns-courier / Xerox 166 / s-net / Sirius Systems 167 / namp / NAMP 168 / rsvd / RSVD 169 / send / SEND 170 / print-srv / Network PostScript 171 / multiplex / Network Innovations Multiplex 172 / cl/1 / Network Innovations CL/1 173 / xyplex-mux / Xyplex 174 / mailq / MAILQ 175 / vmnet / VMNET 176 / genrad-mux / GENRAD-MUX 177 / xdmcp / X Display Manager Control Protocol 178 / nextstep / NextStep Window Server 179 / bgp / Border Gateway Protocol 180 / ris / Intergraph 181 / unify / Unify 182 / audit / Unisys Audit SITP 183 / ocbinder / OCBinder 184 / ocserver / OCServer 185 / remote-kis / Remote-KIS 186 / kis / KIS Protocol 187 / aci / Application Communication Interface 188 / mumps / Plus Five's MUMPS 189 / qft / Queued File Transport 190 / gacp / Gateway Access Control Protocol 191 / prospero / Prospero Directory Service 191
192  192 / osu-nms / OSU Network Monitoring System 193 / srmp / Spider Remote Monitoring Protocol 194 / irc / Internet Relay Chat Protocol 195 / dn6-nlm-aud / DNSIX Network Level Module Audit 196 / dn6-smm-red / DNSIX Session Mgt Module Audit Redir 197 / dls / Directory Location Service 198 / dls-mon / Directory Location Service Monitor 199 / smux / SMUX 200 / src / IBM System Resource Controller 201 / at-rtmp / AppleTalk Routing Maintenance 202 / at-nbp / AppleTalk Name Binding 203 / at-3 / AppleTalk Unused 204 / at-echo / AppleTalk Echo 205 / at-5 / AppleTalk Unused 206 / at-zis / AppleTalk Zone Information 207 / at-7 / AppleTalk Unused 208 / at-8 / AppleTalk Unused 209 / qmtp / The Quick Mail Transfer Protocol 210 / z39.50 / ANSI Z39.50 211 / 914c/g / Texas Instruments 914C/G Terminal 212 / anet / ATEXSSTR 213 / ipx / IPX 214 / vmpwscs / VM PWSCS 215 / softpc / Insignia Solutions 216 / CAIlic / Computer Associates Int'l License Server 217 / dbase / dBASE Unix 218 / mpp / Netix Message Posting Protocol 219 / uarps / Unisys ARPs 220 / imap3 / Interactive Mail Access Protocol v3 221 / fln-spx / Berkeley rlogind with SPX auth 222 / rsh-spx / Berkeley rshd with SPX auth 223 / cdc / Certificate Distribution Center 223
224  224 / masqdialer / masqdialer 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 / direct / Direct 243 / sur-meas / Survey Measurement 244 / inbusiness / inbusiness 245 / link / LINK 246 / dsp3270 / Display Systems Protocol 247 / subntbcst_tftp / SUBNTBCST_TFTP 248 / bhfhs / bhfhs 249 250 251 252 253 254 255 255
256  256 / rap / RAP 257 / set / Secure Electronic Transaction 258 / yak-chat / Yak Winsock Personal Chat 259 / esro-gen / Efficient Short Remote Operations 260 / openport / Openport 261 / nsiiops / IIOP Name Service over SSL 262 / arcisdms / Arcisdms 263 / hdap / HDAP 264 / bgmp / BGMP 265 / x-bone-ctl / X-Bone CTL 266 / sst / SCSI on ST 267 / td-service / Tobit David Service Layer 268 / td-replica / Tobit David Replica 269 270 271 272 273 274 275 276 277 278 279 280 / http-mgmt / http-mgmt 281 / personal-link / Personal Link 282 / cableport-ax / Cable Port A/X 283 / rescap / rescap 284 / corerjd / corerjd 285 / - / (Used by 'WCTrojan' Trojan) 286 / fxp-1 / FXP-1 287 / k-block / K-BLOCK 287
288  288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 / novastorbakcup / Novastor Backup 309 / entrusttime / EntrustTime 310 / bhmds / bhmds 311 / asip-webadmin / AppleShare IP WebAdmin 312 / vslmp / VSLMP 313 / magenta-logic / Magenta Logic 314 / opalis-robot / Opalis Robot 315 / dpsi / DPSI 316 / decauth / decAuth 317 / zannet / Zannet 318 / pkix-timestamp / PKIX TimeStamp 319 / ptp-event / PTP Event 319
320  320 / ptp-general / PTP General 321 / pip / PIP 322 / rtsps / RTSPS 323 324 325 326 327 328 329 330 331 332 333 / texar / Texar Security Port 334 / - / (Used by 'Backage' Trojan) 335 336 337 338 339 340 341 342 343 344 / pdap / Prospero Data Access Protocol 345 / pawserv / Perf Analysis Workbench 346 / zserv / Zebra server 347 / fatserv / Fatmen Server 348 / csi-sgwp / Cabletron Management Protocol 349 / mftp / mftp 350 / matip-type-a / MATIP Type A 351 / matip-type-b / MATIP Type B 351
352  352 / dtag-ste-sb / DTAG 353 / ndsauth / NDSAUTH 354 / bh611 / bh611 355 / datex-asn / DATEX-ASN 356 / cloanto-net-1 / Cloanto Net 1 357 / bhevent / bhevent 358 / shrinkwrap / Shrinkwrap 359 / nsrmp / Network Security Risk Management Protocol 360 / scoi2odialog / scoi2odialog 361 / semantix / Semantix 362 / srssend / SRS Send 363 / rsvp_tunnel / RSVP Tunnel 364 / aurora-cmgr / Aurora CMGR 365 / dtk / DTK 366 / odmr / ODMR 367 / mortgageware / MortgageWare 368 / qbikgdp / QbikGDP 369 / rpc2portmap / rpc2portmap 370 / codaauth2 / codaauth2 371 / clearcase / Clearcase 372 / ulistproc / ListProcessor 373 / legent-1 / Legent Corporation 374 / legent-2 / Legent Corporation 375 / hassle / Hassle 376 / nip / Amiga Envoy Network Inquiry Proto 377 / tnETOS / NEC Corporation 378 / dsETOS / NEC Corporation 379 / is99c / TIA/EIA/IS-99 modem client 380 / is99s / TIA/EIA/IS-99 modem server 381 / hp-collector / hp performance data collector 382 / hp-managed-node / hp performance data managed node 383 / hp-alarm-mgr / hp performance data alarm manager 383
384  384 / arns / A Remote Network Server System 385 / ibm-app / IBM Application 386 / asa / ASA Message Router Object Def. 387 / aurp / Appletalk Update-Based Routing Pro. 388 / unidata-ldm / Unidata LDM 389 / ldap / Lightweight Directory Access Protocol 390 / uis / UIS 391 / synotics-relay / SynOptics SNMP Relay Port 392 / synotics-broker / SynOptics Port Broker Port 393 / meta5 / Meta5 394 / embl-ndt / EMBL Nucleic Data Transfer 395 / netcp / NETscout Control Protocol 396 / netware-ip / Novell Netware over IP 397 / mptn / Multi Protocol Trans. Net. 398 / kryptolan / Kryptolan 399 / iso-tsap-c2 / ISO Transport Class 2 Non-Control over TCP 400 / work-sol / Workstation Solutions 401 / ups / Uninterruptible Power Supply 402 / genie / Genie Protocol 403 / decap / decap 404 / nced / nced 405 / ncld / ncld 406 / imsp / Interactive Mail Support Protocol 407 / timbuktu / Timbuktu 408 / prm-sm / Prospero Resource Manager Sys. Man. 409 / prm-nm / Prospero Resource Manager Node Man. 410 / decladebug / DECLadebug Remote Debug Protocol 411 / rmt / Remote MT Protocol 412 / synoptics-trap / Trap Convention Port 413 / smsp / Storage Management Services Protocol 414 / infoseek / InfoSeek 415 / bnet / BNet 415
416  416 / silverplatter / Silverplatter 417 / onmux / Onmux 418 / hyper-g / Hyper-G 419 / ariel1 / Ariel 1 420 / smpte / SMPTE 421 / ariel2 / Ariel 2 422 / ariel3 / Ariel 3 423 / opc-job-start / IBM Operations Planning and Control Start 424 / opc-job-track / IBM Operations Planning and Control Track 425 / icad-el / ICAD 426 / smartsdp / smartsdp 427 / svrloc / Server Location 428 / ocs_cmu / OCS_CMU 429 / ocs_amu / OCS_AMU 430 / utmpsd / UTMPSD 431 / utmpcd / UTMPCD 432 / iasd / IASD 433 / nnsp / NNSP 434 / mobileip-agent / MobileIP-Agent 435 / mobilip-mn / MobilIP-MN 436 / dna-cml / DNA-CML 437 / comscm / comscm 438 / dsfgw / dsfgw 439 / dasp / dasp Thomas Obermair 440 / sgcp / sgcp 441 / decvms-sysmgt / decvms-sysmgt 442 / cvc_hostd / cvc_hostd 443 / https / secure http protocol (SSL) 444 / snpp / Simple Network Paging Protocol 445 / microsoft-ds / Microsoft Directory Service 446 / ddm-rdb / DDM-RDB 447 / ddm-dfm / DDM-RFM 447
448  448 / ddm-ssl / DDM-SSL 449 / as-servermap / AS Server Mapper 450 / tserver / Computer Supported Telecomunication Applications 451 / sfs-smp-net / Cray Network Semaphore server 452 / sfs-config / Cray SFS config server 453 / creativeserver / CreativeServer 454 / contentserver / ContentServer 455 / creativepartnr / CreativePartnr 456 / macon-tcp / macon-tcp 457 / scohelp / scohelp 458 / appleqtc / apple quick time 459 / ampr-rcmd / ampr-rcmd 460 / skronk / skronk 461 / datasurfsrv / DataRampSrv 462 / datasurfsrvsec / DataRampSrvSec 463 / alpes / alpes 464 / kpasswd / kpasswd 465 / urd / URL Rendesvous Directory for SSM 466 / digital-vrc / digital-vrc 467 / mylex-mapd / mylex-mapd 468 / photuris / proturis 469 / rcp / Radio Control Protocol 470 / scx-proxy / scx-proxy 471 / mondex / Mondex 472 / ljk-login / ljk-login 473 / hybrid-pop / hybrid-pop 474 / tn-tl-w1 / tn-tl-w1 475 / tcpnethaspsrv / tcpnethaspsrv 476 / tn-tl-fd1 / tn-tl-fd1 477 / ss7ns / ss7ns 478 / spsc / spsc 479 / iafserver / iafserver 479
480  480 / iafdbase / iafdbase 481 / ph / Ph service 482 / bgs-nsi / bgs-nsi 483 / ulpnet / ulpnet 484 / integra-sme / Integra Software Management Environment 485 / powerburst / Air Soft Power Burst 486 / avian / avian 487 / saft / saft Simple Asynchronous File Transfer 488 / gss-http / gss-http 489 / nest-protocol / nest-protocol 490 / micom-pfs / micom-pfs 491 / go-login / go-login 492 / ticf-1 / Transport Independent Convergence for FNA 493 / ticf-2 / Transport Independent Convergence for FNA 494 / pov-ray / POV-Ray 495 / intecourier / intecourier 496 / pim-rp-disc / PIM-RP-DISC 497 / dantz / dantz 498 / siam / siam 499 / iso-ill / ISO ILL Protocol 500 / isakmp / isakmp 501 / stmf / STMF 502 / asa-appl-proto / asa-appl-proto 503 / intrinsa / Intrinsa 504 / citadel / citadel 505 / mailbox-lm / mailbox-lm 506 / ohimsrv / ohimsrv 507 / crs / crs 508 / xvttp / xvttp 509 / snare / snare 510 / fcp / FirstClass Protocol 511 / passgo / PassGo 511
512  512 / exec / remote process execution 513 / login / remote login a la telnet 514 / syslog / syslog 515 / printer / spooler 516 / videotex / videotex 517 / talk / like tenex link 518 519 / utime / unixtime 520 / efs / extended file name server 521 / ripng / ripng 522 / ulp / ULP 523 / ibm-db2 / IBM-DB2 524 / ncp / NCP 525 / timed / timeserver 526 / tempo / newdate 527 / stx / Stock IXChange 528 / custix / Customer IXChange 529 / irc-serv / IRC-SERV 530 / courier / rpc 531 / conference / chat 532 / netnews / readnews 533 / netwall / for emergency broadcasts 534 / mm-admin / MegaMedia Admin 535 / iiop / iiop 536 / opalis-rdv / opalis-rdv 537 / nmsp / Networked Media Streaming Protocol 538 / gdomap / gdomap 539 / apertus-ldp / Apertus Technologies Load Determination 540 / uucp / uucpd 541 / uucp-rlogin / uucp-rlogin 542 / commerce / commerce 543 543
544  544 / kshell / krcmd 545 / appleqtcsrvr / appleqtcsrvr 546 / dhcpv6-client / DHCPv6 Client 547 / dhcpv6-server / DHCPv6 Server 548 / afpovertcp / AFP over TCP 549 / idfp / IDFP 550 / new-rwho / new-who 551 / cybercash / cybercash 552 / devshr-nts / DeviceShare 553 / pirp / pirp 554 / rtsp / Real Time Stream Control Protocol 555 556 / remotefs / rfs server 557 / openvms-sysipc / openvms-sysipc 558 / sdnskmp / SDNSKMP 559 / teedtap / TEEDTAP 560 / rmonitor / rmonitord 561 562 / chshell / chcmd 563 / nntps / secure nntp protocol (SSL) (was snntp) 564 / 9pfs / plan 9 file service 565 / whoami / whoami 566 / streettalk / streettalk 567 / banyan-rpc / banyan-rpc 568 / ms-shuttle / microsoft shuttle 569 / ms-rome / microsoft rome 570 / meter / demon 571 / meter / udemon 572 / sonar / sonar 573 / banyan-vip / banyan-vip 574 / ftp-agent / FTP Software Agent System 575 / vemmi / VEMMI 575
576  576 / ipcd / ipcd 577 / vnas / vnas 578 / ipdd / ipdd 579 / decbsrv / decbsrv 580 / sntp-heartbeat / SNTP HEARTBEAT 581 / bdp / Bundle Discovery Protocol 582 / scc-security / SCC Security 583 / philips-vc / Philips Video-Conferencing 584 / keyserver / Key Server 585 / imap4-ssl / IMAP4+SSL (use 993 instead) 586 / password-chg / Password Change 587 / submission / Submission 588 / cal / CAL 589 / eyelink / EyeLink 590 / tns-cml / TNS CML 591 / http-alt / FileMaker Inc. - HTTP Alternate (see Port 80) 592 / eudora-set / Eudora Set 593 / http-rpc-epmap / HTTP RPC Ep Map 594 / tpip / TPIP 595 / cab-protocol / CAB Protocol 596 / smsd / SMSD 597 / ptcnameservice / PTC Name Service 598 / sco-websrvrmg3 / SCO Web Server Manager 3 599 / acp / Aeolon Core Protocol 600 / ipcserver / Sun IPC server 601 / syslog-conn / Reliable Syslog Service 602 / xmlrpc-beep / XML-RPC over BEEP 603 / idxp / IDXP 604 / tunnel / TUNNEL 605 / soap-beep / SOAP over BEEP 606 / urm / Cray Unified Resource Manager 607 / nqs / nqs 607
608  608 / sift-uft / Sender-Initiated/Unsolicited File Transfer 609 / npmp-trap / npmp-trap 610 / npmp-local / npmp-local 611 / npmp-gui / npmp-gui 612 / hmmp-ind / HMMP Indication 613 / hmmp-op / HMMP Operation 614 / sshell / Secure SSLshell 615 / sco-inetmgr / Internet Configuration Manager 616 / sco-sysmgr / SCO System Administration Server 617 / sco-dtmgr / SCO Desktop Administration Server 618 / dei-icda / DEI-ICDA 619 / compaq-evm / Compaq EVM 620 / sco-websrvrmgr / SCO WebServer Manager 621 / escp-ip / ESCP 622 / collaborator / Collaborator 623 / asf-rmcp / ASF Remote Management and Control Protocol 624 / cryptoadmin / Crypto Admin 625 / dec_dlm / DEC DLM 626 / asia / ASIA 627 / passgo-tivoli / PassGo Tivoli 628 / qmqp / QMQP 629 / 3com-amp3 / 3Com AMP3 630 / rda / RDA 631 / ipp / IPP (Internet Printing Protocol) 632 / bmpp / bmpp 633 / servstat / Service Status update (Sterling Software) 634 / ginad / ginad 635 / rlzdbase / RLZ DBase 636 / ldaps / secure ldap protocol (SSL) (was sldap) 637 / lanserver / lanserver 638 / mcns-sec / mcns-sec 639 / msdp / MSDP 639
640  640 / entrust-sps / entrust-sps 641 / repcmd / repcmd 642 / esro-emsdp / ESRO-EMSDP V1.3 643 / sanity / SANity 644 / dwr / dwr 645 / pssc / PSSC 646 / ldp / LDP 647 / dhcp-failover / DHCP Failover 648 / rrp / Registry Registrar Protocol (RRP) 649 / cadview-3d / Cadview-3d - streaming 3d models over the internet 650 / obex / OBEX 651 / ieee-mms / IEEE MMS 652 / hello-port / HELLO_PORT 653 / repscmd / RepCmd 654 / aodv / AODV 655 / tinc / TINC 656 / spmp / SPMP 657 / rmc / RMC 658 / tenfold / TenFold 659 660 / mac-srvr-admin / MacOS Server Admin 661 / hap / HAP 662 / pftp / PFTP 663 / purenoise / PureNoise 664 / asf-secure-rmcp / ASF Secure Remote Management and Control Protocol 665 / sun-dr / Sun DR 666 667 / disclose / campaign contribution disclosures - SDR Technologies 668 / mecomm / MeComm 669 / meregister / MeRegister 670 / vacdsm-sws / VACDSM-SWS 671 / vacdsm-app / VACDSM-APP 671
672  672 / vpps-qua / VPPS-QUA 673 / cimplex / CIMPLEX 674 / acap / ACAP 675 / dctp / DCTP 676 / vpps-via / VPPS Via 677 / vpp / Virtual Presence Protocol 678 / ggf-ncp / GNU Generation Foundation NCP 679 / mrm / MRM 680 / entrust-aaas / entrust-aaas 681 / entrust-aams / entrust-aams 682 / xfr / XFR 683 / corba-iiop / CORBA IIOP 684 / corba-iiop-ssl / CORBA IIOP SSL 685 / mdc-portmapper / MDC Port Mapper 686 / hcp-wismar / Hardware Control Protocol Wismar 687 / asipregistry / asipregistry 688 / realm-rusd / REALM-RUSD 689 / nmap / NMAP 690 / vatp / VATP 691 / msexch-routing / MS Exchange Routing 692 / hyperwave-isp / Hyperwave-ISP 693 / connendp / connendp 694 / ha-cluster / ha-cluster 695 / ieee-mms-ssl / IEEE-MMS-SSL 696 / rushd / RUSHD 697 / uuidgen / UUIDGEN 698 / olsr / OLSR 699 / accessnetwork / Access Network 700 701 702 703 703
704  704 / elcsd / errlog copy/server daemon 705 / agentx / AgentX 706 / silc / SILC 707 / borland-dsj / Borland DSJ 708 709 / entrust-kmsh / Entrust Key Management Service Handler 710 / entrust-ash / Entrust Administration Service Handler 711 / cisco-tdp / Cisco TDP 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 / netviewdm1 / IBM NetView DM/6000 Server/Client 730 / netviewdm2 / IBM NetView DM/6000 send 731 / netviewdm3 / IBM NetView DM/6000 receive 732 733 734 735 735
736  736 737 738 739 740 741 / netgw / netGW 742 / netrcs / Network based Rev. Cont. Sys. 743 744 / flexlm / Flexible License Manager 745 746 747 / fujitsu-dev / Fujitsu Device Control 748 / ris-cm / Russell Info Sci Calendar Manager 749 / kerberos-adm / kerberos administration 750 751 752 753 754 / tell / send 755 756 757 758 759 760 761 762 763 764 765 766 767 / phonebook / phone 767
768  768 769 770 771 772 773 774 775 776 777 / multiling-http / Multiling HTTP 778 779 780 781 782 783 784 785 / - / (Used by 'Network Terrorist' Trojan) 786 787 788 789 790 791 792 793 794 795 796 797 798 799 799
800  800 801 802 803 804 805 806 807 808 / - / (Used by 'WinHole' Trojan) 809 810 / fcp-udp / FCP 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 / itm-mcell-s / itm-mcell-s 829 / pkix-3-ca-ra / PKIX-3 CA/RA 830 831 / - / (Used by 'Neurotic Kat' Trojan) 831
832  832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 / dhcp-failover2 / dhcp-failover 2 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 863
864  864 865 866 867 868 869 870 871 872 873 / rsync / rsync 874 875 876 877 878 879 880 881 882 883 884 885 886 / iclcnet-locate / ICL coNETion locate server 887 / iclcnet_svinfo / ICL coNETion server info 888 / cddbp / CD Database Protocol 889 890 891 892 893 894 895 895
896  896 897 898 899 900 / omginitialrefs / OMG Initial Refs 901 / smpnameres / SMPNAMERES 902 / ideafarm-chat / IDEAFARM-CHAT 903 / ideafarm-catch / IDEAFARM-CATCH 904 905 906 907 908 909 910 911 / xact-backup / xact-backup 912 / apex-mesh / APEX relay-relay service 913 / apex-edge / APEX endpoint-relay service 914 915 916 917 918 919 920 921 922 923 924 925 926 927 927
928  928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 959
960  960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 / ftps-data / secure ftp protocol / data over SSL 990 / ftps / secure ftp protocol / control over SSL 991 / nas / Netnews Administration System 991
992  992 / telnets / secure telnet protocol over SSL 993 / imaps / secure imap4 protocol over SSL 994 / ircs / secure irc protocol over SSL 995 / pop3s / secure pop3 protocol over SSL (was spop3) 996 / vsinet / vsinet 997 998 999 1000 1001 / - / (popular with Trojans - see details) 1002 / ms-ils / Microsoft Netmeeting ILS Service 1003 1004 1005 / - / (Used by 'Theef' Trojan) 1006 1007 1008 / - / (Used by 'Lion' & 'AutoSpy' Trojans) 1009 1010 / surf / surf (also used by 'Doly' Trojan) 1011 / - / (Used by 'Doly' Trojan) 1012 / - / (Used by 'Doly' Trojan) 1013 1014 1015 / - / (Used by 'Doly' Trojan) 1016 / - / (Used by 'Doly' Trojan) 1017 1018 1019 1020 / - / (Used by 'Doly' Trojan) 1021 1022 1023 / - / Reserved 1023
1024  1024 / ms-svchost / Microsoft Generic Service Host 1025 / ms-svchost / Microsoft Generic Service Host 1026 / ms-svchost / Microsoft Generic Service Host 1027 / ms-svchost / Microsoft Generic Service Host 1028 / ms-svchost / Microsoft Generic Service Host 1029 / ms-svchost / Microsoft Generic Service Host 1030 / ms-svchost / Microsoft Generic Service Host 1031 / iad2 / BBN IAD 1032 / iad3 / BBN IAD 1033 / netinfo-local / local netinfo port 1034 / activesync / ActiveSync Notifications 1035 / - / (Used by 'Multidropper' Trojan) 1036 / pcg-radar / RADAR Service Protocol 1037 1038 1039 1040 / netarx / Netarx 1041 1042 / - / (Used by 'BLA' Trojan) 1043 1044 1045 / fpitp / Fingerprint Image Transfer Protocol 1046 1047 / neod1 / Sun's NEO Object Request Broker 1048 / neod2 / Sun's NEO Object Request Broker 1049 / td-postman / Tobit David Postman VPMN 1050 / cma / CORBA Management Agent 1051 / optima-vnet / Optima VNET 1052 / ddt / Dynamic DNS Tools 1053 / remote-as / Remote Assistant (RA) 1054 / brvread / BRVREAD 1055 / ansyslmd / ANSYS - License Manager 1055
Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.
transpixel.gif
graypixel.gif
transpixel.gif
Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)
transpixel.gif
graypixel.gif
transpixel.gif
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

transpixel.gif
Alot of network stuff is always way over my head but it seems I have two ports open from the above check and that could be where this icmp bit is coming from?

Edited by scgt1
Link to comment
Share on other sites
itman

itman 1,538

Posted
Posted (edited)

Port 88 is used by Xbox Live 360.

Port 89 only use I know of is:

port 89 is a dedicated services port used as a Telnet Gateway between Mass Institue of Technology (MIT) and ___ University (SU)

Note that if you are using a router, the GRC test is reflecting the inbound port status of the router.

Your Flood attacks are most likely due to this:

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

Again, this can be controlled via router firewall settings. However with some ISP provided routers, ICMP Echo Reply requests are allowed since the ISP uses such to ensure connectivity exists.

Edited by itman
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...