
I know we kicked this around previously (https://forum.eset.com/topic/10660-icmp-flood-attacks/?do=findComment&comment=54320), but on occasion I am getting a warning when I scan my network

[Image: Ports1.jpg]

and at the same time I also get this notice (which seems contradictory to me).

[Image: Ports2.jpg]

When I go into my router webpage I am finding this

[Image: Ports33.jpg]

After I delete that service, I do not get any (either notice) warning notice from ESS when doing a network scan (I am NOT a gamer).

I also see that ESS shows this

[Image: Ports5.jpg]

Not being the brightest bulb in the box, I am confused as to what to make of all this and if I should be concerned. Could someone please explain it to me in plain English and what if any actions I need to take. I am running Win 7 Home Prem and ESS 10.1.219.0 (ESS Firewall in Automatic/default mode). I do not take any actions to change ports as I do not have that knowledge, so I don't think it's anything that I am doing. What else could be causing this?

 

 

 

Edited by TomFace


As far as ESS is concerned you have everything set correctly :). Your router must come with a built-in rule to allow port forwarding for that port if you have never added it manually.

If you delete it and it comes back in the future, then I can only assume that AT&T are adding it every time they are running a pushed firmware update for your router.

Service name "ConnectToCiscoAP" is to allow router access to AT&T's wireless set-top boxes.
 

41 minutes ago, cyberhash said:

As far as ESS is concerned you have everything set correctly :). Your router must come with a built-in rule to allow port forwarding for that port if you have never added it manually.

If you delete it and it comes back in the future, then I can only assume that AT&T are adding it every time they are running a pushed firmware update for your router.

Service name "ConnectToCiscoAP" is to allow router access to AT&T's wireless set-top boxes.
 

Thanks Hash...seems to be a hit and miss type thing...when I delete it I notice no restrictions in PC behavior.

But why the conflicting reports from ESET? If it's necessary for HTTPS protocol why warn me about it?

Maybe I am over simplifying it, but if it's OK then it's OK, if it's bad then it's bad. ESS is telling me both things at the same time in the same notice (one on top of the other).

Edited by TomFace

1 minute ago, TomFace said:

Thanks Hash...seems to be a hit and miss type thing...when I delete it I notice no restrictions in PC behavior.

But why the conflicting reports from ESET? If it's necessary for HTTPS protocol why warn me about it?

HTTPS scanning on port 443 is standard in any security suite, whereas port 443 either being open or forwarded on your router could pose a security risk, which is why it's giving you the warning.

Although it might not seem like it, these are 2 different things entirely. The only similarity is the port number, which is why it's a bit confusing.

 


You could also run the various tests from this site to double check things from the internet > your network.
Rather than the Eset > home network tests you are running just now.

https://www.grc.com/x/ne.dll?bh0bkyd2

3 minutes ago, cyberhash said:

You could also run the various tests from this site to double check things from the internet > your network.
Rather than the Eset > home network tests you are running just now.

https://www.grc.com/x/ne.dll?bh0bkyd2

I've run the exposure test before and it comes back

"THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!"

Which I guess is good.


Yes no response/answer is a good thing :D


So should I be concerned about

[Image: Ports1.jpg]

Can I do anything to stop this silliness?


Is this screenshot from before you deleted that rule within your router's firewall? If you remove the rule and re-run the home network test within ESET it should no longer be an issue.

 


Do you have U-Verse?

AT&T in their "infinite wisdom" uses port 443 on the WAN side of their PACE routers for the desktop TV boxes. If you run GRC Shields UP test, you will see that port 443 is open. It is closed on the LAN side which is all that counts.

3 hours ago, itman said:

Do you have U-Verse?

AT&T in their "infinite wisdom" uses port 443 on the WAN side of their PACE routers for the desktop TV boxes. If you run GRC Shields UP test, you will see that port 443 is open. It is closed on the LAN side which is all that counts.

Yes to U-Verse...how do I see the LAN side to know for sure? I have not fooled with the router settings (except deleting this service as explained above).

The GRC Instant UPnP Exposure Test gives a reply of

"THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!"...am I running the correct test?

Edited by TomFace

15 hours ago, TomFace said:

The GRC Instant UPnP Exposure Test gives a reply of

"THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!"...am I running the correct test?

No. You want to run the "Common Ports" test. It will show that port 443 is open on your router. Again, all it is testing is the WAN side of your router.

As far as your AT&T router goes, your firewall settings should correspond to what is shown in the below screen shot. Verify that the IP address shown corresponds to your ISP address. Again, what is being shown is that port 443 is open on the WAN side of the router and it can only connect to your AT&T assigned IP address. Don't "fool" with that setting or you will lose connectivity to your TV desktop devices.

The NAT/Gaming screen shot you posted are default NAT settings for popular games. I never fooled with those settings and they are only used to bypass NAT when playing one of the referenced games. 

As far as Eset's router checking goes, all it is checking is the port status on the LAN side of your router. I have never used it because I have always used Eset's firewall public profile. The test is only for the private network profile.

[Image: Eset_ATT.png]

 

Edited by itman

1 hour ago, itman said:

No. You want to run the "Common Ports" test. It will show that port 443 is open on your router. Again, all it is testing is the WAN side of your router.

As far as your AT&T router goes, your firewall settings should correspond to what is shown in the below screen shot. Verify that the IP address shown corresponds to your ISP address. Again, what is being shown is that port 443 is open on the WAN side of the router and it can only connect to your AT&T assigned IP address. Don't "fool" with that setting or you will lose connectivity to your TV desktop devices.

The NAT/Gaming screen shot you posted are default NAT settings for popular games. I never fooled with those settings and they are only used to bypass NAT when playing one of the referenced games. 

As far as Eset's router checking goes, all it is checking is the port status on the LAN side of your router. I have never used it because I have always used Eset's firewall public profile. The test is only for the private network profile.

[Image: Eset_ATT.png]

 

The AT&T screen you are showing does not look like what I have...This is what I see at my IP web address without logging in...where are you finding that screen? I have never seen that before. I have U-Verse internet and TV (no U-Verse phone).

[Image: Firewall.jpg]

I cannot locate the common port test at GRC...can you please provide a link to it?

 

 

Edited by TomFace


Continuing .............

Eset's router diagnostic tool is not the issue in this instance. What it alerted to is:

1. There is an open connection on the WAN side of the router.

2. That connection is active i.e. connected to an IP address.

3. It is theoretically possible that an attacker is using the connection.

That the tool "can't look inside" existing router firewall rules to determine the above is by design.

 

1 minute ago, itman said:

This is what I get (and also received yesterday) when trying that link

Browser Reload Suppressed

For your security, your web browser's "reload"
function has been temporarily disabled

Allowing a web browser to "reload" a page which has already been sent to you creates a "security hole" that would allow someone using your computer at any later time to attain potentially private and personal information.

To safeguard your privacy we have disabled the browser's "reload" or "refresh" facility while you are in sensitive areas of our web site. Reloading pages will function normally once you have left this area . . . but until then please refrain from "reloading" pages.

You may press your browser's  [BACK]  button now to return to the page prior to the one you were just viewing.

Thanks very much for your interest and patronage.

8 minutes ago, TomFace said:

The AT&T screen you are showing does not look like what I have...This is what I see without logging in

Obviously, we have different routers. Appears you might have an older one. You will probably have to go into "Firewall Advanced" settings to find the hardcoded port 443 rule to AT&T.

1 minute ago, TomFace said:

This is what I get (and also received yesterday) when trying that link

Works for me in IE11 running Win 10 1703.

4 minutes ago, itman said:

Works for me in IE11 running Win 10 1703.

I'm IE11.0.9600.18792/Win 7 Home Prem/Svc Pack 3 and current on updates (except telemetry add-ons)

Edited by TomFace


I just got the "suppression" screen now. Might be a problem with their web site or if you access it once and then try again, it will throw the message.

Delete temp files in IE and try again. If still a no go, exit IE and restart it and try.

 

Edited by itman


OK...will try again in a bit. I'll also nose around in advanced firewall settings as well and see what's there (I think I already did that and nothing caught my eye). I don't change things that I don't understand.

Edited by TomFace

4 minutes ago, itman said:

If still a no go, exit IE and restart it and try.

This did the trick for me.


Here is a DSL Reports posting that pretty much sums up the UVerse port 443 issue:

Quote

Port 443 is used by the Uverse WAP to provide signal to wireless receivers.
So in essence if have wireless receivers for Uverse IPTV then port is not accessible to other devices.
If have internet only or all hardwired receivers then port 443 should be available to my knowledge.

http://www.dslreports.com/forum/r29870607-Port-443-block

Also I don't believe the above is 100% accurate. I had just plain AT&T DSL a few years back in another state I resided in at the time. No WAP was involved and PC connected via Ethernet. As I recollect, port 443 was still allocated on the router which was a Netopia one. The answer, I believe I found at the time for why that was so, is AT&T used it for "connectivity" testing and verification purposes.

Best way to test internal LAN status is open an admin command prompt window and type:

  • netstat -anob

This will display the status of all ports and what programs are using them.

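Added example (not part of the original posts): a Python sketch that parses `netstat -anob` output, as suggested above, and lists only the sockets that are actually listening on the PC, so an outbound HTTPS connection to a remote port 443 is not mistaken for an open local port. The sample output, addresses, PIDs and process names are constructed for illustration.

```python
import re

# Constructed sample of `netstat -anob` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1820
 [mDNSResponder.exe]
  TCP    192.168.1.70:49231     203.0.113.10:443       ESTABLISHED     3344
 [iexplore.exe]
  UDP    0.0.0.0:5355           *:*                                    1204
 [svchost.exe]
"""

# Proto, local address, foreign address, optional state (UDP has none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")  # the "[program.exe]" line added by -b

def listeners(text):
    """Return sockets that accept inbound traffic: TCP LISTENING and bound UDP."""
    found, current = [], None
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            proto, local, _foreign, state, pid = row.groups()
            host, port = local.rsplit(":", 1)
            current = None  # owner lines after a non-listener are ignored
            if state == "LISTENING" or proto == "UDP":
                current = {"proto": proto, "host": host, "port": int(port),
                           "pid": int(pid), "exe": None,
                           # Loopback-only sockets are unreachable from the LAN.
                           "lan_reachable": not host.startswith(("127.", "[::1]"))}
                found.append(current)
        elif current and (owner := OWNER.match(line)):
            current["exe"] = owner.group(1)
    return found

def listening_on(text, port):
    """Listeners on one port; an ESTABLISHED link to a remote :443 is not one."""
    return [s for s in listeners(text) if s["port"] == port]

if __name__ == "__main__":
    print(listeners(SAMPLE), listening_on(SAMPLE, 443))
```

On a real machine, save the output from the elevated prompt with `netstat -anob > ports.txt` and pass the file's text to `listeners()`.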

I appreciate all the information itman, but the basic question I have is should I be concerned about this? And if so, what can I do about it? Sorry if I seem dense, but I understand plain verbiage best.

[Image: Ports1.jpg]

I also sent GRC an e-mail about the Common Ports scan as I still cannot access that webpage from either IE11 or Firefox 56.0.1.

 

Edited by TomFace

51 minutes ago, TomFace said:

I appreciate all the information itman, but the basic question I have is should I be concerned about this?

Since you are concerned about it, I would contact AT&T tech support and ask them about port 443 usage on the router. If they say "Yes, it is used," then ask them to run a test to verify it is only connecting to your local AT&T IP address. If all checks out, I wouldn't be concerned about what the Eset test tool is stating.

Edited by itman
