blocking incoming udp packets - Firewalls


Thread: blocking incoming udp packets

  1. blocking incoming udp packets

    Hello Group:

    My system: Desktop and laptop networked through Linksys wired router.

    Question: My software firewall (Deerfield Visnetic) is constantly
    logging blocks of incoming udp packets, the source being 192.168.1.1
    (which I presume is the router), destination being 255.255.255.255 or
    192.168.1.255.

    This doesn't seem to interfere with anything, but just watching the
    constant bombardment in the logging screen is annoying.

    Can anyone explain what is going on here? Or what, if anything, I can
    or should do about it?

    I can set the firewall to block and stop logging all udp packets which
    do not have a specific rule. This eliminates the constant screen
    filling. But I'm not sure if I should do this. I really don't
    understand what is happening, which is why I'm asking for help.

    I guess I'm just concerned that my system may not be tweaked properly
    and could be wasting resources. Perhaps I should change something in
    the router setup via the web based configuration program.

    Here are a couple of the log entries, copied:

    2008/07/08, 05:32:18.406, GMT -0400, 2010, Device 3,
    Blocked incoming UDP packet (no matching rule),
    src=192.168.1.1, dst=255.255.255.255, sport=520,
    dport=520

    2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3,
    Blocked incoming UDP packet (no matching rule),
    src=192.168.1.1, dst=192.168.1.255, sport=8385,
    dport=162

    Thanks for any explanations, links to sites to educate me, or
    suggestions.

    Jack



  2. Re: blocking incoming udp packets

    JClark wrote:
    > Here are a couple of the log entries, copied:
    >
    > 2008/07/08, 05:32:18.406, GMT -0400, 2010, Device 3,
    > Blocked incoming UDP packet (no matching rule),
    > src=192.168.1.1, dst=255.255.255.255, sport=520,
    > dport=520


    Seems to be a router broadcasting routing information.

    > 2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3,
    > Blocked incoming UDP packet (no matching rule),
    > src=192.168.1.1, dst=192.168.1.255, sport=8385,
    > dport=162


    Seems to be a network device broadcasting SNMP messages on the local
    network.

    For further information you need to inspect the packets' contents with a
    protocol analyzer (Wireshark, tcpdump, etc.).

    Does your Linksys router have the IP address 192.168.1.1? Unless you
    need RIP or SNMP on your LAN you should check your router's
    configuration.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
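
Added example, not part of any post in the thread: a Python script that parses blocked-UDP entries in the format pasted in the first post and separates the router's broadcasts on the two ports identified in the reply above from anything that still needs a look. The /24 LAN, the function names and the log entries marked constructed are assumptions of the example.

```python
import ipaddress
import re
from collections import Counter

# Port meanings as identified in the thread; extend for your own LAN.
KNOWN_SERVICES = {520: "RIP", 162: "SNMP trap"}

# Assumptions: the LAN is 192.168.1.0/24 and the router is 192.168.1.1.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_address("192.168.1.1")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

ENTRY_RE = re.compile(
    r"(?P<date>\d{4}/\d{2}/\d{2}),\s*(?P<time>[\d:.]+),.*?"
    r"Blocked incoming UDP packet \((?P<reason>[^)]*)\),\s*"
    r"src=(?P<src>[\d.]+),\s*dst=(?P<dst>[\d.]+),\s*"
    r"sport=(?P<sport>\d+),\s*dport=(?P<dport>\d+)"
)

# Entries 1 and 3 are the two quoted in the thread; entries 2 and 4 are
# constructed for this example (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
2008/07/08, 05:32:18.406, GMT -0400, 2010, Device 3,
Blocked incoming UDP packet (no matching rule),
src=192.168.1.1, dst=255.255.255.255, sport=520,
dport=520

2008/07/08, 05:32:48.412, GMT -0400, 2010, Device 3,
Blocked incoming UDP packet (no matching rule),
src=192.168.1.1, dst=255.255.255.255, sport=520,
dport=520

2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3,
Blocked incoming UDP packet (no matching rule),
src=192.168.1.1, dst=192.168.1.255, sport=8385,
dport=162

2008/07/08, 05:41:02.100, GMT -0400, 2010, Device 3,
Blocked incoming UDP packet (no matching rule),
src=203.0.113.7, dst=192.168.1.100, sport=40000,
dport=1900
"""


def parse_entries(text):
    """Return one dict per blocked-UDP entry; entries may wrap across lines."""
    entries = []
    for record in re.split(r"\n\s*\n", text.strip()):
        match = ENTRY_RE.search(" ".join(record.split()))
        if match:
            entries.append({
                "when": f"{match['date']} {match['time']}",
                "src": ipaddress.ip_address(match["src"]),
                "dst": ipaddress.ip_address(match["dst"]),
                "sport": int(match["sport"]),
                "dport": int(match["dport"]),
            })
    return entries


def classify_dst(dst, lan=LAN):
    """Name the kind of destination address the packet was sent to."""
    if dst == LIMITED_BROADCAST:
        return "limited broadcast"
    if dst == lan.broadcast_address:
        return "directed broadcast"
    if dst.is_multicast:
        return "multicast"
    return "unicast"


def triage(entries, lan=LAN, router=ROUTER):
    """Count entries per (verdict, source, destination kind, service)."""
    summary = Counter()
    for entry in entries:
        kind = classify_dst(entry["dst"], lan)
        service = KNOWN_SERVICES.get(entry["dport"], "unknown")
        expected = (entry["src"] == router
                    and kind.endswith("broadcast")
                    and service != "unknown")
        verdict = "router broadcast" if expected else "review"
        summary[(verdict, str(entry["src"]), kind, service)] += 1
    return summary


if __name__ == "__main__":
    for key, count in sorted(triage(parse_entries(SAMPLE_LOG)).items()):
        print(count, *key, sep="\t")
```

Only rows marked "router broadcast" are candidates for a narrow no-log rule; everything under "review" keeps being logged.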

  3. Re: blocking incoming udp packets

    JClark wrote:

    > Hello Group:
    >
    > My system: Desktop and laptop networked through Linksys wired router.
    >
    > Question: My software firewall (Deerfield Visnetic) is constantly
    > logging blocks of incoming udp packets, the source being 192.168.1.1
    > (which I presume is the router), destination being 255.255.255.255 or
    > 192.168.1.255.
    >
    > This doesn't seem to interfere with anything, but just watching the
    > constant bombardment in the logging screen is annoying.
    >
    > Can anyone explain what is going on here? Or what, if anything, I can
    > or should do about it?
    >
    > I can set the firewall to block and stop logging all udp packets which
    > do not have a specific rule. This eliminates the constant screen
    > filling. But I'm not sure if I should do this. I really don't
    > understand what is happening, which is why I'm asking for help.
    >
    > I guess I'm just concerned that my system may not be tweaked properly
    > and could be wasting resources. Perhaps I should change something in
    > the router setup via the web based configuration program.
    >
    > Here are a couple of the log entries, copied:
    >
    > 2008/07/08, 05:32:18.406, GMT -0400, 2010, Device 3,
    > Blocked incoming UDP packet (no matching rule),
    > src=192.168.1.1, dst=255.255.255.255, sport=520,
    > dport=520
    >
    > 2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3,
    > Blocked incoming UDP packet (no matching rule),
    > src=192.168.1.1, dst=192.168.1.255, sport=8385,
    > dport=162
    >
    > Thanks for any explanations, links to sites to educate me, or
    > suggestions.


    Is UPnP enabled in the router? Try disabling it or check that it is
    disabled.

    http://en.wikipedia.org/wiki/Upnp

  4. Re: blocking incoming udp packets

    On Tue, 8 Jul 2008 14:52:22 +0200 (CEST), Ansgar -59cobalt- Wiechers wrote:

    >Does your Linksys router have the IP address 192.168.1.1? Unless you
    >need RIP or SNMP on your LAN you should check your router's
    >configuration.


    Yes, 192.168.1.1 is the router.
    UPnP and SNMP are disabled.

    I will try to investigate the packets as you suggest.

    Thanks.

    Jack


  5. Re: blocking incoming udp packets

    On Tue, 8 Jul 2008 08:32:58 -0500, VanguardLH wrote:

    >Is UPnP enabled in the router? Try disabling it or check that it is
    >disabled.

    Yes, UPnP is disabled in the router.
    I appreciate your help.
    Still not getting a grasp of the overall situation.

    Jack

  6. Re: blocking incoming udp packets

    JClark wrote:

    > VanguardLH wrote:
    >
    >> Is UPnP enabled in the router? Try disabling it or check that it is
    >> disabled.

    >
    > Yes, UPnP is disabled in the router.


    I'm wondering in "2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3"
    as to what is "device 3". Might it be whatever is plugged into the port
    numbered 3 on the router? If so, is that your host or another one? If
    another one, try yanking the cable out of port #3 on the router to see
    if it all quiets down.

  7. Re: blocking incoming udp packets

    On Tue, 8 Jul 2008 16:00:45 -0500, VanguardLH wrote:

    >JClark wrote:
    >
    >> VanguardLH wrote:
    >>
    >>> Is UPnP enabled in the router? Try disabling it or check that it is
    >>> disabled.

    >>
    >> Yes, UPnP is disabled in the router.

    >
    >I'm wondering in "2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3"
    >as to what is "device 3". Might it be whatever is plugged into the port
    >numbered 3 on the router? If so, is that your host or another one? If
    >another one, try yanking the cable out of port #3 on the router to see
    >if it all quiets down.

    Hello VanguardLH,

    The firewall (Deerfield Visnetic) recognizes and lists four devices or
    "adapters".
    #1 is labeled \DEVICE\NDISWANBH (? a WAN miniport)
    # 2 is labeled Dialup Adapter
    #3 is labeled Local Area Connection
    #4 is labeled Local Area Connection

    (#3 and #4 correspond to two LAN connections on the motherboard, which
    correspond to two networking adapters seen in Device Manager. Only the
    one corresponding to Local Area Connection #3 on the firewall is being
    used.)

    I have configured the firewall to block everything on adapters #1
    and #2 and #4.

    The one I use is Device #3, LAN.

    Returning to the original question, a summary, as I see it (not
    necessarily correctly):

    It seems the router is sending udp packets to 255.255.255.255 (both
    source and destination ports = 520), or to 192.168.1.255 (source port
    ranging from 7000 to 7259, and destination port 162).

    I have no idea what this all means.

    Again, I appreciate your help.

    Jack




  8. Re: blocking incoming udp packets

    JClark wrote:
    ....
    > It seems the router is sending udp packets to 255.255.255.255 (both
    > source and destination ports = 520), or to 192.168.1.255 (source port
    > ranging from 7000 to 7259, and destination port 162).


    Ansgar already explained, but since you wrote

    > I have no idea what this all means.


    I will repeat one more time, and I will provide some links to
    additional information.

    That is broadcast[1]

    UDP 520 is a port used by Routing Information Protocol (RIP) [2] and [3].

    UDP 162 is a port used by Simple Network Management Protocol (SNMP) [4]
    and [5]

    IMO everything is OK. But to be sure, follow Ansgar's advice and inspect
    packet content; you can use, for example, Wireshark[6].

    [1] http://en.wikipedia.org/wiki/Broadcast_address
    [2] http://www.auditmypc.com/port/udp-port-520.asp
    [3] http://en.wikipedia.org/wiki/Routing...ation_Protocol
    [4] http://www.auditmypc.com/port/udp-port-162.asp
    [5] http://en.wikipedia.org/wiki/Simple_...ement_Protocol
    [6] http://www.wireshark.org/

  9. Re: blocking incoming udp packets

    On Wed, 09 Jul 2008 09:35:58 +0200, "@lf" wrote:

    >JClark wrote:
    >...
    >> It seems the router is sending udp packets to 255.255.255.255 (both
    >> source and destination ports = 520), or to 192.168.1.255 (source port
    >> ranging from 7000 to 7259, and destination port 162).

    >
    >Ansgar already explained, but since you wrote
    >
    >> I have no idea what this all means.

    >
    >I will repeat one more time, and I will provide some links to
    >additional information.
    >
    >That is broadcast[1]
    >
    >UDP 520 is a port used by Routing Information Protocol (RIP) [2] and [3].
    >
    >UDP 162 is a port used by Simple Network Management Protocol (SNMP) [4]
    >and [5]
    >
    >IMO everything is OK. But to be sure, follow Ansgar's advice and inspect
    >packet content; you can use, for example, Wireshark[6].
    >
    >[1] http://en.wikipedia.org/wiki/Broadcast_address
    >[2] http://www.auditmypc.com/port/udp-port-520.asp
    >[3] http://en.wikipedia.org/wiki/Routing...ation_Protocol
    >[4] http://www.auditmypc.com/port/udp-port-162.asp
    >[5] http://en.wikipedia.org/wiki/Simple_...ement_Protocol
    >[6] http://www.wireshark.org/

    Many thanks! I will spend some time on the links you have provided and
    perhaps become better informed.
    I may also post something in the Linksys forum (presuming there is
    one) to see if I have the router configured correctly.
    Again, thanks.

    Jack

  10. Re: blocking incoming udp packets

    JClark wrote:

    > On Tue, 8 Jul 2008 16:00:45 -0500, VanguardLH wrote:
    >
    >>JClark wrote:
    >>
    >>> VanguardLH wrote:
    >>>
    >>>> Is UPnP enabled in the router? Try disabling it or check that it is
    >>>> disabled.
    >>>
    >>> Yes, UPnP is disabled in the router.

    >>
    >>I'm wondering in "2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3"
    >>as to what is "device 3". Might it be whatever is plugged into the port
    >>numbered 3 on the router? If so, is that your host or another one? If
    >>another one, try yanking the cable out of port #3 on the router to see
    >>if it all quiets down.

    > Hello VanguardLH,
    >
    > The firewall (Deerfield Visnetic) recognizes and lists four devices or
    > "adapters".
    > #1 is labeled \DEVICE\NDISWANBH (? a WAN miniport)
    > # 2 is labeled Dialup Adapter
    > #3 is labeled Local Area Connection
    > #4 is labeled Local Area Connection
    >
    > (#3 and #4 correspond to two LAN connections on the motherboard, which
    > correspond to two networking adapters seen in Device Manager. Only the
    > one corresponding to Local Area Connection #3 on the firewall is being
    > used.)
    >
    > I have configured the firewall to block everything on adapters #1
    > and #2 and #4.
    >
    > The one I use is Device #3, LAN.
    >
    > Returning to the original question, a summary, as I see it (not
    > necessarily correctly):
    >
    > It seems the router is sending udp packets to 255.255.255.255 (both
    > source and destination ports = 520), or to 192.168.1.255 (source port
    > ranging from 7000 to 7259, and destination port 162).
    >
    > I have no idea what this all means.
    >
    > Again, I appreciate your help.
    >
    > Jack


    Oops, my bad. I thought the "log" was from the router's firewall, not
    from your software firewall on your intranet host. Have you checked
    your router's logs? Did you enable logging in the router? Sometimes
    the router's logs are not so easy to read plus it might be limited in
    the number of records retained. WallWatcher works with some routers to
    extract their logs so you can review them locally.

  11. Re: blocking incoming udp packets

    JClark writes:

    > Returning to the original question, a summary, as I see it (not
    > necessarily correctly):
    >
    > It seems the router is sending udp packets to 255.255.255.255 (both
    > source and destination ports = 520), or to 192.168.1.255 (source port
    > ranging from 7000 to 7259, and destination port 162).
    >
    > I have no idea what this all means.


    UDP 162 is the SNMP trap port. If you're not familiar with simple
    network management protocol, this traffic to 162 may simply be the
    network device attempting to send traps to be logged by an SNMP
    management station.

    UDP 520 is RIP routing. The router is advertising routes with this
    exceedingly simple, easy to spoof protocol.

    Both should be functionality that can be disabled in the source
    network device.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
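
Added example, not part of any post in the thread: once a capture tool has handed over the UDP payload of one of these port-520 broadcasts, the RIP message format is simple enough to decode directly. The Python below parses a RIPv1 or RIPv2 message and reports whether it carries any authentication; both sample payloads are constructed, and the function names are the example's own.

```python
import ipaddress
import struct

COMMANDS = {1: "request", 2: "response"}
AUTH_TYPES = {2: "simple password", 3: "cryptographic"}
UNREACHABLE = 16  # RIP metric meaning "infinity"


def parse_rip(payload: bytes) -> dict:
    """Decode the UDP payload of a RIP message (4-byte header + 20-byte entries)."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("not a well-formed RIP message")
    command, version, _unused = struct.unpack("!BBH", payload[:4])
    msg = {"command": COMMANDS.get(command, f"unknown({command})"),
           "version": version, "auth": None, "routes": []}
    for off in range(4, len(payload), 20):
        afi, tag, addr, mask, _next_hop, metric = struct.unpack(
            "!HHIIII", payload[off:off + 20])
        if afi == 0xFFFF and version >= 2 and off == 4:
            # RIPv2 authentication entry: the tag field carries the auth type.
            msg["auth"] = AUTH_TYPES.get(tag, f"type {tag}")
            continue
        msg["routes"].append({
            "dest": str(ipaddress.IPv4Address(addr)),
            # RIPv1 carries no mask; receivers infer it from the address.
            "prefix": bin(mask).count("1") if version >= 2 else None,
            "metric": metric,
            "reachable": metric < UNREACHABLE,
        })
    return msg


def findings(msg: dict) -> list:
    """Observations a defender would note about one decoded message."""
    notes = []
    if msg["version"] == 1:
        notes.append("RIPv1: the format has no authentication field")
    elif msg["auth"] is None:
        notes.append("RIPv2 without an authentication entry")
    elif msg["auth"] == "simple password":
        notes.append("RIPv2 simple password: sent in cleartext")
    for route in msg["routes"]:
        if route["dest"] == "0.0.0.0" and route["reachable"]:
            notes.append("advertises a default route")
    return notes


def _entry(afi, tag, addr, mask, next_hop, metric):
    """Build one 20-byte route entry for the constructed samples."""
    as_int = lambda a: int(ipaddress.IPv4Address(a))
    return struct.pack("!HHIIII", afi, tag, as_int(addr), as_int(mask),
                       as_int(next_hop), metric)


# Constructed sample: a RIPv1 response advertising a default route.
SAMPLE_V1 = struct.pack("!BBH", 2, 1, 0) + _entry(
    2, 0, "0.0.0.0", "0.0.0.0", "0.0.0.0", 1)

# Constructed sample: a RIPv2 response with a simple-password auth entry.
SAMPLE_V2 = (struct.pack("!BBH", 2, 2, 0)
             + struct.pack("!HH16s", 0xFFFF, 2, b"constructed-pw")
             + _entry(2, 0, "192.168.1.0", "255.255.255.0", "0.0.0.0", 1))

if __name__ == "__main__":
    for name, sample in (("v1", SAMPLE_V1), ("v2", SAMPLE_V2)):
        decoded = parse_rip(sample)
        print(name, decoded, findings(decoded))
```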

  12. Re: blocking incoming udp packets

    On Wed, 09 Jul 2008 13:06:15 -0500, comphelp@toddh.net (Todd H.)
    wrote:

    >JClark writes:
    >
    >> Returning to the original question, a summary, as I see it (not
    >> necessarily correctly):
    >>
    >> It seems the router is sending udp packets to 255.255.255.255 (both
    >> source and destination ports = 520), or to 192.168.1.255 (source port
    >> ranging from 7000 to 7259, and destination port 162).
    >>
    >> I have no idea what this all means.

    >
    >UDP 162 is the SNMP trap port. If you're not familiar with simple
    >network management protocol, this traffic to 162 may simply be the
    >network device attempting to send traps to be logged by an SNMP
    >management station.
    >
    >UDP 520 is RIP routing. The router is advertising routes with this
    >exceedingly simple, easy to spoof protocol.
    >
    >Both should be functionality that can be disabled in the source
    >network device.
    >
    >Best Regards,

    Sounds like good advice. I'll work on the Linksys setup with their
    web-based configuration program.
    I'm still not understanding it all in depth, but your comments and the
    earlier replies have given me a good base to work with.
    Thank you.

    Jack

  13. Re: blocking incoming udp packets

    On Wed, 9 Jul 2008 12:32:42 -0500, VanguardLH wrote:

    >JClark wrote:
    >
    >> On Tue, 8 Jul 2008 16:00:45 -0500, VanguardLH wrote:
    >>
    >>>JClark wrote:
    >>>
    >>>> VanguardLH wrote:
    >>>>
    >>>>> Is UPnP enabled in the router? Try disabling it or check that it is
    >>>>> disabled.
    >>>>
    >>>> Yes, UPnP is disabled in the router.
    >>>
    >>>I'm wondering in "2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3"
    >>>as to what is "device 3". Might it be whatever is plugged into the port
    >>>numbered 3 on the router? If so, is that your host or another one? If
    >>>another one, try yanking the cable out of port #3 on the router to see
    >>>if it all quiets down.

    >> Hello VanguardLH,
    >>
    >> The firewall (Deerfield Visnetic) recognizes and lists four devices or
    >> "adapters".
    >> #1 is labeled \DEVICE\NDISWANBH (? a WAN miniport)
    >> # 2 is labeled Dialup Adapter
    >> #3 is labeled Local Area Connection
    >> #4 is labeled Local Area Connection
    >>
    >> (#3 and #4 correspond to two LAN connections on the motherboard, which
    >> correspond to two networking adapters seen in Device Manager. Only the
    >> one corresponding to Local Area Connection #3 on the firewall is being
    >> used.)
    >>
    >> I have configured the firewall to block everything on adapters #1
    >> and #2 and #4.
    >>
    >> The one I use is Device #3, LAN.
    >>
    >> Returning to the original question, a summary, as I see it (not
    >> necessarily correctly):
    >>
    >> It seems the router is sending udp packets to 255.255.255.255 (both
    >> source and destination ports = 520), or to 192.168.1.255 (source port
    >> ranging from 7000 to 7259, and destination port 162).
    >>
    >> I have no idea what this all means.
    >>
    >> Again, I appreciate your help.
    >>
    >> Jack

    >
    >Oops, my bad. I thought the "log" was from the router's firewall, not
    >from your software firewall on your intranet host. Have you checked
    >your router's logs? Did you enable logging in the router? Sometimes
    >the router's logs are not so easy to read plus it might be limited in
    >the number of records retained. WallWatcher works with some routers to
    >extract their logs so you can review them locally.

    Nothing unusual in the router logs.
    Thanks for suggestion.

    Jack

  14. Re: blocking incoming udp packets

    On Wed, 09 Jul 2008 13:06:15 -0500, comphelp@toddh.net (Todd H.)
    wrote:

    >JClark writes:
    >
    >> Returning to the original question, a summary, as I see it (not
    >> necessarily correctly):
    >>
    >> It seems the router is sending udp packets to 255.255.255.255 (both
    >> source and destination ports = 520), or to 192.168.1.255 (source port
    >> ranging from 7000 to 7259, and destination port 162).
    >>
    >> I have no idea what this all means.

    >
    >UDP 162 is the SNMP trap port. If you're not familiar with simple
    >network management protocol, this traffic to 162 may simply be the
    >network device attempting to send traps to be logged by an SNMP
    >management station.
    >
    >UDP 520 is RIP routing. The router is advertising routes with this
    >exceedingly simple, easy to spoof protocol.
    >
    >Both should be functionality that can be disabled in the source
    >network device.
    >
    >Best Regards,

    Todd,
    Some good news. I was able to disable RIP routing in the router, and
    now all the traffic over UDP 520 has stopped.
    Now I need to work on the SNMP 162. It isn't quite as clear.
    But it seems I'm on the right track.
    Many thanks again.

    Jack

  15. Re: blocking incoming udp packets

    JClark writes:

    > On Wed, 09 Jul 2008 13:06:15 -0500, comphelp@toddh.net (Todd H.)
    > wrote:
    >
    >>JClark writes:
    >>
    >>> Returning to the original question, a summary, as I see it (not
    >>> necessarily correctly):
    >>>
    >>> It seems the router is sending udp packets to 255.255.255.255 (both
    >>> source and destination ports = 520), or to 192.168.1.255 (source port
    >>> ranging from 7000 to 7259, and destination port 162).
    >>>
    >>> I have no idea what this all means.

    >>
    >>UDP 162 is the SNMP trap port. If you're not familiar with simple
    >>network management protocol, this traffic to 162 may simply be the
    >>network device attempting to send traps to be logged by an SNMP
    >>management station.
    >>
    >>UDP 520 is RIP routing. The router is advertising routes with this
    >>exceedingly simple, easy to spoof protocol.
    >>
    >>Both should be functionality that can be disabled in the source
    >>network device.
    >>
    >>Best Regards,

    > Todd,
    > Some good news. I was able to disable RIP routing in the router, and
    > now all the traffic over UDP 520 has stopped.
    > Now I need to work on the SNMP 162. It isn't quite as clear.
    > But it seems I'm on the right track.
    > Many thanks again.


    Disabling SNMP in general on the device is a good idea if you're not
    using it. Did I miss in this thread where the make/model of the
    router was mentioned?


    --
    Todd H.
    http://www.toddh.net/

  16. Re: blocking incoming udp packets

    On Wed, 09 Jul 2008 22:14:13 -0500, comphelp@toddh.net (Todd H.)
    wrote:

    >JClark writes:
    >
    >> On Wed, 09 Jul 2008 13:06:15 -0500, comphelp@toddh.net (Todd H.)
    >> wrote:
    >>
    >>>JClark writes:
    >>>
    >>>> Returning to the original question, a summary, as I see it (not
    >>>> necessarily correctly):
    >>>>
    >>>> It seems the router is sending udp packets to 255.255.255.255 (both
    >>>> source and destination ports = 520), or to 192.168.1.255 (source port
    >>>> ranging from 7000 to 7259, and destination port 162).
    >>>>
    >>>> I have no idea what this all means.
    >>>
    >>>UDP 162 is the SNMP trap port. If you're not familiar with simple
    >>>network management protocol, this traffic to 162 may simply be the
    >>>network device attempting to send traps to be logged by an SNMP
    >>>management station.
    >>>
    >>>UDP 520 is RIP routing. The router is advertising routes with this
    >>>exceedingly simple, easy to spoof protocol.
    >>>
    >>>Both should be functionality that can be disabled in the source
    >>>network device.
    >>>
    >>>Best Regards,

    >> Todd,
    >> Some good news. I was able to disable RIP routing in the router, and
    >> now all the traffic over UDP 520 has stopped.
    >> Now I need to work on the SNMP 162. It isn't quite as clear.
    >> But it seems I'm on the right track.
    >> Many thanks again.

    >
    >Disabling SNMP in general on the device is a good idea if you're not
    >using it. Did I miss in this thread where the make/model of the
    >router was mentioned?

    Hi Todd,

    It's a Linksys BEFSX41.
    The RIP disabling was easy to do, and that has stopped the traffic on
    port 520.
    Under "Administration" I have SNMP "disable" checked, so SNMP ought to
    be disabled. I also have UPnP disabled.

    But I'm still getting the port 162 traffic.

    Thanks again.

    Jack

  17. Re: blocking incoming udp packets

    JClark writes:

    > On Wed, 09 Jul 2008 22:14:13 -0500, comphelp@toddh.net (Todd H.)
    > wrote:
    >
    >>JClark writes:
    >>
    >>> On Wed, 09 Jul 2008 13:06:15 -0500, comphelp@toddh.net (Todd H.)
    >>> wrote:
    >>>
    >>>>JClark writes:
    >>>>
    >>>>> Returning to the original question, a summary, as I see it (not
    >>>>> necessarily correctly):
    >>>>>
    >>>>> It seems the router is sending udp packets to 255.255.255.255 (both
    >>>>> source and destination ports = 520), or to 192.168.1.255 (source port
    >>>>> ranging from 7000 to 7259, and destination port 162).
    >>>>>
    >>>>> I have no idea what this all means.
    >>>>
    >>>>UDP 162 is the SNMP trap port. If you're not familiar with simple
    >>>>network management protocol, this traffic to 162 may simply be the
    >>>>network device attempting to send traps to be logged by an SNMP
    >>>>management station.
    >>>>
    >>>>UDP 520 is RIP routing. The router is advertising routes with this
    >>>>exceedingly simple, easy to spoof protocol.
    >>>>
    >>>>Both should be functionality that can be disabled in the source
    >>>>network device.
    >>>>
    >>>>Best Regards,
    >>> Todd,
    >>> Some good news. I was able to disable RIP routing in the router, and
    >>> now all the traffic over UDP 520 has stopped.
    >>> Now I need to work on the SNMP 162. It isn't quite as clear.
    >>> But it seems I'm on the right track.
    >>> Many thanks again.

    >>
    >>Disabling SNMP in general on the device is a good idea if you're not
    >>using it. Did I miss in this thread where the make/model of the
    >>router was mentioned?

    > Hi Todd,
    >
    > It's a Linksys BEFSX41.
    > The RIP disabling was easy to do, and that has stopped the traffic on
    > port 520.
    > Under "Administration" I have SNMP "disable" checked, so SNMP ought to
    > be disabled. I also have UPnP disabled.
    >
    > But I'm still getting the port 162 traffic.


    Barring an answer from an owner here, your next step is to go to a Linksys
    support forum on this model and ask users there how to disable the
    sending of traps.

    You will also want to make sure you have the latest firmware for that
    device as it has quite a checkered history with respect to exploitable
    firmware vulnerabilities.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  18. Re: blocking incoming udp packets

    On Thu, 10 Jul 2008 09:06:00 -0500, comphelp@toddh.net (Todd H.)
    wrote:

    >JClark writes:
    >
    >> On Wed, 09 Jul 2008 22:14:13 -0500, comphelp@toddh.net (Todd H.)
    >> wrote:
    >>
    >>>JClark writes:
    >>>
    >>>> On Wed, 09 Jul 2008 13:06:15 -0500, comphelp@toddh.net (Todd H.)
    >>>> wrote:
    >>>>
    >>>>>JClark writes:
    >>>>>
    >>>>>> Returning to the original question, a summary, as I see it (not
    >>>>>> necessarily correctly):
    >>>>>>
    >>>>>> It seems the router is sending udp packets to 255.255.255.255 (both
    >>>>>> source and destination ports = 520), or to 192.168.1.255 (source port
    >>>>>> ranging from 7000 to 7259, and destination port 162).
    >>>>>>
    >>>>>> I have no idea what this all means.
    >>>>>
    >>>>>UDP 162 is the SNMP trap port. If you're not familiar with simple
    >>>>>network management protocol, this traffic to 162 may simply be the
    >>>>>network device attempting to send traps to be logged by an SNMP
    >>>>>management station.
    >>>>>
    >>>>>UDP 520 is RIP routing. The router is advertising routes with this
    >>>>>exceedingly simple, easy to spoof protocol.
    >>>>>
    >>>>>Both should be functionality that can be disabled in the source
    >>>>>network device.
    >>>>>
    >>>>>Best Regards,
    >>>> Todd,
    >>>> Some good news. I was able to disable RIP routing in the router, and
    >>>> now all the traffic over UDP 520 has stopped.
    >>>> Now I need to work on the SNMP 162. It isn't quite as clear.
    >>>> But it seems I'm on the right track.
    >>>> Many thanks again.
    >>>
    >>>Disabling SNMP in general on the device is a good idea if you're not
    >>>using it. Did I miss in this thread where the make/model of the
    >>>router was mentioned?

    >> Hi Todd,
    >>
    >> It's a Linksys BEFSX41.
    >> The RIP disabling was easy to do, and that has stopped the traffic on
    >> port 520.
    >> Under "Administration" I have SNMP "disable" checked, so SNMP ought to
    >> be disabled. I also have UPnP disabled.
    >>
    >> But I'm still getting the port 162 traffic.

    >
    >Barring an answer from an owner here, your next step is to go to a Linksys
    >support forum on this model and ask users there how to disable the
    >sending of traps.
    >
    >You will also want to make sure you have the latest firmware for that
    >device as it has quite a checkered history with respect to exploitable
    >firmware vulnerabilities.
    >
    >Best Regards,

    Todd,

    You and the other reply posters have been very helpful. I'm getting a
    better understanding of the process. I'll try to follow through with
    suggestions, including posting in the Linksys forum and updating the
    firmware.

    One last question: Could you recommend a replacement for the Linksys
    router ("checkered history")? Or even a hardware firewall/router? I
    know there would be some new learning involved.

    Again, many thanks


    Jack

  19. Re: blocking incoming udp packets

    JClark writes:

    > Todd,
    >
    > You and the other reply posters have been very helpful. I'm getting a
    > better understanding of the process. I'll try to follow through with
    > suggestions, including posting in the Linksys forum and updating the
    > firmware.
    >
    > One last question: Could you recommend a replacement for the Linksys
    > router ("checkered history")? Or even a hardware firewall/router? I
    > know there would be some new learning involved.
    >
    > Again, many thanks


    I'm a fan of the third party firmware projects out there like dd-wrt
    and tomato.

    Check the hardware compatibility matrix for these firmware
    projects--your Linksys could get a new lease on life perhaps just by
    blowing away the factory firmware and replacing it with one of these
    free open source projects.

    Otherwise, a Linksys WRT54GL from newegg.com lets you play nicely
    with these.
    http://www.dd-wrt.com/
    http://www.polarcloud.com/tomato

    Or, just update to the latest linksys firmware to fix the known flaws
    your current firmware may have.

    --
    Todd H.
    http://www.toddh.net/

  20. Re: blocking incoming udp packets

    On Thu, 10 Jul 2008 18:12:53 -0500, comphelp@toddh.net (Todd H.)
    wrote:

    >JClark writes:
    >
    >> Todd,
    >>
    >> You and the other reply posters have been very helpful. I'm getting a
    >> better understanding of the process. I'll try to follow through with
    >> suggestions, including posting in the Linksys forum and updating the
    >> firmware.
    >>
    >> One last question: Could you recommend a replacement for the Linksys
    >> router ("checkered history")? Or even a hardware firewall/router? I
    >> know there would be some new learning involved.
    >>
    >> Again, many thanks

    >
    >I'm a fan of the third party firmware projects out there like dd-wrt
    >and tomato.
    >
    >Check the hardware compatibility matrix for these firmware
    >projects--your Linksys could get a new lease on life perhaps just by
    >blowing away the factory firmware and replacing it with one of these
    >free open source projects.
    >
    >Otherwise, a Linksys WRT54GL from newegg.com lets you play nicely
    >with these.
    >http://www.dd-wrt.com/
    >http://www.polarcloud.com/tomato
    >
    >Or, just update to the latest linksys firmware to fix the known flaws
    >your current firmware may have.

    Your post was copied and I will work on it. Thanks for the umpteenth
    time!

    Jack
