[cumbria_lug] Windows Network Noise on the Net.

Steve Steve at fadges.demon.co.uk
Mon Dec 20 20:07:26 GMT 2004


Ian Linwood wrote:
> Hello Steve,
> 
> S> Of the 850 or so direct hits at my external IP address in the last 3 1/2
> S> days, 84% seems to be related to MS Windows Netbios and Message Service
> S> (Spam) (ports 135,137,139,445,1026,1027).  The other 16% was mostly
> S> viruses and general port scans for machines compromised by various 
> S> hacking tools.
> 
> Yep. This is throttling the Net.
> You'll probably find that the Netbios, and DS stuff (135-139 & 445) are
> originating from other users using the same ISP. Most providers allow this
> kind of crap across their internal routers, but block it on their
> border routers.  Some not so good ISPs let everything in/out :-( and
> don't give a damn.

I'd agree with that hypothesis.  Most of the 135/445 is coming from less 
than a dozen machines in the local area, although I am seeing some from 
further afield.

> S> Most of the addresses for hacks and viruses seem to originate from
> S> China, with Russia a close second and noise from the US and Sweden!
> 
> How are you checking this. Do NOT rely on reverse DNS to resolve
> domain names. The only way to check is to track back the IP to the
> relevant ISP.

I was thinking of reverse DNS for an automated lookup, but I've been 
doing a manual lookup in the RIPE/IANA database for a general global 
position.  I'll have to remember that one.

> S> Most of the NetBios stuff seems to be from local machines in the same
> S> 'local' net as myself, although one machine was responsible for 50 hits
> S> (of 295 on port 135) - I was actually quite shocked after a fit of 
> S> madness I put the address in Windows Exploder (as if attaching to a file
> S> share) and up pops a login dialog for what would appear to be a 
> S> completely unprotected machine on broadband - the mind boggles.
> 
> As you have discovered, there are a lot of clueless people out there.
> I wonder how viruses spread ;-(

A universal human constant (or more likely exponent!).  Seems even more 
in fashion.  :-(

> S> I'd be very curious if anyone else has seen any similar patterns, or had
> S>   done/found anything similar.
> 
> Been a problem for years. Just don't add to it and make sure your
> outbound filtering is as robust as your inbound. It can be a PITA, but
> the less you let out, the less others can tell about your network. I
> don't want to throw stones, but are you sure your LAN isn't letting
> this kind of stuff out?

I'm fairly well configured. Anything which wants to get out has to get 
past my internal firewall box before it can get to my router, which 
would block it as well if any did manage to sneak past.

> S> Anyway, on to the big question...  has anyone come across any tools for
> S> analysing Syslog logs to get information and stats out of them. Most of
> S> the entries I'm interested are of the form:
> 
> S> Dec 19 04:48:01 z.z.z.z router1: src="x.x.x.x:port" dst="y.y.y.y:port"
> S> msg="Firewall default policy: UDP (L to W)" note="ACCESS BLOCK"
> 
> S> I've got syslog setup to collect all the information from the router in
> S> a separate file, so extracting from the main system logs isn't a problem.
> 
> Good. The amount of people who log straight to /etc/syslog or /etc/
> messages is stunning. A DDOS/crash waiting to happen.

Nice to know I'm doing something right. (No quips Trev)

> S> I'm wanting to extract all the port information, as well as source
> S> addresses for automated lookup, so I can see build up a picture of 
> S> what's happening outside.  Stats on ports, etc, as well as where all
> S> this stuff is coming from.
> 
> S> I'm open to thoughts and suggestions.
> 
> I'm afraid most ISPs are very poor at acting on abuse reports (there
> are some exceptions though). All I can suggest is to be aware of the
> threats and take necessary actions to protect your network.
> 
> Depending on the throughput of your network link, I would suggest a
> Linux (or openbsd) bridging firewall, between your router and your network, this
> would allow you to do finer filtering and logging. The other advantage
> is to allow you to use FOSS tools to log/analyse the data, both
> historically and in real time.

Haven't managed to find a suitable tool yet, so if you have any pointers 
in that direction it would be useful - save me inventing a new wheel - 
although it would force me to learn some more useful skills if I did  ;-)

> ie.  big BAD world<-->router<-->filtering bridge<-->your lovely safe LAN

What you describe is pretty much what I have...  ie.

Safe Lan <-->Linux/Firewall/Router<-->OuterLan<-->Router<-->BadWorld

I do have an additional lan hanging off the Linux box which I use for a 
DMZ if I'm cleaning someone's machine and need to patch from MS/Etc 
without risking my own machines.

I've thought about building a bridge rather than a router, and may have 
a go at that next year when I've a bit more time.

> I don't know what kind of router you have, or link type, so it is
> difficult to advise.  Smaller routers are put under a tremendous load
> when asked to do firewall work. So an attack can lead to a DDOS, as
> the CPU on the router gets hammered. I let routers route, and employ a
> dedicated firewall. I would also set up a http proxy. This offers a little
> more protection to users on the LAN and has the benefit of caching
> frequently accessed pages. The proxy box could also do DNS caching.

My router is a Zyxel 652R-11. I'm also using NAT on both the Linux box 
as well as on the Zyxel router.

My connection is a virtually nailed up standard 1/2 meg ADSL with a 
static IP - hence my general paranoia.

I'm running squid for caching as well, but probably have a low hit rate 
with it most of the time unless I've people round, but the practice in 
config and maintenance is useful.


Cheers
Steve
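An added example, not part of the original thread: a small Python parser for the router log format Steve quotes (`src="x.x.x.x:port" dst="y.y.y.y:port" msg="..." note="ACCESS BLOCK"`), which pulls out source addresses and destination ports and builds the kind of per-port and per-source statistics he is after. The sample lines are constructed (RFC 5737 documentation addresses, made-up ports); the reading of "(W to L)" as WAN-to-LAN and "(L to W)" as LAN-to-WAN, and the set of ports treated as Windows NetBIOS/Messenger noise, are assumptions taken from the thread rather than anything confirmed by the router's documentation.

```python
import re
from collections import Counter

# Constructed sample in the router syslog format quoted in the thread.
# Addresses are RFC 5737 documentation ranges; ports and times are made up.
SAMPLE_LOG = """\
Dec 19 04:48:01 192.0.2.1 router1: src="198.51.100.7:1028" dst="203.0.113.5:135" msg="Firewall default policy: TCP (W to L)" note="ACCESS BLOCK"
Dec 19 04:48:03 192.0.2.1 router1: src="198.51.100.7:1029" dst="203.0.113.5:445" msg="Firewall default policy: TCP (W to L)" note="ACCESS BLOCK"
Dec 19 04:49:10 192.0.2.1 router1: src="198.51.100.22:2345" dst="203.0.113.5:1026" msg="Firewall default policy: UDP (W to L)" note="ACCESS BLOCK"
Dec 19 04:50:00 192.0.2.1 router1: src="198.51.100.7:1030" dst="203.0.113.5:135" msg="Firewall default policy: TCP (W to L)" note="ACCESS BLOCK"
Dec 19 04:50:41 192.0.2.1 router1: src="198.51.100.50:4000" dst="203.0.113.5:22" msg="Firewall default policy: TCP (W to L)" note="ACCESS BLOCK"
Dec 19 04:51:12 192.0.2.1 router1: some unrelated event with no src/dst fields
Dec 19 04:52:30 192.0.2.1 router1: src="203.0.113.5:53" dst="198.51.100.99:53" msg="Firewall default policy: UDP (L to W)" note="ACCESS BLOCK"
"""

# One regex per line; the named groups are the fields the thread wants out:
# source address and port, destination address and port, message and note.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>\S+?):\s+'
    r'src="(?P<src_ip>[^":]+):(?P<src_port>\d+)"\s+'
    r'dst="(?P<dst_ip>[^":]+):(?P<dst_port>\d+)"\s+'
    r'msg="(?P<msg>[^"]*)"\s+note="(?P<note>[^"]*)"'
)

# Assumption: "(W to L)" means WAN->LAN (inbound) and "(L to W)" LAN->WAN (outbound).
DIRECTION_RE = re.compile(r'\b(?P<proto>TCP|UDP|ICMP)\s*\((?P<frm>[A-Z]) to (?P<to>[A-Z])\)')

# Ports the thread associates with Windows NetBIOS/SMB and Messenger-service spam.
WINDOWS_NOISE_PORTS = {135, 137, 138, 139, 445, 1026, 1027}


def parse_line(line):
    """Return a dict of fields for one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    d = DIRECTION_RE.search(rec["msg"])
    rec["proto"] = d.group("proto") if d else None
    rec["direction"] = f'{d.group("frm")}>{d.group("to")}' if d else None
    return rec


def summarise(text):
    """Aggregate a syslog extract into per-port and per-source counts of blocked traffic."""
    inbound_ports, inbound_srcs, outbound_ports = Counter(), Counter(), Counter()
    parsed = skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Lines that do not parse, or are not firewall blocks, are counted but ignored.
        if rec is None or rec["note"] != "ACCESS BLOCK":
            skipped += 1
            continue
        parsed += 1
        if rec["direction"] == "W>L":          # hits arriving from outside
            inbound_ports[rec["dst_port"]] += 1
            inbound_srcs[rec["src_ip"]] += 1
        elif rec["direction"] == "L>W":        # something on the LAN trying to get out
            outbound_ports[rec["dst_port"]] += 1
    inbound_total = sum(inbound_ports.values())
    windows_hits = sum(n for p, n in inbound_ports.items() if p in WINDOWS_NOISE_PORTS)
    return {
        "parsed": parsed,
        "skipped": skipped,
        "inbound_total": inbound_total,
        "inbound_by_dst_port": dict(inbound_ports),
        "inbound_by_src_ip": dict(inbound_srcs),
        "outbound_by_dst_port": dict(outbound_ports),
        # Share of inbound blocks aimed at the Windows NetBIOS/Messenger ports.
        "windows_noise_share": windows_hits / inbound_total if inbound_total else 0.0,
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f'{s["parsed"]} blocks parsed, {s["skipped"]} lines skipped')
    print("inbound by destination port:", s["inbound_by_dst_port"])
    print("inbound by source address:", s["inbound_by_src_ip"])
    print("outbound by destination port:", s["outbound_by_dst_port"])
    print(f'Windows noise share of inbound: {s["windows_noise_share"]:.0%}')
```

Feed it the router's separate syslog file instead of `SAMPLE_LOG` (for example `summarise(open("/var/log/router.log").read())`, path assumed) to get the per-port and per-source tallies; the `inbound_by_src_ip` keys are the addresses to take to the RIPE/ARIN/APNIC whois lookups Ian recommends, rather than to reverse DNS. The outbound tally is worth watching separately, as Ian says, since anything blocked on the LAN-to-WAN side points at a machine inside the network misbehaving.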
