Network Problems

puns

Moderator
Herald
I am running ZoneAlarm Pro. Suddenly today I get this message:

The firewall has blocked internet access to your computer ( NETBIOS Session ) from 203.76.***.*** <---( my ip address ) ( TCP PORT 4849 , 4858) TCP FLAG S.

Because of this, I get errors with P2P like BearShare, which cannot detect my IP. I can access the net fine, surfing the net is fine ...

What's going on? :huh:
 
Code:
The firewall has blocked internet access to your computer ( NETBIOS Session ) from 203.76.***.*** <---( my ip address ) ( TCP PORT 4849 , 4858) TCP FLAG S.

Are you sure that IP address is your system IP address indeed? Which ISP is this? Does it have a LAN within the ISP network?

I'll break it down to what that message should imply afaik.

Either a host inside a LAN you are in is trying to access NETBIOS shares through NETBIOS name resolution OR an outside intruder is spoofing attacks appearing to be from a legit user within the LAN.

IP address would seem to me the IP of the attacker.

TCP PORT is the Transmission Control Protocol Port it is trying to associate with or access.

TCP FLAG S < As you may know, TCP is a connection-oriented protocol, i.e. a three-way handshake takes place before the data, or payload as it is technically called, can be transferred.

S stands for Synchronize, the first step in making a connection between any two hosts which want to transfer data between them.

So as far as I can see it's a classic case of NetBIOS hacking, unless you provide us with any more information which would mean otherwise.

As regarding P2P application errors, what errors do you get? Could you post the exact error messages here?
 
Initially ZoneAlarm was picking up my IP address ... then it picked up another IP of a person on my LAN (pacenet). I asked the person on the LAN and he says he has nothing to do with it, so I think it's more like, as you said, some outside attacker spoofing (how do I differentiate whether it's him or some outsider?).

I uninstalled ZoneAlarm as I read on some sites that it has been known to give such errors in some cases. Now I have Kerio Personal Firewall and things seemed fine as I firewalled NetBIOS settings.

If it is a case of NetBIOS attack, what can I do to see who this attacker is, and what else can I do?

Thanks digen for your help.
 
puns said:
Initially ZoneAlarm was picking up my IP address ... then it picked up another IP of a person on my LAN (pacenet). I asked the person on the LAN and he says he has nothing to do with it, so I think it's more like, as you said, some outside attacker spoofing (how do I differentiate whether it's him or some outsider?).
Naa, I'm not counting on some intruder from outside carrying out an attack; it may be a possibility but it's rare. I won't trust the guy you contacted if I were you.

Instead I would send the log file attached & email a small note to your ISP to take notice of it. I understand very few ISPs care about users' interest & security, so you may not get any help from their side the majority of the time, but it isn't costing you anything to bang on a dead man's body [I made this :rofl:]

Secondly, differentiating between inside & outside will have to be from your firewall end. Now that you have Kerio, look for something such as advanced firewall logging or something similar & report back the findings. Paste or PM me the log if you want, I'll go over it.
If it is a case of NetBIOS attack, what can I do to see who this attacker is, and what else can I do?
Send or paste the ZoneAlarm log file if you have it with you now, I'll break it apart if you want me to.

Btw diggy, don't you think this could be a false positive as well? ZA has an old habit of doing that.
Of course, most software or application-based firewalls can screw up!
But the bottom line is it's better to be safe than sorry. And as far as this problem was concerned, puns has not given us the complete log from the firewall. Till he does so I would call it a clear cut attack or mishap on ZA's end. :)
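
Added example, not part of any post in this thread: a small Python triage of alert lines worded like the one quoted above, decoding the TCP flag letters and sorting each logged source into own address, same LAN, or outside. The addresses, the /24 LAN range and the function name are constructed assumptions; the thread's real addresses are masked.

```python
import ipaddress
import re

# Matches the alert wording quoted in the thread; every address below is constructed.
ALERT_RE = re.compile(
    r"\(\s*(?P<service>[^)]+?)\s*\)\s*from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?TCP PORT\s+(?P<ports>[\d\s,]+?)\s*\)\s*TCP FLAG\s+(?P<flags>[A-Z]+)",
    re.IGNORECASE,
)
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}


def classify_alert(alert, own_ip, lan_cidr):
    """Parse one alert line; own_ip and lan_cidr are supplied by the user (assumed known)."""
    m = ALERT_RE.search(alert)
    if m is None:
        return None  # masked or differently worded lines are skipped, not guessed at
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    flags = [FLAG_NAMES.get(c, c) for c in m["flags"].upper()]
    if src == ipaddress.ip_address(own_ip):
        origin = "own-address"
    elif src in ipaddress.ip_network(lan_cidr):
        origin = "same-lan"
    else:
        origin = "outside"
    # origin reflects the logged source address only; a lone SYN does not prove who sent it.
    return {
        "service": m["service"],
        "source": str(src),
        "ports": [int(p) for p in re.findall(r"\d+", m["ports"])],
        "flags": flags,
        "handshake_start": flags == ["SYN"],  # SYN alone = first step of the handshake
        "origin": origin,
    }


TEMPLATE = ("The firewall has blocked internet access to your computer "
            "( NETBIOS Session ) from {ip} ( TCP PORT 4849 , 4858) TCP FLAG S.")
SAMPLES = [TEMPLATE.format(ip=ip) for ip in ("198.51.100.23", "198.51.100.77", "203.0.113.9")]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify_alert(line, own_ip="198.51.100.23", lan_cidr="198.51.100.0/24"))
```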