From: JClark on
On Wed, 09 Jul 2008 22:14:13 -0500, comphelp(a)toddh.net (Todd H.)
wrote:

>JClark <jclark(a)nomail.invalid> writes:
>
>> On Wed, 09 Jul 2008 13:06:15 -0500, comphelp(a)toddh.net (Todd H.)
>> wrote:
>>
>>>JClark <jclark(a)nomail.invalid> writes:
>>>
>>>> Returning to the original question, a summary, as I see it (not
>>>> necessarily correctly):
>>>>
>>>> It seems the router is sending udp packets to 255.255.255.255 (both
>>>> source and destination ports = 520), or to 192.168.1.255 (source port
>>>> ranging from 7000 to 7259, and destination port 162).
>>>>
>>>> I have no idea what this all means.
>>>
>>>UDP 162 is the SNMP trap port. If you're not familiar with simple
>>>network management protocol, this traffic to 162 may simply be the
>>>network device attempting to send traps to be logged by an SNMP
>>>management station.
>>>
>>>UDP 520 is RIP routing. The router is advertising routes with this
>>>exceedingly simple, easy to spoof protocol.
>>>
>>>Both should be functionality that can be disabled in the source
>>>network device.
>>>
>>>Best Regards,
>> Todd,
>> Some good news. I was able to disable RIP routing in the router, and
>> now all the traffic over UDP 520 has stopped.
>> Now I need to work on the SNMP 162. It isn't quite as clear.
>> But it seems I'm on the right track.
>> Many thanks again.
>
>Disabling SNMP in general on the device is a good idea if you're not
>using it. Did I miss in this thread where the make/model of the
>router was mentioned?
Hi Todd,

It's a Linksys BEFSX41.
The RIP disabling was easy to do, and that has stopped the traffic on
port 520.
Under "Administration" I have SNMP "disable" checked, so SNMP ought to
be disabled. I also have UPnP disabled.

But I'm still getting the port 162 traffic.

Thanks again.

Jack
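The two port numbers explained in the quoted reply are easy to confirm from a capture. Below is an added example, not code from the thread, that classifies broadcast UDP datagrams by destination port the way the reply does (udp/520 = RIP, udp/162 = SNMP traps) and decodes what a RIP advertisement actually carries. The tcpdump-style lines and the RIP bytes are constructed for the example, assuming a router at 192.168.1.1 on 192.168.1.0/24; they are not a capture from a BEFSX41, and the field names in the report are my own.

```python
"""Added example (not from the original thread): flag broadcast UDP chatter like
the RIP (udp/520) and SNMP trap (udp/162) traffic described above, and decode
what a RIP advertisement carries. All input is constructed: the tcpdump-style
lines imitate a router at 192.168.1.1 on 192.168.1.0/24, not a real BEFSX41."""
import ipaddress
import re
import struct
from collections import defaultdict

# Constructed sample capture in `tcpdump -n` summary format.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.168.1.1.520 > 255.255.255.255.520: UDP, length 24
12:00:01.500000 IP 192.168.1.1.7000 > 192.168.1.255.162: UDP, length 61
12:00:31.000000 IP 192.168.1.1.520 > 255.255.255.255.520: UDP, length 24
12:00:31.500000 IP 192.168.1.1.7001 > 192.168.1.255.162: UDP, length 61
12:00:45.000000 IP 192.168.1.50.49152 > 192.168.1.1.53: UDP, length 40
"""
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP"
)
# Destination ports the thread is about, with the router feature that stops them.
UDP_SERVICES = {
    520: ("RIP route advertisement", "disable RIP / dynamic routing"),
    162: ("SNMP trap", "disable SNMP and clear the trap destination"),
}


def is_broadcast(dst: str, lan: str = "192.168.1.0/24") -> bool:
    """True for the limited broadcast or the LAN's directed broadcast address."""
    return dst == "255.255.255.255" or (
        ipaddress.ip_address(dst) == ipaddress.ip_network(lan).broadcast_address
    )


def classify_capture(text: str, lan: str = "192.168.1.0/24") -> dict:
    """Group broadcast UDP datagrams by (source host, service) and name the fix.
    The source-port spread (e.g. 7000-7259) is one sender cycling ephemeral
    ports toward a fixed destination port, not a second service."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["dport"]) in UDP_SERVICES and is_broadcast(m["dst"], lan):
            seen[(m["src"], int(m["dport"]))].append(int(m["sport"]))
    report = {}
    for (src, dport), sports in seen.items():
        service, fix = UDP_SERVICES[dport]
        report[f"{src} -> udp/{dport}"] = {
            "count": len(sports),
            "source_ports": (min(sports), max(sports)),
            "service": service,
            "remediation": fix,
        }
    return report


# RIP wire format (RFC 1058 / RFC 2453): 4-byte header, then 20-byte entries.
RIP_HEADER = struct.Struct("!BBH")       # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")  # AF, route tag, net, mask, next hop, metric
RIP_RESPONSE, AF_INET, RIP_INFINITY = 2, 2, 16


def build_rip_response(routes, version: int = 2) -> bytes:
    """Encode a RIP response of (network, mask, metric) entries.
    RIPv1 has no authentication, so any host on the broadcast domain can emit
    exactly this datagram and a RIPv1 listener will accept it; that is what
    "easy to spoof" means in the reply above."""
    payload = RIP_HEADER.pack(RIP_RESPONSE, version, 0)
    for net, mask, metric in routes:
        if version == 1:
            mask = "0.0.0.0"  # v1 entries carry no mask; receivers infer it classfully
        payload += RIP_ENTRY.pack(AF_INET, 0, ipaddress.ip_address(net).packed,
                                  ipaddress.ip_address(mask).packed, b"\x00" * 4, metric)
    return payload


def parse_rip(payload: bytes) -> dict:
    """Decode a RIP datagram into its advertised routes (metric 16 = unreachable)."""
    command, version, _zero = RIP_HEADER.unpack_from(payload, 0)
    if command not in (1, 2):
        raise ValueError(f"unknown RIP command {command}")
    routes = []
    for off in range(RIP_HEADER.size, len(payload), RIP_ENTRY.size):
        af, _tag, net, mask, _nh, metric = RIP_ENTRY.unpack_from(payload, off)
        if af == AF_INET:  # AF 0xFFFF entries are RIPv2 authentication, skipped here
            routes.append({"network": str(ipaddress.ip_address(net)),
                           "mask": str(ipaddress.ip_address(mask)),
                           "metric": metric, "reachable": metric < RIP_INFINITY})
    return {"command": "response" if command == RIP_RESPONSE else "request",
            "version": version, "routes": routes}
```

Feed `classify_capture` the output of `tcpdump -n udp` on the LAN segment and it reports, per sending host and service, how many broadcasts were seen and which router setting to turn off. A 24-byte udp/520 datagram, as in the constructed lines, is one RIP header plus a single route entry; `parse_rip` shows the network, mask and metric being pushed to every host on the segment, which is the information a spoofed RIP response would overwrite.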
From: Todd H. on
JClark <jclark(a)nomail.invalid> writes:

> On Wed, 09 Jul 2008 22:14:13 -0500, comphelp(a)toddh.net (Todd H.)
> wrote:
>
>>JClark <jclark(a)nomail.invalid> writes:
>>
>>> On Wed, 09 Jul 2008 13:06:15 -0500, comphelp(a)toddh.net (Todd H.)
>>> wrote:
>>>
>>>>JClark <jclark(a)nomail.invalid> writes:
>>>>
>>>>> Returning to the original question, a summary, as I see it (not
>>>>> necessarily correctly):
>>>>>
>>>>> It seems the router is sending udp packets to 255.255.255.255 (both
>>>>> source and destination ports = 520), or to 192.168.1.255 (source port
>>>>> ranging from 7000 to 7259, and destination port 162).
>>>>>
>>>>> I have no idea what this all means.
>>>>
>>>>UDP 162 is the SNMP trap port. If you're not familiar with simple
>>>>network management protocol, this traffic to 162 may simply be the
>>>>network device attempting to send traps to be logged by an SNMP
>>>>management station.
>>>>
>>>>UDP 520 is RIP routing. The router is advertising routes with this
>>>>exceedingly simple, easy to spoof protocol.
>>>>
>>>>Both should be functionality that can be disabled in the source
>>>>network device.
>>>>
>>>>Best Regards,
>>> Todd,
>>> Some good news. I was able to disable RIP routing in the router, and
>>> now all the traffic over UDP 520 has stopped.
>>> Now I need to work on the SNMP 162. It isn't quite as clear.
>>> But it seems I'm on the right track.
>>> Many thanks again.
>>
>>Disabling SNMP in general on the device is a good idea if you're not
>>using it. Did I miss in this thread where the make/model of the
>>router was mentioned?
> Hi Todd,
>
> It's a Linksys BEFSX41.
> The RIP disabling was easy to do, and that has stopped the traffic on
> port 520.
> Under "Administration" I have SNMP "disable" checked, so SNMP ought to
> be disabled. I also have UPnP disabled.
>
> But I'm still getting the port 162 traffic.

Barring an answer from an owner here, your next step is to go to a Linksys
support forum for this model and ask the users there how to disable the
sending of traps.

You will also want to make sure you have the latest firmware for that
device as it has quite a checkered history with respect to exploitable
firmware vulnerabilities.

Best Regards,
--
Todd H.
http://www.toddh.net/
From: JClark on
On Thu, 10 Jul 2008 09:06:00 -0500, comphelp(a)toddh.net (Todd H.)
wrote:

>JClark <jclark(a)nomail.invalid> writes:
>
>> On Wed, 09 Jul 2008 22:14:13 -0500, comphelp(a)toddh.net (Todd H.)
>> wrote:
>>
>>>JClark <jclark(a)nomail.invalid> writes:
>>>
>>>> On Wed, 09 Jul 2008 13:06:15 -0500, comphelp(a)toddh.net (Todd H.)
>>>> wrote:
>>>>
>>>>>JClark <jclark(a)nomail.invalid> writes:
>>>>>
>>>>>> Returning to the original question, a summary, as I see it (not
>>>>>> necessarily correctly):
>>>>>>
>>>>>> It seems the router is sending udp packets to 255.255.255.255 (both
>>>>>> source and destination ports = 520), or to 192.168.1.255 (source port
>>>>>> ranging from 7000 to 7259, and destination port 162).
>>>>>>
>>>>>> I have no idea what this all means.
>>>>>
>>>>>UDP 162 is the SNMP trap port. If you're not familiar with simple
>>>>>network management protocol, this traffic to 162 may simply be the
>>>>>network device attempting to send traps to be logged by an SNMP
>>>>>management station.
>>>>>
>>>>>UDP 520 is RIP routing. The router is advertising routes with this
>>>>>exceedingly simple, easy to spoof protocol.
>>>>>
>>>>>Both should be functionality that can be disabled in the source
>>>>>network device.
>>>>>
>>>>>Best Regards,
>>>> Todd,
>>>> Some good news. I was able to disable RIP routing in the router, and
>>>> now all the traffic over UDP 520 has stopped.
>>>> Now I need to work on the SNMP 162. It isn't quite as clear.
>>>> But it seems I'm on the right track.
>>>> Many thanks again.
>>>
>>>Disabling SNMP in general on the device is a good idea if you're not
>>>using it. Did I miss in this thread where the make/model of the
>>>router was mentioned?
>> Hi Todd,
>>
>> It's a Linksys BEFSX41.
>> The RIP disabling was easy to do, and that has stopped the traffic on
>> port 520.
>> Under "Administration" I have SNMP "disable" checked, so SNMP ought to
>> be disabled. I also have UPnP disabled.
>>
>> But I'm still getting the port 162 traffic.
>
>Barring an answer from an owner here, your next step is to go to a Linksys
>support forum for this model and ask the users there how to disable the
>sending of traps.
>
>You will also want to make sure you have the latest firmware for that
>device as it has quite a checkered history with respect to exploitable
>firmware vulnerabilities.
>
>Best Regards,
Todd,

You and the other reply posters have been very helpful. I'm getting a
better understanding of the process. I'll try to follow through with
suggestions, including posting in the Linksys forum and updating the
firmware.

One last question: Could you recommend a replacement for the Linksys
router ("checkered history")? Or even a hardware firewall/router? I
know there would be some new learning involved.

Again, many thanks


Jack
From: Todd H. on
JClark <jclark(a)nomail.invalid> writes:

> Todd,
>
> You and the other reply posters have been very helpful. I'm getting a
> better understanding of the process. I'll try to follow through with
> suggestions, including posting in the Linksys forum and updating the
> firmware.
>
> One last question: Could you recommend a replacement for the Linksys
> router ("checkered history")? Or even a hardware firewall/router? I
> know there would be some new learning involved.
>
> Again, many thanks

I'm a fan of the third party firmware projects out there like dd-wrt
and tomato.

Check the hardware compatibility matrix for these firmware
projects--your Linksys could get a new lease on life perhaps just by
blowing away the factory firmware and replacing it with one of these
free open source projects.

Otherwise, a Linksys WRT54GL from newegg.com lets you play nicely
with these.
http://www.dd-wrt.com/
http://www.polarcloud.com/tomato

Or, just update to the latest linksys firmware to fix the known flaws
your current firmware may have.

--
Todd H.
http://www.toddh.net/
From: JClark on
On Thu, 10 Jul 2008 18:12:53 -0500, comphelp(a)toddh.net (Todd H.)
wrote:

>JClark <jclark(a)nomail.invalid> writes:
>
>> Todd,
>>
>> You and the other reply posters have been very helpful. I'm getting a
>> better understanding of the process. I'll try to follow through with
>> suggestions, including posting in the Linksys forum and updating the
>> firmware.
>>
>> One last question: Could you recommend a replacement for the Linksys
>> router ("checkered history")? Or even a hardware firewall/router? I
>> know there would be some new learning involved.
>>
>> Again, many thanks
>
>I'm a fan of the third party firmware projects out there like dd-wrt
>and tomato.
>
>Check the hardware compatibility matrix for these firmware
>projects--your Linksys could get a new lease on life perhaps just by
>blowing away the factory firmware and replacing it with one of these
>free open source projects.
>
>Otherwise, a Linksys WRT54GL from newegg.com lets you play nicely
>with these.
>http://www.dd-wrt.com/
>http://www.polarcloud.com/tomato
>
>Or, just update to the latest linksys firmware to fix the known flaws
>your current firmware may have.
Your post was copied and I will work on it. Thanks for the umpteenth
time!

Jack