UDP port probe
False Positives
This is not necessarily an attack.
This may be what is known as a "false-positive", which is when the product detects an anomaly that isn't actually an attack.
The most common source of this alert is when the user first dials up to the Internet. Busy ISPs will re-assign IP addresses quickly, which means that as soon as you dial-up with your modem, you will be assigned the IP address of another user that just hung up. Any server attempting to send data to that other user will then be sending data at you. (Just like when you get your new telephone number and you start receiving phone calls intended for the person who used to own it). The product triggers this alert every time it receives UDP data that your computer never asked for.
In networks using Microsoft Exchange servers, one may see UDP port probes as well. Sometimes an Exchange server will send a "new mail notification" UDP packet to an unpredictable UDP destination port. Because there is no process on the client system listening on that port, the client replies with an "ICMP port unreachable" to the Exchange server. This causes BlackICE, running on the client system, to report a "UDP port probe" event. BlackICE is accurately reporting what it sees; however, in this situation it is a false alarm. According to Microsoft, there is no way to configure a client or server to avoid this problem, although Knowledge Base article Q159302 does mention a registry entry change on the Exchange server that reduces the problem without eliminating it. The details of this registry entry are in Knowledge Base article "TCP/IP Transport Entries, Part 1 (Q102973)". The parameter involved in this registry change is "TcpKeepCnt"; its default value is 120 minutes. Warning: Modifying the KeepAlive time is not recommended. It is better to have BlackICE ignore UDP port probes triggered by Exchange server systems.
A common source of this alert is RealNetworks audio/video servers. You can check this for yourself by looking at the port number (which is part of the URL above). RealAudio uses ports in the range 6970-7080. RealNetworks streams trigger this alert because the protocol is very popular, and therefore one of the more common kinds of traffic people receive as soon as they dial up. They also trigger it because servers keep streaming data at your computer for a little while after your RealNetworks client shuts down. Please see article q000121.
A port is a point of entry into a system. Each program running on a system is reached through its own ports. Most ports are "well-known": you can look them up in a table to get a good sense of which applications may be using which ports. If a particular application is not deployed on your machine or on your network, it is quite possible an intruder is probing your network for open ports.
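The two false-positive sources above (Exchange new-mail notifications from a known server, and RealAudio streams on ports 6970-7080) and the "is this service even deployed here?" question can be turned into a small triage routine. The following is an added example written for this page; it is not BlackICE code and assumes an event record with `src_ip`, `src_port` and `dst_port` fields, an operator-supplied list of Exchange server addresses, and a small constructed table of well-known UDP ports. It treats the RealAudio range as inclusive of both ends, which is an assumption about the page's "6970-7080".

```python
"""Triage of unsolicited-UDP ("UDP port probe") events.

Added example, not BlackICE's own logic. Assumed event shape:
{"src_ip": str, "src_port": int, "dst_port": int}.
"""
from dataclasses import dataclass
import ipaddress

# RealAudio port range as stated on the page (assumed inclusive).
REALAUDIO_PORTS = range(6970, 7081)

# Small constructed table of well-known UDP ports; a real deployment
# would load a full services table instead.
WELL_KNOWN_UDP = {
    53: "dns",
    123: "ntp",
    137: "netbios-ns",
    161: "snmp",
    1434: "ms-sql-m",
}


@dataclass(frozen=True)
class Verdict:
    label: str    # false-positive | likely-false-positive | expected | investigate | review
    reason: str


def triage(event, exchange_servers=frozenset(), deployed_services=frozenset()):
    """Classify one event. exchange_servers: IP strings of known Exchange
    servers; deployed_services: names from WELL_KNOWN_UDP that really run here."""
    src = ipaddress.ip_address(event["src_ip"])
    dst_port = int(event["dst_port"])
    known_exchange = {ipaddress.ip_address(a) for a in exchange_servers}

    # 1. A known Exchange server sending to an unpredictable port: the
    #    new-mail notification case, a false alarm by the page's account.
    if src in known_exchange:
        return Verdict("false-positive", "new-mail notification from known Exchange server")

    # 2. Destination inside the RealAudio range: a stream that outlived the
    #    client, or one aimed at the previous holder of a dial-up address.
    if dst_port in REALAUDIO_PORTS:
        return Verdict("likely-false-positive", f"RealAudio stream port {dst_port}")

    # 3. Well-known port: fine if that service is deployed locally, otherwise
    #    it looks like someone probing for a service that is not here.
    service = WELL_KNOWN_UDP.get(dst_port)
    if service is not None:
        if service in deployed_services:
            return Verdict("expected", f"{service} is deployed on this host")
        return Verdict("investigate", f"{service} port {dst_port} probed but not deployed")

    # 4. Anything else: unsolicited UDP worth a human look, no stronger claim.
    return Verdict("review", f"unsolicited UDP to port {dst_port}")


def summarize(events, exchange_servers=frozenset(), deployed_services=frozenset()):
    """Count verdict labels over a batch of events."""
    counts = {}
    for ev in events:
        label = triage(ev, exchange_servers, deployed_services).label
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample events (documentation address ranges, not real hosts).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "src_port": 1053, "dst_port": 4011},       # Exchange server
    {"src_ip": "203.0.113.9", "src_port": 7070, "dst_port": 6970},    # RealAudio
    {"src_ip": "203.0.113.9", "src_port": 7070, "dst_port": 7080},    # RealAudio, top of range
    {"src_ip": "198.51.100.77", "src_port": 40000, "dst_port": 1434}, # ms-sql-m not deployed
    {"src_ip": "198.51.100.77", "src_port": 40001, "dst_port": 31337},# unknown port
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = triage(ev, exchange_servers={"10.0.0.5"})
        print(f"{ev['src_ip']:>14} -> udp/{ev['dst_port']:<5} {v.label:22} {v.reason}")
    print(summarize(SAMPLE_EVENTS, exchange_servers={"10.0.0.5"}))
```

The allowlist is keyed on the Exchange server's address rather than on the destination port, because the page states the notification port is unpredictable; suppressing by port would either miss the case or hide genuine probes.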
Summary
Somebody has tried to access your machine and failed.
Details
This is one of the most common intrusions detected on the Internet. It is so common because hackers frequently run wide-spread scans looking for one specific exploit they can use to break into systems; a typical scan covers thousands or millions of machines. In other words, the hacker isn't targeting you personally. In particular, this event is generated upon failed attempts, so there is no reason to worry.
Probes like this result from "script-kiddies", hackers just above the skill level of trained monkeys. They download attack programs (called "scripts") from various sites on the net, then run them against millions of machines. There are thousands of script-kiddies out there, so if you have an always-on connection (cable-modem, DSL), then you can expect about one of these scans per day.
About 10% of these scans are from forged (spoofed) addresses. This means the indicated IP address is probably that of the real attacker, but a small percentage of the time the indicated person is completely innocent.
About 20% of these scans are from machines already compromised by a hacker. In other words, if you report this scan back to the originator, they may thank you, because you've discovered a hacked system on their network they didn't know about.
Information on reporting the hacker can be found in our support Knowledge Base article q000016.
Version appeared: 2.5