Log: TCP connection denied from 64.4.19.253:80 to 192.168...

steve

Archived from groups: microsoft.public.windowsxp.basics,microsoft.public.windowsxp.security_admin (More info?)

Hello,

I'm seeing the following log in my router's packet filtering log:

TCP connection denied from 64.4.19.253:80 to 192.168.0.8:1723

This worries me... since 1723/tcp is a port allocated to MS VPN IP tunneling
(bi-directional).

I don't think it's a problem isolated to hotmail (64.4.19.253) ... but that
it could happen to any standard port 80 web site I access since the local
port assignment (i.e. 1723 in this case) is apparently unpredictable.
However, this is the only report in my logs of an event like this... and
I've been using the following configuration for a while.

In my situation, I'm behind 3 routers each with NAT/Firewall/SPI
capabilities, it appears to work most of the time without any degradation to
my incoming internet connection (i.e. routers 98Mbps throughput, ISP
12Mbps) - the hardware seems to take care of NAT handling pretty well in
all other connection situations - hence my concern at this particular
issue....

(incidentally, to avoid further discussion on software firewalls - I've
turned mine off... since I'm only referring to the way the OS works in
relation to the rest of the world - s/w firewalls are useful, but shouldn't
be the "be all & end all" since in real-life usage they let through a lot
of traffic... both ways...)

Is there any way that I can restrict IE to a set range of ports for incoming
traffic? Or is it purely Open game hunting season across all ports above
1024 for IE? (And other apps)?


Steve
 

steve


Interestingly, I've also just received the following.... to the SOCKS port...

2005/08/23 23:16:04 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)
2005/08/23 23:16:04 ATTACK ALERT [ DROP ]: 4 attempts from 65.54.239.82.Total=4.
2005/08/23 23:15:48 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)
2005/08/23 23:15:41 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)
2005/08/23 23:15:38 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)


Is there any reason why hotmail would wish to connect to it?
 

Fitz


Belongs to Hotmail. Do you have a hotmail account?

WHOIS Record For
64.4.19.253
Record Type: IP Address


OrgName: MS Hotmail
OrgID: MSHOTM
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 64.4.0.0 - 64.4.63.255
CIDR: 64.4.0.0/18
NetName: HOTMAIL
NetHandle: NET-64-4-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.HOTMAIL.COM
NameServer: NS3.HOTMAIL.COM
NameServer: NS2.HOTMAIL.COM
NameServer: NS4.HOTMAIL.COM
Comment:
RegDate: 1999-11-24
Updated: 2003-06-27

TechHandle: MSFTP-ARIN
TechName: MSFT-POC
TechPhone: +1-425-882-8080
TechEmail: iprrms@microsoft.com

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@microsoft.com

OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: iprrms@microsoft.com
 

steve


I've figured out that it's simply IE listening on port 1080 for returning
traffic.

Is there any way that I can restrict IE to a set range of ports for incoming
traffic? Or is it purely Open game hunting season across all ports above
1024 for IE? (And other apps)?


Steve
 

Fitz


I don't think you can restrict ports unless you're using a firewall or
router that lets you block wide ranges of ports. However, I'm not the
expert on this. I would think that might cause unexpected problems.
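
Added example, not part of the original thread: a triage script for the router log lines posted above. It parses each `TCP connection denied` entry and separates packets that look like replies from a web server (source port 80 or 443) to a client-side dynamic port from other inbound attempts. The 1025-5000 range is the Windows XP default dynamic port range and is an assumption about the hosts involved; the last sample line and the label names are constructed for illustration.

```python
import re
from collections import Counter

# Log lines copied from the thread (rejoined where the posts wrapped them).
# The final line is constructed for contrast and does not come from the thread.
SAMPLE_LOG = """\
2005/08/23 23:16:04 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)
2005/08/23 23:16:04 ATTACK ALERT [ DROP ]: 4 attempts from 65.54.239.82.Total=4.
2005/08/23 23:15:48 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)
2005/08/23 23:15:41 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)
2005/08/23 23:15:38 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)
TCP connection denied from 64.4.19.253:80 to 192.168.0.8:1723
2005/08/23 23:20:00 FILTER TCP connection denied from 203.0.113.7:40112 to 192.168.0.1:1723 (eth1)
"""

DENIED = re.compile(
    r"TCP connection denied from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)"
)
SERVER_PORTS = {80, 443}        # web server side of a browser connection
EPHEMERAL = range(1025, 5001)   # assumed: Windows XP default dynamic ports

def classify(line):
    """Return (src, sport, dst, dport, label), or None for non-matching lines."""
    m = DENIED.search(line)
    if m is None:
        return None             # e.g. the ATTACK ALERT summary line
    sport, dport = int(m["sport"]), int(m["dport"])
    if sport in SERVER_PORTS and dport in EPHEMERAL:
        label = "reply-to-client-port"   # looks like late return traffic
    else:
        label = "unsolicited-inbound"    # does not fit the reply pattern
    return m["src"], sport, m["dst"], dport, label

def summarize(log_text):
    """Count denied packets per (source, source port, local port, label)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec:
            src, sport, _dst, dport, label = rec
            counts[(src, sport, dport, label)] += 1
    return counts

if __name__ == "__main__":
    for (src, sport, dport, label), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {src}:{sport} -> local port {dport}: {label}")
```

The sender chooses its own source port, so `reply-to-client-port` is a hint rather than proof; confirm it against an outbound connection from that host to the same remote address around the same time.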
 
