Log: TCP connection denied from 64.4.19.253:80 to 192.168.0.8:1723

Steve

Hello,

I'm seeing the following log in my router's packet filtering log:

TCP connection denied from 64.4.19.253:80 to 192.168.0.8:1723

This worries me... since 1723/tcp is a port allocated to MS VPN IP tunneling
(bi-directional).

I don't think it's a problem isolated to hotmail (64.4.19.253) ... but that
it could happen to any standard port 80 web site I access since the local
port assignment (i.e. 1723 in this case) is apparently unpredictable.
However, this is the only report in my logs of an event like this... and
I've been using the following configuration for a while.

In my situation, I'm behind 3 routers each with NAT/Firewall/SPI
capabilities, it appears to work most of the time without any degradation to
my incoming internet connection (i.e. routers 98Mbps throughput, ISP
12Mbps) - the hardware seems to take care of NAT handling pretty well in
all other connection situations - hence my concern at this particular
issue....

(incidentally, to avoid further discussion on software firewalls - I've
turned mine off... since I'm only referring to the way the OS works in
relation to the rest of the world - s/w firewalls are useful, but shouldn't
be the "be all & end all" since in real-life usage they let through a lot
of traffic... both ways...)

Is there any way that I can restrict IE to a set range of ports for incoming
traffic? Or is it purely Open game hunting season across all ports above
1024 for IE? (And other apps)?


Steve
 
Steve

Interestingly, I've also just received the following.... to the SOCKS
port...

2005/08/23 23:16:04 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)
2005/08/23 23:16:04 ATTACK ALERT [ DROP ]: 4 attempts from 65.54.239.82.Total=4.
2005/08/23 23:15:48 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)
2005/08/23 23:15:41 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)
2005/08/23 23:15:38 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)


Is there any reason why hotmail would wish to connect to it?
 
Fitz

Belongs to Hotmail. Do you have a hotmail account?

WHOIS Record For
64.4.19.253
Record Type: IP Address


OrgName: MS Hotmail
OrgID: MSHOTM
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 64.4.0.0 - 64.4.63.255
CIDR: 64.4.0.0/18
NetName: HOTMAIL
NetHandle: NET-64-4-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.HOTMAIL.COM
NameServer: NS3.HOTMAIL.COM
NameServer: NS2.HOTMAIL.COM
NameServer: NS4.HOTMAIL.COM
Comment:
RegDate: 1999-11-24
Updated: 2003-06-27

TechHandle: MSFTP-ARIN
TechName: MSFT-POC
TechPhone: +1-425-882-8080
TechEmail: (e-mail address removed)

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: (e-mail address removed)

OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: (e-mail address removed)




 
Steve

I've figured out that it's simply IE listening on port 1080 for returning
traffic.

Is there any way that I can restrict IE to a set range of ports for incoming
traffic? Or is it purely Open game hunting season across all ports above
1024 for IE? (And other apps)?


Steve

 
Fitz

I don't think you can restrict ports unless you're using a firewall or
router that lets you block wide ranges of ports. However, I'm not the
expert on this. I would think that might cause unexpected problems.


 
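A triage sketch for the router log format quoted in this thread, added here as an example and not posted by any participant: it separates denied packets that look like late replies from a web server to a client's local port (the conclusion Steve reaches for port 1080) from unsolicited inbound attempts. The 1025-5000 ephemeral range is an assumption about a default Windows XP-era client, and the last sample line is constructed for contrast.

```python
import re
from collections import Counter

# Matches the router's "connection denied" lines, with or without
# the timestamp prefix and interface suffix seen in the thread.
DENIED = re.compile(
    r"(?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# Assumption: client uses the default Windows XP-era dynamic port range.
EPHEMERAL = range(1025, 5001)

def classify(line):
    """Return (src, sport, dst, dport, verdict) or None for non-matching lines."""
    m = DENIED.search(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    # Source is a well-known service port and the destination falls in the
    # client's ephemeral range: most likely a reply to a connection the
    # client opened, arriving after the NAT/SPI state entry was dropped.
    if sport < 1024 and dport in EPHEMERAL:
        verdict = "stale-reply"
    else:
        verdict = "inbound-probe"
    return m["src"], sport, m["dst"], dport, verdict

def summarize(lines):
    """Count denied packets per (source IP, destination port, verdict)."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[(hit[0], hit[3], hit[4])] += 1
    return counts

SAMPLE = [
    "TCP connection denied from 64.4.19.253:80 to 192.168.0.8:1723",
    "2005/08/23 23:16:04 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)",
    "2005/08/23 23:16:04 ATTACK ALERT [ DROP ]: 4 attempts from 65.54.239.82.Total=4.",
    "2005/08/23 23:15:48 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)",
    "2005/08/23 23:15:41 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)",
    "2005/08/23 23:15:38 FILTER TCP connection denied from 65.54.239.82:80 to 192.168.0.1:1080 (eth1)",
    # Constructed line: high source port aimed at 1723, for contrast.
    "2005/08/23 23:20:00 FILTER TCP connection denied from 203.0.113.7:40112 to 192.168.0.1:1723 (eth1)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(key, n)
```

A destination port that matches a registered service number (1723, 1080) is not evidence of a probe on its own when the source port is 80; the verdict here rests on the source port and the client's dynamic range.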
