[PLUG] Adaptive firewall considerations

max.reid at saikonetworks.com
Fri Apr 1 14:37:47 UTC 2005




> > 
> > If there is some normal level of chatter then I assume it would be limited
> > to the immediate network on which the Windows box resides such that it
> > might be normal to see this trickle of hits from the neighbors on our
> > ISP's network, but hits to these ports from hosts in China would clearly
> > be malicious. Yes? No?
> 
> Windows boxes do try to find each other and this is a polling operation
> that occurs even when no connections are made.

It must be noted that the polling operation is typically broadcast traffic that
will not cross routed boundaries, unless you are using WINS or DNS in some sort
of MS Domain setup.  

If you see random unicast traffic using NetBIOS (135) or CIFS (445), it's most
likely the clap or someone running portscans, and it doesn't matter if it's from
China or your ISP's network.

Regards,
Max
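
The distinction drawn in the message above, sketched as a log triage check. This is an added example, not part of the original post: it treats hits on the two ports named there as expected chatter only when they are broadcasts from the local subnet, and as suspect otherwise, without looking at where the source is located. The subnet, the log format and all sample lines are constructed assumptions.

```python
import ipaddress
import re

# Ports named in the message above; the local subnet is an assumption.
WATCHED_PORTS = {135, 445}
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed LAN (documentation range)
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed netfilter-style log lines (not real traffic).
SAMPLE_LOG = """\
Apr  1 14:01:02 fw kernel: IN=eth0 SRC=192.0.2.17 DST=192.0.2.255 PROTO=UDP SPT=445 DPT=445
Apr  1 14:01:09 fw kernel: IN=eth0 SRC=192.0.2.40 DST=192.0.2.5 PROTO=TCP SPT=3312 DPT=445
Apr  1 14:02:30 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=4821 DPT=135
Apr  1 14:02:31 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=4822 DPT=80
Apr  1 14:03:00 fw kernel: IN=eth0 SRC=192.0.2.17 DST=255.255.255.255 PROTO=UDP SPT=135 DPT=135
"""

FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")


def classify(line, local_net=LOCAL_NET, ports=WATCHED_PORTS):
    """Return 'chatter', 'suspect', or None when the line is not of interest."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "DST", "DPT"} <= fields.keys():
        return None
    if int(fields["DPT"]) not in ports:
        return None
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    is_broadcast = dst in (LIMITED_BROADCAST, local_net.broadcast_address)
    # Broadcast polling stays inside the routed boundary, so it is only
    # expected when the sender is on the local subnet.
    if is_broadcast and src in local_net:
        return "chatter"
    # Unicast to these ports is suspect whether the source is a neighbor
    # on the same network or a host on the other side of the world.
    return "suspect"


def suspects(log):
    """List (source, destination port) for every suspect line in the log."""
    hits = []
    for line in log.splitlines():
        if classify(line) == "suspect":
            fields = dict(FIELD.findall(line))
            hits.append((fields["SRC"], int(fields["DPT"])))
    return hits


if __name__ == "__main__":
    for src, port in suspects(SAMPLE_LOG):
        print(f"suspect: {src} -> port {port}")
```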





