ZoneAlarm Update, RoadRunner Email, Network Monitoring, Mailbag

Published: 2004-06-18
Last Updated: 2004-06-20 16:04:55 UTC
by Johannes Ullrich (Version: 1)

ARIN whois problems (Update: Saturday June 19th)

Today, several sources reported problems with accessing the
ARIN whois server. No further details are known at this time.
As of late Saturday, the whois server responded fine.

ZoneAlarm Update Error

Steve Friedl notified us that the website
(BBR, aka. is receiving numerous connections from
ZoneAlarm firewalls, requesting the page 'checkupdate.asp'.
A URL like this is used by ZoneAlarm to check for an updated
version of ZoneAlarm. However, the request should only be sent
to ZoneLabs' authorized update site.

ZoneLabs and BBR are working on a fix. At this point, it is not
clear why ZoneAlarm installations attempt to use BBR to download
updates. Please notify us if you observe traffic from ZoneAlarm
to the URL 'checkupdate.asp'. ZoneAlarm may be requesting this
page from sites other than the authorized ZoneLabs update site
or BBR. The full request will include post data with details
like the software's exact version and serial number.

RoadRunner blocking E-mail Attachments

After several days (weeks?) of reported e-mail instability
at RoadRunner due to recent viruses, RoadRunner today sent
an e-mail to all customers stating that it will start to
remove .com, .exe and .pif attachments from all e-mail.

The recipient of such e-mail will be notified. However, the
sender will not be notified as most viruses use spoofed From

We covered both issues in the past. Several large ISPs reported
issues with increased mail volume due to viruses. Our own mail
system was hit hard several times by notifications sent to
us due to spoofed headers (most notably last August during

Identifying Unauthorized Network Connections

For larger networks, keeping track of assets connected to the
network can be a challenge. Brian Grainer, one of our handlers,
recently observed outbound NTP connections from his network,
which he traced back to unauthorized wireless access points.
Even many low-end wireless access points and routers, which
can be used to hide systems from discovery, use NTP. Watching
for outbound NTP traffic is a nice trick to add when trying to
discover these systems. Watching for new MAC addresses with
tools like arpwatch is the usual way to do this. However,
many home routers can be configured to use the MAC address of
an existing system, or in a large switched network, it can be
difficult to implement arpwatch. Monitoring for anomalies in
outbound traffic is very useful, even if it is done without
detailed packet content analysis. Simple tools like iptraf and
tcpdump, or fancier tools like ntop, will easily spot traffic
anomalies.
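
One way to apply the NTP trick to tcpdump output, as an added example
that is not part of the original diary. The internal range, the
authorized time server address and the sample capture lines are
constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the diary): the site's internal address space and
# the only hosts allowed to query time servers outside of it.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
AUTHORIZED_NTP_CLIENTS = {ipaddress.ip_address("10.0.0.5")}

# Text output of `tcpdump -n udp port 123`: "<ts> IP src.port > dst.port: ..."
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ")

# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE_LINES = """\
12:00:01.000001 IP 10.0.0.5.123 > 192.0.2.10.123: NTPv4, Client, length 48
12:00:01.050000 IP 192.0.2.10.123 > 10.0.0.5.123: NTPv4, Server, length 48
12:00:07.310000 IP 10.1.4.23.1027 > 198.51.100.7.123: NTPv3, Client, length 48
12:00:07.390000 IP 198.51.100.7.123 > 10.1.4.23.1027: NTPv3, Server, length 48
12:00:09.000000 IP 10.1.9.80.123 > 10.0.0.5.123: NTPv4, Client, length 48
12:01:11.420000 IP 10.1.4.23.1027 > 203.0.113.44.123: NTPv3, Client, length 48
12:02:00.000000 IP 10.2.7.14.123 > 198.51.100.7.123: NTPv4, Client, length 48
""".splitlines()

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def unexpected_ntp_clients(lines):
    """Map each unauthorized internal source to the outside NTP servers it queried."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m.group(4)) != 123:
            continue  # unparsable line, or not addressed to an NTP server port
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(3))
        if (is_internal(src) and not is_internal(dst)
                and src not in AUTHORIZED_NTP_CLIENTS):
            hits[str(src)].add(str(dst))
    return dict(hits)

if __name__ == "__main__":
    for host, servers in sorted(unexpected_ntp_clients(SAMPLE_LINES).items()):
        print(f"{host} queried outside NTP servers: {', '.join(sorted(servers))}")
```

Hosts that sync against the internal time server (10.1.9.80 in the
sample) are not reported; only direct queries to outside servers are.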

Mailbag: How to tell your consultant is a fraud

Occasionally, we receive notes from "consultants" asking
for help. While there is nothing wrong with asking for help,
today's case did make it very evident that the term "consultant"
does not always include expertise or subject knowledge.
This person, evidently advising some small company in network
and security matters, was asking why IANA took over the network
of one of his clients and assigned it addresses.
Evidently, he found that the network of his client uses these
IPs, queried whois, and received in return the information about
this IP range being reserved by IANA.

Even after our handlers explained the fact that Windows systems
will use this IP range if they are not assigned an IP from a DHCP
server, he remained skeptical.

We recommend careful reference and certification checks for all
consultants you may hire. Putting your network security in the
hands of untrained persons could put your business at risk.


Johannes Ullrich,
