Seven x64 & svchost [Resolved]

[Guest]

[burebista]

A couple of days ago I've installed Seven x64 RTM and until yesterday I have only his firewall active.
Yesterday since new CIS was out obvious that I've installed it (only FW and D+ both in Safe mode) and ditch Seven's firewall. Today I've take a look in log and I was shocked about svchost blocked events. A couple of thousand attempts on port 64527 in just a couple of hours.
I have utorrent but it's on port 55555 and when I close utorrent I receive some block attempts but by System and port 55555 and no way by svchost and port 64527.
I've scanned my system with MBAM, SAS and Sophos Anti Rootkit but I'm clean.
I've attached CIS main window with settings and intrusion attempts and another screenshot with svchost settings maybe someone have an idea because I have no idea why svchost is listening on that port.

Thanks.

[burebista]

OK, a new day with new data.
Last night was a nightmare, after 10 hours since my Power On I have more than 10,000 blocked "intrusions" on svchost and that port 64527. I've scanned (full) with Kaspersky on-line and I'm clean (of course).
Now in the morning I've opened my computer to see first screenshot and no alerts after one hour of browsing (utorrent closed). I was curious why and I want to see what's with 213.199.162.214 and for my relief it's teredo.ipv6.microsoft.com and and a  stroke my head, it seems that all that blocked traffic has something to do with utorrent Teredo/IPv6.

I know that CIS is not a IPv6 FW so now my question is should I allow svchost outbound traffic (I guess the answer is yes) but more important is should I allow svchost inbound ONLY for that 64527 port?

Thanks in advance.

[bulgroz]

Quote from http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Dynamic and/or private ports: 49152–65535

By definition, no ports can be registered in the dynamic range.[1]

I would be tempted to block traffic on that port and see if all is well. Being a private port, it makes it hard to research.

Cheers

[burebista]

Everything is well with that port blocked but I have "only" 10,000 alerts.
Now I've opened it for testing and everything looks well again but without any intrusion alerts.
So keep it open on close it, that's the question?  

Thanks for you reply.  

[Toggie]

Hi burebista

If you're using a router with NAT, what you're seeing is dynamic Teredo NAT port mapping. Basically, when a request is sent to a Teredo server through a NAT the last 32 bits of the IPv6 address are mapped to the dynamic IPv4 NAT port, in your case 64527.

What I'm not sure about is why you have so many log entries...

[burebista]

Hi Quill

I'm not under a router but direct cable modem access.
About those log entries I believe that it's similar with IPv4 when I close utorent because then I see a lot of entries blocked by System and utorent port (55555 in my case) and none if I don't launch utorent all day. Now with utorrent closed (after opening it for a while) I have those additional entries with svchost and port 64527.

So my basic question is if I can leave port 64527 open for incoming connections for svchost? I know that CIS don't do Stateful Inspection for IPv6 and I'm not sure if I'm safe with that port open.  
As you see I can have some IPv6 connections in utorrent. Rare but they exist. 

BTW on my previous Vista64 SP2 install and same utorrent version and port (55555) I didn't have those svchost entries (IPv6 enabled too in Vista) so that's why I was surprised by those new blocked entries for svchost.

Thanks again for your response.  

[Toggie]

It is slightly curious. Certainly, you are sending requests is teredo.ipv6.microsoft.com (213.199.162.214) which is outbound from you on port 64527, so that is likely the return endpoint.

When I use uTorrent with Ipv6 the connections are made on my designated uTorrent port, but then I don't use teredo, so there may be some difference there.

You could try a quick experiment, just disable teredo for a short time and note any differences, then re-enable. To disable, open a command prompt:

netsh interface teredo set state disabled

to re-enable:

netsh interface teredo set state client

[burebista]

You could try a quick experiment, just disable teredo for a short time and note any differences

OK, did that but what differences should I look for?  
All I can see is that svchost don't listen anymore on 64527 and all IN/OUT requests for thet port are gone.
No blocked events recorded for svchost and 64527 too.

So for my peace of mind it's better to leave Teredo interface disabled?

[Toggie]

Unless you feel you really need Teredo, I'd say go without. As it stands, it's difficult to implement any real control over what IPv6 does via the firewall.

If you feel you need IPv6 support, first check the status of your ISP to see if they offer native support. Failing that register a free account with a tunnel broker such as Hurricane Electric. They will give you a free 6in4 (not 6to4) tunnel that will allow control of the endpoints.

Personally, I feel giving processes such as svchost and system full outbound access is way to liberal. What you have seen is just one small example of that.

[burebista]

Thanks a lot for your advices. 
 From my point of view case closed, I'll live without Teredo and I'll try to tighten svchost rule.

You can close thread since is resolved.

[Toggie]

You're welcome. Just PM a mod if you wish to re-open the thread

[Tags:]