99 percent of blocked intrusion attempts from one source

[Guest]

[viper]

When i look in the firewall events log I noticed that 99 percent of the blocked intrusion attempts are from the following:

Application: windows Operating system
Protocal:  UDP
Source IP:  10.118.220.1
Source Port:  67


I noticed the same thing on my friends computer who also has comodo. 

[Quill]

Are you on a cable network?

The IP address space 10.0.0.0 - 10.255.255.255 is reserved and is not valid on the Internet. UDP port 67 is bootps . Basically this is part of the DHCP process, generally a response from a DHCP server to a request for a DHCP lease. I imagine the destination port is 68.

Dependent upon your configuration you could create a rule to block and not log these events.

[viper]

Yes the destination port is 68.  So this is bad and should be blocked?  Is this a hacker attempt to get into my system?  Its been blocked 700 times in a couple of hours. 

[Quill]

No, it's not a hacker attempt, it's relatively normal network activity, but for some reason there always seems to be a great many of these packets on cable networks.

You could ask your ISP the reason for there being so many datagrams flooding the network, but I doubt you'll get much of an answer.

You can block and not log these, but you need to make sure you don't stop your system acquiring an IP address. Without one you won't be able to do anything.

[bluesjunior]

I am on a cable broadband service through virgin media here in the UK. My PC connects to the Internet through the Virgin supplied Fast Ethernet connector cable modem and there is no router on my system. The rule in regards to ports 67 and 68 I have for allowing my ISP to renew my address is as follows.

Go into Firewall>Advanced>Network Security Policy>Global Rules. In Global Rules highlight the top rule and click add and in the box that comes up enter the following.
              Action = Allow
           Protocol  = UDP
           Direction = In / Out
          Source    = Any
        Destination = Any
       Source Port = Choose Range and enter Start = 67, End = 68
  Destination Port = Choose Range and enter Start = 67, End = 68
You can also check the box saying " log if this rule is fired", then click apply /ok and it is very important that once back in Global Rules you must drag and drop the new rule to the top of the list.

[viper]

With 3.10 these don't get blocked.  I guess that's why the number of blocked intrusions drops so much between 3.9 and 3.10.  Most of the blocked intrusions was this network traffic that really is nothing.  I am using 3.9 right now and in one hour comodo has blocked 320 intrusion attempts.  All of them are this network traffic we have discussed above. 

How many intrusion attempts does comodo block for you guys in an hour?

[bluesjunior]

I have been on the PC now about one hour and I have 47 intrusion attempts. I have just updated Mozilla Forefox to the latest version v3.5 and noticed that in the same hour I have 37 outbound connections even though I only have the tab to this site open at the moment. I tend to open each new site I visit in a new tab and delete the previous tab but it seems that Comodo is slow to recognize I am no longer at that address.
             Do you just install Comodo as default or what is your procedure. Since Comodo v3.5 as soon as the install is finished I tend to open all my regular used programs and set them either as custom, trusted, web browser, outgoing only etc etc. As soon as I have done that I come here and follow the instructions for the Firewall and Defence+ Kyle gives in the Guides section here. The only other thing I do after that is set the Global DHCP Rule for ports 67 and 68 as mentioned above. The traffic I see seems to be no more or no less than in previous versions as far as I can see.
                           

[viper]

So its better not to block this network traffic?


According to bluesjunior he sets his rules not to block this network traffic. 


Is there a link on advice on how to set firewall for best results?  My knowledge on firewalls is not that good. 

[Jim__]

Viper
What is the destinatiion IP? If it is broadcast traffic then CIS is hyperventilating about it being an "attack".

[bluesjunior]

Is there a link on advice on how to set firewall for best results?  My knowledge on firewalls is not that good.

http://forums.comodo.com/guides_cis-b130.0/

[Quill]

I have just updated Mozilla Forefox to the latest version v3.5 and noticed that in the same hour I have 37 outbound connections even though I only have the tab to this site open at the moment.

This is more than likely due to DNS prefetching, which is a new feature of fx 3.5 and above.\

According to bluesjunior he sets his rules not to block this network traffic.  

First, your system needs to be able to aquire an IP address, it then needs to be able to renew that address.

To facilitate this you need one or more rules. How many will depend upon your current configuration. At the very least you will need to let svchost.exe outbound connectivity in Applications rules.

If you have used stealth ports, you will also need to allow DHCP traffic IN via global rules.

Once you have implemented these rules and you have assured your system can maintain DHCP connectivity, you may safely  block and not log all other similar traffic. For some reason, on cable networks, there always seems to be quite high levels of this kind of DHCP renewal traffic.

[viper]

I set my firewall as follows:

- I add my network in my network zones
- Then i stealth my ports (Block all incoming connections - third option)

[Quill]

The answer to whether you will need more rules to accommodate DHCP will depend upon where you obtain your DHCP lease.

From what you said above, your current Global Rule configuration allows communication on your LAN but blocks all other inbound traffic.

For DHCP to function correctly, you will need, as I said before, an Application rule for svchost.exe and you will also need to allow, at the least, DHCP IN. In Global Rules.

To understand what this means, you have to understand how DHCP works. Typically, whcn you start your computer your DHCP client (controlled by svchost) sends a multicast request to locate a DHCP server:

Your client:

UDP 0.0.0.0:68 ---> 255.255.255.255:67

If a DHCP server is found and it responds correctly it will send:

The DHCP server:

UDP (some ip address appropriate for your computer):67 ---> 255.255.255.255:68

Here you can see the basic requirement, UDP on port 67 needs outbound access and UDP on port 68 needs inbound access.

On an occasional basis your computer will attempt to renew it's IP address (called a lease) this also needs to ba catered for but should work correctly, assuming you have created rules that allow the above.


Hope this helps

[Tags:]