Can a Mod shed some light on this please?

I had this a few minutes after I turned my PC on this evening:-

Date/Time :2007-03-21 17:47:25
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 195.7.224.57
Ports: 15109, 60164, 61956, 62212, 63492, 65284, 773, 64772, 1029, 2309, 63236, 3845, 3333, 4613, 6149, 6661, 7685, 8709, 9221, 10245, 10757, 12037, 12549, 13573, 14085, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

What caused this? I’ve googled the Attacker IP address and it seems to be a DNS server associated with my ISP. I’ve set up a static IP on my PC by following this guide (Setting a Static IP Address in Windows XP) for better torrent use.

But why would they scan my ports?
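As an added illustration (not part of the original posts or of CFP itself), here is a small Python parser and triage helper for a Network Monitor entry in the format quoted above. The resolver list, the 1024 "ephemeral port" cutoff, the 80% ratio and the verdict labels are my assumptions for a first-pass triage; the second sample entry (a non-resolver source hitting low ports) is constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample, modelled on the CFP Network Monitor entry quoted in the thread.
SAMPLE_ENTRY = """\
Date/Time :2007-03-21 17:47:25
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 195.7.224.57
Ports: 15109, 60164, 61956, 62212, 63492, 65284, 773, 64772, 1029, 2309, 63236, 3845, 3333, 4613, 6149, 6661, 7685, 8709, 9221, 10245, 10757, 12037, 12549, 13573, 14085, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked
"""

# Constructed contrast entry: a source that is not a configured resolver (203.0.113.0/24 is the
# RFC 5737 documentation range) probing well-known low ports.
SAMPLE_ENTRY_UNKNOWN = """\
Date/Time :2007-03-21 18:02:10
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 203.0.113.9
Ports: 135, 137, 138, 139, 445, 0, 0, 0
The attacker has been temporarily blocked
"""

# Assumed: the resolver address(es) this machine is configured to use (here the one from the thread).
KNOWN_RESOLVERS: Set[str] = {"195.7.224.57"}

# Assumed cutoff: destination ports at or above this are treated as client-side ephemeral ports.
EPHEMERAL_MIN = 1024


@dataclass
class ScanEvent:
    timestamp: str
    severity: str
    reporter: str
    description: str
    attacker: str
    ports: List[int]
    blocked: bool


# "Key :Value" or "Key: Value"; the key never contains digits or colons, so the time's colons are safe.
_FIELD = re.compile(r"^\s*([A-Za-z/ ]+?)\s*:\s*(.*?)\s*$")


def parse_entry(text: str) -> ScanEvent:
    """Parse one log block into a ScanEvent. The trailing status line has no colon and is not a field."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    ports = [int(tok) for tok in fields.get("ports", "").split(",") if tok.strip()]
    return ScanEvent(
        timestamp=fields.get("date/time", ""),
        severity=fields.get("severity", ""),
        reporter=fields.get("reporter", ""),
        description=fields.get("description", ""),
        attacker=fields.get("attacker", ""),
        ports=ports,
        blocked="blocked" in text.lower(),
    )


def triage(event: ScanEvent, resolvers: Set[str]) -> Dict[str, object]:
    """Heuristic classification (my assumption, not a CFP feature):
    a configured resolver hitting mostly ephemeral ports looks like replies to the PC's own
    DNS queries arriving after the firewall forgot the outbound query; anything else stays 'unknown'."""
    real = [p for p in event.ports if p != 0]          # drop the zero padding
    padding = len(event.ports) - len(real)
    high = [p for p in real if p >= EPHEMERAL_MIN]
    high_ratio = len(high) / len(real) if real else 0.0
    from_resolver = event.attacker in resolvers
    if from_resolver and high_ratio >= 0.8:
        verdict = "probable-late-dns-replies"
    elif from_resolver:
        verdict = "resolver-unexpected-ports"
    else:
        verdict = "unknown-source-scan"
    return {
        "attacker": event.attacker,
        "verdict": verdict,
        "distinct_ports": len(set(real)),
        "zero_padding": padding,
        "low_ports": sorted(p for p in real if p < EPHEMERAL_MIN),
        "blocked": event.blocked,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_ENTRY, SAMPLE_ENTRY_UNKNOWN):
        print(triage(parse_entry(raw), KNOWN_RESOLVERS))
```

The verdict is only a hint for where to look next (correlate with the PC's own outbound DNS queries at that time, and with any ICMP port-unreachable entries); the "unknown-source-scan" branch, with low well-known ports, is the one worth treating as a real probe.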

If you’re with NetDirect, and it’s their DNS server, I’d contact them and ask for their input on it. See what they say; you never know…

Port 0 doesn’t really exist, which is odd, although some others have seen that recently.

LM

Thanks for the quick reply.

No, I’m with Namesco. Do you think I should ring my ISP and see what’s what? Does it look dodgy?

195.7.224.57 United Kingdom NETDIRECT-CORE NetDirect, London 195.7.224.0 - 195.7.229.47 ISION Internet Plc Role Contact Namesco Limited, Acton House, Perdiswell Park, Worcester, WR3 7GD ripe-contact@names.co.uk abuse@names.co.uk +441905342342 +441905342343 RIPE NCC res01.ision.net.uk

So yes, that’s the same thing; NetDirect, Namesco…

I’d contact them, myself. That doesn’t look like it’s a DNS-related contact, so it would be good to see what they say.

LM

I gave them a ring. They were a little puzzled and they said the server could have flipped. I mentioned I use torrents from time to time and have a port open, and they said it was probably something to do with that. They said it in greater detail; I just can’t recall exactly what they said. I’m gonna keep one eye on the log over the next few weeks and see if it pops up again.

Thanks Littlemac for your quick response :■■■■

no prob.

Server “flipped”? I hope it didn’t get hurt? Does it need counseling? Hmm… ;D

Yes, you can see some odd things with torrents, simply by the nature of all the open connections and all. However, that would not be seen to be coming from your ISP’s DNS server. That would be from some unknown IP address, most likely, that you’d never seen before. I think they just took that as a way out…

Here’s something you should know regarding p2p apps and CFP. If you have a router, yes, you have to do port forwarding in the router. However, in CFP’s Network Monitor, the rule you have to add to allow TCP & UDP In on Destination Port xxxxx does not mean the port is open. The rule by itself does nothing, and CFP does not open ports nor hold them open. The port is closed unless in use. In order for the NetMon rule to mean anything, there has to be an application that is set up to receive on that port, and allowed to do so in the Application Monitor. Otherwise, you can allow it all you want in the AppMon, and it won’t connect. You can have a rule in the NetMon all you want, and it won’t work if there’s not an allowed application that is actively running and receiving connections on that port. So even if the application is allowed, the rule still does nothing. The app has to be actively running, in order to receive the connection.

Do keep an eye on it. Hopefully it’s just a blip and it won’t happen again. Good thing is, if it is something bad, you know it was blocked, so you’re secure. (:CLP)

Keep us posted on how it goes…

LM

Had a similar scan.
https://forums.comodo.com/index.php/topic,7154.0.html
At least you got a semi-technical answer

server could have flipped
All I got from my isp techs was "we'll look into it and get back to you". Still waiting :THNK

That’s right! I forgot about that. “Flipped” is better than nothing, I guess. :wink:

LM

Apologies for barging in, but I would like to also include myself in the number of folks experiencing log entries where the blocked attacker is my DNS server (as per router config.), UDP Port Scan - many ports and many 0,0,0,0 entries. (I use Proxomitron).
I am not in the least worried as scans with NOD32, SAS, AVG AS, a2, RkUnhooker are clean. All ports are fully stealthed and no problems at all. :-*
There is no file and printer sharing and netbios over TCP/IP is disabled. Ports 135-139 are completely closed. The only other log entries I receive frequently are Outbound Policy Violations (Access Denied, ICMP = Port Unreachable) with source my router IP and destination my DNS server.
I would love an explanation as to why these UDP Port Scans are regularly logged from those with more savvy than I can muster. ;D

Sorry, ocky, I don’t have an easy answer for you. I’d direct that ? to the ISP… I realize they may not be much help, but they’d be the ones to know. If they can’t give an answer, I’d personally keep pressing the issue to get a higher-level tech until they could give me an answer that really is an answer, not just some brush-off explanation.

UK_DUDE, I moved the trojan-related posts over here: https://forums.comodo.com/index.php/topic,7432.msg54194.html#msg54194, where you’ll get better coverage about the removal thereof. The more I look at it, the less I think that the trojan would be why you’re seeing all those inbound connections. If I’m wrong, I’m wrong, but it doesn’t seem likely. Not inbound. More likely outbound, you know?

LM

As I have also posted at Wilders, please take a look at this thread:
ISP linked DNS server is port scanning. | Wilders Security Forums It seems reasonable to assume that the UDP Port scans by own ISP linked server are a Comodo issue affecting not only me.

To the moderators.

Are you 100% sure this is not a Comodo bug? If not, I give up. Even disabling the DNS Client service in mmc does not solve the described logging. Please read my thread at Wilders, and bear in mind that I am not the only user to experience these log entries. No problems otherwise.

Anything’s possible, ocky. I don’t personally think it is, but as there are a few cases of it which seem otherwise unconnected, it could be. I don’t remember if you noted, but so far it seems to be connected with cable providers, where the user may be experiencing a “feedback” of sorts from other users on the cable connection. Whether or not they are helpful, I would still like to know what your ISP says.

In my experience, if CFP says it blocked something, then it did. CFP will not block any IP address to which you have initiated contact from responding to that contact in a way that does not violate the ruleset or security protocol. The ‘0’ entries may be a glitch due to the frequency of the connection attempt. There are some changes in the way that it logs slated to come out with version 3; that might help clarify, if something’s not being reported the best way possible. With CFP, in order for it to log a portscan/flood, the connection must exceed the given criteria (Security/Advanced/Advanced Attack Detection & Prevention), which you can increase as well. IF your computer were trying to connect to the DNS server and getting a slow response (which can happen), it shouldn’t be seen as UDP flood, especially if you increase the values/time.

You noted in the Wilders thread that your alert level was set to low; this has nothing to do with the log entries. The alert level is application-driven, not connection-driven. With it at low, you should only see a popup alert that an application is trying to connect based on an incoming/outgoing connection attempt. As long as you Allow with “Remember” you shouldn’t see an alert on that app again, unless something triggers the Application Behavior Analysis module. Having a portscan entry in the logs wouldn’t make me think of malware either; that would be an Application Behavior Analysis entry, more likely, given the way CFP works.

Have you filed a ticket with Comodo support? If not, please do so: http://support.comodo.com/ And also please contact your ISP, to see if they have any thoughts or suggestions. If the IP address matches up to one of their DNS servers, IMO, CFP is blocking it for a reason; I don’t think the traffic is imaginary.

LM
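The threshold behaviour described above (a scan or flood is only logged once the traffic exceeds the configured criteria, and raising the values makes slow, spread-out replies fall below it) can be modelled with a simple sliding-window counter. This is an added example and not CFP's own detection code: the datagram sample, the per-source "distinct destination ports within a window" rule, and the thresholds are constructed to show the effect of the settings.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample of inbound UDP datagrams as (milliseconds, source_ip, destination_port).
# One resolver address answers a burst of queries on twelve distinct ephemeral ports; a second
# source (198.51.100.0/24 is an RFC 5737 documentation range) touches only three ports.
RESOLVER = "195.7.224.57"
OTHER = "198.51.100.7"
SAMPLE_DATAGRAMS: List[Tuple[int, str, int]] = (
    [(100 * i, RESOLVER, 49152 + i) for i in range(12)]   # t = 0 .. 1100 ms
    + [(500, OTHER, 1024), (600, OTHER, 1025), (700, OTHER, 1026)]
)


def detect_udp_port_scans(
    datagrams: List[Tuple[int, str, int]], max_ports: int, window_ms: int
) -> List[Tuple[str, int, List[int]]]:
    """Flag a source the first time it has hit MORE than max_ports distinct destination ports
    within the trailing window_ms. Returns (source, time_of_alert, sorted ports in window).
    Both parameters play the role of the user-tunable 'attack detection' criteria."""
    recent: Dict[str, Deque[Tuple[int, int]]] = defaultdict(deque)  # source -> (t, port) in window
    alerted: Set[str] = set()
    alerts: List[Tuple[str, int, List[int]]] = []
    for t, src, port in sorted(datagrams):
        q = recent[src]
        q.append((t, port))
        while q and t - q[0][0] > window_ms:      # drop datagrams that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_ports and src not in alerted:
            alerts.append((src, t, sorted(distinct)))
            alerted.add(src)                       # one event per source, like a single log entry
    return alerts


if __name__ == "__main__":
    # Default-like setting: the burst crosses the threshold and would be logged (and blocked).
    print(detect_udp_port_scans(SAMPLE_DATAGRAMS, max_ports=10, window_ms=2000))
    # Raised port threshold: the same traffic is no longer reported.
    print(detect_udp_port_scans(SAMPLE_DATAGRAMS, max_ports=20, window_ms=2000))
    # Shortened window: replies spread 100 ms apart never accumulate enough distinct ports.
    print(detect_udp_port_scans(SAMPLE_DATAGRAMS, max_ports=3, window_ms=250))
```

The first call reports the resolver at t = 1000 ms with 11 ports and never the second source; the other two calls report nothing, which is the "increase the values/time" effect from the post.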

Thanks for responding. I have filed a support ticket today and also referred to this thread. I was fully aware that the alert level applies to apps and don’t know why the hell I mentioned it - must have been a case of acute “’puteritis” :stuck_out_tongue:
What I don’t understand is that all external port scans are blocked by my firewalled router. The Shields Up test, whilst only probing TCP ports, shows all ports stealthed and Comodo does not see these scans (as it should be). This would indicate that the router is effective and reliable. My older spare router produces the identical results, and also makes no difference to the UDP port scan logging conundrum. The ports are all high numbered plus all the 0,0,0, “ports”.
Anyway, hoping for an explanation from support. If I have at least 30 minutes idle time, I will try phoning the ISP - that’s how long it takes to get through.

Regards.

Are you on cable?

LM

No, we are quite backward here. Only ADSL and rather unreliable. Cable maybe in 10 years. ;D
BTW. I also have dial-up as standby.

Regards.

Well, that may ■■■■ my budding theory out of the water. Every case I’ve seen thus far, I think, has been with a cable provider, and almost all include some connection from a 10.x.x.x IP address, which is a non-routable network IP, typically used by businesses. My theory is/was that given the nature of the cable connection, these “port scans” were the result of extraneous noise from other cable customers. As I understand it, cable kind of creates a “network” for all connected users, almost putting them within the ISP’s “system”. Thus, there could be a lot of feedback, noise, chatter, etc (pick your descriptor). So far the ISPs have only agreed that it is their IP/server address, that it might be p2p-related (I think they just jumped on that as a way out), and that they don’t know. And of course, that the server might’ve “flipped.”

IF the people posting on Wilders would actually post here, they might not only be able to get some help from the source, but also contribute to resolving the issue, if indeed it is a Comodo issue. Unlike some companies, Comodo doesn’t seem to spend time focusing on other forums; their focus is here.

Be sure to keep us posted as to Support’s response, and also your ISP’s.

Tnx,

LM

Some people at Wilders have tested Comodo and are also firewall experts - that’s why I thought there was no harm in ‘spreading the net’, as it were. Sorry if you feel I have trodden on your toes; I certainly appreciate your expertise and welcome contributions in all things Comodo.
Will keep you posted.

Go well.

No problem, ocky; sorry if I wasn’t clear. I have no problem with anyone asking around, and it’s great that folks like Paranoid2000, Stem, etc are willing to take time to research things for users. Wilders, CastleCops (and others), these places can be good resources. My concern is the posts that Stem gave a link to… AFAIK, those users have not raised the issue here in the Comodo forums. When looking for help, it makes the most sense to go to the source first. Given that the Wilders guys don’t devote their full attention to any one software, they are not going to (by default) be as familiar with it as the Comodo crew.

Some companies use Wilders to host their forums, and as such have a presence there. Comodo has its own forums, and does not have a presence in Wilders (although a lot of users do frequent it). Since the Mods here are volunteers, we have other “real” jobs and don’t typically go “off the reservation” looking for folks to help. Thus if mvdu and aagfr would raise the question here, IMO, that would be better all the way around. Certainly, if there is a problem with CFP, that will make sure the Dev team is aware of it, and help iron it out.

That was my only point; trust me, I’m not complaining that anyone looks for help somewhere else… ;D

LM

Thanks, I certainly agree. 8)