Can a Mod shed some light on this please?

The Whois lookup provided some email addresses, I tried one of them linked to my service provider. This is all I got so far:

“To comment further I would need the actual packets transmitted. This could be someone imitating 196.25.1.11 or it could be as simple as replies from 196.25.1.11”

I replied:

“Thanks for taking the trouble. Unfortunately Comodo firewall does not log packets. A packet sniffer ‘SmartSniff’ also does not report on these scans.
Comparing the time reported for the port scan by the firewall with the packet sniffer shows the same time (say 14:08) but the UDP ports are very different.
Is there anything else I can try ?”

Of course, being new to this stuff, I am not sure whether any packet sniffer would even pick up these port scans as they were blocked by Comodo?

Nothing yet from support.

PS. The stars, 5 for moderator etc. are misleading. I already have 3 but know nothing ! ;D

Tnx for the update, ocky. I would think the sniffer wouldn’t pick them up as they aren’t entering the system. You’d need some way of capturing them, and I’m not sure what that would be. If you turned off CFP, the sniffer would probably work, but then you’d potentially be in trouble… No way!

And you think I do? ;D

LM

Forgot to mention the ISP chap (I was on hold for only 5 mins.) didn’t seem to understand and told me that: “when the network is slow, they may switch to DNS servers - or they may be checking for a fault” ;D Go figure…

Y-e-e-es, yours are royal blue indicating some or other special ability. (:NRD) ;D

Funny, this just happened to me.

Date/Time :2007-03-28 09:47:51
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: XXX.XXX.XXX.XXX
Ports: 11021, 63500, 13, 525, 1037, 1549, 3085, 2573, 4365, 3853, 5645, 3597, 5901, 6925, 6413, 7437, 8461, 7949, 8973, 9741, 57868, 55564, 10509, 2061, 64524, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

We run our own servers so we are the ISP. Comodo blocked access to the DNS server. Is there a way to see and remove or prevent the temporary block for known IP addresses?

Thanks

(:NRD)

Weirder and weirder… Please be sure to file a ticket with Support on this - they definitely need to know! http://support.comodo.com/ And be sure to give a link to this topic, for reference.

As to removing the temporary block, you’ll probably need to reboot. You might have success simply by turning off the GUI (right-click systray icon, select Exit), waiting a few seconds, and restarting from Start/Programs, or desktop icon. But I think a reboot will probably be needed.

Were you running any p2p applications at the time? Any specific software?

LM

Thanks for your reply.

As for your question, I wasn’t running anything. I opened up a browser and a popup came up, then I got this error from Comodo blocking the DNS server.

If you want to capture packets, use Wireshark (formerly “Ethereal”).

I’ve seen this “UDP port scan” before. Coming from a server on my internal corporate network. 88)
Could be your CFP is blocking the initial request, which makes the server try alternative ports. I haven’t really dug into it as I suspected it to be a badly configured server-service or similar. Actually it could be anything really. Looking over the history in this company and all the non-announced server gimmicks they install I’m not surprised.
Try finding the source and figure out what service it runs. Then see if you can notify the “owner” of it and tell him to stop portscanning you :slight_smile:

Btw… interesting thread. I’ll be looking in from time to time to see if a result pops up.

I am posting this because it may be of interest, albeit not a 100% cure. After I unticked “Register this connection’s addresses in DNS” in Network Connections > TCP/IP configuration, I received only one UDP Port Scan from my ISP-linked DNS server (usually about 5-8 in the same time frame); furthermore all the ICMP Access Denied ‘chatter’ between my 192.xxx.x.x and the ISP DNS server is gone. ** In fact the only thing in my logs right now is the above-mentioned Port Scan. Oh well, will continue to monitor.

Possible causes:

Win2K/XP machines will by default register themselves with WINS and DNS servers (assuming WINS/DNS is configured in your network settings). To my knowledge, there’s no preference. By default, they will try to resolve a name through DNS before WINS. To prevent your Win2K/XP machines from trying to register themselves with DNS servers, uncheck “Register this connection’s addresses in DNS” in your TCP/IP configuration.

This is a very common false-positive event when people first set up ACLs or firewalls. Another common reason why DNS servers might appear to port-scan your network is misconfigured W2K boxes. Since W2K would rather use DNS than NetBIOS to register themselves, if you configure their primary DNS as your ISP’s DNS servers, your W2K boxes will try to register themselves with the ISP’s server. Most will not take the registration, rightly so, and will send back an NACK message. This message ends up banging against the inbound filter.

Regards.

EDIT : Nope - Just got another UDP scan plus the usual **ICMP Access Denied stuff (which I had previously) - All this probably applies to ICS, not if one has a DHCP router. Sorry.
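As an added example (not code from the thread or from Comodo), here is a small Python triage script that parses a Network Monitor entry in the format quoted earlier in this thread and flags events whose “attacker” is one of your own configured resolvers and whose listed ports are mostly ephemeral, which is what the reply-traffic explanation above predicts. The resolver list and the 60% threshold are assumptions, and the sample entry is constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the Network Monitor entry quoted in the thread.
# 196.25.1.11 is the ISP DNS server address mentioned earlier in the thread.
SAMPLE_EVENT = """Date/Time :2007-03-28 09:47:51
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 196.25.1.11
Ports: 11021, 63500, 13, 525, 1037, 1549, 3085, 0, 0, 0
The attacker has been temporarily blocked"""

# Hypothetical list of the resolvers this machine is configured to use.
CONFIGURED_RESOLVERS = {"196.25.1.11", "196.25.253.13"}


def parse_event(text):
    """Split one log entry into 'Field: value' pairs; Ports becomes a list of ints
    with the monitor's zero padding removed."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    ports = [int(p) for p in fields.get("Ports", "").split(",") if p.strip().isdigit()]
    fields["Ports"] = [p for p in ports if p != 0]
    return fields


def classify(event, resolvers):
    """Label a UDP Port Scan event as a probable reply-traffic false positive or
    as unexplained. Heuristic (assumption): replies from a resolver you queried
    come back to the ephemeral ports your stack chose, so one resolver address
    paired with many distinct high ports fits that explanation."""
    if event.get("Description") != "UDP Port Scan":
        return "not-a-udp-scan"
    try:
        src = str(ip_address(event.get("Attacker", "")))
    except ValueError:          # redacted or malformed address, e.g. XXX.XXX.XXX.XXX
        return "unexplained"
    ports = event["Ports"]
    if not ports:
        return "unexplained"
    high = sum(1 for p in ports if p >= 1024)
    if src in resolvers and high / len(ports) >= 0.6:
        return "probable-dns-reply"
    return "unexplained"


if __name__ == "__main__":
    print(classify(parse_event(SAMPLE_EVENT), CONFIGURED_RESOLVERS))
```

An event labelled unexplained is the one worth raising with Support with a packet capture attached, as LM suggests above.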

Using the ISP’s cache server there are no port scans ( for what it’s worth).

I presume you configured that manually?

LM

Well yes. Proxomitron has an option whereby Proxomitron can itself use a remote proxy. So I entered the ISP’s cache server 196.25.253.13:8080 in Proxomitron’s External Proxy Selector.
I did this because the normal DNS servers caused very slow loading of international sites here for the past week. This speeded things up, and so far there are no UDP port scans.
What do you think ?

Too soon for me to think… :wink:

Let’s see what happens over a couple days of activity…

LM

Just to confirm. There are no UDP port scans when using the ISP’s proxy cache server. As soon as I switch back to not using the proxy server, I am again saddled with those UDP port scans by the ISP’s primary and secondary DNS servers as mentioned previously ( about 2/3 average per hour). It’s a mystery to me.

Mystery to me, too. At least we know something is going on in relation to the regular DNS servers.

Have you updated your ticket with Comodo Support to reflect this?

Have you contacted your ISP to ask about this, as it relates to your previous conversation with them?

And lastly, how did you determine the IP of the proxy cache server for your ISP (so others may try the same thing)?

LM

OK. I have updated the support ticket (on hold) and again referred to this thread. Reply from ISP pending - if they respond.
I obtained the ISP’s proxy from a local forum. However, here one can also obtain it by phoning them and asking for it - I did this for my standby dial-up connection.
Telkom is a monopoly here and besides paying the highest broadband fees in the world, AFAIK, the service is ■■■■■■ with lots of disconnects, sometimes slower than dial-up surfing etc. (I pay the equivalent of US$ 125 monthly for an ‘up to’ 4MB ADSL service, that’s after a recent price reduction !).
Will try now using another proxy.

Regards.

Edit: Same results using other external proxy servers via Proxomitron. No UDP port scans.

UDP port scan from my DNS server, same as described above.

Scans correspond to send and receive in Outlook 2k3.

Is there a resolution to this issue?

I have them as well from time to time, and a lot of inbound activity from my ISP that classes as a violation.