CFP v3 being pummeled by IANA, also heavy TCP outgoing activity?

I need a second pair of eyes on two issues. First, the essentials:

Running…
–XP Home SP2
–CFP v 3.0.18.309
–CMF 2.0.4.20
–Key Scrambler v 1.3.3
–AVG 7.5
–SB S&D + Resident
–BOClean v 4.25
–Firefox v 2.0.0.12
– .357 Magnum w/ rubber grip, safety off >:(

(Background: I was infected with Zlob and Nugache.a and my bank account appears to have been compromised (small international charges). Six different scanners are showing my system as clean now, but you’ll understand my internet paranoia!)

Issue # 1

In 1 hr since booting up, I’ve logged over 700 blocked attempts (Yesterday was over 2,400!). There’s been the typical smattering of Romania, China and Canada attempts, but the primary culprit (99%) is 10.232.128.1, which belongs to IANA. This just started yesterday, so something is going on. Here is a shot of my event log showing the attempts to connect with my submask IP, not incl the tries at my direct IP:

(Bear in mind, this is for only a 2 minute period)

http://img137.imageshack.us/img137/8394/fwloguv5.th.jpg

Here is how my Network Policy global rules are set up. Loopback only contains my IP and submask:


http://img232.imageshack.us/img232/5101/nwpolicycu6.th.jpg

Let me know if you need anything else to look at. I’d appreciate if someone knew what was going on here.

Issue # 2

Seems to be a lot of UDP/TCP traffic, initiated by me and on high level ports. Here is what I got just by starting up Firefox (one window only) and going to this website:


http://img229.imageshack.us/img229/7022/cnxlogjb2.th.jpg

Why so many connections with only one window open? And why all these obscure ports? Last night it was sending out on ports in the 2000+ range. I checked several of them on ShieldsUp! and some of them didn’t even have descriptions listed. Is this at all normal?

I appreciate any input.

Thanks

Jason

Hi Jason,

Here is some useful information about this case (I guess).

Thanks!

Yes, I had a feeling this was related to renewing the IP, but it’s the volume of requests compared with volume prior to yesterday that is odd.

One thing I forgot about: I fired up Limewire yesterday for about 10 minutes. There were no downloads from my computer during that time and I fully shut it down afterwards. I read in another posting that Limewire and others can lead to an increase in traffic, but a full day after it’s shut down? I’m not sure if that’s a cause or not. I’m thinking of abandoning services like that unless I can configure CFP to allow download, but prevent upload. I just don’t feel safe about that anymore, even with scanning any downloaded items.

Yeah, my blocked log just hit 2,148 in 3 hours! I’m going for a record.

Still hoping to find an explanation for the second issue and a resolution for both.

  1. The 10.xx is your router broadcasting a response to a DHCP request. Something is misconfigured in your network. These are private addresses and cannot be routed over the internet at all. The IANA reference you looked up is just that they are reserved and unavailable as internet IPs.
  2. An internet page of html you access with an http from your browser is actually a mosaic of tcp calls to content providers that all need separate connections for things like pictures, ads, tables, separate articles, … Some are at the same IP address, some are elsewhere and have different IP addresses. You can look at the html with firefox and see the separate http calls on the page, along with some cgi executions that do similar functions. The traffic you show is outbound to get the information required by your initial http.

So advice:

  1. find out what is misconfigured in your network and fix the dhcp calls. Then the extraneous responses should stop. Or if everything works fine, stop the logging by making a rule in Network policies/advanced to block and not log them. But you probably want to allow the response so you can go to the rest of the LAN IP discovery sequence. Make an application rule under Windows Operating System and in your global policies
    allow/udp/in/10.232.128.1/67/255.255.255.255/68.
  2. This is all normal - go to Wikipedia and read about html/http.
    Comodo is protecting you normally! :slight_smile:
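The classification in point 1 above (UDP from a 10.x.x.x address, source port 67 to destination port 68, is a DHCP server reply from private address space, not an attack from IANA) can be checked against a firewall log directly. The script below is an added example and is not Comodo's code or output: the log entries are constructed to resemble the screenshots in this thread, and the rule notation `allow/udp/in/<src>/67/<dst>/68` is borrowed from the advice above. It also shows why a rule limited to one server address (10.232.128.1) leaves the second DHCP server seen in the thread (10.132.0.5) in the log, whereas 10.0.0.0/8 covers both.

```python
"""Sort blocked-inbound firewall events into DHCP replies vs. everything else.

Added example; the events below are constructed, not from the poster's log.
Each event is (protocol, src_ip, src_port, dst_ip, dst_port).
"""
import ipaddress
from collections import Counter

# Constructed sample of "blocked" inbound events. 66.x/89.x sources are
# placeholders for same-ISP or internet hosts, not real observed addresses.
SAMPLE_LOG = [
    ("UDP", "10.232.128.1", 67, "255.255.255.255", 68),  # DHCP offer, broadcast
    ("UDP", "10.232.128.1", 67, "255.255.255.255", 68),
    ("UDP", "10.232.128.1", 67, "10.232.134.77", 68),    # DHCP ack unicast to the client
    ("UDP", "10.132.0.5", 67, "255.255.255.255", 68),    # second server, as in the thread
    ("TCP", "66.214.0.2", 1234, "10.232.134.77", 1433),  # MS-SQL probe (constructed)
    ("TCP", "89.35.10.4", 4000, "10.232.134.77", 135),   # RPC probe (constructed)
    ("ICMP", "66.215.7.9", 0, "10.232.134.77", 0),       # ping (constructed)
]

# RFC 1918 private ranges: reserved by IANA, never routed on the internet.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if ip falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def is_dhcp_reply(event):
    """Server -> client DHCP traffic: UDP, source port 67, destination port 68."""
    proto, _src, sport, _dst, dport = event
    return proto == "UDP" and sport == 67 and dport == 68


def classify(event):
    """Label one event: DHCP reply from private space, other private-source
    traffic, or traffic from a routable internet address."""
    src = event[1]
    if is_dhcp_reply(event) and is_private(src):
        return "dhcp-reply"
    if is_private(src):
        return "private-other"
    return "internet"


def summarize(events):
    """Counts per label; the 'dhcp-reply' count is what disappears from the
    log once the allow rule for DHCP is added."""
    return Counter(classify(e) for e in events)


def remaining_after_dhcp_rule(events, src_net="10.0.0.0/8"):
    """Events still blocked (and logged) after a rule equivalent to
    allow/udp/in/<src_net>/67/any-local-destination/68."""
    net = ipaddress.ip_network(src_net)
    return [e for e in events
            if not (is_dhcp_reply(e) and ipaddress.ip_address(e[1]) in net)]


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    for rule_src in ("10.232.128.1/32", "10.0.0.0/8"):
        left = remaining_after_dhcp_rule(SAMPLE_LOG, rule_src)
        print(f"rule source {rule_src}: {len(left)} events still logged")
```

Run it on real exported log lines by replacing `SAMPLE_LOG`; the events in the "internet" bucket are the ones worth looking at, the "dhcp-reply" bucket is the noise the thread is about.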

About IP 10.x.x.x, in some cases this belongs to a small network found in a cluster of houses in some towns, which don’t do ‘local’ LAN the way we think.
There are some ISPs which will do their ethernet in this way to save IPs, which in turn means that they have a local router between 10.x.x.x and the internet. There can be many comps on such a router and therefore much chatter.

This may explain all those attempts to 10.x.x.x.

Agree; we need to know a lot more about the network. And the NIC(s). But the picture shows 20 DHCP responses in 2 minutes, which sure looks like something is misconfigured. Or being attacked with a DHCP flood? And the 10.132.0.5 shouldn’t normally even be on the same subnet, and shouldn’t be showing up in the responses. A community of routers interfaced with the internet? ??? But it is not IANA’s fault. :slight_smile:

Maybe DHCP flood, but 10.x.x.x is sometimes used as a (big) subnet and who knows if there is a zombie connected.
The network is a big jungle :slight_smile:
But I agree with you.

Sded, I created that rule and that solved the problem, although I had to broaden it out to 10.0.0.0-10.255.255.255. The blocks have dropped considerably, although I’m now logging a lot of blocks from my own ISP (66.214.XXX.XXX and 66.215.XXX.XXX). I don’t know whether those are legit or not.

Here’s the current policies…


http://img412.imageshack.us/img412/2997/nwpolicy2qp5.th.jpg

Here’s the current activity showing…


http://img412.imageshack.us/img412/6879/fwlog2rb2.th.jpg

You mentioned NIC, but I don’t know what that is. I went to Wikipedia for http and html, as you mentioned, but honestly, it was over my head to give me the answer needed. I know my way around a computer (to the point of being able to safely edit the registry if needed), but networking issues always seem to be written to either the top third or bottom third of the crowd (i.e., it’s either “memorize the transport protocol table” or it’s “now, plug the little cable into the black box. Good!”). I don’t know the difference between UDP, TCP, DHCP, etc. and how to tell if it’s a valid request or not, I just know how to look up IPs, what ports are suspect, etc.

Hmmm…that seems to prompt another topic for another part of the forum!

I appreciate the time you guys take to answer issues from all of us “middle and bottom third-ers”!

What is your network configuration? The data you now show looks like what you would see without a router, in terms of connection attempts by the zombies residing at your ISP. If you get rid of the “log” part of the “block and log” global rule you have, you should never see it again. But you previously showed a LAN address, which indicated you were behind a router. You don’t normally have both a LAN and WAN address for the same computer, unless you are connected to multiple networks. So how are you configured? The data looks like it came from two different computers.

  1. What kind of internet connection do you have? (DSL, Cable). Are you using PPPOE?
  2. Do you have a router? Is it in bridge mode?
  3. A NIC is a Network Interface Card, AKA network adapter, which is the card on your computer that connects to the internet. It may be a wireless adapter or an ethernet adapter. It is what determines your computer’s IP address.
  4. You only need to read the html/http stuff if you are interested; the point is that you get lots of connections from a single http request and what you show looks fine.

So you can get rid of the data you show just by eliminating the logging, but need to explain your configuration if you need any further help. :slight_smile:

–Standalone home computer (the only one).
–Cable internet through an Ambit U10C018 Cable Modem
–Pro/100 VE Ethernet card.
–No hardware router (unless the modem has its own I don’t know of) and no wireless devices.
–PPPOE? I looked that one up and it doesn’t sound like it, unless my ISP is running it that way. I don’t know how to tell if that’s a yes or no.

Appears to be TWO diff set-ups? The only change that I made (or at least authorized) between the time of the two screenshots you saw was the addition of the rule to allow the 10.XXX connections and another rule to block traffic on ports 1433/1434 (used for SQL servers).

My configuration is largely “out of the box” on my end. What my ISP (Charter Comm.) does might be another matter. If those other 66.21X entries are just infected computers on the same ISP as me (or a gothnerd down the street trying to recruit me), I can handle that. I just can’t tell the difference between a punk across town or a valid ISP “maintenance call” just by looking at the address and UDP vs ICMP vs TCP, etc.

OK; we just don’t understand how you can get both the 10.xx and the normal internet addresses at the same time. Must be something to do with how Charter sets up their system? In any case, if you block and don’t log incoming in your global rules the scans from infected computers using your same ISP should go away. Comodo will continue to block them, and not bother you with the logging. If you need to do something for Charter maintenance calls, you can put a global rule to allow it ahead of the block all in. :slight_smile:

I heard of many users that got infections with AVG installed. Sometimes the malware destroys AVG. I advise you to try also AVAST and Avira Antivir, free also.
I recommend you to do free online scans with TrendMicro (housecall), KAV, BitDefender, McAfee and NOD 32 because this unusual outbound activity is for sure caused by some malware in your computer.

We’re losing it in this topic, IMHO.
It’s almost two years I’m ringing the bells on this forum, trying to explain that PPPOE is generating this kind of traffic if you’re directly connected – FW log is turning into a traffic sniffer.
I can fill my logs in no time with megs of traffic.
There should be some way to log traffic directed to your IP, if it’s dynamic, and your NIC is directly connected to the ISP, because I’ve tried the MAC address trick but it doesn’t seem to be effective.
Nothing to worry, jle4044 - just disable “log”. Run also some stealth-tests.

You’re on a cable connection, yes? It is very common that cable providers create “networks” of their users within the boundaries of the cable provider’s equipment, for reasons of limiting IP address usage, etc. Thus, it is very common that cable users will get high volumes of non-routable (i.e., normally internal to a LAN) traffic against their firewalls. This commonly shows up as 10.x.x.x addresses, which is not normally associated with home networks.

Your ISP MIGHT be willing to explain this to you; a few users have had success with that (the majority have not had success).

Not saying you shouldn’t take steps to block and not log (the logging volume could slow down your system by consuming excess resources), and watch for any new unusual activity, just that I wouldn’t be surprised to see this kind of traffic in your scenario.

LM

Yes, I suspect LM is right that this is DHCP traffic from the cable modem network. This was discussed very heavily in another topic. In order to verify 100% you would have to do a packet capture with Wireshark or Ethereal,
which I did on my network here:
https://forums.comodo.com/help_for_v2/svchostexe25525525525522mb_in_15_minutes-t14423.0.html;msg100441#msg100441

AS mentioned I would create a block and DO NOT LOG Rule

OD

Well, the 10.XXX incoming requests are taken care of by allowing that IP range for ports 67 source/68 dest.

As for the logs from my own ISP, I don’t think I’ll be able to create any kind of specific block/don’t log for that IP range, since it looks like it’s rotating.

My IP just went from 66.XXX to 24.XXX (freaked me out when I saw it, but it still traces to my ISP; so be it, just never knew that happened.) I’d have to revise the rule whenever we changed IPs and that’s just not worth it to me. The last rule on the list, Block IP in /From IP any/To IP any/Protocol any, seems to do the trick so I’ll let that rule catch the bad traffic from my own provider.

Not familiar with “stealth-tests” unless you’re referring to stealthed ports (GRC shows all ports stealth). If you’re referring to something like wireshark, I’d have to run it and post the results. I can read a HJT report and spot the bad from the good, but not so with networking issues (that’s a black-box area to me!)

Again, thanks to everyone for your input.

I don’t see any reason to bother with Wireshark unless you want to for curiosity’s sake.
That’s a big jump in IP ranges. Your cable provider probably has 22 or max 3 ranges they assign from, but I can not guarantee it, as, if they are in need of IPs, they could buy them from most anyone who was willing to sell them to them.

OD
P.S. With the exception of spoofing, there is no risk I am aware of on ports 67/68; these are pretty much limited to DHCPs, BOOTPs / DHCPc, BOOTPc.

From a security standpoint (if you want to be kinda paranoid), any ports on which you Allow Inbound connection (such as for DHCP), can create a potential for exploitation. Not saying there’s a big risk, that’s why it’s a “paranoid” factor… :wink:

That said, if you want to mitigate any risk, specify the Source IP for the Inbound (if possible). Your ISP should be able/willing to provide you a list of their DHCP servers if you explain that you want to make sure that bypasses your firewall properly. Another possibility is to regularly open a command prompt (start/run, type “cmd”) and type in “ipconfig /all” (no quotes). Look for the DHCP server IP address(es). Your locale should have a relatively limited # of DHCP servers, in my experience, and easy to identify this way. Then you can create an IP set to use in your rule to allow Inbound for DHCP.

Hope that makes sense.

LM
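LM's suggestion above (run `ipconfig /all`, note the DHCP server address(es), and restrict the inbound DHCP allow rule to those sources instead of all of 10.x.x.x) can be automated so that repeated runs accumulate the servers actually seen. The script below is an added example, not part of this thread or of Comodo: the `ipconfig /all` text is a constructed XP-style excerpt (addresses in the 203.0.113.0/24 documentation range stand in for the poster's real WAN address), and the rule notation `allow/udp/in/<src>/67/<dst>/68` follows sded's post above. It emits one rule for the broadcast reply (destination 255.255.255.255) and one for the unicast reply a server sends to the client's own address on a lease renewal, since a rule written only for the broadcast destination would not cover the second form.

```python
"""Extract DHCP server addresses from `ipconfig /all` output and build a
source-restricted inbound DHCP allow rule from them.

Added example. The ipconfig text is constructed; the rule format is the
compact notation used in the thread, not Comodo's real export format.
"""
import re

# Constructed XP-style `ipconfig /all` excerpt. 203.0.113.x is a documentation
# range used here as a stand-in for the poster's WAN address.
SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : HOMEPC
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 203.0.113.17
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 203.0.113.1
        DHCP Server . . . . . . . . . . . : 10.232.128.1
        DNS Servers . . . . . . . . . . . : 203.0.113.2
                                            203.0.113.3
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# `ipconfig` pads labels with " . . ." before the colon; match any label text
# that begins with the key, then the dots, then the colon.
DHCP_SERVER_RE = re.compile(r"DHCP Server[ .]*:\s*" + IPV4, re.IGNORECASE)
IP_ADDRESS_RE = re.compile(r"^\s*IP Address[ .]*:\s*" + IPV4, re.IGNORECASE | re.MULTILINE)


def dhcp_servers(ipconfig_text):
    """Unique DHCP server addresses listed in one `ipconfig /all` run."""
    return sorted(set(DHCP_SERVER_RE.findall(ipconfig_text)))


def own_addresses(ipconfig_text):
    """The adapter's own IPv4 address(es) from the same output."""
    return sorted(set(IP_ADDRESS_RE.findall(ipconfig_text)))


def merge_observed(history, ipconfig_text):
    """Add this run's servers to the set built up over repeated runs, since an
    ISP may hand out leases from more than one server over time."""
    return sorted(set(history) | set(dhcp_servers(ipconfig_text)))


def dhcp_allow_rules(servers, own_ips):
    """Rules in the thread's notation: one per server for the broadcast reply
    and one per server/own-IP pair for the unicast reply on lease renewal."""
    rules = []
    for srv in servers:
        rules.append(f"allow/udp/in/{srv}/67/255.255.255.255/68")
        for ip in own_ips:
            rules.append(f"allow/udp/in/{srv}/67/{ip}/68")
    return rules


if __name__ == "__main__":
    seen = merge_observed([], SAMPLE_IPCONFIG)
    for rule in dhcp_allow_rules(seen, own_addresses(SAMPLE_IPCONFIG)):
        print(rule)
```

On the real machine, pipe the command output into the parser (`ipconfig /all > ipconfig.txt`, then read the file); rerun over a few days and keep the merged server list, then put the resulting allow rules ahead of the final block-all rule, as the earlier posts describe.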