Comodo blocks my DNS server for doing a port scan

From time to time this is in my log list:

Date/Time :2007-02-07 17:57:57
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 62.179.100.29
Ports: 22533, 58884, 59140, 59652, 61444, 5893, 6405, 6661, 6917, 7173, 7429, 7685, 7941, 8453, 8965, 9221, 9477, 9733, 9989, 10245, 11013, 21253, 21509, 22021, 22277, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

This is my DNS server (at my ISP). It can’t be blocked. How do I avoid this happening?
Can I put it on a white list? Or should I complain to my ISP about the port-scan?

Hi Lars-Erik

Were you using SysInternal’s Process Explorer or something else that might resolve Domain Names?

I get similar alerts, where the ‘attacker’ is the DNS server:

Date/Time :2007-02-07 09:48:26
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 68.87.76.178
Ports: 9477, 2053, 2309, 2565, 2821, 3077, 3333, 3589, 4101, 4357, 4613, 4869, 5125, 5381, 5893, 6149, 6405, 6661, 6917, 7173, 7429, 7685, 8197, 8453, 9221, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

WinXPSP2; Linksys WRT54GS router. Process Explorer is apparently not the reason; ie, I get the alerts without running ProcExp. Do WinPatrol, or Proxomitron resolve domain names? I also run System Safety Monitor, but that is not the cause either.

Hi agfra, welcome to the forums.

I only mentioned Process Explorer (PE), as I can provoke this response quite easily with PE. PE has a Properties option that you can select for a process & one of the tabs on PE’s Properties screen is TCP/IP with an option to resolve. If you select Properties, PE will attempt (by default) to resolve all TCP/IP connections… and depending on what you’re doing this can be a lot of resolves… easily more than 50 a second (CFP’s Intrusion Detection default Ports Probe Rate). CFP interprets all the incoming DNS request replies as a port scan. You can easily test this by denying PE Internet access (which causes no harm) or by increasing the Port probe rate.

I’m not sure about SSM, WinPatrol or Proxomitron.
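Added example (not from the thread and not Comodo's code): a simplified model of a rate-based UDP probe counter, showing why a burst of DNS replies exceeds the 50-ports-per-second rate mentioned above, and how matching each reply to an outstanding outbound query avoids the false positive. The one-second window, the reply timeout, the function names and the addresses (RFC 5737 documentation ranges) are assumptions.

```python
from collections import defaultdict

PROBE_RATE = 50    # distinct local ports per window (the default rate quoted in the thread)
WINDOW = 1.0       # seconds; assumed window length
REPLY_TTL = 5.0    # seconds an outbound query stays "outstanding"; assumed

DNS = "192.0.2.53"       # constructed resolver address
OTHER = "198.51.100.7"   # constructed unsolicited source

def detect(packets, stateful):
    """packets: (time, direction, remote_ip, remote_port, local_port) tuples.
    Returns the set of remote IPs flagged as UDP port scanners."""
    pending = {}                # (remote_ip, remote_port, local_port) -> send time
    seen = defaultdict(list)    # remote_ip -> [(time, local_port)] inside the window
    flagged = set()
    for t, direction, rip, rport, lport in packets:
        if direction == "out":
            pending[(rip, rport, lport)] = t
            continue
        sent = pending.pop((rip, rport, lport), None)
        if stateful and sent is not None and t - sent <= REPLY_TTL:
            continue            # solicited reply to our own query, not a probe
        hits = [(ts, p) for ts, p in seen[rip] if t - ts < WINDOW]
        hits.append((t, lport))
        seen[rip] = hits
        if len({p for _, p in hits}) > PROBE_RATE:
            flagged.add(rip)
    return flagged

def sample_traffic(lookups=60):
    """Constructed traffic: `lookups` DNS queries and replies in under a second,
    each from a fresh local port, plus unsolicited UDP to as many ports."""
    pkts = []
    for i in range(lookups):
        t = i * 0.01
        pkts.append((t, "out", DNS, 53, 20000 + i))         # our query
        pkts.append((t + 0.005, "in", DNS, 53, 20000 + i))  # resolver's reply
        pkts.append((t + 0.002, "in", OTHER, 40000, 1000 + i))
    return sorted(pkts)

if __name__ == "__main__":
    traffic = sample_traffic()
    print("naive   :", sorted(detect(traffic, stateful=False)))
    print("stateful:", sorted(detect(traffic, stateful=True)))
```

The naive counter flags the resolver because every reply lands on a different local port; the stateful one flags only the source that was never queried.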

In fact I do use Process Explorer. So I tried to look at the TCP/IP properties for all programs that use the net. But I couldn’t recreate the log entry. At least not now. I’ll keep a look on that.

I’m pretty sure that Proxomitron uses a local loopback connection in addition to 80 and 443, but doesn’t do name resolution.

Question out of left field, could these DNS sourced probes be caused by an inbound P2P request looking for a seed or host and testing multiple ports?

Ewen :)

Just to add a bit of information, I use both utorrent and emule+.

(Question: Isn’t Why out in left field? - Abbott and Costello circa 1938. ;))

Third base!
;)

All I know is, Who’s on first…

LM