Determining the Good from the Bad IP intrusions

Greetings Comodo,

Attached is a screenie of my firewall events log; I just set up my Dlink wireless router in conjunction with my cable modem and voIP router.

My feeling is that most if not all of these IPs listed as intrustion attempts are actually ok and should be allowed. My question is: how do I know for sure?

I ran ipconfigu /all and none of these IPs appeared. Is there any way to prove what I think is the case i.e. that these IPs should be part of my network?


[attachment deleted by admin]


Does your router have a built in (enabled) hardware firewall? And what is your stealth ports wizard set to?
(Firewall > Stealth Port Wizard.)

Thanks for responding and yes my wireless router does have an enabled firewall. In fact, just yesterday I had do a major reworking because the Dlink firewall was blocking my voIP router.

My stealth ports wizard is using “Define a new trusted network” where I have listed all my current networks but none of those networks contain any of the IPs appearing on my firewall events log. Does that shed any light on this problem? I have 154 blocked intrusion attempts and counting . . . :o

I guess your router is letting these UDP requests through and CFP is blocking them. Did you go over the settings for your hardware firewall?

I’m sorry to be so ignorant about this but, what exactly do you mean by “go over the settings” for the hardware firewall? I have access to an online admin site for the Dlink . . . is that were I need go?

The settings to your router. You can usually access it by typing or into your browser URL. You might need a password (you can look in the manual or look it up online).

Ok so that’s what I thought. Yes I do have access to that online. The question is: what must I do when I get there? I was just there a few minutes ago and I did not see any of the IPs listed on the Firewall events in those settings.

Fyi, I went to and looked up one of the IP address appearing on my firewall events log and it said: is not listed in the SBL is not listed in the PBL is not listed in the XBL

Is this possibly a way to determine if the IP address is ok to include my defined networks?

Look for firewall settings and see what you are blocking. It looks like your router is letting UDP requests through becuase CFP is blocking them.

None of those IPs look like they belong to your network.
You can use a “whois” to look up each Ip.
The IP belongs to microsoft.

Look for firewall settings and see what you are blocking.

For my Dlink router, under firewall settings/NAT endpoint filtering/UDP endpoint filtering it is set to address restricted. The other two selections in this area are a) Endpoint Indpendent and b) Port and Address restricted. Is the selected setting (address restricted) part of this problem?

It looks like your router is letting UDP requests through becuase CFP is blocking them.

I don’t quite understand the significance of this: Should my Dlink router be letting in UDP requests or is this a bad thing?

The IP belongs to microsoft. is Yahoo is my voIP provider is someone/company in Bulgaria is someone/company in China is a telecom company in China

Why is microsoft trying to get into my network? Could this be an attempt to update XP? Why is Yahoo trying to get into my network? Should I allow my voIP provider access to my network? I assume I should do this since they are providing my phone service. Is it likely that the IP intrusions from Bulgaria and China are examples of malicious intrusion attempts?

My main concern in all of this that CFP is blocking connections that aren’t malicious and should be allowed resulting in poor internet and/or voIP service.

320 intrusion attempts and counting . . . ???

It depends if you are have your router set to block UDP or not. For example, my router is set to block all incoming requests, so I don’t get any UDPs, TCPs, etc. Can i see a screenshot of what you’re describing above with your router settings?

Sorry, but I don’t why MS, Yahoo and voIP are sending those requests.
As for the China and Bulgaria requests, I wouldn’t let those in. Probably port scans and such.