FireWall picks up a ton of connection attempts (blocked).

Hello, I just tried out Comodo (I heard it was the best) but when I open the FW log I get a zillion requests from a single destination source.

172.31.; the next two decimal points alternate between 131.60/130.60 etc. They are all by the SYSTEM app and they are ALL on PORT 2869, 137 or 445 (JUST those three ports).

The REAL strange part is when I go into active connections. All my source IPs are 172.31.131.60 etc. etc. (same as above). This is from svchost, AvastSvc.exe, ieexplorer, game clients EVERYTHING uses the 172.31.X.X as the source IP.

So I guess I want to know what’s up with this, anything malicious or is this what IP things do. I’m just starting to grasp all this nonsense, any help would be great. :)

The IP addresses you’re seeing fall within a range of private non-routable addresses defined by RFC 1918. These are:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Essentially, this means any device with an address in this range is a local (private) address and not an Internet address. I’d guess this is the address space used by your ISP. A simple ipconfig /all from a command prompt will likely show your address to be within this range.

The port identifiers you’re seeing relate to specific services that you may wish to disable, as I’m guessing you don’t have a router?

UDP - 2869 - SSDP (Simple Service Discovery Protocol). This is used in conjunction with UPnP for discovery and notification/subscription by devices that support UPnP.
TCP/UDP - 137 - 139 - NetBIOS over TCP/IP. These services are used by devices on a LAN that participate in Microsoft File and Printer Sharing.
TCP/UDP - 445 - SMB over TCP/IP. This is a similar service to NetBIOS but is used in slightly different circumstances.

If you have no need for these services you may either disable them or create firewall rules to block the connections.

For information on how to create rules for NetBIOS and SMB, please see this thread.

Before performing the following, please ensure you do not require these services.

To disable NetBIOS, you need to change the properties on the network adapter card (see image)

To disable UPnP/SSDP you can disable the services (see image): open the Start menu and in the Run command type services.msc. Stop and disable SSDP and UPnP.


I would add that the APIPA address range of 172.16.0.0 - 172.31.255.255 is not normal for an individual using a home PC. Windows by default will use DHCP to assign an address in the 192.168.x.1 - 192.168.x.255 range. The DHCP server that assigns this address is usually resident on your router if connected, or on your ISP server. There are some ISPs, the cable providers I believe, that do indeed assign private IP addresses in the APIPA range.

Assignment of the APIPA address range usually indicates that DHCP assignment failed and Windows assigned a default internal address. Check your OS event logs and see if there are events related to DHCP failure and post your findings.

What type of connection are you on Bombadillo? Cable, ADSL, satellite, etc? Is there a router present?

I remember from another topic where traffic in the 172 range was caused by a set top box. Do you have a set top box for a service from your cable company?

The address spaces defined by RFC 1918 are not APIPA (Automatic Private IP Addressing) addresses. These address blocks are reserved for private Internets and may be allocated manually or via DHCP/Bootp.

APIPA addresses are defined in RFC 3927 and are identified by the 169.254/16 prefix. Addresses from this range are typically allocated automatically, in the absence of a manually defined address or DHCP/Bootp failure.

Whilst it’s fairly typical for a ‘home user’ with a domestic router or ICS to assign addresses from the 192.168/16 block, there is nothing to stop them from using either of the other reserved spaces. Typically, however, these are used by entities that require more addresses than those offered by the 192.168/16 block.

As you rightly point out, a number of cable providers and others do provide their users with an address from a reserved block. My ISP provides addresses from the 172.16/12 block, to provide access to local facilities such as IPTV, online gaming and others. I also receive a valid Internet address. Other providers use addresses from the 10/8 block.
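The two points made in this thread, that 172.16/12 is RFC 1918 private space rather than APIPA (169.254/16), and that blocked entries on ports 2869, 137-139 and 445 between private addresses are LAN discovery and file-sharing chatter, can be checked mechanically. The script below is an added example written for this thread, not code from Comodo or from any poster. It classifies each address explicitly against the RFC 1918 and RFC 3927 blocks (rather than relying on a library's broader notion of "private"), labels the destination port with the service names given above, and reports whether a set of blocked entries matches the poster's pattern. The log line format and the sample lines are constructed for the example and are not Comodo's real log layout.

```python
import ipaddress
import re
from collections import Counter

# Reserved blocks named in the thread: RFC 1918 private space and the
# RFC 3927 link-local (APIPA) block, kept separate so the two are not confused.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),
]
APIPA_BLOCK = ipaddress.ip_network("169.254.0.0/16")

# Destination-port labels as described in the thread (LAN discovery / file sharing).
LAN_SERVICE_PORTS = {
    2869: "SSDP/UPnP",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP/IP",
}

# Simplified, constructed line format (hypothetical, not Comodo's own):
# "<date> <time> <ACTION> <app> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<app>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample entries mirroring the pattern the original poster describes.
SAMPLE_LOG = [
    "2010-01-01 12:00:01 BLOCKED SYSTEM UDP 172.31.131.60:49152 -> 172.31.130.60:2869",
    "2010-01-01 12:00:02 BLOCKED SYSTEM UDP 172.31.131.60:137 -> 172.31.130.60:137",
    "2010-01-01 12:00:03 BLOCKED SYSTEM TCP 172.31.131.60:50211 -> 172.31.130.61:445",
    "2010-01-01 12:00:04 BLOCKED SYSTEM TCP 172.31.130.60:50212 -> 172.31.131.60:445",
    "2010-01-01 12:00:05 ALLOWED svchost.exe TCP 172.31.131.60:50213 -> 203.0.113.10:80",
]


def classify_address(addr):
    """Return 'apipa', 'rfc1918', 'loopback' or 'public' for an address string."""
    ip = ipaddress.ip_address(addr)
    if ip in APIPA_BLOCK:
        return "apipa"       # DHCP failed and Windows self-assigned 169.254.x.x
    if any(ip in block for block in RFC1918_BLOCKS):
        return "rfc1918"     # private, non-routable: LAN or ISP-internal traffic
    if ip.is_loopback:
        return "loopback"
    return "public"


def parse_line(line):
    """Parse one log line into a record with address classes and a service label."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["src_class"] = classify_address(rec["src"])
    rec["dst_class"] = classify_address(rec["dst"])
    rec["service"] = LAN_SERVICE_PORTS.get(rec["dport"], "other")
    return rec


def summarize(lines):
    """Count BLOCKED entries by (destination service, source address class)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "BLOCKED":
            counts[(rec["service"], rec["src_class"])] += 1
    return counts


def looks_like_lan_chatter(lines):
    """True when every BLOCKED entry is RFC 1918 -> RFC 1918 on a LAN service port.

    That is the poster's pattern: noisy discovery/file-sharing traffic between
    private addresses, not connection attempts from an Internet host. Any blocked
    entry from a public source, or to an unlisted port, makes this return False.
    """
    recs = [r for r in map(parse_line, lines) if r and r["action"] == "BLOCKED"]
    return bool(recs) and all(
        r["src_class"] == "rfc1918" and r["dst_class"] == "rfc1918" and r["service"] != "other"
        for r in recs
    )


if __name__ == "__main__":
    for (service, src_class), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {service:<24} from {src_class} source")
    print("LAN chatter only:", looks_like_lan_chatter(SAMPLE_LOG))
```

Run it as-is to see the sample summary, or replace SAMPLE_LOG with lines converted into the same field order from a real firewall export. A False result from looks_like_lan_chatter is the case worth looking at: it means at least one blocked entry came from a public address or targeted a port outside the LAN service list.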