Flooded by dhcp port 68

Dear All

I am quite new to the Comodo system, but having been prompted by a friend to try it, installed and ran under normal setup.

System I use is AMD3500+ running windows XP, updated.
NOD32 AV etc running behind this.
Cable, 4MB connection.
UK resident.

Online scans show my ports 1-1000+ as being stealthed.

My problem is that when online Comodo shows a medium alert every 2-10 seconds from a specific IP address trying for dhcp port 68. IP 10.4.96.1 ( American based I believe)

Other alerts are being generated showing consistent scans from other IPs, but not to the degree of this one IP.

What I have been told, and the little I have managed to read on this subject and port, has got me a little worried.

I had p2p running approximately 6 months ago but no longer use any; the machine is predominantly used for online gaming and over the last month or so I have been seeing all sorts of problems with this. Could the matters be related?

Can anyone give me some advice on what action to take on this matter?
I am currently at work so this is based on memory; any further information required I can try and get, but that will be when I finish.

Many Thanks
Lasyra

I can give you some information about the IP:

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

Regards

I had looked the IP address up using ARIN, which is why I assumed an American location, but also noted that…

NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
NetName: RESERVED-10
NetHandle: NET-10-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate:
Updated: 2002-09-12

RFC 1918 refers to Private Address Space, which seemed to confuse me further.

My real point is, should I be concerned with these constant alerts to this port, and can I stop them?

Many Thanks

That’s a network (LAN) address; it is internal to a group of computers and is not coming from the internet. It’s intranet, non-routable.

If you’re seeing this, it’s because it’s coming from the network you’re joined to. Either your modem functions as a router with NAT (network address translation) so that you have a different external IP address (assigned by your ISP) than the internal networked IP (10.x.x.x), or (and I’ve seen this a number of times with cable connections) the cable ISP creates a “network” of users based on the ISP’s equipment. Thus, the users see apparent “network” traffic even though they’re not aware of being on a network.

Look on the Summary page of CFP (main page) and see what IP address it uses to identify your machine. Does it match up in the 10.x.x.x range, or something else?

LM

Comodo is seeing my IP address as 82.*** so not 10.***, using an NVIDIA nForce networking controller.

Sorry to be such a pain, but a little more info came my way relating to another problem I have been seeing.
I play Guild Wars online. I have recently been experiencing all types of problems with this and, following advice from their forums, did a complete re-install, waited an eternity for files to download etc. Comodo pops the GW.exe up, which I allowed and continued as normal.
All worked fine, could select a character and play the game.
After shutting down and coming back to it later, it allows me to the login screen and password, but after entering these refuses to connect.
There is an inbuilt diagnostic utility with this, that last night I ran.
Lo and behold, 10.***… was the second hop after my IP address. I therefore think Little Mac was onto something regarding this.
I notice from the pingtrace log that it ‘lost’ 4/4 of the packets through this hop.
The connection after this address shows some deterioration, but not on that scale.
I can only assume that these two are connected? Should I therefore be allowing the connection attempt from the said address?
Apologies for my lack of knowledge on this subject, but really I haven’t got a clue and I appear to be wallowing in a sea of mud here.
As before, any help appreciated, especially if it is to do with a rule build.

All other online games I am running appear to be running fine, browsing email etc seem to be unaffected.

Just to make sure we cover our bases, will you go to Start/Run and type “cmd” (no quotes). At the DOS prompt that opens, type “ipconfig /all” (again, no quotes). See what your IP address is there, your Default Gateway, DHCP & DNS Servers. Are there any matches to the 10.x.x.x IP?

If there are no matches there, I would suggest providing that 10.x.x.x IP address (or addresses, if more than one) to your ISP and asking what they know about it. Most likely a low-level tech won’t have an answer for you. If they can give you specific info (exact IPs you should be seeing, etc) that would be good.

If there are matches, let us know, and we’ll address rules-creation.

LM

Thanks for the help so far, much appreciated.

There is no reference to the 10.x.x.x:

host name…:xxxxxx
Primary Dns suffix…:
Node type…:Unknown
IP Routing Enabled…:No
WINS Proxy Enabled.:No

DHCP enabled…yes
auto confic…yes

IP Address…82.x.x.x
subnet mask…255.x.x.x
default gateway…82.x.x.x
dhcp server…62.x.x.x
dns server…194.x.x.x
…194.x.x.x

netbios over Tcpip.Disabled
lease obtained …4th September
lease expires…8th September

Will try and get hold of Virgin Media over this, but if previous attempts are anything to go by, that doesn’t bode well.

Again, much appreciated.

I’m almost 100% positive that it relates to the cable connection, as I’ve seen evidence of it too many times before.

What I don’t know is exactly why, or if it’s safe (or necessary) to Allow. I absolutely do not want to just say that it is safe to allow, and that you need to do so to correct the problem. I understand that ISP tech support may not be of much benefit; unfortunately, I think they’re the only ones to answer the question. Hopefully they will.

IMO, the low-level techs won’t have a clue; you’ll have to escalate to a higher-level one to get any real information.

LM

PS: Please keep us posted of their response…

Will do, so far I have tried to speak with a support operative but a slight language barrier in the way.

I have emailed Virgin on their support listing my problem and asking for assistance.
I have also emailed the PlayNC support which is part of the Guild Wars game enclosing the diagnostic report.
Hopefully one of the two will be able to shed some light on this.
Fingers crossed.

Taken a little time but here is the official view from Virgin, my cable SP.

The IP address that is contacting your PC is from the dhcp checking that the modem is active and it is ok to allow it access. It is a routine ping to make sure that the modem is active and online and reports back to the dhcp that it is active and ok.
This is done for our benefit as to see how many modems are connecting to the dhcp, as to diagnose any problems that may occur with the dhcp as an advanced warning of problems that may be occurring in your area. It then alerts us if we find that we get a lot of non-responsive replies to deploy engineers to diagnose faults. I hope this explanation puts your mind at ease and it is ok to allow that connection request to your firewall.

This then goes forward to a rule.

As to my second problem with Guild Wars, which is where I noticed this IP address being thrown up, there was a conflict with my AV, which I thought I had actually tried the work-around for, but obviously not correctly. This is now sorted.

Hey, I’m glad they gave such a concise response! Far better than expected, yes?

Do you know how to create the necessary Network rule(s) to allow that connection, or do you need/want some help with that (even just to check for accuracy)?

Glad you got the GW problem sorted.

LM

I really need to sit down and study the tutorials at some point, but with the family and work that is sometimes difficult.
If someone would be kind enough to post a rule I can use, and maybe a very concise explanation of it, I would be most grateful.

No problem. Open Network Monitor, right-click any rule and select Add/Add Before (this makes sure it will come before the bottom Block & Log All rule, which we need it to be). Build the rule like this:

Action: Allow
Direction: In
Protocol: UDP
Source IP: 10.4.96.1
Destination IP: Any
Source Port: 67
Destination Port: 68

You might reboot following the creation of this rule.

There are two things I’m guessing at, from the information you provided…

Protocol: UDP
Source Port: 67

This is based on it being related to DHCP. However, they mention a “ping” which is more commonly ICMP or TCP (for Protocol). If the Protocol is not UDP, the Source Port may not be 67. You should be able to confirm this from your log entries.

LM
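As an added example, not part of this thread or of Comodo: a short Python script that checks firewall alert lines against the rule LM describes above (Allow / In / UDP / 10.4.96.1 / Any / 67 -> 68) and against his two caveats (the traffic may not be UDP, and the source port may then not be 67), and also reports which alert sources fall inside the RFC 1918 ranges from the earlier ARIN lookup. The "PROTO src:sport -> dst:dport" line shape and the sample alerts are constructed assumptions, not Comodo's real log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alert lines in a simplified "PROTO src:sport -> dst:dport"
# shape; this shape is an assumption for the example, not Comodo's own log format.
SAMPLE_LOG = """\
UDP 10.4.96.1:67 -> 82.0.0.10:68
UDP 10.4.96.1:67 -> 82.0.0.10:68
ICMP 10.4.96.1:0 -> 82.0.0.10:0
UDP 192.0.2.9:67 -> 82.0.0.10:68
TCP 203.0.113.5:4444 -> 82.0.0.10:135
"""

# The Network Monitor rule from the thread: Allow / In / UDP / 10.4.96.1 / Any / 67 -> 68
RULE = {"proto": "UDP", "src": "10.4.96.1", "sport": 67, "dport": 68}
# RFC 1918 ranges only (ipaddress's is_private covers more than RFC 1918, so list them explicitly)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())  # returns None for lines that do not fit the shape
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return {"proto": proto, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def classify(pkt, rule=RULE):
    """Label an alert relative to the rule; the two non-'allowed' labels are LM's caveats."""
    dhcp_shape = pkt["proto"] == rule["proto"] and pkt["sport"] == rule["sport"] and pkt["dport"] == rule["dport"]
    if dhcp_shape and pkt["src"] == rule["src"]:
        return "allowed-by-rule"          # exactly what the rule permits
    if dhcp_shape:
        return "dhcp-shape-other-source"  # server-to-client DHCP shape from an IP the rule does not name
    if pkt["src"] == rule["src"]:
        return "rule-ip-other-protocol"   # same IP but not UDP 67->68: the rule will not cover it
    return "unrelated"

def summarize(log_text, rule=RULE):
    counts, private_sources = Counter(), set()  # label counts and RFC 1918 (LAN-side) sources seen
    for pkt in filter(None, map(parse_line, log_text.splitlines())):
        counts[classify(pkt, rule)] += 1
        if is_rfc1918(pkt["src"]):
            private_sources.add(pkt["src"])
    return dict(counts), sorted(private_sources)
```

Running summarize(SAMPLE_LOG) shows two alerts the rule would allow, one from the same 10.4.96.1 address that the rule would still block because it is not UDP 67->68, and one DHCP-shaped alert from an address the rule does not name.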