Fragmented IP Packet, Fake or malformed UDP packet

Recently I’ve been getting “High” alerts for both Fragmented IP Packet and Fake or Malformed UDP Packet (usually both from the same IP, over and over, rotating between one error and the other). I block the IPs in question, but that only seems to block the fake or malformed UDP packets, and not the Fragmented IP packets. A friend of mine told me this is probably some sort of attempted DoS attack, but I’ve come here seeking further explanation/help.

I’m running XP Pro, and version of Comodo Firewall Pro. I assume the “attack” is being launched via BitTorrent, as the destination listed in the logs is the port I use for torrents (mostly Linux ISOs. It’s sad that you’ve got to defend a type of traffic anymore.) Whois’ing the IPs reported in the logs, I’ve gotten locations from the Netherlands to a university in Michigan (which leads me to believe that maybe the firewall is a little overzealous? I can’t imagine that someone is launching a specific attack from both a university connection in Michigan and a server in the Netherlands, among other places.)

Could it be that fake/malformed UDP packets and fragmented IP packets are just a reality of how torrents work? Either way, if there is some method for blocking this type of traffic, or a way for it to notice someone is sending bad data (and then to auto-block their IP, if that is possible), I’d be appreciative. Logs could be provided if needed, but it’s basically one and then the other, over and over again, from the same IP in most cases. Not sure how much more info could be gleaned from logs over what I’ve already stated. Thank you.

This user had similar problems to what I’m experiencing, which leads me to believe that truly it is just an inherent problem with the BitTorrent protocol. If there has been any new insight in the past months since this user was having the problem, I’d like to know about it. Thanks.
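The pattern described in the question (one source IP alternating between the two alert types, always aimed at the torrent listening port) is easy to confirm from the log rather than by eye. The following is an added triage script, not part of the thread or of Comodo’s software; the log line layout and the sample lines are constructed for the example, since the real CFP log format is not shown in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed "date time alert src:port -> dst:port" layout.
# 10.0.0.5:51413 stands in for the poster's own host and torrent listening port.
SAMPLE_LOG = """\
2007-02-10 21:03:11 Fragmented IP Packet 192.0.2.10:6881 -> 10.0.0.5:51413
2007-02-10 21:03:12 Fake or Malformed UDP Packet 192.0.2.10:6881 -> 10.0.0.5:51413
2007-02-10 21:03:14 Fragmented IP Packet 192.0.2.10:6881 -> 10.0.0.5:51413
2007-02-10 21:04:01 Fake or Malformed UDP Packet 198.51.100.7:44123 -> 10.0.0.5:51413
2007-02-10 21:05:30 Fake or Malformed UDP Packet 203.0.113.9:1024 -> 10.0.0.5:135
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (.+?) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse(log):
    """Turn log text into a list of alert events; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, alert, src, _sport, _dst, dport = m.groups()
            events.append({"ts": ts, "alert": alert, "src": src, "dport": int(dport)})
    return events


def triage(events, torrent_port):
    """Count alerts per source IP and flag sources that hit anything but the torrent port."""
    by_src = defaultdict(Counter)
    ports_by_src = defaultdict(set)
    for e in events:
        by_src[e["src"]][e["alert"]] += 1
        ports_by_src[e["src"]].add(e["dport"])
    report = {}
    for src, counts in by_src.items():
        ports = ports_by_src[src]
        # A peer that only ever hits the torrent listening port with these two alert
        # types fits the DHT/peer-traffic explanation; any other destination port
        # is unexplained by torrenting and deserves a closer look.
        verdict = "likely-dht-noise" if ports == {torrent_port} else "review"
        report[src] = {"alerts": dict(counts), "ports": sorted(ports), "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in triage(parse(SAMPLE_LOG), 51413).items():
        print(src, info)
```

Run it against an exported log after substituting the real line layout; sources flagged "review" are the ones worth blocking or investigating, the rest are what the thread calls DHT noise.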

Yep, that’s exactly how it is… most likely you have DHT enabled (DHT is what causes UDP traffic in BitTorrent). Solution: either disable DHT (can have a negative impact on speeds) or disable “Block fragmented IP-datagrams” in “Advanced attack detection and prevention”. In fact, for best BitTorrent performance you need to disable most of the advanced detection stuff.

That’s what Egemen states as well, but I’ve tried disabling both “Block fragmented IP-datagrams” and protocol analysis without noticing any speed change. I wonder if the application has to be restarted.

Yeah, DHT is enabled. The only things blocked I ever see are the malformed UDP and the fragmented IP errors. Other than that, I get the occasional blocked IGMP packet. Would I really get a speed boost from disabling the firewall while I’m torrenting? Is there a way to set it so that traffic to and from Azureus doesn’t get checked/filtered? I’d hate to turn all my protection off just to get a couple of extra kB/s from a torrent =/

Any torrent experts out there?

Other than the essential allow App & Net rules that must be created for the P2P program to function properly, the only real tweak I’ve noticed for a slight speed increase is to create Net rule(s) to allow ICMP in and out for destination unreachables.

How would I go about making it stop telling me that there is a fake/malformed UDP packet, or fragmented IP packet? If we’re all in agreement that it’s not some sort of an attack, or otherwise a security risk, I’d like to keep it from appearing in my logs (and pushing out any real attacks that might occur).

Also, would allowing IGMP (I don’t even know what IGMP is, heh ^^;.) be a security risk? It seems to get requested from time to time by Azureus. I guess what I’m trying to do is make my client as accessible to other clients as possible, without hurting my security overall (by allowing too much) or killing my speed (by not allowing enough).

Do NOT disable the firewall entirely while torrenting. It doesn’t solve the problem, only “hides” it, and leaves you unprotected.

You could try and change the rule in “Application monitor” for your torrent client to “allow all activity for this application”. Sometimes just checking the “Skip advanced security checks” box in “Miscellaneous” does the trick.

In order to stop the constant asking, you need a rule in Network monitor allowing the traffic that triggers the alerts. Make sure the “Create alert if this rule is triggered” box is unchecked. I believe that you need to restart Comodo after making the changes…

I use uTorrent almost constantly, and for these fragmented IP, fake, malformed UDP, etc. alerts I just ignore them. There’s no need to worry other than the possible annoyance of your CFP log being filled up.