How and Why did my ISP do a UDP scan of ports BEHIND a H/W FW?

Got a bit of a shock yesterday. Here is what happened and I would like some ideas / facts as to what went wrong here if anything.

I had forgotten that many moons ago (before CFW) my own ISP’s IP was in the trusted zone of IE6.
I have now removed it, but I always use FF anyway UNLESS S/W uses IE by default.

Then I got this log: I have never knowingly been scanned before!

COMODO Firewall Pro Logs
Date Created: 15:30:46 08-06-2007
Log Scope:: Today Date/Time :2007-06-08 15:04:44
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: xx.yy.zzz.198
Ports: 43783, 34055, 38151, 29703, 40455, 37895, 38407, 40711, 37639, 40967, 33799, 41223, 37127, 30215, 41479, 41991, 41735, 35079, 39431, 42503, 43015, 35335, 39175, 43271, 43527, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked
End of The Report

Hi Escalader,
Can you tell if the address is your ISP nameserver?
Happened to me a lot (2-3 times per week). Then, I’ve realized I was accessing web pages having lots of external links and pictures from those links. Also, I had svchost net access completely blocked.
So, on a high speed connection, CFP 2.4 can interpret this as a scan.
Please try to remember what pages you’ve accessed and try to reproduce the event.
Have you svchost blocked?
Unfortunately, I cannot test my theory because I’ve replaced 2.4 with the V3 Alpha, and on the latter this doesn’t report as a UDP scan.

Hope this helps,
Gabi

Question, is xx.yy.zzz.198 your DNS?

I saw something like this and started a thread,
https://forums.comodo.com/index.php/topic,9401.0.html,
and ocky there pointed out an earlier thread. I don’t think it’s been explained.

These cases come from various servers, but in all but one, there are 24 or 25 port numbers followed by 25 or 26 nulls. Isn’t that curious? What is the common denominator?

Escalader, what kind of router or h/w firewall are you behind?

Yes, it is my DNS server all right. Here is the WhoIs for those (like me) who want the evidence! :THNK

My H/W FW is an AlphaShield and it is between the router and the DSL line, so both my PC and the Gaming PC are shielded (or so I thought). Setup is hardwired Ethernet, no wireless.

OrgName: Rogers Cable Communications Inc.
OrgID: RCC-104
Address: One Mount Pleasant
City: Toronto
StateProv: ON
PostalCode: M4Y-2Y5
Country: CA

NetRange: 64.71.240.0 - 64.71.255.255
CIDR: 64.71.240.0/20
NetName: ROGERS-CAB-104
NetHandle: NET-64-71-240-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Assignment
NameServer: NS2.YM.RNC.NET.CABLE.ROGERS.COM
NameServer: NS2.WLFDLE.RNC.NET.CABLE.ROGERS.COM
NameServer: NS3.YM.RNC.NET.CABLE.ROGERS.COM
NameServer: NS3.WLFDLE.RNC.NET.CABLE.ROGERS.COM
Comment:
RegDate: 2004-03-08
Updated: 2006-12-05

OrgTechHandle: IPMAN-ARIN
OrgTechName: IP MANAGE
OrgTechPhone: +1-416-935-4729
OrgTechEmail: ipmanage@rogers.wave.ca

ARIN WHOIS database, last updated 2007-05-21 19:10

Enter ? for additional hints on searching ARIN’s WHOIS database.

What I got from the earlier threads was that the hardware f/w and router would pass the messages from the DNS server if they were in response to DNS requests originating in the PC. And CFP would block them if the process making the requests had shut down before it could accept them.

A suggestion was that Windows was trying to register itself with the DNS server for reasons that don’t apply in our situations. And that I might try unchecking the box “Register This Connection’s Address in DNS” in the Control Panel Network applet, IP Properties > Advanced > DNS tab on my Win2K Pro system. I haven’t seen any such alerts since, but then, I saw only two altogether, so I don’t know if that was the definitive answer.

That some of these entries include low-numbered ports like 773, and all those 0s, seems odd.

OK… these DNS floods… for want of a better description… are usually caused by a user-run application that does (without the user being specifically aware of it) lots of DNS resolutions (resolving IP numbers into names) in the background. Apps like… Process Explorer & P2P clients. Any one of these apps is capable of generating 100s of DNS requests to the Domain Name Server. CFP sees all these inbound connections at a rate that exceeds the specified level, walking through the Windows port numbers (erm… that’s how Windows allocates the ports… duh)… pow… port scan! Wrong. Increase the amount/rate/time/whatever to get CFP past whatever app it is. It’s (sorry to be vague, using CFP3 at the mo) on the Security tab - Advanced - one of the config buttons there. ;D

Hi Kail:

The problem has not reoccurred on my PC. I don’t have a P2P application or a process explorer (I think?), so the cause of the flood is uncertain as I see it.

Attached is the config screen you remembered. What settings would you suggest? It was a UDP “flood”, but are you saying “wrong” because it was a fake scan, not a real one, behind all my H/W FWs?


OK, thanks… for the pic… yes, that’s the one! :slight_smile:

What applications are you running then?

Scans would be seen as unsolicited.
DNS lookups would be logged by the firewall and the inbound allowed,… unless of course the UDP table is limited and possibly overflows and drops logged outbound?
But from the post/info made, I do not see this,… I think more of a possible bug?

Not quite sure why you say this… if you look at the initial Log entry that Escalader posted…

COMODO Firewall Pro Logs
Date Created: 15:30:46 08-06-2007
Log Scope:: Today Date/Time :2007-06-08 15:04:44
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: xx.yy.zzz.198
Ports: 43783, 34055, 38151, 29703, 40455, 37895, 38407, 40711, 37639, 40967, 33799, 41223, 37127, 30215, 41479, 41991, 41735, 35079, 39431, 42503, 43015, 35335, 39175, 43271, 43527, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 (note the amount of ports involved)
The attacker has been temporarily blocked

…and the image he posted of his Intrusion Detection settings: the Probing Rate of 50 ports a second. Each port listed, up to where CFP stopped it (where they went to 0s), was probably an individual returning DNS request, and they probably all arrived in less than half a second. It could have easily hit the limit specified. But, without knowing the applications involved, it is mere speculation at the moment.
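The two readings of the log in this thread (Kail's: a burst of solicited DNS replies returning to distinct ephemeral ports trips a stateless 50-ports-per-second rule; Mets': a scan should be unsolicited, so a check that matches replies against outstanding queries would never count them) can be simulated side by side. This is an added Python example, not code from the thread or from Comodo; the resolver address, the packet tuple layout and the sample traffic are all constructed.

```python
from collections import defaultdict, deque

# Constructed sample traffic, not taken from the thread. Each packet is
# (time_s, direction, remote_ip, remote_port, local_port).
RESOLVER = "198.51.100.53"   # hypothetical ISP resolver (RFC 5737 test range)
PROBE_RATE = 50              # the "Probing Rate" setting discussed: 50 ports/second

def dns_burst(n, t0=0.0, first_port=1024):
    """An app firing n lookups in quick succession; each reply comes back to
    the ephemeral source port of its own query (1024, 1025, ...)."""
    pkts = []
    for i in range(n):
        lport = first_port + i
        pkts.append((t0 + 0.005 * i, "out", RESOLVER, 53, lport))
        pkts.append((t0 + 0.005 * i + 0.002, "in", RESOLVER, 53, lport))
    return pkts

def udp_probe(src, ports, t0=0.0):
    """Unsolicited inbound UDP to many local ports from src: a genuine scan."""
    return [(t0 + 0.001 * i, "in", src, 40000 + i, p) for i, p in enumerate(ports)]

def detect(pkts, stateful, limit=PROBE_RATE, window=1.0):
    """Return [(remote_ip, distinct_ports)] for each 'port scan' alert raised.
    stateful=False counts every inbound datagram (Kail's false-positive case);
    stateful=True ignores replies matching an outstanding outbound query
    (Mets' point that a scan should be unsolicited)."""
    pending = set()                  # (remote_ip, remote_port, local_port) awaiting reply
    recent = defaultdict(deque)      # remote_ip -> deque of (time, local_port)
    alerts = []
    for t, direction, rip, rport, lport in sorted(pkts):
        key = (rip, rport, lport)
        if direction == "out":
            pending.add(key)
            continue
        if stateful and key in pending:
            pending.discard(key)     # solicited reply: never counts toward the rate
            continue
        q = recent[rip]
        q.append((t, lport))
        while t - q[0][0] > window:  # drop datagrams older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) > limit:
            alerts.append((rip, len(ports)))
            q.clear()                # mirrors "the attacker has been temporarily blocked"
    return alerts

if __name__ == "__main__":
    burst = dns_burst(60)
    print("naive   :", detect(burst, stateful=False))   # flags the resolver
    print("stateful:", detect(burst, stateful=True))    # nothing flagged
    print("scan    :", detect(udp_probe("203.0.113.9", range(1, 80)), stateful=True))
```

With 60 lookups inside one second the stateless rule names the ISP resolver as the "attacker" after the 51st distinct port, exactly the shape of the log above, while the stateful rule stays quiet on the same traffic and still catches the unsolicited probe.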

Kail/Mets:

Thanks, right, as I said it hasn’t repeated. I don’t have the application, BUT Kail, if you want, give me an application or set of them that I could force on my PC and run to see if I can force a flood! I feel like the ancient mariner, but I would be glad to do it. Would Dnsstuff IP lookups work? I have been using that application and it translates site names, right? But 50+ at a ■■■■■? No, I do them 1 by 1.

What if we drop the limit to say 1 rather than 50, that should cause a flood every time?

Sorry, “applications” is just a generic term for software/programs that a user runs (forget the programs I mentioned). I meant what software was running when you first hit the problem & what are you running now? I don’t think looking up IPs at DNS Stuff would cause this.

Drop Probing Rate from 50 to 1 per second? Nooo… you’ll get even more alerts if you lower the rate. More like increasing it from 50 to 75 ports per second.

I have yet to see DNS lookups made from such high ports in WinXPsp2. DNS replies are made to the port the DNS lookup was made from, and are normally made from local ports 1024-5000 unless all these ports are currently in use, and then the next available port would be used, I cannot see that “Escalader” would have over 40,000 ports in use,… and no DNS lookup would be made from local port 0.

Hi Mets

Not sure what the OS or Service Pack have to do with this… also Escalader has not posted his OS or SP & I didn’t ask since I didn’t think it was relevant. But, perhaps I missed something… why do you feel it is relevant?

Also, I explained above why there appear to be inbound requests on port 0. Port allocation/usage… normally? Doesn’t this really depend on the application in question… which is currently unknown?

In any event, if you believe you have discovered a bug, then I’d be very grateful if you could report it to Comodo Support. You’ll need to register on their system, but once done you can then raise a support Ticket on this issue. If you do this, please post any feedback/resolution that Support give you here, thanks.

Gentlemen:
Using Windows XP SP2.

I am moving on now from this thread since it seems to have reached its conclusion.

If it is a bug, someone with the background can do the reporting. Heck, I’m still running in learning mode!

Thanks to both of you for feedback and help on this “flood” behind the AlphaShield/Router. :■■■■
If it ever happens again I will pay more heed to what I was running just prior. :THNK