Network intrusion

Hi, I have “Enable anti-ARP spoofing” and “Block fragmented IP traffic” both turned on in CFW (ver 6.3). Just wondering what produces fairly constant network intrusion logs for Windows OS blocking inbound ARP with source and destination IP both These logs are always followed by the OS blocking inbound ARP from and to my ISP-assigned WAN IP.

How/why does such traffic reach my pc anyway?

I’m also curious about because I have a NAT router on IP which DHCP assigns my single pc That’s it.

I’ve searched the forum and found advice: “When the logs show the source and destination address of the ARP request to be the same then there is nothing to worry about” so I’m fairly relaxed this is just yet more stuff I shouldn’t expect to understand. :embarassed:

I stuck ‘’ into google and came up with lots of stuff about ‘virtual servers’ that went over my head, e.g.: “not a dedicated server – the entire computer is not dedicated to running the server software.”

I’m running Windows 7 Pro and not aware of any server, virtual or otherwise. :-\

Grateful for advice.


I got the same, but on mine it says my Router Address

Look on my post on APR >

Yeah, it’s just a case of liking to understand what’s happening. :smiley:

I’ve set up static IP with MAC filtering and turned off the router’s DHCP so there’s (presumably) no reason for Windows to be generating a temporary LAN IP? I don’t have any LAN printers etc. I leave router off not on line and as soon as I turn it on I always get the two ARP blocks shown in OP. (Only two intrusions showing in CFW since boot today). I thought my WAN IP was on the public side, so just curious how ARP about that even reaches CFW? And must be something? :-\

I understand what you are saying Qibbler, However I have no idea, where to go next on this.

It is a little here.

Windows OS blocking inbound ARP with source and destination IP both
By the way I noticed it only on new versions 6 and 7. On 5 versions I don't observe it. It is probably connected with ARP work. That was mentioned in this forum - difference of functionality of ARP in old and new versions. If I am not mistaken. But it was long ago. But I can't find.

Same here, I do not notice ARP request on systems with CIS version 5, only systems with version 6 installed do I get ARP requests being blocked, and the ip’s being blocked are systems on the network’s LAN side. Instead, on version 5 I see blocked port 137 about the same times and succession as the other systems with 6 installed blocking these ARP request. I am thinking it is windows machines trying to communicate with each other for file sharing purposes… see article → GRC | Port Authority, for Internet Port 137  

Well I have all ports for NetBIOS and RPC are blocked in CFW for System.

I have not specifically blocked these ports (maybe I should), but upon testing from a source outside of my WAN, these ports do not respond, I take it using CIS stealth ports mode is to thank for this :smiley:

If a mode a stealth that globally isn’t necessary.
Here it is simple for interest. :wink:

And why I’m fascinated because I have one machine and statically assigning its IP and have all sharing malarky disabled in depth :smiley: This is what, I think, I know about ARP…

ARP is used by nodes on local networks. Host nodes can’t forward unrelated traffic. Only routers can. The router keeps NAT table to return solicitated stuff coming back from the WAN so presumably doesn’t involve ARP? So this is locally generating stuff? The transmitting node (indirect via router or direct from same subnet host) wants to map next-hop IPv4 address to MAC address of local network interface. If no match found in arp cache, node issues ARP request on local network. All nodes on subnet receive request but only the one assigned next-hop address replies. Unrelated nodes discard.

If this is correct understanding… CFW’s blocking two ARPs every time the router fires up to one pc. So the router’s generating the ARPs, right? Or is it replying? Either way, why? One ARP is my router’s public IP assigned by my ISP. The other’s the IP heading this thread – which presumably corresponds to a logical interface?

I added filters to router to block all local IPs other than one I’ve statically set. But the two ARPs still keep logging. So presumably is a logical interface on my system? Driving me nuts trying to learn. I suppose i could stop the logging… :-[

I feel your pain, I’m trying to figure out my ARP conundrum also. As for your ( ARP request, I wonder if your router itself has a function to allow you to connect to your home network from anywhere, and has not been set up yet?

I’ve trawled through the router and its pretty basic. Haven’t found such settings. Obvious worry is whether its being fooled to accept external stuff as local. But that’s what CFW is there to kill, so hey ho.

As this thread proves I’m an amateur and a little knowledge is always dangerous. :o Just dug into old binary stuff on subnet masking and, given my router’s mask is, 192.168.100.x isn’t on the same subnet — so can’t be a logical adapter on this pc. Proud I’ve even got that far. That’s me beaten…

This is what I was trying to get around to by mentioning to check if your router has any outside sharing capabilities, example, I have a family member that bought a router and installed the set up disk that came with it on one of their pc’s while setting up the network. Unbeknownst to them, it installed a vpn service on their system as well as remote management service for them to “easily” connect to their network from outside the wan. They never really new much about it, but one occasion I was doing system maintenance on that particular machine and noticed numerous blocked ip attempts (on another subnet mind you) in their CIS logs that corresponded with their router.

Moving on tho,

Maybe check the following in your router settings if available,
1)turn off Nat
2)uncheck UPnP
3)disable remote management - (new flaw announced for some lynksys routers w/factory firmware)
4)enable filter anonymous internet request - (related to lynksis router flaw)
5)if you have any ports forwarded, for example a game console or voip application, uncheck the active mode for these momentarily.
6)check if your routers firewall is enabled
7)also, If your router has wireless capability and is enabled, for testing purposes, I would disable it.

Once all that is checked (and settings saved) I would restart the router, go back to the pc, and monitor comodo’s firewall active connections list to see if and when that unknown ip tries to announce itself again.

Thanks for suggestions.

No NAT off or filter anon. request options. Can only turn on “firewall features” and allow Port Scan detection, IP flood detection and a few other random web features. Am wired to router, have uPnP off, no port forwarding, no port triggering or dmz.

Have IP filtering blocking all unneeded LAN IPs other than statically assigned. DHCP’s off. Remote management’s disabled.

Wireshark captures my router arping the subnet for its WAN IP which seems complete waste of time but that’s where CFW gets one of the two ‘intrusions’. Wireshark never captures arps to and, far as I understand Wireshark, there’s no hidden adapters, and promiscous mode would capture all broadcast traffic such as arp?

Gonna get a new router. :slight_smile:

Ok, was just trying process of elimination. Let us know how it works out. Again, whatever router you end up with, (especially a lynksis), if it has a remote management function, be sure to check that is disabled, as there is currently a nasty worm going around now (moonworm) that could access your network and gain access to all sorts of things on your systems.

Curious. Just set up a new router from ISP. So far the mystery ARPs have not reappeared. As above, two always got logged when i fired up the old router (never noticed them until this year but might have always been there) : router always arped LANside “who has” the WANside public IP (made no sense to me) along with an arp from /to the private IP heading this thread, which as said above has no business in my subnet anyway. >:(

New router set up without wifi for now as old one, so seems the two mystery arps were a snafu in the old 'un. :-\ No matter how much I’ve read up, can’t understand. But gone now. ;D