I’m not really good when it comes to cyber security, but I think some of my firewall activity is suspicious. I installed Comodo Firewall about 2 weeks ago (I’ve been loving it so far :)) and since then I have been having issues with thousands of blocked addresses a day in the Network Intrusions tab (currently: 8517 today).
I put a few of the events from the firewall down the bottom, as there are too many to show here, and was just wondering if there is something going on or if everything is fine and I just haven’t got the firewall configured correctly / something is interfering?
I noticed there are a lot of different IPs, but some are being logged through the same ports within minutes of each other. One thing I found troubling is that my network seems to have addresses 10.0.0.1 - 10.0.0.63 assigned; I don’t have that many devices attached to my home network, maybe about 12 devices at most. The only other security-based software I use besides Comodo Firewall is AVG, but I don’t think it’s AVG causing this.
I’ve also noticed that my active download connections range between 70 and 200 even when I’m not doing anything; I normally only have the bare minimum running unless I need to use an application. I hope I posted in the right section. If not, can someone please point me in the right direction?
2014-06-04 12:03:35 Windows Operating System Blocked In UDP 220.127.116.11 60844 10.0.0.14 18107
2014-06-04 12:03:27 Windows Operating System Blocked In UDP 18.104.22.168 37044 10.0.0.14 18107
2014-06-04 12:03:23 Windows Operating System Blocked In UDP 22.214.171.124 37044 10.0.0.14 18107
2014-06-04 12:03:21 Windows Operating System Blocked In UDP 126.96.36.199 37044 10.0.0.14 18107
2014-06-04 12:03:18 Windows Operating System Blocked In UDP 188.8.131.52 27114 10.0.0.14 18107
2014-06-04 12:03:14 Windows Operating System Blocked In UDP 184.108.40.206 27114 10.0.0.14 18107
2014-06-04 12:03:12 Windows Operating System Blocked In UDP 220.127.116.11 27114 10.0.0.14 18107
There seems to be a trend with the split seconds before multiple IPs make the same attempts.
2014-05-20 20:59:03 Windows Operating System Blocked In ARP 10.0.0.34 10.0.0.34
2014-05-20 11:56:19 Windows Operating System Blocked In ARP 10.0.0.33 10.0.0.33
2014-05-20 11:56:15 Windows Operating System Blocked In ARP 169.254.92.136 169.254.92.136
I’m not sure what the ARP protocol is; pretty much all of the events seem to have 18107 as the destination port.
Thanks for any advice or help that may be received.
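An added example (not code from the poster or from Comodo) that turns the log lines quoted above into the two numbers worth looking at for this question: how many distinct sources hit each destination port and how many hits landed inside one short time window. The field layout is assumed from the quoted lines; the sample input is those same lines.

```python
"""Added example (not from the post): parse Comodo-style intrusion log lines
as quoted above and summarise blocked inbound hits per destination port."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the lines quoted in the post, addresses as posted.
SAMPLE_LOG = """\
2014-06-04 12:03:35 Windows Operating System Blocked In UDP 220.127.116.11 60844 10.0.0.14 18107
2014-06-04 12:03:27 Windows Operating System Blocked In UDP 18.104.22.168 37044 10.0.0.14 18107
2014-06-04 12:03:23 Windows Operating System Blocked In UDP 22.214.171.124 37044 10.0.0.14 18107
2014-06-04 12:03:21 Windows Operating System Blocked In UDP 126.96.36.199 37044 10.0.0.14 18107
2014-06-04 12:03:18 Windows Operating System Blocked In UDP 188.8.131.52 27114 10.0.0.14 18107
2014-06-04 12:03:14 Windows Operating System Blocked In UDP 184.108.40.206 27114 10.0.0.14 18107
2014-06-04 12:03:12 Windows Operating System Blocked In UDP 220.127.116.11 27114 10.0.0.14 18107
2014-05-20 20:59:03 Windows Operating System Blocked In ARP 10.0.0.34 10.0.0.34
"""

def parse_line(line):
    """Assumed layout: date time app... action direction proto, then src sport dst dport (TCP/UDP) or src dst (ARP)."""
    p = line.split()
    if len(p) < 8:
        return None
    ts = datetime.strptime(p[0] + " " + p[1], "%Y-%m-%d %H:%M:%S")
    if p[-5] in ("TCP", "UDP"):
        action, direction, proto = p[-7], p[-6], p[-5]
        src, sport, dst, dport = p[-4], int(p[-3]), p[-2], int(p[-1])
    else:
        action, direction, proto = p[-5], p[-4], p[-3]
        src, sport, dst, dport = p[-2], None, p[-1], None
    return dict(ts=ts, action=action, direction=direction, proto=proto,
                src=src, sport=sport, dst=dst, dport=dport)

def summarize_blocked_inbound(log_text, window=timedelta(seconds=10)):
    """Per dst port: event count, distinct sources, and peak events inside one `window`."""
    by_port = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["action"] == "Blocked" and e["direction"] == "In" and e["dport"] is not None:
            by_port[e["dport"]].append(e)
    summary = {}
    for port, evs in by_port.items():
        times = sorted(e["ts"] for e in evs)
        peak = j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:  # advance the window's left edge
                j += 1
            peak = max(peak, i - j + 1)
        summary[port] = {"events": len(evs), "sources": len({e["src"] for e in evs}),
                         "peak_in_window": peak}
    return summary
```

On the quoted lines this reports one port (18107) with 7 events from 6 distinct sources, 4 of them inside a single 10-second window; a port that shows up this way across many unrelated sources is the thing to check against the rules the reply below describes, rather than the individual addresses.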
Apparently it sounds like attempts to send spam or networks that may be compromised and / or attempts to port scan.
Comodo Firewall by default blocks certain types of attacks, you may want to do some adjustments in the default settings, see if this can help you:
ARP is normal on a home network, as it is a request for devices to update their network status; however, due to the possibility of ARP being used maliciously, it is better to be safe than sorry and simply block ARP. Devices on your home network have other ways of communicating to find out which devices are online (UDP for one). 169.254.0.0 - 169.254.255.255 should have a network zone created and named Link-Local, as link-local is vital to a network. Other address ranges that should be added to their own network zone are 18.104.22.168 - 22.214.171.124, which is multicast reserved, and is also vital to network communication.
In reference to your home network: the IP range of 10.0.0.1 - 10.0.0.63 is assigned by the router, and most routers usually assign a 255-IP range block (192.168.1.1 - 192.168.1.255 for instance). You’ll need to customize this setting on your router’s settings page. I prefer static addresses assigned to specific MACs, but each has their own preference.
All users should have a global rule of blocking and logging inbound IP from any to any on any, and inbound connections should only be opened or allowed through when you know exactly what service/file/application is requesting inbound access and for what purpose. If you can’t determine both, block the request and investigate once blocked. All users should create a network zone of all MACs in their network, the IP of their DHCP server (10.0.0.1 in your case), the DHCP’s IP but with .255 at the end (10.0.0.255), 255.255.255.255, and your computer’s host name. Then, a network rule should be created allowing IP In/Out from on any to on any. This prevents you from being bothered by communication between your devices on your home network.