Numerous Medium Network Monitor Logs - Inbound & Outbound Policy Violations

Good Evening all. So I’ve spent the entire weekend searching through numerous FAQs, forum posts, and general info on the web. I’ve managed to solve some problems but not all. I thank you in advance for your help.

My problem is this - I originally noticed that my internet seemed a little slower than usual (perhaps unrelated) and I was getting anywhere from 20 to 40 medium severity log entries per minute - most were OUTBOUND POLICY VIOLATION (Access Denied, ICMP = PORT UNREACHABLE).

After some research, I found out that these entries were coming as a result of my torrent program “advertising my PC to the world”.

From the original post asked by a different forum member:

https://forums.comodo.com/help/outbound_policy_violations_gone_haywire_please_help-t14030.0.html

[i]When you shut off the Torrent program your pc knows that the program is shut off but the rest of the world doesn't so those pc's keep trying to connect to you.

You might try allowing the ICMP Port Unreachable packets out so that it will maybe tell the other pc’s that you aren’t available and they will stop trying to connect to you. When I have used those types of programs it can take from a couple of days to months for the traffic to stop.[/i]

As per the advice to the original poster, I added a rule that allows ICMP out where ICMP message is Port Unreachable. This eliminated a great deal of the block logs. Following this fix, I am now getting a number of other recurring logs and am wondering whether anyone can help explain these log reports to me and whether I should be concerned?

Here are my log files:

Date/Time :2007-11-04 21:17:06 (this one repeats again and again, from the same IP address but different ports)
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 99.250.218.199, Port = 5900)
Protocol: TCP
IncomingSource: 99.250.218.199:27364
Destination: 99.250.XX.XX:5900
TCP Flags: SYN
Reason: Network Control Rule ID = 7
In the attackers’ world, this port is usually used by Trojan.Backdoor.Evivinc(5900)

[i](This is recurring from the same IP address but different ports - not in a specific pattern, sometimes once every minute, sometimes once every 5 minutes - and is my biggest concern. I run an updated AVG antivirus + online PANDA virus scans, as well as Spyware Terminator and Spybot Search & Destroy. No viruses have been found and my computer is not acting weirdly.

It is coming from the same domain as my own IP address - ROGERS???)[/i]

Date/Time :2007-11-04 21:08:21
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST)
Protocol:ICMP
IncomingSource: 99.250.219.240
Destination: 99.250.XX.XX
Message: ECHO REQUEST
Reason: Network Control Rule ID = 7

(As above, same IP address as my own IP provider ROGERS)

These ones run as soon as I start the computer

Date/Time :2007-11-04 21:06:26
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 99.250.XX.XX
Destination: 224.0.0.22
Reason: Network Control Rule ID = 7

(my own research shows that it seems to have something to do with ALL-ROUTERS.MCAST.NET, but I’m not sure what is happening here…)

Date/Time :2007-11-04 21:06:26
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = ROUTER SOLICITATION)
Protocol:ICMP Outgoing
Source: 99.250.XX.XX
Destination: 224.0.0.2
Message: ROUTER SOLICITATION
Reason: Network Control Rule ID = 7

Date/Time :2007-11-04 21:06:26
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.249.64.1, Port = dhcp(68))
Protocol: UDP Incoming
Source: 10.249.64.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)
Reason: Network Control Rule ID = 7

If someone could please kindly explain these violations, it would be very much appreciated.

These are my current network control rules:

  1. Allow TCP/UDP OUT from IP [ANY] to IP [ANY] where source port is [ANY] and destination port is [ANY]
  2. Allow ICMP OUT from IP [ANY] to IP [ANY] where ICMP message is ECHO REQUEST
  3. Allow ICMP OUT from IP [ANY] to IP [ANY] where ICMP message is PORT UNREACHABLE
  4. Allow ICMP IN from IP [ANY] to IP [ANY] where ICMP message is FRAGMENTATION NEEDED
  5. Allow ICMP IN from IP [ANY] to IP [ANY] where ICMP message is TIME EXCEEDED
  6. Allow IP OUT from IP [ANY] to IP [ANY] where IPPROTO is GRE
  7. Allow TCP/UDP IN from IP [ANY] to IP [ANY] where source port is [ANY] and destination port is 58483 (this is for uTorrent)
  8. Block and Log IP IN/OUT from IP [ANY] to IP [ANY] where IPPROTO is ANY

The only other activity that I am unsure of is that svchost.exe continually shows up in the CONNECTIONS window: Protocol - UDP In/Out, Source - 0.0.0.0:68, Destination - 255.255.255.255:67

If I can offer any additional information, please let me know.

Regards,

Dale Russell

It looks like you have an inquisitive neighbor customer. Port 5900, in your logs above, is a VPN connection port. If this other customer was only trying to connect to this port, I’d presume they simply had a misconfigured machine. But, you’re saying that this other customer has also tried to connect to other ports on your machine. That would indicate that this other ISP customer has an infected machine. Your best approach would then be to take the matter to your ISP support folks.

A “ping” by yet some other ISP customer. A harmless operation. I’m presuming that you are configured to ignore Internet “pings”.

This is typical router traffic, although seeing it with an Internet source address, rather than a private LAN address, is unusual. The 224.0.0.x addresses are LAN-local destination-only addresses, and are the way a router notifies any interested machine of any changes in how to get from “here to there”.

Normal DHCP boot operations. I’m presuming your router, with the private LAN address of 10.249.64.1, is functioning as a DHCP server. When a LAN machine boots, it requests an IP address from the server. In this case, it was blocked by rule 7. The DHCP handshake that provides an address to a machine that is booting up uses the special-case addresses of 0.0.0.0 and 255.255.255.255.

Edited: removed instructions for DHCP rules…

Are you using an Arris Touchstone cable modem? There is another forum topic also with DHCP traffic from 10.249.64.1, and your log is showing similar stuff.

There is another forum topic https://forums.comodo.com/help/svchostexe25525525525522mb_in_15_minutes-t14423.0.html
that is discussing the DHCP booting sequence from host 10.249.64.1. You may want to follow along.
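As an added illustration (not code from the thread or from Comodo), here is a small Python script that parses entries in the Network Monitor format quoted above and sorts them into the buckets the reply describes: DHCP broadcast, link-local multicast, and unsolicited inbound SYNs tallied per source, so that one neighbour hitting several ports stands out from a single stray connection. The sample entries are constructed from the ones posted, with the masked octets replaced and a second SYN from the same source added.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the Comodo Network Monitor format quoted in the thread: Severity,
# Reporter, Protocol and Reason lines are dropped for brevity, the poster's masked "XX.XX"
# octets become 0.0 so they parse, and a second SYN from the same neighbour (port 5901) is added.
SAMPLE_LOG = """\
Date/Time :2007-11-04 21:17:06
Description: Inbound Policy Violation (Access Denied, IP = 99.250.218.199, Port = 5900)
IncomingSource: 99.250.218.199:27364
Destination: 99.250.0.0:5900
TCP Flags: SYN

Date/Time :2007-11-04 21:18:40
Description: Inbound Policy Violation (Access Denied, IP = 99.250.218.199, Port = 5901)
IncomingSource: 99.250.218.199:27371
Destination: 99.250.0.0:5901
TCP Flags: SYN

Date/Time :2007-11-04 21:06:26
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Source: 99.250.0.0
Destination: 224.0.0.22

Date/Time :2007-11-04 21:06:26
Description: Inbound Policy Violation (Access Denied, IP = 10.249.64.1, Port = dhcp(68))
Source: 10.249.64.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)
"""
LINK_LOCAL, BROADCAST = ip_network("224.0.0.0/24"), ip_address("255.255.255.255")
FIELD = re.compile(r"([^:]+?)\s*:\s*(.*)")  # both 'Key :value' and 'Key: value' occur in the log

def parse(text):  # split on blank lines; each entry becomes a dict of its fields
    return [dict(FIELD.match(ln).groups() for ln in b.splitlines()) for b in text.strip().split("\n\n")]

def classify(e):  # bucket one entry the way the reply above explains them
    dst = ip_address(e["Destination"].rsplit(":", 1)[0])  # strip the ":port" suffix, if any
    if dst == BROADCAST: return "dhcp-broadcast"          # boot-time DHCP, benign
    if dst in LINK_LOCAL: return "link-local-multicast"   # IGMP / router solicitation
    if e.get("TCP Flags") == "SYN": return "unsolicited-syn"  # inbound connection attempt
    return "other"

def syn_ports_by_source(entries):  # ports each SYN source tried; several from one IP suggests probing
    ports = defaultdict(set)
    for e in entries:
        if classify(e) == "unsolicited-syn":
            ports[e["IncomingSource"].rsplit(":", 1)[0]].add(int(e["Destination"].rsplit(":", 1)[1]))
    return {src: sorted(p) for src, p in ports.items()}
```

Running it on a real export of the log window (same field layout, one blank line between entries) gives a per-source port list that is the concrete thing to hand to the ISP.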

You mentioned that the IP address mentioned in your logs is the same ISP as your own and that your connection seems a bit slow at times. So your ISP would be Rogers Cable Communications Inc., based in Toronto I believe.

One of the problems with cable is that you have to share your bandwidth with all the other users on your grid block. It depends to some extent on the ISP’s sales policy as to how many users they allocate to each grid block which ultimately determines performance. Some unscrupulous ISPs oversubscribe the number, known as the “Contention Ratio”, which often leads to a reduction in performance when all the other users are all online at the same time, especially if they’re downloading large files. There’s a Wikipedia article on the subject here