I have similar issues with another computer on the network sending me a steady stream of ARP requests. I changed the stealth ports from Block Incoming Connections to Alert Incoming Connections, and the application changed from Windows Operating System to just System. The protocol changed from ARP to UDP, and the destination IP changed from the source computer to my IP. It’s repeating exactly every 12 minutes, each time trying 2-3 times on port 137 2 seconds apart between tries and then 10 seconds later, an attempt on port 138. Exactly 12 minutes after the attempt on port 138, it repeats. It happens whenever that other specific computer is on, retrying like clockwork.
Combined with the phrase “Network Intrusions” is a little discomforting, but if all that is is that computer constantly checking to see what other IPs are in use on the network, then it’s a little less troubling.
Edit:
I unchecked “Do NOT Show Popup Alerts”, waited until 4:13:29, when the next attempt was scheduled, and Blocked/Terminated/Added a rule. No second or third attempt, no attempt on port 138. Would it need a new rule when that computer changes it’s IP? What rule would I create to prevent all traffic from all other devices on the network like this?
Hi Eric,
I’m confused here, ARP and udp port 137/138 are not the same, they are different protocols.
I think there are more than one issue in your blocked logging.
Don’t worry to much about the UDP 137/138 traffic as that is default windows ‘noise’ on a local network.
It can be disabled tough.
What kind or rules do you have with the ARP entries in there? the source equal destination one’s I assume?
If so there is nothing to worry about them, at the moment there are only 2 solutions to this issue
- disable Anti-ARP spoofing protection on FW advanced settings.
- live with these rules in the logging + counter on the GUI.
For disabling the NetBios noise please follow this guide on all your systems on the LAN
First, thanks for a prompt reply!
Second, I’m not sure what rules this relates to. I just got the ARP entries in my firewall log, and I changed to “Alert Incoming Connections”, and the ARP entries stopped and the UDP ones began. And since I added that rule in the bottom of my first post, I haven’t had any subsequent attempts.
For disabling the NetBios noise please follow this guide on all your systems on the LAN
http://marjanrepic.wordpress.com/2011/07/05/disable-netbios-over-tcpip-in-windows-7-ent/
I’ll get on that.
These ARP entries only show up during an other systems startup on your local network.
Setting the Stealth rule made the other blocks show up. If you wish to remove the ARP entries you have to go to Advanced Firewall rules and untick the box ‘Enable Anti-ARP Spoofing’.
Which is not on by default b.t.w.
Okay, that makes more sense. I’m just going to leave it checked and deal with the extra firewall logs.