Rules to protect the system from UDP attacks?

Hello guys,
I’m looking for rules to protect the system from UDP attacks.
Could anyone recommend any material or specific rule in this case?

Thanks

Jhkmaster, I’m not sure if this is the answer, but I have set up an (ask tcp/udp In) rule under the system tab in the firewall application rules section to alert me whenever OS applications throughout the network attempt to connect to systems I am using. The only thing I wonder about is that the router/routers I work through will also create alerts to the systems I am using, as they too want to connect to the systems being used at the time, and if you allow the routers to connect, I’m not sure how that affects protection from outside the WAN.

It may be useful to question the origin, to analyze if it is not blocking any legitimate request from the network or router.
Thanks, I’m doing some tests here.

Keep me posted jhkmaster. The whole reason I created that rule in the first place was, I used to simply use an ask IP in rule that would alert me when another system on the network was attempting to connect to the ones I had on at the time, which worked like a charm for me.

Then later on, I happened to stumble across an issue when I was tooling around with a popular file explorer application on a droid tablet. I did a LAN scan using the application, and it would get right through my firewall rule on the system and show all folders shared and accessible.

I then later found that when using another application on the droid tablet named Fing, I was astonished to see it too bypassed my ask IP In rule, and was able to tell me every bit of information about the systems… MAC address, card type, name of PC, even workgroup name, amongst other information.

After much tinkering around and watching closely, I found those two above-mentioned applications were accessing my systems via tcp / udp ports. I then applied those ask tcp/udp In rules to my systems and am now alerted when I perform a scan using those applications, keeping most of the system information private unless I allow them to connect during the alert.

In some cases I think it is useful to ask about certain requests and critical areas that can be explored. It gives better control.

I found it interesting, I’m testing some possibilities within the rules.

Thanks for the considerations.

Due to UDP being the least secure of all internet communication, a proactive demeanor is best. A global rule should be enforced blocking and logging all inbound IP requests from any to any on any. Once this is done, a user will need to watch the firewall logs for legitimate files and programs requesting UDP access. There are not many, and most are system processes.

For example:

  • Windows Operating System will require UDP In/Out from Link-Local on 137-138 to Link-Local on 137-138
  • Windows Operating System will require UDP out on 137 to Multicast Reserved on 137
  • System will require UDP out on 137 to Multicast Reserved on 137
  • SvcHost will require UDP out on any to any
  • Most printers and printing services will require UDP on a number of ports that are specific to those devices and services
  • Some applications, such as dllhost, will require UDP access to the Loopback Zone, as will other applications. Technically a global rule can be created allowing IP In/Out to the Loopback Zone; however, I prefer not to give access to more ports than an application needs, and unless an application needs access to random ports (such as SvcHost), I never open up more ports than are needed.
  • DasHost will require UDP out to Multicast Reserved on 3702
  • Seagate Dashboard Uploader will require UDP out to the DHCP/DNS Server, which is your router’s IP (most are 192.168.1.1)
  • Seagate Dashboard (Dashboard.exe) will require UDP out to Multicast Reserved on 1900
  • mDNSResponder (Bonjour/iTunes) will require UDP out to Multicast Reserved on 5353
  • Pidgin will require UDP out to Multicast Reserved on 1900, as well as UDP out to Loopback Zone
  • Acronis Syncagentsrv will require UDP out to Multicast Reserved on 1900
  • cmdagent may require UDP out to Comodo’s servers on 4447
  • Web Browsers will require UDP DNS requests on 53 as well as UDP out to Multicast Reserved, and UDP out to 80 and 443
  • Netgear Genie will require UDP out to Link-Local, UDP out to Multicast Reserved on 1900, and UDP out to Multicast Reserved on 5353

I have more programs installed on my computer than anyone I know and that’s all the UDP rules I have. Rule of thumb… block first, research later.
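
The block-first, review-later workflow from the last post, as an added example that is not part of the original thread and is not the firewall's own rule engine: it checks constructed flow records against a few of the listed rules and returns whatever falls through to the global block. The record format, the zone ranges and the function names are assumptions.

```python
import ipaddress
# Assumed zone ranges: the standard loopback, link-local and multicast blocks.
ZONES = {
    "Loopback Zone": ipaddress.ip_network("127.0.0.0/8"),
    "Link-Local": ipaddress.ip_network("169.254.0.0/16"),
    "Multicast Reserved": ipaddress.ip_network("224.0.0.0/4"),
}
# Subset of the post's rules: (process, direction, zone or "any", ports or None).
ALLOW = [
    ("SvcHost", "out", "any", None),
    ("DasHost", "out", "Multicast Reserved", {3702}),
    ("Pidgin", "out", "Multicast Reserved", {1900}),
    ("Pidgin", "out", "Loopback Zone", None),
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "other")

def decide(direction, process, dst_ip, dst_port):
    # First matching allow rule wins; anything else hits the global block-and-log.
    zone = zone_of(dst_ip)
    for proc, rule_dir, rule_zone, ports in ALLOW:
        if (proc.lower() == process.lower() and rule_dir == direction
                and rule_zone in ("any", zone)
                and (ports is None or dst_port in ports)):
            return "allow"
    return "block+log"

def triage(records):
    # Return the records that were blocked, i.e. the ones to research later.
    blocked = []
    for rec in records:
        direction, process, dst_ip, port = rec.split()
        if decide(direction, process, dst_ip, int(port)) != "allow":
            blocked.append(rec)
    return blocked

# Constructed records: direction, process, destination IP, destination port.
SAMPLE = [
    "out DasHost 239.255.255.250 3702",
    "out Pidgin 127.0.0.1 52311",
    "out SvcHost 192.168.1.1 53",
    "out Pidgin 203.0.113.7 1900",       # unicast, not Multicast Reserved
    "out DasHost 239.255.255.250 1900",  # right zone, port not in the rule
    "in SvcHost 192.168.1.23 5355",      # SvcHost is only allowed outbound
]
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

The three records it returns are the ones a per-application rule scoped by direction, zone and port would surface for review, which a blanket allow for the same process would hide.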