Settings to stop sync packets sent to an intruder ip

Hello to everyone at the Comodo forums, and thank you very much for your help in advance.

I noticed a strange IP connection being active every time I started the iexplorer application; after I used the netstat -b command, the socket looked like this:

TCP mypc:4146 ipand-strange-host-name.somedomain.com:http ESTABLISHED 4000

[iexplore.exe]

The connection was always there as long as I used iexplorer, so, being afraid it was a trojan, I low-level formatted my HD and reinstalled the OS, and even then the evil IP was connecting the same way. After I noticed it, I installed the Comodo firewall and applied some network security policies to avoid the unwanted connection.

The rules are:

For protocols TCP-UDP/ICMP-IP

Action:Block

Direction: In/Out

Source address: the strange host name's possible IP addresses, entered as a range of IPs, since I noticed the last octet varied as I was killing each connection; I mapped the ports for that IP as well and it looked like a Linux server.

Destination address: Any.

Source port: Any.

Destination port: Any.

When the protocol is ICMP, in the message field I choose the All option, and when the protocol is IP I set the IP protocol on the IP details tab to Any.

Another policy is set up the same way, but just changing the source and destination addresses like this:

Source address: Any.

Destination address: the strange host name's possible IP addresses, entered as a range of IPs, since I noticed the last octet varied as I was killing each connection; I mapped the ports for that IP as well and it looked like a Linux server.

All these rules are applied as application rules for the iexplorer.exe file.

I also applied global rules as mentioned above for all the protocols available, setting the possible ranges for that evil IP.

I also entered that evil IP's ranges in the blocked networks settings in the same way.
Eg: 240.141.151.1-240.141.151.255

Finally, in Attack Detection Settings I increased the blocking time to 120 minutes and the emergency mode to 120 seconds; the TCP/UDP/ICMP flood settings are the default ones, and in Miscellaneous I just block fragmented IP datagrams; the rest are unblocked.

The protected ARP cache is enabled.

This worked because the intruder can't establish a connection each time I use iexplorer, as far as I noticed, but what I have noticed is that when I use Hotmail or some other pages, my sniffer detects that my computer sends sync packets again and again to the intruder's active pool IP while apparently it is still scanning my ports in sequential order; this doesn't let me load those sites normally.

I would like some help to know if I can improve my settings to avoid the last behaviour, and also whether my configuration is OK to avoid further attacks or intrusions by this host/hosts.

I am also planning to turn my router firewall on, but I would like to do the best I can with the software firewall first so I don't affect my browsing experience too much.

Thank you very much for your time reading this and your willingness to share your expertise on this forum with the rest of the world.

Best Regards.

It sounds like you are doing a lot of the proper things to secure your machine.

The traffic that you’re describing is likely coming from some application on your machine that is trying to connect to the unknown remote machine. It does that by first sending out the TCP SYN packet. That’s the first step of the TCP connection handshake protocol. Windows will use sequentially increasing port numbers for each attempt, so it may look like a port scan, but it is not a scan. That is just how Windows allocates ports for connection attempts.

If you could post your firewall log, there may be more information there that would give insight as to how to improve the firewall configuration. Click Firewall → Common Tasks, View Firewall Events. You can save the results to a file by exporting to html for posting the log here.

Thank you, grue, for your great help.

I will post the part of the log that concerns this intruder; note the number of the destination IP.

Comodo's log (columns: date/time, application, action, my IP, source port, destination IP, destination port):
26/06/2008 05:47:48 p.m. Windows Operating System Blocked 2xx.230.6.5 3143 239.255.255.250 1900
26/06/2008 05:57:48 p.m. Windows Operating System Blocked 2xx.230.6.5 3143 239.255.255.250 1900

Sniffer's live active connections table view on my PC:

Hostname: client-2xx.60.136.25.sxxx.net.xx
IP: 2xx.60.136.25
Local port: 2080
Remote port: 80
Protocol: TCP
Status: Syn sent
Time: 05:57:56 p.m.
Age: 00:00:00
Process: IEXPLORE.EXE

It seems the Comodo report takes a fake destination IP address, 239.255.255.250; the sniffer reports it as the same address I can see while using the netstat -b command, 2xx.60.136.x, which looks not spoofed.

Apparently the application used for this purpose is iexplore.exe, and the sync packet sending triggers after I visit some specific sites, like Yahoo, Hotmail, MSDN, and a few others.

The Comodo help file refers to this type of attack in the Attack Detection Settings - TCP Flood / UDP Flood / ICMP Flood topic, from what I have read.

I cleaned my computer up by low-level formatting my HD after I first noticed this, thinking that it was a trojan acting like a server. Right after I reinstalled the OS, clean of new programs, I tried to connect again, and the intruding connection was still attempting to establish a link with my computer using iexplore.exe, as my sniffer and the netstat -b command reported. Maybe the malicious code was hidden in the MBR, but since I destroyed the MBR and low-level formatted the HD, I highly doubt it, which leads me to think that now they are scanning ports to crash my browsing performance, using my MAC address or router WAN gateway number to identify my computer; I have a dynamically assigned IP DSL internet connection, so they can't identify me remotely using my IP, I think.

Even though the intruder is not connected anymore, maybe you guys can help me figure out how they are identifying my computer and making it still send sync packets, and also, with the reports I posted, what I could do to stop this strange behaviour completely. I don't think my iexplore.exe is infected; as I said, this is the application used to send the sync packets to port 80 of the intruder, as the sniffer reports.

Thank you, grue, and all the guys at the Comodo forums.

I’m a little confused, as there is some mismatched information in your post.

Comodo's log (columns: my IP, source port, destination IP, destination port)
26/06/2008 05:47:48 p.m. Windows Operating System Blocked 2xx.230.6.5 3143 239.255.255.250 1900
26/06/2008 05:57:48 p.m. Windows Operating System Blocked 2xx.230.6.5 3143 239.255.255.250 1900

The 239.255.255.250 IP address is part of the Windows UPnP service, by which your PC is looking for a router (what is called in Windows as an “Internet Gateway Device”). Windows will broadcast on this address asking “are there any routers here?” If there is a UPnP router present, it will answer, and then your Windows machine will use that router to connect to the Internet. It’s how Microsoft designed Windows to work.

The other IP address

Hostname: client-2xx.60.136.25.sxxx.net.xx
IP: 2xx.60.136.25
Local port: 2080
Remote port: 80
Protocol: TCP
Status: Syn sent
Time: 05:57:56 p.m.
Age: 00:00:00
Process: IEXPLORE.EXE
is an attempt at a web connection from Internet Explorer to some remote machine on the Internet.

If your address 2xx.230.6.5 is the same 2xx as the 2xx.60.136.25, then this could be some part of your ISP if your ISP provided you with some software to run. Some ISPs do provide software for their users, to make email and web browsing easier or somehow safer.

To check for such software, in Internet Explorer 7, click Tools → Manage Add-ons, Enable or Disable Add-ons. I think that also works in IE 6, but I don’t remember the details of IE 6. For each add-on displayed, disable it, and see if the traffic stops. Then re-enable to restore the add-on setting, and see if traffic starts back if it had stopped.

Try using “netstat -anob” to see the application that is running. This can take a couple of minutes to run.

Just to be sure that I understand your Internet connection, is your setup like this?

Internet--------- modem/router ---------- your PC

What kind of modem/router are you using? There may be some settings that are confusing matters by doing address translation. If I know what kind of router (manufacturer and model number) then I can locate the documentation to understand how it works.
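The two diagnostic points grue makes above (the 239.255.255.250:1900 entries are Windows' UPnP/SSDP discovery, not a spoofed host, and rising local port numbers are the OS handing out ephemeral ports to successive outbound SYNs rather than an inbound port scan) can be checked mechanically against a connection table. This is an added example, not code from the thread or from Comodo; the rows are constructed, and 203.0.113.25 is a placeholder for the remote host.

```python
"""Classify connection-table rows of the kind posted in this thread.

Constructed sample data; the remote IP is a documentation-range placeholder.
"""
import ipaddress
from dataclasses import dataclass

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # UPnP/SSDP multicast group
SSDP_PORT = 1900
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Conn:
    proto: str       # "TCP" or "UDP"
    direction: str   # "out" = initiated by this PC, "in" = arriving from outside
    local_port: int
    remote_ip: str
    remote_port: int
    state: str       # "SYN_SENT", "ESTABLISHED", "BLOCKED", ...
    process: str     # owning process as netstat -b / the sniffer reports it


def classify(c: Conn) -> str:
    """Name the kind of traffic one table row represents."""
    remote = ipaddress.ip_address(c.remote_ip)
    if c.proto == "UDP" and remote == SSDP_GROUP and c.remote_port == SSDP_PORT:
        # Windows asking the LAN for an Internet Gateway Device; the address
        # is a multicast group, so it is neither a host nor spoofed.
        return "upnp-ssdp-discovery"
    if remote.is_multicast:
        return "other-multicast"
    if (c.direction == "out" and c.remote_port in WEB_PORTS
            and c.state in ("SYN_SENT", "ESTABLISHED")):
        return f"outbound-web:{c.process.lower()}"
    return "other"


def sequential_local_ports(conns) -> bool:
    """True when local ports rise one by one: the pattern produced when the
    OS allocates ephemeral ports to successive outbound attempts."""
    ports = [c.local_port for c in conns]
    return len(ports) >= 3 and all(b == a + 1 for a, b in zip(ports, ports[1:]))


def inbound_matches_own_attempts(inbound, outbound) -> bool:
    """Inbound packets aimed only at the local ports we used for our own
    SYNs are replies to those SYNs, not a scan of arbitrary ports."""
    ours = {c.local_port for c in outbound}
    return bool(inbound) and all(c.local_port in ours for c in inbound)


# Constructed sample rows modelled on the thread's netstat/sniffer output.
SAMPLE = [
    Conn("UDP", "out", 3143, "239.255.255.250", 1900, "BLOCKED", "System"),
    Conn("TCP", "out", 2080, "203.0.113.25", 80, "SYN_SENT", "IEXPLORE.EXE"),
    Conn("TCP", "out", 2081, "203.0.113.25", 80, "SYN_SENT", "IEXPLORE.EXE"),
    Conn("TCP", "out", 2082, "203.0.113.25", 80, "SYN_SENT", "IEXPLORE.EXE"),
]
INBOUND = [Conn("TCP", "in", p, "203.0.113.25", 80, "BLOCKED", "")
           for p in (2080, 2081, 2082)]


def report(rows=SAMPLE, inbound=INBOUND) -> dict:
    web = [c for c in rows if classify(c).startswith("outbound-web")]
    return {
        "kinds": [classify(c) for c in rows],
        "sequential_ports": sequential_local_ports(web),
        "inbound_are_replies": inbound_matches_own_attempts(inbound, web),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```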

Sorry for the confusion; I thought it was a spoofed address. I have reviewed the log and I can't find the intruder address in it; also, when iexplore is sending sync packets it doesn't appear in the active connections list in the Comodo window, but I can see it in the sniffer's active connections list.

Sorry for the confusion: 2xx.230.6.5 is my address in Comodo's report, and 2xx.60.136.25 is the address of the intruder that I could see in the sniffer's active connections table; the sniffer doesn't show my IP address, just the details of the outside IPs. They are different addresses.

A friend just told me about that possibility. I don't have any ISP software installed, and in fact the connection appeared right after I finished my clean Windows XP installation and tested the internet connection. I mapped the ports of the remote machine using a scanner, and it seems it had SSH ports open, so I am assuming the remote computer is Linux; in addition, the last octet of the destination IP changed after multiple sync sending attempts were performed, so I am assuming it manages a pool of IPs and therefore is possibly a server.

Just to be sure though, I will follow your instructions and give you the details as you suggested.

Exactly, grue, that is the type of connection I have.

The model of the router I have is XAvI-x8821r.

I will test the add-ons' connection activity and I will let you know how it goes…

Thank you for your help again, grue; I am learning a lot with this.

The model of the router i have is XAvI-x8821r

That is a very good router, with good capabilities.

Another forum poster had a question about CFP logging, and also uses this same model router. You may find some of the postings to be useful in tightening up the router security. That topic is https://forums.comodo.com/help_for_v3/comodo_firewall_log_not_showing_some_blocked_events-t24304.0.html

The details about changing the router admin password, and disabling WAN access to the router, are things that you should do if you have not made such changes already.

Hi grue, I know how to do all that, but as my bad luck would have it, the router is kind of messed up and is not saving some of the configuration settings I give it :), so I was trying to get rid of the intruder just through Comodo. To be sure, I will order a new router if I don't have another choice and then I will make the changes, so I hope it works well if I can't figure out a solution with the software.

I am attaching a screenshot of the sniffer's activity so you can see how the thing is acting, and maybe give me further suggestions.

I tested disabling the add-ons of IE, but none of them seems to be causing the strange sync packet sending.

Could you please check out the attachment so you can understand the problem better, because my English is not that good, lol.

Thank you very much for your help, grue; have a good weekend.

[attachment deleted by admin]

Something that might help with your router is to reset it to the factory defaults, and then configure it to your needs. To reset the router, you press the “reset” button on the back of the router. You’ll lose all your ISP settings, so make note of these before doing anything. If you still have problems with the router, then the router hardware is most likely starting to fail. In that case, you would need to replace your router.

In looking at your sniffer screenshot, I notice the incoming packets being blocked are coming to ports sequentially on your machine. That leads me to think these are replies to packets from your machine. Otherwise, there would be nothing on those ports to receive the reply.

In many respects, this traffic flow is beginning to resemble that from a load-balanced Akamai server. Akamai is a company that provides distributed advertising and download services in a network-efficient manner. Other sites, like Hotmail, with their many graphics and advertising, provide some (a little, sometimes a lot) of their content through distributed servers provided by Akamai. Many ISPs have an Akamai server to reduce their network congestion. So your query would go, for example, to Hotmail and the answer would come back from Akamai. There is a related description at Akamai Technologies - Wikipedia.

Have you tried searching for the IP address using google.com? That might tell you if this is an Akamai server, or something similar. It also might tell you if this IP address is a known “bad guy”.

What sniffer are you using? I’m familiar with Wireshark, and the tcpdump/windump packages. These can be very selective about what traffic they monitor by using filters. By using a filter on your sniffer, it should be possible to isolate the traffic, and see what is in the packets going out, and trying to come back.

Hi grue, I already reset my router in an attempt to be able to fix it and save some settings on the router (submitting and committing the changes), but it didn't work. It is weird because some settings are stored while others, such as the IP filtering rules' enable or disable options, aren't; I have tried a lot and it is not working, but Comodo at least is doing a good job blocking the connection. I will order a new router if I don't have another choice.

It looks like an Akamai resources load, thanks for the observation, but no, the address does not belong to a resources provider; I called my ISP twice and they said that it had nothing to do with them. The host name is a client that belongs to that company; I am sending you the details I found googling in a private message.

My sniffer is X-Netstat, which adds some extra level of security in that you can add some rules to kill connections automatically; the sniffing process sucks though, taking some resources of my machine, and even when the thing can't connect I would like to get rid of it completely without the sniffer's help.

In the sniffer's table I noticed that after I browse a specific page, the “evil guy” starts sending an incoming packet, then my OS sends sync packets in response that are blocked by the firewall again and again till my connection table collapses, lol. It has happened to me twice, and using the network connections assistant I could clean the table up. Mainly it looks like it all starts from outside after they hook up a certain browsed page, as is described in the Attack Detection Settings - TCP Flood / UDP Flood / ICMP Flood chapter of Comodo's help file.

I will test if my sniffer has a feature like you describe; let me try and I will let you know. What you are saying is that I would get to know what kind of info is going back and forth to the bad host, right? I will try to download the sniffers you are using.

I am sending you a private message with the additional details of the problem.

Thank you very much for your help, grue, and to everyone at the Comodo forums.

If a factory reset didn’t make the corrections properly, then it may be necessary to reinstall the router firmware. I found the manufacturer web page at http://www.xavi.com.tw/Product.aspx?PLT=ADSL&PCT=ADSL2%2B+++Entry-level+CPE&PCV=33&M=X8821%2F+X8824

If this is your router, then a firmware upgrade may fix the problem. If not, then you will need to get a replacement router. You will need to register with the manufacturer website to get access to their support web page to get the updated firmware. I think so, though I have not confirmed that.

X-Netstat looks to be an interesting product. But it does not seem to be a full blown packet sniffer, like Wireshark (available at wireshark.org). To see what is going on, it may be necessary to capture the packets and look inside those packets to find out what is going on. Wireshark can do that.

From your PM message, it could be that the address range is some kind of scan or address spoof. It’s definitely not an Akamai server. Akamai servers tend to be well identified, and don’t have that much of an address variation (usually only one or two, sometimes more, but not as many as you are seeing).

So, the next step is going to be to capture the packets themselves. Download Wireshark, or some other packet capturing sniffer, and we go from there.

Hi grue, I hope your week started well. I downloaded Wireshark as you nicely suggested and started capturing some data, browsing on purpose on certain pages to push some incoming intruding packets in. I have found that the thing is retrieving my MAC address, as well as scanning possible addresses to determine my real local (private) IP address, which I changed on purpose :), asking things like “who is 192.16*.13”, the response being something like “192.16*.13 is at 00:04:0c:05:02”. I can send you the file if you like so you could give me your opinion about the readings. For this purpose the intruder is using the ARP protocol, so I need to block ARP packets using the firewall, but I don't know how to do that to prevent future attempts with other request instructions that could get even more dangerous, to poison my ARP cache or some other threats that are beyond my understanding.
It is obvious that they are identifying me using the MAC of my NIC, or maybe using the MAC of the router itself.

I also talked to a couple of friends that work in networking, and they say that the thing can be controlled by adding IPF (IP filtering) rules set in the router flash memory, as I thought. I have looked for my router's firmware but I can't even find it on the manufacturer's page; they say that you should register to gain access to the support pages and therefore the firmware software, but the page is quite weird, it doesn't have a product registration link or anything like that visibly. I got to download other Xavi drivers somewhere else and they turned out to be for a model beyond mine. I will keep looking because it is better than changing the whole device, and cheaper :).

Comodo is working well, and while working on my PC I am using a sniffer to kill the connection attempts, so I am double killing it actually, lol. I monitor the activity every once in a while; what I am afraid of is being the victim of ARP protocol attacks that aren't actually visible for either of the programs I am using, as I said. The config I have for Comodo is the one mentioned in previous posts.

I will keep looking for the firmware, and if anything, change the router, but do you think this could really solve it? And also, do you think I can improve my Comodo settings even more to avoid other types of attacks?

Thank you again, grue, for your help and willingness to share your knowledge.

Wireshark will show you a great many things, including the underlying mechanics that make LANs work. Hardware networking uses ARP and MAC addressing to move packets from one part of your LAN to another. All hardware has a unique MAC address. The Internet protocols cannot make such a guarantee. Private address space, like 192.168.x.x, is never unique, as anybody behind a NAT router likely has that address space in use. So the hardware uses the “Address Resolution Protocol” (ARP) to translate IP addresses into MAC addresses. Then your router can talk to your PC using IP addresses. Normal stuff, but sometimes surprising to see the mechanics of how it all works.

Due to the way that hardware addressing happens, the MAC addresses are LAN segment specific. That means the MAC address never moves through a router. Otherwise, the routers would be horribly confused about where to send packets. Which would make the LAN stop working.

The Xavi support web page should have the firmware. When I click on the Support icon on the Xavi web page, I get a login page http://www.xavi.com.tw/support.aspx. I presume to register, you give them an email address, to which they will send a message with registration instructions. Their web page is not at all clear on how to proceed. I will do some investigating to see what I can find.

I did find this, regarding your router. It seems to go by another name, being a TrendNet TDM-C400 (trendnet.com). Trendnet does not show any firmware upgrades being available, so there likely are not any. If it does turn out that you need a replacement router, I’ve found TrendNet products to be well supported and reliable. The router that you have is a very good router, with security capabilities not normally found in the typical consumer home models.
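The ARP mechanics grue describes (an IP-to-MAC lookup that never crosses a router) give a defender two concrete checks on the “who has / is at” frames the earlier post saw in Wireshark: the sender IP must be on the local subnet, and a reply claiming the gateway's IP must carry the gateway's known MAC. This is an added example, not code from the thread, Wireshark or Comodo; it parses raw Ethernet+ARP frames and the frames, subnet and MACs are all constructed placeholders.

```python
"""Parse raw ARP frames and check them against what the LAN should look like."""
import struct
from ipaddress import ip_address, ip_network

ETH_HDR = struct.Struct("!6s6sH")              # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")      # RFC 826 Ethernet/IPv4 ARP body
ETHERTYPE_ARP = 0x0806
OPS = {1: "who-has", 2: "is-at"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_arp(frame: bytes):
    """Return the ARP fields of one Ethernet frame, or None if it is not ARP."""
    dst, src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(
        frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": OPS.get(oper, "other"), "frame_src": mac(src),
            "sender_mac": mac(sha), "sender_ip": str(ip_address(spa)),
            "target_mac": mac(tha), "target_ip": str(ip_address(tpa))}


def check(arp: dict, known: dict, lan) -> str:
    """known maps IP -> MAC for devices you trust (router, this PC);
    lan is the local subnet. Returns a one-line verdict."""
    if ip_address(arp["sender_ip"]) not in lan:
        return "impossible: ARP never crosses a router, sender IP is off-LAN"
    expected = known.get(arp["sender_ip"])
    if expected and expected != arp["sender_mac"]:
        return (f"poisoning: {arp['sender_ip']} claimed by {arp['sender_mac']}, "
                f"expected {expected}")
    if arp["sender_mac"] != arp["frame_src"]:
        return "suspicious: ARP sender MAC differs from Ethernet source MAC"
    return "normal"


def build_arp(oper, sha, spa, tha, tpa) -> bytes:
    """Constructed frames for the demo (requests go to the broadcast MAC)."""
    eth = ETH_HDR.pack(b"\xff" * 6 if oper == 1 else tha, sha, ETHERTYPE_ARP)
    return eth + ARP_HDR.pack(1, 0x0800, 6, 4, oper, sha,
                              ip_address(spa).packed, tha, ip_address(tpa).packed)


# Placeholder LAN: locally administered MACs, private subnet (all constructed).
LAN = ip_network("192.168.1.0/24")
ROUTER_MAC = bytes.fromhex("020000000001")
PC_MAC = bytes.fromhex("020000000002")
KNOWN = {"192.168.1.1": mac(ROUTER_MAC), "192.168.1.13": mac(PC_MAC)}
FRAMES = {
    "router_asks": build_arp(1, ROUTER_MAC, "192.168.1.1", b"\0" * 6, "192.168.1.13"),
    "fake_gateway": build_arp(2, bytes.fromhex("020000000099"), "192.168.1.1",
                              PC_MAC, "192.168.1.13"),
    "off_lan": build_arp(1, bytes.fromhex("020000000055"), "203.0.113.25",
                         b"\0" * 6, "192.168.1.13"),
}


def audit(frames=FRAMES) -> dict:
    return {name: check(parse_arp(f), KNOWN, LAN) for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

The “router_asks” frame is the normal gateway lookup grue describes; the other two are the shapes a protected ARP cache exists to reject.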

Hi grue, even though my router firmware is messed up, I found another router, but I am not quite sure how to apply the filtering settings to it; compared to the other one it is not quite as friendly, but at least it saves the settings in the flash ROM perfectly :).
Could you please give me some suggestions about how to perform the filtering on it? I hope this really works.
Best Regards, grue.

It’s good that you could get a working router. Is it the same manufacturer and model as your old router? If it is different, then what manufacturer and model is it? Then I can locate the documentation on the web, and likely make some suggestions.

I am sending you the info in a private message…
Thanks a lot, grue.

While we’re getting your router sorted out, it would be an opportunity for Wireshark to capture some traffic.

Wireshark, by default, will capture all traffic. That’s probably not what you want to do. So, there needs to be a filter that will capture only selected traffic. To set up a capture filter in Wireshark, click Capture → Capture Filters. That will present an editing window for defining the filter. Click “New”, then fill in a name for the filter. The filter string will be “ip.addr == 123.123.123.123” (where that 123. stuff is the IP address that you have been seeing). Then Capture → Start should begin collecting traffic. You can save the collected traffic for later analysis, to see what is going on.