Several intrusion attempts on the same port

Hello.

I’ve been using Comodo CIS (firewall and D+) for a couple of days now and I have to say THANK YOU for such a nice and also free product. However, I noticed some strange intrusion attempts a couple of days ago. I had my computer running for 12 hours or so and there were about 1200 connections blocked and 840 of these were directed to my port 55555. The protocol used was mainly UDP and also a few TCP. The attacks started from the minute I turned the computer on and went on until I shut it off.

These attacks were coming from a lot of different IPs; some just tried to connect one time while others come back and try again. I noticed some of the IPs trying to connect several times connect with a fixed delay of about 20 minutes. For example: 2009-04-07 11:56:16 - 2009-04-07 12:16:05 - 2009-04-07 12:36:09 etc. It did not matter if I was browsing, gaming or just idling. The attacks kept coming no matter what. I checked the whois info on some of the addresses and I can’t see any pattern country-wise etc.

After I turned off my computer I also unplugged the modem completely for the night. Since then there have been no intrusion attempts to that specific port. Also before that day I had no attacks on port 55555. According to the firewall the application for the attacks is “Windows Operating System”, what does that mean more specifically? The source port is all random from what I can see.

Does anyone have any clue what might have been causing these attacks? I have not run any P2P app or any other program that blotters my IP (from what I know of at least) the past weeks and the port I use for that program (uTorrent) is not 55555. My IP address is dynamic. OS: Vista 32-bit. Not connected to a router, straight to the ADSL modem.

My firewall is configured accordingly to this guide: https://forums.comodo.com/empty-t30535.0.html;msg219892#msg219892

Thanks in advance, any help on trying to figure out what was causing these attacks is very appreciated. Sorry for my bad English.

Welcome to the Forum, Roxarn.

Do you run any P2P software such as eMule or BitTorrent?
These sound like requests to connect to those programs. They do die down in time.

This sounds very much like P2P traffic. Even when you’re signed off from P2P, other peers are still pinging you to see if you’re online to check whether you have that file to upload to them.

This is a good tool that you can use to see where these requests are coming from… You can sometimes use it just for fun :smiley:

Comodo is doing its job… I wouldn’t worry about it :slight_smile:
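The diagnosis above rests on three features of the blocked-connection log: many distinct source IPs, mostly UDP, all aimed at one local port, and some sources retrying at a near-fixed interval (the ~20-minute gaps quoted in the question). The following is an added example, not code from the thread or from Comodo, that pulls exactly those features out of a log; the log lines are constructed, and the "timestamp app action proto src -> dst" layout is an assumption, not Comodo's real export format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not a real Comodo log): blocked inbound connections in a
# simplified "timestamp app action proto src -> dst" layout assumed for this example.
SAMPLE_LOG = """\
2009-04-07 11:56:16 Windows Operating System Blocked UDP 203.0.113.5:61023 -> 192.0.2.10:55555
2009-04-07 11:58:40 Windows Operating System Blocked UDP 198.51.100.77:40001 -> 192.0.2.10:55555
2009-04-07 12:01:02 Windows Operating System Blocked TCP 198.51.100.9:51214 -> 192.0.2.10:55555
2009-04-07 12:16:05 Windows Operating System Blocked UDP 203.0.113.5:61024 -> 192.0.2.10:55555
2009-04-07 12:20:33 svchost.exe Blocked UDP 203.0.113.200:1900 -> 192.0.2.10:1900
2009-04-07 12:36:09 Windows Operating System Blocked UDP 203.0.113.5:61025 -> 192.0.2.10:55555
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<app>.+?) Blocked (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts'; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events

def summarize_port(events, dport):
    """Volume, distinct sources, protocol mix and near-periodic retriers for one dest port."""
    hits = [e for e in events if e["dport"] == str(dport)]
    by_src = defaultdict(list)
    for e in hits:
        by_src[e["src"]].append(e["ts"])
    periodic = {}  # src -> mean gap in minutes, only when every gap is within 2 min of the first
    for src, stamps in by_src.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2 and all(abs(g - gaps[0]) <= 2 for g in gaps):
            periodic[src] = round(sum(gaps) / len(gaps), 1)
    return {
        "blocked": len(hits),
        "distinct_sources": len(by_src),
        "protocols": {p: sum(1 for e in hits if e["proto"] == p) for p in ("UDP", "TCP")},
        "periodic_sources": periodic,
    }
```

Run `summarize_port(parse_log(SAMPLE_LOG), 55555)` on a real export to see whether the same signature (many sources, UDP-heavy, regular retries) appears; a single host hammering many ports would look quite different.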

Yes.

It’s torrent traffic. Don’t worry about it.
It will disappear after other peers lose their download information for file downloading.
But nobody knows when. ;D

If it really bothers you,
you can take care of it in the following ways.

1. Change your IP address. (If your IP is dynamic, you should wait until it’s changed…)
Or make a phone call to your ISP, ask them to reset your MAC address on the server, then
you can get a new IP address instead of the old one.

2. If your ISP says they don’t do that,
remap your MAC address (you can change your MAC address by following the right rule
in your Windows Control Panel), then you can get a new IP address by yourself.
After the IP address has changed, delete the MAC address that you changed.
And then you will get the original MAC address and the new IP address.

3. Change your NIC ;D (sorry… you don’t want that, maybe…)

I recommend 1 and 2.

From Wikipedia:

"In computer networking, a Media Access Control address (MAC address), Ethernet Hardware Address (EHA), hardware address, adapter address or physical address is a quasi-unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification. If assigned by the manufacturer, a MAC address usually encodes the manufacturer’s registered identification number.

"Three numbering spaces, managed by the Institute of Electrical and Electronics Engineers (IEEE), are in common use for formulating a MAC address: MAC-48, EUI-48, and EUI-64. The IEEE claims trademarks on the names “EUI-48” and “EUI-64”, where “EUI” stands for Extended Unique Identifier.

"Although intended to be a permanent and globally unique identification, it is possible to change the MAC address on most of today’s hardware, an action often referred to as MAC spoofing. Unlike IP address spoofing, where a sender spoofing their address in a request tricks the other party into sending the response elsewhere, in MAC address spoofing (which takes place only within a local area network), the response is received by the spoofing party.

"A host cannot determine from the MAC address of another host whether that host is on the same OSI Layer 2 network segment as the sending host, or on a network segment bridged to that network segment.

“In TCP/IP networks, the MAC address of a subnet interface can be queried with the IP address using the Address Resolution Protocol (ARP) for Internet Protocol Version 4 (IPv4) or the Neighbor Discovery Protocol (NDP) for IPv6. On broadcast networks, such as Ethernet, the MAC address uniquely identifies each node and allows frames to be marked for specific hosts. It thus forms the basis of most of the Link layer (OSI Layer 2) networking upon which upper layer protocols rely to produce complex, functioning networks.”