svchost breaks Stealth Mode. Why? May I Block it? Firewall 3.0.22.349, Windo

svchost sends a UDP message from port 138 to 255.255.255.255 port 138
I believe this is a general broadcast which tells everyone my IP Address, and possibly explains why some days the Firewall logs show a lot of other IP addresses that seem to know I am on-line, and all of which frantically hammer one of my port numbers - a zombie army conspiracy for the day, or perhaps my svchost broadcast specified the port number.

Nothing ever responds to this message sequence. I do not see how it can benefit me, and I fear it attracts hackers to my dynamic IP address of the day.

This message is repeated at exactly 718 to 722 Second Intervals, excepting that when the modem disconnects and then reconnects (without a system restart) it commenced 691 Seconds after the first connection of the day, and 765 Seconds after the subsequent disconnect and reconnect.

svchost sends a UDP message from port 138 to port 138 at 255.255.255.255
The differences are :-
It always causes an internet response (which the Firewall blocks) within 1 Second;
It is always repeated at exactly 1932 to 1933 Second intervals, even when the modem is disconnected and reconnected;
and it is fully UN-synchronised to the previous sequence that runs at 720 Second intervals.
The internet response to this message is generally a repetition of 3 or 4 sets :-
ICMP source 255.255.255.255 Type(3) destination 78.149.108.232 Code(3)
where 78.149.108.232 was the dynamic IP address I was allocated at that time.
This response is Destination Unreachable (port unreachable)

Windows Operating System sends an IGMP from 78.149.108.232 to 224.0.0.22.
It does this about 1 Second after the modem connects to my ISP, and then the internet at 2 second intervals gives 8 off responses of Destination unreachable (port unreachable).

My Questions :-

a) What are the purposes of these three types of message
b) Will I suffer any ill effects by starting my Network Global Rules with
“Block IP Out from IP Any to IP 255.255.255.255 Where protocol is any”
c) Similarly, should I block “224.0.0.22” which I understand is multicast not broadcast - I don’t know the difference but assume it is still likely to tell hackers where I am.

Note, I believe IGMP messages are relevant to Networks, and my computer has never been part of a corporate Network so I guess IGMP is not needed - or does it get involved :-
i) when my son uses “LogMeIn” to take over as administrator from 200 miles away ?
ii) when we use Windows Live Messenger with a Logitech Web Cam (with its bundle of software) ?

I used the Stealth Wizard, and changed the first rule to
“Allow And Log IP Out [from any any any]”
And the attached image (Fire_Events_StartUp.gif) shows the first internet transactions of the day.

Supplementary but less urgent questions are in a following post.

Regards
Alan

[attachment deleted by admin]

Usually better to block by application, not globally, and with the NetBIOS-like ports - I use 137-139, 389, 445, 593. 255.255.255.255 is a limited broadcast to your LAN only. If you don’t have a router, may go to all the computers on your IP block or just to your gateway? Doesn’t matter, since you are not really acting as a part of that WAN subnet anyway. My rules are attached for comparison. The separate rules are to block and not log things I know about, but still block and log the unusual. And work with or without a router. BTW, usually not good to specifically block all broadcasts to all ports globally - this is how DHCP gets you an IP address using ports 67 and 68, for example. Have no idea how your particular ISP does it, looks like a variant of PPPoE only dynamic.
If you go to the stealth port wizard and select the option to stealth all your ports (or use a router) and uncheck logging in the block all in global rule, the zombie army should go away.

[attachment deleted by admin]

LOL. Here comes Alan with another lengthy thread. Didn't have time to read it all as usual but Alan there is a thread about this and has been. Like sded said. Make svchost, explorer.exe and system “outgoing only” from the predefined policies. I also am behind a hardware firewall which stops all my inbounds.

https://forums.comodo.com/empty-t14948.0.html

Hi

Thank you both for your replies.

I now have a lot more information to digest, and then I will be back.

I am only 30% of the way through https://forums.comodo.com/empty-t14948.0.html
but will complete reading before I follow up with any further questions that remain.

Regards
Alan

What is the % now? :) Just kidding ya…

Josh

Hi

I have no router or any internet hardware, other than a Thomson ST330 modem.
The ST330 diagnostics show the connection as PPPoA.
ipconfig reports that DHCP is not enabled.
The very first item in the Fire Event log is the IGMP message, which already knows its new dynamic IP address - I assume it is given that as part of the modem/ISP start-up transactions which validate the Password.

When I first installed 3.0.22.349 I ran the Stealth Wizard for maximum stealth. I think I have now made it 100 times better!!!

Last week I measured 82 “intrusion attempts” per hour. It is now 1 attempt per hour.

First of all I preceded the final “Block and Log IP In …” with some “Block TCP …” rules to prevent random NetBIOS attempts etc. from being logged - no effect on stealth, but only half the clutter in the Firewall Log, and I could then more clearly see that some IP addresses were repeated, which confirmed my feeling that some people knew I was on-line and were out to get me !!!

Second stage. I blocked and logged all IP Out from 224.0.0.0 through to 255.255.255.255 so I no longer broad/multi/cast my presence upon connecting to my ISP. Since then I have only suffered 1 “intrusion attempt” per hour, and that I think is because I am using a dynamic IP address that was previously used for file sharing etc.

Not only am I now blocking the IGMP message and the 255.255.255.255 broadcasts, BUT IN ADDITION, the event log now shows that 3 or 4 seconds after the blocked IGMP, I am also blocking two off “UDP to 239.255.255.250 Port 1900”. When I blocked only 224.0.0.22 the IGMP was blocked, but 239.255.255.250 NEVER appeared in the log, even though EVERYTHING should have been logged, so I suspect logging is still a “work in progress” that is not quite complete.

According to GRC | Port Authority, for Internet Port 1900, I have got M$ PlugnPlay telling the world to come and play with me. Shields Up considers this to be a vulnerability - who am I to disagree.

Final tweaks were :-
Precede the Block and Log multicast etc. with Block (and no log) 255.255.255.255 because svchost made several dozen attempts per hour;
Extra Block and Log of ports 1900 and 5000 which are both involved in PlugnPlay, I am sure I have gone overboard on this, but I am suffering brain fade so I went for better safe than sorry - but advice would be appreciated.

My global rules are now as attached.

I strongly suggest that Comodo should add to the Stealth Wizard a block on “UDP to 239.255.255.250 Port 1900”. I think this is the vulnerability which was attracting so many “intrusion attempts”.

Regards
Alan

[attachment deleted by admin]

Your rules seem to be doing the job for you. The key is that you understand your rules.

As you have only the one machine, and no router, then blocking outbound multicast is not going to cause you any problems. If you had a router, then there might be a problem, with the IGMP and UPnP traffic.

And, since you’re not using DHCP, then blocking outbound 255.255.255.255 shouldn’t cause any problems. But, if you ever do need dynamic IP address assignment using DHCP, then blocking 255.255.255.255 will cause it to fail.

Note that if you ever do get a router, then all the multicast traffic that you’re seeing (224.0.0.0 thru 255.255.255.255) will not go beyond your router, not even to your ISP. Multicast traffic is LAN-local, without some special effort on your part and on your ISP’s part.

The only advice I have, is something that you’re likely doing already: watch your logs. The logs can be remarkably informative. It just takes looking at them.

And I see you noticed the ports 1024-1030, and 1433-1434, as often queried ports from elsewhere on the Internet. Good for you, for blocking those ports.
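The advice in this thread boils down to two checks: what a logged destination actually is (limited broadcast, multicast, or a known service such as NetBIOS on 138, IGMP to 224.0.0.22 or SSDP on 239.255.255.250:1900), and which local services a global "Block IP Out" rule would break for a host with or without DHCP and a router. The following is an added example, not Comodo's or the posters' code; the service table and the host-profile flags (`dhcp`, `router`, `lan_sharing`) are assumptions made for illustration.

```python
"""Classify the broadcast/multicast destinations discussed in this thread and
show which local services a Comodo-style global block rule would break.
Added example, not Comodo's or the posters' code; the service table and the
host profile flags are assumptions made for illustration."""
import ipaddress

# Destination/port pairs quoted in the thread and what they normally carry.
KNOWN = {
    ("224.0.0.22", None): "IGMP membership report (multicast signalling)",
    ("239.255.255.250", 1900): "SSDP / UPnP discovery",
    ("255.255.255.255", 138): "NetBIOS datagram (browser) broadcast",
    ("255.255.255.255", 67): "DHCP discover/request to port 67",
}

# (service, destination network, UDP port or None, host flag that makes it needed)
SERVICES = [
    ("DHCP lease acquisition", "255.255.255.255/32", 67, "dhcp"),
    ("NetBIOS browser announcements", "255.255.255.255/32", 138, "lan_sharing"),
    ("IGMP group membership", "224.0.0.0/4", None, "router"),
    ("UPnP/SSDP device discovery", "239.255.255.250/32", 1900, "router"),
]


def classify(dst, dport=None):
    """Describe a logged destination: known service, else its address scope."""
    hit = KNOWN.get((dst, dport)) or KNOWN.get((dst, None))
    if hit:
        return hit
    addr = ipaddress.ip_address(dst)
    if dst == "255.255.255.255":
        return "limited broadcast (LAN only, never routed)"
    if addr.is_multicast:
        return "multicast (LAN-local unless router/ISP forwards it)"
    return "private unicast" if addr.is_private else "public unicast"


def block_impact(blocked_net, blocked_port, host):
    """Names of services a 'Block IP Out to blocked_net[:port]' rule breaks.
    host is a dict of flags, e.g. {"dhcp": False, "router": False}."""
    net = ipaddress.ip_network(blocked_net)
    broken = []
    for name, dest, port, flag in SERVICES:
        in_scope = ipaddress.ip_network(dest).subnet_of(net)
        port_hit = blocked_port is None or blocked_port == port
        if in_scope and port_hit and host.get(flag, False):
            broken.append(name)
    return broken


if __name__ == "__main__":
    alan = {"dhcp": False, "router": False, "lan_sharing": False}  # profile from the thread
    print(classify("239.255.255.250", 1900))
    print(block_impact("224.0.0.0/3", None, alan))                  # [] : safe for this host
    print(block_impact("255.255.255.255/32", None, {"dhcp": True}))  # DHCP would break
```

Alan's "224.0.0.0 through 255.255.255.255" block is the 224.0.0.0/3 range; with a DHCP-assigned address the same rule would list the DHCP service as broken, which is the caveat both replies raise.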