svchost.exe/255.255.255.255/22MB in 15 minutes

So I’ve been following along with this thread (after posting a similar problem just a few days ago here: https://forums.comodo.com/help/numerous_medium_network_monitor_logs_inbound_outbound_policy_violations-t14432.0.html).

Although I must admit I don’t quite fully understand all the more technical points of this discussion, here are my own personal observations up till now.

These are the 3 logs I get every time I log on:

Date/Time :2007-11-04 21:06:26
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 99.250.XX.XX
Destination: 224.0.0.22
Reason: Network Control Rule ID = 7

Date/Time :2007-11-04 21:06:26
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = ROUTER SOLICITATION)
Protocol:ICMP Outgoing
Source: 99.250.XX.XX
Destination: 224.0.0.2
Message: ROUTER SOLICITATION
Reason: Network Control Rule ID = 7

Date/Time :2007-11-04 21:06:26
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.249.64.1, Port = dhcp(68))
Protocol: UDP Incoming
Source: 10.249.64.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)
Reason: Network Control Rule ID = 7

Network Control Rule #7. Block and Log IP IN/OUT from IP [ANY] to IP [ANY] where IPPROTO is ANY

I have no problem connecting to the internet, but these continual logs are concerning me. Additionally, in the connections section of the ACTIVITY screen in CPF, SVCHOST.exe is always connected as follows:

svchost.exe Protocol: UDP In/Out Source (IP : Port): 0.0.0.0 : 68 Destination (IP : Port): 255.255.255.255 : 67 Bytes In: ~200kb Bytes Out: ~1kb

The bytes in only get as high as 200+ kb - nowhere near as big as the 22mb described in this original post by housiemousie2. Is this normal for svchost.exe to be constantly connected and for the source IP to be 0.0.0.0 : 68 ?

After reading this post, I tried blocking 10.x.x.x as per the instructions earlier in this post. While it stopped the Inbound Policy Violation (Access Denied, IP = 10.249.64.1, Port = dhcp(68)) log, the two other logs remained. 8 minutes after bootup, I started getting numerous other Inbound Policy Violations (17 within a 2 second timeframe):

14 of these:

Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol: ICMP Incoming
Source: 125.129.53.xx (where the last two digits of this address changes for each log entry)
Destination: 99.250.xx.xx (my IP)
Message: PORT UNREACHABLE

followed by 3 of these:

Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, ICMP = HOST UNREACHABLE)
Protocol: ICMP Incoming
Source: 125.129.53.xx (where the last two digits of this address changes for each log entry)
Destination: 99.250.xx.xx (my IP)
Message: HOST UNREACHABLE

After getting these log entries, I deleted the new Network Rule so once again, I get the original three log entries whenever I log in.

Is this activity (especially the svchost.exe activity) normal? Should I be creating a new rule to allow the IP boot process to be completed?

Thanks everyone. Sorry for the length… :frowning:

224.0.0.2 – All Routers on this Subnet
This is probably an advertisement by your PC, set up by your provider to announce your presence on the network.
224.0.0.22 – IGMP
This is probably limited to 1 hop from your computer
It's hard to tell exactly what's going on without knowing more.
Who is your ISP?
What part of the world are you in?

The last could be, as I was discussing, a bootP from the CMTS. It's impossible to tell without a packet capture.

I would not be concerned about any of this activity.
If you don't want to see these in your logs, I would create specific rules blocking these and place them above
Rule 7. Make sure logging is not enabled on the new rules.

14 of these:
followed by 3 of these:
These are ping replies. I can't tell anything without more info.

Additionally, in the connections section of the ACTIVITY screen in CPF, SVCHOST.exe is always connected as follows:

svchost.exe Protocol: UDP In/Out Source (IP : Port): 0.0.0.0 : 68 Destination (IP : Port): 255.255.255.255 : 67 Bytes In: ~200kb Bytes Out: ~1kb

The bytes in only get as high as 200+ kb - nowhere near as big as the 22mb described in this original post by housiemousie2. Is this normal for svchost.exe to be constantly connected and for the source IP to be 0.0.0.0 : 68 ?
This part I don't have an informed reply as to why, only that mine is also. I don't concern myself about it too much.

I have learned a lot about the workings of a PC connecting to the INet and the interactions of applications in this forum.

Hope this helps

OD

The inbound UDP from 10.249.64.1, you can block per the discussion earlier in this topic. It’s coming from your ISP, and is intended to be received only by your cable modem.

The other two entries show outbound traffic from your machine to your LAN, if you had a LAN. Since your machine is connected directly to the modem, I’m presuming then that you don’t have any other machines. So these two entries don’t show any connection to anything.

If you had a NAT/router, your machine would identify your router as a router. That's what the 224.0.0.2 and the 224.0.0.22 addresses are for. That's a query broadcast to "all routers on this LAN: hello? hello?". You don't have a router, so the query doesn't get answered. The 224.0.0.x is what is known as a multicast address, and such addresses do not go out onto the Internet without some special routing.

This is the normal bootup sequence, for your machine to send a packet out. However, you should not allow such a packet into your machine unless you’re running a DHCP server, and as a single machine, that’s not something that you’re likely to be doing.

You should change your rule to be

allow out protocol UDP from host 0.0.0.0 port 68 to host 255.255.255.255 port 67
block in protocol IP from host 0.0.0.0 to any

The 0.0.0.0 address has a predefined meaning, and is used only by a machine when asking for an Internet address. If you’re getting CFP log entries for 0.0.0.0 inbound to your machine, you should block that traffic, but you don’t need to log it. I suspect that is what your 200+kb of logs is from.

This is interesting. The 125.129.53.x address space is in Korea. ICMP messages are like the telephone messages “the number you have dialed is not in service”. If you’re getting a flurry of these just after you connect to the Internet, and then disappear, I’d say it was likely that the Internet IP address you have right now was previously used by someone running a fileshare client that was talking to that address (125.129.53.x), and that address is no longer running any filesharing services. They send a “not in service” message to their last known users, and your machine just happens to be connected to that previous user address.

Having said all that, what it means is that you can ignore the messages. It’s residual traffic from the previous IP address user.
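As an added example (not code from the thread, from Comodo, or from either poster), here is a small Python triage script that parses Network Monitor entries in the "Key: value" layout quoted above and sorts each one into the explanations the replies give: outbound multicast LAN discovery (224.0.0.x), the inbound DHCP/bootp broadcast from the ISP's 10.x.x.x relay, and the inbound ICMP unreachable flurry left over from the previous holder of the IP address. Anything that fits none of those is marked for review, which is the entry worth looking at. The sample log is constructed from the posts; the masked addresses (99.250.XX.XX, 125.129.53.xx) are filled with placeholder values.

```python
"""Triage of Comodo Network Monitor log entries (added example, not Comodo's code)."""
import ipaddress
import re
from collections import Counter

MULTICAST = ipaddress.ip_network("224.0.0.0/4")       # LAN-scoped, not routed to the Internet
BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample built from the entries quoted in the thread; masked
# octets replaced with placeholder values (99.250.0.1, 125.129.53.10/11).
SAMPLE_LOG = """\
Date/Time :2007-11-04 21:06:26
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 99.250.0.1
Destination: 224.0.0.22
Reason: Network Control Rule ID = 7

Date/Time :2007-11-04 21:06:26
Description:Outbound Policy Violation (Access Denied, ICMP = ROUTER SOLICITATION)
Protocol:ICMP Outgoing
Source: 99.250.0.1
Destination: 224.0.0.2
Message: ROUTER SOLICITATION
Reason: Network Control Rule ID = 7

Date/Time :2007-11-04 21:06:26
Description: Inbound Policy Violation (Access Denied, IP = 10.249.64.1, Port = dhcp(68))
Protocol: UDP Incoming
Source: 10.249.64.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)
Reason: Network Control Rule ID = 7

Date/Time :2007-11-04 21:14:30
Description: Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol: ICMP Incoming
Source: 125.129.53.10
Destination: 99.250.0.1
Message: PORT UNREACHABLE

Date/Time :2007-11-04 21:14:31
Description: Inbound Policy Violation (Access Denied, ICMP = HOST UNREACHABLE)
Protocol: ICMP Incoming
Source: 125.129.53.11
Destination: 99.250.0.1
Message: HOST UNREACHABLE
"""

# "Key :value" / "Key: value" lines; the key stops at the first colon so that
# values such as timestamps and "ip:name(port)" keep their own colons.
KV = re.compile(r"^\s*([A-Za-z/ ]+?)\s*:\s*(.*?)\s*$")


def _addr(field):
    """Split 'ip' or 'ip:name(port)' into (ip_address, port-or-None)."""
    host, _, rest = field.partition(":")
    m = re.search(r"\((\d+)\)", rest)
    return ipaddress.ip_address(host), (int(m.group(1)) if m else None)


def parse_entries(text):
    """Return one dict of fields per blank-line-separated log entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = KV.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if fields:
            entries.append(fields)
    return entries


def classify(entry):
    """Map one entry to the explanation given in the thread, or 'review'."""
    proto, _, direction = entry.get("Protocol", "").partition(" ")
    direction = direction.strip().lower()
    src, sport = _addr(entry["Source"])
    dst, dport = _addr(entry["Destination"])
    msg = entry.get("Message", "").upper()
    if direction == "outgoing" and dst in MULTICAST:
        return "lan-discovery"          # IGMP / router solicitation, link-local only
    if proto == "UDP" and direction == "incoming" and dst == BROADCAST \
            and sport == 67 and dport == 68:
        return "dhcp-broadcast"         # bootp offer; block without logging
    if proto == "ICMP" and direction == "incoming" and "UNREACHABLE" in msg:
        return "residual-icmp"          # peers of the previous holder of this IP
    return "review"


def triage(text):
    """Count entries per category and collect the /24s sending ICMP unreachables."""
    counts, icmp_nets = Counter(), set()
    for e in parse_entries(text):
        cat = classify(e)
        counts[cat] += 1
        if cat == "residual-icmp":
            net = ipaddress.ip_network(_addr(e["Source"])[0]).supernet(new_prefix=24)
            icmp_nets.add(str(net))
    return dict(counts), sorted(icmp_nets)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The categories map directly onto the rule advice in the replies: "lan-discovery" and "dhcp-broadcast" entries are the candidates for a dedicated block rule placed above Rule 7 with logging turned off, "residual-icmp" entries can be ignored (the /24 summary shows whether they all trace back to one former peer), and only "review" entries need a closer look.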