UDP DoS Attacks? Processor Overload!


I am using Comodo Firewall Pro Database 3.0

Two nights ago I was quietly Googling and browsing, and suddenly the cooling fan burst into life.

Task Manager \ Performance showed me that the CPU usage was cycling between 5% and 100% at 5-second intervals, and the Processes tab showed that CPF was fluctuating around 40%. The Firewall log showed that a dozen or so UDP violations were blocked in a single second, and this repeated at 5-second intervals. They were all aimed at my port number 11638. They all came from widely different IP addresses, and I think from different port numbers - shame on Comodo for not storing the log in a normal text file which I could read, and which I could sort into source IP addresses and flag any repetitions. Is there an application with which I can view the log file, or convert it into an Excel spreadsheet format?

Does anyone know why my port 11638 was being hit? Is there something special about this particular port?

Is this something normal, or something malevolent?
I assume I was the victim of a zombie army attack, and that a 150% increase in the quantity of violations would have taken over all processor cycles, and it would then ignore the keyboard, the mouse, and me.

This continued after I closed down Firefox and Thunderbird - there was then nothing else using the Internet, but UDPs continued to hammer this port number. I then disconnected and reconnected to the Internet, and my ISP automatically allocated me another IP address, so I was no longer hit by these UDPs - I guess that was a pleasure awaiting whoever got my old IP address.

I attach a representative snapshot from the log. The “Details” at the bottom belong to the log item designated by the cursor arrow.

If it happens again, should I panic and shut down, or can I safely ignore it?

I suggest the Firewall SHOULD pop up information balloons to warn when:

  1. Under sustained attack - zombies have got my IP address, unknown variants may penetrate, discretion is the better part of valour so get out of the Internet whilst you can, this message will self-destruct in 10,9,… ;
  2. Under sustained attack - Now is NOT a good time to “Allow All”, even if a Comodo Forum moderator has suggested selecting this as a test whether rules are unintentionally blocking an Internet Time site !!!
  3. Processor Busy Logging Internet Violations - this may greatly delay keyboard commands.

NB: Item 3 is because my last employer’s IT department insisted upon Panda Antivirus on every machine, and I have so many bitter memories of creating a new piece of software, then deciding to cut and paste one line for a better sequence, and nothing happened, so I hit the keyboard a bit harder and still nothing, and after about half a minute Panda finished scanning all the files and then all my “Cut” attempts were unleashed out of a “held pending” buffer - and the morning’s work went down the drain. So, against Company Policy, every morning started with me killing the Panda process. Please do NOT hog the processor to log all violations, but if you must do so then PLEASE post an IMMEDIATE warning - don’t let the user think he just needs to hit the keyboard a bit harder.
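As an added example (not part of the original post and not a Comodo tool), the following Python script does the log triage the post asks for: it parses blocked-packet lines, tallies hits per destination port, lists source addresses that repeat, flags every 5-second window in which the blocked-packet count for a port crosses a threshold, and writes the records out as CSV that Excel or any spreadsheet can open. Comodo's actual log layout is not shown in the post, so the sample lines below are constructed and the `LOG_RE` pattern is an assumption; point it at a real text export by adjusting that one regular expression.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log. The format "<date> <time> <action> <proto> <src>:<port> -> <dst>:<port>"
# is an assumption for this example; it is NOT Comodo's native log format.
SAMPLE_LOG = """\
2007-12-01 22:14:03 BLOCKED UDP 203.0.113.7:53021 -> 192.0.2.10:11638
2007-12-01 22:14:03 BLOCKED UDP 198.51.100.22:40112 -> 192.0.2.10:11638
2007-12-01 22:14:03 BLOCKED UDP 203.0.113.91:6881 -> 192.0.2.10:11638
2007-12-01 22:14:08 BLOCKED UDP 203.0.113.7:53021 -> 192.0.2.10:11638
2007-12-01 22:14:08 BLOCKED UDP 198.51.100.5:1024 -> 192.0.2.10:11638
2007-12-01 22:14:08 BLOCKED UDP 198.51.100.200:55555 -> 192.0.2.10:11638
2007-12-01 22:14:13 BLOCKED UDP 203.0.113.7:53021 -> 192.0.2.10:11638
2007-12-01 22:14:13 BLOCKED UDP 203.0.113.44:12345 -> 192.0.2.10:11638
2007-12-01 22:14:13 BLOCKED UDP 198.51.100.77:2000 -> 192.0.2.10:11638
2007-12-01 22:15:40 BLOCKED UDP 198.51.100.9:123 -> 192.0.2.10:123
"""

# Assumed line layout; edit this to match whatever a real export looks like.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


def parse_log(text):
    """Parse log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
        r["src_port"] = int(r["src_port"])
        r["dst_port"] = int(r["dst_port"])
        records.append(r)
    return records


def hits_per_port(records):
    """How many blocked packets were aimed at each local port."""
    return Counter(r["dst_port"] for r in records)


def repeated_sources(records, dst_port, min_hits=2):
    """Source addresses that hit dst_port at least min_hits times (repeat offenders)."""
    counts = Counter(r["src_ip"] for r in records if r["dst_port"] == dst_port)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def burst_windows(records, dst_port, window_seconds=5, threshold=3):
    """Return (window_start, count) for every window_seconds-long bucket in which
    blocked packets to dst_port reached the threshold. Buckets are measured from
    the first hit so the result does not depend on the local timezone."""
    hits = sorted(r["ts"] for r in records if r["dst_port"] == dst_port)
    if not hits:
        return []
    t0 = hits[0]
    buckets = Counter(int((t - t0).total_seconds()) // window_seconds for t in hits)
    return [
        (t0 + timedelta(seconds=b * window_seconds), n)
        for b, n in sorted(buckets.items())
        if n >= threshold
    ]


def to_csv(records, fp=None):
    """Write records as CSV (spreadsheet-importable). Returns the CSV text when
    no file object is given, otherwise the number of rows written."""
    fields = ["ts", "action", "proto", "src_ip", "src_port", "dst_ip", "dst_port"]
    out = fp if fp is not None else io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    for r in records:
        writer.writerow({**r, "ts": r["ts"].isoformat(sep=" ")})
    return len(records) if fp is not None else out.getvalue()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    port, _ = hits_per_port(recs).most_common(1)[0]
    print("most-hit local port:", port)
    print("repeat sources:", repeated_sources(recs, port))
    for start, n in burst_windows(recs, port):
        print(f"burst: {n} blocked packets in 5 s starting {start}")
    with open("blocked.csv", "w", newline="") as f:
        print("rows written:", to_csv(recs, f))
```

The 5-second bucket and threshold of three are chosen to match the pattern the post describes (a burst every 5 seconds); on a real export you would raise the threshold to whatever a quiet baseline shows, and a source that appears in several consecutive windows is the one worth noting in the CSV, since a spoofed-source flood will show mostly one-off addresses.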


