UDP Port scan from router?

Periodically (almost daily) I receive a log entry in Comodo saying that a UDP port scan came from 192.168.1.1, which is my router. Some of the ports supposedly scanned are 0, 44,048, 23,568, 137, 63,265 - something like 45 numbers - all high except for a couple. The numbers differ each time. I get no scan notifications from any other firewall. Is this a false alarm?

It probably is a false alarm. If you run something like Process Explorer (from SysInternals), then it can make a DNS request for each & every process listed. This causes a large amount of UDP requests going out to your DNS & then being returned (answered). Sometimes, if the action is swift enough, then CPF can interpret the incoming DNS answers as some form of UDP scan. Whether it’s a false alarm or not is down to what you were running when the alarm was registered. If you did nothing (no programs that ask for lots of DNS resolves, net-side port scans, etc…) to provoke the scan, then it could be real. But, without knowing your router, it could easily be a function of the router. It is odd that the scan appeared to be from your own router. Do you run your own Domain Name Server (DNS)?

Hi, kail,

I don’t use anything like Process Explorer. I also don’t run my own DNS. I notice that I also get a lot of ICMP port unreachable messages - they originate from my computer and are sent to my router.

My router is a Linksys.

Hi mvdu

I’m a bit concerned that it seems quite a lot of things appear to come from or are going to your router… the blocked outbound ICMP Port Unreachable is to be expected… where a DNS is involved. But, your router? This must be some sort of setup issue with the router. However, since I don’t have one, I can’t really help. So, I’ll need to leave you in the hands of those who do have a router or experience of your router… at least they should be able to assist you, where I can only guess & speculate (which isn’t terribly helpful).

Thanks for your responses. I’ll see if anyone knows more. It could be a setup issue, because it seems KAV and Antivir give me connection problems.

Still getting scans. It blocks my router, which is a problem.

I would be interested to hear any further thoughts on this as a similar issue is occurring from my router, a D-Link DSL 504.

Again my connection goes down and I don’t get reconnected.

Have you defined a trusted network?
Changed any default settings in the router?

Hmmmm… Are you sure this port scan is from your router AND not from the DNS server on the other side of your router (forwarded by the “virtual” DNS server in the router)? I have the same problem, but here the IP addresses are from the DNS server in my network configuration. A couple of times a day I get these scans (and blocking of the DNS servers) in my log. The ports are 0 and 5-digit port numbers.

Some routers do scan their LAN. (one of the two routers I have does this).
You must define your secure zone and you will be ok :wink:

Funny topic, I also often have these messages in the cpf log telling me that some kind of traffic coming from my router was blocked, just as if my router was attempting to attack my computer. And my router is from yet another make (French). They can’t all be misconfigured! I suppose that port scans happen from time to time, and that the origin of it is either filtered by the router, or by cpf itself. I mean that the original IP address of the hacker is masked by my own router address. That’s a bit ridiculous. Sygate firewall could always tell precisely where a threat was coming from. And this could even be backtraced.

just wanted to add that I set my network adapter to a trusted zone (in cpf). I still get these medium alert lines when I undo that. I’m not sure that it’s related at all to the problem, cause cpf seems to have problems to deal with the router’s traffic, not with the network adapter’s traffic.

If you check the log, is it ICMP and/or IGMP that the router is sending?

I just checked my log and at the moment I only get Outbound Policy Violations on IGMP (absolutely normal, related to UPnP and 224.0.0.22), no Inbound problems. They are not in the log anymore. I can’t remember whether it was IGMP or ICMP when it came from the router. I’ll have to check that again when it happens.

It’s normal that the router sends IGMP (multicast), so you can block or allow it if you use streaming audio/video on your network. Some routers allow you to turn IGMP on or off.
My router sends ICMP as well and I have allowed it, but you probably can block it too. There are some default rules for ICMP.

I might say something wrong cause I’m not a specialist at all, but according to what I’ve read, and to what I’ve noticed in the past in Sygate pf logs, IGMP also allows organisations like IANA (Internet Assigned Numbers Authority) or ICANN (Internet Corporation for Assigned Names and Numbers) to know that your computer is present on the network. That’s why outbound policy violations logged in cpf are always related to IP 224.0.0.22 (IGMP multicast). It’s also an IANA IP address. These guys try port scans sometimes too, and you get an inbound policy violation. I emailed them once, and their reply was that I was not the first one to complain, but that they were innocent. Enabling UPnP on a PC seems to enable it to send automatic requests to those guys, and fortunately cpf blocks them. I still have to read more about IGMP multicast anyway…

I’m not an expert in this and I don’t know if it’s IANA or anything else…
Multicast is between 224.0.0.0-239.255.255.255
Your 224.0.0.22 is an IGMP port.
It could be triggered by a topology change in the network upstream from you, or when the router closest to where you are connected updates its routing tables and sends out a request to see who all can see it after the change.
I don’t think it’s anything to worry about.

Do you have file and printer sharing enabled, on your computer?

CPF has problems with traffic? I don’t understand what you mean. If CPF didn’t see the traffic, then it would have problems…

Concerning what you were asking me earlier, what appears today in my log is neither ICMP nor IGMP but some UDP incoming traffic that for some reason cpf blocks from my router to my PC. The source is always the same port on my router and the destination is different ports (on different lines in the log) on the PC. And no, file and printer sharing is not enabled on my connection.

What I’m trying to understand is why firewalls, and not just Comodo, so often block incoming or outgoing traffic without giving a clear, really clear message concerning what is supposed or not supposed to be a threat. People think they’re attacked, and lose time, like I might do too, talking about something that might not even exist. And that is most of the time because alert messages and logs from firewalls, and once again ALL firewalls, not just Comodo, are often confusing, because they either say too much, or not enough.
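As an added example (not from the thread, Comodo, or any poster), a small Python classifier over constructed log lines that separates the three patterns discussed above: a burst of DNS answers from a resolver's port 53 to ephemeral local ports (the "many resolves, then many UDP replies" case kail describes), IGMP to the 224.0.0.0-239.255.255.255 multicast range, and a UDP sweep from one non-DNS source port to many destination ports including 0 and low ones. The "PROTO src:sport -> dst:dport" log layout, the sample lines and the thresholds are assumptions, not Comodo's real log format.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread). The layout
# "PROTO src:sport -> dst:dport" is an assumption, not Comodo's real format.
SAMPLE_LOG = """\
UDP 192.168.1.1:53 -> 192.168.1.100:61234
UDP 192.168.1.1:53 -> 192.168.1.100:52011
UDP 192.168.1.1:53 -> 192.168.1.100:58877
UDP 192.168.1.1:53 -> 192.168.1.100:49152
IGMP 192.168.1.1:0 -> 224.0.0.22:0
UDP 203.0.113.7:40000 -> 192.168.1.100:137
UDP 203.0.113.7:40000 -> 192.168.1.100:0
UDP 203.0.113.7:40000 -> 192.168.1.100:23568
UDP 203.0.113.7:40000 -> 192.168.1.100:44048
"""

LINE_RE = re.compile(r"^(\w+) (\S+):(\d+) -> (\S+):(\d+)$")

def parse(log):
    # Yield (proto, src, sport, dst, dport); lines that do not match are skipped.
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, src, sport, dst, dport = m.groups()
            out.append((proto, src, int(sport), dst, int(dport)))
    return out

def is_multicast(ip):
    # IPv4 multicast is 224.0.0.0-239.255.255.255, i.e. first octet 224..239.
    return 224 <= int(ip.split(".")[0]) <= 239

def classify(log, scan_threshold=3):
    """Group packets by (proto, src, sport) and label each group."""
    flows = defaultdict(set)
    for proto, src, sport, dst, dport in parse(log):
        flows[(proto, src, sport, is_multicast(dst))].add(dport)
    labels = {}
    for (proto, src, sport, mcast), dports in flows.items():
        key = (proto, src, sport)
        if proto == "IGMP" and mcast:
            labels[key] = "multicast membership traffic (normal)"
        elif proto == "UDP" and sport == 53 and min(dports) >= 1024:
            # Replies from port 53 to ephemeral ports: a DNS answer burst,
            # the pattern a firewall can mistake for a UDP scan.
            labels[key] = "likely DNS replies, not a scan"
        elif proto == "UDP" and len(dports) >= scan_threshold:
            labels[key] = "possible UDP port scan"
        else:
            labels[key] = "single or sparse UDP packets"
    return labels
```

Running `classify(SAMPLE_LOG)` labels the port-53 burst as DNS replies, the 224.0.0.22 packet as normal multicast, and the four-port sweep from 203.0.113.7 as a possible scan.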

If your router has its own private IP address (which I guess it does, since CPF blocks traffic from it), then I think you should have set up a Trusted Zone that includes your PC & the router. That being the case, CPF would not block anything originating from your router.