UDP port scan

I have found UDP port scan reports in the log file:

Date/Time :2007-11-26 16:39:11
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 192.168.0.1
Ports: 48137, 40457, 40969, 41481, 41737, 42249, 42761, 43273, 43785, 44041, 44297, 44553, 44809, 45065, 45321, 45577, 45833, 46089, 46345, 46601, 46857, 47113, 47369, 47625, 47881, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

Date/Time :2007-11-25 19:06:19
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 192.168.0.1
Ports: 35594, 26378, 26634, 26890, 27146, 27402, 27658, 27914, 28426, 28682, 29194, 29962, 29706, 30986, 31498, 32010, 33034, 33546, 33802, 34058, 34314, 34570, 34826, 35082, 35338, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

Date/Time :2007-11-24 20:43:46
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 192.168.0.1
Ports: 54023, 47111, 47367, 47623, 47879, 48135, 48391, 48647, 48903, 49159, 49415, 50183, 50695, 50951, 51207, 51463, 51719, 51975, 52231, 52487, 52743, 52999, 53255, 53511, 53767, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

My configuration:

AdslModem ---- Router (192.168.0.1) ------ My PC (192.168.0.100)

Are these false reports that I should ignore???

Read over the last couple of pages of this topic: https://forums.comodo.com/help_for_v2/udp_port_scan_on_hp_allonone_printers_closed-t10605.0.html

It seems CFP 2.4 reacts to normal traffic coming in too fast, and reports that traffic as a port scan. And then what seems to be a bug causes the report to display incorrect port information.

So the question is, what kind of traffic would your router be sending out, and sending sufficiently fast so as to cause a problem? It’s likely either route data (which routers will sometimes broadcast to the LAN), or UPnP traffic.

The port numbers increment in lots of 256. Is this significant?

Ewen

The port numbers increment in lots of 256. Is this significant?

The bug is causing a walk of memory contents. The 256 is doing the byte count off of what looks like 16 bit integers. Got a disassembler, and you’ve got yourself some code to something.
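The "lots of 256" observation can be checked directly against the first report's Ports line. This is an added example, not part of the original posts: it shows that every logged value shares one low byte, and what the values look like with their two bytes swapped. Reading them as byte-swapped port numbers is an assumption the thread does not confirm, and the function names are hypothetical.

```python
import re

# Constructed sample: the "Ports:" line of the first report on this page,
# with the run of trailing zeros shortened.
SAMPLE = ("Ports: 48137, 40457, 40969, 41481, 41737, 42249, 42761, 43273, "
          "43785, 44041, 44297, 44553, 44809, 45065, 45321, 45577, 45833, "
          "46089, 46345, 46601, 46857, 47113, 47369, 47625, 47881, 0, 0, 0")


def parse_ports(line):
    """Return the non-zero port numbers from a 'Ports:' log line."""
    _, _, body = line.partition(":")
    return [int(p) for p in re.findall(r"\d+", body) if int(p) != 0]


def swap16(value):
    """Swap the two bytes of a 16-bit integer."""
    return ((value & 0xFF) << 8) | (value >> 8)


def analyse(line):
    """Summarise the byte structure of the logged port values."""
    ports = parse_ports(line)
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return {
        "count": len(ports),
        # Distinct low bytes: a single entry means only the high byte varies,
        # which is why every step is a multiple of 256.
        "low_bytes": sorted({p & 0xFF for p in ports}),
        "odd_steps": [s for s in steps if s % 256 != 0],
        # Assumption: values were logged with their bytes in swapped order.
        "swapped": [swap16(p) for p in ports],
    }


if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("non-zero entries:", result["count"])
    print("low bytes seen  :", [hex(b) for b in result["low_bytes"]])
    print("steps not a multiple of 256:", result["odd_steps"])
    print("byte-swapped    :", result["swapped"])
```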

Thanks for the fast response. I didn't assume that, because a few weeks ago I posted the same problem to the Leak Testing/Attacks/Vulnerability Research forum with no responses.

The bug is causing a walk of memory contents

Is there some bug in Comodo Firewall?

Got a disassembler, and you’ve got yourself some code to something.

Should I discover Comodo software???
Are you talking to me???

The problem is bad, because it blocks my router very often.
There is no printer connected to my pc during these problems.

It does appear that there is a bug buried down in the CFP v2.4 code. Based on the limited research available, it doesn’t look like the memory being displayed is CFP internals, but something else. Just no idea of what, and it’s only readable, and not writeable. That makes it an annoying bug, but not a dangerous bug.

The other part of the problem, is that CFP v2.4 isn’t matching the inbound traffic volume to waiting open ports. The several topics about HP printers getting port scans point out the problem in detail, but the problem is not limited to only printers. Anything that has “SNMP network management” seems to be a candidate for tripping over the CFP bug. Routers, printers, modems, etc etc are such devices. SNMP traffic isn’t the only way to trip the problem either. I’m suspecting your modem is doing something similar, and so is tripping over the same bug.

A workaround is to raise the CFP threshold value. Click Security → Advanced, Advanced Attack Detection → Configure, then change the Port Scan threshold upward. I’ve heard that the max value is 2000. That should take care of your problem. If not, then there’s not an available CFP v2.4 fix for you.

Okay, I’ll raise the Port Scans threshold level, from 50 to 500 ports/sec.

It solved my problem!
My setting is now: Port Scan Probing rate: 200 ports/second