UDP port scans from router ip

I get this alert about 5-6 times a day:

Description: UDP Port Scan
Attacker: (local ip of my router usr9108)
Ports: xxxxx, xxxxxx, xxxxx,…random ports, 0, 0, 0, 0, 0, 0, 0, 0, 0 (random ports, they change for every new alert, but all of them have a list of 0 at the end)
The attacker has been temporary blocked

I’ve added my lan in the trusted zone (it seems everything works fine, file/printer sharing is ok), the suspicious thing seems linked to some kind of action of the router (upnp maybe?), the alert appears at random, it doesn’t depend on what application I use in that particular moment.

Or it is a real ATTACK!? from my router? ???

That IP address is the Gateway, not an attacker. Nothing to be concerned about.

It’s the router ip acting as a gateway, I know, but why the router scans my pc with random ports???
I’m only just “a bit” worried, not too much really, because probably (95%) it’s something “local” and not an external evil attack.
The point is:
my router is working fine blocking its scans? or should I allow some way the scans? is this a “normal” router behaviour?

Sounds like something you’ve configured to work that way. I’ve just checked my own logs and I don’t have any UDP in scans at all.

Something configured in the router? Could it be the upnp service? I have also synchronized the clock of the router with the one on my pc but I know for sure it uses port 123 and it works…don’t think it needs to scan the ports.
The upnp service could be the responsible, but at random…uhm…sounds strange; I can try to work without upnp for a few days to see if I get the same messages

I tend to follow most of the recommendations on this site as regards securing XP Pro.

If I run netstat -an from a command prompt, the only ports which are open are the ones shown in the pix.

[attachment deleted by admin]

You’re the third poster that I’ve seen to report something like this. All UDP port scans on seemingly random ports, ending with a bunch of port 0’s.

In one of the other topics “Port scan from an HP All-in-One”, some process of elimination is coming to the conclusion that it’s a networked HP printer that has gone insane. That’s not solidly confirmed yet.

Using the same process of elimination, and given only 5 or 6 scans a day, this may take a while, is to unplug the network cable from all the devices on your LAN one at a time to see if the scans stop.

You’ve got your PC and a router on your LAN network. Start with any other PCs, unplug their network cable. Keeping them unplugged, then move on to network attached printers or whatever else, until only your router and your PC are connected.

If the scan stops, then plug back in that last thing you unplugged. If the scan resumes, that last thing will very very likely be the cause of the problem. It’s the classic search technique of finding out where a problem is, by finding out where it isn’t.

Then post back here to let the forums know your results.

My guess would be uPNP, as it will scan across a subnet and within each node on the subnet looking for a responding port. Maxtor’s latest NAS does this for the standard upnp ports but then goes a little loopy for a while before settling back down. I don’t know if this is exactly what’s happening with you, but it sounds similar.

Ewen :)

Disabled upnp in my router config yesterday and no more udp scans reported by comodo firewall…
Let’s wait another 2-3 days, I’ll keep you informed, but actually disabling upnp seems to stop udp scans (not 100% sure because I’ve been testing only for 24 hours)

EDIT: 1 udp scan now -_-', without doubt I get less udp scans with upnp disabled but they don’t disappear completely. Suggestions? I have also a networked printer (I have the possibility to attach it to the router and use the print server but I prefer to connect the printer directly via usb to the pc and then share it on the windows workgroup).
Usually the printer is off.