UDP port scans from router

Hi everyone and thanks to the Comodo team for creating one of the best firewalls!

I’ve been happily using the firewall and can interpret all log entries except one that has me puzzled. I did a search on here first and found others (not many!) with the same issue. Example:

It’s a UDP incoming “port scan” originating from my router 192.168.x.x.

In the logs it will flag this as a high rating and then presumably go into security lock down mode. The numbers are always random ports and usually very high.

It’s on my brothers wireless PC so I can’t say what he’s doing at the time of the alleged attacks, although I’m surprised he hasn’t complained about being cut off from the router by Comodo. I’ll try and get the info from him, as it seems to happen at least once a day, sometimes less.

Other computers connected to the router currently have zone alarm and that doesn’t log any incoming UDP scan. I want to move them over to Comodo once I work out this issue.

Any clues then? I find it hard to believe my router is doing UDP port scans automatically. DHCP is disabled and computers have static IP addresses. External scans should be dropped by the NAT firewall - all ports pass green in shields up.

Is this a false positive?

Check this out…it may be the answer…!


Thanks! I didn’t see that thread.

That does sound like a plausible explanation - it’s the private DNS (router) address resolving many internal ips within a split second and Comodo thinks it’s a port scan.

Since these should all be coming through port 53 then isn’t Comodo at fault thinking it’s getting scanned on multiple ports by my router?

It’s the latest version and uses the default (automatic) configuration.

Or should I have the router’s address in the trusted zone? Is it safe to do this?

Now the hard part - in order to confirm it’s a DNS issue I just have to find out how he’s causing them! He would never use process explorer and hasn’t got any peer-to-peer software, so it must be Firefox which as we know opens up many connections internally while in use.

I’m quite surprised this isn’t a more widespread issue if the above is true.

Your router IP would normally be in your trusted zone, and that is safe. But this does not avoid the issue - my router IP is in my trusted zone & I had the “problem”.

I think firefox could be the cause, with multiple windows open. I’ve increased my “probe rate” to 200 and haven’t had the problem since. That said I only changed it a couple of days ago.

Thanks again. I’m new to the network jargon but decided to learn so I can use Comodo to its fullest. :slight_smile: I’m on song with masks, private IP ranges, DNS, DHCP, netbios, WINS etc. but still one or two blanks remain. Hasn’t taken long though to get to grips.

In my newb status, I’ve just realised that DNS queries only go OUT to port 53, but replies to clients (like from my router to a computer) use random high port numbers from which the request originated, so Comodo is working normally and detecting these as a flood when many come in at once.

I’ll just change the flood rules as you have for now, but there probably is (or perhaps should) be another way of configuring this using network rules and zones.

You guys might look here as a place to get started in your dig to better understand CFP.

https://forums.comodo.com/index.php/topic,6167.0.html. This is a locked compilation of various tutorials and explanations about CFP and common applications that require specific rules. Being locked, there are no responses or questions, just info for easy reading. Each topic/section has a link in the first post; and each topic has an embedded link back to the original post/thread where you can ask any questions you may need.