Hello everyone, I’ve been getting a large number of alerts in my log from UDP packets originating from an IP in the IANA blackhole range 10.0.0.0-10.255.255.255 (port 67) to 255.255.255.255 (port 68). At first I thought it was IP spoofing, but after I did a bit of ferreting around I believe it has something to do with DHCP. Is there any chance that these alerts could be malicious, and if not, how would I go about creating rules to allow the packets, or is it even necessary to allow the packets in?
I have the feeling that this started when I selected the ‘stealth all ports’ option in COMODO, though I’m not sure.
utorrent’s incoming connections stopped working recently too - would I have to allow incoming connections on a per-case basis to let it work properly, or can I create per-application rules for it (I’ve tried allowing TCP/UDP in on my chosen port, and UDP out, but it doesn’t seem to work… I then tried allowing IP in/out for any protocol, still nada.)
I’d be really grateful for any help anyone could give.
(Random info: Windows Vista, cable internet, Comodo ver. 3.5.57173.439)
These are real. DHCP is how your PC gets an IP address assigned to it when the PC first tries to connect to the Internet. If you have a NAT/router, it will provide your PC with an IP address, typically in the 192.168.x.x range. If you don’t have a NAT/router, then your ISP will give your PC an Internet accessible IP address.
Since you are seeing this kind of traffic with a 10.x.x.x address range, I’m guessing that you have a cable modem, and are directly connected to the Internet. Cable ISPs very often have their DHCP services in the 10.x.x.x range. It lets them distribute their network load into something manageable.
UDP port 67 is used by the DHCP server, and UDP port 68 is used by the DHCP client that is trying to get an IP address. That client is your PC in this instance. Since your PC doesn’t have an IP address when it first boots up, it does a broadcast to 255.255.255.255 which is a special IP address used by DHCP. That broadcast does not go to the Internet, but stops at the ISP router, and goes only to the DHCP server.
To open up the firewall to allow DHCP to actually do its stuff, you will need this rule as the very first (reading from the top) rule in your Global Rules:
Protocol: UDP (select from the pull-down list)
Description: DHCP rule
Source Address: any
Destination Address: single IP: 255.255.255.255
Source Port: port range: 67-68
Destination Port: port range: 67-68
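As an added example (not part of this thread and not Comodo code), here is a small Python script that applies the rule above to a few constructed firewall log lines, so you can see which blocked entries it would now let through and which it would still block. The log format, the addresses and the `looks_like_dhcp_server_offer` check are all assumptions made for the example; Comodo's real log lines look different, so you would adapt `LINE_RE` to whatever your export actually contains.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log (not real Comodo output), one entry per line in the form
#   Blocked <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
Blocked UDP 10.42.17.1:67 -> 255.255.255.255:68
Blocked UDP 10.42.17.1:67 -> 255.255.255.255:68
Blocked UDP 0.0.0.0:68 -> 255.255.255.255:67
Blocked UDP 198.51.100.7:4444 -> 255.255.255.255:68
Blocked TCP 10.42.17.1:67 -> 255.255.255.255:68
"""

LINE_RE = re.compile(
    r"^Blocked (?P<proto>[A-Z]+) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

BROADCAST = ip_address("255.255.255.255")
PRIVATE_10 = ip_network("10.0.0.0/8")
DHCP_PORTS = range(67, 69)  # 67 (server) and 68 (client)


def parse_line(line):
    """Return a dict for one log entry, or None if the line does not fit the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def matches_dhcp_rule(entry):
    """The global rule from the reply: UDP, any source, dst 255.255.255.255, ports 67-68 on both sides."""
    return (
        entry["proto"] == "UDP"
        and entry["dst"] == BROADCAST
        and entry["sport"] in DHCP_PORTS
        and entry["dport"] in DHCP_PORTS
    )


def looks_like_dhcp_server_offer(entry):
    """Narrower check (assumed for the example): the cable-ISP pattern, 10.x.x.x:67 -> broadcast:68."""
    return (
        matches_dhcp_rule(entry)
        and entry["src"] in PRIVATE_10
        and entry["sport"] == 67
        and entry["dport"] == 68
    )


def classify_log(log_text):
    """Split blocked entries into those the DHCP rule would allow and those it would still block."""
    allowed, still_blocked, unparsed = [], [], []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)
        elif matches_dhcp_rule(entry):
            allowed.append(line)
        else:
            still_blocked.append(line)
    return {"allowed": allowed, "still_blocked": still_blocked, "unparsed": unparsed}


if __name__ == "__main__":
    result = classify_log(SAMPLE_LOG)
    for label in ("allowed", "still_blocked"):
        print(f"{label}:")
        for line in result[label]:
            print("  " + line)
```

The point of the two extra lines in the sample is that the rule is already fairly tight: a UDP packet to the broadcast address from a non-DHCP source port, or a TCP packet to 67/68, still gets blocked, while both the client's discover (0.0.0.0:68 -> 255.255.255.255:67) and the server's reply (10.x:67 -> 255.255.255.255:68) are let through.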
Why do I have to create a special rule to allow something as common as DHCP? And why has it worked for a long time and now suddenly started blocking DHCP? And why didn’t it alert me that it is blocking DHCP? “It” is CIS 3.8.64739.471.