I’ve noticed this off and on for some time and I now wonder what is happening.
I find many entries in the firewall log that Application: Windows Operating System has had an inward UDP attempt from port 6277 to some random port on my machine. The IP addresses appear to be somewhat random but some keep appearing again and again.
The thing is that my router doesn’t have port 6277 or the destination port open, and no forwarding from the router for such ports to my machine.
So, if the router isn’t forwarding the packets, how can CIS be reporting these IP addresses?
I decided to run Wireshark to see if I could find out anything more about this and was very surprised to find that the incoming data appears to be responses to outgoing packets from my machine. I cannot make any sense of the destination IPs as they seem to be all over the place and there is nothing I can see to connect them. The odd thing is that I have seen quite a few packets going out with responses coming back and CIS hasn’t complained about any of them so far.
I did find a strange entry in the firewall though which was named Windows Itself and appeared to be saying that UDP from anywhere was OK, which makes it even more strange that these blocked records were appearing.
It turns out that the messages are to Distributed Checksum Clearinghouses. The strange thing is that there are quite a few message pairs between my machine and these apparently random IP addresses and most of them are passing through the firewall without anything happening. So the question is why some of them are being blocked when there was an outward request from my machine.
I’ve spotted one where it seems there were two requests issued to the same port but the second was sent before a response had come back from the first. Wireshark shows both coming back and my guess is that the firewall didn’t like the second response because it didn’t recognise that there had been two requests.
UDP is a stateless protocol, which means it doesn’t keep track of connections between two hosts, but stateful firewalls such as CFW will allow UDP response packets from hosts that your system sends to within a certain time frame. For example, if you are connected to a game server that uses UDP for game data, then you disconnect from the server, any delayed packets that were sent will be blocked by the firewall.
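To make the reply above concrete, here is an added toy model of stateful UDP tracking (example code, not Comodo's implementation or anything from this thread). It records each outbound UDP request under an assumed timeout, allows a reply only while that entry is alive, and has an optional "one reply per request" mode that reproduces the earlier guess about two back-to-back requests on the same port. The addresses, ports and timeout are constructed sample values.

```python
from dataclasses import dataclass

UDP_TIMEOUT = 30.0  # assumed lifetime of an outbound UDP entry, in seconds

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    time: float  # seconds since start of capture

class StatefulUdpFilter:
    """Allow inbound UDP only as a timely reply to an earlier outbound packet."""

    def __init__(self, timeout: float = UDP_TIMEOUT, one_reply_per_request: bool = False):
        self.timeout = timeout
        self.one_reply_per_request = one_reply_per_request
        # (local_port, remote_ip, remote_port) -> expiry time
        self._flows: dict[tuple[int, str, int], float] = {}

    def outbound(self, pkt: Packet) -> None:
        """Create or refresh the entry for an outgoing request."""
        self._flows[(pkt.src_port, pkt.dst_ip, pkt.dst_port)] = pkt.time + self.timeout

    def inbound(self, pkt: Packet) -> str:
        """Return 'allow' for a reply matching a live entry, otherwise 'block'."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        expiry = self._flows.get(key)
        if expiry is None:
            return "block"            # unsolicited: no outbound request matches
        if pkt.time > expiry:
            del self._flows[key]      # entry aged out, so a late reply is dropped
            return "block"
        if self.one_reply_per_request:
            del self._flows[key]      # entry consumed by the first reply
        return "allow"

def dcc_scenario() -> dict[str, str]:
    """One DCC-style query to port 6277: timely reply, unsolicited packet, late reply."""
    fw, me, dcc = StatefulUdpFilter(), "192.168.1.10", "203.0.113.5"
    fw.outbound(Packet(me, 50123, dcc, 6277, 0.0))
    return {
        "timely": fw.inbound(Packet(dcc, 6277, me, 50123, 0.2)),
        "unsolicited": fw.inbound(Packet("198.51.100.7", 6277, me, 50123, 0.3)),
        "late": fw.inbound(Packet(dcc, 6277, me, 50123, 45.0)),
    }

def two_request_scenario(one_reply_per_request: bool) -> tuple[str, str]:
    """Two requests from the same port before either reply arrives."""
    fw, me, dcc = StatefulUdpFilter(one_reply_per_request=one_reply_per_request), "192.168.1.10", "203.0.113.5"
    fw.outbound(Packet(me, 50123, dcc, 6277, 0.0))
    fw.outbound(Packet(me, 50123, dcc, 6277, 0.1))  # refreshes, does not count, the entry
    return fw.inbound(Packet(dcc, 6277, me, 50123, 0.2)), fw.inbound(Packet(dcc, 6277, me, 50123, 0.3))
```

In the plain time-window mode both replies to the doubled request pass; only a filter that consumes the entry on the first reply blocks the second, which is what the earlier post suspected the firewall was doing.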
Thanks. That makes sense of why I am seeing the blocked replies. Now I just need to work out why there are two requests going to the same port at the same time.