
Firewall Blocking Traffic from 255.255.255.255??


kja
August 23rd, 2003, 11:44 PM
Hi,

I'm new here, and I don't really understand a lot about firewall activity, so I was hoping someone might be able to help me with this. I keep getting bombarded with the following message:

McAfee Firewall automatically blocked incoming traffic from IP address 255.255.255.255. You have configured McAfee Firewall to always block traffic to or from this address. The IP protocol type was 17 [UDP]. The remote address associated with the traffic was 10.40.224.1. The network adapter for the traffic was "Intel(R) PRO/100 VE Network Connection".

I'm not sure how long my firewall has been blocking the attempts, but I just got cable two weeks ago, and I've been checking the activity logs a lot more since then. I'm starting to get pretty worried, because today alone, there have been 422 entries like that in the last 8 1/2 hours. Also, I never configured my firewall to block traffic from that address, although the message says I did.

Could somebody tell me what's happening, and if there's anything I can do to stop it? I'd really appreciate any info you can provide!

CrazyM
August 23rd, 2003, 11:53 PM
Hi kja

First...welcome to Wilders :).

The 255.255.255.255 is a broadcast address.
The 10.40.224.1 is in a range usually reserved for private networks, in your case, likely your cable connection/network.

You indicate the protocol was UDP, do your logs show the source and destination ports?

Regards,

CrazyM

kja
August 26th, 2003, 05:56 PM
Thanks for the welcome and the info CrazyM. The logs don't show either the source or destination ports. Also, I checked with my ISP, and they said this has nothing to do with them or the cable service. Any other info you can provide? Thanks again!

CrazyM
August 26th, 2003, 07:46 PM
Hi kja

Well hopefully you should have detailed logs somewhere. If the initial alert did not provide source and destination ports, it should be captured in the logs. Without detailed logs, it's hard to say what the firewall is actually blocking or what this traffic may be. Have another look, there is likely a log file kept by your firewall.

Is your IP in the same range as the source IPs of the blocked packets?

Regards,

CrazyM

kja
August 26th, 2003, 09:04 PM
Hi again CrazyM,

Thanks for replying so quickly. No, my IP isn't in the same range as the source IPs. Theirs starts with 10.xxx and mine starts with 24.xxx. I went back and checked my firewall logs and found that although the activity and warning logs have tons of entries for 255.255.255.255 today, the current activity log lists only one for that IP. It says:

Program: SVCHOST.EXE
Local Port: 1028 [ephemeral]
Remote Address: 255.255.255.255
Remote Port: 0
Start Time: 08/26/03 11:47:28 AM
Duration: 19884
Sent (bytes): 0
Received (bytes): 0

Also, the log messages like the one I referenced in my first post all say something like this at the bottom of each message (each one differs a little bit):

The binary data contained in the packet was "ff ff ff ff ff ff 00 08 e2 32 10 54 08 00 45 00 01 50 30 57 00 00 ff 11 a0 1c 0a 28 e0 01 ff ff ff ff 00 43 00 44 01 3c 68 7a 02 01 06 00 0d 9a ed 20 00 00 80 00 00 00 00 00 18 18 cd 04 00 00 ".

Is any of this helpful in figuring out what's going on, and whether or not I should be worried about it?

Thanks,
Karin

CrazyM
August 27th, 2003, 07:23 PM
Hi Karin

-{ Quote: kja: "Is any of this helpful in figuring out what's going on, and whether or not I should be worried about it?" }-

No I don't think you have anything to worry about if your firewall is blocking these broadcasts.

Could you check the directory where you have your firewall installed for a log file. A complete log entry with: date, time, action (block/allow), protocol, source IP, source port, destination IP, destination port would help. (just xxx out your IP)

Regards,

CrazyM

CrazyM
August 27th, 2003, 09:52 PM
-{ Quote: kja: "The binary data contained in the packet was "ff ff ff ff ff ff 00 08 e2 32 10 54 08 00 45 00 01 50 30 57 00 00 ff 11 a0 1c 0a 28 e0 01 ff ff ff ff 00 43 00 44 01 3c 68 7a 02 01 06 00 0d 9a ed 20 00 00 80 00 00 00 00 00 18 18 cd 04 00 00 "." }-

Thanks to Dan Perez for the decode:

So it is IPv4
min IP Header length of 5 32-bit words
Type-of-Service field of value of 0x00

IP Datagram Length is 0x0150 bytes (and not all of it is shown so the packet data was truncated)

Datagram ID is 0x3057

The Fragment Info is 0x0000

TTL = 0xFF (I believe the default TTL for Win2K/XP is the same)
Protocol# = 0x11 (UDP)

IP Header Checksum = 0xa01c

Source IP = 10.40.224.01

Dest IP = 255.255.255.255

UDP Header info

Source Port = 67

Dest Port = 68

UDP Packet Length = 0x013c

UDP Checksum = 0x687a

BOOTP data

Opcode = Reply
Hardware Type = Ethernet

So the broadcasts being blocked by your firewall are DHCP/Bootp broadcasts which are nothing to worry about. The private address range 10.xx.xx.xx showing as the source address is likely your ISP's cable network/servers.

Regards,

CrazyM
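
The decode above carried out programmatically, as an added example (my code, not Dan Perez's decode or anything posted in the thread): it parses the hex dump kja posted, checks the IPv4 header checksum, reports that the log truncated the datagram (50 of 336 IP bytes captured, so the UDP checksum cannot be verified), and reads the BOOTP header a few bytes further than the post does, including the broadcast flag that explains why the reply went to 255.255.255.255.

```python
import struct

# Hex dump taken from kja's post. The firewall log truncated it: 64 bytes of a
# frame whose IP header declares a 0x150-byte datagram.
PACKET_HEX = (
    "ff ff ff ff ff ff 00 08 e2 32 10 54 08 00 45 00 01 50 30 57 00 00 ff 11 "
    "a0 1c 0a 28 e0 01 ff ff ff ff 00 43 00 44 01 3c 68 7a 02 01 06 00 0d 9a "
    "ed 20 00 00 80 00 00 00 00 00 18 18 cd 04 00 00"
)

def ip_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the whole IP header, checksum field included,
    folds to 0xffff when the stored checksum is correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff

def decode_frame(hexdump: str) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> BOOTP and return the fields the decode relies on."""
    pkt = bytes.fromhex(hexdump)
    mac = lambda b: ":".join("%02x" % x for x in b)
    ip4 = lambda b: ".".join(str(x) for x in b)
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    ip = pkt[14:]
    ihl = (ip[0] & 0x0f) * 4                  # header length: 5 words = 20 bytes
    total_len, ip_id, _frag, ttl, proto, _csum = struct.unpack("!HHHBBH", ip[2:12])
    udp = ip[ihl:]
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", udp[:8])
    bootp = udp[8:]                           # fixed BOOTP header starts right after UDP
    op, htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", bootp[:12])
    return {
        "eth_dst": mac(pkt[0:6]), "eth_src": mac(pkt[6:12]), "ethertype": ethertype,
        "version": ip[0] >> 4, "ihl": ihl, "total_len": total_len,
        "captured_len": len(ip), "truncated": len(ip) < total_len,
        "ip_id": ip_id, "ttl": ttl, "proto": proto,
        "checksum_ok": ip_checksum_ok(ip[:ihl]),
        "src": ip4(ip[12:16]), "dst": ip4(ip[16:20]),
        "sport": sport, "dport": dport, "udp_len": udp_len, "udp_csum": udp_csum,
        "bootp_op": {1: "Request", 2: "Reply"}.get(op, "unknown(%d)" % op),
        "htype": "Ethernet" if htype == 1 else "type %d" % htype, "hlen": hlen,
        "xid": xid, "broadcast_flag": bool(flags & 0x8000),   # bit 15 of flags
    }

if __name__ == "__main__":
    for k, v in decode_frame(PACKET_HEX).items():
        print(f"{k:<15} {v}")
```

Source port 67 to destination port 68 with opcode Reply is a DHCP server answering a client; a firewall that logs it as "blocked" is simply dropping a broadcast it had no rule for.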

Peaches4U
August 27th, 2003, 11:13 PM
A little search on the source IP, came up with this info.

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
NetName: RESERVED-10
NetHandle: NET-10-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate:
Updated: 2002-09-12

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5

kja
August 28th, 2003, 03:43 AM
Thanks again CrazyM, and thanks for your info Peaches4U!

I can't find anything like the log you asked for, CrazyM. I can manually save the entries in the activity and warning logs whenever I want to, but they contain exactly the same information that I included in my first post. The only other log I saw was 08272003.log in McAfee\McAfee Firewall\Logs, and when I opened it with WordPad and Notepad, the whole document consisted of characters like this @ |} 2 E <@ % ֳÃ z, with this listed in between them DEVICE\{2B4F3A5E-284D-4BAC-8608-127CA3F08F6A}___'_Intel(R) PRO/100 VE Network Connection. I looked through all the McAfee folders and that's all that I saw.

By the way, could you, or anyone else who'd like to, recommend a good antivirus and firewall? Something strong enough to do a good job, but easy enough for a non-technical person to use it. I don't know if they all have this feature, but I'd like to find something where I can add IP addresses and/or ports to be blocked, if I wanted to.

Even though you said I probably didn't have anything to worry about, I decided I'd contact McAfee Tech Support via online chat last night. Huge mistake!! I spent 2 hours in the queue, and an hour talking to the first tech, who had me change some settings that locked up IE and knocked me out of chat. After restoring the settings and rebooting, I tried to contact them again. This time I was in the queue from 2-5 a.m., and then I spent another 2 hours with the second tech, who had me change all kinds of settings that didn't do anything to stop the 255.255.255.255 entries. At the end he finally said, Oh well, that's just normal firewall activity. He also said that my software might be corrupted because I wasn't getting any pop-up notifications, so I uninstalled and reinstalled everything. Now, I don't know if it's because of something he had me do, but when I run security scans, they show that port 1025 is open, when it was stealthed before. Can you tell me how I might be able to fix that? Needless to say, I'm now in the market for another brand of security software. Any advice or suggestions would be appreciated!

Thanks,
Karin

CrazyM
August 29th, 2003, 06:42 AM
Hi Karin

-{ Quote: kja: "The only other log I saw was 08272003.log in McAfee\McAfee Firewall\Logs, and when I opened it with WordPad and Notepad, the whole document consisted of characters like this @ |} 2 E <@ % ֳÃ z, with this listed in between them DEVICE\{2B4F3A5E-284D-4BAC-8608-127CA3F08F6A}___'_Intel(R) PRO/100 VE Network Connection. I looked through all the McAfee folders and that's all that I saw." }-

Well that is the type of log file I was hoping you would find. Is there an option in your firewall to view that log file so it will display properly, or just the option you mentioned? I was hoping you would find something formatted along the lines of this: (using your entry above as an example)
2003/08/26, 11:47:28, GMT -0700, Device 2, Blocked incoming UDP packet (no matching rule), src=10.40.224.01, dst=255.255.255.255, sport=67, dport=68

-{ Quote: kja: "Even though you said I probably didn't have anything to worry about, I decided I'd contact McAfee Tech Support via online chat last night. Huge mistake!!" }-

Yes, tech support can be fun at times ::).

-{ Quote: kja: "At the end he finally said, Oh well, that's just normal firewall activity." }-

Referring to the alert we have been discussing, it is normal to see these types of entries and they are nothing to worry about. With some cable connections, you will see a lot of this cr@p, or what some refer to as internet noise, by virtue of how some cable networks work. This in addition to the blocked connection attempts, scans, worms, etc., well that's why we have firewalls ;).

-{ Quote: kja: "Now, I don't know if it's because of something he had me do, but when I run security scans, they show that port 1025 is open, when it was stealthed before. Can you tell me how I might be able to fix that?" }-

Has your rule set changed at all? Might want to check your rules for any allowing inbound connections. Without seeing your rules we could only speculate at this point. Is there a convenient way with McAfee to post your rule set? (screenshot, text output)

-{ Quote: kja: "Needless to say, I'm now in the market for another brand of security software. Any advice or suggestions would be appreciated!" }-

Unless you are completely unsatisfied, no need to jump ship just yet. We might be able to sort things out. There are lots of good alternatives if it should get to that.

Regards,

CrazyM

CrazyM
August 29th, 2003, 08:49 AM
Hi Karin

Further to your port 1025 issue, you might want to take a look at the following post in the McAfee forums. In particular the one near the bottom by "burog25c" and see if that rule modification would be applicable to you.

http://forums.mcafeehelp.com/viewtopic.php?t=13214

Regards,

CrazyM

museheart
September 1st, 2003, 07:55 PM
-{ Quote: Peaches4U: "A little search on the source IP, came up with this info.

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
NetName: RESERVED-10
NetHandle: NET-10-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate:
Updated: 2002-09-12

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5
" }-

I get this all the time. What does this blackhole mean?

I hate all this configuring! Can't something just be easy for people who are not programmers?

BlitzenZeus
September 1st, 2003, 09:11 PM
Addresses like this are not used beyond local configurations, like running a LAN. Nobody can enter your network from the internet by targeting your 10.x address as it will lead nowhere, aka a blackhole.

Terms like blackhole are used since it also has another meaning elsewhere, like blackholes in space, and it's usually only people who deal with networking that have to deal with things of this nature. It's also so they don't have to write a paragraph about everything on every page, and can list information in a simple manner when you understand the terminology.

Peaches4U
September 1st, 2003, 09:44 PM
Hope the following will give some insight to some of the questions posed here:

Re Firewalls: Here is an URL for firewall reviews. It might help.

http://www.firewallguide.com/software.htm

Here is an URL for a personal firewall scoreboard:

http://grc.com/lt/scoreboard.htm

I have ZoneAlarm Pro and can configure it to block certain ports, etc. Actually, it blocks ports very nicely with the default configuration, which is recommended for newbies to the software.

Visit the following site to see what nasties are trying to enter Port 1025 along with a whole list of other Ports.

http://www.simovits.com/nyheter9902.html

Happy reading ... ;D

museheart
September 2nd, 2003, 01:50 PM
-{ Quote: BlitzenZeus: "Addresses like this are not used beyond local configurations, like running a LAN. Nobody can enter your network from the internet by targeting your 10.x address as it will lead nowhere, aka a blackhole.

Terms like blackhole are used since it also has another meaning elsewhere, like blackholes in space, and it's usually only people who deal with networking that have to deal with things of this nature. It's also so they don't have to write a paragraph about everything on every page, and can list information in a simple manner when you understand the terminology.
" }-

Oh. ::)

Sorry I put you through that. But thanks. :)