Hi, on a fresh new Win 10 build I am seeing a strange new 'ping' method. It seems to be spoofing DNS queries and generating return packets from TCP 469669 and up. I don't have anything listening at that address and up. The address the packet is returning to is a hacker address which I have blocked, and it is showing up in my logs. Anybody have any clue as to how this works?
I'm not sure what you're encountering, or how you've determined a remote IP to be a "hacker", but that isn't a valid port.
Can you confirm that's a typo? Because there's no such port. Ports go from 1 to 65535. You can simply block ICMP messages in Windows Firewall.
The remote IP is from my ISP's DSL client IP network. The ISP is a residential ISP business. Here is the firewall log.

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-04-18 01:20:41 ALLOW 2 127.0.0.1 224.0.0.22 - - 0 - - - - - - - SEND
2016-04-18 03:25:39 ALLOW UDP 192.168.0.150 8.8.4.4 52731 53 0 - - - - - - - SEND
2016-04-18 03:25:39 DROP TCP 192.168.0.150 206.248.168.139 49669 80 0 - 0 0 0 - - - SEND
2016-04-18 03:25:39 DROP TCP 192.168.0.150 206.248.168.160 49670 80 0 - 0 0 0 - - - SEND
2016-04-18 03:25:42 DROP UDP 192.168.0.150 8.8.4.4 52674 53 0 - - - - - - - SEND
2016-04-18 03:25:43 DROP UDP 192.168.0.150 8.8.8.8 52674 53 0 - - - - - - - SEND
2016-04-18 03:25:43 DROP UDP 192.168.0.150 8.8.4.4 62571 53 0 - - - - - - - SEND
2016-04-18 03:25:44 DROP UDP 192.168.0.150 8.8.8.8 52674 53 0 - - - - - - - SEND
2016-04-18 03:25:44 DROP UDP 192.168.0.150 8.8.8.8 62571 53 0 - - - - - - - SEND
2016-04-18 03:25:45 DROP UDP 192.168.0.150 8.8.8.8 62571 53 0 - - - - - - - SEND
2016-04-18 03:25:45 DROP UDP 192.168.0.150 8.8.4.4 59655 53 0 - - - - - - - SEND
2016-04-18 03:25:46 DROP UDP 192.168.0.150 8.8.4.4 52674 53 0 - - - - - - - SEND
2016-04-18 03:25:46 DROP UDP 192.168.0.150 8.8.8.8 52674 53 0 - - - - - - - SEND
2016-04-18 03:25:46 DROP UDP 192.168.0.150 8.8.8.8 59655 53 0 - - - - - - - SEND
2016-04-18 03:25:47 DROP UDP 192.168.0.150 8.8.4.4 62571 53 0 - - - - - - - SEND
2016-04-18 03:25:47 DROP UDP 192.168.0.150 8.8.8.8 62571 53 0 - - - - - - - SEND
2016-04-18 03:25:47 DROP UDP 192.168.0.150 8.8.8.8 59655 53 0 - - - - - - - SEND
2016-04-18 03:25:49 DROP UDP 192.168.0.150 8.8.4.4 59655 53 0 - - - - - - - SEND
2016-04-18 03:25:49 DROP UDP 192.168.0.150 8.8.8.8 59655 53 0 - - - - - - - SEND
2016-04-18 03:25:50 DROP UDP 192.168.0.150 8.8.4.4 52674 53 0 - - - - - - - SEND
2016-04-18 03:25:50 DROP UDP 192.168.0.150 8.8.8.8 52674 53 0 - - - - - - - SEND
2016-04-18 03:25:51 DROP UDP 192.168.0.150 8.8.4.4 62571 53 0 - - - - - - - SEND
2016-04-18 03:25:51 DROP UDP 192.168.0.150 8.8.8.8 62571 53 0 - - - - - - - SEND
2016-04-18 03:25:53 DROP UDP 192.168.0.150 8.8.4.4 59655 53 0 - - - - - - - SEND
2016-04-18 03:25:53 DROP UDP 192.168.0.150 8.8.8.8 59655 53 0 - - - - - - - SEND
2016-04-18 03:26:51 ALLOW UDP 192.168.0.150 8.8.4.4 52611 53 0 - - - - - - - SEND
2016-04-18 03:26:51 DROP TCP 192.168.0.150 206.248.168.160 49671 80 0 - 0 0 0 - - - SEND
2016-04-18 03:26:51 DROP TCP 192.168.0.150 206.248.168.139 49672 80 0 - 0 0 0 - - - SEND
2016-04-18 03:26:56 DROP UDP 192.168.0.150 8.8.4.4 63881 53 0 - - - - - - - SEND
2016-04-18 03:26:57 DROP UDP 192.168.0.150 8.8.8.8 63881 53 0 - - - - - - - SEND
2016-04-18 03:26:58 DROP UDP 192.168.0.150 8.8.8.8 63881 53 0 - - - - - - - SEND
2016-04-18 03:27:00 DROP UDP 192.168.0.150 8.8.4.4 63881 53 0 - - - - - - - SEND
2016-04-18 03:27:00 DROP UDP 192.168.0.150 8.8.8.8 63881 53 0 - - - - - - - SEND
2016-04-18 03:27:04 DROP UDP 192.168.0.150 8.8.4.4 63881 53 0 - - - - - - - SEND
2016-04-18 03:27:04 DROP UDP 192.168.0.150 8.8.8.8 63881 53 0 - - - - - - - SEND
2016-04-18 03:27:23 DROP UDP 192.168.0.150 8.8.4.4 60991 53 0 - - - - - - - SEND
2016-04-18 03:27:24 DROP UDP 192.168.0.150 8.8.8.8 60991 53 0 - - - - - - - SEND
2016-04-18 03:27:25 DROP UDP 192.168.0.150 8.8.8.8 60991 53 0 - - - - - - - SEND
2016-04-18 03:27:27 DROP UDP 192.168.0.150 8.8.4.4 60991 53 0 - - - - - - - SEND
2016-04-18 03:27:27 DROP UDP 192.168.0.150 8.8.8.8 60991 53 0 - - - - - - - SEND
2016-04-18 03:27:31 DROP UDP 192.168.0.150 8.8.4.4 60991 53 0 - - - - - - - SEND
2016-04-18 03:27:31 DROP UDP 192.168.0.150 8.8.8.8 60991 53 0 - - - - - - - SEND
2016-04-18 03:28:08 DROP UDP 192.168.0.150 8.8.4.4 60959 53 0 - - - - - - - SEND
2016-04-18 03:28:09 DROP UDP 192.168.0.150 8.8.8.8 60959 53 0 - - - - - - - SEND
2016-04-18 03:28:10 DROP UDP 192.168.0.150 8.8.8.8 60959 53 0 - - - - - - - SEND
2016-04-18 03:28:12 DROP UDP 192.168.0.150 8.8.4.4 60959 53 0 - - - - - - - SEND
127.0.0.1 is doing some sort of lookup/broadcast on your LAN that your box does all the time since it has nothing better to do. 206.248.168.x seems to be something called TekSavvy Solutions, your ISP maybe, or possibly an Akamai web server your computer wants to contact by HTTP (port 80), likely Microsoft looking for stuff to push to your computer. Your box also seems to be requesting something (likely that Akamai server) and does a DNS lookup via Google's server (8.8.x.x, port 53). I don't see any pings in that log, not one ICMP packet. And all I see are outbounds which are being blocked. There's no incoming anything.
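The checks the reply above performs by eye (no RECEIVE entries, no ICMP, only outbound drops to the DNS resolvers and the 206.248.168.x web servers, source ports that are ordinary Windows ephemeral ports) can be automated over the log format quoted in the thread. The following Python parser is an added example, not code from any of the posters; it assumes the W3C extended format that Windows Firewall writes to pfirewall.log, with the column names taken from the log's own #Fields header, and it maps the numeric protocol values the log sometimes prints (1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP) to names. The sample entries are a constructed subset of the posted log. The ephemeral port range 49152-65535 is the Windows default dynamic client port range, which is where 49669 and the other source ports in the log fall, and why 469669 cannot be a port at all.

```python
"""Parse a Windows Firewall log (pfirewall.log, W3C extended format) and
summarize it. Added example for the thread above, not code from the posters."""
from collections import Counter

# Constructed sample: a subset of the entries posted in the thread above.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-04-18 01:20:41 ALLOW 2 127.0.0.1 224.0.0.22 - - 0 - - - - - - - SEND
2016-04-18 03:25:39 ALLOW UDP 192.168.0.150 8.8.4.4 52731 53 0 - - - - - - - SEND
2016-04-18 03:25:39 DROP TCP 192.168.0.150 206.248.168.139 49669 80 0 - 0 0 0 - - - SEND
2016-04-18 03:25:39 DROP TCP 192.168.0.150 206.248.168.160 49670 80 0 - 0 0 0 - - - SEND
2016-04-18 03:25:42 DROP UDP 192.168.0.150 8.8.4.4 52674 53 0 - - - - - - - SEND
2016-04-18 03:25:43 DROP UDP 192.168.0.150 8.8.8.8 52674 53 0 - - - - - - - SEND
2016-04-18 03:25:43 DROP UDP 192.168.0.150 8.8.4.4 62571 53 0 - - - - - - - SEND
2016-04-18 03:25:44 DROP UDP 192.168.0.150 8.8.8.8 52674 53 0 - - - - - - - SEND
"""

# Default dynamic (ephemeral) client port range on Windows Vista and later.
EPHEMERAL_PORTS = range(49152, 65536)

# IP protocol numbers the log prints numerically when it has no name for them.
PROTOCOL_NAMES = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}


def parse_firewall_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other header directives (#Version, #Software, ...)
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line}")
        rec = dict(zip(fields, values))
        rec["protocol"] = PROTOCOL_NAMES.get(rec["protocol"], rec["protocol"])
        records.append(rec)
    return records


def is_valid_port(value):
    """True for a 16-bit port number (0-65535) or '-' meaning no port (e.g. IGMP)."""
    return value == "-" or (value.isdigit() and int(value) <= 65535)


def summarize(records):
    """Answer the questions the thread asks of the log."""
    summary = {
        "total": len(records),
        "inbound": 0,                    # path == RECEIVE
        "icmp": 0,                       # any ICMP entry would be a real "ping"
        "invalid_ports": [],             # anything outside 0-65535
        "dropped_outbound": Counter(),   # (protocol, dst-ip, dst-port) -> count
        "unusual_src_ports": Counter(),  # TCP/UDP source ports outside the ephemeral range
    }
    for r in records:
        if r["path"] == "RECEIVE":
            summary["inbound"] += 1
        if r["protocol"] == "ICMP" or r["icmptype"] != "-":
            summary["icmp"] += 1
        for key in ("src-port", "dst-port"):
            if not is_valid_port(r[key]):
                summary["invalid_ports"].append(r[key])
        if r["action"] == "DROP" and r["path"] == "SEND":
            summary["dropped_outbound"][(r["protocol"], r["dst-ip"], r["dst-port"])] += 1
        if (r["protocol"] in ("TCP", "UDP") and r["src-port"].isdigit()
                and int(r["src-port"]) not in EPHEMERAL_PORTS):
            summary["unusual_src_ports"][r["src-port"]] += 1
    return summary


if __name__ == "__main__":
    s = summarize(parse_firewall_log(SAMPLE_LOG))
    print(f"{s['total']} entries, {s['inbound']} inbound, {s['icmp']} ICMP")
    for (proto, ip, port), n in s["dropped_outbound"].most_common():
        print(f"  DROP outbound {proto} -> {ip}:{port}  x{n}")
    print("ports outside 0-65535:", s["invalid_ports"] or "none")
    print("non-ephemeral source ports:", dict(s["unusual_src_ports"]) or "none")
    print("469669 valid port?", is_valid_port("469669"))
```

Run against the full log from the thread (read the file instead of SAMPLE_LOG), the same summary comes out: zero RECEIVE entries, zero ICMP, every drop is an outbound SEND to 8.8.8.8/8.8.4.4:53 or 206.248.168.x:80, and every TCP/UDP source port lies in the ephemeral range. The one non-TCP/UDP line is IGMP (protocol 2) to 224.0.0.22, the IGMPv3 membership-report multicast address, which is normal LAN housekeeping rather than a lookup of anything.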