Invalid address in IP packet

Discussion in 'ESET Smart Security' started by patch, Sep 23, 2008.

Thread Status:
Not open for further replies.
  1. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    This rule is incorrectly blocking my communication.
    Source 10.1.13.255 Target My_computer_IP Port TCP
    Does anyone know how to disable this without completely disabling the firewall?

    I suspect a rule to block IP addresses ending in .255 was added to ESET on 23/9/2008, as I had no problem in the past & that is what my log shows.

    My setup is slightly non-standard, which I suspect may be the problem.
    My ISP allows un-metered access within the local exchange over a second PVC connection. They refer to it as Community Net http://www.adam.com.au/communitynet/

    So I have configured my Billion 7402VGP router to have a second PVC. As such I have 2 IP addresses and communicate over 2 subnet address ranges.
    My main WAN connection has
    IP Address 219.90.x.x range with
    Subnet Mask 255.255.255.255

    In contrast my free local exchange connection is configured as
    Description: RFC 1483 routed mode
    VPI: 8
    VCI: 36
    ATM Class: UBR
    NAT: Enable
    Encapsulation Method: LLC Bridged

    Resulting in
    My IP Address 10.1.14.249
    Subnet Mask 255.255.240.0

    So the 10.1.13.255 is a valid Community Net address.
    Disabling the firewall ensures my second connection works again.
    Connections to other Community Net addresses appear to work with the firewall on.
     
    Last edited: Sep 23, 2008
  2. MysticG

    MysticG Registered Member

    Joined:
    Apr 22, 2008
    Posts:
    19
    I've been getting a bunch of those logs today. I dunno if it was an update or the internetz is just blowing up for the time being.
     
  3. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    Now getting lots of different log entries.
    System seems rather flaky.
    Anyone else with similar problems?
    Code:
    24/09/2008 2:02:29 PM	Invalid address in IP packet	10.1.13.255	192.168.1.20	TCP			
    24/09/2008 2:02:23 PM	Invalid address in IP packet	10.1.13.255	192.168.1.20	TCP			
    24/09/2008 2:02:20 PM	Invalid address in IP packet	10.1.13.255	192.168.1.20	TCP			
    24/09/2008 1:58:31 PM	Packet blocked by active defense (IDS)	192.168.1.20:1312	203.47.49.21:80	TCP			
    24/09/2008 1:58:31 PM	Packet blocked by active defense (IDS)	192.168.1.20:1304	203.47.49.21:80	TCP			
    24/09/2008 1:35:16 PM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP			
    24/09/2008 1:35:15 PM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP			
    24/09/2008 1:33:56 PM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP			
    24/09/2008 1:33:56 PM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP			
    24/09/2008 1:33:27 PM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP			
    24/09/2008 1:33:27 PM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP			
    24/09/2008 1:32:53 PM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP			
    24/09/2008 1:32:53 PM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP			
    24/09/2008 1:29:58 PM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP			
    24/09/2008 1:29:45 PM	Packet blocked by active defense (IDS)	74.125.19.166:80	192.168.1.20:1206	TCP			
    24/09/2008 1:29:40 PM	Packet blocked by active defense (IDS)	74.125.19.166:80	192.168.1.20:1206	TCP			
    24/09/2008 1:29:38 PM	Packet blocked by active defense (IDS)	74.125.19.166:80	192.168.1.20:1206	TCP			
    24/09/2008 1:29:37 PM	Packet blocked by active defense (IDS)	74.125.19.166:80	192.168.1.20:1206	TCP			
    24/09/2008 1:29:36 PM	Packet blocked by active defense (IDS)	74.125.19.166:80	192.168.1.20:1206	TCP			
    24/09/2008 1:12:17 PM	Packet blocked by active defense (IDS)	192.168.1.20:1168	74.125.15.80:80	TCP			
    24/09/2008 1:10:41 PM	Packet blocked by active defense (IDS)	192.168.1.20:1168	74.125.15.80:80	TCP			
    24/09/2008 1:03:59 PM	No application listening on the port	192.168.1.254:53	192.168.1.20:61123	UDP			
    24/09/2008 1:03:56 PM	No application listening on the port	192.168.1.254:53	192.168.1.20:63748	UDP			
    24/09/2008 1:03:44 PM	Packet blocked by active defense (IDS)	66.29.81.61:80	192.168.1.20:1054	TCP			
    24/09/2008 1:01:32 PM	Invalid address in IP packet	10.1.13.255	192.168.1.20	TCP			
    24/09/2008 1:01:26 PM	Invalid address in IP packet	10.1.13.255	192.168.1.20	TCP			
    24/09/2008 1:01:24 PM	Invalid address in IP packet	10.1.13.255	192.168.1.20	TCP			
    24/09/2008 1:00:12 PM	Communication denied by rule	127.0.0.1:1029	239.255.255.250:1900	UDP	Block outgoing SSDP (UPNP) requests	C:\WINDOWS\system32\svchost.exe	NT AUTHORITY\SYSTEM
    24/09/2008 1:00:12 PM	Communication denied by rule	127.0.0.1:1029	239.255.255.250:1900	UDP	Block outgoing SSDP (UPNP) requests	C:\WINDOWS\system32\svchost.exe	NT AUTHORITY\SYSTEM
    24/09/2008 1:00:12 PM	Communication denied by rule	192.168.1.20:1028	239.255.255.250:1900	UDP	Block outgoing SSDP (UPNP) requests	C:\WINDOWS\system32\svchost.exe	NT AUTHORITY\SYSTEM
    24/09/2008 1:00:12 PM	Communication denied by rule	192.168.1.20:1028	239.255.255.250:1900	UDP	Block outgoing SSDP (UPNP) requests	C:\WINDOWS\system32\svchost.exe	NT AUTHORITY\SYSTEM
     
  4. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    Looks like I need to thank someone at ESET

    10.1.13.255 is now being treated as a valid address
    And the old event log entries "Invalid address in IP packet" are showing as "Unknown code 00010009"
    Also "No application listening on the port" has become "Unknown code 00020002"
    And "Packet blocked by active defense (IDS)" has become "Unknown code 00058800"

    But more importantly my system appears to be returning to normal function :D
    Which suggests ESET have been working on this today and fixed something.
     
  5. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    Just to update.
    My ISP have modified their system so x.x.x.255 or x.x.x.0 do not occur.
    They were however clear that these were valid addresses. http://forums.whirlpool.net.au/forum-replies.cfm?t=1057636

    Also
    Since the ESET update / reversion to the old firewall, ESS has worked correctly for me with no further false detection on my Windows XP machine.
    Windows 2000 machines continue to falsely detect "DNS poison attack detection" if this option is enabled.
    For further discussion see
    https://www.wilderssecurity.com/showthread.php?t=208072
    https://www.wilderssecurity.com/showthread.php?p=1239069
    https://www.wilderssecurity.com/showthread.php?t=208684
     
    Last edited: Sep 26, 2008
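
Added example, not part of any post in this thread and not ESET's code: it checks the addressing point raised above by classifying log source addresses against the interface's real subnet mask (10.1.14.249 / 255.255.240.0 from the first post) and comparing that with a last-octet test. The function names and the last-octet heuristic are assumptions made for illustration; the thread does not show what rule the firewall actually applied.

```python
import ipaddress

# Second-PVC interface from the first post: 10.1.14.249, mask 255.255.240.0.
IFACE = ipaddress.ip_interface("10.1.14.249/255.255.240.0")

# Three entries copied from the log posted in the thread (tab-separated).
SAMPLE_LOG = (
    "24/09/2008 2:02:29 PM\tInvalid address in IP packet\t10.1.13.255\t192.168.1.20\tTCP\n"
    "24/09/2008 1:35:16 PM\tNo application listening on the port\t0.0.0.0:68\t255.255.255.255:67\tUDP\n"
    "24/09/2008 1:29:45 PM\tPacket blocked by active defense (IDS)\t74.125.19.166:80\t192.168.1.20:1206\tTCP\n"
)

def naive_is_broadcast(addr):
    """Hypothetical last-octet heuristic; only correct when the subnet is a /24."""
    return int(addr) & 0xFF == 0xFF

def classify_source(addr, network):
    """Classify a source address against the real mask of the on-link network."""
    if addr.is_unspecified:
        return "unspecified"
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "limited-broadcast"
    if addr not in network:
        return "off-link"
    # /31 (RFC 3021) and /32 links have no separate network or broadcast address.
    if network.prefixlen < 31:
        if addr == network.broadcast_address:
            return "directed-broadcast"
        if addr == network.network_address:
            return "network-address"
    return "on-link-host"

def review(log, network):
    """Return (source, naive verdict, subnet-aware class) for each log line."""
    rows = []
    for line in log.splitlines():
        fields = line.split("\t")
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        src = ipaddress.IPv4Address(fields[2].split(":")[0])  # drop any :port suffix
        rows.append((str(src), naive_is_broadcast(src), classify_source(src, network)))
    return rows

if __name__ == "__main__":
    print(IFACE.network, "broadcast:", IFACE.network.broadcast_address)
    for row in review(SAMPLE_LOG, IFACE.network):
        print(row)
```

With this mask the network is 10.1.0.0/20 and its only directed-broadcast address is 10.1.15.255, so 10.1.13.255 is an ordinary host address even though its last octet is 255.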