new 'ping' method

Discussion in 'other firewalls' started by lunarlander, Apr 18, 2016.

  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi,

    On a fresh new Win 10 build, I am seeing a strange new 'ping' method. It seems to be spoofing DNS queries and generating return packets from TCP 469669 and up. I don't have anything listening at that address and up.

    The address the packet is returning to is a hacker address which I have blocked, and it is showing up in my logs.

    Anybody have any clue as to how this works?
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I'm not sure what you're encountering, or how you've determined a remote IP to be a "hacker", but that isn't a valid port.
     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    Can you confirm that's a typo? Because there's no such port.
    Ports go from 1 to 65535.

    You can simply block ICMP messages in Windows Firewall :)
     
  4. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Sorry, typo.

    it is TCP 49669
     
  5. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    The remote IP is from my ISP's DSL client IP network. The ISP is a residential ISP business.

    Here is the firewall log.

    #Version: 1.5
    #Software: Microsoft Windows Firewall
    #Time Format: Local
    #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

    2016-04-18 01:20:41 ALLOW 2 127.0.0.1 224.0.0.22 - - 0 - - - - - - - SEND
    2016-04-18 03:25:39 ALLOW UDP 192.168.0.150 8.8.4.4 52731 53 0 - - - - - - - SEND
    2016-04-18 03:25:39 DROP TCP 192.168.0.150 206.248.168.139 49669 80 0 - 0 0 0 - - - SEND
    2016-04-18 03:25:39 DROP TCP 192.168.0.150 206.248.168.160 49670 80 0 - 0 0 0 - - - SEND
    2016-04-18 03:25:42 DROP UDP 192.168.0.150 8.8.4.4 52674 53 0 - - - - - - - SEND
    2016-04-18 03:25:43 DROP UDP 192.168.0.150 8.8.8.8 52674 53 0 - - - - - - - SEND
    2016-04-18 03:25:43 DROP UDP 192.168.0.150 8.8.4.4 62571 53 0 - - - - - - - SEND
    2016-04-18 03:25:44 DROP UDP 192.168.0.150 8.8.8.8 52674 53 0 - - - - - - - SEND
    2016-04-18 03:25:44 DROP UDP 192.168.0.150 8.8.8.8 62571 53 0 - - - - - - - SEND
    2016-04-18 03:25:45 DROP UDP 192.168.0.150 8.8.8.8 62571 53 0 - - - - - - - SEND
    2016-04-18 03:25:45 DROP UDP 192.168.0.150 8.8.4.4 59655 53 0 - - - - - - - SEND
    2016-04-18 03:25:46 DROP UDP 192.168.0.150 8.8.4.4 52674 53 0 - - - - - - - SEND
    2016-04-18 03:25:46 DROP UDP 192.168.0.150 8.8.8.8 52674 53 0 - - - - - - - SEND
    2016-04-18 03:25:46 DROP UDP 192.168.0.150 8.8.8.8 59655 53 0 - - - - - - - SEND
    2016-04-18 03:25:47 DROP UDP 192.168.0.150 8.8.4.4 62571 53 0 - - - - - - - SEND
    2016-04-18 03:25:47 DROP UDP 192.168.0.150 8.8.8.8 62571 53 0 - - - - - - - SEND
    2016-04-18 03:25:47 DROP UDP 192.168.0.150 8.8.8.8 59655 53 0 - - - - - - - SEND
    2016-04-18 03:25:49 DROP UDP 192.168.0.150 8.8.4.4 59655 53 0 - - - - - - - SEND
    2016-04-18 03:25:49 DROP UDP 192.168.0.150 8.8.8.8 59655 53 0 - - - - - - - SEND
    2016-04-18 03:25:50 DROP UDP 192.168.0.150 8.8.4.4 52674 53 0 - - - - - - - SEND
    2016-04-18 03:25:50 DROP UDP 192.168.0.150 8.8.8.8 52674 53 0 - - - - - - - SEND
    2016-04-18 03:25:51 DROP UDP 192.168.0.150 8.8.4.4 62571 53 0 - - - - - - - SEND
    2016-04-18 03:25:51 DROP UDP 192.168.0.150 8.8.8.8 62571 53 0 - - - - - - - SEND
    2016-04-18 03:25:53 DROP UDP 192.168.0.150 8.8.4.4 59655 53 0 - - - - - - - SEND
    2016-04-18 03:25:53 DROP UDP 192.168.0.150 8.8.8.8 59655 53 0 - - - - - - - SEND
    2016-04-18 03:26:51 ALLOW UDP 192.168.0.150 8.8.4.4 52611 53 0 - - - - - - - SEND
    2016-04-18 03:26:51 DROP TCP 192.168.0.150 206.248.168.160 49671 80 0 - 0 0 0 - - - SEND
    2016-04-18 03:26:51 DROP TCP 192.168.0.150 206.248.168.139 49672 80 0 - 0 0 0 - - - SEND
    2016-04-18 03:26:56 DROP UDP 192.168.0.150 8.8.4.4 63881 53 0 - - - - - - - SEND
    2016-04-18 03:26:57 DROP UDP 192.168.0.150 8.8.8.8 63881 53 0 - - - - - - - SEND
    2016-04-18 03:26:58 DROP UDP 192.168.0.150 8.8.8.8 63881 53 0 - - - - - - - SEND
    2016-04-18 03:27:00 DROP UDP 192.168.0.150 8.8.4.4 63881 53 0 - - - - - - - SEND
    2016-04-18 03:27:00 DROP UDP 192.168.0.150 8.8.8.8 63881 53 0 - - - - - - - SEND
    2016-04-18 03:27:04 DROP UDP 192.168.0.150 8.8.4.4 63881 53 0 - - - - - - - SEND
    2016-04-18 03:27:04 DROP UDP 192.168.0.150 8.8.8.8 63881 53 0 - - - - - - - SEND
    2016-04-18 03:27:23 DROP UDP 192.168.0.150 8.8.4.4 60991 53 0 - - - - - - - SEND
    2016-04-18 03:27:24 DROP UDP 192.168.0.150 8.8.8.8 60991 53 0 - - - - - - - SEND
    2016-04-18 03:27:25 DROP UDP 192.168.0.150 8.8.8.8 60991 53 0 - - - - - - - SEND
    2016-04-18 03:27:27 DROP UDP 192.168.0.150 8.8.4.4 60991 53 0 - - - - - - - SEND
    2016-04-18 03:27:27 DROP UDP 192.168.0.150 8.8.8.8 60991 53 0 - - - - - - - SEND
    2016-04-18 03:27:31 DROP UDP 192.168.0.150 8.8.4.4 60991 53 0 - - - - - - - SEND
    2016-04-18 03:27:31 DROP UDP 192.168.0.150 8.8.8.8 60991 53 0 - - - - - - - SEND
    2016-04-18 03:28:08 DROP UDP 192.168.0.150 8.8.4.4 60959 53 0 - - - - - - - SEND
    2016-04-18 03:28:09 DROP UDP 192.168.0.150 8.8.8.8 60959 53 0 - - - - - - - SEND
    2016-04-18 03:28:10 DROP UDP 192.168.0.150 8.8.8.8 60959 53 0 - - - - - - - SEND
    2016-04-18 03:28:12 DROP UDP 192.168.0.150 8.8.4.4 60959 53 0 - - - - - - - SEND
     
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    127.0.0.1 is doing some sort of lookup/broadcast on your LAN; your box is doing that all the time since it has nothing better to do.
    206.248.168.x seems to be something called TekSavvy Solutions of your ISP maybe, or possibly an Akamai web server your computer wants to contact by HTTP (port 80) - likely Microsoft looking for stuff to push to your computer.
    Your box also seems to be requesting something (likely that Akamai server) and does DNS lookup via Google's server (8.8.x.x, port 53).
    I don't see any pings in that log, not one ICMP packet.
    And all I see are outbounds which are being blocked. There's no incoming anything.
     
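The reading act8192 gives of the log above (every record is outbound, nothing is ICMP, and the high TCP port is the local end of an outbound connection rather than a listener) can be checked mechanically. The script below is an added example for this thread, not code posted by anyone in it: it parses the Windows Firewall log format using the `#Fields:` header to name the columns and summarises direction, drops and ICMP presence. The sample log is constructed to mirror the layout of the log in post 5 and uses RFC 5737 documentation addresses; the protocol-number mapping and the 49152-65535 dynamic port range are assumptions based on Windows defaults.

```python
"""Parser and summariser for Windows Firewall logs (pfirewall.log, W3C extended format).

Added example for this thread, not code posted by anyone in it. The sample
below is constructed to mirror the layout of the log in post 5; the hosts use
RFC 5737 documentation addresses rather than real ones.
"""
from collections import Counter

# Constructed sample log: same #Fields header and column layout as the thread's log.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2016-04-18 01:20:41 ALLOW 2 127.0.0.1 224.0.0.22 - - 0 - - - - - - - SEND
2016-04-18 03:25:39 ALLOW UDP 192.0.2.10 8.8.4.4 52731 53 0 - - - - - - - SEND
2016-04-18 03:25:39 DROP TCP 192.0.2.10 203.0.113.5 49669 80 0 - 0 0 0 - - - SEND
2016-04-18 03:25:42 DROP UDP 192.0.2.10 8.8.4.4 52674 53 0 - - - - - - - SEND
2016-04-18 03:25:43 DROP UDP 192.0.2.10 8.8.8.8 52674 53 0 - - - - - - - SEND
2016-04-18 03:26:00 DROP ICMP 203.0.113.9 192.0.2.10 - - 60 - - - - 8 0 - RECEIVE
2016-04-18 03:26:05 DROP TCP 203.0.113.9 192.0.2.10 40000 445 0 - 0 0 0 - - - RECEIVE
"""

# The log writes TCP/UDP/ICMP by name but other protocols by IANA number
# (the thread's "ALLOW 2 127.0.0.1 224.0.0.22" line is IGMP). Assumed mapping.
PROTOCOL_NUMBERS = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP", "58": "ICMPv6"}

# Default Windows dynamic (ephemeral) port range since Vista; assumption.
DYNAMIC_PORTS = range(49152, 65536)


def parse_firewall_log(text):
    """Return one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Version, #Software, ...) carry no records
        if fields is None:
            raise ValueError("record before #Fields header; cannot name columns")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["protocol"] = PROTOCOL_NUMBERS.get(rec["protocol"], rec["protocol"])
        records.append(rec)
    return records


def summarise(records):
    """Answer the questions raised in the thread: direction, what was dropped, any ICMP?"""
    dropped = [r for r in records if r["action"] == "DROP"]
    tcp_out = [r for r in records if r["protocol"] == "TCP" and r["path"] == "SEND"]
    return {
        # (action, protocol, direction) -> count; "path" is SEND (outbound) or RECEIVE (inbound)
        "by_action_proto_dir": Counter((r["action"], r["protocol"], r["path"]) for r in records),
        # Inbound drops are the only entries that reflect something reaching the host.
        "dropped_inbound": [(r["src-ip"], r["dst-port"], r["protocol"])
                            for r in dropped if r["path"] == "RECEIVE"],
        # Outbound drops: (remote host, remote port) the local machine tried to reach.
        "dropped_outbound_dst": Counter((r["dst-ip"], r["dst-port"])
                                        for r in dropped if r["path"] == "SEND"),
        # A ping would show up as ICMP with icmptype 8 (echo request) or 0 (echo reply).
        "icmp_count": sum(1 for r in records if r["protocol"].startswith("ICMP")),
        # On SEND records src-port is the local ephemeral port of an outbound
        # connection, not a service listening on the machine.
        "outbound_src_ports_are_ephemeral": all(int(r["src-port"]) in DYNAMIC_PORTS for r in tcp_out),
    }


if __name__ == "__main__":
    summary = summarise(parse_firewall_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Point `parse_firewall_log` at the contents of `%systemroot%\system32\LogFiles\Firewall\pfirewall.log` (the default location, assuming logging has been enabled) instead of the sample and the same summary applies; because the column names come from the `#Fields:` header rather than being hard-coded, the parser survives Microsoft adding or reordering columns in later versions.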
  7. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    I have asked Teksavvy, my ISP. They don't have any servers.
     