blocking incoming udp packets



JClark
07-08-08, 05:22 AM
Hello Group:

My system: Desktop and laptop networked through Linksys wired router.

Question: My software firewall (Deerfield Visnetic) is constantly
logging blocks of incoming udp packets, the source being 192.168.1.1
(which I presume is the router), destination being 255.255.255.255 or
192.168.1.255.

This doesn't seem to interfere with anything, but just watching the
constant bombardment in the logging screen is annoying.

Can anyone explain what is going on here? Or what, if anything, I can
or should do about it?

I can set the firewall to block and stop logging all udp packets which
do not have a specific rule. This eliminates the constant screen
filling. But I'm not sure if I should do this. I really don't
understand what is happening, which is why I'm asking for help.

I guess I'm just concerned that my system may not be tweaked properly
and could be wasting resources. Perhaps I should change something in
the router setup via the web based configuration program.

Here are a couple of the log entries, copied:

2008/07/08, 05:32:18.406, GMT -0400, 2010, Device 3,
Blocked incoming UDP packet (no matching rule),
src=192.168.1.1, dst=255.255.255.255, sport=520,
dport=520

2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3,
Blocked incoming UDP packet (no matching rule),
src=192.168.1.1, dst=192.168.1.255, sport=8385,
dport=162

Thanks for any explanations, links to sites to educate me, or
suggestions.

Jack

Ansgar -59cobalt- Wiechers
07-08-08, 07:52 AM
JClark <jclark@nomail.invalid> wrote:
> Here are a couple of the log entries, copied:
>
> 2008/07/08, 05:32:18.406, GMT -0400, 2010, Device 3,
> Blocked incoming UDP packet (no matching rule),
> src=192.168.1.1, dst=255.255.255.255, sport=520,
> dport=520

Seems to be a router broadcasting routing information.

> 2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3,
> Blocked incoming UDP packet (no matching rule),
> src=192.168.1.1, dst=192.168.1.255, sport=8385,
> dport=162

Seems to be a network device broadcasting SNMP messages on the local
network.

For further information you need to inspect the packets' contents with a
protocol analyzer (Wireshark, tcpdump, etc.).

Does your Linksys router have the IP address 192.168.1.1? Unless you
need RIP or SNMP on your LAN you should check your router's
configuration.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

VanguardLH
07-08-08, 08:32 AM
JClark wrote:

> Hello Group:
>
> My system: Desktop and laptop networked through Linksys wired router.
>
> Question: My software firewall (Deerfield Visnetic) is constantly
> logging blocks of incoming udp packets, the source being 192.168.1.1
> (which I presume is the router), destination being 255.255.255.255 or
> 192.168.1.255.
>
> This doesn't seem to interfere with anything, but just watching the
> constant bombardment in the logging screen is annoying.
>
> Can anyone explain what is going on here? Or what, if anything, I can
> or should do about it?
>
> I can set the firewall to block and stop logging all udp packets which
> do not have a specific rule. This eliminates the constant screen
> filling. But I'm not sure if I should do this. I really don't
> understand what is happening, which is why I'm asking for help.
>
> I guess I'm just concerned that my system may not be tweaked properly
> and could be wasting resources. Perhaps I should change something in
> the router setup via the web based configuration program.
>
> Here are a couple of the log entries, copied:
>
> 2008/07/08, 05:32:18.406, GMT -0400, 2010, Device 3,
> Blocked incoming UDP packet (no matching rule),
> src=192.168.1.1, dst=255.255.255.255, sport=520,
> dport=520
>
> 2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3,
> Blocked incoming UDP packet (no matching rule),
> src=192.168.1.1, dst=192.168.1.255, sport=8385,
> dport=162
>
> Thanks for any explanations, links to sites to educate me, or
> suggestions.

Is UPnP enabled in the router? Try disabling it or check that it is
disabled.

http://en.wikipedia.org/wiki/Upnp

JClark
07-08-08, 02:05 PM
On Tue, 8 Jul 2008 14:52:22 +0200 (CEST), Ansgar -59cobalt- Wiechers <usenet-2008@planetcobalt.net> wrote:

>Does your Linksys router have the IP address 192.168.1.1? Unless you
>need RIP or SNMP on your LAN you should check your router's
>configuration.

Yes, 192.168.1.1 is the router.
UPnP and SNMP are disabled.

I will try to investigate the packets as you suggest.

Thanks.

Jack

JClark
07-08-08, 02:07 PM
On Tue, 8 Jul 2008 08:32:58 -0500, VanguardLH <V@nguard.LH> wrote:

>Is UPnP enabled in the router? Try disabling it or check that it is
>disabled.

Yes, UPnP is disabled in the router.
I appreciate your help.
Still not getting a grasp of the overall situation.

Jack

VanguardLH
07-08-08, 04:00 PM
JClark wrote:

> VanguardLH wrote:
>
>> Is UPnP enabled in the router? Try disabling it or check that it is
>> disabled.
>
> Yes, UPnP is disabled in the router.

I'm wondering in "2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3"
as to what is "device 3". Might it be whatever is plugged into the port
numbered 3 on the router? If so, is that your host or another one? If
another one, try yanking the cable out of port #3 on the router to see
if it all quiets down.

JClark
07-08-08, 05:04 PM
On Tue, 8 Jul 2008 16:00:45 -0500, VanguardLH <V@nguard.LH> wrote:

>JClark wrote:
>
>> VanguardLH wrote:
>>
>>> Is UPnP enabled in the router? Try disabling it or check that it is
>>> disabled.
>>
>> Yes, UPnP is disabled in the router.
>
>I'm wondering in "2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3"
>as to what is "device 3". Might it be whatever is plugged into the port
>numbered 3 on the router? If so, is that your host or another one? If
>another one, try yanking the cable out of port #3 on the router to see
>if it all quiets down.

Hello VanguardLH,

The firewall (Deerfield Visnetic) recognizes and lists four devices or
"adapters".
#1 is labeled \DEVICE\NDISWANBH (? a WAN miniport)
#2 is labeled Dialup Adapter
#3 is labeled Local Area Connection
#4 is labeled Local Area Connection

(#3 and #4 correspond to two LAN connections on the motherboard, which
correspond to two networking adapters seen in Device Manager. Only the
one corresponding to Local Area Connection #3 on the firewall is being
used.)

I have configured the firewall to block everything on adapters #1
and #2 and #4.

The one I use is Device #3, LAN.

Returning to the original question, a summary, as I see it (not
necessarily correctly):

It seems the router is sending udp packets to 255.255.255.255 (both
source and destination ports = 520), or to 192.168.1.255 (source port
ranging from 7000 to 7259, and destination port 162).

I have no idea what this all means.

Again, I appreciate your help.

Jack

@lf
07-09-08, 02:35 AM
JClark wrote:
....
> It seems the router is sending udp packets to 255.255.255.255 (both
> source and destination ports = 520), or to 192.168.1.255 (source port
> ranging from 7000 to 7259, and destination port 162).

Ansgar already explained, but since you wrote

> I have no idea what this all means.

I will repeat one more time, and I will provide some links to
additional information.

That is broadcast[1]

UDP 520 is a port used by Routing Information Protocol (RIP) [2] and [3].

UDP 162 is a port used by Simple Network Management Protocol (SNMP) [4]
and [5]

IMO everything is OK. But to be sure, follow Ansgar's advice and inspect
the packet content; you can use, for example, Wireshark[6].

[1] http://en.wikipedia.org/wiki/Broadcast_address
[2] http://www.auditmypc.com/port/udp-port-520.asp
[3] http://en.wikipedia.org/wiki/Routing_Information_Protocol
[4] http://www.auditmypc.com/port/udp-port-162.asp
[5] http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
[6] http://www.wireshark.org/
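
As an added example (not part of any post in this thread), the Python sketch below parses firewall log entries in the wrapped format JClark posted and groups them by source and service, so the repeating RIP and SNMP-trap broadcasts collapse to one row each while other blocked traffic stays visible. The /24 netmask, the function names and the third log entry are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Entries as the firewall wraps them; the first two are the ones quoted in the
# thread, the third is constructed for illustration.
SAMPLE_LOG = """\
2008/07/08, 05:32:18.406, GMT -0400, 2010, Device 3,
Blocked incoming UDP packet (no matching rule),
src=192.168.1.1, dst=255.255.255.255, sport=520,
dport=520

2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3,
Blocked incoming UDP packet (no matching rule),
src=192.168.1.1, dst=192.168.1.255, sport=8385,
dport=162

2008/07/08, 05:41:02.100, GMT -0400, 2010, Device 3,
Blocked incoming UDP packet (no matching rule),
src=192.168.1.50, dst=192.168.1.10, sport=40000,
dport=9999
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed netmask for this LAN
SERVICES = {520: "RIP", 162: "SNMP trap"}     # the two ports named in the thread
FIELD = re.compile(r"\b(src|dst|sport|dport)=([\d.]+)")

def parse_entries(text):
    """Yield one dict per blank-line-separated (wrapped) log entry."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD.findall(" ".join(block.split())))
        if len(fields) == 4:  # skip anything that is not a complete entry
            yield fields

def classify(entry):
    """Return (kind, service): broadcast or unicast, and the service by dport."""
    dst = ipaddress.ip_address(entry["dst"])
    broadcast = dst == LAN.broadcast_address or str(dst) == "255.255.255.255"
    service = SERVICES.get(int(entry["dport"]), "unknown")
    return ("broadcast" if broadcast else "unicast", service)

def summarize(text):
    """Count entries per (src, kind, service) so repeats collapse to one row."""
    return Counter((e["src"],) + classify(e) for e in parse_entries(text))

if __name__ == "__main__":
    for (src, kind, service), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {src:15s} {kind:9s} {service}")
```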

JClark
07-09-08, 06:34 AM
On Wed, 09 Jul 2008 09:35:58 +0200, "@lf" <alf@lf.alf> wrote:

>JClark wrote:
>...
>> It seems the router is sending udp packets to 255.255.255.255 (both
>> source and destination ports = 520), or to 192.168.1.255 (source port
>> ranging from 7000 to 7259, and destination port 162).
>
>Ansgar already explained, but since you wrote
>
>> I have no idea what this all means.
>
>I will repeat one more time, and I will provide some links to
>additional information.
>
>That is broadcast[1]
>
>UDP 520 is a port used by Routing Information Protocol (RIP) [2] and [3].
>
>UDP 162 is a port used by Simple Network Management Protocol (SNMP) [4]
>and [5]
>
>IMO everything is OK. But to be sure, follow Ansgar's advice and inspect
>the packet content; you can use, for example, Wireshark[6].
>
>[1] http://en.wikipedia.org/wiki/Broadcast_address
>[2] http://www.auditmypc.com/port/udp-port-520.asp
>[3] http://en.wikipedia.org/wiki/Routing_Information_Protocol
>[4] http://www.auditmypc.com/port/udp-port-162.asp
>[5] http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
>[6] http://www.wireshark.org/

Many thanks! I will spend some time on the links you have provided and
perhaps become better informed.
I may also post something in the Linksys forum (presuming there is
one) to see if I have the router configured correctly.
Again, thanks.

Jack