new cust. getting weird UDP hits on firewall


bamabama
04-10-2006, 16:23
Firewall showing frequent (blocked) UDP access attempts coming from 10.247.4.1.bootps trying to reach local access point 255.255.255.255.bootpc.

ARIN tells me the 10. address is reserved for 'private internet' so I ASS-U-ME that the origin is actually NTL....

Anyone else seeing this ? or can shed some light on it ?

(If it is NTL I suspect it is DHCP related...)

Paul K
04-10-2006, 16:27
Are you letting your DHCP and DNS servers IP addresses through?

bamabama
04-10-2006, 16:36
That was quick - many thanks.

So you agree with the DHCP thing ?

I don't run DNS locally (on windows) - have a large hosts file and it slows down windows at first net access. no sweat as the remote service works.

I made no change to firewall rules when I went broadband. Just had to change the windows services setup to start DHCP service. I don't run all the windows services automatically. As the install went okay and I am on the network I have to take it that the DHCP 'connection' is working ! but then again I am not a network guy...

brundles
04-10-2006, 16:44
There are folks on here who know better than I, but that looks more like a general broadcast from a node somewhere in the NTL network rather than anything specifically directed at your PC.

More specifically a BootP Server - I thought these generally created a shed load of noise on LANs and were bad things to have unless they were in a restricted private LAN but hey, what do I know...

bamabama
04-10-2006, 17:59
You know more than I do !!

But why they go for UDP when it is deprecated and or closed off by so many....

Graham M
04-10-2006, 18:06
But why they go for UDP when it is deprecated and or closed off by so many....


Eh!? I hope not...

UDP is used by Streaming Media, VoIP, Online Games, and many more important parts of the internet that help it function!

bamabama
04-10-2006, 18:22
Yep. I should have gone in to more detail.

Several UDP ports need to be closed off/set correctly to avoid exposures.

Closing off UDP in general and then allowing (drilling through) individual ports with associated program pathing controls for specific application(s) is perfectly valid and a good method IMV.

AntiSilence
04-10-2006, 20:23
You know more than I do !!

But why they go for UDP when it is deprecated and or closed off by so many....

TCP is very expensive (in terms of resources/performance) as it has to maintain connections and make sure that data gets to where it's supposed to be, and in the correct order. UDP is connectionless and does not have the same overheads as TCP (but with down sides like packet loss unless controlled) and is used by a whole host of applications.

As an example, I play Spearhead and Call Of Duty online. The RCON (Remote CONsole) for controlling the server uses UDP.

---------- Post added at 19:23 ---------- Previous post was at 19:22 ----------

Yep. I should have gone in to more detail.

Several UDP ports need to be closed off/set correctly to avoid exposures.

Closing off UDP in general and then allowing (drilling through) individual ports with associated program pathing controls for specific application(s) is perfectly valid and a good method IMV.

Fair point also lol :tu:

Graham M
04-10-2006, 20:26
The RCON (Remote CONsole) for controlling the server uses UDP.

You'll probably find it's the same protocol as used for the game->game server transactions as well

AntiSilence
04-10-2006, 20:29
You'll probably find it's the same protocol as used for the game->game server transactions as well

I've never actually checked that before. I do know that EA Games use a code sequence at the beginning of the RCON command, otherwise the game server ignores it! I was making a Windows RCON app and I had to figure it out!

frumpy
27-04-2009, 17:10
Guys
1st post from me in this forum!

I too am seeing loads of hits from my cable modem, like every 0.5-10 seconds.

They are UDP traffic from my modem's IP on port 67 (bootps/DHCP server) to destination 255.255.255.255 destination port 68 (bootpc).

Can anyone say if this is a problem? I just today received a replacement modem from Virgin, it's doing exactly the same thing.

Also.... my neighbour does not see this problem on his network.

At this stage I don't know if it's related but I also suffer from sporadic wireless restarts.


thanks
Paul

Matth
28-04-2009, 23:37
Holy thread resurrection Batman!

And yes, it IS DHCP.

There are two modes of DHCP, the initial broadcast mode, where a system with no address broadcasts a request, and the DHCP server (or on most cable, the UBR private address acting as a DHCP proxy) responds by broadcast.

The second mode is renewal, directed to the DHCP server which is now known.

frumpy
29-04-2009, 17:28
Thanks for making me laugh. :)

All of the devices which connect through my router have a valid IP address, but I see this continual stream of requests all day every day.

How can I discover why this is happening?

thanks
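
Added example, not part of the thread: one way to see what the logged port 67 to port 68 broadcasts actually are is to capture one on the WAN side and decode its UDP payload, which shows the DHCP message type and the client hardware address the reply is meant for. The function names and the sample packet are constructed for illustration; 10.247.4.1 is the address from the first post, used here as the relay address.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload: bytes) -> dict:
    """Decode the UDP payload of a packet seen on ports 67/68."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr, giaddr = (socket.inet_ntoa(payload[i:i + 4]) for i in (16, 24))
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                      # truncated option
            break
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts[53][0] if opts.get(53) else None      # option 53 = message type
    return {
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, "UNKNOWN"),
        "type": MSG_TYPES.get(mtype, "BOOTP/unknown"),
        "xid": xid,
        "broadcast_flag": bool(flags & 0x8000),
        "offered_ip": yiaddr,
        "relay": giaddr,
        "client_mac": payload[28:28 + min(hlen, 16)].hex(":"),
    }

def explain(pkt: dict, my_macs: set) -> str:
    """Say who a logged packet is for, given the MACs of your own WAN-facing devices."""
    if pkt["op"] != "BOOTREPLY":
        return f"client {pkt['type']} from {pkt['client_mac']}"
    target = "one of your devices" if pkt["client_mac"] in my_macs else "a different client"
    return f"server {pkt['type']} via relay {pkt['relay']} for {target} ({pkt['client_mac']})"

def build_sample() -> bytes:
    """Constructed broadcast OFFER; the MAC and offered IP are made-up values."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    addrs = b"".join(socket.inet_aton(a) for a in
                     ("0.0.0.0", "192.0.2.50", "0.0.0.0", "10.247.4.1"))
    chaddr = bytes.fromhex("020000aabbcc").ljust(16, b"\x00")
    options = bytes([53, 1, 2]) + b"\xff"
    return hdr + addrs + chaddr + bytes(192) + MAGIC + options
```

Comparing `client_mac` across a run of captured packets against the MAC of your own router's WAN port shows whether the stream is addressed to your equipment or to other clients whose broadcast replies reach your firewall.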