
Firewall blocking while I'm online


10 replies to this topic

#1 IceCreamJones


Posted 11 April 2016 - 08:01 AM

Hi, I'm new to the forum so I want to thank you in advance for your help.

 

My ISP is Verizon (FiOS) and I use their modem, which has a built-in firewall. 

 

I've been checking my firewall log and I'm seeing some very weird blocked traffic that only happens when I'm online.  Some examples:

 

About 10 of these in a row when my Mac was connected to wireless but not doing anything

 

 

Apr    4    Monday    9:51pm (April 3rd)    2016    local5.notice<173>    ulogd[578]:    Blocked    IN=eth0    OUT=    MAC=my router's MAC  Address  SRC=17.110.226.165    (This is "Apple, Inc.")       DST=Router's IP   LEN=52    TOS=00    PREC=0x00    TTL=55    ID=30243    DF    PROTO=TCP    SPT=443    DPT=49156    SEQ=2764419126    ACK=54949267    WINDOW=165    ACK URGP=0    MARK=0

 

A bunch of these in a row:

 

Apr    3    Sunday    1:12pm    2016    local5.notice<173>    ulogd[578]:    Blocked    IN=eth0    OUT=    MAC=my router's MAC  Address   SRC=41.69.28.218    (This is "Vodafone, Egypt")        DST=Router's IP LEN=498    TOS=00    PREC=0x00    TL=55    ID=48637        PROTO=TCP    SPT=57274    DPT=50141    SEQ=3153840577    ACK=4255054160    WINDOW=8192    ACK PSH URGP    MARK=0

 

 

A LOT of these in a row while online. Browsing, checking Outlook.com, etc on my Windows 10 machine:
 

 

Apr    6    Wednesday   8:22pm (April 5)    2016    local5.notice<173> ulogd[581]:    Blocked    IN=eth0    OUT=    MAC=my router's MAC  Address   SRC=209.85.232.156    (This is "Google, Inc.")    DST=Router's IP    LEN=103    TOS=00    PREC=0x00    TTL=48    ID=64422        PROTO=TCP    SPT=443    3 DPT=51454    SEQ=39216501    29 ACK=1248099501    WINDOW=352    ACK PSH URGP=0    MARK=0

 

 

Many, many of these, same Windows 10 machine, same browsing type:

 

 

Apr    7    Thursday    7:19am    2016    local5.    notice<173>    ulogd[581]:    Blocked    IN=eth0    OUT=    MAC=my router's MAC  Address    SRC=63.251.98.12    (This is "Voxel.net")    DST=Router's IP   LEN=71    TOS=00    PREC=0x00    TTL=55    ID=63498    PROTO=TCP    SPT=443    DPT=62549    SEQ=2255184894    ACK=774132708    WIDOW=31    ACK PSH URGP=0    MARK=0

 

All these happen pretty regularly.  Whenever I'm online, several blocks recorded in the firewall logs from one, a few, or all of these sources.

 

In addition, I see a lot of blocks related to traffic from 74.82.47.13, which is a recurring scan from Shadowserver Foundation.  I've reached out to them to see if they're detecting something specific from my IP or MAC but they have not answered.

 

A few questions:

 

  1. What are these blocks indicative of?  Is this a port scan or something else?  Why do you think they're happening?
  2. If these are indeed blocked by the firewall, why is there an acknowledgement code in each?
  3. Can someone please define the following codes? 

 

  • TOS=00
  • PREC=0x00
  • ID=54788: what is this ID for?
  • SEQ=1112272367: what is this seq # for?  What does it tell me?
  • ACK: why is there an ACK code in a firewall block?  Shouldn't it be 0?
  • ACK URGP=0
  • MARK=0
  • DF

Thanks in advance for any guidance you can give on this issue.  If there's anything relevant you'd like to add in addition to answering my questions, I really appreciate it!


Edited by IceCreamJones, 11 April 2016 - 08:04 AM.




#2 Didier Stevens


Posted 11 April 2016 - 12:24 PM

It looks like you sanitized the log entries you posted. Can you confirm that the only changes you made to the log are what appears in bold?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Didier Stevens


Posted 11 April 2016 - 12:27 PM

Hi,

 

  1. Can someone please define the following codes? 

 

  • TOS=00
  • PREC=0x00
  • ID=54788: what is this ID for?
  • SEQ=1112272367: what is this seq # for?  What does it tell me?
  • ACK: why is there an ACK code in a firewall block?  Shouldn't it be 0?
  • ACK URGP=0
  • MARK=0
  • DF

Thanks in advance for any guidance you can give on this issue.  If there's anything relevant you'd like to add in addition to answering my questions, I really appreciate it!

 

They would be hard to explain to you if you're not familiar with the details of TCP connections.

How well do you understand TCP?




#4 IceCreamJones


Posted 11 April 2016 - 12:30 PM

Thanks for the replies.  Yes, the only things I changed were the items in bold.  I did reorder some things for readability but haven't left anything out.  I've been reading up on TCP and have a basic understanding and I could probably follow along with an explanation.  Thanks again.



#5 Didier Stevens


Posted 11 April 2016 - 01:45 PM

Then you learned about ports? SPT is Source PorT and DPT is Destination PorT.

You know what port 443 is?




#6 IceCreamJones


Posted 11 April 2016 - 01:55 PM

Yes, HTTP over SSL (HTTPS).  I know about source and destination, I just need to know about the terms I specified, why a "block" still returns an ACK code and what this traffic looks like to people who know better than I do.  Thanks again.



#7 Didier Stevens


Posted 11 April 2016 - 02:43 PM

Since the source port is 443 (for that first packet) and the destination port is a high port, we can safely assume that this packet is a reply to a TLS connection your machine started. Data flows both ways in a TCP connection. Data that was received needs to be acknowledged. Your machine sends a packet to the server, the server sends back a reply and also acknowledges the data it received.



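An added example, not code from the thread or from the router's ulogd: a small parser for the netfilter key=value lines quoted above that separates the bare ACK flag from the ACK= acknowledgement number and classifies each blocked packet by port pattern, the way the reply above reasons from source port 443 and a high destination port. The sample lines are constructed, with placeholder MAC and DST values and an assumed ephemeral-port boundary of 32768.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample lines in the netfilter/ulogd key=value format quoted in the
# thread. MAC and DST are placeholder values, not the poster's real router data.
SAMPLE_LOG = """\
Apr  4 21:51:00 local5.notice ulogd[578]: Blocked IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=17.110.226.165 DST=203.0.113.10 LEN=52 TOS=00 PREC=0x00 TTL=55 ID=30243 DF PROTO=TCP SPT=443 DPT=49156 SEQ=2764419126 ACK=54949267 WINDOW=165 ACK URGP=0 MARK=0
Apr  3 13:12:00 local5.notice ulogd[578]: Blocked IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=41.69.28.218 DST=203.0.113.10 LEN=498 TOS=00 PREC=0x00 TTL=55 ID=48637 PROTO=TCP SPT=57274 DPT=50141 SEQ=3153840577 ACK=4255054160 WINDOW=8192 ACK PSH URGP=0 MARK=0
"""

EPHEMERAL_MIN = 32768  # assumed start of the dynamic port range client stacks use


def parse_entry(line: str) -> Tuple[Dict[str, str], Set[str]]:
    """Split one 'Blocked' line into key=value fields and bare flag tokens.
    'ACK=54949267' is the TCP acknowledgement number (a field); a bare 'ACK'
    token is the TCP ACK flag; 'DF' is the IP don't-fragment flag."""
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for token in line.split("Blocked", 1)[1].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value          # e.g. SPT=443, or OUT= with an empty value
        else:
            flags.add(token)             # e.g. DF, ACK, PSH, SYN
    return fields, flags


def classify(fields: Dict[str, str], flags: Set[str]) -> str:
    """Say what a blocked TCP packet most likely is, from its ports and flags."""
    if fields.get("PROTO") != "TCP":
        return "non-TCP"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "inbound connection attempt (SYN) - unsolicited"
    if "ACK" in flags and spt < 1024 and dpt >= EPHEMERAL_MIN:
        # Service port -> our ephemeral port: the remote side is answering a
        # connection our side opened; the firewall dropped it as out-of-state.
        return f"reply from service port {spt} to our client port {dpt} - out-of-state"
    if "ACK" in flags:
        return "ACK outside the service-port -> ephemeral-port pattern - not a plain server reply"
    return "unclassified"


def summarize(log: str) -> List[Tuple[str, str]]:
    """Return (SRC, classification) for every 'Blocked' line in the log text."""
    results = []
    for line in log.splitlines():
        if "Blocked" in line:
            fields, flags = parse_entry(line)
            results.append((fields["SRC"], classify(fields, flags)))
    return results
```

The first sample line classifies as a late reply from an HTTPS server to a connection the Mac opened; the second, with two high ports, does not fit that pattern and deserves a closer look.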

#8 IceCreamJones


Posted 11 April 2016 - 02:59 PM

I see.  But why are these blocked by the firewall, and why in such a high volume?    Also, in one of my examples, the source port is 57274.

 

The firewall in the router is very basic, configuration-wise, by the way.  It only has High (block everything), Medium (basic setting that's running now) and Low (block nothing) settings, and since I'm running Medium, I'm not sure why it would be blocking traffic I requested.  On the Mac machine (my first example), it was just sitting doing nothing.  I wasn't browsing.  On my last example, I don't even know what Voxel.net is but it's not a site I go to. 

 

Thanks again.



#9 Didier Stevens


Posted 11 April 2016 - 03:14 PM

I'm also wondering why these packets are blocked by the firewall, since it looks like your machine initiated the connection.

Unfortunately the log does not say why (for example the rule that blocked it).

 

I also saw that source port with a high number, it's in your second example. I don't know what traffic that is. Apparently this port is used by Apple's Xsan technology, but I don't think that's the case here.

http://www.adminsub.net/tcp-udp-port-finder/57274

https://en.wikipedia.org/wiki/Xsan




#10 IceCreamJones


Posted 14 April 2016 - 01:06 PM

Yep, no Apple SAN outside the firewall or anything.  How weird.

 

Thanks a lot for looking into this!



#11 Didier Stevens


Posted 14 April 2016 - 02:27 PM

You're welcome.






