Menu
What's new
By:
Filters Better Search

Huge Increase In Firewall Drops

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

bluzfanmr1

bluzfanmr1

Senior Member
Recently, after having the same Comcast WAN IP for about 2.5 years, my IP changed to a new one. Since then, the number of firewall drops has increased massively to the point of 3-5 attempts, every 3-5 seconds. It used to be I would get a few drops every minute or two. There are only a few hits where the DST is my WAN IP but most of them show a DST of 255.255.255.255. The drops are coming from various IP's but the MAC address is always close to about 5 different numbers such as this:
Code: 
May 16 11:47:00 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:0f:08:00 SRC=73.98.97.68 DST=255.255.255.255
May 16 11:46:58 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:e4:08:00 SRC=98.60.201.185 DST=255.255.255.255
May 16 11:46:53 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:a4:08:00 SRC=174.56.0.202 DST=255.255.255.255

I think from what I've previously learned here, I can safely ignore this and this is the firewall working as it should. Is that indeed true? Or is there something wrong within my network? I'm just alarmed by the massive increase in the number of hits. What is the purpose of a DST of 255.255.255.255 instead of my WAN IP and why are those showing up in my log?

Thanks for any help or confirmation on this.
 
It's just Ethernet broadcast traffic, ignore it. The only odd thing is the variation in IP address ranges, but they all belong to Comcast so I guess that's just their weird internal network design. Maybe they're migrating some of their network equipment.
 
ColinTaylor said:
It's just Ethernet broadcast traffic, ignore it. The only odd thing is the variation in IP address ranges, but they all belong to Comcast so I guess that's just their weird internal network design. Maybe they're migrating some of their network equipment.
Click to expand...
Thanks for the confirmation, appreciate it.
 
C:\Windows\system32>nslookup 73.98.97.68
Name: c-73-98-97-68.hsd1.nm.comcast.net
Address: 73.98.97.68

C:\Windows\system32>nslookup 98.60.201.185
*** pi.hole can't find 98.60.201.185: Non-existent domain

98.60.201.185 | Comcast Cable Communications LLC | AbuseIPDB

www.abuseipdb.com www.abuseipdb.com

C:\Windows\system32>nslookup 174.56.0.202
Name: c-174-56-0-202.hsd1.nm.comcast.net
Address: 174.56.0.202

All of them are Comcast IP's located in NM. Seem to be residential IP's from the naming of the DNS. Might be someone doing an nmap scan or something or as stated CC doing some changes to the network.
 
Tech Junky said:
C:\Windows\system32>nslookup 73.98.97.68
Name: c-73-98-97-68.hsd1.nm.comcast.net
Address: 73.98.97.68

C:\Windows\system32>nslookup 98.60.201.185
*** pi.hole can't find 98.60.201.185: Non-existent domain

98.60.201.185 | Comcast Cable Communications LLC | AbuseIPDB

www.abuseipdb.com www.abuseipdb.com

C:\Windows\system32>nslookup 174.56.0.202
Name: c-174-56-0-202.hsd1.nm.comcast.net
Address: 174.56.0.202

All of them are Comcast IP's located in NM. Seem to be residential IP's from the naming of the DNS. Might be someone doing an nmap scan or something or as stated CC doing some changes to the network.
Click to expand...
I did notice that these were all Comcast IP's and, since I live in a condo complex with a very crowded environment, wondered if it could possibly be a nefarious neighbor or someone's infected device. I think I'll report this to Comcast and see what happens. Thanks for the reply.
 
Yeah, with them all in different subnets it's not likely it's neighbors. It could be something on the CC side generating a ping scan of the node you're on to see who's active before they bring it down for maintenance. Since there weren't any malicious complaints about the IP's in question it might just be alert and keep tabs on it for a little while unless you notice an impact. Seems like the router is doing its job though dropping them. Otherwise if you contact them you can ask to purge your MAC and reboot the CM to get a new IP and see if anything changes.
 
Tech Junky said:
Seems like the router is doing its job though dropping them.
Click to expand...
I would consider disabling logging however if the router is getting a lot of dropped packets, as logging these will put a strain on the router's CPU.
 
RMerlin said:
I would consider disabling logging however if the router is getting a lot of dropped packets, as logging these will put a strain on the router's CPU.
Click to expand...
I was going to say that it is putting somewhat of a load on the router and it's noticeable to me, especially when trying to follow the System Log page. I had to remove scribe, which made things better but messy, then being overloaded with drops.
 
I am having the same issue
Aug 16 13:38:11 - kern.warn kernel: [18096.197012] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:54:08:00 SRC=76.142.132.57 DST=255.255.255.255 LEN=89 TOS=0x00 PREC=0x20 TTL=64 ID=58115 PROTO=UDP SPT=49665 DPT=47809 LEN=69 MARK=0x100000
Aug 16 13:38:11- kern.warn kernel: [18096.215569] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:54:08:00 SRC=76.142.132.57 DST=255.255.255.255 LEN=89 TOS=0x00 PREC=0x20 TTL=64 ID=58115 PROTO=UDP SPT=49665 DPT=47809 LEN=69 MARK=0x100000
Aug 16 13:38:14 - kern.warn kernel: [18098.735544] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:54:08:00 SRC=76.142.132.57 DST=255.255.255.255 LEN=89 TOS=0x00 PREC=0x20 TTL=64 ID=58116 PROTO=UDP SPT=49665 DPT=47809 LEN=69 MARK=0x100000
Aug 16 13:38:14 - kern.warn kernel: [18098.754105] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:54:08:00 SRC=76.142.132.57 DST=255.255.255.255 LEN=89 TOS=0x00 PREC=0x20 TTL=64 ID=58116 PROTO=UDP SPT=49665 DPT=47809 LEN=69 MARK=0x100000
Aug 16 13:38:16 - kern.warn kernel: [18100.902542] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:25:08:00 SRC=76.142.131.25 DST=255.255.255.255 LEN=194 TOS=0x00 PREC=0x20 TTL=64 ID=26065 DF PROTO=UDP SPT=2190 DPT=2190 LEN=174 MARK=0x100000
Aug 16 13:38:16 - kern.warn kernel: [18100.911520] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:06:08:00 SRC=76.31.214.118 DST=255.255.255.255 LEN=194 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=UDP SPT=2190 DPT=2190 LEN=174 MARK=0x100000
Aug 16 13:38:16 - kern.warn kernel: [18100.911732] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:06:08:00 SRC=76.31.214.118 DST=255.255.255.255 LEN=194 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=UDP SPT=2190 DPT=2190 LEN=174 MARK=0x100000
 
@vert360
76.142.132.57 - Comcast
76.142.131.25 - Comcast
76.31.214.118 - Comcas

And you're using a Tivo which uses UDP:2190

So, let me guess you use Comcast as your ISP?
 
You must log in or register to reply here.

Similar threads

B
Skynet Outbound blocks
Replies
1
Views
503
BeachGuy
B
D
[ASUS AX86U Merlin] Blink Sync Module does not connect (connects to iphone hotspot)
Replies
0
Views
968
dasusm
D
J
Skynet Skynet - Blocked outbounds coming from the router itself?
Replies
12
Views
918
JuanGF
J
P
Skynet show inbound block on Digital TV Vlan300
Replies
4
Views
932
poudenes
P
C
system log shows KERNEL Accept with UDP 67/68?
Replies
3
Views
606
chillm8t
C

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 850 (members: 30, guests: 820)
Top