Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




1480 posts

Uber Geek
+1 received by user: 360


Topic # 150788 3-Aug-2014 12:38
Send private message

I have my firewall only accepting forwarded connections that are initiated (new) from known devices on my internal network.  Anything else, with the exception of a dst-nat (port forward) rule created for torrents is blocked.  This includes anything that creates a upnp port forward.  If you're not something I know of, you get blocked and labelled a 'spammer'.  Should a 'spammer' try any unsolicited connection a second time, they get blocked outright with no exceptions for a duration of time.

Through this I notice in the logs that every few seconds there are connection attempts being made to a UPnP created port forward entry, as follows:



Running netstat -ao shows that the service is as highlighted below:


Any ideas?

Create new topic
Infrastructure Geek
4043 posts

Uber Geek
+1 received by user: 193

Trusted
Microsoft NZ
Subscriber

  Reply # 1101339 3-Aug-2014 22:33
Send private message

cant quite read the text in the first image




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs


988 posts

Ultimate Geek
+1 received by user: 202


  Reply # 1101345 3-Aug-2014 22:45
Send private message

Looks like torrent related traffic to me. It is not unusual to still receive traffic from peers for hours/days even after you close your client.
Could also be Skype.

 
 
 
 




1480 posts

Uber Geek
+1 received by user: 360


  Reply # 1101370 4-Aug-2014 00:05
Send private message

^ no, it's not torrent traffic. the port forward was created by upnp. what created the port forward?  service with pid 972 as per my screenshot.

if you hit quote on my post you'll see the data easier.


2316 posts

Uber Geek
+1 received by user: 665

Trusted
Subscriber

  Reply # 1101417 4-Aug-2014 07:38
Send private message

Capture a few second traffic using WireShark maybe?




"4 wheels move the body.  2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams



1480 posts

Uber Geek
+1 received by user: 360


  Reply # 1101663 4-Aug-2014 12:37
Send private message

yeah the device can do this by itself to a file ... will have to when I get more time (it's only my home router :))

Just rather odd that considering that a windows service is opening up a port, then i'm getting attempts to it from random non-microsoft addresses.  my initial thoughts are something like onedrive might have a push update function, and third parties are somehow able to abuse this.

should be interesting as it could effect everyone with windows 8 seeing all domestic routers nowadays have upnp enabled and will blindly accept traffic



1480 posts

Uber Geek
+1 received by user: 360


  Reply # 1102820 5-Aug-2014 19:33
Send private message

Not particularly human readable

[headers stripped]
Data (52 bytes)
0000 60 00 00 00 00 00 3b 15 20 01 00 00 9d 38 6a b8 `.....;. ....8j.
0010 24 f6 36 66 c5 53 f1 79 20 01 00 00 9d 38 90 d7 $.6f.S.y ....8..
0020 0c 3c 33 4d 86 9c e4 12 01 04 79 a6 23 11 04 04 .<3M......y.#...
0030 00 00 00 00 ....

Infrastructure Geek
4043 posts

Uber Geek
+1 received by user: 193

Trusted
Microsoft NZ
Subscriber

  Reply # 1102950 5-Aug-2014 22:16
Send private message

MadEngineer: ^ no, it's not torrent traffic. the port forward was created by upnp. what created the port forward?  service with pid 972 as per my screenshot.

if you hit quote on my post you'll see the data easier.



What about Skype?  Do you have that running?  (question asked alongside torrents above)

As for the pid972, may be the "IP Helper" or another service - perhaps an app (may well be nothing to do with windows) on your machine is calling a upnp api via that windows service




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs




1480 posts

Uber Geek
+1 received by user: 360


  Reply # 1103737 7-Aug-2014 00:05
Send private message

I have skype installed, but it doesn't run on startup and isn't sitting in the background.  my machine is quite clean

Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

$3.74 million for new electric vehicles in New Zealand
Posted 17-Jan-2018 11:27


Nova 2i: Value, not excitement from Huawei
Posted 17-Jan-2018 09:02


Less news in Facebook News Feed revamp
Posted 15-Jan-2018 13:15


Australian Government contract awarded to Datacom Connect
Posted 11-Jan-2018 08:37


Why New Zealand needs a chief technology officer
Posted 6-Jan-2018 13:59


Amazon release Silk Browser and Firefox for Fire TV
Posted 21-Dec-2017 13:42


New Chief Technology Officer role created
Posted 19-Dec-2017 22:18


All I want for Christmas is a new EV
Posted 19-Dec-2017 19:54


How clever is this: AI will create 2.3 million jobs by 2020
Posted 19-Dec-2017 19:52


NOW to deploy SD-WAN to regional councils
Posted 19-Dec-2017 19:46


Mobile market competition issues ComCom should watch
Posted 18-Dec-2017 10:52


New Zealand government to create digital advisory group
Posted 16-Dec-2017 08:47


Australia datum changes means whole country moving 1.8 metres north-east
Posted 16-Dec-2017 08:39


UAV Traffic Management Trial launching today in New Zealand
Posted 12-Dec-2017 16:06


UFB connections pass 460,000
Posted 11-Dec-2017 11:26



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.