  1. #1
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    UDP connection request

    I often receive firewall (Outpost on 98SE) alerts that some computer is trying to connect to IE, via UDP on such & such port. I instinctively block such connections, but I'm wondering if there is anything legitimate that would need to connect using this protocol. Would it be appropriate to set a general rule to block all such communication attempts?

    thanks

    Alan

  3. #2
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: UDP connection request

    I don't pretend to know anything about the protocol or why it is used, but my Sygate log has many UDP connections daily. A few examples are "polling" from my cable provider, the little utility called About Time that I use to maintain my clock, and so on. However, as I scan the log, they seem to always involve an outgoing AND an incoming record (packets?) so I never question it, since they're all elements that I know about. If yours are incoming only, does it not give an indication of the IP address so you could do a Whois to see what you can learn?

  4. #3
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: UDP connection request

    Hi Al

    I should have been more specific - Is there a valid reason why something external would want to communicate on my browser (IE6) port, using UDP? I might ask my ISP if they use UDP in the manner you describe, but (also with little knowledge) I can't see its relevance to the browser. There may be a corresponding outbound communication if I allowed the inbound one, but I've not done this so far, so I can't tell. And unfortunately I haven't retained a log file for the purpose of tracing - maybe I should start.

    cheers

    Alan

    Edited - Looking at the connections for my current session only, there are UDP connections outbound to my cable ISP (I've blocked inbound altogether now). The remote port is reported as "DNS", and one of the reasons for the connection is to allow DNS resolution.

  5. #4
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: UDP connection request

    What do you mean by your browser port? Typically your applications will be assigned a random port number, so anything inbound to that port number has a good chance of knowing something about your communications during the current session.

    TCP is used where you want to make sure you got the whole communication. Most applications use TCP; only a few use UDP, which does not check that packets were delivered. DNS uses UDP; I guess it's easier to make the application ask again than to use TCP. Streaming audio and video may use UDP because there's no point in re-sending a lost packet from half a second ago.

  6. #5
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: UDP connection request

    The kind of information I get from the firewall alert is something along the lines of "so and so IP address is trying to connect with iexplore.exe via UDP" or similar. I presumed from this that "it" was trying to use the port usually assigned to HTTP (the browser port?) I'm not that sure of what tree I'm barking up here though.

    I'm pretty sure that it wouldn't be streaming AV, since there's nothing related to that on the pages in the browser, but maybe it's something else suited to a datagram, like confirmation of my IP address by my cable ISP?

    Alan

  7. #6
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    20,414
    Thanks
    1
    Thanked 597 Times in 534 Posts

    Re: UDP connection request

    Alan,
    I think your first instinct was correct. If it is really valid and important whoever/whatever will find an alternate way to contact you.

    Joe

  8. #7
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: UDP connection request

    I don't think I've ever seen that, but I'm also behind the corporate firewall most of the time, so maybe that's why. Because Internet Explorer uses ephemeral (temporary) ports for normal browsing, I would not expect Outpost to think a particular port is assigned to it. On the other hand, you might have an add-in or something that does have a fixed port number. I guess if you find something not working, you'll know what it was.

  9. #8
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: UDP connection request

    "...so and so IP address is trying to connect..."

    If it were me I couldn't stand not knowing. Don't you think it would be worth backtracing the IP address? If your firewall software won't do it, here's a link I use all the time for IP address lookup.

    (For anyone who sees this link, the Domain Explorer at that link is good for looking up "wildcard" words in a domain name.)

  10. #9
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: UDP connection request

    Hi Jefferson (and Bigal re: your lookup suggestion)

    I disabled the firewall rule I had in place to block these connections, waited a couple of days, and bingo. A typical alert + trace is attached below. The site is just some ISP/hosting service I have no connection with (pardon pun). Unfortunately my firewall doesn't offer the option to allow/block these requests on an individual basis. It goes into "Learning Mode", which I don't understand yet.

    So what I've done is to create a rule that blocks any and all requests to IE that use the UDP protocol. But the question remains - is there a legitimate reason for anything (not just some unknown computer) to try to talk to a browser using UDP?

    Alan

    Edited - Just got another from the same remote port on 203.192.46.103, which I can't trace, ping or lookup.

  11. #10
    Super Moderator
    Join Date
    Dec 2000
    Location
    Renton, Washington, USA
    Posts
    12,560
    Thanks
    0
    Thanked 4 Times in 4 Posts

    Re: UDP connection request

    Whois source says the following
    inetnum: 203.192.40.0 - 203.192.47.255
    netname: LLK-IPSTARGW
    country: TH
    descr: iPStar Gateway
    descr: Satellite Internet Provider
    admin-c: YL11-AP
    admin-c: YL3-AP
    tech-c: SS134-AP
    status: ASSIGNED NON-PORTABLE
    changed: 20040218
    mnt-by: MAINT-TH-SHINSAT
    source: APNIC

    person: Klongthip Teerarassamee
    nic-hdl: YL11-AP
    e-mail:
    address: 41/103 Rattanatibet Rd., Nonthaburi 11000, Thailand
    phone: +66-2-599-4173
    fax-no: +66-2-976-3015
    country: TW
    changed: 20030808
    mnt-by: MAINT-TW-CHTI
    source: APNIC

    person: Somkid Yokpol
    nic-hdl: YL3-AP
    e-mail:
    address: 41/103 Rattanatibet Rd., Nonthaburi 11000, Thailand
    phone: +66-2-599-4170
    fax-no: +66-2-976-3015
    country: TW
    changed: 20030808
    mnt-by: MAINT-TW-CHTI
    source: APNIC

    person: Suwat Singhatep
    nic-hdl: SS134-AP
    e-mail:
    address: 41/103 Rattanathibet Road,
    address: Bangkasor, Nonthaburi 11000
    phone: +66-2-599-3000 ext. 769
    fax-no: +66-2-976-3015
    country: TH
    changed: 20040218
    mnt-by: MAINT-TH-SHINSAT
    source: APNIC

    Now running HP Pavilion a6528p, with Win7 64 Bit OS.

  12. #11
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: UDP connection request

    Thanks Dave. I don't believe I have any connection at all with this mob, so I'm quite happy to shut them out. But what service did you use to glean this info, and how did you know what DNS range to search for?

    Alan

  13. #12
    Super Moderator
    Join Date
    Dec 2000
    Location
    Renton, Washington, USA
    Posts
    12,560
    Thanks
    0
    Thanked 4 Times in 4 Posts

    Re: UDP connection request

    See BigAl's post 394357 (above) and I used the number that you posted above. The Whois source found the range.

    Now running HP Pavilion a6528p, with Win7 64 Bit OS.

  14. #13
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: UDP connection request

    Do you have the free version? In the Pro $$ version, there is a detailed log of the "allowed" transmissions. If you have such a log, do you see anything that might conceivably have invited these contacts? (I'd go by the timestamps...)
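
An added example, not part of any post in this thread: the timestamp check suggested in post #13, and the ephemeral-port point from post #4, as a script that marks each inbound UDP datagram as solicited (it answers a recent outbound datagram from the same local port to the same remote address and port) or unsolicited. The log line format, the 60-second window and the function name are assumptions for illustration, not Outpost's own; the addresses are constructed from documentation ranges.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log; the line format is hypothetical, not Outpost's own.
SAMPLE_LOG = """\
2004-03-01 10:15:02 OUT UDP 192.168.0.10:1045 -> 198.51.100.53:53 iexplore.exe
2004-03-01 10:15:02 IN  UDP 198.51.100.53:53 -> 192.168.0.10:1045 iexplore.exe
2004-03-01 10:15:40 IN  UDP 203.0.113.77:4000 -> 192.168.0.10:1045 iexplore.exe
2004-03-01 10:20:30 IN  UDP 198.51.100.53:53 -> 192.168.0.10:1045 iexplore.exe
"""

LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<dir>IN|OUT)\s+UDP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<app>\S+)"
)


def classify_inbound_udp(log_text, window_seconds=60):
    """Return (timestamp, remote 'ip:port', application, verdict) per inbound line."""
    window = timedelta(seconds=window_seconds)
    # (local port, remote ip, remote port) -> time of the last outbound datagram
    last_out = {}
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a UDP record in the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["dir"] == "OUT":
            last_out[(m["sport"], m["dst"], m["dport"])] = ts
            continue
        # Inbound: look for an outbound datagram with the mirrored endpoints.
        sent = last_out.get((m["dport"], m["src"], m["sport"]))
        solicited = sent is not None and timedelta(0) <= ts - sent <= window
        verdict = "solicited" if solicited else "unsolicited"
        results.append((m["ts"], f'{m["src"]}:{m["sport"]}', m["app"], verdict))
    return results


if __name__ == "__main__":
    for ts, remote, app, verdict in classify_inbound_udp(SAMPLE_LOG):
        print(f"{ts}  {remote:<22} {app:<14} {verdict}")
```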

  15. #14
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: UDP connection request

    I use the freebie and do have a log file. I can't see anything that would be associated with such unknown connections though. They seem like the same ilk as those random pings one hears of, with computers sweeping DNS ranges to see what's "live". I notice that there is a lot of UDP traffic generally, but these "strange" host computers are always the ones trying to communicate with IE. Comms from my ISP, for instance, are logged as being with OUTPOST, not aimed at the browser. I'm going to run with my IE blocking rule for now, and see what happens I guess.

    Alan

  16. #15
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: UDP connection request

    Thanks Dave (and BigAl) - couldn't see for looking first time round!

    Alan
