My McAfee firewall shows many continual connection attempts to my UDP ports from some DNS servers, as shown in 'mcafee firewall 4.jpg'.
dns.mas.optusnet.com.au is one of the DNS servers, as shown in 'my dns.jpg'.
Sometimes these connections don't appear, only attempted connections to my computer from gateway 192.168.1.1, as shown in 'gateway.jpg'.
It seems my connection speed to the internet is slow when these connections appear.
Are these connections from a hacker? Why are these attacks from a DNS server?
I have to use a DNS server to connect to the internet.
I would appreciate your help very much.
Not being able to read that language means I have no idea what is said there. What McAfee product and version are you using and which section are those pics from? If it's Incoming Connections then don't worry about it as they are all blocked.
Message was edited by: Ex_Brit on 01/10/13 6:34:50 EDT AM
I uploaded the photos again from the firewall internet/network incoming events log and translated the relevant info to English.
As you can see, these are incoming connections to my UDP ports from DNS servers and the router gateway.
McAfee Security Center version: 9.11,
VirusScan version: 13.11
Personal Firewall: 10.11
If these incoming connections are attacks, why are they from DNS servers and the gateway? Because I need a DNS server to connect to the internet, these connections appear almost every time I connect to the internet, although sometimes they don't appear.
Also, sometimes there are many incoming connections from a local LAN computer, as shown in 'mcafee firewall 2 english.jpg'.
There are also continual incoming ICMP ping connections from an IP address in China, which I use the McAfee firewall to trace.
I can understand attacks from local LAN computers or from computers on the internet, but I don't understand why many attacks (if they are) are from a DNS server. Could someone fake their IP address as a DNS server's?
I'd appreciate your help very much.
1. Try changing the DNS server that you use. I see the IP address for Google (184.108.40.206), but if you're using Google I don't know why the optusnet addresses are present in your logs. Optus is a legitimate Australian service provider (http://www.optus.com.au/aboutoptus/About+Optus) so perhaps Google is the primary DNS server and Optus is the backup.
DNS Servers and Home Networking
Computers on your home network locate a DNS server through the Internet connection setup properties. Providers give their customers the public IP address(es) of primary and backup DNS servers. You can find the current IP addresses of your DNS server configuration via several methods:
There are other DNS servers you can use : they are listed in "Top Free Internet DNS Servers"
2. IP addresses 192.168.1.1 and 192.168.1.106 : these are private IP addresses for your router.
If you have unknown traffic coming from these addresses it is possible your router has been hacked. Most people do not change their router's default password, so many routers can be easily hacked. First, here's an easy way to check your router's IP address - the information is at the top right of the screen : http://www.routeripaddress.com/routers_with_default_address_192.168.1.106/
If your router has an IP address of 192.168.1.1 this next page is relevant -
If the router has an IP address of 192.168.1.1, you can connect to it by opening a Web browser and visiting http://192.168.1.1/
This allows you to log into the router's administrator console and access its configuration screens.
3. Taking two examples from your screenshots :
1/ an attempted UDP connection to port 64946 - this port is an Ephemeral (dynamic, or private) port, whose number is above the highest port number that can be registered with IANA.
This range (49152–65535) is used for custom or temporary purposes and for automatic allocation of ephemeral ports.
UDP is often used with time-sensitive applications, such as audio/video streaming, and uTorrent requires Port 64946 to be open on a Linksys router according to this post from their forum.
2/ an attempted TCP connection to port 2869 - this is likely to be used by Internet Connection Sharing, Windows Firewall or Local Network Sharing; in the ghacks.net example the service making the connection attempt was Windows Media Player Network Sharing Service.
4. I could continue, but there is some basic advice I can give :
- Set Google to be your primary DNS server, if you haven't done so already.
- Set your McAfee firewall to Stealth.
- Check that all your ports are closed by using GRC's Shields Up program; in Firewall settings close any that Shields Up finds are open unless you need those ports to be open.
- Keep checking your network and system logs to monitor for any unusual activity.
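One way to do the log review suggested in the advice above, as an added example that is not part of the original posts: it groups blocked incoming events by whether the source is a private (RFC 1918) address and by the IANA range of the destination port. The log line layout and the sample events are constructed for illustration and are not McAfee's own log format.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private ranges: a source in one of these is on the local network.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed layout: "<time> <PROTO> <source IP> <destination port or -> <action>"
LINE_RE = re.compile(r"^(\S+)\s+(UDP|TCP|ICMP)\s+(\S+)\s+(\d+|-)\s+(\w+)$")

# Constructed sample events; 198.51.100.x and 203.0.113.x are documentation addresses.
SAMPLE_LOG = """\
2013-10-01T06:10:02 UDP 198.51.100.53 64946 BLOCKED
2013-10-01T06:10:03 UDP 198.51.100.53 51512 BLOCKED
2013-10-01T06:11:40 UDP 192.168.1.1 60233 BLOCKED
2013-10-01T06:12:15 TCP 192.168.1.106 2869 BLOCKED
2013-10-01T06:13:00 ICMP 203.0.113.7 - BLOCKED
this line is malformed and is skipped
"""

def port_class(port):
    """IANA ranges: system 0-1023, registered 1024-49151, dynamic 49152-65535."""
    if port is None:  # ICMP events carry no port
        return "n/a"
    return "system" if port <= 1023 else "registered" if port <= 49151 else "dynamic"

def origin(src):
    """'local' for RFC 1918 sources, 'internet' otherwise; ValueError if not an IP."""
    addr = ipaddress.ip_address(src)
    return "local" if any(addr in net for net in RFC1918) else "internet"

def triage(log_text):
    """Parse each well-formed line into a dict; skip anything that does not parse."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, proto, src, dport, action = m.groups()
        port = None if dport == "-" else int(dport)
        try:
            events.append({"src": src, "origin": origin(src), "proto": proto,
                           "port": port, "port_class": port_class(port),
                           "action": action})
        except ValueError:  # source field was not a valid IP address
            continue
    return events

def summarize(events):
    """Count events per (origin, protocol, destination port class)."""
    return Counter((e["origin"], e["proto"], e["port_class"]) for e in events)

if __name__ == "__main__":
    for key, count in sorted(summarize(triage(SAMPLE_LOG)).items()):
        print(count, *key)
```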
THIS IS VERY IMPORTANT: You are using an obsolete version of the software. It is no longer supported and I doubt very much if it is protecting you adequately. I suggest you uninstall immediately and purchase a current version or contact whomever you obtain your software from to get the latest version (SecurityCenter 12.x).
In any case Incoming Connections are merely there for your information and need not concern you as the ones listed are all blocked with your current settings, as I previously stated. But Hayton is explaining that part better than I can.
Incidentally, what is your operating system and is it totally up to date?
Message was edited by: Ex_Brit on 02/10/13 8:51:43 EDT AM