Huge Increase In Firewall Drops


bluzfanmr1

Senior Member
Recently, after having the same Comcast WAN IP for about 2.5 years, my IP changed to a new one. Since then, the number of firewall drops has increased massively, to the point of 3-5 attempts every 3-5 seconds. It used to be I would get a few drops every minute or two. There are only a few hits where the DST is my WAN IP, but most of them show a DST of 255.255.255.255. The drops are coming from various IPs, but the MAC address is always close to about 5 different numbers, such as this:
Code:
May 16 11:47:00 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:0f:08:00 SRC=73.98.97.68 DST=255.255.255.255
May 16 11:46:58 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:e4:08:00 SRC=98.60.201.185 DST=255.255.255.255
May 16 11:46:53 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:a4:08:00 SRC=174.56.0.202 DST=255.255.255.255

I think from what I've previously learned here, I can safely ignore this and this is the firewall working as it should. Is that indeed true? Or is there something wrong within my network? I'm just alarmed by the massive increase in the number of hits. What is the purpose of a DST of 255.255.255.255 instead of my WAN IP and why are those showing up in my log?

Thanks for any help or confirmation on this.
 
It's just Ethernet broadcast traffic, ignore it. The only odd thing is the variation in IP address ranges, but they all belong to Comcast so I guess that's just their weird internal network design. Maybe they're migrating some of their network equipment.
 
It's just Ethernet broadcast traffic, ignore it. The only odd thing is the variation in IP address ranges, but they all belong to Comcast so I guess that's just their weird internal network design. Maybe they're migrating some of their network equipment.
Thanks for the confirmation, appreciate it.
 
C:\Windows\system32>nslookup 73.98.97.68
Name: c-73-98-97-68.hsd1.nm.comcast.net
Address: 73.98.97.68

C:\Windows\system32>nslookup 98.60.201.185
*** pi.hole can't find 98.60.201.185: Non-existent domain

C:\Windows\system32>nslookup 174.56.0.202
Name: c-174-56-0-202.hsd1.nm.comcast.net
Address: 174.56.0.202

All of them are Comcast IPs located in NM. They seem to be residential IPs from the naming of the DNS. Might be someone doing an nmap scan or something, or, as stated, CC doing some changes to the network.
 
C:\Windows\system32>nslookup 73.98.97.68
Name: c-73-98-97-68.hsd1.nm.comcast.net
Address: 73.98.97.68

C:\Windows\system32>nslookup 98.60.201.185
*** pi.hole can't find 98.60.201.185: Non-existent domain

C:\Windows\system32>nslookup 174.56.0.202
Name: c-174-56-0-202.hsd1.nm.comcast.net
Address: 174.56.0.202

All of them are Comcast IPs located in NM. They seem to be residential IPs from the naming of the DNS. Might be someone doing an nmap scan or something, or, as stated, CC doing some changes to the network.
I did notice that these were all Comcast IPs and, since I live in a condo complex with a very crowded environment, wondered if it could possibly be a nefarious neighbor or someone's infected device. I think I'll report this to Comcast and see what happens. Thanks for the reply.
 
Yeah, with them all in different subnets it's not likely it's neighbors. It could be something on the CC side generating a ping scan of the node you're on to see who's active before they bring it down for maintenance. Since there weren't any malicious complaints about the IPs in question, it might just be a matter of staying alert and keeping tabs on it for a little while unless you notice an impact. Seems like the router is doing its job though, dropping them. Otherwise, if you contact them, you can ask to purge your MAC and reboot the CM to get a new IP and see if anything changes.
 
Seems like the router is doing its job though dropping them.
I would consider disabling logging however if the router is getting a lot of dropped packets, as logging these will put a strain on the router's CPU.
 
I would consider disabling logging however if the router is getting a lot of dropped packets, as logging these will put a strain on the router's CPU.
I was going to say that it is putting somewhat of a load on the router and it's noticeable to me, especially when trying to follow the System Log page. I had to remove scribe, which made things better but messy, then being overloaded with drops.
 
I am having the same issue
Aug 16 13:38:11 - kern.warn kernel: [18096.197012] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:54:08:00 SRC=76.142.132.57 DST=255.255.255.255 LEN=89 TOS=0x00 PREC=0x20 TTL=64 ID=58115 PROTO=UDP SPT=49665 DPT=47809 LEN=69 MARK=0x100000
Aug 16 13:38:11- kern.warn kernel: [18096.215569] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:54:08:00 SRC=76.142.132.57 DST=255.255.255.255 LEN=89 TOS=0x00 PREC=0x20 TTL=64 ID=58115 PROTO=UDP SPT=49665 DPT=47809 LEN=69 MARK=0x100000
Aug 16 13:38:14 - kern.warn kernel: [18098.735544] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:54:08:00 SRC=76.142.132.57 DST=255.255.255.255 LEN=89 TOS=0x00 PREC=0x20 TTL=64 ID=58116 PROTO=UDP SPT=49665 DPT=47809 LEN=69 MARK=0x100000
Aug 16 13:38:14 - kern.warn kernel: [18098.754105] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:54:08:00 SRC=76.142.132.57 DST=255.255.255.255 LEN=89 TOS=0x00 PREC=0x20 TTL=64 ID=58116 PROTO=UDP SPT=49665 DPT=47809 LEN=69 MARK=0x100000
Aug 16 13:38:16 - kern.warn kernel: [18100.902542] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:25:08:00 SRC=76.142.131.25 DST=255.255.255.255 LEN=194 TOS=0x00 PREC=0x20 TTL=64 ID=26065 DF PROTO=UDP SPT=2190 DPT=2190 LEN=174 MARK=0x100000
Aug 16 13:38:16 - kern.warn kernel: [18100.911520] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:06:08:00 SRC=76.31.214.118 DST=255.255.255.255 LEN=194 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=UDP SPT=2190 DPT=2190 LEN=174 MARK=0x100000
Aug 16 13:38:16 - kern.warn kernel: [18100.911732] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:06:08:00 SRC=76.31.214.118 DST=255.255.255.255 LEN=194 TOS=0x00 PREC=0x20 TTL=63 ID=0 DF PROTO=UDP SPT=2190 DPT=2190 LEN=174 MARK=0x100000
 
@vert360
76.142.132.57 - Comcast
76.142.131.25 - Comcast
76.31.214.118 - Comcast

And you're using a Tivo which uses UDP:2190

So, let me guess, you use Comcast as your ISP?
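The drop lines quoted in this thread can be triaged mechanically rather than eyeballed in the System Log page: netfilter writes the MAC= field as destination MAC, source MAC and EtherType run together, so a ff:ff:ff:ff:ff:ff prefix together with DST=255.255.255.255 marks an IPv4 limited broadcast on the cable segment, not something aimed at the WAN address. The script below is an added example, not code from any poster; it assumes a constructed WAN IP of 198.51.100.7 and constructed sample lines (the last one is a made-up non-broadcast drop for contrast) and counts drops per class, per source and per broadcast service such as the UDP/2190 TiVo traffic pointed out in the last reply.

```python
import re
from collections import Counter

# Constructed sample in the Asuswrt/netfilter DROP format quoted in this
# thread; the last line is a made-up non-broadcast drop for contrast.
WAN_IP = "198.51.100.7"  # assumed WAN address (documentation range)
SAMPLE_LOG = """\
May 16 11:47:00 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:0f:08:00 SRC=73.98.97.68 DST=255.255.255.255
May 16 11:46:58 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:e4:08:00 SRC=98.60.201.185 DST=255.255.255.255
Aug 16 13:38:16 - kern.warn kernel: [18100.902542] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:25:08:00 SRC=76.142.131.25 DST=255.255.255.255 LEN=194 TOS=0x00 PREC=0x20 TTL=64 ID=26065 DF PROTO=UDP SPT=2190 DPT=2190 LEN=174 MARK=0x100000
Aug 16 13:38:20 - kern.warn kernel: [18104.000000] DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:02:cc:c0:a8:ca:06:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 MARK=0x100000
"""
FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; OUT= may be empty

def parse_drop(line):
    """Return the KEY=VALUE fields of one DROP line, or None.
    netfilter prints MAC= as dst MAC : src MAC : EtherType (14 bytes), so
    it is split back into parts; LEN= appears twice and the last wins."""
    if " DROP " not in line:
        return None
    fields = dict(FIELD.findall(line))
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "".join(octets[12:])  # 0800 = IPv4
    return fields

def classify(fields, wan_ip):
    """'broadcast' if addressed to everyone on the segment, 'directed' if
    aimed at our own WAN IP, else 'other'."""
    if (fields.get("DST") == "255.255.255.255"
            or fields.get("DST_MAC") == "ff:ff:ff:ff:ff:ff"):
        return "broadcast"
    return "directed" if fields.get("DST") == wan_ip else "other"

def summarize(log_text, wan_ip):
    """Count drops per class, per source IP and per broadcast service."""
    classes, sources, bcast_ports = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_drop(line)
        if f is None:
            continue
        kind = classify(f, wan_ip)
        classes[kind] += 1
        sources[f.get("SRC", "?")] += 1
        if kind == "broadcast" and "DPT" in f:  # e.g. UDP/2190 (TiVo)
            bcast_ports[f"{f.get('PROTO', '?')}/{f['DPT']}"] += 1
    return classes, sources, bcast_ports
```

A high "broadcast" count with a handful of source MACs is the benign pattern discussed above; the "directed" bucket is the one worth reviewing, and if the totals are large enough to load the router's CPU, that is the point at which disabling drop logging (as suggested earlier) becomes the sensible trade-off.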
 