I get lots of "Stealth Mode connection attempt"s from my DNS server. They seem
to occur when I open web pages or otherwise generate DNS requests. You would
think this traffic would be passed by the firewall, and not blocked. Thankfully DNS still works, but I don't like to fill up log files.
Jul 16 17:27:59 : Stealth Mode connection attempt to UDP 192.168.37.3:62845 from 220.127.116.11:53
Jul 16 17:28:04 : Stealth Mode connection attempt to UDP 192.168.37.3:52647 from 18.104.22.168:53
Jul 16 17:29:27 : Stealth Mode connection attempt to UDP 192.168.37.3:56128 from 22.214.171.124:53
Jul 16 17:29:28 : Stealth Mode connection attempt to UDP 192.168.37.3:54862 from 126.96.36.199:53
Jul 16 17:29:29 : Stealth Mode connection attempt to UDP 192.168.37.3:61581 from 188.8.131.52:53
Jul 16 17:29:46 : Stealth Mode connection attempt to UDP 192.168.37.3:59857 from 184.108.40.206:53
Is it a bug?
It's not blocked traffic per se.
The best analog I can think of is say you were to ask someone what their three favorite TV shows were, but when you hear the first answer you go off to watch it and don't bother to wait for them to finish their reply.
All a stealth mode connection means is that something on the remote server tried to send data to a particular port on your machine, but nothing on your machine was listening for data on that port (in this case, anymore.)
Hi William, I too get Stealth Mode TCP/UDP stuff even when I am asleep at night. Some seem to emanate from router 192 to 192 but others are truly "scanning?" from verifiable sources.
One thread I found brought this response from the 'apparent' source:
+The “attacks” you are seeing on your system are not attacks per se. Although we cannot say definitively without seeing the logs of your firewall, we have seen dozens of similar reports over the past few months with exactly the same symptoms.+
+The IP address you have reported to us, 24.64.XX.XX, is not currently in use nor has it even been assigned to any device in the past 90+ days. You are likely also seeing probes from many other random IPs within the 24.64.X.X range. All of these probes will be UDP. All of the probes will be directed at ports 1026, 1027 & 1028 on your computer. All of them are spoofing their origin.+
+This traffic is NOT originating from XXXX's network.+
+What is actually happening is that there is an unscrupulous advertiser which is spoofing XXXX IP addresses in the 220.127.116.11/16 range and is trying to send messenger pop-ups to computers in order to dupe people into buying a product. It has been quite a thorn in our side because it is falsely indicating XXXX customers are at fault for the traffic.+
+Your security software is smart enough to deflect these probes but not smart enough to know what is really going on. Each probe it sees is interpreted as an attack on your system and you are notified accordingly. Understandably, this can be quite alarming but, in this case, is actually nothing to be concerned with. In the future, any UDP probes you see from 24.64.X.X IPs on ports 1026, 1027 & 1028 can be ignored. Please do keep us apprised of ANY other attacks you may see from XXXX IP addresses.+
+If you have any further questions or comments please do not hesitate to contact us.+
+Acceptable Use Policy Management Team+
I sent a similar abuse comment to a verified WHOIS just now.
The router has UPnP (PNP) off and has a 21 alphanumeric password for security reasons.
There's something weird about all this but Little Snitch should stop any unrequested answers, if they get through (I think?)
"...requests are being responded to by our servers and the destination servers but the response is being reported back as malicious in your 'Stealth Mode' log. ...The same thing seems to happen for users using other DNS providers when in 'Stealth Mode.'"
It doesn't happen in 10.5.x. I have dual boot, and 10.5 running on the same hardware doesn't fill
the firewall log with "stealth mode connect attempt..." messages.
Since it happens to scores of people on different IP providers, I consider it an "across the board"
bug. True, it is really nothing more than an annoyance, and it is totally harmless, but it is still a
bug, even if it is just a "reporting harmless bogus information" bug.
Not sure it's a bug. I turned off Stealth Mode as my router, 'Stealths.' These reports, so far, have now ceased.
However, it's also strange that my router is designated as the DNS server and, when Stealth Mode is enabled, it reports 'router to my machine IP' traffic.
This even happens overnight and I know the OS communicates but often an IP appears that has nothing to do with this communication?
When I reported 'abuse' to one such 'intrusion' I was told it was my machine/me-interpreting FW incorrectly, and was referred to this discussion?
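For triaging a firewall log like the one in this thread, the sketch below (an added example, not code from any poster or from Apple) separates entries that look like late DNS replies, as explained in the first answer, from the UDP 1026-1028 probes described in the quoted ISP response. The labels, the ephemeral-port threshold and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the "Stealth Mode connection attempt" line format quoted in the thread.
LINE_RE = re.compile(
    r"Stealth Mode connection attempt to (?P<proto>UDP|TCP) "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)"
)

EPHEMERAL_MIN = 49152                 # assumption: IANA dynamic range used for outgoing queries
MESSENGER_PORTS = {1026, 1027, 1028}  # destination ports named in the quoted ISP reply


def classify(line):
    """Return a heuristic label for one log line, or None if it is not a Stealth Mode entry."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src_port, dst_port = int(m["src_port"]), int(m["dst_port"])
    if m["proto"] == "UDP":
        # A reply from port 53 to a high port that has already closed: the resolver
        # stopped listening before this answer arrived. Source ports can be spoofed,
        # so treat this as a hint and compare src_ip with your configured resolvers.
        if src_port == 53 and dst_port >= EPHEMERAL_MIN:
            return "late-dns-reply"
        if dst_port in MESSENGER_PORTS:
            return "messenger-spam-probe"
    return "unsolicited"


def summarize(lines):
    """Count labels over an iterable of log lines, skipping unrelated lines."""
    return Counter(label for label in map(classify, lines) if label)


# Constructed sample lines (documentation address ranges), not taken from a real log.
SAMPLE = [
    "Jul 16 17:27:59 : Stealth Mode connection attempt to UDP 192.168.37.3:62845 from 192.0.2.53:53",
    "Jul 16 17:28:04 : Stealth Mode connection attempt to UDP 192.168.37.3:52647 from 198.51.100.7:53",
    "Jul 16 23:10:12 : Stealth Mode connection attempt to UDP 192.168.37.3:1026 from 203.0.113.9:34211",
    "Jul 16 23:11:40 : Stealth Mode connection attempt to TCP 192.168.37.3:22 from 203.0.113.80:40112",
    "Jul 16 23:12:01 : Allow mDNSResponder connecting from 192.168.37.1:5353",
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE).most_common():
        print(f"{count:4d}  {label}")
```

Entries left in the "unsolicited" bucket are the ones worth a closer look; the other two buckets match the benign patterns described in the thread.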