16 Replies Latest reply: Oct 18, 2010 2:19 AM by WhiteHatH4x0r
jasgaravito Level 1 (0 points)
I opened console yesterday and it said, several times:

Stealth Mode connection attempt to UDP 192.168.1.2:64414 from 8.8.8.8:53

I checked today and it is the same:

5/19/10 9:19:57 PM Firewall[74] Stealth Mode connection attempt to UDP 192.168.1.2:64414 from 8.8.8.8:53


Does this mean my computer is being attacked or something like that?

How can I be protected and get rid of it, whatever it is?

Black MacBook, Mac OS X (10.6.3)
  • Barney-15E Level 8 (42,625 points)
    That is Google's Public Domain Name Server. It is probably responding to a request from your computer and the computer thinks the response is a stealth connection attempt.
  • Drdul Level 1 (15 points)
    @Barney: Thanks for the explanation. I'm getting a lot of these, too. Any noob-friendly suggestions as to how to configure the firewall to let these requests through?
  • William Kucharski Level 6 (14,890 points)
    You don't need/want to.

    Basically what it means is that the remote side sent your computer data after you had already closed the connection.

    It's annoying in the logs, but it doesn't harm anything.
  • Drdul Level 1 (15 points)
    @William: Thanks! Good to know I don't have to do anything and I don't have to worry about it.
  • dhwagner Level 1 (0 points)
    I get lots of "Stealth Mode connection attempt"s from my DNS server. They seem to occur when I open web pages or otherwise generate DNS requests. You would think this traffic would be passed by the firewall, and not blocked. Thankfully DNS still works, but I don't like to fill up log files.

    Jul 16 17:27:59 : Stealth Mode connection attempt to UDP 192.168.37.3:62845 from 68.94.156.1:53
    Jul 16 17:28:04 : Stealth Mode connection attempt to UDP 192.168.37.3:52647 from 68.94.156.1:53
    Jul 16 17:29:27 : Stealth Mode connection attempt to UDP 192.168.37.3:56128 from 68.94.156.1:53
    Jul 16 17:29:28 : Stealth Mode connection attempt to UDP 192.168.37.3:54862 from 68.94.156.1:53
    Jul 16 17:29:29 : Stealth Mode connection attempt to UDP 192.168.37.3:61581 from 68.94.156.1:53
    Jul 16 17:29:46 : Stealth Mode connection attempt to UDP 192.168.37.3:59857 from 68.94.156.1:53

    Is it a bug?
  • William Kucharski Level 6 (14,890 points)
    It's not blocked traffic per se.

    The best analog I can think of is say you were to ask someone what their three favorite TV shows were, but when you hear the first answer you go off to watch it and don't bother to wait for them to finish their reply.

    All a stealth mode connection means is that something on the remote server tried to send data to a particular port on your machine, but nothing on your machine was listening for data on that port (in this case, anymore.)
  • Tony Curtis Level 1 (5 points)
    Hi William, I too get Stealth Mode TCP/UDP stuff even when I am asleep at night. Some seem to emanate from router 192 to 192 but others are truly "scanning?" from verifiable sources.

    One thread I found brought this response from the 'apparent' source:

    +The “attacks” you are seeing on your system are not attacks per se. Although we cannot say definitively without seeing the logs of your firewall, we have seen dozens of similar reports over the past few months with exactly the same symptoms.+

    +The IP address you have reported to us, 24.64.XX.XX, is not currently in use nor has it even been assigned to any device in the past 90+ days. You are likely also seeing probes from many other random IPs within the 24.64.X.X range. All of these probes will be UDP. All of the probes will be directed at ports 1026, 1027 & 1028 on your computer. All of them are spoofing their origin.+

    +This traffic is NOT originating from XXXX's network.+

    +What is actually happening is that there is an unscrupulous advertiser which is spoofing XXXX IP addresses in the 24.64.0.0/16 range and is trying to send messenger pop-ups to computers in order to dupe people into buying a product. It has been quite a thorn in our side because it is falsely indicating XXXX customers are at fault for the traffic.+

    +Your security software is smart enough to deflect these probes but not smart enough to know what is really going on. Each probe it sees is interpreted as an attack on your system and you are notified accordingly. Understandably, this can be quite alarming but, in this case, is actually nothing to be concerned with. In the future, any UDP probes you see from 24.64.X.X IPs on ports 1026, 1027 & 1028 can be ignored. Please do keep us apprised of ANY other attacks you may see from XXXX IP addresses.+

    +If you have any further questions or comments please do not hesitate to contact us.+

    Regards,

    +Acceptable Use Policy Management Team+
    ========
    I sent a similar abuse comment to a verified WHOIS just now.

    The router has UPnP (PNP) off and has a 21 alphanumeric password for security reasons.

    There's something weird about all this but Little Snitch should stop any unrequested answers, if they get through (I think?)

    regards
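
As an added example (not part of the original thread and not Apple's code), a small Python triage script for these firewall entries: it separates late DNS answers from a configured resolver, as William Kucharski describes, from the UDP probes to ports 1026-1028 described in the quoted ISP reply, and flags everything else for review. The resolver set, the ephemeral port threshold and the constructed sample lines are assumptions.

```python
import re
from collections import Counter

# Line format as quoted in this thread; TCP entries are assumed to use the same layout.
ENTRY = re.compile(
    r"Stealth Mode connection attempt to (?P<proto>UDP|TCP) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) from (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
)
MESSENGER_PORTS = {1026, 1027, 1028}  # ports named in the quoted ISP reply
EPHEMERAL_MIN = 49152  # assumption: default start of the Mac OS X ephemeral port range


def classify(line, resolvers):
    """Label one log line; returns None when it is not a stealth-mode entry."""
    m = ENTRY.search(line)
    if m is None:
        return None
    udp = m["proto"] == "UDP"
    src_port, dst_port = int(m["src_port"]), int(m["dst_port"])
    if udp and src_port == 53 and dst_port >= EPHEMERAL_MIN:
        # Answer from port 53 to a short-lived client port that has already closed.
        if m["src_ip"] in resolvers:
            return "late-dns-reply"
        return "dns-reply-from-unconfigured-server"
    if udp and dst_port in MESSENGER_PORTS:
        return "messenger-popup-probe"
    return "review"


def triage(lines, resolvers):
    """Count stealth-mode entries per label, ignoring unrelated log lines."""
    labels = (classify(line, resolvers) for line in lines)
    return Counter(label for label in labels if label is not None)


# Resolvers this machine is configured to use (here: the two seen in the thread).
RESOLVERS = {"8.8.8.8", "68.94.156.1"}

SAMPLE = [
    # First two lines are quoted from the thread; the rest are constructed.
    "5/19/10 9:19:57 PM Firewall[74] Stealth Mode connection attempt to UDP 192.168.1.2:64414 from 8.8.8.8:53",
    "Jul 16 17:27:59 : Stealth Mode connection attempt to UDP 192.168.37.3:62845 from 68.94.156.1:53",
    "Jul 16 17:30:02 : Stealth Mode connection attempt to UDP 192.168.37.3:1026 from 203.0.113.7:40000",
    "Jul 16 17:30:40 : Stealth Mode connection attempt to UDP 192.168.37.3:60000 from 203.0.113.53:53",
    "Jul 16 17:31:10 : Stealth Mode connection attempt to TCP 192.168.37.3:22 from 198.51.100.9:51515",
    "Jul 16 17:32:00 : unrelated log line",
]

if __name__ == "__main__":
    for label, count in triage(SAMPLE, RESOLVERS).most_common():
        print(f"{count:3d}  {label}")
```

Entries labelled `dns-reply-from-unconfigured-server` or `review` are the ones worth reading individually; the other two labels match the benign patterns described in the thread.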
  • Tony Curtis Level 1 (5 points)
    I just booted from a backup that had DoorStop & Who's There Apps. The OSX FW indicated 'scanning' is NOT picked-up by this App? Therefore, one thinks it's benign?

    regards
  • KJK555 Level 4 (2,895 points)
    Actually it seems to be a bug in Snow Leopard.

    http://forums.opendns.com/comments.php?DiscussionID=7286

    Message was edited by: KJK555
  • Chris CA Level 9 (77,925 points)
    Actually it seems to be a bug in Snow Leopard.

    ???
    The link you posted does not indicate that.
  • KJK555 Level 4 (2,895 points)
    "...requests are being responded to by our servers and the destination servers but the response is being reported back as malicious in your "Stealth Mode" log. ...The same thing seems to happen for users using other DNS providers when in "Stealth Mode."

    It doesn't happen in 10.5.x. I have dual boot, and 10.5 running on the same hardware doesn't fill the firewall log with "stealth mode connect attempt..." messages.

    Since it happens to scores of people on different IP providers, I consider it an "across the board" bug. True, it is really nothing more than an annoyance, and it is totally harmless, but it is still a bug, even if it is just a "reporting harmless bogus information" bug.
  • Chris CA Level 9 (77,925 points)
    Ogay.
    I get it also. Anywhere from every few seconds to every few minutes.
  • Chris CA Level 9 (77,925 points)
    "Ogay"?!?! How about "Okay", I see what you are saying.
  • Tony Curtis Level 1 (5 points)
    Not sure it's a bug. I turned off Stealth Mode as my router, 'Stealths.' These reports, so far, have now ceased.

    However, it's also strange that my router is designated as the DNS Server and when Stealth Mode enabled reports 'router to my machine IP' traffic.

    This even happens overnight and I know the OS communicates but often an IP appears that has nothing to do with this communication?

    When I reported 'abuse' to one such 'intrusion' I was told it was my machine/me-interpreting FW incorrectly, and was referred to this discussion?

    HTH