Stealth Mode connection attempt

I opened console yesterday and it said, several times:

Stealth Mode connection attempt to UDP 192.168.1.2:64414 from 8.8.8.8:53



I checked today and it is the same

5/19/10 9:19:57 PM Firewall[74] Stealth Mode connection attempt to UDP 192.168.1.2:64414 from 8.8.8.8:53


Does this mean my computer is being attacked or something like that?

How can I be protected and get rid of it, whatever it is?

Black MacBook, Mac OS X (10.6.3)

Posted on May 19, 2010 7:23 PM

Question marked as Best reply

Posted on May 19, 2010 8:03 PM

That is Google's Public Domain Name Server. It is probably responding to a request from your computer and the computer thinks the response is a stealth connection attempt.
16 replies

Jul 16, 2010 3:34 PM in response to Dogcow-Moof

I get lots of "Stealth Mode connection attempt"s from my DNS server. They seem to occur when I open web pages or otherwise generate DNS requests. You would think this traffic would be passed by the firewall, and not blocked. Thankfully DNS still works, but I don't like to fill up log files.

Jul 16 17:27:59 : Stealth Mode connection attempt to UDP 192.168.37.3:62845 from 68.94.156.1:53
Jul 16 17:28:04 : Stealth Mode connection attempt to UDP 192.168.37.3:52647 from 68.94.156.1:53
Jul 16 17:29:27 : Stealth Mode connection attempt to UDP 192.168.37.3:56128 from 68.94.156.1:53
Jul 16 17:29:28 : Stealth Mode connection attempt to UDP 192.168.37.3:54862 from 68.94.156.1:53
Jul 16 17:29:29 : Stealth Mode connection attempt to UDP 192.168.37.3:61581 from 68.94.156.1:53
Jul 16 17:29:46 : Stealth Mode connection attempt to UDP 192.168.37.3:59857 from 68.94.156.1:53

Is it a bug?

Jul 16, 2010 6:45 PM in response to dhwagner

It's not blocked traffic per se.

The best analog I can think of is say you were to ask someone what their three favorite TV shows were, but when you hear the first answer you go off to watch it and don't bother to wait for them to finish their reply.

All a stealth mode connection means is that something on the remote server tried to send data to a particular port on your machine, but nothing on your machine was listening for data on that port (in this case, anymore.)
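
An added example, not part of any post in this thread: a small triage script that reads firewall entries in the format quoted above and separates likely late DNS replies (UDP from port 53 of a resolver the host actually uses, to a port in the dynamic range) from entries that deserve a closer look. The resolver set, the label names and the last two sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches the firewall entries quoted in this thread.
ENTRY = re.compile(
    r"Stealth Mode connection attempt to (TCP|UDP) "
    r"([\d.]+):(\d+) from ([\d.]+):(\d+)"
)
DYNAMIC_PORT_MIN = 49152  # start of the IANA dynamic/ephemeral port range


def classify(line, resolvers):
    """Return (label, source_ip) for one log line, or None if it is not an entry."""
    m = ENTRY.search(line)
    if m is None:
        return None
    proto, _dst_ip, dst_port, src_ip, src_port = m.groups()
    from_dns_port = proto == "UDP" and int(src_port) == 53
    to_ephemeral = int(dst_port) >= DYNAMIC_PORT_MIN
    if from_dns_port and to_ephemeral and src_ip in resolvers:
        # Likely a reply from a resolver this host uses, arriving after the socket closed.
        return ("late-dns-reply", src_ip)
    if from_dns_port:
        # Source port 53, but not a configured resolver or not an ephemeral target.
        return ("dns-port-needs-review", src_ip)
    return ("unsolicited", src_ip)


def summarize(lines, resolvers):
    """Count entries per (label, source_ip), skipping non-matching lines."""
    results = (classify(line, resolvers) for line in lines)
    return Counter(r for r in results if r is not None)


# First two lines are quoted from the thread; the last two are constructed.
SAMPLE_LOG = [
    "5/19/10 9:19:57 PM Firewall[74] Stealth Mode connection attempt to UDP 192.168.1.2:64414 from 8.8.8.8:53",
    "Jul 16 17:27:59 : Stealth Mode connection attempt to UDP 192.168.37.3:62845 from 68.94.156.1:53",
    "Sep 28 03:12:10 : Stealth Mode connection attempt to UDP 192.168.1.2:1026 from 203.0.113.7:40000",
    "Sep 28 03:12:11 : Stealth Mode connection attempt to UDP 192.168.1.2:51000 from 198.51.100.9:53",
]
RESOLVERS = {"8.8.8.8", "68.94.156.1"}  # assumption: the host's configured DNS servers

if __name__ == "__main__":
    for (label, src), n in sorted(summarize(SAMPLE_LOG, RESOLVERS).items()):
        print(f"{n:3d}  {label:24s} {src}")
```

The labels are heuristics: UDP source addresses can be spoofed, so "late-dns-reply" means the entry is consistent with a delayed answer from a known resolver, not that it is proven to be one.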

Sep 28, 2010 4:31 PM in response to Dogcow-Moof

Hi William, I too get Stealth Mode TCP/UDP stuff even when I am asleep at night. Some seem to emanate from router 192 to 192 but others are truly "scanning?" from verifiable sources.

One thread I found brought this response from the 'apparent' source:

The “attacks” you are seeing on your system are not attacks per se. Although we cannot say definitively without seeing the logs of your firewall, we have seen dozens of similar reports over the past few months with exactly the same symptoms.

The IP address you have reported to us, 24.64.XX.XX, is not currently in use nor has it even been assigned to any device in the past 90+ days. You are likely also seeing probes from many other random IPs within the 24.64.X.X range. All of these probes will be UDP. All of the probes will be directed at ports 1026, 1027 & 1028 on your computer. All of them are spoofing their origin.

This traffic is NOT originating from XXXX's network.

What is actually happening is that there is an unscrupulous advertiser which is spoofing XXXX IP addresses in the 24.64.0.0/16 range and is trying to send messenger pop-ups to computers in order to dupe people into buying a product. It has been quite a thorn in our side because it is falsely indicating XXXX customers are at fault for the traffic.

Your security software is smart enough to deflect these probes but not smart enough to know what is really going on. Each probe it sees is interpreted as an attack on your system and you are notified accordingly. Understandably, this can be quite alarming but, in this case, is actually nothing to be concerned with. In the future, any UDP probes you see from 24.64.X.X IPs on ports 1026, 1027 & 1028 can be ignored. Please do keep us apprised of ANY other attacks you may see from XXXX IP addresses.

If you have any further questions or comments please do not hesitate to contact us.

Regards,

Acceptable Use Policy Management Team
========
I sent a similar abuse comment to a verified WHOIS just now.

The router has UPnP (PNP) off and has a 21 alphanumeric password for security reasons.

There's something weird about all this but Little Snitch should stop any unrequested answers, if they get through (I think?)

regards

Sep 29, 2010 9:58 PM in response to Chris CA

"...requests are being responded to by our servers and the destination servers but the response is being reported back as malicious in your "Stealth Mode" log. ...The same thing seems to happen for users using other DNS providers when in "Stealth Mode."

It doesn't happen in 10.5.x. I have dual boot, and 10.5 running on the same hardware doesn't fill
the firewall log with "stealth mode connect attempt..." messages.

Since it happens to scores of people on different IP providers, I consider it an "across the board"
bug. True, it is really nothing more than an annoyance, and it is totally harmless, but it is still a
bug, even if it is just a "reporting harmless bogus information" bug.

Sep 30, 2010 5:56 PM in response to KJK555

Not sure it's a bug. I turned off Stealth Mode as my router, 'Stealths.' These reports, so far, have now ceased.

However, it's also strange that my router is designated as the DNS Server and when Stealth Mode enabled reports 'router to my machine IP' traffic.

This even happens overnight and I know the OS communicates but often an IP appears that has nothing to do with this communication?

When I reported 'abuse' to one such 'intrusion' I was told it was my machine/me-interpreting FW incorrectly, and was referred to this discussion?

HTH

Sep 30, 2010 8:19 PM in response to Tony Curtis

Whatever it is, it is for sure, an annoyance. I first observed this behavior several months ago, but I
wrote it off as unimportant (at least to me). Other than flooding the "all messages" log with
useless entries, it appears to be harmless.

My recommendation is: If it annoys you, file a bug report with Apple.

Personally I'm not going to waste any more time on it, since the only cure I found is to take the
firewall out of stealth mode, and I am just not going to do that.
