Odd connection attempts. Pls help.

[greywizard]

Ok, system check:

OS: WinXP Pro SP3 running on an Athlon 64 TK55

Firewall: Comodo 3.10

Internet connection: Wireless through a SpeedTouch wireless router/dsl modem @ 4Mbs/384kbs.

BT client: Bitcomet 1.14

I want to emphasize that my BC client is running fine and the port forwarding is going ok too. The thing is, while BC is running I keep finding in the firewall logs (Comodo that is), entries of blocked inbound connection attempts, both on TCP and UDP, on the 2 ports used by Bitcomet and Emule plugin. Except, the application towards which the connections are attempted appears as "Windows Operating System" in the firewall log. Now, I dont't know if these are legit connection attempts or hack attempts. Besides I don't know what process does "Windows Operating System" stand for since I have no such entry in my firewall's network policies list. I can't imagine why would a BT client, try to connect to another process instead of Bitcomet. But if, anyways this is a legit way to attempt a connection then I should try and find a way to allow this in order to get more peers.

Besides in the logs there are many different IPs which attempt these connections not just a single one, so except for a botnet atack this doesn't make much sense to me. Any ideas as to why is this happening? I mean is it normal behaviour for BT protocol to involve Windows OS components (not talking here about TCP/IP suite) into achieving connections or it should work just between the two BT clients? Because the BC download works regardless of the fact that these connection are blocked. I'm just thinking that maybe I'm loosing peers this way, which, in the event of not very healthy torrents is a bad thing.

The only entries in my firewall that come close to Windows core components are:

System (which by the way, has an "ask" rule for unmatching requests, so it can't raise the blocking event)

svchost.exe

explorer.exe

alg.exe

Windows Updater Aplications

I have no idea which one could raise this event, but most important if should be allowed in the firewall.

To mods: If this is not posted in the right section please move it and I'm sorry for the length of the post too.

Edited August 4, 2009 by greywizard (see edit history)

[kluelos]

This is normal for P2P. The essence of it is that other peers will attempt to contact you. They got your IP and port number from the tracker or from the DHT network.

Everything else that you normally do on the internet involves you contacting a server, and it replying to you. Normally nobody initially contacts you, only replies to you. Those who try to start contact you are the bad guys, and your firewall is there to block them. It's hyper about incoming unsolicited traffic.

But P2P means you've got those peers trying to initiate contact with you, and you want them to do that. You open your firewall on a designated port, publish that port to the tracker and via DHT, then let your client deal with connection attempts. These will include malware probes, but your client won't recognize them, and so will reject them and keep you safe.

[greywizard]

First of all, thanks for replying. :)

Well, I'm well aware that this is the way P2P works, and for my Bitcomet client, all inbound traffic on the two designated ports reaches my Bitcomet client a.k.a I can download with a green light and everything. What I don't understand is why some of the inbound requests are targeting another application/process but on the designated ports for Bitcomet. And more important, if I should unblock that process as well, in the firewall.

[kluelos]

Sorry if I wasn't clear. They are most probably malware probes targeting vulnerable windows processes in hopes they can get through this open port they found.

It is not a firewall's job to route incoming traffic. You are not unblocking a port "for" an application, but simply unblocking a port for any/all traffic addressed to that port. It is your winsock's job to route the traffic, using the port number for routing. This bit of confusion is the main reason I dislike Commodo. I suppose it's conceptually easier, since the outbound firewalling DOES work that way, and most people don't P2P so are never concerned with inbound traffic. But still...

When BitComet starts, it registers itself with Winsock as the recipient for all traffic on the designated listen port. No other application can share a registered port. Any app that subsequently tries to register for it will be rebuffed by Winsock, and the application will halt with an error.

(This is a common support issue for us, when somebody has an instance of BC set to autostart but doesn't know it, and then tries to start a second instance. BC reports that the port is unavailable, and then dies. Changing ports in the configuration doesn't help, for a hopefully obvious reason.)

So you shouldn't attempt to open the port "for" those other applications, which isn't really the case anyway. You can safely ignore them, but you probably can't stop them. (Use them to show anyone who wonders whether they really need a firewall.)

[greywizard]

Thank you for the heads up man! Now I've really got it. I've been peeking through TCP/IP specifications and all related networking stuff, lately, but I'm still a far cry from grasping it altogether. So, this was really helpful both as theoretical insight and as practical info.

As to the firewall matter, what other firewall (preferably free, too) would you consider a better choice? When I chose Comodo, I did it because it seemed very flexible, low on resources and besides having an IDS, it protects against code injection attempts, too. But I can't say I've tested many others so that's why I'm asking.

Thanks again.

[kluelos]

Commodo is very good as a firewall, especially when compared to a number of others like Outpost or ZoneAlarm. But the Windows built-in is entirely good enough for most people.

I discommend third-party firewalls for the vast majority of users, precisely because they do perform outbound filtering.

That's a good idea if you're very familiar with all of the processes that normally run on your computer, but most folks haven't the first idea. When the firewall says, "blgfltz.exe wants to access the internet, should I allow it?", it's placing the burden of judgment on the LEAST-qualified person around. If you make the wrong choice, if blgfitz.exe turns out to be malware, well, you're the one who allowed it, not the firewall, so it's your fault, not the manufacturer's.

That stinks on ice.

What's worse is that the firewall will train you to allow this. It will nag you to death with access requests when you first install it. Now MAYBE you'll google the first few such requests and find out what is trying to access the net, and that it's harmless/desirable, but most people get sick of that very quickly. Having checked a few times and each time finding there was no problem, they just get used to automatically saying "yes". The firewall has trained them to do this. So when malware DOES come along, chances are they're just going to allow it through anyway. "Nag, nag, about some incomprehensible thing that wants to get to the internet, It's asked me this a hundred times already, so yeah, sure, whatever." Firewalls don't even tell you if they think the thing is probably harmless or malware, they just punt the decision to you, then pass the buck to you for any wrong decisions.

So no, most people shouldn't use third=party firewalls at all.

If you do your regular, recommended hygiene and take recommended precautions with email and downloads, then you won't need to worry about malware phoning home. (Not that, in most cases, most people would know what to do about that anyway.) If they don't have a router, the Windows firewall will protect them from inbound attempts, and BitComet can use ICF to open and close its listen port as needed. If they do, the firmware firewall in the router is all they need.

If you're going to have a third-party firewall, then it becomes incumbent on you to learn its good points and flaws, and how to use it effectively.

[greywizard]

I do agree with you entirely. I remember even now the first time I installed Norton Internet Security on a Win98. I really freaked out when all those pop-ups started to flood my display. I kept thinking: "Oh, my God I have so many security problems that I ddn't know about." I had no clue how to tell apart legit apps from malware and it all seemed so complicated. So I froze almost entirely my LAN and internet connection. On the bright side, this motivated me to start and learn a bit about networking, the processes that run inside my comp and the way this stuff works, so now I'm pretty comfortable whith running a tird-party firewall. And I can name a few times when this has helped me by blocking malware that was trying to call home. In light of this I think I'll stick with my Comodo, as I kind of grew fond of it by now. Thanks.

[The UnUsual Suspect]

I personally love having a bi-directional firewall. If you want one that is user-friendly for an average users, then I'd recommend McAfee. It doesn't block known windows processes, but lets you know when any 3rd party program tries to connect to the net, prompting you to approve it once/always, or outbound only.

[greywizard]

Thanks. I think I'll give it a try. In the trial version of course, because I believe you have to pay for the whole thing. But I'd rather stay on the free side for this kind of software, even if I have to go the extra mile to learn the inner works of the internet and of networking in general. And a few hundred yards I did already :D , and what's better I found out that I like all this networking part of the IT and I don't mind leaning more. I mean I already have some basic knowledge of the main TCP/IP protocols which helped me configure my firewall. It's just that this particular case required a little more and kluelos has cleared that up for me. So I guess that on the long run I'll stick with Comodo, unless I find a better freeware 'cause so far it provided me with pretty much all the protection I needed and it haven't failed me once yet.