Firewall question?
-
Recently checked my firewall logs and noticed I have been receiving a lot of UDP traffic for foreign IP addresses.
2 Questions
1. What could be causing this?
2. Is this type of traffic something to be worried about?
A few entries from the firewall log:
block Jun 26 11:53:56 WAN 31.36.164.172:6881 UDP
block Jun 26 11:54:00 WAN 217.208.27.144:24582 UDP
block Jun 26 11:54:00 WAN 58.11.241.99:19714 UDP
block Jun 26 11:54:05 WAN 176.196.83.80:13853 UDP
block Jun 26 11:54:09 WAN 31.36.164.172:6881 UDP
block Jun 26 11:54:09 WAN 61.147.76.24:20106 UDP
block Jun 26 11:54:09 WAN 176.215.185.51:61286 UDP
block Jun 26 11:54:11 WAN 5.18.162.44:43404 UDP
block Jun 26 11:54:14 WAN 82.156.90.132:27642 UDP
block Jun 26 11:54:14 WAN 46.214.17.47:6881 UDP
block Jun 26 11:54:15 WAN 78.241.48.238:8362 UDP
block Jun 26 11:54:15 WAN 213.24.126.166:18423 UDP
block Jun 26 11:54:16 WAN 69.163.4.26:61863 UDP
block Jun 26 11:54:18 WAN 83.250.180.15:21120 UDP
block Jun 26 11:54:25 WAN 174.65.111.180:46064 UDP
block Jun 26 11:54:25 WAN 219.165.163.73:61314 UDP
block Jun 26 11:54:25 WAN 103.225.230.30:18169 UDP
block Jun 26 11:54:28 WAN 213.176.224.71:32201 UDP
block Jun 26 11:54:34 WAN 95.221.120.127:61218 UDP
block Jun 26 11:54:39 WAN 213.21.36.232:44005 UDP
block Jun 26 11:54:46 WAN 180.215.90.159:1027 UDP
block Jun 26 11:54:53 WAN 82.150.42.191:27746 UDP
block Jun 26 11:54:56 WAN 172.56.34.98:37916 UDP
block Jun 26 11:55:12 WAN 81.25.57.45:40959 UDP
block Jun 26 11:55:15 WAN 112.198.64.28:22362 UDP
block Jun 26 11:55:18 WAN 176.92.95.151:59054 UDP
block Jun 26 11:55:20 WAN 178.95.2.200:17189 UDP
block Jun 26 11:55:28 WAN 31.36.164.172:6881 UDP
block Jun 26 11:55:30 WAN 37.147.144.218:54120 UDP
block Jun 26 11:55:37 WAN 119.165.45.85:14445 UDP
block Jun 26 11:55:38 WAN 79.157.73.222:61060 UDP
block Jun 26 11:55:38 WAN 119.165.45.85:14445 UDP
block Jun 26 11:55:41 WAN 190.232.87.63:45682 UDP
block Jun 26 11:55:47 WAN 185.21.216.141:26000 UDP
block Jun 26 11:55:48 WAN 223.206.251.57:12315 UDP
block Jun 26 11:55:58 WAN 67.160.228.87:34175 UDP
block Jun 26 11:56:02 WAN 84.85.106.204:49176 UDP
block Jun 26 11:56:05 WAN 109.148.254.231:47404 UDP
block Jun 26 11:56:07 WAN 94.31.88.219:6881 UDP
block Jun 26 11:56:08 WAN 109.248.74.52:52652 UDP
block Jun 26 11:56:09 WAN 86.71.153.86:26085 UDP
-
6881 is generally for Torrents. See if anything like that is running. BitTorrent/Azureus etc.
-
TCP port 6881 is the actual listening port for BitTorrent, UDP 6881 is very likely the DHT (distributed hash table) data port. It's very common to see a flood of DHT traffic on your WAN address after quitting your BitTorrent client. Your peers are still trying to connect to the now non-existing DHT node.
-
It's not common to see traffic to your interface for IPs that are not yours. Those are not broadcast. So I think his question is why would he be seeing traffic not to his IP?
-
It's not common to see traffic to your interface for IPs that are not yours. Those are not broadcast. So I think his question is why would he be seeing traffic not to his IP?
I assumed the IPs in his list are the source IPs and not the destination. If they are the destination, then something is very wrong with his ISP.
-
The way he worded it, it sounds like dest to me. Which, yup, would be very odd.
@Kyle can you clarify if those IPs you are seeing are source or dest? Maybe post a screenshot showing the headers in the log. The normal log would show what rule blocked them, and seeing both source and dest could shed more insight into what the traffic is.
But there is lots of UDP noise out there, I normally just put in to not even log the UDP noise.
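
An added example, not part of any post in this thread: a small Python triage of a log in the column layout shown in the first post, tallying blocked UDP entries by port and by logged endpoint so the share on port 6881 and any repeat endpoints stand out. The sample lines are constructed from documentation address ranges, and the logged `ip:port` is treated only as "the endpoint in the log", since the thread has not established whether it is source or destination.

```python
import re
from collections import Counter

# Layout seen in the post: action, date, time, interface, ip:port, protocol.
LINE = re.compile(
    r"^(?P<action>\w+)\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>[\d:]{8})\s+"
    r"(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+(?P<proto>\w+)"
)
BT_DEFAULT_PORT = 6881  # port the replies associate with BitTorrent / DHT

# Constructed sample (documentation address ranges), not the poster's log.
SAMPLE = """\
block Jun 26 11:53:56 WAN 192.0.2.10:6881 UDP
block Jun 26 11:54:00 WAN 198.51.100.7:24582 UDP
block Jun 26 11:54:09 WAN 192.0.2.10:6881 UDP
block Jun 26 11:54:14 WAN 203.0.113.5:6881 UDP
block Jun 26 11:54:15 WAN 198.51.100.99:8362 UDP
this line is malformed and must be skipped
block Jun 26 11:55:28 WAN 192.0.2.10:6881 UDP
block Jun 26 11:56:07 WAN 203.0.113.77:6881 TCP
"""

def parse(text):
    """Return one dict per well-formed entry; skip anything that does not match."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and int(m["port"]) <= 65535:
            entries.append({**m.groupdict(), "port": int(m["port"])})
    return entries

def summarize(entries, proto="UDP"):
    """Tally blocked entries for one protocol by port and by logged endpoint."""
    hits = [e for e in entries if e["action"] == "block" and e["proto"] == proto]
    ports = Counter(e["port"] for e in hits)
    endpoints = Counter(e["ip"] for e in hits)
    return {
        "total": len(hits),
        "distinct_endpoints": len(endpoints),
        "bt_port_hits": ports[BT_DEFAULT_PORT],
        "repeat_endpoints": {ip: n for ip, n in endpoints.items() if n > 1},
        "top_ports": ports.most_common(3),
    }

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```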