
Troubleshooting blocking communications (attack?)



Hello guys.

A few days ago I posted something related to ICMPv6 being blocked from my router, and I keep getting these blocked communications.

ESET doesn't detect any kind of malware or problem with my network.

Can someone tell me what these blocked comms mean?

The MAC addresses and IPs are hidden, but they belong to my network (my router and my PC).

The big question that I have is: is someone tracking something from my router besides my ISP?

I don't use a VPN, but I checked for DNS leaks and it's all connected to servers from my ISP. (Don't know if it's important, I'm a noob in this stuff.)

 

1st picture - Service Host from Windows

2nd - DNS Client 

3rd - Router

4th - Kernel 

5th - SSDP Detection.


  • Administrators

The rule of thumb is not to open the firewall troubleshooting wizard unless you actually experience a network-related issue and pausing the firewall resolves it. Just make sure that you mark your local network as trusted when detected. Only in case you encounter a specific network-related issue, run the firewall troubleshooting wizard to see recently blocked connections and unblock the desired one.


Thank you for your reply!

Here's the thing: last year, I had unwanted access to my router and I think it was infected. I changed routers twice, new laptop, ISP stuff, etc...

So, I am assuming that my IP and DNS were changed when they (the ISP) installed a new device (router), and they tell me that they did that, so I am confident in it.

I just installed ESET last week, I don't really know how to read some things and I'm not a network expert.

In short, is this normal? Should I be worried about these blocked comms?

Once again, thank you for your time.

@marcos

Edited by arialtypes

P.S. It only pops up in troubleshooting when I connect to my network, and I can keep using it and it doesn't show up unless I disconnect and connect again.


The key to determining the Eset Network Troubleshooter issues is the use of the 169.254.xxx.xxx IP address shown in the screen shot. If there is an issue with DHCPv4 initialization and resultant local network IP address assignment, Windows will default to assignment in the APIPA address range:

Quote

(Automatic Private IP Addressing) The Windows function that provides DHCP autoconfiguration addressing. APIPA assigns a class B IP address from 169.254.0.0 to 169.254.255.255 to the client when a DHCP server is either permanently or temporarily unavailable. Designed for small non-routable networks, if a DHCP server becomes available later, the APIPA address is replaced with one from the DHCP server. For example, when a Windows Vista machine starts up, it waits only six seconds to find a DHCP server before assigning an IP from the APIPA range. It then continues to look for a DHCP server. Previous versions of Windows looked for a DHCP server for up to three minutes. See DHCP autoconfiguration addressing, DHCP and private IP address.

https://www.pcmag.com/encyclopedia/term/apipa

Simply put, there appears to be an issue with the DHCP server on your router.

As for the rest of the blocks shown in the Network Troubleshooting screen shots, those all appear to be related to local network traffic such as uPnP, NetBIOS, and the like. This blocked network traffic also points to an issue with the router.

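The APIPA check described above, as an added example that is not part of the original thread: it parses `ipconfig` and `netstat -an` text to flag addresses in 169.254.0.0/16 and to list sockets bound to local discovery ports. The sample output and the function names are constructed for illustration.

```python
import ipaddress
import re

APIPA = ipaddress.ip_network("169.254.0.0/16")  # self-assigned when no DHCP lease arrives
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Local discovery services of the kind named in the post (UPnP, NetBIOS).
DISCOVERY_PORTS = {137: "NetBIOS name", 138: "NetBIOS datagram",
                   139: "NetBIOS session", 1900: "SSDP (UPnP)"}

def classify(addr):
    """Coarse scope label for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip in APIPA:
        return "apipa"
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    return "private" if any(ip in net for net in RFC1918) else "public"

def apipa_interfaces(ipconfig_text):
    """IPv4 addresses in `ipconfig` output that fall in the APIPA range."""
    found = re.findall(r"IPv4 Address[ .]*: (\d+\.\d+\.\d+\.\d+)", ipconfig_text)
    return [a for a in found if classify(a) == "apipa"]

def local_discovery_sockets(netstat_text):
    """(local address, scope, service) for sockets bound to discovery ports."""
    rows = []
    pattern = r"^\s*(?:TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)"
    for addr, port in re.findall(pattern, netstat_text, re.M):
        if int(port) in DISCOVERY_PORTS:
            rows.append((addr, classify(addr), DISCOVERY_PORTS[int(port)]))
    return rows

# Constructed sample output, not taken from the thread's screenshots.
IPCONFIG = """Wireless LAN adapter Wi-Fi:
   Autoconfiguration IPv4 Address. . : 169.254.12.34
"""
NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    169.254.12.34:139      0.0.0.0:0              LISTENING
  UDP    169.254.12.34:137      *:*
  UDP    169.254.12.34:1900     *:*
  TCP    169.254.12.34:49712    203.0.113.10:443       TIME_WAIT
"""

if __name__ == "__main__":
    print("APIPA addresses (no DHCP lease):", apipa_interfaces(IPCONFIG))
    for row in local_discovery_sockets(NETSTAT):
        print(row)
```

A non-empty result from `apipa_interfaces` means the adapter never received a lease, which is the condition the post attributes to the router's DHCP server.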

Thank you for your attention, Sir!

So, about 169.254.xxx, I've already seen a post that says it is a normal thing, thank you for that too!

About DHCP, all I saw is that it is a protocol that allows computers to connect to each other (right?)

It turns out this is my home network and, besides the ISP devices, there is nothing else connected. I saw the DHCP option on my router's admin page, and all I saw is my laptop and the TV box. Could it be them trying to connect?

About the other logs (uPnP, Netbios, etc...), is this a dangerous problem? I'm thinking of calling the ISP to see if they can fix these problems because I'm not qualified for these things.

Thank you again for your time, patience and help!

@itman

 

Edited by arialtypes

Sorry! Don't know why that was written in Portuguese.

So, about the 169.254.xxx, I've seen a post that says that is a normal thing. Thank you for that!

About DHCP, everything that I saw is that DHCP is a protocol that allows PCs to connect to each other in the same network, right?

The thing is, this is my home network and besides the ISP devices, there's nothing else connected.
I've seen the DHCP option in the admin page of my router and everything that I saw was my laptop and my box.

About the other logs (uPnP, Netbios, etc...), is this a dangerous problem? I'm thinking about calling my ISP to see if they can solve these problems because I'm not qualified for this.

@itman


5 minutes ago, arialtypes said:

So, about the 169.254.xxx, I've seen a post that says that is a normal thing.

No, it is not a normal thing. It means the local subnet IP addresses are not being properly assigned by the router; most likely due to a DHCPv4 server issue on the router.

Also, Eset Networking does not handle APIPA IP address assignment well. This is most likely why you're seeing the blocked Network Wizard connections.


Just now, itman said:

No, it is not a normal thing. It means the local subnet IP addresses are not being properly assigned by the router; most likely due to a DHCPv4 server issue on the router.

Also, Eset Networking does not handle APIPA IP address assignment well. This is most likely why you're seeing the blocked Network Wizard connections.

Really? Thank you for that!

Does that mean that I might have something malicious in my network that changed that information?

I'm going to call my ISP tomorrow to talk about this information.


33 minutes ago, arialtypes said:

Does that mean that I might have something malicious in my network that changed that information?

Most likely not. Hopefully your ISP can diagnose what the issue is with your router. This would especially be the case if they issued the router to you.


@itman @Marcos

Quick update about this topic.

I went to the PC store that installed ESET on my machine; they saw the events and I showed them your replies about this situation. They told me as well that this might be the problem. We checked some IPs that were showing up in CMD using "netstat" and nothing was wrong. There were so many things to talk about that I forgot to check with them 2 IPs that I saw bad info about online.

Those are the IPs that I found in CMD:

151.139.128.14 (timewait)
152.199.19.160 (timewait)

They come back to some Verizon company and another one called Stackpath, but there's also information and reports about malicious activity, so I don't know what to trust at this point.

After that, I called my ISP's support about the situation that we both discussed regarding DHCPv4. They told me that they are going to see if something is wrong with the router and connection, and they will call me later.

I also mentioned those 2 IPs that I found in CMD; they recommended that I inform the authorities, and they also said that they are going to check those IPs.

So, I don't think there's a need to call the authorities and talk about this situation because, first, they told me from the beginning that my IP was changed when the devices were changed; second, I don't have any kind of information about the problem, so I don't really know what to say besides that I found some IP addresses in my CMD, because I'm waiting for the ISP to call me and inform me about this situation.

Does anyone know if these IPs are safe, and should I be worried?

 

Thank you all.

 

 

Edited by arialtypes

1 hour ago, arialtypes said:

Those are the IPs that I found in CMD:

151.139.128.14 (timewait)
152.199.19.160 (timewait)

Those IP address are associated with Highwinds Network Group. They are a legit ISP provider. There is one reference to it engaging in suspect activity: https://scamalytics.com/ip/isp/highwinds-network-group but in reality, almost the same can be said for any major CDN provider. They all have one or more suspect domains associated with them. Note that the IP addresses you referenced are not listed in the above scamalytics link.

Note that Eset will protect you against known malicious domains.


@itman For real? So why does IPQualityScore.com say that those IPs are very dangerous? They rate them above 90 on a scale of 0-100. Also, I've seen a website that shows reports from users in the last few days.

And why am I being connected to a USA ISP? (Windows related?) Sorry for my ignorance on this topic.

 

Thank you once again.

 


38 minutes ago, arialtypes said:

And why am I being connected to a USA ISP? (Windows related?)

It's the way the Internet works. The Internet consists of a world-wide network, commonly referred to as the "backbone," of servers for load distribution purposes.


Hmmm OK... I'm really concerned about this.

Right now those IPs don't show up, but it's showing an IPv6 address that I took a screenshot of, and this time the connection is established.

My PC just "crashed" or something; it was like it rebooted but stayed on... everything disappeared, the right-side icons... just like a transition, you know? I went to check the CMD netstat command again, and it wasn't there.

When it was, I used netstat -a -b to see where it was connected; it was connected to spoolsv.exe, and I don't have a printer. I saw the file in the w32 folder, so I don't really understand why this is happening.

 

@itman

Edited by arialtypes

How is that? Can ESET support me in my country?

If not, should I show these reports to the store (honest and trustworthy people) once again?

I'm still waiting for my ISP, it could take hours or days... @itman

I really don't know any other kind of service that I can contact; you have been one of the biggest helps that I've had so far. Thank you for that.


The thing is, all these IPs are showing up in CMD, and I'm finding them with those commands (netstat, netstat -a -b), not ESET.

From ESET I just get communications blocked; that must be because of the IP like you mentioned.

@itman

 

Edited by arialtypes
