Weird h.323 connection trying to get through my firewall


Graimer

Hey. I have recently installed fiber ("optical internet" in English maybe?) and installed a dlink dir-655 to maintain a good network here at home. Well, I have recently noticed that when I'm on utorrent (and only when utorrent is open), some IPs from Canada try to connect to me, but are thankfully being blocked by my router. The weird thing is that they are trying to use the h.323 protocol (isn't that video and voip protocol?), and it's attempted 7-8 times normally in a row, then a couple of minutes break, then it's on again. I just can't understand why this only occurs when utorrent is open? Also, sometimes (rarely) my computer tries to use PPTP to a computer out on the web like VPN, but this also just happens when I use utorrent. I do not have any vpn connections or programs installed, neither skype or anything voip (to cause the spamming of h.323 I mean). Anyone experienced anything like this? Adding a little bit of my router log here if it can help.

[iNFO] Fri Sep 19 17:19:04 2008 H.323 ALG rejected packet from 142.68.80.152:1720 to MINEKSTERNEIP:62449

[iNFO] Fri Sep 19 17:16:56 2008 Above message repeated 8 times

[iNFO] Fri Sep 19 17:01:30 2008 PPTP ALG rejected packet from 10.0.0.110:61036 to 80.41.188.94:1723

[iNFO] Fri Sep 19 16:59:57 2008 Above message repeated 5 times

[iNFO] Fri Sep 19 16:57:44 2008 PPTP ALG rejected packet from 10.0.0.110:60860 to 80.41.188.94:1723

[iNFO] Fri Sep 19 16:57:41 2008 H.323 ALG rejected packet from 142.68.80.152:1720 to MYEXTERNALIP:60865

[iNFO] Fri Sep 19 16:57:13 2008 H.323 ALG rejected packet from 142.68.80.152:1720 to MYEXTERNALIP:60659

[iNFO] Fri Sep 19 16:55:05 2008 Above message repeated 8 times

[iNFO] Fri Sep 19 16:53:36 2008 H.323 ALG rejected packet from 142.68.80.152:1720 to MYEXTERNALIP:60361

[iNFO] Fri Sep 19 16:51:28 2008 Above message repeated 8 times

[iNFO] Fri Sep 19 16:49:05 2008 H.323 ALG rejected packet from 142.68.80.152:1720 to MYEXTERNALIP:59976

[iNFO] Fri Sep 19 16:46:58 2008 Above message repeated 8 times

[iNFO] Fri Sep 19 16:46:27 2008 PPTP ALG rejected packet from 10.0.0.110:59731 to 80.41.188.94:1723

[iNFO] Fri Sep 19 16:44:29 2008 Above message repeated 7 times

[iNFO] Fri Sep 19 16:30:48 2008 PPTP ALG rejected packet from 10.0.0.110:58205 to 80.41.188.94:1723

[iNFO] Fri Sep 19 16:29:40 2008 Above message repeated 5 times

[iNFO] Fri Sep 19 16:28:31 2008 PPTP ALG rejected packet from 10.0.0.110:57881 to 80.41.188.94:1723

I may also add that for some reason, utorrent is using ports like 5**** and 6**** even though I have set 23726 as my utorrent port in preferences, why? (I saw it using tcpviewer from Microsoft Sysinternals suite.) And at last, the ports used in the pptp connections sent by me unknowingly are not to be seen in tcpviewer, most likely because utorrent or something else is trying to use it for two seconds then closes..

Thanks, hope that you guys could help me :)


1> When the local port isn't the port you set in the preferences, it's an outgoing connection.

2> Your router's firewall appears to not attempt to accurately identify the traffic. It only bases the traffic type on the port used.

All in all, this is the same as http://utorrent.com/faq.php#Help.21_.C2.B5Torrent_is_sending_e-mails.2Faccessing_the_web.2Fetc.21


Okay, but didn't really get too much out of what you said. Because my MAIN questions (that you didn't answer) were: Why the hell is someone that I'm connected to through utorrent trying to use h.323 alg connections? And why is my utorrent (most likely) trying to use pptp to a server outside my network? And what did you mean with not accurately identifying the traffic (you mean what's incoming and outgoing?), because if you look at the messages it says that the h.323 are FROM "outside ip" TO "my ip", and the pptp FROM "my ip" TO "outside ip".. so someone is trying to connect from the outside to me using h.323, and for some reason I'm trying to set a vpn with someone else...

BTW: what I meant to say in the first post with telling you that utorrent uses 5**** and 6**** ports (seen with tcpview software in Windows), was that utorrent was using ports similar to the ones the PPTP attempt uses to get out and the port the h.323 tries to connect to from the outside.. If that made anything clearer^^


Why the hell is someone that i'm connected to through utorrent trying to use h.323 alg connections?

It's NOT ACTUALLY h.323 connections. Just connections on the traditional h.323 ports.

Same as for the PPTP port. It's not actually doing what you think it's doing.

what i meant to say in the first post with telling you that utorrent uses 5**** and 6**** ports(seen with tcpview software in windows)

These are the ports on the local side of the connection correct? Those are outbound connections. The port defined in your preferences is EXCLUSIVELY for INBOUND connections.


Possible causes:

UDP use by Teredo's IPv6 handling.

UDP DHT packets.

Your router naming a protocol just because it's seeing activity on a port normally used for other protocols.

Hostiles trying to connect to your computer unrelated to uTorrent? (...such as a computer running BitTorrent which has a virus/trojan on it that tries to reconnect to any ips it sees and infect them.)

Do note in TCP view your computer's outgoing port usage as well as the ports of target ips. Normally, uTorrent uses ports in roughly the 1000-5000 range (the ephemeral ports) for your computer's OUTGOING port...but it might also use a rare port higher than that for special functions such as DHT, LPD, Resolve IPs, and Teredo IPv6.


kk, thanks... so then the h.323 connections are set on ignore in my head ^^ but is 57881, 58205 & 59731 normally used for pptp?

switeck, thanks for the information, I can say that I have not installed ipv6/teredo in utorrent and have also disabled ipv6 on my network card, but it can be dht ofc.


from first post: [iNFO] Fri Sep 19 16:46:27 2008 PPTP ALG rejected packet from 10.0.0.110:59731 to 80.41.188.94:1723

[iNFO] Fri Sep 19 16:44:29 2008 Above message repeated 7 times

[iNFO] Fri Sep 19 16:30:48 2008 PPTP ALG rejected packet from 10.0.0.110:58205 to 80.41.188.94:1723

[iNFO] Fri Sep 19 16:29:40 2008 Above message repeated 5 times

[iNFO] Fri Sep 19 16:28:31 2008 PPTP ALG rejected packet from 10.0.0.110:57881 to 80.41.188.94:1723

log from my router.. it's a local port, since it says from my internalip(10.0.0.110)
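
Added example, not part of any post in this thread: a Python sketch that parses the router log format quoted above and checks whether each ALG label is fully explained by the well-known port in the packet (1720 or 1723), and which side of the connection holds the high-numbered local port. The sample lines are taken from the first post with the external-IP placeholder replaced by 203.0.113.10; the LAN range 10.0.0.0/24 and the rule that a "repeated" line belongs to the entry displayed above it are assumptions.

```python
import ipaddress
import re

# Constructed sample: lines from the first post, external IP replaced.
SAMPLE_LOG = """\
[INFO] Fri Sep 19 17:19:04 2008 H.323 ALG rejected packet from 142.68.80.152:1720 to 203.0.113.10:62449
[INFO] Fri Sep 19 17:16:56 2008 Above message repeated 8 times
[INFO] Fri Sep 19 17:01:30 2008 PPTP ALG rejected packet from 10.0.0.110:61036 to 80.41.188.94:1723
[INFO] Fri Sep 19 16:59:57 2008 Above message repeated 5 times
[INFO] Fri Sep 19 16:57:44 2008 PPTP ALG rejected packet from 10.0.0.110:60860 to 80.41.188.94:1723
[INFO] Fri Sep 19 16:57:41 2008 H.323 ALG rejected packet from 142.68.80.152:1720 to 203.0.113.10:60865
"""

LAN = ipaddress.ip_network("10.0.0.0/24")   # assumption: poster's LAN range
WELL_KNOWN = {1720: "H.323", 1723: "PPTP"}  # registered signalling/control ports

REJECT = re.compile(r"(?P<alg>\S+) ALG rejected packet from "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)")
REPEAT = re.compile(r"Above message repeated (?P<n>\d+) times")

def analyse(log_text):
    """One record per reject line: label, direction, port roles, packet count."""
    records = []
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            sport, dport = int(m["sport"]), int(m["dport"])
            outbound = ipaddress.ip_address(m["src"]) in LAN
            records.append({
                "alg": m["alg"],
                "direction": "outbound" if outbound else "inbound",
                # Name implied by the port alone, whichever side carries it.
                "port_label": WELL_KNOWN.get(sport) or WELL_KNOWN.get(dport),
                "well_known_side": "source" if sport in WELL_KNOWN else "destination",
                "local_port": sport if outbound else dport,
                "packets": 1,
            })
            continue
        r = REPEAT.search(line)
        if r and records:  # assumption: refers to the entry displayed above
            records[-1]["packets"] += int(r["n"])
    return records

def label_explained_by_port(records):
    """True when every ALG label equals the name of the well-known port seen."""
    return all(rec["alg"] == rec["port_label"] for rec in records)

if __name__ == "__main__":
    for rec in analyse(SAMPLE_LOG):
        print(rec)
    print("labels explained by port alone:", label_explained_by_port(analyse(SAMPLE_LOG)))
```

On these lines the well-known port is always on the remote side and the local port is always above 49152, which is consistent with the replies above describing ordinary peer connections on ports that happen to be 1720 and 1723.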


Archived

This topic is now archived and is closed to further replies.
