Firewall is blocking a connection that it's not set to block...

[jamesp81]

I administer some Windows Server 2008 R2 machines for my company. I have firewall rules in place to block any connection to these servers from IP addresses not administered by ARIN as well as some ARIN addresses where attacks were launched from.

I'm getting the following line in my firewall logs:

DROP UDP 169.254.22.24 224.0.0.252 62372 5355 58 - - - - - - - RECEIVE

It varies some, especially the port numbers, but it's always the same protocol, source IP, and destination IP. I don't have either IP address range blocked in the firewall rules. Anyone have an idea what might be going on here?

And, don't laugh at me, network security wasn't what I was trained in, so it's kind of a new hat for me

 

[riser]

Is 169.x a valid IP range in your network environment? UDP is a send and forget protocol where TCP will send ACKS to verify it was received.

Which Firewall is blocking it? Public, Domain, home? I think that's the three out there.

 

[jamesp81]

Is 169.x a valid IP range in your network environment? UDP is a send and forget protocol where TCP will send ACKS to verify it was received.

Which Firewall is blocking it? Public, Domain, home? I think that's the three out there.

169.x is not a valid IP range on our internal network, but I don't have it blocked either.

Being blocked by Windows Firewall w/ Advanced Security, using the Private profile.

 

[riser]

You are dealing with a network broadcast storm. It could be that you have File and Printer sharing turned off or have different sharing/security setup which is causing it to drop. It could also be that the broadcast is not meant for that computer and it is dropping it.

Do you have systems out there using NetBIOS - mainly 2000 and older systems? Something is broadcasting. If you have network guys, you might want to see if they can trace where the signal is coming from.

It is interesting that it isn't a valid IP range and still coming through.

 

[jamesp81]

You are dealing with a network broadcast storm. It could be that you have File and Printer sharing turned off or have different sharing/security setup which is causing it to drop. It could also be that the broadcast is not meant for that computer and it is dropping it.

Do you have systems out there using NetBIOS - mainly 2000 and older systems? Something is broadcasting. If you have network guys, you might want to see if they can trace where the signal is coming from.

It is interesting that it isn't a valid IP range and still coming through.

Unfortunately, no network guys. Just me

Oldest systems we are running are XP. Some of these may be using Netbios, but I'd have to check.