Stealth Mode connection attempt and network configuration changed messages

[LPPU]

The console lists these messages and they worry me to say the least. I haven't made any network configuration changes myself, and I get tons of those Stealth Mode connection attempt messages. What's the deal with this?

10/4/10 3:16:23 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:56082 from 192.168.0.1:53
10/4/10 3:16:23 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:62911 from 192.168.0.1:53
10/4/10 3:16:29 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:57831 from 192.168.0.1:53
10/4/10 3:16:34 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:57193 from 192.168.0.1:53
10/4/10 3:16:35 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:61654 from 192.168.0.1:53
10/4/10 3:18:26 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:50738 from 192.168.0.1:53
10/4/10 3:18:26 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:49759 from 192.168.0.1:53
10/4/10 3:18:26 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:51576 from 192.168.0.1:53
10/4/10 3:18:26 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:62784 from 192.168.0.1:53
10/4/10 3:18:26 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:61884 from 192.168.0.1:53
10/4/10 3:18:26 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:52997 from 192.168.0.1:53
10/4/10 3:18:26 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:56394 from 192.168.0.1:53
10/4/10 3:18:26 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:59854 from 192.168.0.1:53
10/4/10 3:18:44 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:61695 from 192.168.0.1:53
10/4/10 3:18:44 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:59122 from 192.168.0.1:53
10/4/10 3:18:44 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:52360 from 192.168.0.1:53
10/4/10 3:18:44 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:62393 from 192.168.0.1:53
10/4/10 3:18:45 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:65351 from 192.168.0.1:53
10/4/10 3:19:03 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:62216 from 68.94.156.1:53
10/4/10 3:20:39 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:57821 from 192.168.0.1:53
10/4/10 3:20:41 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:53810 from 192.168.0.1:53
10/4/10 3:20:41 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:58303 from 192.168.0.1:53
10/4/10 3:20:41 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:61073 from 192.168.0.1:53
10/4/10 3:20:41 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:62699 from 192.168.0.1:53
10/4/10 3:20:41 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:50652 from 192.168.0.1:53
10/4/10 3:20:43 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:53819 from 192.168.0.1:53
10/4/10 3:20:56 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:50052 from 192.168.0.1:53
10/4/10 3:20:57 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:54342 from 192.168.0.1:53
10/4/10 3:23:14 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:50483 from 192.168.0.1:53
10/4/10 3:23:14 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:60221 from 192.168.0.1:53
10/4/10 3:23:14 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:58396 from 192.168.0.1:53
10/4/10 3:23:14 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:62809 from 192.168.0.1:53
10/4/10 3:24:03 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:49768 from 192.168.0.1:53
10/4/10 3:24:04 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:56256 from 192.168.0.1:53
10/4/10 3:24:05 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:64542 from 192.168.0.1:53
10/4/10 3:24:05 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:64929 from 192.168.0.1:53
10/4/10 3:24:05 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:56267 from 192.168.0.1:53
10/4/10 3:24:05 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:56751 from 192.168.0.1:53
10/4/10 3:24:05 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:52951 from 192.168.0.1:53
10/4/10 3:24:05 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:63258 from 192.168.0.1:53
10/4/10 3:24:05 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:52634 from 192.168.0.1:53
10/4/10 3:24:05 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:60188 from 192.168.0.1:53
10/4/10 3:24:06 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:55236 from 192.168.0.1:53
10/4/10 3:24:07 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:54119 from 192.168.0.1:53
10/4/10 3:24:45 PM Firewall[53] Stealth Mode connection attempt to UDP 192.168.0.2:54211 from 192.168.0.1:53
10/4/10 3:30:12 PM configd[13] network configuration changed.

 

[miles01110]

UDP is used for a lot of things. Do you have any sort of sharing (iTunes, printer, file) on in your network? How about a router or network printer? All of those can send out UDP broadcasts.

 

[LPPU]

I'm not sharing anything to my knowledge. I know I made sure all sharing preferences under sharing weren't enabled. The way I connect to the internet is by plugging my Macbook into a modem via ethernet cable. I think the modem may have a built in router, but no other computers are hooked up to it. Just mine. Also, in the log there was at least one entry saying TCP I believe instead of UDP.

 

[tag]

Alright I did some tests since I was bored. I enabled my software firewall and had little snitch running. Everytime I went to a new website these showed up. Actually these showed up everytime I went to a new website. And randomly, sometimes 1 entry per site, sometimes 3.

Oct  4 18:31:59 memory-core Firewall[97440]: Stealth Mode connection attempt to UDP 192.168.1.6:63062 from 192.168.1.1:53
Oct  4 18:31:59 memory-core Firewall[97440]: Stealth Mode connection attempt to UDP 192.168.1.6:58907 from 192.168.1.1:53

Now this is showing that these connections are being sent from my router, via port 53 to my laptop on random ports (which happens if my computer doesn't respond to the first port it tries a few other random ones from what I've read). Now port 53 is used for DNS resolution, so after this little research it seems that your web browser is requesting a DNS lookup from the cache, when it's not there or even when it is, the router sends many packets back as it hasn't heard a response from your computer. In the end I'm slightly confused as to why the computer isn't recieving it properly but honestly wouldn't be at all worried as they are related to simple DNS lookups and there doesn't seem to be any loading errors resulting from this.

 

[brandeded]

After some investigation, I see that in my case this was skype.

I caught the connections with a network flow probe, and found on a localhost that it was skype by using netstat to find the process that was exposing the port which the traffic was on, in this case 6837.

On OSX:
netstat -apn | grep :6837

On Windows (I use TCPview usually):
netstat -ab> %tmp%\netstatbyprocs.log
findstr -ni 6837 %tmp%\netstatbyprocs.log


I have posted in the Skype forum.

Skype randomly chooses a port to establish connections with, and this is the port 6837 in my instance. It is worth noting that I block outgoing connections on this port (most ports) and UPnP on my network, so I'm curious what Skype is trying to do.

Good luck,

Matt