Flooded with 2190 (TiVo) and 5678 (Remote Replication Agent Connection) connections

A few days ago I happened to check the IP log and found thousands of probes for 2190 (TiVoConnect Beacon) from other Comcast IP addresses. There are also some for port 5678 (Remote Replication Agent Connection). These are all sourced from the same port # 2190 - 255.255.255.255:2190. I’ve tried blocking them in iptables but they still get recorded. Is anyone else seeing this?

Hi @dgavin

Welcome to the IPFire community.

I am not seeing anything like that where I am (Europe).
As long as you haven’t opened any of those ports with a Port Forward rule then all of that traffic will be blocked and won’t get in. It will just flood your logs.

The easiest approach to stop that logging would be to turn on the location block for the country that those attempts are coming from. This will stop all incoming traffic from that country and not log it. You will still be able to have outgoing connections and the responses from web surfing etc.
The only issue would be if you have some service, such as a web server, that you have opened a port for to allow external access, as that would also be blocked.

3 Likes

Which network? Green, red?

Whois IP 255.255.255.255
Updated 2 days ago

ARIN WHOIS data and services are subject to the Terms of Use

available at: Whois Terms of Use - American Registry for Internet Numbers

If you see inaccuracies in the results, please report at

Reporting a Whois Inaccuracy - American Registry for Internet Numbers

Copyright 1997-2022, American Registry for Internet Numbers, Ltd.

NetRange: 240.0.0.0 - 255.255.255.255
CIDR: 240.0.0.0/4
NetName: SPECIAL-IPV4-FUTURE-USE-IANA-RESERVED
NetHandle: NET-240-0-0-0-0
Parent: ()
NetType: IANA Special Use
OriginAS:
Organization: Internet Assigned Numbers Authority (IANA)
RegDate:
Updated: 2013-08-30
Comment: Addresses starting with 240 or a higher number have not been allocated and should not be used, apart from 255.255.255.255, which is used for “limited broadcast” on a local network.
Comment:
Comment: This block was reserved by the IETF, the organization that develops Internet protocols, in the Standard document and in RFC 1112. The documents can be found at:
Comment: RFC 1112 - Host extensions for IP multicasting
Ref: https://rdap.arin.net/registry/ip/240.0.0.0

OrgName: Internet Assigned Numbers Authority
OrgId: IANA
Address: 12025 Waterfront Drive
Address: Suite 300
City: Los Angeles
StateProv: CA
PostalCode: 90292
Country: US
RegDate:
Updated: 2012-08-31
Ref: https://rdap.arin.net/registry/entity/IANA

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: ICANN
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: email@iana.org
OrgAbuseRef: https://rdap.arin.net/registry/entity/IANA-IP-ARIN

OrgTechHandle: IANA-IP-ARIN
OrgTechName: ICANN
OrgTechPhone: +1-310-301-5820
OrgTechEmail: email@iana.org
OrgTechRef: https://rdap.arin.net/registry/entity/IANA-IP-ARIN

All of the polls are coming on my red interface from IP addresses within Comcast’s network which is where I’m located. They aren’t getting through - they’re just flooding the logs to the point where I might miss something important. The only incoming traffic allowed is VOIP connections locked down to originating from my service provider’s IP range.

This could be anyone in your neighborhood having something misconfigured and broadcast over the web. Trash traffic most likely.

1 Like

I am in the US and I am not seeing this.

Is the actual IP address the 255.255.255.255?

I’d try powering down the IPFire box and the cable modem. Then power-up the cable modem, wait 60 seconds, then power-up the IPFire box. And see if this clears out the odd 255.255.255.255 noise.

Hi,

255.255.255.255 is a broadcast address, so there is no sense in conducting WHOIS lookups, since this address is not allocated to a certain individual or organization.

However, 255.255.255.255 is specified as a broadcast address for a local network only, and must not be forwarded to other networks by routing or firewalling equipment. If this is the case, then I guess Comcast has networking issues in their infrastructure.

There is nothing you can do about this. Aside from that, such broadcast packets do not pose any danger, and IPFire does not forward them outside a certain network, following the specification.

Thanks, and best regards,
Peter Müller

4 Likes
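
For reading a log flooded this way without missing other drops, here is an added example (not part of the thread) that collapses entries sent to the limited broadcast address into per-port counts and keeps everything else verbatim. The sample lines, including the `DROP_INPUT` prefix, the `red0` interface name and the documentation-range addresses, are constructed in the kernel netfilter LOG `KEY=value` layout.

```python
import re
from collections import Counter

LIMITED_BROADCAST = "255.255.255.255"
FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs written by the LOG target

# Constructed sample input (not taken from the thread).
SAMPLE_LOG = """\
Jan 10 03:12:01 fw kernel: DROP_INPUT IN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.23 DST=255.255.255.255 LEN=118 TTL=64 PROTO=UDP SPT=2190 DPT=2190 LEN=98
Jan 10 03:12:02 fw kernel: DROP_INPUT IN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:66:08:00 SRC=198.51.100.77 DST=255.255.255.255 LEN=118 TTL=64 PROTO=UDP SPT=2190 DPT=2190 LEN=98
Jan 10 03:12:02 fw kernel: DROP_INPUT IN=red0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:77:08:00 SRC=192.0.2.50 DST=203.0.113.7 LEN=60 TTL=51 PROTO=TCP SPT=40122 DPT=22 SYN
Jan 10 03:12:03 fw kernel: DROP_INPUT IN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:88:08:00 SRC=198.51.100.91 DST=255.255.255.255 LEN=148 TTL=64 PROTO=UDP SPT=5678 DPT=5678 LEN=128
Jan 10 03:12:04 fw kernel: DROP_INPUT IN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.23 DST=255.255.255.255 LEN=118 TTL=64 PROTO=UDP SPT=2190 DPT=2190 LEN=98
"""

def parse_line(line):
    """Return the KEY=value fields of one LOG line, or None if it has no DST."""
    fields = dict(FIELD.findall(line))
    return fields if "DST" in fields else None

def triage(log_text):
    """Count limited-broadcast entries per (protocol, port); keep all other lines."""
    noise, keep = Counter(), []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # not a firewall LOG entry
        if fields["DST"] == LIMITED_BROADCAST:
            noise[(fields.get("PROTO"), fields.get("DPT"))] += 1
        else:
            keep.append(line)
    return noise, keep

if __name__ == "__main__":
    noise, keep = triage(SAMPLE_LOG)
    for (proto, dpt), count in noise.most_common():
        print(f"{count:5d}  {proto}/{dpt} -> {LIMITED_BROADCAST}")
    print("--- entries that still need a look ---")
    print("\n".join(keep))
```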