ufw logs- port 44444

[Ms. Daisy]

My ufw.log shows a huge amount of blocked activity to one particular IP. I've tried to trace the IP but it times out. I'm concerned after comparing my log to the basic security wiki (which I helped author, let's just ignore the irony of that for a minute, can we?)

What caught my interest is the volume of blocked requests (50ish in the last 2 days) and the ports used (44444).

Code:

 Jan 24 15:44:08 MsDaisy-Computer kernel: [ 1296.544822] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=1088 PROTO=ICMP TYPE=8 CODE=0 ID=2913 SEQ=1   
  Jan 24 15:44:56 MsDaisy-Computer kernel: [ 1344.922839] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=1089 PROTO=UDP SPT=47414 DPT=33434 LEN=40  
 Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.553723] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515  
 Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.553844] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515  
 Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.553948] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515  
 Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554050] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515  
 Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554153] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515  
 Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554256] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515  
 Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554360] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515  
 Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554464] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515  
 Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554570] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515  
 Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554731] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515

Is it time to reinstall?

[OpSecShellshock]

Hmmm. Well I know that port in TCP is associated with a couple Windows trojans, but I haven't been able to find out much about it on the UDP side, unless it's something used by your router or ISP. Did you look up any information about the external IP address?

It's getting blocked, whatever it is, which of course vindicate's DT's firewall rule suggestions. 44444 is an unassigned port, so it could be anything. What's the external IP?

[Ms. Daisy]

The destination is 224.0.0.251. That's multicast, right? I'm afraid I don't really understand its use beyond that it sends a packet simultaneously to multiple locations.

I tried whois, but it doesn't return anything for that IP. The only other thing I did with that IP was traceroute and tracepath, but both of those fail. The traceroute returns "operation not permitted" even with sudo.

I'm also interested to know why it's calling out.

[Dangertux]

Wee vindication

That is multicast traffic, as such traceroute will fail (it's a reserved IP). It's unlikely that it is malicious in nature. It is also not a distinct indicator that your system is compromised.

Do you use cable Internet service?

[Ms. Daisy]

yup.
What can I read to understand this?

[OpSecShellshock]

That's definitely a multicast IP. I'm suspecting some kind of media playing application is involved, but not sure how to confirm that. Do you have any of those running?

[Dangertux]

It's trying to talk to your modem rather... It's trying to respond to what your modem is saying.

[Ms. Daisy]

That's definitely a multicast IP. I'm suspecting some kind of media playing application is involved, but not sure how to confirm that. Do you have any of those running?

I do not have anything other than firefox, log file viewer, and ruby running.

It's trying to talk to your modem rather... It's trying to respond to what your modem is saying.

My modem... you mean my cable modem? Not the router?

[Dangertux]

Yep the modem. See multicast is used in this case to discover devices on the network that are "alive".

So it will pass through the router (and likely be forwarded)

[Ms. Daisy]

It also used these ports:

Code:

SPT=33764 DPT=33434
SPT=52674 DPT=44444
SPT=60251 DPT=44444
SPT=5353 DPT=5353

OK. So the modem wants to know what devices are connected. It's checking all the devices continuously throughout the day? So this is something that takes up a lot of log space but is otherwise innocuous?