Hundreds of suspicious messages coming from random sources [closed]

I'm having a serious problem and I'm running out of options.

Out of the blue, my Windows 10 laptop with McAfee started reporting hundreds of suspicious messages blocked by the laptop firewall (I don't have a router firewall). The origin is random (though most of them come from Akamai.net) and the port is random as well, but in many cases there are dangerous ports such as 138, which is used by NetBIOS.

This happens in all the laptops in my network, and I don't know how to stop these messages from coming in.

See sample messages here.

One thing I did was to take one of the laptops and reinstall Windows 10 (from the image on the laptop itself) outside of my WiFi network. The strange thing was that even after resetting the entire disk and reinstalling Windows, these messages started coming in again, without the laptop ever having been connected to my network.

Any ideas what's going on and how to solve this problem?


Solution 1:

Let's check those source IPs:

  • 3.208.40.114 and 3.15.107.215 are owned by AWS, and these IPs are used by parse.ly as an application/website analytics and 1x1 pixel tracker.

  • 52.216.0.0/14 and 52.216.128.0/18 are owned by AWS and used to serve S3 APIs.

  • 74.125.21.95 is owned by Google, serving Google search.

  • 204.154.111.153 is used by DoubleVerify analytics.

Most of the IPs described are safe, and their origin can be traced. You are probably browsing the internet when you receive these messages.

Furthermore, most of the warnings are for connections to your PC on ephemeral ports, i.e. client-side TCP/UDP communication ports. These connections are short-lived and usually client-initiated, so if you think there's anything wrong, you can check and scan your PC to be safe.

It's highly possible that this is a case of a hyperactive firewall, but please confirm it by cross-checking your antivirus log against your browsing activity.

Next, let's check your local network logs:

  • 3702/UDP is used for WS-Discovery broadcasts
  • 5355/UDP is used for LLMNR broadcasts
  • 137/UDP and 138/UDP are used by Windows' NetBIOS services

All these services are safe within your local network, and are usually broadcasts or unicasts. You can firewall these if you want, but you'll block client discovery if you do so.
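The cross-check the answer recommends can be scripted. The following is an added example, not code from the original question or answer, and it assumes a constructed, simplified log format ("timestamp src:port -> dst:port proto") rather than McAfee's real log layout. It sorts each blocked entry into three buckets: LAN discovery traffic on the ports the answer lists (3702, 5355, 137, 138) from a private source address, inbound traffic on a Windows ephemeral port (49152 and above) from a public address, which is the pattern of a reply to a connection the PC itself opened, and everything else, which is left for manual review.

```python
import ipaddress
from collections import Counter

# Constructed sample log (not real McAfee output). Format, one entry per line:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
SAMPLE_LOG = """\
2020-01-01T10:00:01 3.208.40.114:443 -> 192.168.1.20:51234 TCP
2020-01-01T10:00:02 52.216.10.5:443 -> 192.168.1.20:51240 TCP
2020-01-01T10:00:03 192.168.1.1:3702 -> 192.168.1.20:3702 UDP
2020-01-01T10:00:04 192.168.1.30:137 -> 192.168.1.20:137 UDP
2020-01-01T10:00:05 192.168.1.30:138 -> 192.168.1.20:138 UDP
2020-01-01T10:00:06 192.168.1.30:5355 -> 192.168.1.20:5355 UDP
2020-01-01T10:00:07 198.51.100.7:41000 -> 192.168.1.20:445 TCP
"""

# Local discovery services named in the answer, keyed by destination port.
LAN_DISCOVERY_PORTS = {
    3702: "WS-Discovery",
    5355: "LLMNR",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
}

# Windows uses 49152-65535 as its default dynamic (ephemeral) client port range.
EPHEMERAL_MIN = 49152


def parse_line(line):
    """Split one constructed log line into its fields."""
    timestamp, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "timestamp": timestamp,
        "src_ip": src_ip,
        "src_port": int(src_port),
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
        "proto": proto,
    }


def classify(entry):
    """Return a triage verdict for one parsed entry."""
    src = ipaddress.ip_address(entry["src_ip"])
    # Broadcast/unicast discovery traffic from another host on the LAN.
    if (entry["proto"] == "UDP"
            and entry["dst_port"] in LAN_DISCOVERY_PORTS
            and src.is_private):
        return "lan-discovery"
    # A public host talking to one of our ephemeral ports is, in the normal
    # case, the return leg of a connection this PC opened (e.g. a web page).
    if entry["dst_port"] >= EPHEMERAL_MIN and not src.is_private:
        return "reply-to-outbound"
    # Anything else (e.g. a public address hitting a service port) needs a look.
    return "review"


def triage(log_text):
    """Parse and classify every non-empty line; returns (entry, verdict) pairs."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        results.append((entry, classify(entry)))
    return results


def summarize(log_text):
    """Count entries per verdict so the noisy buckets can be set aside."""
    return Counter(verdict for _entry, verdict in triage(log_text))


if __name__ == "__main__":
    for entry, verdict in triage(SAMPLE_LOG):
        service = LAN_DISCOVERY_PORTS.get(entry["dst_port"], "")
        print(f'{entry["timestamp"]} {entry["src_ip"]}:{entry["src_port"]} '
              f'-> :{entry["dst_port"]}/{entry["proto"]} {verdict} {service}')
    print(dict(summarize(SAMPLE_LOG)))
```

The two "reply-to-outbound" entries are the ones to line up against browser history by timestamp, as the answer suggests; the four "lan-discovery" entries are the local broadcasts it calls safe; the remaining entry, a public address reaching a service port, is the kind that deserves a scan of the PC rather than being waved through.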