"Suspicious incoming network connections blocked" ...Way too many?

MPatch

Jul 17, 2017


Just today, for the first time, I ended up checking the Security History of my McAfee, only to find a HUGE (at least it struck me that way) list of blocked incoming IPs within just the past 24 hours.

I have NO idea what this means, or what's going on. I definitely feel scared, because I am so in the dark on this. I feel like this shouldn't be normal, but I have no idea.

I live in a house with two others in my family. Most of the devices in the household are protected by McAfee, and one with free AVG.
There are 2 PCs, 2 laptops, and a few extraneous devices that use the router in this house.

Why would there be so many incoming network connections? It makes me so uncomfortable thinking that I am being constantly barraged with them.

Does this mean that one of the 4 computers in this household is likely infected with something?
This isn't actually normal, is it?
Would every computer receive the "incoming network connection", even if it is not the device that is infected?

I could use any advice at all, or any information. Please help!


Edit: I checked my Security History on a different computer, and there was only a single network connection blocked within the past 24 hours. So I feel I've already narrowed down the reality to this one computer having some sort of issue. (I'm running a scan now.)
 
Solution
Could even be an ad coming from their servers.

I used this site https://www.iplocation.net/ to find the locations and owners. Now if they were all Russian, or China, then you'd probably be trying to be hacked, but the router probably stops most of that and it's just ads or something that it's blocking automatically.


If that's true, I'll certainly feel better and will be happy to have been worried over nothing. (and sorry for wasting everyone's time, as well)

Thank you for telling me this, though. I just didn't know how this stuff worked, and took the context of something being "blocked" as something that could only have bad connotations, rather than something that would simply just happen while browsing.

 


Thank you for going to the trouble to check that for me, and respond to me right off the bat.
I WAS just watching stuff on YahooView, so if normal browsing activity causes this to happen, then after learning that, I feel unsurprised.

Again, thank you very much.

 
You are right to question this in the first place. A modern firewall is supposed to know the difference between a server somewhere on the Internet attempting to send more-or-less unsolicited traffic to your computer (inbound traffic), vs a server on the Internet sending you information in response to your having initiated the traffic (so-called outbound traffic, and the associated responses).
It is normal for a firewall sitting directly on the Internet to see a lot of potentially malicious inbound traffic. However, the "suspicious incoming traffic" McAfee seems to be blocking sure looks like the usually-harmless responses to web browsing requests that one would expect to see. I.e. my guess is that the "incoming" traffic is not "inbound" traffic in the modern sense of the word. I might further guess that McAfee is blocking the traffic based on some kind of reputation score for the associated IP addresses. The problem with that is that yahoo, google, akamai and AWS are servers used for both benign and malicious purposes. It is not really a sufficient reason to block the traffic. I've seen this before with McAfee. I am not sure, but it seems like it is probably blocking traffic you actually want to have it let through. I wish I could suggest a fix, but my best advice is to switch to a better product.
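
The inbound-versus-response distinction drawn in the reply above, as an added example that is not part of the original thread: a minimal connection-tracking table in Python that labels each incoming packet as a reply to traffic the host started or as unsolicited inbound. The packet records, addresses, ports and the 300-second idle timeout are constructed assumptions, not values from McAfee or from this thread.

```python
from collections import namedtuple

# Constructed sample records (not taken from the thread): time in seconds,
# direction as seen by the host, local port, remote endpoint, TCP flags.
Pkt = namedtuple("Pkt", "t direction local_port remote_ip remote_port flags")

SAMPLE = [
    Pkt(0.0, "out", 50123, "198.51.100.10", 443, "SYN"),      # browser opens HTTPS
    Pkt(0.1, "in", 50123, "198.51.100.10", 443, "SYN-ACK"),   # server's reply
    Pkt(0.3, "in", 50123, "198.51.100.10", 443, "ACK"),       # more reply data
    Pkt(5.0, "in", 3389, "203.0.113.77", 41000, "SYN"),       # nothing local asked for this
    Pkt(400.0, "in", 50123, "198.51.100.10", 443, "ACK"),     # arrives after state expired
]

IDLE_TIMEOUT = 300.0  # assumed idle timeout for a tracked flow, in seconds


def classify(packets, idle_timeout=IDLE_TIMEOUT):
    """Label each incoming packet the way a stateful firewall would."""
    flows = {}   # (local_port, remote_ip, remote_port) -> time last seen
    labels = []
    for p in packets:
        key = (p.local_port, p.remote_ip, p.remote_port)
        if p.direction == "out":
            flows[key] = p.t              # host initiated or continued this flow
            continue
        last = flows.get(key)
        if last is not None and p.t - last <= idle_timeout:
            flows[key] = p.t              # reply keeps the flow alive
            labels.append((p.remote_ip, p.local_port, "response"))
        elif last is not None:
            del flows[key]                # state aged out; packet no longer matches
            labels.append((p.remote_ip, p.local_port, "stale-response"))
        elif p.flags == "SYN":
            labels.append((p.remote_ip, p.local_port, "unsolicited-inbound"))
        else:
            labels.append((p.remote_ip, p.local_port, "no-matching-flow"))
    return labels


if __name__ == "__main__":
    for remote, port, label in classify(SAMPLE):
        print(f"{remote:>15} -> local port {port:<5} {label}")
```

Only the `unsolicited-inbound` row is "inbound" in the sense the reply describes; the others are tied to a flow the host itself opened.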
 
My McAfee Security History report started looking a lot like yours (different specific IP addresses, but the same messages and same pattern). For me the messages began 12/27/2017, which coincidentally was the day that Windows Update updated my machine to Ws 10 v.1709. I discovered it just a couple of days ago, and have been trying to research it. Like you, I'm not comfortable that apparent attacks are happening every few seconds or minutes.

I used https://www.arin.net/ (American Registry for Internet Numbers) to look up several of the IP addresses shown in McAfee's history (using the "SEARCH Whois" field in the upper right corner of the page). The address owners were primarily Amazon, Akamai, Time Warner, GoDaddy, Steadfast, Liveperson, Google... nothing blatantly foreign, but still nothing that should be hitting my machine at times when I don't even have a browser open! And what they have in common is that they're all hosts of some sort, domains whose addresses might be intended for use by their clients rather than by the named corporation itself.

In my research, I ran across this article on botnets that attack using spoofed IP addresses from well-known companies, constantly shifting among addresses:
https://www.akamai.com/us/en/about/news/press/2017-press/fast-flux-botnets-still-wreaking-havoc-on-internet-according-to-akamai-research.jsp
Could this be what's happening? A fast-flux botnet trying to plant malware on our innocent little machines to co-opt them into abetting their nefarious plans? Are the benign-looking IP addresses the reason these particular connection attempts are getting past the router's firewall to begin with, and making it as far as McAfee's security check?

Here's hoping that someone who understands incoming connection attempts better than I do can shed some more light on this. Thanks!