Home Forums Networks & Cross-Platform Networking Stealth Mode connection attempts

Ever since firing up my new iMac running Lion almost 2 years ago, whenever I am online, I have been experiencing constant (ie, dozens per minute!) bombardment with "Stealth Mode connection attempts" directed at my local IP address (which changes from session to session) from various sources, including DNS servers (both ISP provided and those recently added). My firewall seems to foil their connection.

A sample of such (with local IP address partially disguised) follows:

13-08-18 3:13:08.549 Firewall: Stealth Mode connection attempt to TCP 205.206.***.**:58670 from 74.125.226.131:80

13-08-18 3:25:52.366 Firewall: Stealth Mode connection attempt to UDP 205.206.***.**:58847 from 208.67.220.220:53

13-08-18 9:46:58.042 Firewall: Stealth Mode connection attempt to TCP 205.206.***.**:59372 from 63.151.28.57:80

13-08-18 9:50:37.610 Firewall: Stealth Mode connection attempt to UDP 205.206.***.**:52020 from 208.67.222.222:53

13-08-18 9:51:31.862 Firewall: Stealth Mode connection attempt to TCP 205.206.***.**:59454 from 23.62.239.33:80

13-08-18 9:53:15.424 Firewall: Stealth Mode connection attempt to UDP 205.206.***.**:53866 from 208.67.222.222:53

Questions:

(1) Are these attempted incursions into my system innocuous?

(2) What do they represent?

(3) Is there any means by which to stop this from happening, preferably at source (since the originating IP addresses appear to be reasonably finite in number)?

These are all harmless, and can be ignored.

A ... connection attempt to TCP ... from ... :80

happens when you close a browser window before it has fully loaded. (Having Javascript on the page that periodically queries the server for live updates counts as "not fully loaded".) The server is still trying to send the missing parts of the page, but the page is no longer there to listen. An incoming packet without a listening socket a "stealth mode connection attempt", according to the firewall, even if it is not actually a connection attempt.

A ... connection attempt to TCP ... from ... :443

is the same thing, except for an https: page. You didn't report any of those, but if you see one you can ignore it, too.

A ... connection attempt to UDP ... from ...:53

is a slow response from a DNS server. Your computer sends out a DNS request to one server, doesn't get a quick response, so it tries an alternate server. One of the two servers answers, and then some time later the other server answers. The second reply is, according to the firewall, a "stealth mode connection attempt" (even though there's no such thing as a DNS connection, DNS being a "connectionless protocol").

Many thanks for your response and expertise.

But why would the firewall be involved or for that matter a legitimate request be a "stealth mode connection attempt", both of which would suggest to me something malicious in the works?

"Stealth mode" doesn't mean that something on your network is trying to access you in a stealthy way. It means your computer is configured not to reply to incoming packets, even to say "sorry, I can't process this packet."

The firewall would be involved because it's looking at every packet into or out of your computer. That's its job.

I have no idea why they chose to word the message the way they did. It certainly causes a lot of anxiety.

What they should perhaps have said, instead of "Stealth mode connection attempt", is something like "unexpected incoming packet discarded". Maybe in their mind those two wordings are equivalent. Or maybe they think "unexpected" raises its own set of questions. I don't know.

But yes, "stealthy" makes people think "surreptitious" or "sneaky", and only evil-doers are surreptitious, so people natural take the message to mean they're under attack. The wording they chose is much scarier than it ought to be.

Many thanks to both you and tacit.
I'll try to sleep better now that the edge has been taken off.