Drops in Sys Log


Widmark

Occasional Visitor
Trying to figure out WTH is causing drops in the router's system log for an ASUS RT-AC66U with Motorola SB6141 cable modem. Drops seem to happen in the wired connection between the router and the cable modem since the cable modem MAC address is referenced over and over, but just spit balling.

IPv6 is not currently enabled on router, and curiously on the cable modem's config page it shows "Modem's IP Mode: IPv6 Only". Possible hint? I would prefer to stay away from the complexity of IPv6 until I am paying a price for not using... like speed or instability issues.

Any help greatly appreciated.

CABLE MODEM CONFIG PAGE:

[screenshot attachment, not reproduced here: upload_2016-12-30_16-18-19.png]


GENERAL SYSTEM LOG FROM ASUS ROUTER (some info redacted):


Dec 30 15:51:13 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=96.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52235 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656


Dec 30 15:51:13 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=96.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52236 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656


Dec 30 15:51:14 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=96.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52237 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656


Dec 30 15:51:16 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=96.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52238 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656


Dec 30 15:51:19 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=96.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52239 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656


Dec 30 15:51:40 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=183.XXX.XX.XXX DST=XX.XX.XXX.XX <1>LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=39968 PROTO=TCP <1>SPT=3187 DPT=23 SEQ=1286607188 ACK=0 WINDOW=8539 RES=0x00 SYN URGP=0


Dec 30 15:52:04 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=180.172.188.153 DST=XX.XX.XXX.XX <1>LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1378 PROTO=TCP <1>SPT=6750 DPT=22 SEQ=1286607188 ACK=0 WINDOW=17852 RES=0x00 SYN URGP=0


Dec 30 15:52:15 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=88.XXX.XX.XXX DST=XX.XX.XXX.XX <1>LEN=44 TOS=0x00 PREC=0x00 TTL=228 ID=39508 PROTO=TCP <1>SPT=41998 DPT=23 SEQ=1368850432 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405AC)


Dec 30 15:52:39 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=123.165.233.159 DST=XX.XX.XXX.XX <1>LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=47701 PROTO=TCP <1>SPT=44481 DPT=22 SEQ=1286607188 ACK=0 WINDOW=64498 RES=0x00 SYN URGP=0


Dec 30 15:53:13 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=183.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=15550 DF PROTO=TCP <1>SPT=20644 DPT=1433 SEQ=542248024 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405A001010402)


Dec 30 15:53:15 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=183.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=18628 DF PROTO=TCP <1>SPT=20644 DPT=1433 SEQ=542248024 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405A001010402)


Dec 30 15:53:34 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=187.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=36798 PROTO=TCP <1>SPT=2772 DPT=6789 SEQ=1286607188 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0


Dec 30 15:55:58 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=96.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52265 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656


Dec 30 15:55:58 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=96.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52266 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656


Dec 30 15:55:58 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=96.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52267 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656


Dec 30 15:55:59 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=96.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52268 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656


Dec 30 15:55:59 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=96.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52269 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656


Dec 30 15:56:01 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=96.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52270 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656


Dec 30 15:56:04 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=96.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52271 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656


Dec 30 15:56:43 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=158.xxx.xx.xxx DST=XX.XX.XXX.XX <1>LEN=441 TOS=0x18 PREC=0x00 TTL=45 ID=38703 DF PROTO=UDP <1>SPT=5107 DPT=5060 LEN=421


Dec 30 15:56:52 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=124.xxx.x.xxx DST=XX.XX.XXX.XX <1>LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=8898 DF PROTO=TCP <1>SPT=64169 DPT=1433 SEQ=3251678201 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030001010402)


Dec 30 15:56:53 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=23.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=54321 PROTO=TCP <1>SPT=33725 DPT=80 SEQ=2877263258 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0


Dec 30 15:56:55 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=124.XX.XX.XX DST=XX.XX.XXX.XX <1>LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=19439 DF PROTO=TCP <1>SPT=64169 DPT=1433 SEQ=3251678201 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030001010402)


Dec 30 15:57:01 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=95.XX.XX.XX DST=XX.XX.XXX.XX <1>LEN=44 TOS=0x00 PREC=0x00 TTL=233 ID=57780 PROTO=TCP <1>SPT=10889 DPT=23 SEQ=1179975680 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405AC)


Dec 30 15:57:10 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=109.XX.XXX.XX DST=XX.XX.XXX.XX <1>LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=47018 PROTO=TCP <1>SPT=61923 DPT=6789 SEQ=1286607188 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0


Dec 30 15:57:22 kernel: DROP <4>DROP IN=eth0 OUT= MAC=[cable modem MAC address]<1>SRC=125.XX.XX.XX DST=XX.XX.XXX.XX <1>LEN=44 TOS=0x00 PREC=0x00 TTL=236 ID=28288 PROTO=TCP <1>SPT=46652 DPT=6789 SEQ=1286607188 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405AC)
 
I see nothing unusual there, just the normal noise/port scanning that you'll get on your WAN interface. You've turned on logging of dropped packets. (The reason you see the MAC address of the cable modem is because that's what your WAN interface is connected to.)

123.165.233.159 and 180.172.188.153 are both Chinese addresses.
 
Thanks... it sounds like these are pings from suspicious characters... and good that their pings are dropped.

It would be nice to be able to add the pinging source IPs to a blacklist but I don't think there is an easy way to do this... and I'm guessing it's unlikely that any of these pingers would be trying to hack in having no reason to think my IP is live?
 
Technically they are not "pinging" you, they are port scanning you. A ping (echo request) is an ICMP type 8 packet. ;)

If you examine your log for the destination port (DPT) they are trying to connect to you will see numbers like 22, 23, 1433 and 80. These are common ports used for SSH, Telnet, SQL Server and HTTP. So provided that you are not exposing any of these (or other) services to the internet then there is nothing for the hackers to connect to. :)

Using a third party firmware like Merlin's you could create custom scripts that blacklist certain IP addresses, but the default action of the router is to drop these connections anyway (unless, as I said, you are deliberately allowing these services).

EDIT: You don't say what specific firmware version you are running, but have a look at the Administration > System page. Look for things like "Allow SSH access from WAN" and "Enable Web Access from WAN" and make sure they are set to "No".
 
This is really helpful stuff Colin, thanks. It looks like a few of these groups scanning my ports are focused on 5060. Since I use an SIP phone, I'm a little concerned with that. I've never allowed Telnet or any kind of administration from the WAN.

I am running 3.0.0.4.380.4180 on an ASUS RT-AC66U. I have wanted to go to Merlin but not looking forward to learning new settings and having to fiddle. I wonder if blocking IP addresses from port scanning (I am used to doing this on Wordpress from a completely different public facing server) will actually flag the port scanners that they have a "live" one and then they would just try from another IP. Seems on websites the only way to stop the hack attempts is to block entire countries from accessing a site. I would switch to Merlin tomorrow if there is an easy way to create a script to block entire countries! I'm going to start looking at any connections that are not dropped from these various unknown IPs... that's probably the more concerning eh?
 
As far as I can tell from your redacted log all of the SIP traffic is coming from the same address, so I'd guess that that is the normal behaviour of your SIP provider. (But I don't really know anything about SIP).

If you don't have any services (apart from SIP) exposed to the internet then the default action is to "DROP" any unsolicited packets. So any would be hackers can't tell that you are there. You could install Merlin and start blacklisting countries, but you'd just be duplicating what the router already does.

Blacklists are only really relevant if you are deliberately running internet facing services, like web servers or VPN. Even then it's arguable that they are just giving you a false sense of security. Most port scans (and by implication, hacking attempts) come from China, but they can come from anywhere, including the USofA.

Confession: ;) I do block IP addresses on my router, but not as a security measure. I run a VPN server and every time someone tries to connect to it, it creates 5 entries in my syslog. The volume of these becomes very annoying. As 95% of these attempts come from a) Shodan or b) China I block those.
 
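An added example, not code from this thread, from Asus or from Merlin firmware, showing how to check the two points made in the replies above offline: tally the destination ports in these DROP lines with their well-known service names (SSH, Telnet, SQL Server, HTTP, SIP), count how many distinct addresses probe each port, and separate the port-5060 traffic by whether 5060 is the source port (one address sending to a high port on the router) or the destination port (an unrelated address probing for a SIP service). The sample log is constructed in the same format as the one quoted above, with the redacted addresses replaced by RFC 5737 documentation addresses and the modem MAC by an RFC 7042 documentation MAC; `parse_drop_line`, `ports_report`, `sip_roles` and `SERVICE_NAMES` are names chosen for this example.

```python
"""Tally iptables DROP lines of the kind an Asus router writes to its syslog.

Added example for this thread; not code from SNBForums, Asus or Merlin.
SAMPLE_LOG is constructed to match the format quoted in the thread, using
documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 00:00:5e:00:53:xx).
"""
import re
from collections import Counter, defaultdict

# IANA well-known assignments for the destination ports seen in the thread.
SERVICE_NAMES = {22: "SSH", 23: "Telnet", 80: "HTTP", 1433: "SQL Server", 5060: "SIP"}

# Timestamp prefix, then the key=value fields worth keeping. The '<1>'/'<4>'
# tokens are kernel log-level markers the router leaves inside the line.
_TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) kernel: DROP\b")
_KV_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT|TTL|LEN)=(\S*)")

SAMPLE_LOG = """\
Dec 30 15:51:13 kernel: DROP <4>DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 <1>SRC=192.0.2.10 DST=198.51.100.7 <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52235 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656
Dec 30 15:51:14 kernel: DROP <4>DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 <1>SRC=192.0.2.10 DST=198.51.100.7 <1>LEN=676 TOS=0x00 PREC=0x00 TTL=52 ID=52237 PROTO=UDP <1>SPT=5060 DPT=32497 LEN=656
Dec 30 15:51:40 kernel: DROP <4>DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 <1>SRC=192.0.2.20 DST=198.51.100.7 <1>LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=39968 PROTO=TCP <1>SPT=3187 DPT=23 SEQ=1286607188 ACK=0 WINDOW=8539 RES=0x00 SYN URGP=0
Dec 30 15:52:04 kernel: DROP <4>DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 <1>SRC=192.0.2.21 DST=198.51.100.7 <1>LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1378 PROTO=TCP <1>SPT=6750 DPT=22 SEQ=1286607188 ACK=0 WINDOW=17852 RES=0x00 SYN URGP=0
Dec 30 15:52:15 kernel: DROP <4>DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 <1>SRC=192.0.2.22 DST=198.51.100.7 <1>LEN=44 TOS=0x00 PREC=0x00 TTL=228 ID=39508 PROTO=TCP <1>SPT=41998 DPT=23 SEQ=1368850432 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405AC)
Dec 30 15:53:13 kernel: DROP <4>DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 <1>SRC=192.0.2.23 DST=198.51.100.7 <1>LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=15550 DF PROTO=TCP <1>SPT=20644 DPT=1433 SEQ=542248024 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405A001010402)
Dec 30 15:56:43 kernel: DROP <4>DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 <1>SRC=192.0.2.24 DST=198.51.100.7 <1>LEN=441 TOS=0x18 PREC=0x00 TTL=45 ID=38703 DF PROTO=UDP <1>SPT=5107 DPT=5060 LEN=421
Dec 30 15:57:10 kernel: DROP <4>DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 <1>SRC=192.0.2.26 DST=198.51.100.7 <1>LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=47018 PROTO=TCP <1>SPT=61923 DPT=6789 SEQ=1286607188 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_drop_line(line):
    """Return the interesting fields of one DROP line, or None for other lines."""
    ts = _TS_RE.match(line)
    if not ts:
        return None
    rec = {"time": ts.group(1)}
    for key, val in _KV_RE.findall(line):
        if key == "LEN" and "LEN" in rec:
            continue  # the second LEN= is the UDP length; keep the IP length
        if key in ("SPT", "DPT", "TTL", "LEN"):
            val = int(val)
        rec[key] = val
    return rec


def ports_report(lines):
    """Per destination port: service name, packet count and distinct sources.

    Many distinct sources hitting a well-known port is the background scanning
    described in the thread; a port that only ever sees one source is worth a
    second look, because it may be a peer the router actually talks to.
    """
    packets = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_drop_line(line)
        if rec and "DPT" in rec:
            packets[rec["DPT"]] += 1
            sources[rec["DPT"]].add(rec["SRC"])
    return {
        port: {
            "service": SERVICE_NAMES.get(port, "unknown"),
            "packets": n,
            "sources": sorted(sources[port]),
        }
        for port, n in packets.items()
    }


def sip_roles(lines):
    """Split port-5060 traffic by which side owns the SIP port.

    SPT=5060 towards a high port on the router is consistent with a SIP
    provider answering a NAT mapping that has since expired (the thread later
    confirms the address is the provider); DPT=5060 from an unrelated address
    is a probe for a SIP service. The firewall drops both unless forwarded.
    """
    roles = {"from_port_5060": set(), "to_port_5060": set()}
    for line in lines:
        rec = parse_drop_line(line)
        if not rec:
            continue
        if rec.get("SPT") == 5060:
            roles["from_port_5060"].add(rec["SRC"])
        if rec.get("DPT") == 5060:
            roles["to_port_5060"].add(rec["SRC"])
    return roles


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for port, info in sorted(ports_report(log_lines).items()):
        print(f"DPT={port:<6} {info['service']:<11} packets={info['packets']} "
              f"distinct sources={len(info['sources'])}")
    print("SIP roles:", sip_roles(log_lines))
```

To run it against a real export, replace `SAMPLE_LOG` with the contents of the router's system log; lines that are not `kernel: DROP` entries are skipped. A port that shows up with many packets from many sources is the noise Colin describes, while a port with exactly one source (here the SPT=5060 flow to 32497) is the kind of entry worth looking up, as Widmark did, before deciding it is hostile.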
EDIT: You don't say what specific firmware version you are running, but have a look at the Administration > System page. Look for things like "Allow SSH access from WAN" and "Enable Web Access from WAN" and make sure they are set to "No".

That's the primary advice - also look at any ports/services that are being forwarded - port scans are a constant non-issue for the most part, but it's always best to be safe and only expose what is needed...
 
That's the primary advice - also look at any ports/services that are being forwarded - port scans are a constant non-issue for the most part, but it's always best to be safe and only expose what is needed...

Yeah I noticed some old settings that I can't remember why they are there... under Firewall>Network Services I have a bunch of entries filtering ports 7:9 both TCP and UDP to my router gateway IP (filter table type set to blacklist). I should have written it down... thinking it had something to do with my NAS or VPN settings.

I looked up the main IP scanning my 5060 port... duh, it is my SIP provider! Oh well at least I know.

Thanks again.
 