kernel: [BLOCKED - INBOUND]

[JohnD5000]

Can anyone tell me what all these kernel: [BLOCKED - INBOUND] lines are in my log...and how to stop them? I get a line like this every 3-10 seconds!

Running an AC86U with Merlin 386.2_4

Note: the MAC=ZZ part is my routers mac address, not sure what the rest is.

May 24 21:52:34 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:18:8b:9d:d4:58:22:08:00 SRC=193.27.228.188 DST=XX.XX.XXX.X LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=14450 PROTO=TCP SPT=40068 DPT=57105 SEQ=1368156261 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000

 

[dave14305]

It's Skynet. Disable inbound blocking in the menu, or disable logging in the menu. Or ignore the logs.

EDIT: The DST= value would be your WAN address. Most people prefer to redact that info.

 

[JohnD5000]

It's Skynet. Disable inbound blocking in the menu, or disable logging in the menu. Or ignore the logs.

EDIT: The DST= value would be your WAN address. Most people prefer to redact that info.

Thanks I disabled logging in Skynet.

 

[ahab]

Hate to hijack but have a related question. I get a ton of this traffic, the ZZZZs would represent my router's MAC and the XXXXs are my public IP, to the point that once or twice a day it cripples my AX86U. There are instances when I'll get 40-50 each second for a little while and the router will drop all outbound connections. It doesn't reboot but the CPU usage goes 100% on one, maybe two cores, and the other two are fairly high as well. After a few minutes everything returns to business as usual. Not sure if this would be classified as a DoS attack, but that would fit my understanding of the situation. The last attack about an hour ago came from what looks like an ISP in Bergen NJ.

I think the good news is that the Skynet firewall is blocking said traffic, but dropping my connection is a major PITA. What are my options here? More importantly, how unsafe it this?

Here's a snip, as I said, there were about 50 per second for a few minutes.

May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=64272 PROTO=TCP SPT=32766 DPT=30510 SEQ=2942035713 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=12606 PROTO=TCP SPT=32766 DPT=10296 SEQ=1446933049 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=46488 PROTO=TCP SPT=32766 DPT=56223 SEQ=2225931576 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=13577 PROTO=TCP SPT=32766 DPT=63242 SEQ=962373948 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=15348 PROTO=TCP SPT=32766 DPT=64513 SEQ=4141460682 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=38554 PROTO=TCP SPT=32766 DPT=32254 SEQ=2908782683 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=42700 PROTO=TCP SPT=32766 DPT=6947 SEQ=2489112272 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=23675 PROTO=TCP SPT=32766 DPT=14053 SEQ=2013528481 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=23898 PROTO=TCP SPT=32766 DPT=55447 SEQ=86568690 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=38067 PROTO=TCP SPT=32766 DPT=31639 SEQ=3108078619 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=30385 PROTO=TCP SPT=32766 DPT=47731 SEQ=2241243133 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=62681 PROTO=TCP SPT=32766 DPT=35442 SEQ=4115338644 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=48080 PROTO=TCP SPT=32766 DPT=24375 SEQ=3180826584 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=59026 PROTO=TCP SPT=32766 DPT=64621 SEQ=98333120 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=33585 PROTO=TCP SPT=32766 DPT=7261 SEQ=731313235 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=60776 PROTO=TCP SPT=32766 DPT=58273 SEQ=925984246 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=50241 PROTO=TCP SPT=32766 DPT=23969 SEQ=4017484511 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=54614 PROTO=TCP SPT=32766 DPT=58161 SEQ=2516147544 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=28433 PROTO=TCP SPT=32766 DPT=58337 SEQ=583526351 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=43207 PROTO=TCP SPT=32766 DPT=181 SEQ=749454157 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=51190 PROTO=TCP SPT=32766 DPT=48101 SEQ=1783371564 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=25791 PROTO=TCP SPT=32766 DPT=31834 SEQ=163017690 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:19 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=37537 PROTO=TCP SPT=32766 DPT=59406 SEQ=1038553488 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:20 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=44446 PROTO=TCP SPT=32766 DPT=565 SEQ=1270400148 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:20 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=23755 PROTO=TCP SPT=32766 DPT=1440 SEQ=3753914964 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:20 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=26843 PROTO=TCP SPT=32766 DPT=35415 SEQ=3762784691 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
May 25 12:26:20 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=64.227.14.214 DST=XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=33210 PROTO=TCP SPT=32766 DPT=19796 SEQ=2323556305 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000

 

[ColinTaylor]

Looks like normal hacking/scanning attempts. Welcome to the internet.

64.227.14.214 | DigitalOcean LLC | AbuseIPDB

www.abuseipdb.com

Make sure you don't have any services (HTTP, SSH, etc.) exposed to the internet on standard ports otherwise they will attract more attention than normal.

 

[dave14305]

And if you don’t have any open ports on the WAN, Skynet inbound blocking is really unnecessary IMO and can just create false anxiety because the regular firewall would have blocked those incoming connection attempts anyway. But it would have done it silently.

 

[ahab]

Do you think removing Skynet from the picture would prevent the router from overloading and dropping connections? I guess it's pretty easy to find out... I don't care about the log files but having my office VPN drop every few hours as the router goes into convulsions is annoying at best.