understand asus rt-56u router logs (possible invasion)


phill1978

Occasional Visitor
:confused:

any ideas:

kernel: DROP <4>DROPIN=ppp0 OUT= MAC= <1>SRC=210.6.206.198 DST=146.90.230.0 <1>LEN=60 TOS=0x00 PREC=0x80 TTL=45 ID=61264 DF PROTO=TCP <1>SPT=1247 DPT=23 SEQ=577273818 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (

I get lots of these DROPIN=ppp0 OUT= MAC=

I did a whois on the source IP and it came back with...

http://www.ip-adress.com/whois/210.6.206.198

Hong Kong / China? Is this accurate, and why is this address in my router logs? The destination is the Plusnet London network.

Did I buy a piece of Asian spyware when purchasing an Asus? :D


DROP <4>DROPIN=ppp0 OUT= MAC= <1>SRC=217.212.238.132 DST=146.90.230.0 <1>LEN=93 TOS=0x00 PREC=0xA0 TTL=50 ID=0 DF PROTO=UDP <1>SPT=3478 DPT=61971 LEN=73

^ That's a Swedish server

Is this just DNS listings?


I'm getting permanent listings in the router log (I'm on the latest firmware).

Nov 13 19:38:34 kernel: DROP <4>DROPIN=ppp0 OUT= MAC= <1>SRC=64.34.169.244 DST=146.90.230.0 <1>LEN=60 TOS=0x00 PREC=0x80 TTL=56 ID=62831 DF PROTO=TCP <1>SPT=47176 DPT=80 SEQ=774176840 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5D52F5270000000001030307)
Nov 13 19:38:37 kernel: DROP <4>DROPIN=ppp0 OUT= MAC= <1>SRC=64.34.169.244 DST=146.90.230.0 <1>LEN=60 TOS=0x00 PREC=0x80 TTL=56 ID=62832 DF PROTO=TCP <1>SPT=47176 DPT=80 SEQ=774176840 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5D52F8150000000001030307)
Nov 13 19:38:43 kernel: DROP <4>DROPIN=ppp0 OUT= MAC= <1>SRC=64.34.169.244 DST=146.90.230.0

pages of this stuff ^^

I have QoS off and most things are fairly standard. I have the firewall on the router and UPnP off. I also have no VPN set up, just a fairly standard CHAP PPPO connection to Plusnet RADIUS.

Any ideas, folks?

64.34.169.244 <- this one seems to be a genuine attack attempt going by the comments.

http://www.ipillion.com/ip/64.34.169.244


What can I do to safeguard against any access other than what I already have set as standard?
 
I wouldn't worry. Door rattling from exotic locales is part of the magic of participating in a global communications network. Typical scenario: some enterprising individual has a server that attempts to connect to every IP address on the Internet in hopes of identifying computers that run an outdated copy of LousySoftware Deluxe 2005. These systems can later be hacked into to join a botnet or send spam or whatever.

Remember, you see those log entries because they were blocked. Personally, I'd be more concerned about the ones that get through.

You can tell what services they are looking for by the port they attempt to connect to.

First is TCP 23, Telnet. Telnet and SSH are protocols used for management. Once an IP is identified with an open Telnet/SSH port, the next step for attackers is to run through a list of username/password combinations in hopes of gaining access.

Second is heading to a high-range dynamic port, but coming from UDP 3478, which is STUN. Probably from an IM or VOIP client.

Third and fourth are TCP 80, which is HTTP. IIS used to be a favorite target, but Apache is regularly targeted these days. Web servers can play an instrumental role in botnet ecology. Unlike PCs, which can be thrown in a laptop bag for weeks, the relatively high uptime environment makes them an ideal candidate for hosting malware or becoming a command and control node.

How do you protect your resources?
Most consumer networks run NAT. Although NAT has design flaws, one of its key advantages is that devices on the external network (the Internet) can't communicate with devices on the internal network unless the firewall can tell which port on the outside matches up with the PC/port on the inside. This means that unless LousySoftware Deluxe 2005 has a port open on the external interface, attackers can't get to it.

When it comes to determining what ports are open, most people stop wondering at port forwarding rules. Ever had to "open a port on X" on your firewall? That's port forwarding. Those are the applications you should be concerned about. Beyond that, you have to look into port translation, UPnP, and stateful firewalls, which I'm not willing to tackle.

What can I do about software that has an open port?
If the provider patches vulnerabilities, keep the software up to date. If they don't, look for alternatives.
 
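As an added illustration (not code from this thread, from Asus or from the router firmware), here is a small Python parser that reads the DROP lines quoted above and labels each one the way the reply does: by the port that identifies the service. The sample lines are the ones posted in the thread (the truncated fifth line is left out). The port-to-service map, the 49152 threshold for "high-range dynamic port", and the rule that a bare SYN without ACK is a new inbound connection attempt are my assumptions, not anything the router or the reply specifies.

```python
import re
from collections import Counter

# Dropped-packet lines copied from the router log quoted in this thread
# (the truncated fifth line is left out). Nothing in these lines is constructed.
SAMPLE_LOG = """\
kernel: DROP <4>DROPIN=ppp0 OUT= MAC= <1>SRC=210.6.206.198 DST=146.90.230.0 <1>LEN=60 TOS=0x00 PREC=0x80 TTL=45 ID=61264 DF PROTO=TCP <1>SPT=1247 DPT=23 SEQ=577273818 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (
DROP <4>DROPIN=ppp0 OUT= MAC= <1>SRC=217.212.238.132 DST=146.90.230.0 <1>LEN=93 TOS=0x00 PREC=0xA0 TTL=50 ID=0 DF PROTO=UDP <1>SPT=3478 DPT=61971 LEN=73
Nov 13 19:38:34 kernel: DROP <4>DROPIN=ppp0 OUT= MAC= <1>SRC=64.34.169.244 DST=146.90.230.0 <1>LEN=60 TOS=0x00 PREC=0x80 TTL=56 ID=62831 DF PROTO=TCP <1>SPT=47176 DPT=80 SEQ=774176840 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5D52F5270000000001030307)
Nov 13 19:38:37 kernel: DROP <4>DROPIN=ppp0 OUT= MAC= <1>SRC=64.34.169.244 DST=146.90.230.0 <1>LEN=60 TOS=0x00 PREC=0x80 TTL=56 ID=62832 DF PROTO=TCP <1>SPT=47176 DPT=80 SEQ=774176840 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5D52F8150000000001030307)
"""

# Assumed service map: standard IANA assignments for the ports the reply discusses.
WELL_KNOWN = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS", 3478: "STUN"}
IANA_DYNAMIC_START = 49152   # assumed threshold for "high-range dynamic port"

FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")
TIMESTAMP_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+")


def parse_line(line):
    """Parse one netfilter-style DROP line into a dict, or return None for other lines."""
    if "DROP" not in line:
        return None
    rec = {"flags": set()}
    m = TIMESTAMP_RE.match(line)
    rec["time"] = m.group(1) if m else None
    for key, value in FIELD_RE.findall(line):
        if key == "DROPIN":          # the firmware glues "DROP" onto "IN="; undo that
            key = "IN"
        rec.setdefault(key, value)   # keep the first LEN= (IP total length), not the UDP one
    for key in ("SPT", "DPT", "TTL"):
        if key in rec:
            rec[key] = int(rec[key])
    # Bare SYN / ACK / DF tokens are TCP/IP flags; "ACK=0" is the ack number, so "ACK=" is skipped.
    for flag in ("SYN", "ACK", "DF"):
        if re.search(r"\b%s\b(?!=)" % flag, line):
            rec["flags"].add(flag)
    return rec


def classify(rec):
    """Label a record the way the reply does: by the port that identifies the service."""
    proto, spt, dpt = rec.get("PROTO"), rec.get("SPT"), rec.get("DPT")
    # A SYN without ACK to a well-known port is someone trying to open a new session from outside.
    if proto == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"] and dpt in WELL_KNOWN:
        return "unsolicited %s connection attempt (doorknob rattling)" % WELL_KNOWN[dpt]
    # A well-known *source* port answering a dynamic port looks like a reply to an earlier outbound session.
    if proto == "UDP" and spt in WELL_KNOWN and dpt is not None and dpt >= IANA_DYNAMIC_START:
        return "%s server answering a dynamic port, probably a late reply to an earlier outbound session" % WELL_KNOWN[spt]
    if dpt in WELL_KNOWN:
        return "other traffic to %s" % WELL_KNOWN[dpt]
    return "other dropped traffic"


def summarize(log_text):
    """Parse every DROP line and count attempts per (source, protocol, destination port)."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    counts = Counter((r["SRC"], r["PROTO"], r["DPT"]) for r in records)
    return records, counts


if __name__ == "__main__":
    records, counts = summarize(SAMPLE_LOG)
    for r in records:
        print("%-16s %s %5s -> %-5s %s" % (r["SRC"], r["PROTO"], r["SPT"], r["DPT"], classify(r)))
    print()
    for (src, proto, dpt), n in counts.most_common():
        print("%2d x %s/%s from %s" % (n, proto, dpt, src))
```

The per-source counter is the part worth keeping around: repeated SYNs from one address to one port over a few seconds (the two 64.34.169.244 lines) are ordinary TCP retransmits of a single blocked attempt, not four separate attackers, and a count per (source, port) makes that obvious at a glance.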
Excellent response, sir! :)

I like the term door rattling, hehe. Is that an official one?

I also have turned on my Plusnet ISP firewall to medium (separate to my own local router) as part of my account settings; it was turned to off. Things are still working, so that's a bonus.

With regards to port forwarding, I'm aware of what it is but as of yet haven't done it, although I might have to if I want to access my files remotely from an internal file server.

Thanks again, I'll rest easier now.
 
I noticed I was looking at the source port for the first and second firewall entries, when the destination is the relevant one. The original post has been amended. Too close to dinnertime, I guess.

A quick Google search shows "doorknob rattling" is a pretty common term for the behavior. "Unsolicited connection attempts" doesn't have that dismissive connotation that "doorknob rattling" has.

As far as putting a file share on the Internet is concerned, you might want to consider cloud storage instead. The trade-off is security you can control vs having to rely on your ability to secure the device. Personal data is debatable, but for low-harm data like your music collection, not having to worry about the latest security flaw of the week is a no-brainer.
 
