Firewall attacks from Telecoms Worldwide (anyone else seeing this trend) ??
21-02-2014 4:57 AM
Or are you seeing a different trend / consistency in your logs?
I use https://ipdb.at/ & http://en.utrace.de/ to check the IP addresses, although some may have a different preferred choice.
Some recent attacks have been documented at http://community.plus.net/forum/index.php/topic,122856.msg1076068.html#msg1076068
Quoted from the router's Recorded Events log (Time / Message):
Warning Feb 20 20:34:03 IDS scan parser : tcp port scan: 87.248.210.254 [Limelight Networks Italy] scanned at least 10 ports at [IP Address Removed] . (1 of 1) : 87.248.210.254 [Limelight Networks Italy] [IP Address Removed] 0040 TCP 80->57789 [...R..] seq 4134307862 win 0
Error Feb 20 19:20:27 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.39.31.142 [Information OVH Systems France] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Port Unreacheable
Error Feb 20 19:05:27 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.39.31.142 [Information OVH Systems France] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Port Unreacheable
Warning Feb 20 18:42:09 IDS scan parser : tcp port scan: 173.194.34.165 [lhr14s22-in-f5.1e100.net ISP GOOGLE Mountain View California USA] scanned at least 10 ports at [IP Address Removed] . (1 of 1) : 173.194.34.165 [IP Address Removed] 0040 TCP 80->56009 [...R..] seq 348313452 win 0
Error Feb 20 18:24:51 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 213.208.135.76 [webmachine Unixsecurity Network VIE-IX Austria] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Port Unreacheable
Warning Feb 20 14:07:06 IDS scan parser : stealth tcp full xmas scan: 66.196.116.134 [nktomi Corporation SunnyVale California hostname is reg1.push.mobile.vip.bf1.yahoo.com] scanned at least 10 ports at [IP Address Removed] . (1 of 1) : 66.196.116.134 [IP Address Removed] 0040 TCP 443->50859 [...R..] seq 869128548 win 0
Error Feb 20 13:05:28 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 24.35.19.113 [Broadstripe hostname c-24-35-19-113.customer.broadstripe.net Severn Maryland USA] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Communication Administratively Prohibited
Error Feb 20 12:56:32 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 114.36.163.56 [CHTD, Chunghwa Telecom Co., Ltd Taiwan] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Communication Administratively Prohibited
Error Feb 20 12:43:00 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 92.62.51.152 [Nienschanz Telecom Ltd Russia] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Port Unreacheable
Message 1 of 4
Re: Firewall attacks from Telecoms Worldwide (anyone else seeing this trend) ??
21-02-2014 6:49 AM
In general, you and everyone else will see this stuff all the time.
If you don't see any single packets to common TCP or UDP ports such as tcp port 23 (telnet), tcp port 22 (ssh) or udp port 53 (dns), that must be either because you have the Plusnet broadband firewall enabled so that those packets are dropped before being sent to your router, or just that your router doesn't log every single unexpected packet.
e.g. selected packets today:
[00:22:15] IN=ppp0 OUT= MAC= SRC=122.136.196.116 DST=91.125.my.ip LEN=83 TOS=0x00 PREC=0x80 TTL=104 ID=61904 PROTO=UDP SPT=29872 DPT=53 LEN=63
[00:46:32] IN=ppp0 OUT= MAC= SRC=188.92.75.120 DST=91.125.my.ip LEN=44 TOS=0x00 PREC=0x80 TTL=40 ID=49517 PROTO=TCP SPT=56439 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[02:54:33] IN=ppp0 OUT= MAC= SRC=189.157.20.232 DST=91.125.my.ip LEN=60 TOS=0x00 PREC=0x80 TTL=45 ID=20685 DF PROTO=TCP SPT=59312 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
However, firewall log entries are not necessarily due to some malicious activity. Log entries from port 80 or 443 from a Google IP address are probably related to web browsing, perhaps some TCP connections to the page were not closed cleanly.
Also, entries from any of 4 Plusnet IP addresses while you're browsing these forums, which might look like an "ACK scan" if there are enough of them, such as:
[06:41:12] IN=ppp0 OUT= MAC= SRC=84.93.235.210 DST=91.125.my.ip LEN=67 TOS=0x00 PREC=0x80 TTL=55 ID=26780 DF PROTO=TCP SPT=44340 DPT=13401 WINDOW=262 RES=0x00 ACK PSH URGP=0
are because Plusnet still haven't sorted out the forums / forum servers yet: https://community.plus.net/forum/index.php/topic,117757.0.html
Message 2 of 4
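As an added example (not code from the thread, the router vendor or Plusnet), the following Python script parses both log formats quoted in this thread, the router's onboard Security log and the netfilter-style lines in the reply above, and applies the reply's reasoning to each entry: a RST from source port 80 or 443 is browsing residue, a late ACK/PSH from a known forum server is a stale session rather than an "ACK scan", and a single SYN or UDP packet to telnet, ssh or dns is the background probing everyone sees. The sample lines, the 198.51.100.7 destination placeholder, the forum-server allow-list, the service-port table and the letter-to-flag mapping assumed for the router's bracketed `[...R..]` field are constructed for the example; the ICMP parser tolerates the bracketed whois annotations the poster added, the IDS parser expects the bare form.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the two formats this thread shows: the router's
# onboard Security log (IDS scan parser / FIREWALL icmp check) and the netfilter
# style (IN=ppp0 ... PROTO= SPT= DPT= flags). 198.51.100.7 is a documentation-range
# placeholder standing in for the "[IP Address Removed]" / "91.125.my.ip" destination.
SAMPLE_LOG = """\
Warning Feb 20 20:34:03 IDS scan parser : tcp port scan: 87.248.210.254 scanned at least 10 ports at 198.51.100.7 . (1 of 1) : 87.248.210.254 198.51.100.7 0040 TCP 80->57789 [...R..] seq 4134307862 win 0
Error Feb 20 19:20:27 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.39.31.142 Dst ip: 198.51.100.7 Type: Destination Unreachable Code: Port Unreacheable
[00:22:15] IN=ppp0 OUT= MAC= SRC=122.136.196.116 DST=198.51.100.7 LEN=83 TOS=0x00 PREC=0x80 TTL=104 ID=61904 PROTO=UDP SPT=29872 DPT=53 LEN=63
[00:46:32] IN=ppp0 OUT= MAC= SRC=188.92.75.120 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x80 TTL=40 ID=49517 PROTO=TCP SPT=56439 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[06:41:12] IN=ppp0 OUT= MAC= SRC=84.93.235.210 DST=198.51.100.7 LEN=67 TOS=0x00 PREC=0x80 TTL=55 ID=26780 DF PROTO=TCP SPT=44340 DPT=13401 WINDOW=262 RES=0x00 ACK PSH URGP=0
"""

# Addresses the reply attributes to Plusnet's own forum servers; this allow-list is
# constructed from the single address quoted in the thread.
KNOWN_FORUM_SERVERS = {"84.93.235.210"}
# The well-known service ports the reply says are the ones worth noticing.
SERVICE_PORTS = {22: "ssh", 23: "telnet", 53: "dns"}

IP = r"\d+\.\d+\.\d+\.\d+"
# Router IDS line: "... : <src> <dst> 0040 TCP 80->57789 [...R..] seq ..."
IDS_RE = re.compile(rf"(?P<src>{IP})\s+(?P<dst>{IP})\s+\S+\s+(?P<proto>TCP|UDP)\s+"
                    r"(?P<sport>\d+)->(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]")
# Router ICMP line: "Protocol: ICMP Src ip: <src> [notes] Dst ip: <dst> Type: ... Code: ..."
ICMP_RE = re.compile(rf"Protocol:\s*ICMP\s+Src ip:\s*(?P<src>{IP}).*?Dst ip:\s*(?P<dst>{IP})"
                     r"\s+Type:\s*(?P<type>.+?)\s+Code:\s*(?P<code>.+)$")
# Assumed letter-to-flag mapping for the router's bracketed flag field, e.g. [...R..].
LETTER_FLAGS = {"S": "SYN", "A": "ACK", "R": "RST", "P": "PSH", "F": "FIN", "U": "URG"}
NF_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")      # netfilter KEY=value pairs
NF_FLAGS = {"SYN", "ACK", "PSH", "RST", "FIN", "URG"}  # netfilter flags are bare words


@dataclass
class Event:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: frozenset = field(default_factory=frozenset)
    icmp: str = ""


def parse_line(line: str) -> Optional[Event]:
    """Parse one line in either format; return None for lines we do not recognise."""
    line = line.strip()
    if "PROTO=" in line:  # netfilter style
        kv = dict(NF_KV_RE.findall(line))
        flags = frozenset(tok for tok in line.split() if tok in NF_FLAGS)
        return Event(kv["PROTO"], kv["SRC"], kv["DST"],
                     int(kv["SPT"]) if "SPT" in kv else None,
                     int(kv["DPT"]) if "DPT" in kv else None, flags)
    m = ICMP_RE.search(line)
    if m:
        return Event("ICMP", m["src"], m["dst"], icmp=f"{m['type']} / {m['code']}")
    m = IDS_RE.search(line)
    if m:
        flags = frozenset(LETTER_FLAGS[c] for c in m["flags"] if c in LETTER_FLAGS)
        return Event(m["proto"], m["src"], m["dst"], int(m["sport"]), int(m["dport"]), flags)
    return None


def classify(ev: Event) -> str:
    """Apply the reply's triage reasoning: most entries are background noise, and
    several common shapes are explained by this side's own traffic."""
    if ev.proto == "ICMP":
        # An ICMP error is a reply to something this side sent, not a connection attempt.
        return "icmp-error" if ev.icmp.startswith("Destination Unreachable") else "icmp-other"
    if ev.proto == "TCP" and "RST" in ev.flags and ev.sport in (80, 443):
        # A web server resetting a session this side already closed: browsing residue.
        return "stray-web-reset"
    if ev.src in KNOWN_FORUM_SERVERS and "ACK" in ev.flags and "SYN" not in ev.flags:
        # Late ACK/PSH from the forum servers: a stale session, not an "ACK scan".
        return "forum-server-stale-ack"
    is_syn = ev.proto == "TCP" and "SYN" in ev.flags and "ACK" not in ev.flags
    if ev.dport in SERVICE_PORTS and (is_syn or ev.proto == "UDP"):
        # Single unsolicited packets to telnet/ssh/dns: the probing everyone sees.
        return f"unsolicited-probe-{SERVICE_PORTS[ev.dport]}"
    return "unclassified"


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (source address, category) for every line that parses."""
    out = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            out.append((ev.src, classify(ev)))
    return out


def summarize(log_text: str) -> Dict[str, int]:
    """Count categories so the noise buckets can be set aside and the rest reviewed."""
    return dict(Counter(cat for _, cat in triage(log_text)))


if __name__ == "__main__":
    for src, cat in triage(SAMPLE_LOG):
        print(f"{src:>16}  {cat}")
    print(summarize(SAMPLE_LOG))
```

Anything left in the "unclassified" bucket is what deserves a whois lookup; everything else the script has already explained the way the reply does, and the categories can be extended as more benign shapes are recognised.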
Re: Firewall attacks from Telecoms Worldwide (anyone else seeing this trend) ??
21-02-2014 8:35 AM
I know we all will see this stuff all the time.
However, I am referring to the latest trend / consistency I am seeing from Telecoms Worldwide, as per the title.
Quoted log entry:
Feb 21 08:04:01 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 175.119.119.19 [Hanaro Telecom Seoul Korea] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Port Unreacheable
Not everybody will be capturing packets.
I am referring to the onboard Security log:
http://192.168.1.254/cgi/b/events/?be=0&l0=1&l1=2
Message 3 of 4
Re: Firewall attacks from Telecoms Worldwide (anyone else seeing this trend) ??
21-02-2014 1:06 PM
A large block of IP addresses assigned to British Telecom, for example, will be for broadband customers.
According to the standard whois command line program:
175.119.119.19 is from 175.112.0.0 - 175.127.255.255, SK Broadband Co Ltd (Seoul, South Korea)
92.62.51.152 is from 92.62.48.0 - 92.62.51.255, PNTL; SatTel Corporation, Ltd; brand PiN Telecom (Russia)
114.36.163.56 is from 114.36.0.0/16, which just says HINET-NET (from whois.twnic.net, so Taiwan)
So they could just be IP addresses of broadband customer connections in those countries.
Message 4 of 4