DNS Port Scans

  • Oldjim
  • Forum Moderator
« on 31/10/2009, 10:35 »
I have just upgraded the firmware on my Netgear router and the log is now showing some very odd results.
These scans are from the DNS servers
Quote
Sat, 2009-10-31 10:23:26 - UDP Packet - Source:208.67.220.220 Destination:192.168.0.2 - [PORT SCAN]
Sat, 2009-10-31 10:24:36 - UDP Packet - Source:208.67.220.220,53 Destination:192.168.0.2,52702 - [DOS]
Sat, 2009-10-31 10:24:36 - UDP Packet - Source:208.67.220.220,53 Destination:192.168.0.2,57713 - [DOS]
Sat, 2009-10-31 10:24:37 - UDP Packet - Source:208.67.220.220,53 Destination:192.168.0.2,65106 - [DOS]
Sat, 2009-10-31 10:24:37 - UDP Packet - Source:212.159.13.50,53 Destination:192.168.0.2,55783 - [DOS]
Sat, 2009-10-31 10:24:37 - UDP Packet - Source:212.159.13.50,53 Destination:81.174.168.118,56402 - [DOS]
Sat, 2009-10-31 10:24:37 - UDP Packet - Source:208.67.220.220 Destination:192.168.0.2 - [PORT SCAN]
Sat, 2009-10-31 10:24:39 - UDP Packet - Source:212.159.13.50,53 Destination:192.168.0.2,63830 - [DOS]
Sat, 2009-10-31 10:24:40 - UDP Packet - Source:212.159.13.50,53 Destination:192.168.0.2,59892 - [DOS]
Sat, 2009-10-31 10:24:40 - UDP Packet - Source:208.67.220.220 Destination:192.168.0.2 - [PORT SCAN]
Sat, 2009-10-31 10:24:41 - UDP Packet - Source:212.159.13.50 Destination:192.168.0.2 - [PORT SCAN]
Sat, 2009-10-31 10:24:42 - UDP Packet - Source:208.67.220.220 Destination:192.168.0.2 - [PORT SCAN]
Sat, 2009-10-31 10:24:43 - UDP Packet - Source:212.159.13.50 Destination:192.168.0.2 - [PORT SCAN]
Sat, 2009-10-31 10:24:43 - UDP Packet - Source:208.67.220.220 Destination:192.168.0.2 - [PORT SCAN]
Sat, 2009-10-31 10:24:43 - UDP Packet - Source:212.159.13.50 Destination:192.168.0.2 - [PORT SCAN]
Sat, 2009-10-31 10:24:45 - UDP Packet - Source:208.67.220.220 Destination:192.168.0.2 - [PORT SCAN]
Sat, 2009-10-31 10:24:45 - UDP Packet - Source:212.159.13.50 Destination:192.168.0.2 - [PORT SCAN]
Sat, 2009-10-31 10:24:45 - UDP Packet - Source:208.67.220.220 Destination:192.168.0.2 - [PORT SCAN]
Sat, 2009-10-31 10:24:46 - UDP Packet - Source:212.159.13.50 Destination:192.168.0.2 - [PORT SCAN]
I assume that this is normal activity. These are the firewall settings, so I don't know why I am getting the reports.
Actually I know why I am getting the reports, but I don't know why the router thinks they are DOS attacks and port scans.

« Last Edit: 31/10/2009, 10:41 by Oldjim »



* Attachment: 2009-10-31_103322.jpg
* Attachment: 2009-10-31_103937.jpg
Jurassic Coast
Dorset Area Ramblers
Jim
Logged
« Reply #1 on 01/11/2009, 18:48 »
Someone with the same problem.

http://forums.opendns.com...nts.php?DiscussionID=4517

I had a funny thing with OpenDNS yesterday (not Netgear): on eBay, every time I clicked on an item for sale, OpenDNS blocked it as a "phishing site." Cured that by changing DNS server for a few hours.
West Sussex
Logged
  • ASBO DOG
  • Bright Spark
« Reply #2 on 01/11/2009, 18:52 »
I get this with the Xbox, Jim, although mine are always DOS, never had port scans. On my v4 I had to re-downgrade back to the old firmware.

Am still running V5.01.09 due to all other firmwares since giving this same issue of blocking genuine traffic.
Logged
  • Oldjim
  • Forum Moderator
« Reply #3 on 01/11/2009, 19:21 »
I upgraded the firmware as part of a troubleshooting exercise with Netgear and, touch wood, it seems to have fixed the problem I was seeing.
I have raised the question with Netgear - just waiting for a response
Logged
  • Peter Vaughan
  • Usergroup Member
« Reply #4 on 01/11/2009, 20:24 »
First, disable the DOS monitoring option as it is not actually a DOS and just fills your log up.

Second, the DNS entries are likely to be delayed responses to DNS lookups you have sent to the identified DNS servers. The Netgear opens up a UDP session when your PC sends out a DNS request but this only remains open for a very short time. If the DNS server fails to reply within this short time the Netgear reports it as a port scan or DOS.

It is nothing to worry about. I tend not to enable any of the Netgear monitoring options as they often just cause confusion and in the case of DOS it is just plain wrong! Just let the firewall do its stuff silently.
plusnet ADSL Customer (PlusNet Pro)
PlusNet Usergroup | PUG Forums | Usertools | PUG Issue Tracker - Please vote!!
Volunteer at the National Museum of Computing @ Bletchley Park - Looking for donations of old games consoles, PCs and software. Contact me for details
Logged
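A triage sketch for the explanation in Reply #4, added here as an example and not part of any post in the thread: it parses the router log format quoted in the first post and marks alerts that look like late DNS replies. The resolver list, the ephemeral port range, the verdict names and the last two sample lines are assumptions made for the example.

```python
import re
from collections import Counter

# Resolvers the LAN is configured to use (the two sources in the quoted log).
RESOLVERS = {"208.67.220.220", "212.159.13.50"}
# Assumption: clients send DNS queries from the 49152-65535 ephemeral range.
EPHEMERAL = range(49152, 65536)

LINE = re.compile(
    r"Source:(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+"
    r"Destination:(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+-\s+\[(?P<tag>[A-Z ]+)\]"
)

def classify(line):
    """Return (router_tag, verdict) for one log line, or None if it does not parse."""
    m = LINE.search(line)
    if not m:
        return None
    tag = m["tag"]
    if m["src"] not in RESOLVERS:
        return tag, "investigate"          # not one of our DNS servers
    if m["sport"] is None or m["dport"] is None:
        # PORT SCAN lines carry no ports, so only the source can be checked.
        return tag, "resolver-no-ports"
    if int(m["sport"]) == 53 and int(m["dport"]) in EPHEMERAL:
        # Reply from port 53 to a client-side ephemeral port: consistent with
        # an answer that arrived after the router closed the UDP session.
        return tag, "likely-late-dns-reply"
    return tag, "investigate"

def summarize(lines):
    """Count (router_tag, verdict) pairs over all parseable lines."""
    return Counter(c for c in map(classify, lines) if c)

SAMPLE = [
    # First three lines are taken from the log in the first post.
    "Sat, 2009-10-31 10:24:36 - UDP Packet - Source:208.67.220.220,53 Destination:192.168.0.2,52702 - [DOS]",
    "Sat, 2009-10-31 10:24:37 - UDP Packet - Source:212.159.13.50,53 Destination:81.174.168.118,56402 - [DOS]",
    "Sat, 2009-10-31 10:24:40 - UDP Packet - Source:208.67.220.220 Destination:192.168.0.2 - [PORT SCAN]",
    # Constructed lines: unknown source, and a resolver hitting a non-ephemeral port.
    "Sat, 2009-10-31 10:25:01 - UDP Packet - Source:203.0.113.9,4444 Destination:192.168.0.2,137 - [DOS]",
    "Sat, 2009-10-31 10:25:02 - UDP Packet - Source:208.67.220.220,53 Destination:192.168.0.2,137 - [DOS]",
]

if __name__ == "__main__":
    for verdict, count in summarize(SAMPLE).items():
        print(count, *verdict)
```

Anything left as "investigate" is what deserves a closer look; the rest matches the delayed-reply pattern described above.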
  • Oldjim
  • Forum Moderator
« Reply #5 on 01/11/2009, 20:29 »
Peter,
I appreciate that, but what I am finding is a few sites not found due to the DNS lookup being a bit slow and being blocked.
I have asked Netgear how to whitelist the DNS servers.
Logged
  • Peter Vaughan
  • Usergroup Member
« Reply #6 on 01/11/2009, 20:38 »
Are you using your Netgear as the DNS server on your PCs - i.e. you use the IP address of the router as your DNS server? If so, don't, as it is not very good at it. I always set the DNS servers manually in any PCs I use so they go direct to the DNS servers.

I'm not aware of any way to whitelist any IPs in the Netgear routers.
Logged
  • Oldjim
  • Forum Moderator
« Reply #7 on 01/11/2009, 21:01 »
I wasn't aware of that.
Before updating the firmware I hadn't seen any problems.
Goes away to find out how to set the DNS servers in Windows 7  Grin
Edit - it's very easy, just need to decide whether to do it for both IPv4 and IPv6

« Last Edit: 01/11/2009, 21:03 by Oldjim »

Logged
« Reply #8 on 02/11/2009, 07:56 »
Why could you possibly need IPv6?

If you've run out of addresses on your home network you must have a lot of computers...

Question = Answered Tongue
Logged