
Router log

mushy
Grafter
Posts: 182
Registered: ‎16-10-2012

Router log

Just happened to log into the router and getting lots of the following errors, could anyone explain what it means?
I'm not sure if someone is trying to gain entry through the router if I didn't know better
Router is Technicolor 582n
Recorded Events
Time Message  
Nov 26 20:31:44 FIREWALL replay check (1 of 7): Protocol: ICMP Src ip: 85.113.225.180 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 26 20:30:16 FIREWALL replay check (1 of 5): Protocol: ICMP Src ip: 83.53.34.147 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 26 20:29:47 LOGIN User admin logged in on [HTTP] (from 192.168.XXX.XXX)
Nov 26 20:29:06 FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 83.53.34.147 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 26 20:28:01 FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 77.122.137.65 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Host Unreacheable
Nov 26 20:26:58 FIREWALL replay check (1 of 3): Protocol: ICMP Src ip: 77.122.137.65 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Host Unreacheable
Nov 26 20:24:55 FIREWALL replay check (1 of 8): Protocol: ICMP Src ip: 94.89.15.81 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 26 20:22:58 FIREWALL replay check (1 of 4): Protocol: ICMP Src ip: 77.122.137.65 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Host Unreacheable
Nov 26 20:21:54 FIREWALL icmp check (1 of 3): Protocol: ICMP Src ip: 71.61.149.41 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Host Unreacheable
Nov 26 20:21:08 FIREWALL replay check (1 of 4): Protocol: ICMP Src ip: 88.22.32.157 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 26 20:20:47 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 88.252.186.211 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 26 20:19:41 FIREWALL icmp check (1 of 3): Protocol: ICMP Src ip: 151.45.117.83 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 26 20:19:05 FIREWALL replay check (1 of 7): Protocol: ICMP Src ip: 81.37.113.81 Dst ip: 46.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 26 20:18:33 FIREWALL icmp check (1 of 3): Protocol: ICMP Src ip: 190.147.41.78 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Host Unreacheable
Nov 26 20:16:42 FIREWALL replay check (1 of 2): Protocol: ICMP Src ip: 193.17.253.3 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 26 20:16:25 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 95.102.19.17 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 26 20:15:23 FIREWALL replay check (1 of 2): Protocol: ICMP Src ip: 81.36.26.166 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 26 20:14:26 SNTP Synchronised to server: 212.159.13.49
Nov 26 20:14:19 FIREWALL replay check (1 of 11): Protocol: ICMP Src ip: 80.245.117.58 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 26 20:13:09 FIREWALL replay check (1 of 13): Protocol: ICMP Src ip: 83.53.34.147 Dst ip: 46.208.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
9 REPLIES 9
spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: Router log

Those are unsolicited probes from the internet which your router is correctly blocking. As examples, a whois check shows 77.122.137.65 originates in Ukraine and 88.252.186.211 in Turkey.
A small number of these probes is normal and nothing to worry about. The larger number you are seeing is unusual though your router is protecting you. Assuming your IP address is dynamic I suggest logging into the router's web interface and disconnecting from Plusnet; wait a few seconds then reconnect. That should give you a new IP address which should stop the probes.
David
mushy
Grafter
Posts: 182
Registered: ‎16-10-2012

Re: Router log

Thanks spraxyt
I suspected as much and did a soft disconnect of the router this morning as it looked as though it had still been happening all night. I will check it again when I get home this evening.
Not sure what you could do in the event of having a static IP though apart from hoping they don't manage to get through.
Steve
Gus
Aspiring Pro
Posts: 3,236
Thanks: 26
Fixes: 3
Registered: ‎31-07-2007

Re: Router log

If you use any sharing software (P2P), that software will store your IP address and look for it for a few hours to a day after you close it. Or it could just be the bots that systematically scan each and every IP address looking for an insecure one.
If you are concerned you can stop pings from the internet; that will cut down on them but not stop them because of the bots. Click Toolbox and then Firewall; it is a "pick a task" at the bottom, "Allow PING on your WAN interface"; disable it if on. Note if you use thinkbroadband.com's ping tool, that will stop working with that turned off.
FTTP 500 regrade from Tues 28th November
mushy
Grafter
Posts: 182
Registered: ‎16-10-2012

Re: Router log

I very rarely use P2P software but suspect my daughter does now and again but will look at disabling the pings unless it is going to cause any significant problems. I don't use the thinkbroadband.com's ping tool so that shouldn't be an issue.
I will have a look later on tonight when I get home and check if there have been any more occurrences in the logs.
All help is very much appreciated.
Steve
mushy
Grafter
Posts: 182
Registered: ‎16-10-2012

Re: Router log

Quote from: Gus
If you are concerned you can stop pings from the internet; that will cut down on them but not stop them because of the bots. Click Toolbox and then Firewall; it is a "pick a task" at the bottom, "Allow PING on your WAN interface"; disable it if on. Note if you use thinkbroadband.com's ping tool, that will stop working with that turned off.

It is turned off by default on the Fibre router version of the Technicolor 582n, but I have seen fewer attacks this afternoon.
mushy
Grafter
Posts: 182
Registered: ‎16-10-2012

Re: Router log

Still seem to be getting loads of errors in the router log as listed below, if anyone could elaborate on some of them.
Is the "SNTP Synchronised to server" something to do with timing on PN's servers?
I guess the "FIREWALL icmp check" is intruders trying it on, not so sure about the "IDS fragment parser : fragment out-of-order" bits.


Nov 28 19:27:30 FIREWALL icmp check (1 of 6): Protocol: ICMP Src ip: 88.78.174.70 Dst ip: 146.90.XXX.XXX Type: Time Exceeded Code: Fragment Reassembly Time Exceeded
Nov 28 19:26:36 IDS fragment parser : fragment out-of-order (1 of 4) : 83.41.157.155 146.90.XXX.XXX 1492 UDP 6881->6881 frag 13683:1472@0+
Nov 28 19:25:32 IDS fragment parser : fragment out-of-order (1 of 17) : 70.27.237.109 146.90.XXX.XXX 1492 UDP 6881->6881 frag 3555:1472@0+
Nov 28 19:24:27 IDS fragment parser : fragment out-of-order (1 of 45) : 194.112.179.106 146.90.XXX.XXX 1492 UDP 19835->6881 frag 23437:1472@0+
Nov 28 19:23:55 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 94.223.154.11 Dst ip: 146.90.XXX.XXX Type: Time Exceeded Code: Fragment Reassembly Time Exceeded
Nov 28 19:23:26 IDS fragment parser : fragment out-of-order (1 of 5) : 93.133.131.87 146.90.XXX.XXX 1004 UDP 6881->6881 frag 4782:984@0+
Nov 28 19:23:24 FIREWALL replay check (1 of 22): Protocol: ICMP Src ip: 212.101.58.235 Dst ip: 146.90.XXX.XXX Type: Destination Unreachable Code: Communication Administratively Prohibited
Nov 28 19:22:36 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 94.134.164.138 Dst ip: 146.90.XXX.XXX Type: Destination Unreachable Code: Host Unreacheable
Nov 28 19:22:16 IDS fragment parser : fragment out-of-order (1 of 13) : 80.143.121.167 146.90.XXX.XXX 1492 UDP 6881->6881 frag 30680:1472@0+
Nov 28 19:22:03 FIREWALL replay check (1 of 2): Protocol: ICMP Src ip: 176.109.164.188 Dst ip: 146.90.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 28 19:14:05 SNTP Synchronised again to server: 212.159.13.49
Nov 28 18:14:05 SNTP Synchronised again to server: 212.159.13.49
Nov 28 17:14:05 SNTP Synchronised to server: 212.159.13.49
Nov 28 16:14:05 SNTP Synchronised to server: 212.159.13.50
Nov 28 15:14:05 SNTP Synchronised to server: 212.159.6.9
Nov 28 14:14:05 SNTP Synchronised again to server: 212.159.13.49
Nov 28 13:14:05 SNTP Synchronised to server: 212.159.13.49
Nov 28 12:14:05 SNTP Synchronised to server: 212.159.6.10
Nov 28 11:14:05 SNTP Synchronised to server: 212.159.13.50
Nov 28 10:14:05 SNTP Synchronised to server: 212.159.6.9
Nov 28 09:14:05 SNTP Synchronised to server: 212.159.13.50
Nov 28 08:14:05 SNTP Synchronised to server: 212.159.6.10
Nov 28 07:14:05 SNTP Synchronised to server: 212.159.6.9
Nov 28 06:14:05 SNTP Synchronised to server: 212.159.13.50
Nov 28 05:14:05 SNTP Synchronised to server: 212.159.6.10
Nov 28 04:14:05 SNTP Synchronised to server: 212.159.13.49
Nov 28 03:14:05 SNTP Synchronised to server: 212.159.6.9
Nov 28 02:14:05 SNTP Synchronised again to server: 212.159.13.49
Nov 28 01:50:43 FIREWALL replay check (1 of 31): Protocol: ICMP Src ip: 146.66.152.15 Dst ip: 146.90.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 28 01:49:18 FIREWALL replay check (1 of 9): Protocol: ICMP Src ip: 81.171.115.35 Dst ip: 146.90.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 28 01:14:05 SNTP Synchronised again to server: 212.159.13.49
Gus
Aspiring Pro
Posts: 3,236
Thanks: 26
Fixes: 3
Registered: ‎31-07-2007

Re: Router log

Quote
Is the "SNTP Synchronised to server" something to do with timing on PN's servers

It is just the router updating its date/time from Plusnet servers; you can change how often by using a telnet command.
http://community.plus.net/forum/index.php/topic,105421.msg899028.html#msg899028
I set mine to every 24 hours, which is more than enough and saves on log spam, as the web interface log doesn't hold that much.
FTTP 500 regrade from Tues 28th November
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Router log

Port 6881 is apparently some old "default" port used by bittorrent, so the log entries could be due to bittorrent:

  • the router not coping well with the large number of connections

  • other peers still trying to connect after the bittorrent program has been closed

  • congestion or traffic management causing the packets to arrive late


I doubt the firewall icmp check is "intruders trying it on", that would be more like:
Tue, 2012-11-20 12:04:11 - TCP Packet - Source:88.226.15.190,2949 Destination:87.113.X.X,23 - [DOS]
Tue, 2012-11-20 12:04:12 - TCP Packet - Source:83.66.75.111,4045 Destination:87.113.X.X,23 - [DOS]
Tue, 2012-11-20 12:04:12 - TCP Packet - Source:94.121.254.9,3885 Destination:87.113.X.X,23 - [DOS]
Tue, 2012-11-20 12:04:12 - TCP Packet - Source:78.163.127.101,3086 Destination:87.113.X.X,23 - [DOS]
(Not the same router, but they're attempts to connect to port 23, telnet).
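
An added example (not part of any post in this thread, and not router or Plusnet code): a small triage script for logs like those posted above. It groups FIREWALL entries by ICMP type and counts fragment entries aimed at UDP port 6881, the port the post above associates with bittorrent; treating N in "(1 of N)" as a repeat count is an assumption, and the function and field names are hypothetical.

```python
import re
from collections import Counter

# Sample lines copied from the logs posted in this thread (addresses as redacted there).
SAMPLE = """\
Nov 28 19:27:30 FIREWALL icmp check (1 of 6): Protocol: ICMP Src ip: 88.78.174.70 Dst ip: 146.90.XXX.XXX Type: Time Exceeded Code: Fragment Reassembly Time Exceeded
Nov 28 19:26:36 IDS fragment parser : fragment out-of-order (1 of 4) : 83.41.157.155 146.90.XXX.XXX 1492 UDP 6881->6881 frag 13683:1472@0+
Nov 28 19:24:27 IDS fragment parser : fragment out-of-order (1 of 45) : 194.112.179.106 146.90.XXX.XXX 1492 UDP 19835->6881 frag 23437:1472@0+
Nov 28 19:22:03 FIREWALL replay check (1 of 2): Protocol: ICMP Src ip: 176.109.164.188 Dst ip: 146.90.XXX.XXX Type: Destination Unreachable Code: Port Unreacheable
Nov 28 19:14:05 SNTP Synchronised again to server: 212.159.13.49
Nov 26 20:29:47 LOGIN User admin logged in on [HTTP] (from 192.168.XXX.XXX)
"""

FIREWALL = re.compile(
    r"FIREWALL (?P<check>\w+) check \(1 of (?P<n>\d+)\): Protocol: ICMP "
    r"Src ip: (?P<src>\S+) Dst ip: \S+ Type: (?P<type>.+?) Code: (?P<code>.+)$")
FRAGMENT = re.compile(
    r"IDS fragment parser : fragment out-of-order \(1 of (?P<n>\d+)\) : "
    r"(?P<src>\S+) \S+ \d+ (?P<proto>\w+) (?P<sport>\d+)->(?P<dport>\d+) ")
BITTORRENT_PORT = 6881  # the old default bittorrent port named in the post above

def triage(log_text):
    """Tally events per category; N in '(1 of N)' is assumed to be a repeat count."""
    summary = {"icmp_errors": Counter(), "frag_by_dport": Counter(),
               "p2p_fragments": 0, "other": 0}
    for line in log_text.splitlines():
        if m := FIREWALL.search(line):
            # Key on the ICMP type: both types seen here are ICMP error messages.
            summary["icmp_errors"][m["type"]] += int(m["n"])
        elif m := FRAGMENT.search(line):
            n, dport = int(m["n"]), int(m["dport"])
            summary["frag_by_dport"][dport] += n
            if m["proto"] == "UDP" and dport == BITTORRENT_PORT:
                summary["p2p_fragments"] += n
        elif line.strip():
            summary["other"] += 1  # SNTP, LOGIN and anything unrecognised
    return summary

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

A log where nearly all fragment entries target one local port that a P2P client uses fits the bittorrent explanation given above; entries spread across many destination ports would not.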
mushy
Grafter
Posts: 182
Registered: ‎16-10-2012

Re: Router log

Thanks for the help guys, I will try to telnet the settings once telnet is added into Windows features and time to see what torrents my daughter is downloading.
Cheers
Steve