cancel
Showing results for 
Search instead for 
Did you mean: 

Firewall attacks from Telecoms Worldwide (anyone else seeing this trend) ??

TORPC
Grafter
Posts: 5,163
Registered: 08-12-2013

Firewall attacks from Telecoms Worldwide (anyone else seeing this trend) ??

Or are you seeing a different Trend / Consistency in your logs
I use https://ipdb.at/ & http://en.utrace.de/ to check the IP addresses although some may have a different preferred choice Wink
Some recent attacks has been documented @ http://community.plus.net/forum/index.php/topic,122856.msg1076068.html#msg1076068
Quote
Recorded Events
Time              Message
Warning Feb 20 20:34:03 IDS scan parser : tcp port scan: 87.248.210.254 [Limelight Networks Italy] scanned at least 10 ports at [IP Address Removed] . (1 of 1) : 87.248.210.254 [Limelight Networks Italy] [IP Address Removed] 0040 TCP 80->57789 [...R..] seq 4134307862 win 0

Error Feb 20 19:20:27 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.39.31.142 [Information OVH Systems France] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Port Unreacheable

Error Feb 20 19:05:27 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.39.31.142 [Information OVH Systems France] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Port Unreacheable

Warning Feb 20 18:42:09 IDS scan parser : tcp port scan: 173.194.34.165 [lhr14s22-in-f5.1e100.net ISP GOOGLE Mountain View California USA] scanned at least 10 ports at [IP Address Removed] . (1 of 1) : 173.194.34.165 [IP Address Removed] 0040 TCP 80->56009 [...R..] seq 348313452 win 0

Error Feb 20 18:24:51 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 213.208.135.76 [webmachine Unixsecurity Network VIE-IX Austria] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Port Unreacheable

Warning Feb 20 14:07:06 IDS scan parser : stealth tcp full xmas scan: 66.196.116.134 [nktomi Corporation SunnyVale California hostname is reg1.push.mobile.vip.bf1.yahoo.com] scanned at least 10 ports at [IP Address Removed] . (1 of 1) : 66.196.116.134 [IP Address Removed] 0040 TCP 443->50859 [...R..] seq 869128548 win 0

Error Feb 20 13:05:28 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 24.35.19.113 [Broadstripe hostname c-24-35-19-113.customer.broadstripe.net Severn Maryland USA] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Communication Administratively Prohibited

Error Feb 20 12:56:32 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 114.36.163.56 [CHTD, Chunghwa Telecom Co., Ltd Taiwan] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Communication Administratively Prohibited

Error Feb 20 12:43:00 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 92.62.51.152 [Nienschanz Telecom Ltd Russia] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Port Unreacheable

3 REPLIES
Community Veteran
Posts: 4,972
Thanks: 363
Fixes: 16
Registered: 10-06-2010

Re: Firewall attacks from Telecoms Worldwide (anyone else seeing this trend) ??

In general, you and everyone else will see this stuff all the time.
If you don't see any single packets to common TCP or UDP ports such as tcp port 23 (telnet), tcp port 22 (ssh) or udp port 53 (dns), that must be either because you have the Plusnet broadband firewall enabled so that those packets are dropped before being sent to your router, or just that your router doesn't log every single unexpected packet.
e.g. selected packets today
[00:22:15] IN=ppp0 OUT= MAC= SRC=122.136.196.116 DST=91.125.my.ip LEN=83 TOS=0x00 PREC=0x80 TTL=104 ID=61904 PROTO=UDP SPT=29872 DPT=53 LEN=63
[00:46:32] IN=ppp0 OUT= MAC= SRC=188.92.75.120 DST=91.125.my.ip LEN=44 TOS=0x00 PREC=0x80 TTL=40 ID=49517 PROTO=TCP SPT=56439 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[02:54:33] IN=ppp0 OUT= MAC= SRC=189.157.20.232 DST=91.125.my.ip LEN=60 TOS=0x00 PREC=0x80 TTL=45 ID=20685 DF PROTO=TCP SPT=59312 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

However, firewall log entries are not necessarily due to some malicious activity. Log entries from port 80 or 443 from a Google IP address are probably related to web browsing, perhaps some TCP connections to the page were not closed cleanly.
also entries from any of 4 Plusnet IP addresses while you're browsing these forums, which might make an "ACK scan" if there are enough of them, such as:
[06:41:12] IN=ppp0 OUT= MAC= SRC=84.93.235.210 DST=91.125.my.ip LEN=67 TOS=0x00 PREC=0x80 TTL=55 ID=26780 DF PROTO=TCP SPT=44340 DPT=13401 WINDOW=262 RES=0x00 ACK PSH URGP=0 

are because Plusnet's still haven't sorted out the forums / forum servers yet: https://community.plus.net/forum/index.php/topic,117757.0.html
TORPC
Grafter
Posts: 5,163
Registered: 08-12-2013

Re: Firewall attacks from Telecoms Worldwide (anyone else seeing this trend) ??

I know we all will see this stuff all the time
However I am referring to the latest trend / consistency I am seeing from Telecoms Worldwide, as per title Wink
Quote
Feb 21 08:04:01 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 175.119.119.19 [Hanaro Telecom Seoul Korea] Dst ip: [IP Address Removed] Type: Destination Unreachable Code: Port Unreacheable

Not everybody will be capturing packets
I am referring to the onboard Security log
http://192.168.1.254/cgi/b/events/?be=0&l0=1&l1=2
Community Veteran
Posts: 4,972
Thanks: 363
Fixes: 16
Registered: 10-06-2010

Re: Firewall attacks from Telecoms Worldwide (anyone else seeing this trend) ??

A large block of IP addresses assigned to British Telecom for example, will be for broadband customers.
According to the standard whois command line program:
175.119.119.19 is from 175.112.0.0 - 175.127.255.255, SK Broadband Co Ltd (Seoul, South Korea)
92.62.51.152 is from 92.62.48.0 - 92.62.51.255, PNTL; SatTel Corporation, Ltd; brand PiN Telecom (Russia)
114.36.163.56 is from 114.36.0.0/16 which just says HINET-NET from (whois.twnic.net, so Taiwan)
So they could just be IP addresses of broadband customer connections in those countries.