Firewall reports lots of blocked connections from one source

amcclean
Rising Star
Posts: 1,817
Thanks: 7
Registered: ‎30-07-2007

I have just looked at the firewall on the PN supplied router and have noticed multiple blocks with the following text. I have tried a reverse lookup to find out the origin of the address but it comes back as blocked/unreachable. I have only had this router connected for about 40 mins and have about 30 of these blocks:
FIREWALL replay check (1 of 2): Protocol: ICMP Src ip: 69.43.161.161 Dst ip: 212.*.*.* Type: Destination Unreachable Code: Port Unreacheable
I now have this one too:
IDS proto parser : tcp null port (1 of 1) : 123.151.42.61 212.*.*.*  0040 TCP 12200->0 [S.....] seq 1564181392 win 8192
Can anyone shed some light for my peace of mind?
Thanks
podman
{Edit Title modified}
Routefinder
Grafter
Posts: 453
Thanks: 1
Registered: ‎01-08-2007

The second one comes up as in China http://www.ip-adress.com/whois/123.151.42.61
The first one is:
IP: 69.43.161.161
Server location: San Diego in United States
ISP: Castle Access
So not sure if that helps, but ...
spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

My opinion is that small numbers of these are "normal" and can be ignored. For lots of them ...
But if you really want to be confused about what they mean, try this topic.
David
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

A whois lookup for 69.43.161.161 gives:
Quote
Trellian Pty Ltd NET-69-43-161-0-1 (NET-69-43-161-0-1) 69.43.161.0 - 69.43.161.255
Castle Access Inc ARIN-CASTLE-ALLOC (NET-69-43-128-0-1) 69.43.128.0 - 69.43.207.255
amcclean
Rising Star
Posts: 1,817
Thanks: 7
Registered: ‎30-07-2007

Thank you, I couldn't find any info on the last one.
I have removed the pn router as late last night I found a post in the forums talking about a number of ports which were left open. I wasn't wanting to take the risk.
podman
orbrey
Plusnet Alumni (retired)
Posts: 10,540
Registered: ‎18-07-2007

Hi podman,
Not sure what those are? As far as we're aware the only port open on the WAN side of the router is 51005, though I'll not go into details of what's on there and how it responds to queries (though I've no doubt the information is available on Google). If you could link to the post we'd be grateful.
alanf
Aspiring Pro
Posts: 1,931
Thanks: 78
Fixes: 1
Registered: ‎17-10-2007

Have you considered using the Plusnet Broadband Firewall to block unwanted traffic before it reaches your router?
http://www.plus.net/support/security/firewalls/broadbandfirewall.shtml
Beware that if you change product Plusnet in its wisdom disables the Broadband Firewall without telling you that it has done so and you have to reset it.
http://community.plus.net/forum/index.php/topic,74679.16.html
amcclean
Rising Star
Posts: 1,817
Thanks: 7
Registered: ‎30-07-2007

Hi,
It was a thread on the PN forums. I can't find it just now but it contained the error texts in its main text.
podman
30FTTC06
Pro
Posts: 2,286
Thanks: 108
Fixes: 4
Registered: ‎18-02-2013

I've had 123.* and 69.* IPs hitting me as well, not sure if it may be related or not. I cleared my logs after flushing the old IP, but I see the 123.* hit me again last night.
IDS proto parser : tcp null port (1 of 1) : 123.151.42.61 xx.115.191.xx 0040 TCP 12200->0 [S.....] seq 884179504 win 8192
I'll keep an eye on it.
30FTTC06
Pro
Posts: 2,286
Thanks: 108
Fixes: 4
Registered: ‎18-02-2013

2 more times yesterday, I get the same IP hitting me. Anybody have any more info on this IP?
IDS proto parser : tcp null port (1 of 1) : 123.151.42.61 xx.112.4.xx 0040 TCP 12209->0 [S.....] seq 555868298 win 8192
IDS proto parser : tcp null port (1 of 1) : 123.151.42.61 xx.112.4.xx 0040 TCP 12200->0 [S.....] seq 1254269395 win 8192
IP address: 123.151.42.61
ISP: CHINANET TIANJIN PROVINCE NETWORK
Organization: China Telecom TIANJIN
City: Tianjin
Region: Tianjin
Country: China (CN)
latitude: 39.1422
longitude: 117.1767

Checking IP against the top SPAM source databases and Email Policy block lists...
Note this may include some end-user IP address ranges which should not be delivering unauthenticated SMTP email.
123.151.42.61 is blacklisted! --> [dnsbl-1.uceprotect.net] - IP 123.151.42.61 is UCEPROTECT-Level 1 listed. See info
123.151.42.61 is not in any known email block lists, including ISP Policy blocks.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

I just searched for 123.151.42.61 in my saved logs. 123.151.42.61 appeared in pretty much every day since July 6th which was the first day saved. Earlier 123.151.42.61 generally tried to connect to TCP port 8080, then various port numbers such as 8008, 9081, 9090, then 1723 for a bit, occasionally port 80, back to ports around 8000-9000, and this "null port" or port 0, which I assume isn't a valid port number and is an attempt to exploit some bug (bugs which were probably fixed years ago), started on November 26th.
Here's a selection of IPs from yesterday's log (I picked out packets going to ports 22, 23, 1433 and 53)

I wouldn't worry about it too much.
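
Added example, not part of any post in this thread: a small Python summariser for the router's "IDS proto parser" lines in the layout quoted above. It groups hits by source to show whether one sender is using the same SYN-to-port-0 probe and window size against several addresses. The sample log is constructed with documentation addresses, and `noisy_after` is a hypothetical review threshold.

```python
import re
from collections import defaultdict

# Layout of the "IDS proto parser" lines quoted in this thread.
IDS_LINE = re.compile(
    r"IDS proto parser\s*:\s*(?P<rule>.+?)\s*\(\d+ of \d+\)\s*:\s*"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+\d+\s+TCP\s+"
    r"(?P<sport>\d+)->(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]\s+"
    r"seq\s+\d+\s+win\s+(?P<win>\d+)"
)

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
IDS proto parser : tcp null port (1 of 1) : 192.0.2.61 198.51.100.7 0040 TCP 12200->0 [S.....] seq 884179504 win 8192
IDS proto parser : tcp null port (1 of 1) : 192.0.2.61 198.51.100.7 0040 TCP 12209->0 [S.....] seq 555868298 win 8192
FIREWALL replay check (1 of 2): Protocol: ICMP Src ip: 203.0.113.161 Dst ip: 198.51.100.7 Type: Destination Unreachable Code: Port Unreacheable
IDS proto parser : tcp null port (1 of 1) : 192.0.2.61 198.51.100.9 0040 TCP 12200->0 [S.....] seq 1254269395 win 8192
IDS proto parser : tcp null port (1 of 1) : 203.0.113.5 198.51.100.7 0040 TCP 40112->0 [S.....] seq 77120031 win 5840
"""

def summarise(log_text, noisy_after=3):
    """Group IDS hits by source; noisy_after is a hypothetical review threshold."""
    by_src = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        m = IDS_LINE.search(line)
        if m is None:
            skipped += 1          # other message types, e.g. "replay check"
            continue
        by_src[m["src"]].append(m)
    report = {}
    for src, hits in by_src.items():
        windows = {int(h["win"]) for h in hits}
        report[src] = {
            "hits": len(hits),
            "targets": sorted({h["dst"] for h in hits}),
            "src_ports": sorted({int(h["sport"]) for h in hits}),
            # Port 0 is reserved, so no ordinary service listens there.
            "syn_to_port0": all(h["dport"] == "0" and h["flags"].startswith("S") for h in hits),
            # One window size across several hits suggests a single fixed tool.
            "fixed_window": len(hits) > 1 and len(windows) == 1,
            "review": len(hits) >= noisy_after,
        }
    return report, skipped

if __name__ == "__main__":
    for src, info in summarise(SAMPLE_LOG)[0].items():
        print(src, info)
```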
30FTTC06
Pro
Posts: 2,286
Thanks: 108
Fixes: 4
Registered: ‎18-02-2013

Cheers ejs, most stuff I can explain away, but not that one. My Galaxy Tab 10.1 hasn't updated for so long now, I just like to keep an eye on things.