
Router error log - attempted intrusion?

Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Router error log - attempted intrusion?

This is from the error log
Quote
Error Aug 12 10:06:35 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.135.128.114 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:57:54 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:55:04 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:52:30 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:46:40 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:42:27 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:40:49 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:39:46 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:36:40 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:35:02 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:31:11 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.135.8.125 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:30:01 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.135.8.125 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:27:33 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.135.8.125 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:21:04 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 69.31.34.209 Dst ip: <my IP address>Type: Time Exceeded Code: Time to Live exceeded in Transit
Given that these appear to be hacking attempts, should I be concerned, and could it affect the responsiveness of my system? One solution - although it may cause problems for the next person to get my fixed IP address - is to move to a dynamic one, as I don't really need a fixed one. It just came as standard on my old product and I never bothered changing it.
16 REPLIES 16
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Router error log - attempted intrusion?

Were you gaming at or before the time of those log entries? The ICMP Destination Unreachable log entries are common in Razer's log and 5.135.8.125 is described as "GAMEVPS" (presumably meaning a game virtual private server) in a whois lookup.
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Router error log - attempted intrusion?

I don't game or use P2P
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Router error log - attempted intrusion?

And it is still happening
Quote
Error Aug 12 13:19:47 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 174.127.72.35 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 13:18:38 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 174.127.72.35 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 13:15:47 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 5.135.128.114 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 13:14:28 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.135.128.114 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 13:13:14 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.135.128.114 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 13:09:42 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 174.127.72.35 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Info Aug 12 13:07:52 SNTP Synchronised to server: 212.159.6.10
Error Aug 12 13:08:11 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 174.127.72.35 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 13:07:01 FIREWALL icmp check (1 of 7): Protocol: ICMP Src ip: 5.135.128.114 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 13:00:43 FIREWALL icmp check (1 of 3): Protocol: ICMP Src ip: 5.135.128.114 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 12:58:05 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 174.127.72.35 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 12:54:45 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 174.127.72.35 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 12:53:41 FIREWALL icmp check (1 of 4): Protocol: ICMP Src ip: 174.127.72.35 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 12:50:41 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 5.135.128.114 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 12:49:00 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 174.127.72.35 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 12:46:42 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 5.135.128.114 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 12:44:51 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 174.127.72.35 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 12:42:44 FIREWALL icmp check (1 of 3): Protocol: ICMP Src ip: 174.127.72.35 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 12:41:37 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 174.127.72.35 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Wulfy
Grafter
Posts: 59
Registered: ‎01-08-2013

Re: Router error log - attempted intrusion?

Hi Oldjim,
Ping isn't something to worry about; it's a simple check to see if an IP is online or reachable. Unfortunately it's often used as a prelude to a port scan to find open ports by a hacker. By default I believe the Plusnet router is set to drop and ignore these anyway (and if not, just set it to anyway) and you can safely disregard these.
They shouldn't have any impact on your online performance (unless they were coming in at a rate of knots) and are still likely to show up with a dynamic IP or a fixed IP.
Best regards,
Chris Berry
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Router error log - attempted intrusion?

I am not sure if that is a factor as my router is set to respond to pings as I run the TBB monitor and that doesn't show up in the log
Wulfy
Grafter
Posts: 59
Registered: ‎01-08-2013

Re: Router error log - attempted intrusion?

Just done a quick check on the IPs listed there, one being for an Istanbul gov site, one being an NL site. I'm not sure why the TBB checker isn't showing up on there (as I use it myself as well), but pings can be disregarded safely.
spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: Router error log - attempted intrusion?

I don't think pings/tracerts will be reported in the router log whether it is set to respond to WAN pings or not. Those are "normal" messages either way and the router knows how to deal with them.
I think the messages posted by Oldjim are communication error messages sent by the source destinations notifying that a message (allegedly) sent to that host could not be delivered. Part of the message should enable the router to identify which of its local hosts sent the message and so return it to that host for appropriate action. However since the router cannot identify a local host it just logs the message as an "error".
It's possible that when several seemingly identical messages are logged they are not actually identical, the "original message" part not shown in the log might be different - in the hope of hitting upon a local-host match. Should the remote host be lucky there is potential for the local host to be compromised.
All speculation, of course. I normally get 5 or 6 of these types of message a day, yesterday's collection as follows
Quote (telnet log, so earliest at top)
<102> Aug 10 23:12:55 SNTP Synchronised again to server: 212.159.13.49
<81> Aug 11 05:23:26 FIREWALL icmp check (1 of 1):
Protocol: ICMP  Src ip: 178.33.100.149 Dst ip: <My IP>
Type: Time Exceeded Code: Time to Live exceeded in Transit
<81> Aug 11 20:29:04 FIREWALL icmp check (1 of 1):
Protocol: ICMP  Src ip: 188.138.9.74 Dst ip: <My IP>
Type: Destination Unreachable Code: Port Unreacheable
<81> Aug 11 20:52:51 FIREWALL icmp check (1 of 1):
Protocol: ICMP  Src ip: 188.138.9.74 Dst ip: <My IP>
Type: Destination Unreachable Code: Port Unreacheable
<81> Aug 11 21:24:23 FIREWALL icmp check (1 of 1):
Protocol: ICMP  Src ip: 188.138.9.74 Dst ip: <My IP>
Type: Destination Unreachable Code: Port Unreacheable
<81> Aug 11 22:57:22 FIREWALL icmp check (1 of 1):
Protocol: ICMP  Src ip: 67.16.142.54 Dst ip: <My IP>
Type: Time Exceeded Code: Time to Live exceeded in Transit
<102> Aug 11 23:12:11 SNTP Synchronised to server: 212.159.6.10
Can't think of any reason why Oldjim's IP should be receiving more.
David
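Added example, not part of any post in this thread: a small parser for the two log layouts quoted so far (the one-line web view and the multi-line telnet view) that tallies FIREWALL icmp entries per source address, with the ICMP type/code seen and the mean gap between entries. The sample lines are constructed with documentation addresses, and the year is an assumption because the log carries none.

```python
import re
from collections import defaultdict
from datetime import datetime

# A record starts with a severity word (web view) or a <nn> tag (telnet view).
RECORD_START = re.compile(r"\n(?=(?:Error|Info|<\d+>) )")
ENTRY = re.compile(
    r"(\w{3} +\d+ \d\d:\d\d:\d\d) FIREWALL icmp check \(\d+ of \d+\): "
    r"Protocol: ICMP Src ip: (\S+) Dst ip: .*?Type: (.+?) Code: (.+)$")

def parse(text, year=2013):  # year is assumed; the router log does not record it
    """Return (timestamp, src, icmp_type, icmp_code) for each FIREWALL icmp record."""
    out = []
    for rec in RECORD_START.split(text.strip()):
        m = ENTRY.search(" ".join(rec.split()))  # fold continuation lines into one
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3), m.group(4)))
    return out

def summarise(entries):
    """Per source: entry count, distinct type/code pairs, mean seconds between entries."""
    by_src = defaultdict(list)
    for ts, src, typ, code in entries:
        by_src[src].append((ts, typ, code))
    report = {}
    for src, hits in by_src.items():
        times = sorted(t for t, _, _ in hits)
        span = (times[-1] - times[0]).total_seconds()
        report[src] = {
            "count": len(hits),
            "kinds": sorted({f"{t} / {c}" for _, t, c in hits}),
            "mean_gap_s": round(span / (len(hits) - 1)) if len(hits) > 1 else None,
        }
    return report

# Constructed sample in the page's two layouts (addresses are documentation ranges).
SAMPLE = """Error Aug 12 09:57:54 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 192.0.2.10 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 09:55:04 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 192.0.2.10 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Info Aug 12 09:53:00 SNTP Synchronised to server: 198.51.100.1
Error Aug 12 09:52:04 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 192.0.2.10 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
<81> Aug 11 22:57:22 FIREWALL icmp check (1 of 1):
Protocol: ICMP  Src ip: 203.0.113.54 Dst ip: <My IP>
Type: Time Exceeded Code: Time to Live exceeded in Transit
"""

if __name__ == "__main__":
    for src, info in summarise(parse(SAMPLE)).items():
        print(src, info)
```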
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Router error log - attempted intrusion?

I am being picked on and mostly from Turkey
Quote
Error Aug 12 16:55:28 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.135.8.125 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 16:51:32 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.135.8.125 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 16:47:01 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.135.8.125 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 16:23:46 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 16:20:47 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 16:12:55 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 16:11:50 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 16:10:11 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 5.135.8.125 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 16:09:07 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Info Aug 12 16:07:55 SNTP Synchronised to server: 212.159.13.49
Error Aug 12 16:06:44 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.135.8.125 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 16:04:58 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 16:03:10 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 16:01:56 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 15:56:00 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 15:50:58 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 15:49:35 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 15:47:34 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable
Error Aug 12 15:45:18 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.107.230.170 Dst ip: <my IP address>Type: Destination Unreachable Code: Port Unreacheable

spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: Router error log - attempted intrusion?

I wonder if they "know you are there" from ping response? Could try turning that off for a while. TBB monitor will turn red, but if you are bothered you could disable that for the duration.
David
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Router error log - attempted intrusion?

Will try that and see what happens.
First thing that happened was the router crashed.
Back online now and ping responder disabled.
Also the router web interface is much quicker, so I think it was getting a bit clogged up.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Router error log - attempted intrusion?

It might be possible to extract some more information from the telnet commands "firewall debug stats" and "ids pattern stats".
You would think it would be possible to configure things so that the ping responder only replies to the tbb source IP addresses, I guess the command for that should be something like "service system ipadd name=PING_RESPONDER ip=80.249.99.164/28".
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Router error log - attempted intrusion?

Doesn't tell us anything
{admin}=>firewall debug stats
Statistics
==========
Used rule contexts              : 0
Total rule contexts             : 256
Total packets parsed            : 32277
Packets parsed in hook sink     : 3141
Packets parsed in hook forward  : 24590
Packets parsed in hook source   : 4209
Packets dropped in hook sink    : 3
Packets dropped in hook forward : 0
Packets dropped in hook source  : 0
TCP flag errors detected        : 0
TCP seq/ack/win errors detected : 0
TCP header errors detected      : 0
UDP header errors detected      : 0
ICMP header errors detected     : 0
ICMP errors with partial info   : 0
ICMP errors without cause       : 86
ICMP replies without request    : 0
Packet replay errors            : 0
{admin}=>ids pattern stats
Pattern tracker statistics:
---------------------------
memory                             : 32768 bytes
maximum number of patterns         : 512
number of active patterns          : 512
number of recycled patterns        : 227
number of pattern searches         : 10430
number of new patterns             : 739
maximum number of hash collisions  : 4
% of hash entries with collisions  : 8.49
% of hash entries unused           : 60.74
{admin}=>
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Router error log - attempted intrusion?

Quote from: Oldjim
{admin}=>firewall debug stats
...
ICMP errors without cause       : 86

I think it confirms that the log entries are these, that there was no outgoing packet that could have resulted in one of those "destination unreachable" packets legitimately arriving.
My totally different router and logging has very little icmp, mostly incoming echo requests from 128.9.168.98 and the other couple of IP addresses related to ant.isi.edu.
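Added example, not part of any post in this thread: the check spraxyt describes and the "ICMP errors without cause" counter suggests, written out for IPv4. An ICMP error quotes the IP header and first 8 bytes of the datagram that triggered it (RFC 792), so a stateful firewall can compare that quoted flow with the flows it has tracked. The flow table, the result labels and the sample addresses are assumptions made for the example; how this router's firmware decides is not shown on the page.

```python
import socket
import struct

def embedded_flow(icmp: bytes):
    """Return (proto, src, sport, dst, dport) quoted inside an ICMP error, or None."""
    if len(icmp) < 8 or icmp[0] not in (3, 11):   # 3 = Dest Unreachable, 11 = Time Exceeded
        raise ValueError("not one of the ICMP error types seen in the log")
    inner = icmp[8:]                     # skip type, code, checksum and 4 unused bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None                      # quoted IPv4 header missing or truncated
    ihl = (inner[0] & 0x0F) * 4          # quoted header length in bytes
    if ihl < 20 or len(inner) < ihl + 4:
        return None                      # no room for the quoted port numbers
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    if proto not in (6, 17):             # only TCP and UDP start with two ports
        return (proto, src, None, dst, None)
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, src, sport, dst, dport)

def classify(icmp: bytes, tracked_flows: set) -> str:
    """tracked_flows: hypothetical table of outbound flows as seen on the WAN side."""
    flow = embedded_flow(icmp)
    if flow is None:
        return "partial info"
    return "has cause" if flow in tracked_flows else "without cause"

def build_port_unreachable(src, sport, dst, dport) -> bytes:
    """Constructed sample: ICMP type 3 code 3 quoting a UDP datagram src:sport -> dst:dport."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp   # checksums left at 0 for the demo

if __name__ == "__main__":
    # One outbound DNS query the firewall has tracked (documentation addresses).
    flows = {(17, "198.51.100.7", 40000, "203.0.113.9", 53)}
    reply = build_port_unreachable("198.51.100.7", 40000, "203.0.113.9", 53)
    stray = build_port_unreachable("198.51.100.7", 51234, "203.0.113.50", 27015)
    print(classify(reply, flows))       # quoted flow is in the table
    print(classify(stray, flows))       # nothing was ever sent on that flow
    print(classify(reply[:20], flows))  # quoted header cut short
```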
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Router error log - attempted intrusion?

Update
After disabling pings there wasn't much of a change but then we had a short power cut and the router rebooted.
Since then there have been virtually none (there was one from the Department of Health Quebec - explain that one)