Sudden Unexplained Firewall Changes, ICMP Attacks and Router Insecurities

Cobalt19
Grafter
Posts: 32
Registered: 08-05-2013

Sudden Unexplained Firewall Changes, ICMP Attacks and Router Insecurities

About a week ago I noticed something odd when perusing the Log of my Technicolor TG582n router - there were lines of information stating 'firewall rules have been changed', and yet I have not been interacting with the router to change anything. Having been worried by this, I tested my system with GRC's Shields Up! and discovered that things had also changed here - whereas before Shields Up reported my system totally stealthed, this time it showed there was a Reverse DNS detected and reported back this message (IP number replaced by XXX's)...
The text below might uniquely identify you on the Internet
Your Internet connection's IP address is uniquely associated with the following "machine name":
xx.xxx.xxx.xx.dyn.plus.net
First question - why has this changed? Before, GRC found it to be totally stealthed.
Then when I tested All Common Ports using Shields Up! it reported back the following worrying picture (bear in mind all recent tests beforehand showed totally green 'stealthed' ports):
(OK - I totally failed to upload the screenshot here, but it showed lines of blue 'Closed' ports in blocks of about ten consecutive ports, e.g. Port 0-10. In all there were about 7 blocks across the 1065, i.e. about 70 'closed' ports.) WHY is this happening? I just did this a few minutes ago.

The Router Log has many entries stating the following (own IP changed by me to x's): FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 178.219.101.185 Dst ip: xx.xxx.xxx.xx Type: Destination Unreachable Code: Port Unreacheable.
What are these? Who is sending these and why?
I changed the Plusnet Broadband Firewall just after this discovery a week ago from Low to High and it has not changed a thing. WHY?
Has someone hacked my Plusnet Firewall Settings? Has someone hacked my Router? How come I have no stealth suddenly when I had not changed anything? Could Plusnet be doing this? I am no expert at all this - but I am concerned about things changing which ShieldsUp seems to report back as much less secure all round.
Help from anyone appreciated.


3 REPLIES
Community Veteran
Posts: 5,057
Thanks: 426
Fixes: 16
Registered: 10-06-2010

Re: Sudden Unexplained Firewall Changes, ICMP Attacks and Router Insecurities

1. About the reverse DNS. It should be fairly clear that the text "xx.xxx.xxx.xx.dyn.plus.net" contains no more information about you than your IP address itself. It can easily be determined that your ISP is Plusnet from your IP address without reverse DNS, because the IP address is from a block allocated to Plusnet (lookups can be done with a whois program or via websites). If you don't have a static IP address, your IP address changes after your line drops, and some IPs you get might have reverse DNS entries and some might not - which explains why that part of the test result might change - but it doesn't matter because the reverse DNS entry doesn't contain any additional information.
2. FIREWALL icmp check log messages. All I am going to say about them this time is that they are common and most people / everyone will see similar log entries.
3. Ports not reported as "stealthed". Who knows, perhaps some ports were automatically configured via UPnP, perhaps you accidentally tested a VPN connection. You need to disconnect and reconnect your Internet connection from the router web interface after changing the Plusnet member centre firewall settings.
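The reverse DNS point in item 1 above can be checked mechanically. The following is an added example, not part of the original thread: it splits a PTR name into the part that merely repeats the IP address and whatever is left over. The function name `analyse_ptr` is hypothetical, and the sample addresses (from the 203.0.113.0/24 documentation range) and hostnames are constructed; it also handles hyphenated and reversed octet layouts, which goes beyond the single name format quoted in the thread.

```python
import ipaddress
import re


def analyse_ptr(ip: str, ptr_name: str) -> dict:
    """Report whether a PTR name just repeats the IP, and which labels remain.

    'remainder' is what the name carries beyond the address itself; for a
    typical ISP pool name that is only the ISP's own DNS zone.
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # validates the IP
    name = ptr_name.rstrip(".").lower()

    # Split on dots and hyphens so "203-0-113-7.dyn" and "203.0.113.7.dyn"
    # tokenise the same way; strip leading zeros from numeric tokens.
    tokens = [
        str(int(t)) if t.isascii() and t.isdigit() else t
        for t in re.split(r"[.-]", name)
    ]

    # Look for the four octets as a contiguous run, in either order.
    for order, wanted in (("forward", octets), ("reversed", octets[::-1])):
        for i in range(len(tokens) - 3):
            if tokens[i:i + 4] == wanted:
                remainder = tokens[:i] + tokens[i + 4:]
                return {"embeds_ip": True, "order": order, "remainder": remainder}

    # No embedded address: every label is information beyond the IP.
    return {"embeds_ip": False, "order": None, "remainder": tokens}


if __name__ == "__main__":
    # Constructed samples: two pool-style names and one custom hostname.
    samples = [
        ("203.0.113.7", "203.0.113.7.dyn.plus.net"),
        ("203.0.113.7", "7-113-0-203.dyn.example.net."),
        ("203.0.113.7", "mail.example.org"),
    ]
    for ip, name in samples:
        print(ip, name, analyse_ptr(ip, name))
```

For a pool-style name the remainder is only the provider's zone labels; a custom PTR such as the third sample is the case where the name does carry something the address alone does not.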
Gel
Seasoned Pro
Posts: 1,474
Thanks: 150
Fixes: 12
Registered: 02-08-2007
Cobalt19
Grafter
Posts: 32
Registered: 08-05-2013

Re: Sudden Unexplained Firewall Changes, ICMP Attacks and Router Insecurities

Ejs - thanks for your information. I understand what you are saying. It's odd though that no IP showed up before when I used ShieldsUp! So I still don't know why IP is now showing.
As it happens I did not disconnect and reconnect to internet after changing Plusnet firewall. I did it after leaving my post and the blue 'closed' ports disappeared and became stealthed. I have not been using VPN and do not have UPnP so I can at least eradicate those from the equation.

Gel - thanks for your link. I read it. I don't think this is the problem I have got though.
Thanks to both of you.