cancel
Showing results for 
Search instead for 
Did you mean: 

Why are Plusnet VISP portal servers trying to connect to me? RESOLVED

m063
Grafter
Posts: 166
Registered: 11-08-2007

Why are Plusnet VISP portal servers trying to connect to me? RESOLVED

Just turned logging on in my router and was surprised to find that Plusnet is firing TCP requests at me. Here's a small sample.  Anyone know why this is happening? I believe that inbound traffic contributes to broadband usage totals (am I right?), so not pleased that Plusnet should be generating (unsolicited) traffic. At least my router is operating correctly. Smiley
Jan  8 17:28:10 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.5 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x80 TTL=56 ID=7885 DF PROTO=TCP SPT=14300 DPT=7055 WINDOW=49368 RES=0x00 ACK PSH URGP=0 
Jan  8 17:28:11 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.5 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x80 TTL=56 ID=7886 DF PROTO=TCP SPT=14300 DPT=7055 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:28:12 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.5 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x80 TTL=56 ID=7887 DF PROTO=TCP SPT=14300 DPT=7055 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:28:15 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.5 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x80 TTL=56 ID=7888 DF PROTO=TCP SPT=14300 DPT=7055 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:28:21 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.5 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x80 TTL=56 ID=7889 DF PROTO=TCP SPT=14300 DPT=7055 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:28:32 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.5 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x80 TTL=56 ID=7890 DF PROTO=TCP SPT=14300 DPT=7055 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:28:41 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.11 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x40 TTL=56 ID=10767 DF PROTO=TCP SPT=14300 DPT=15082 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:28:45 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.11 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x40 TTL=56 ID=10768 DF PROTO=TCP SPT=14300 DPT=15082 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:28:53 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.11 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x40 TTL=56 ID=10769 DF PROTO=TCP SPT=14300 DPT=15082 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:28:54 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.5 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x80 TTL=56 ID=7891 DF PROTO=TCP SPT=14300 DPT=7055 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:29:08 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.11 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x40 TTL=56 ID=10770 DF PROTO=TCP SPT=14300 DPT=15082 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:29:36 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.11 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x40 TTL=56 ID=10771 DF PROTO=TCP SPT=14300 DPT=15082 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:29:39 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.5 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x80 TTL=56 ID=7892 DF PROTO=TCP SPT=14300 DPT=7055 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:30:36 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.11 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x40 TTL=56 ID=10772 DF PROTO=TCP SPT=14300 DPT=15082 WINDOW=49368 RES=0x00 ACK PSH URGP=0
Jan  8 17:30:39 WRT54GL user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=212.159.10.5 DST=my.ip.addr.ess LEN=64 TOS=0x00 PREC=0x80 TTL=56 ID=7893 DF PROTO=TCP SPT=14300 DPT=7055 WINDOW=49368 RES=0x00 ACK PSH URGP=0
12 REPLIES
Community Veteran
Posts: 26,627
Thanks: 860
Fixes: 10
Registered: 10-04-2007

Re: Why are Plusnet VISP portal servers trying to connect to me?

Looking up those IP addresses they are mail servers - but the port numbers don't look right for that.
Have you done anything with your mail configuration recently?
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
m063
Grafter
Posts: 166
Registered: 11-08-2007

Re: Why are Plusnet VISP portal servers trying to connect to me?

No, haven't changed anything to do with mail for months.
PS I'm also seeing blocked requests from 212.159.14.12, 84.93.225.42 and others in those ranges.
Superuser
Superuser
Posts: 9,367
Thanks: 690
Fixes: 51
Registered: 06-04-2007

Re: Why are Plusnet VISP portal servers trying to connect to me?

The first of those is a Community site server, the second one of the Portal servers. Do you have firewall rules on the router that could be blocking even solicited requests on those ports? Does everything work correctly when you access Mail, Community and the Portal?
David
alanf
Aspiring Pro
Posts: 1,931
Thanks: 77
Fixes: 1
Registered: 17-10-2007

Re: Why are Plusnet VISP portal servers trying to connect to me?

What are your Plusnet Broadband Firewall settings? Setting an appropriate level in the Member Centre should block unwanted inward connection attempts before they are sent down the line and added to your broadband usage totals..
https://www.plus.net/support/security/firewalls/firewallfaq.shtml
Community Veteran
Posts: 1,607
Thanks: 63
Fixes: 2
Registered: 17-06-2007

Re: Why are Plusnet VISP portal servers trying to connect to me?

Quote from: spraxyt
The first of those is a Community site server, the second one of the Portal servers. Do you have firewall rules on the router that could be blocking even solicited requests on those ports? Does everything work correctly when you access Mail, Community and the Portal?

But what would either of these servers be doing making requests back to a client?
Community Veteran
Posts: 26,627
Thanks: 860
Fixes: 10
Registered: 10-04-2007

Re: Why are Plusnet VISP portal servers trying to connect to me?

I'm wondering if they were late responses to normal requests.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
m063
Grafter
Posts: 166
Registered: 11-08-2007

Re: Why are Plusnet VISP portal servers trying to connect to me?

Quote from: spraxyt
The first of those is a Community site server, the second one of the Portal servers. Do you have firewall rules on the router that could be blocking even solicited requests on those ports? Does everything work correctly when you access Mail, Community and the Portal?

No, the router firewall is in its default state, which is to block (drop) any unsolicited requests to any port. I'm not aware of any means of blocking solicited requests (ie responses), although I'm sure that could be done by linux command line wizardry (iptables etc). Mail, community &portal all work fine.
But I do wonder if it could be something to do with the portal...it is quite possible that I've left a portal browser session open...
I'll do some more experiments.
m063
Grafter
Posts: 166
Registered: 11-08-2007

Re: Why are Plusnet VISP portal servers trying to connect to me?

Quote from: alanf
What are your Plusnet Broadband Firewall settings? Setting an appropriate level in the Member Centre should block unwanted inward connection attempts before they are sent down the line and added to your broadband usage totals..
https://www.plus.net/support/security/firewalls/firewallfaq.shtml

Plusnet broadband firewall is set to Low. But that blocks only frequently hacked ports less than 1024 so far as I know. The examples I posted are to ports 7055 and 15082, which wouldn't be blocked.
alanf
Aspiring Pro
Posts: 1,931
Thanks: 77
Fixes: 1
Registered: 17-10-2007

Re: Why are Plusnet VISP portal servers trying to connect to me?

Is there any reason that you couldn't set the level to high?
https://www.plus.net/support/security/firewalls/broadbandfirewall.shtml
m063
Grafter
Posts: 166
Registered: 11-08-2007

Re: Why are Plusnet VISP portal servers trying to connect to me?

Quote from: jelv
I'm wondering if they were late responses to normal requests.

I think it might be something like that.
I logged on to the portal this morning and then put my Windows laptop into hibernation at about 9am. Looking through the router logs I see a sequence of requests from 84.93.229.197, then 212.159.10.5, 212.159.10.1, 212.159.10.11, 212.159.10.13, 212.159.10.17, 212.159.10.69 in sequence, with between 10 and 13 requests from each one. This lasted until about 10am.
Then at around 14:15 I see sequeneces of requests from 212.159.10.7, 212.159.10.5, 212.159.10.3, 212.159.10.9 until 15:06
At 15:53, sequences of requests from 84.93.229.67, 84.93.229.69, 84.93.229.67, 84.93.229.229, 84.93.229.67, 84.93.229.69
at 17:15 I powered up the laptop, looked at this thread, and closed the portal browser session (didn't logoff portal first) . Log shows no blocked requests after 17:20
Sometime around 18:00 I logged back on to the portal. Blocked messages start again at 18:20.
So its something to do with accessing the portal. My portal login seems to expire frequently. Could this be a convoluted means of checking login status?
m063
Grafter
Posts: 166
Registered: 11-08-2007

Re: Why are Plusnet VISP portal servers trying to connect to me?

Quote from: alanf
Is there any reason that you couldn't set the level to high?

Setting it to high blocks the NTP protocol which stops a Windows/XP system and my routers updating their time.
In any case, I don't think Plusnet should be doing this and would like to know why it does. If it is sending the requests to everyone who logs on to the portal then there could be a significant impact on the network.
m063
Grafter
Posts: 166
Registered: 11-08-2007

Re: Why are Plusnet VISP portal servers trying to connect to me?

If anyone is interested, I found out what was causing this. It was nothing to do with the Plusnet portal.
It was because I have an IMAP account on my email client (Thunderbird) on a Windows Vista PC, which then hibernated without terminating the email client.
I have no idea why that caused the Plusnet IMAP server to continue trying to connect to me (to send some sort of acknowledgement as I read the log entry). It didn't do that when the PC was active. And in any case it was sending to what appeared to be a random port, which in general you wouldn't expect to be open. It always sent from port 14300 though.
So it looks like a bug. I would have thought that a well constructed IMAP server should recognise that the client had gone away.
So if anyone from Plusnet is reading this, maybe it could be put on a list of potential bugs.