Community thoughts on 'known' 3rd parties "scanning" your Plusnet Service....

pawhe955 · ‎31-07-2007

Hi all,

So I noticed in my Router Log files that a couple of (unknown to me) IP Addresses were regulalry trying to connect to my VPN service running on my Router, e.g.:

Feb 20 08:45:16 vpnserver1[837]: 185.200.118.67:33895 TLS: Initial packet from [AF_INET]185.200.118.67:33895 (via [AF_INET]<redacted-MY_PLUSNET_PUBLIC_IP>%ppp0), sid=12121212 12121212
Feb 20 08:46:16 vpnserver1[837]: 185.200.118.67:33895 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 20 08:46:16 vpnserver1[837]: 185.200.118.67:33895 TLS Error: TLS handshake failed
Feb 20 08:46:16 vpnserver1[837]: 185.200.118.67:33895 SIGUSR1[soft,tls-error] received, client-instance restarting

Now I didn't write the Asus Router Firmware(!), so I don't know exactly what's being logged - i.e. just a TCP connection to the VPN Service Port - or a full blown attempt to access that service (i.e. a username/password attempt).

But in my eyes, there's no reason why anyone should be contiually/regularly attemping any *unsolicited* connection to my (personal VPN) service. So I sent the following (hopefully polite enough) message to the Company ("adscore.com") to whom the most frequently logged IP Addresses (including the one in the above example) are registered, via their "Contact us" Website Form:

-----

I am seeing a lot of the following entries in my Router Log Files:
<SAME LOG FILE ENTRIES AS ABOVE - DELETED TO SAVE SPACE>
The IP Address 185.200.118.67 appears to be associated with yourselves/a system registered to yourself.
It appears to be attempting to make unsolicited connection attempts to my VPN server.
There is no legitimate reason why your system should be doing this.
Please stop your system from doing this immediately.
Thank you.

-----

The response I received back was:

-----

<redacted> <redacted@adscore.com> 21 February 2020 at 21:32
To: Me <email_address_I_provided>
We do daily scans to find open VPN servers in order to provide our service.
This is not illegal and does not cause you any harm.

Best regards,

<redacted>

Adscore Technologies DMCC

-----

I've touched on Pen-Testing in that past, and know that you should always seek advanced permission to scan and/or attempt compromising any organisation's public-facing systems/networks.

Their "service" is using up both the (last mile) ISP bandwidth that I pay for, and CPU resources on my Router (ok - neither to any significance, but that's not the point!). So just wondered about anyone's thought's on this situation...?? I know that at any point in time, there may be 1001 illegitimate botnets port scanning and testing anyone's public-facing IP - but whereas you can't really negotiate with the people behind those, an orgnisation that's purporting to be legitimate should surely want to continue to appear to be so - so I felt their response was a little.... terse..?

In terms of blocking these incoming connections from specific IPs - IIRC, there used to be a Plusnet Firewall function (at the exchange end of the connection?) - but that appears not to be the case any more (just a bundled McAfee solution that runs on PCs? not appropriate here). There appears to be no simple incoming WAN source-IP blacklist function on my router (RT-AC88U) - although I've just tried applying a "Network Services Filter" of Source IP:*.*.*.* | Port Range:1194 | Destination IP:185.200.118.* | Port Range:1024:65535 | Protocol:TCP - so we'll see if that blocks adscore.com's attempts. Any other "block specific source IP incoming to WAN at the router" ideas welcome....

Thanks (and well done for bothering to read this far...!)

Mook · ‎27-12-2019

Do you actually think your average hacker is going to ask your permission! Any and all devices on the internet will be scanned and probed with alarming regularity to see if there's a way in, or if the resource in question can be exploited in some way it's par for the course. This will of course get worse when IPv6 takes off, but that's another day.

Life's too short to bother about the scum at the other end of the wire, you should have more to do with your life whereas they evidently don't.

VileReynard · ‎01-09-2007

What is an "open VPN Server"?

Feel free to run a few scripts attacking their IP address "to protect your VPN".

"In The Beginning Was The Word, And The Word Was Aardvark."

7up · ‎01-08-2007

Trouble is @VileReynard running a few attack scrips from a PC against a large network wouldn't even make a dent in their CPU time.

There isn't really much anyone can do to stop this happening - Yes I agree it's wrong for a legitimate company to do this.. but then so do the anti virus companies - they run scans on IP addresses and ports. Unfortunately you just have to accept that if you're internet connected, someone will try to connect to you to see what they can learn about you.

The only way to stop that is to write your own firewall from scratch since you can't even be truly sure what those are up to these days - they might be relaying packets elsewhere too.

The only thing you can really do is to use the most secure password/phrase you can come up with - long, unusual characters, numbers...

I need a new signature... i'm bored of the old one!