Router Log Showing Security Problem?

God
Grafter
Posts: 1,112
Registered: ‎30-07-2007

A friend of mine runs a small business. I installed a Netgear router and set it to email me the log once a week. The router has been set to block sites on certain keywords, essentially porn sites and some social networks.
His business premises are closed at weekends, yet the router showed a lot of links made over the weekend to a host of different countries. He is running Kaspersky and is up to date, so he (should) be virus and malware free. Although the PC is probably left on at weekends, there isn't any 'messenger' software installed or anything else that would obviously make these types of contacts.
I have posted the part of the log concerned and x'd out some of his IP address. Having looked at the log, do any of you have a good idea what is happening here?
Cheers...
Fri, 2008-06-13 17:57:57 - Initialize LCP.
Fri, 2008-06-13 17:57:57 - LCP is allowed to come up.
Fri, 2008-06-13 17:58:03 - CHAP authentication success
Fri, 2008-06-13 18:03:21 - TCP Packet - Source:85.197.216.15,22112 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 18:15:38 - TCP Packet - Source:67.86.215.253,50620 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 18:22:06 - TCP Packet - Source:91.177.136.156,56234 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 18:22:12 - TCP Packet - Source:91.177.136.156,56243 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 18:38:28 - TCP Packet - Source:82.80.131.103,56308 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 18:38:28 - TCP Packet - Source:77.101.224.113,3112 Destination:86.xxx.xx.xx,45682 - [DOS]
Fri, 2008-06-13 18:38:28 - TCP Packet - Source:81.224.116.93,61446 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 19:07:48 - TCP Packet - Source:124.100.144.125,50621 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 19:17:03 - TCP Packet - Source:86.136.234.236,6271 Destination:86.xxx.xx.xx,445 - [DOS]
Fri, 2008-06-13 19:17:03 - TCP Packet - Source:60.242.138.223,13067 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 19:19:44 - TCP Packet - Source:209.59.79.112,53656 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 21:45:02 - TCP Packet - Source:189.18.187.27,4395 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 21:45:02 - TCP Packet - Source:78.147.15.98,54277 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 22:11:38 - TCP Packet - Source:122.167.3.164,50038 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 23:40:34 - TCP Packet - Source:65.26.40.146,33641 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 23:40:37 - TCP Packet - Source:80.2.14.251,55910 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 23:40:37 - TCP Packet - Source:80.2.14.251,56313 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 00:12:28 - TCP Packet - Source:193.239.244.130,3521 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 02:09:49 - TCP Packet - Source:87.119.160.82,53888 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 10:57:16 - TCP Packet - Source:24.130.172.41,1849 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 10:57:19 - TCP Packet - Source:121.15.220.104,12200 Destination:86.xxx.xx.xx,8080 - [DOS]
Sat, 2008-06-14 10:57:19 - TCP Packet - Source:82.181.88.82,42498 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 10:57:24 - TCP Packet - Source:68.255.97.165,4495 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 15:02:17 - TCP Packet - Source:86.121.15.85,45891 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 15:02:20 - TCP Packet - Source:118.101.43.164,5448 Destination:86.xxx.xx.xx,45682 - [DOS]
Sat, 2008-06-14 15:02:20 - TCP Packet - Source:86.121.15.85,45891 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 15:02:23 - TCP Packet - Source:60.50.239.17,11319 Destination:86.xxx.xx.xx,45682 - [DOS]
Sat, 2008-06-14 15:02:24 - TCP Packet - Source:68.198.228.125,52593 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 15:02:27 - TCP Packet - Source:86.121.15.85,45891 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 18:25:12 - TCP Packet - Source:212.76.37.158,58874 Destination:86.xxx.xx.xx,41571 - [DOS]
Peter_Vaughan
Grafter
Posts: 14,469
Registered: ‎30-07-2007

Re: Router Log Showing Security Problem?

You can ignore those reports as they are false.
First, these are incoming connection attempts, not outgoing, and this is normal 'internet noise' that everyone gets. The clue here is that the source is external and the destination internal.
Second, DOS stands for Denial of Service, but you are not getting a DOS attack. The router is falsely reporting DOS after only seeing single packets, whereas a DOS attack involves 1000s of packets every second to try and flood your connection and stop it working.
The Netgear router falsely reports single packets as DOS. Either ignore them or turn off the reporting of DOS in the router, as it is meaningless and only causes confusion.
God
Grafter
Posts: 1,112
Registered: ‎30-07-2007

Re: Router Log Showing Security Problem?

Hi Peter
Thanks for a quick and thorough response, much appreciated.
Regards
Peter
paulh
Rising Star
Posts: 1,283
Thanks: 10
Registered: ‎30-07-2007

Re: Router Log Showing Security Problem?

AAMOI, is that a dynamic or fixed IP?
God
Grafter
Posts: 1,112
Registered: ‎30-07-2007

Re: Router Log Showing Security Problem?

Just checked over the last few weeks logs and it changes so must be dynamic.
paulh
Rising Star
Posts: 1,283
Thanks: 10
Registered: ‎30-07-2007

Re: Router Log Showing Security Problem?

Hmm, wonder if it's P2P afterglow? (I noticed they were almost all to the same port.)
God
Grafter
Posts: 1,112
Registered: ‎30-07-2007

Re: Router Log Showing Security Problem?

I wondered about that as well, but AFAIAA there isn't any P2P software installed, unless the router picked up an IP that had just been used for a P2P session. I will check for P2P software next time I am there.
paulh
Rising Star
Posts: 1,283
Thanks: 10
Registered: ‎30-07-2007

Re: Router Log Showing Security Problem?

I'm thinking of the latter -- picking up an IP -- rather than the user having p2p s/w.
I used to get this a lot in my ZA logs when I was using a regular ADSL modem and got a new IP at least daily.
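The two checks the replies above describe, inbound versus outbound direction and single packets versus a flood, plus paulh's observation that almost every hit lands on the same high port, can be run over a Netgear log mechanically. The script below is an added example written for this page; it is not from the thread or from Netgear. It parses lines in the exact "TCP Packet - Source:ip,port Destination:ip,port - [DOS]" shape shown in the post, skips the LCP/CHAP housekeeping lines, and reports the evidence a practitioner wants: how many packets were inbound to the WAN address versus outbound from it, the busiest destination port and how many distinct hosts hit it, and the peak packets observed in any one second. The sample log and the flood burst are constructed here (documentation-range addresses, with 192.0.2.10 standing in for the masked 86.xxx.xx.xx); the 100 packets-per-second flood threshold and the "5 distinct sources on one high port" afterglow rule are this example's assumptions, not Netgear's.

```python
"""Triage Netgear-style firewall log lines: noise, P2P afterglow, or a real flood."""
import re
from collections import Counter
from datetime import datetime

# Shape of the "TCP Packet" lines in the posted log. Masked addresses such as
# 86.xxx.xx.xx are accepted, so the real log can be fed in as-is.
LINE_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2}), (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>TCP|UDP) Packet - "
    r"Source:(?P<src>[0-9x.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[0-9x.]+),(?P<dport>\d+) - \[(?P<tag>[^\]]+)\]$"
)


def parse_log(lines):
    """Return packet events; PPP/LCP/CHAP lines and anything unrecognised are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "tag": m["tag"],
        })
    return events


def peak_packets_per_second(events):
    """Largest number of logged packets sharing one wall-clock second.
    A genuine flood shows thousands here; scattered noise shows one or two."""
    if not events:
        return 0
    return max(Counter(e["ts"] for e in events).values())


def triage(lines, wan_ip, flood_pps=100, afterglow_min_sources=5):
    """Classify a log chunk. wan_ip is the router's public address.
    Checks are ordered by severity: flood, then outbound traffic, then the
    many-sources-one-high-port pattern that leftover P2P peers produce."""
    events = parse_log(lines)
    inbound = [e for e in events if e["dst"] == wan_ip]
    outbound = [e for e in events if e["src"] == wan_ip]
    by_port = Counter(e["dport"] for e in inbound)
    top_port, top_hits = by_port.most_common(1)[0] if by_port else (None, 0)
    sources_on_top = {e["src"] for e in inbound if e["dport"] == top_port}
    pps = peak_packets_per_second(inbound)
    share = top_hits / len(inbound) if inbound else 0.0

    if pps >= flood_pps:
        verdict = "possible flood: %d packets in one second" % pps
    elif outbound:
        verdict = "outbound hits logged: inspect the LAN host that sent them"
    elif (top_port is not None and top_port >= 1024 and share >= 0.7
          and len(sources_on_top) >= afterglow_min_sources):
        verdict = ("background noise, most likely P2P afterglow: %d distinct hosts "
                   "still trying port %d" % (len(sources_on_top), top_port))
    elif inbound:
        verdict = "background noise: scattered single inbound packets"
    else:
        verdict = "no packet events"

    return {
        "inbound": len(inbound), "outbound": len(outbound),
        "top_port": top_port, "top_port_share": round(share, 2),
        "distinct_sources_on_top_port": len(sources_on_top),
        "peak_pps": pps, "verdict": verdict,
    }


# Constructed sample in the posted log's format (not lines from the post itself).
SAMPLE_NOISE = """\
Fri, 2008-06-13 17:57:57 - Initialize LCP.
Fri, 2008-06-13 17:58:03 - CHAP authentication success
Fri, 2008-06-13 18:03:21 - TCP Packet - Source:203.0.113.15,22112 Destination:192.0.2.10,41571 - [DOS]
Fri, 2008-06-13 18:15:38 - TCP Packet - Source:203.0.113.77,50620 Destination:192.0.2.10,41571 - [DOS]
Fri, 2008-06-13 18:22:06 - TCP Packet - Source:198.51.100.9,56234 Destination:192.0.2.10,41571 - [DOS]
Fri, 2008-06-13 18:22:12 - TCP Packet - Source:198.51.100.9,56243 Destination:192.0.2.10,41571 - [DOS]
Fri, 2008-06-13 18:38:28 - TCP Packet - Source:198.51.100.40,56308 Destination:192.0.2.10,41571 - [DOS]
Fri, 2008-06-13 18:38:28 - TCP Packet - Source:203.0.113.201,3112 Destination:192.0.2.10,45682 - [DOS]
Fri, 2008-06-13 19:17:03 - TCP Packet - Source:203.0.113.66,6271 Destination:192.0.2.10,445 - [DOS]
Fri, 2008-06-13 19:17:03 - TCP Packet - Source:198.51.100.123,13067 Destination:192.0.2.10,41571 - [DOS]
Sat, 2008-06-14 00:12:28 - TCP Packet - Source:203.0.113.130,3521 Destination:192.0.2.10,41571 - [DOS]
Sat, 2008-06-14 02:09:49 - TCP Packet - Source:203.0.113.82,53888 Destination:192.0.2.10,41571 - [DOS]
Sat, 2008-06-14 10:57:19 - TCP Packet - Source:198.51.100.104,12200 Destination:192.0.2.10,8080 - [DOS]
""".splitlines()


def make_flood_sample(n=500):
    """Constructed burst: n packets from one host to port 80 in the same second,
    the shape a genuine SYN flood would have in this log."""
    base = ("Sat, 2008-06-14 03:00:00 - TCP Packet - Source:198.51.100.250,%d "
            "Destination:192.0.2.10,80 - [DOS]")
    return [base % (1024 + i) for i in range(n)]


if __name__ == "__main__":
    for label, lines in (("noise", SAMPLE_NOISE), ("flood", make_flood_sample())):
        print(label, triage(lines, "192.0.2.10"))
```

To run it over the real log, pass the masked address as the WAN IP (`triage(open("router.log").read().splitlines(), "86.xxx.xx.xx")`); the regex accepts the x characters. The direction check depends on the router logging the WAN address as the destination for inbound hits, which is what the posted lines show; if a router logs the NATed LAN address instead, compare against that address as well.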