Are these intrusion attempts?

pfm

Occasional Visitor
My RT-N66U logs are filled with these. Looks like two things are happening. One seems like intrusion attempts where DST=75.x.x.x, which is my WAN IP. Almost all src IPs are from China.
And the other, to 224.0.0.1, seems like a multicast thing from my modem (10.0.0.1).

First of all, is my interpretation of these logs correct? If so, is it OK to block the multicast? ISP is Comcast. Anything else I need to check or worry about regarding the intrusion attempts?


Nov 13 19:45:08 kernel: DROP <4>DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:ab:f0:11:ed:71:08:00 <1>SRC=10.0.0.1 DST=224.0.0.1 <1>LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Nov 13 19:47:14 kernel: DROP <4>DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:ab:f0:11:ed:71:08:00 <1>SRC=10.0.0.1 DST=224.0.0.1 <1>LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Nov 13 19:49:19 kernel: DROP <4>DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:ab:f0:11:ed:71:08:00 <1>SRC=10.0.0.1 DST=224.0.0.1 <1>LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Nov 13 19:49:29 kernel: DROP <4>DROP IN=eth0 OUT= MAC=e0:3f:49:6a:38:88:00:14:f1:e8:a9:e2:08:00 <1>SRC=222.89.64.178 DST=75.73.92.101 <1>LEN=299 TOS=0x00 PREC=0x20 TTL=47 ID=0 DF PROTO=UDP <1>SPT=53 DPT=61687 LEN=279
Nov 13 19:51:24 kernel: DROP <4>DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:ab:f0:11:ed:71:08:00 <1>SRC=10.0.0.1 DST=224.0.0.1 <1>LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Nov 13 19:53:29 kernel: DROP <4>DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:ab:f0:11:ed:71:08:00 <1>SRC=10.0.0.1 DST=224.0.0.1 <1>LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Nov 13 19:55:34 kernel: DROP <4>DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:ab:f0:11:ed:71:08:00 <1>SRC=10.0.0.1 DST=224.0.0.1 <1>LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Nov 13 19:56:30 kernel: DROP <4>DROP IN=eth0 OUT= MAC=e0:3f:49:6a:38:88:00:14:f1:e8:a9:e2:08:00 <1>SRC=222.186.21.209 DST=75.73.92.101 <1>LEN=40 TOS=0x00 PREC=0x20 TTL=101 ID=256 PROTO=TCP <1>SPT=6000 DPT=8088 SEQ=931266560 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 13 19:57:39 kernel: DROP <4>DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:ab:f0:11:ed:71:08:00 <1>SRC=10.0.0.1 DST=224.0.0.1 <1>LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Nov 13 19:59:44 kernel: DROP <4>DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:ab:f0:11:ed:71:08:00 <1>SRC=10.0.0.1 DST=224.0.0.1 <1>LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Nov 13 20:00:10 kernel: DROP <4>DROP IN=eth0 OUT= MAC=e0:3f:49:6a:38:88:00:14:f1:e8:a9:e2:08:00 <1>SRC=95.211.168.135 DST=75.73.92.101 <1>LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=42776 PROTO=TCP <1>SPT=30598 DPT=80 SEQ=1866770201 ACK=0 WINDOW=3036 RES=0x00 SYN URGP=0
Nov 13 20:00:10 kernel: DROP <4>DROP IN=eth0 OUT= MAC=e0:3f:49:6a:38:88:00:14:f1:e8:a9:e2:08:00 <1>SRC=95.211.168.135 DST=75.73.92.101 <1>LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=42777 PROTO=TCP <1>SPT=30598 DPT=80 SEQ=1866770202 ACK=0 WINDOW=3036 RES=0x00 SYN URGP=0
Nov 13 20:00:55 kernel: DROP <4>DROP IN=eth0 OUT= MAC=e0:3f:49:6a:38:88:00:14:f1:e8:a9:e2:08:00 <1>SRC=23.24.131.164 DST=75.73.92.101 <1>LEN=44 TOS=0x00 PREC=0x20 TTL=49 ID=7544 PROTO=TCP <1>SPT=34242 DPT=3389 SEQ=3197230408 ACK=0 WINDOW=3072 RES=0x00 SYN URGP=0 OPT (020405B4)
Nov 13 20:00:55 kernel: DROP <4>DROP IN=eth0 OUT= MAC=e0:3f:49:6a:38:88:00:14:f1:e8:a9:e2:08:00 <1>SRC=23.24.131.164 DST=75.73.92.101 <1>LEN=44 TOS=0x00 PREC=0x20 TTL=45 ID=15204 PROTO=TCP <1>SPT=34243 DPT=3389 SEQ=3197164873 ACK=0 WINDOW=3072 RES=0x00 SYN URGP=0 OPT (020405B4)
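As an added example (not from the thread or from the poster's router), here is a small Python script that parses the two kinds of entries in the log above and keeps them apart: PROTO=2 to 224.0.0.1 is IGMP, i.e. the modem at 10.0.0.1 sending membership queries (TTL=1 and the Router Alert IP option, logged as OPT (94040000), are normal for those), while the TCP SYNs and the UDP packet addressed to 75.73.92.101 are unsolicited inbound traffic that the firewall dropped. The sample lines are copied from the post, the WAN address is the one in the log, and the field names (`igmp_sources`, `syn_ports`, and so on) are this example's own.

```python
import re
import ipaddress
from collections import Counter

# Sample input: five lines copied from the post above (two IGMP lines, one UDP
# line, two TCP SYN lines), in the RT-N66U kernel DROP log format.
SAMPLE_LOG = """\
Nov 13 19:45:08 kernel: DROP <4>DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:ab:f0:11:ed:71:08:00 <1>SRC=10.0.0.1 DST=224.0.0.1 <1>LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Nov 13 19:47:14 kernel: DROP <4>DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:ab:f0:11:ed:71:08:00 <1>SRC=10.0.0.1 DST=224.0.0.1 <1>LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Nov 13 19:49:29 kernel: DROP <4>DROP IN=eth0 OUT= MAC=e0:3f:49:6a:38:88:00:14:f1:e8:a9:e2:08:00 <1>SRC=222.89.64.178 DST=75.73.92.101 <1>LEN=299 TOS=0x00 PREC=0x20 TTL=47 ID=0 DF PROTO=UDP <1>SPT=53 DPT=61687 LEN=279
Nov 13 19:56:30 kernel: DROP <4>DROP IN=eth0 OUT= MAC=e0:3f:49:6a:38:88:00:14:f1:e8:a9:e2:08:00 <1>SRC=222.186.21.209 DST=75.73.92.101 <1>LEN=40 TOS=0x00 PREC=0x20 TTL=101 ID=256 PROTO=TCP <1>SPT=6000 DPT=8088 SEQ=931266560 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 13 20:00:55 kernel: DROP <4>DROP IN=eth0 OUT= MAC=e0:3f:49:6a:38:88:00:14:f1:e8:a9:e2:08:00 <1>SRC=23.24.131.164 DST=75.73.92.101 <1>LEN=44 TOS=0x00 PREC=0x20 TTL=49 ID=7544 PROTO=TCP <1>SPT=34242 DPT=3389 SEQ=3197230408 ACK=0 WINDOW=3072 RES=0x00 SYN URGP=0 OPT (020405B4)
"""

WAN_IP = "75.73.92.101"   # the poster's WAN address as it appears in the log

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")            # KEY=value tokens (OUT= is empty)
TS_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")
FLAG_RE = re.compile(r"\b(SYN|RST|FIN)\b")         # bare TCP flag words (no '=' after them)


def parse_drop_line(line):
    """Turn one kernel DROP line into a dict. The first LEN wins (the IP total
    length), so the trailing UDP 'LEN=' does not overwrite it."""
    fields = {}
    for key, val in KV_RE.findall(line):
        fields.setdefault(key, val)
    m = TS_RE.match(line)
    fields["TS"] = m.group(1) if m else ""
    fields["FLAGS"] = set(FLAG_RE.findall(line))
    # IP option 0x94, length 4, value 0 is Router Alert (RFC 2113); IGMP queries carry it
    fields["ROUTER_ALERT"] = "OPT (94040000)" in line
    return fields


def classify(f, wan_ip):
    dst = ipaddress.ip_address(f["DST"])
    if dst.is_multicast and f.get("PROTO") == "2":      # IP protocol 2 is IGMP
        return "igmp-query"
    if str(dst) != wan_ip:
        return "other"
    if f.get("PROTO") == "TCP" and "SYN" in f["FLAGS"]:
        return "inbound-syn"                             # unsolicited connection attempt
    if f.get("PROTO") == "UDP":
        return "inbound-udp"                             # UDP with no outbound state to match
    return "other"


def summarize(log_text, wan_ip=WAN_IP):
    rep = {"igmp_sources": Counter(), "syn_ports": Counter(),
           "syn_sources": Counter(), "udp_sports": Counter(), "other": 0}
    for line in log_text.splitlines():
        if "DROP" not in line:
            continue
        f = parse_drop_line(line)
        kind = classify(f, wan_ip)
        if kind == "igmp-query":
            rep["igmp_sources"][f["SRC"]] += 1
        elif kind == "inbound-syn":
            rep["syn_ports"][int(f["DPT"])] += 1
            rep["syn_sources"][f["SRC"]] += 1
        elif kind == "inbound-udp":
            rep["udp_sports"][int(f["SPT"])] += 1
        else:
            rep["other"] += 1
    return rep


def describe(rep):
    """Plain-language reading of the summary, one line per finding."""
    lines = []
    for src, n in rep["igmp_sources"].most_common():
        lines.append(f"{n} IGMP queries from {src} to 224.0.0.1: the upstream device "
                     "polling for multicast listeners (TTL=1, link-local), not an attack")
    if rep["syn_ports"]:
        ports = ", ".join(f"{p} x{n}" for p, n in rep["syn_ports"].most_common())
        lines.append(f"dropped inbound SYNs to WAN port(s) {ports} from "
                     f"{len(rep['syn_sources'])} distinct source(s): unsolicited probes, correctly dropped")
    for sport, n in rep["udp_sports"].most_common():
        lines.append(f"{n} UDP packet(s) from source port {sport} with no matching outbound state")
    return lines


if __name__ == "__main__":
    for line in describe(summarize(SAMPLE_LOG)):
        print(line)
```

Run it on a full day's log instead of the sample and the per-port and per-source counts are the useful part: a steady trickle of SYNs to ports like 80, 3389 or 8088 is the background scanning the reply below describes, while a sudden change in which ports are hit, or in the number of distinct sources, is the thing worth a second look.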
 
On the WAN side there's a lot of scanning by state entities, black hats looking for services to exploit, white hats doing metrics - not to scare you...

This is the internet as it is right now - that the router is dropping connection requests is a good thing...

Don't run services on the router that you don't need, keep firmware updated, and you'll likely be fine. Don't hook up a hard drive to a router on the WAN connection if you don't want anyone to have access to it - just saying... you're counting on a Chinese engineer in a Chinese office to protect your data there...

Routers are not NAS boxes. Just because that port is there doesn't mean you should use it...

sfx
 
