Kaspersky reporting network attacks behind an RT-N66U


Vandergraff

Regular Contributor
I have an RT-N66U running John's latest fork. All firewall settings are default. I have IPv6 enabled.

Since I upgraded Kaspersky Internet Security to the 2015 version a couple of days ago on a PC sitting behind the router, Kaspersky has reported it blocked 4 network attacks.

The message I get is

The Network attack has been blocked
ICMP from 200.0.160.73 to port 0
The attacking computer has not been blocked: its address is possibly spoofed

Any idea what is going on? Why is the RT-N66 not blocking this if it's a valid message? I checked the system log of the RT-N66U and there is nothing showing up there that seems relevant.
 
I have a paid version of Kaspersky Internet Security. It just reports it blocked it and no action needed.

I am wondering why it's getting blocked at the PC firewall and not the RT-N66?

If it was local what could be causing it?
 
Never heard of port 0 before, but apparently it is real; what use is it other than a DDoS?

http://www.lovemytool.com/blog/2013/08/the-strange-history-of-port-0-by-jim-macleod.html

The N66 can't block local LAN traffic where the LAN ports behave as a switch. Was the block notice accompanied by a request to upgrade to the professional version for more detail?

If it's an ICMP packet as the log entry says, then I don't see why there would be a port in the first place. It should report a type instead. Sounds like a logging issue with Kaspersky.

If what Kaspersky really means is ICMP Type 0, then that's an Echo Reply (a ping reply if you prefer).

Bottom line is, there's a bug in Kaspersky's logging report here, which makes it hard to figure out what it really was blocking.
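To make the type-versus-port point concrete, here is an added example (mine, not code from the thread or from Kaspersky) that decodes an IPv4 packet carrying ICMP and shows that the bytes after the IP header are type, code and checksum, with no port field at all. It uses only the Python standard library, and the packet it decodes is constructed inline with the 200.0.160.73 address quoted in the reports.

```python
import socket
import struct

# Added example, not from the thread: ICMP has no port field. Its header is
# type, code, checksum, so a report of "ICMP ... port 0" most plausibly refers
# to ICMP type 0, which is Echo Reply.
ICMP_TYPE_NAMES = {0: "Echo Reply", 3: "Destination Unreachable",
                   8: "Echo Request", 11: "Time Exceeded"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_icmp(src, dst, itype, code, ident=0, seq=0, payload=b""):
    """Construct a minimal IPv4 packet with an echo-style ICMP message (test data)."""
    icmp = struct.pack("!BBHHH", itype, code, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp

def parse_ipv4_icmp(packet: bytes) -> dict:
    """Decode IPv4 + ICMP headers; ident/seq are meaningful for echo types only."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl + 8 or len(packet) < total_len:
        raise ValueError("malformed IPv4 packet")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 1:
        raise ValueError("IP protocol %d is not ICMP (1)" % proto)
    icmp = packet[ihl:total_len]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "type": itype, "code": code, "name": ICMP_TYPE_NAMES.get(itype, "other"),
            "ident": ident, "seq": seq, "payload": icmp[8:]}
```

Feeding the decoder a frame from a router capture (after stripping the link-layer header) gives the type and code that a "port 0" line hides.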
 
Sorry to revive an old thread - but I am still getting these reports and Kaspersky support isn't being much help.

I am trying to run tcpdump on the router to see what is going on.

Followed the instructions here to set up tcpdump: https://swenotes.wordpress.com/2013/10/15/monitoring-asus-rt-n66u/

It was suggested on another forum that I run 'tcpdump -vvpi any host 200.0.160.73'

Here is what I got:

00:09:09.932418 IP6 , wrong link-layer encapsulationbad-hlen 0
00:09:39.235010 IP6 , wrong link-layer encapsulationbad-hlen 0
00:09:39.235036 IP6 , wrong link-layer encapsulationbad-hlen 0
00:10:39.138707 IP6 , wrong link-layer encapsulationbad-hlen 0
00:13:04.660961 IP6 , wrong link-layer encapsulationbad-hlen 0
00:14:18.331867 IP6 , wrong link-layer encapsulationbad-hlen 0
00:15:32.416723 IP6 , wrong link-layer encapsulationbad-hlen 0

It was then suggested I run 'tcpdump -pi any -w attack.dmp -s 0 host 200.0.160.73'

Making sure my working directory was on the USB drive (I ran cd /tmp/mnt/asusext2 where asusext2 is the name of the flash drive - is this right?)

Here is what I am getting:

-----

ASUSWRT-Merlin RT-N66U_3.0.0.4 Wed Jan 13 00:35:25 UTC 2016
xxxxyyyzzz@RT-N66U-2D70:/tmp/home/root# cd /tmp/mnt/asusext2
xxxyyyzzz@RT-N66U-2D70:/tmp/mnt/asusext2# tcpdump -pi any -w attack.dmp -s 0 host 200.0.160.73
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
------------

I am not seeing any attack dmp file on asusext2 (after enabling the FTP server and using WinSCP). I can see asusext2 with entware folders on it.

Any suggestions on what I might be doing wrong?
 
Four more reports of attacks today - any suggestions on what I am doing wrong on tcpdump would be appreciated - thanks

Understand 'port 0' doesn't make any sense, which is why I am hoping tcpdump might help clarify what KIS thinks it's blocking, to understand the issue.


29.05.2016 20.46.36;The network attack has been blocked.;"ICMP from 200.0.160.73 to port 0
The attacking computer has not been blocked: its address is possibly spoofed.";ICMP;200.0.160.73;05/29/2016 20:46:36;0
29.05.2016 20.20.05;The network attack has been blocked.;"ICMP from 200.0.160.73 to port 0
The attacking computer has not been blocked: its address is possibly spoofed.";ICMP;200.0.160.73;05/29/2016 20:20:05;0
29.05.2016 15.52.51;The network attack has been blocked.;"ICMP from 200.0.160.73 to port 0
The attacking computer has not been blocked: its address is possibly spoofed.";ICMP;200.0.160.73;05/29/2016 15:52:51;0
29.05.2016 13.57.25;The network attack has been blocked.;"ICMP from 200.0.160.73 to port 0
The attacking computer has not been blocked: its address is possibly spoofed.";ICMP;200.0.160.73;05/29/2016 13:57:25;0
 

Since Port was approached via ICMP Ping 0, it could be that someone is trying to determine the operating systems of the computers in a specific IP address range.
 
Thanks - others have suggested that as a possibility as well?

Others also suggested running tcpdump on the router to see what traffic is really coming through the router to the PC running Kaspersky Internet Security (KIS).

That is probably the key - once we know what's coming through the router we'll better understand what's going on.

See above on my attempts to run tcpdump - hopefully someone can clarify what I am doing wrong.

Thanks
 
If it's a message from your own PC or your local LAN, perhaps from a VPN connection, quite likely nothing will be seen on the router. Do you have any links to the Chilean bank that owns that IP address block?
 
The Network Attack Blocker in KIS is there to protect your network; what you are seeing is a ping from an app/program or possibly malware running on another device on your network.

Your router isn't going to block this unless you disallow pings.
 
Thanks for your responses.

I don't have any connection to Chile or the Chilean bank with the IP address.

I am trying to find out what (internal or external to my network) is causing these repeated network reports.

KIS has suggested it may be an automated scanner sending malformed packets to test what OS is running on the PC (similar to CiscoX above); however, to check this theory (and then understand why it would be getting through the router) we need to capture some traffic.

I have tried running Wireshark on my PC but it captures nothing associated with that IP address, even when an attack is reported. As KIS may be blocking it before Wireshark sees it, I did try it with KIS off for a short period to see if anything is captured - but again nothing associated with that IP. I don't like leaving KIS off (especially with attack reports, and even though I am behind the router) so I only tried this for a couple of hours.

I have been able to run tcpdump on the RT-N66 running John's latest fork - see post #6 above for results.

Anyone with experience with tcpdump on a router running the Merlin firmware got any ideas why I am not able to create a *.dmp file? Maybe if I can do this I can see what traffic may be causing this?

Any other suggestions on tracking down what is going on here also welcome.

Thanks
 
Could be a normal function of Asus firmware that checks for active devices, hourly I believe. Newer Merlin builds allow this to be turned off.
 
Here is what I get when running entware-setup.sh per https://swenotes.wordpress.com/2013/10/15/monitoring-asus-rt-n66u/

Ideas? Suggestions?

Thanks

----------------
Info: This script will guide you through the Entware installation.
Info: Script modifies "entware" folder only on the chosen drive,
Info: no other data will be changed. Existing installation will be
Info: replaced with this one. Also some start scripts will be installed,
Info: the old ones will be saved on Entware partition with name
Info: like /tmp/mnt/sda1/jffs_scripts_backup.tgz

Info: Looking for available partitions...
[1] --> /tmp/mnt/asusext2
=> Please enter partition number or 0 to exit
[0-1]: 1
Info: /tmp/mnt/asusext2 selected.

* Warning: Found previous installation, saving...
Info: Creating /tmp/mnt/asusext2/entware folder...
Info: Creating /tmp/opt symlink...
Info: Creating /jffs scripts backup...
tar: /jffs/scripts/*: No such file or directory
tar: error exit delayed from previous errors
Info: Modifying start scripts...
/usr/sbin/entware-setup.sh: line 83: can't create /jffs/scripts/services-start: nonexistent directory
chmod: /jffs/scripts/services-start: No such file or directory
/usr/sbin/entware-setup.sh: line 101: can't create /jffs/scripts/services-stop: nonexistent directory
chmod: /jffs/scripts/services-stop: No such file or directory
/usr/sbin/entware-setup.sh: line 108: can't create /jffs/scripts/post-mount: nonexistent directory
sed: /jffs/scripts/post-mount: No such file or directory
chmod: /jffs/scripts/post-mount: No such file or directory
Info: Creating folders...
Info: Deploying opkg package manager...
Downloading /opt/bin/opkg... success!
Downloading /opt/etc/opkg.conf... success!
Downloading /opt/etc/profile... success!
Downloading /opt/etc/init.d/rc.func... success!
Downloading /opt/etc/init.d/rc.unslung... success!
Info: Basic packages installation...
Downloading »pkg.entware.net/binaries ··· kages.gz.
Updated list of available packages in /opt/var/opkg-lists/entware-ng.
Installing ldconfig (1.0.13-3) to root...
Downloading »pkg.entware.net/binaries ··· elsf.ipk.
Installing findutils (4.6.0-1) to root...
Downloading »pkg.entware.net/binaries ··· elsf.ipk.
Installing libc (1.0.13-3) to root...
Downloading »pkg.entware.net/binaries ··· elsf.ipk.
Installing libgcc (5.3.0-3) to root...
Downloading »pkg.entware.net/binaries ··· elsf.ipk.
Installing libssp (5.3.0-3) to root...
Downloading »pkg.entware.net/binaries ··· elsf.ipk.
Configuring ldconfig.
Configuring libgcc.
Configuring libc.
Configuring libssp.
Configuring findutils.

Congratulations! If there are no errors above then Entware-ng is successfully initialized.

Found a Bug? Please report at »github.com/Entware-ng/En ··· g/issues

Type 'opkg install ' to install necessary package.
------------------------
 
...
I have been able to run tcpdump on the RT-N66 running John's latest fork - see post #6 above for results.

Anyone with experience with tcpdump on a router running the Merlin firmware got any ideas why I am not able to create a *.dmp file? Maybe if I can do this I can see what traffic may be causing this?

I have an old standalone tcpdump on my router (from Tomato days); it runs your command above, and even though it doesn't capture anything it still creates the output file.

Code:
admin@RT-N66U:/tmp/mnt/usb4gb# ls -laF attack.dmp
-rw-rw-rw-    1 admin    root            24 May 31 09:15 attack.dmp

I also have Entware on an N66 - you don't seem to have scripts enabled in the web gui?

I do not believe there is any chance this is an attack from the internet - it would have to be specially routed to you. It is either generated on your own PC/your own LAN or a KIS bug. I am not surprised the router sees nothing; I am sure John's fork doesn't include the recent Asus network scan stuff.
 