Skynet Skynet noob question: Is this amount of inbound blocks normal?

[torstein]

I'm sure questions like these get asked all the time, but I got nervous from what I saw in Skynet, and couldn't find anything concrete when searching the forums.

I installed Skynet yesterday, and noticed that in just a few hours I had 1700 inbound blocks, I accidentally reset the key stat counter (no idea how I did that), so now it only shows 726 blocks since two hours ago (going from 0 since I reset it).

The great majority of the blocks are coming from the african country Seychelles (I'm located in Norway, and no relation to Seychelles) and my port number 55285 is really getting a run for its money with >2800 blocks since yesterday. What is this? What is going on?

1. What is port 55285 (duckduckgoing didn't really give any specific info that I could relate to)
2. Why is Seychelles of all countries hitting my router?
3. Why does AIprotect say no hits protected against, while Skynet is being bombarded?
4. Is this just the infamous "internet background noise", or am I actually getting attacked?

If all this is normal, then my sincerest apologies, I duckduckgoed it and found not much, I searched the forums for "am I being attacked / hacked" and similar keywords but found not much.

 

[chongnt]

Probably can go to System Log -> Connections tab and find out if any particular host in your network is using that port. Do you have torrent or anything running during that time?

 

[torstein]

The port 55285 is not mentioned in Sytems Log -> Connections.

 

[ColinTaylor]

Source ports are the outgoing ports used by the attacker's computer. They are typically in the ephemeral port range, as is the case here. Unfortunately it doesn't actually tell you anything useful other than in the case of port 55285 the attacker tried multiple times to hack you.

The Targeted ports information is slightly more useful. Your image appears to show in the first column that there were 49 attempts on port 23. Port 23 is Telnet. TBH if you're exposing Telnet to the internet you deserve everything you get! AFAIK there is no option to to expose Telnet to the internet in the firmware so this would seem to be a false positive. In other words, an attempt was made on port 23 which would have failed because there is nothing listening on that port.

So at the end of the day these stats seem to be pointless as they're not telling you anything useful.

 

[torstein]

1. Ah, okay so the 55285 is the attacker's port and not my port being hit? I see. It seems the 55285-guy gave up, because it's been stuck on 2908 hits for an hour now. But what does it mean that I'm getting hit 2908 times from the 55285-guy, is he actually hacking me or is Skynet blocking him? It's not very clear to a newbie. Is skynet protecting me from 55285-guy, or is it just telling me that he is connecting to me and doing whatever he wanted 2908 times?
   
   
   
   
   
2. I don't know what Telnet is, but a duckduckgo search says it has something to do with MS Windows. I'm on a mac (I do have Office installed though), and have not actively opened any ports really. So I guess I've done nothing wrong with port 23, and don't "deserve" everything coming my way? I'm a bit confused, I'm afraid.
   
   
3. Port 23 keeps getting hit as well, and has now 383 hits, the other ports are also getting hit: 2376, 2375, 22, 5060, 443, 80, 8080, 3389 and 389.
   
   
   
   
4. Seychelles on the other hand keeps hitting me, and is now >3000. What is that? Is it just port scanning and internet noise, or is some african hacker trying to penetrate my network?
   

 

[ColinTaylor]

1. After the guy using port 55285 stops his hack he can try again and the port number will be different. Like I said, it's an ephemeral port that's automatically created by a computer. Your PC will also be creating ephemeral port connections.

2. Telnet is just another network protocol, like SSH, FTP, HTTP, etc.

3. Port 23 is always the most popular target for hackers because it's the SSH port.

4. Seychelles always seems to be a popular location for hackers to rent their virtual servers. Presumably because they have a lax response to take-down notices.

 

[torstein]

1. Wait so I'm actually hacked by 55285-guy?
2. Do we know that for sure I'm hacked, or could the >2000 hits from 55285 just be something random?
3. Didn't Skynet or AIProtect do anything to stop the attack?
4. I have not setup anything on port 23, so why is it being used by someone outside? Did Skynet block it or is it just telling me that the port was used 383 times from someone else outside my network?

 

[ColinTaylor]

1. No.

It's just internet noise. Ignore it and move on with your life.

 

[torstein]

1. How do one distinguish between legitimate hacking attempts and internet noise in Skynet?
2. Does Skynet protect me from all of the things I've asked in this thread, or is it just blocking some of them and reporting on the rest that they've come through my defenses?
3. Kind of difficult to go on with my life, when someone using a server in Seychelles is hitting my router >3000 times since yesterday (probably longer for all I know) and someone with port 55285 is also hitting my >2900 times. It seems kind of coordinated and legitamte.
4. When a port is being hit in Skynet, should I block those ports, or are they already protected, and Skynet is just telling me someone tried to use it? ie port 23.
5. I'm new to all of this, so apologies if all of this is me just panicking and very normal and nothing to worry about, like you said, but I'd like to have my questions answered, for my own peace of mind, if you would be so kind.

 

[ColinTaylor]

I can't comment on what Skynet does because I don't use it.

The vast majority of these "hacking attempts" are not actual, targeted hacking as such. I apologise if I gave that impression, I probably should have said probing or scanning instead. It will just be automated port scanning bots that crawl their way across the internet looking for open ports. If they find an open port they will then examine it more closely. This is the same kind of port scanning that nmap can do. You can try it for yourself.


FYI: https://en.wikipedia.org/wiki/Ephemeral_port

 

[torstein]

Thanks! That made it more clearer. I thought I was hacked. Sorry for the panic.

1. What do you use instead of Skynet?
2. When port 23 is hit >383 times, its not necessarily the same person/server hitting it 383 times, it could be 383 different people /servers?
3. When 55285-guy hits me 2908 times, he could be scanning 2908 different ports and when he didnt find anything he gave up after 2908 attempts?
4. How do I close ports?
5. How do I know which are open?
6. If a port such as 22 for SSH is open, could it be hacked while in use, or is it just one connection (ie one computer) at a time per port?
7. What about when I don't use SSH (on port 22), is port 22 then open for attacks?
8. How do I close ports that are not in use?

 

[ColinTaylor]

1. I don't use anything other than the router's own built-in firewall which drops all unsolicited connection attempts by default. I don't use AiProtection.
2. Correct. In fact it's very likely to be from different sources.
3. Quite possibly.
4. You don't "close" ports, you just don't open them to the internet in the first place.
5. That's for you to be aware of what services you have decided to allow access to from the internet.
6. Multiple simultaneous connections can be made to an SSH server, just like multiple connections can be made to a web server.
7. See answers above.
8. See answers above.

 

[eightiescalling]

3. Kind of difficult to go on with my life, when someone using a server in Seychelles is hitting my router >3000 times since yesterday (probably longer for all I know) and someone with port 55285 is also hitting my >2900 times. It seems kind of coordinated and legitamte.

One other point - just because your router sees a number of attempts, or a spike, on the same port don't assume it's an attack on you.

Unless you are paying extra for a static IP your ISP will be running DHCP and handing out IP addresses as needed across their network. It is entirely possible, and likely with a properly configured router, that none of these attempts have got in to your network but the attempts continue because previously (possibly recently) they were successful on somebody else when they had the IP address your ISP has given you.

As @ColinTaylor mentioned, don't open ports (or more likely start services with internet access) if you don't need them. Unless you have something that breaks with it disabled, I'd also turn off uPnP to stop other things on your network (possibly legitimately) setting up a port.

 

[BreakingDad]

This may set your mind at ease, https://www.grc.com/shieldsup

Run a full a full service port scan, it will tell you what's open , closed and in full stealth. Hopefully it will tell you that you're in full stealth mode.

 

[Tech9]

I thought I was hacked.

Remember what I told you?

https://www.snbforums.com/threads/aiprotect-skynet.72086/#post-702439

Skynet may be useful in some specific cases, but what is does best is to freak you out making you believe you're under attack constantly.

 

[torstein]

This may set your mind at ease, https://www.grc.com/shieldsup

Run a full a full service port scan, it will tell you what's open , closed and in full stealth. Hopefully it will tell you that you're in full stealth mode.

Ooooooh fancy! Thanks I can't wait to explore that tool more when I come home tomorrow evening. I wonder if anyone else here has any experience with this?

Tech9 said:
Skynet may be useful in some specific cases, but what is does best is to freak you out making you believe you're under attack constantly.

Yup, I remember That's exactly what it did.

Skynet has a lot of great features that I'm not skilled enough to take advantage of, know why I should use them or where even to find IPs and IP ranges to block. I installed Skynet and left it running "stock" without any adjustments or configuring. I did so, because I thought Skynet was an additional automatic, intelligent, set-it-and-forget-it firewall on top of the default Asus firewall. I thought Skynet would give my ax86u more Firewall-"muscles" that automatically worked in the background, protecting me better than the Asus firewall would alone, without me having to do anything. I also figured it's good to have Skynet's malware-signatures.

However, I have learned that Skynet does none of that. It's "just" extra scripts to tweak the Asus firewall yourself and block IPs and known malware sites from community lists.

AiProtect together with NextDNS running on the ax86u with threat intelligence feeds + malware protections + google safebrowsing, probably covers most of what Skynet's malware-protection offers, no?

With my setup, I don't think Skynet provides anything of value to me and others like me. If I start blocking entire countries, I might actually break websites and services, and I'm not skilled enough to know which or why I should block ip ranges.

My apologies to Adamm, I feel like I'm badmouthing Skynet here, that's honestly not my intention. I am just not educated enough to use Skynet for its intended purpose, and I with my skill level is probably better off staying away from it for the time being. I'm not using it to its potential by just leaving it running "stock". I will most likely revisit it later.

 

[ColinTaylor]

Ooooooh fancy! Thanks I can't wait to explore that tool more when I come home tomorrow evening. I wonder if anyone else here has any experience with this?

Not really fancy at all. It's basic port scanner that's been around forever (well 1999). I thought everybody knew about it. There are plenty of alternatives that all do basically the same thing but just present it in a different way.

Do bear in mind that GRC's "All Service Ports" scan only scans the first 1056 ports. So it omits the other ~64000 ports which also contain commonly used ports like 1080, 1723, 3306, 3389, 8080, 8443, 32400. etc.

 

[BreakingDad]

....and block IPs and known malware sites from community lists

Which is why it is both good and bad, bad as in occasionally the community lists are false postives and block stuff that is safe. It's not really of issue because if you get one of these you can whitelist it. I've whitelisted roblox, battle net and quad 9 in the 6 months I have used it.

The full country blocking is also a useful tool. I block cn br ir ua ar iq tw th lv ru ro cl sa pk bg with no issues. Apart from that I pretty much leave it to do its thing.

 

[Tech9]

I've whitelisted roblox, battle net and quad 9 in the 6 months I have used it.

Can your wife or kids do this without your assistance? I have read about Quad9 blocked and if you use Quad9 DNS that means no Internet until you come back home. Very nice with all the work/learn from home thing. You already have few trusted malware/phishing protections. Another on top and community based becomes inconvenience for you only. You guys hurt yourselves with this script, turning Adamm's good intentions into router malware. When you block countries with Internet backbone servers you don't have full access to Internet anymore.

 

[Tech9]

With my setup, I don't think Skynet provides anything of value to me and others like me.

Over time you'll find AiProtection is also not exactly what Asus makes you think it is.