I was looking at a log from an RT-N66U and I can't see anything other than dropped incoming packets. Even though I know the firewall will show various unexplained connection attempts, this doesn't look normal because it's just about every second, all the time, 24/7, and has been like this for days.
Every connection has 39301 as destination port and there are a lot of different source IPs.
Here's a short blurb from the log, with masked MAC & IP.
Code:
Feb 17 23:19:24 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx <1>SRC=177.182.xx.xx DST=xx.xxx.xxx.xx <1>LEN=95 TOS=0x00 PREC=0x00 TTL=112 ID=4728 PROTO=UDP <1>SPT=34249 DPT=39301 LEN=75
Feb 17 23:19:34 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx <1>SRC=175.136.xxx.xxx DST=xx.xxx.xxx.xx <1>LEN=131 TOS=0x00 PREC=0x00 TTL=114 ID=8527 PROTO=UDP <1>SPT=32441 DPT=39301 LEN=111
Feb 17 23:19:54 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx <1>SRC=184.18.xx.xxx DST=xx.xxx.xxx.xx <1>LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=16776 DF PROTO=TCP <1>SPT=54331 DPT=39301 SEQ=230598312 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Feb 17 23:19:57 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx <1>SRC=184.18.xx.xxx DST=xx.xxx.xxx.xx <1>LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=17141 DF PROTO=TCP <1>SPT=54331 DPT=39301 SEQ=230598312 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Feb 17 23:20:03 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx <1>SRC=184.18.xx.xxx DST=xx.xxx.xxx.xx <1>LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=17905 DF PROTO=TCP <1>SPT=54331 DPT=39301 SEQ=230598312 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 17 23:20:03 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx <1>SRC=2.34.xxx.xxx DST=xx.xxx.xxx.xx <1>LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=31346 PROTO=UDP <1>SPT=12728 DPT=39301 LEN=111
Feb 17 23:20:04 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx <1>SRC=174.97.xxx.xxx DST=xx.xxx.xxx.xx <1>LEN=131 TOS=0x00 PREC=0x00 TTL=106 ID=44324 PROTO=UDP <1>SPT=57961 DPT=39301 LEN=111
Feb 17 23:20:09 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx <1>SRC=77.46.xxx.xx DST=xx.xxx.xxx.xx <1>LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=8732 DF PROTO=TCP <1>SPT=16627 DPT=39301 SEQ=2045335526 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405780103030201010402)
Feb 17 23:20:10 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx <1>SRC=178.126.xx.xx DST=xx.xxx.xxx.xx <1>LEN=131 TOS=0x00 PREC=0x00 TTL=115 ID=33611 PROTO=UDP <1>SPT=42926 DPT=39301 LEN=111
This is everything you can see in the log, it is non-stop.
After torrenting, for how long can you expect to get incoming traffic because of this? All P2P software has been shut down for 5 days and I had not been checking the log before that.
I guess there's nothing I can do, other than ask the service provider for a new IP? Or maybe it's no big deal?
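
A way to summarise a log like the one in the post (an added example, not part of the original post): it parses the DROP lines and reports, per destination port, the packet count, distinct sources, protocol mix and repeated SYNs. The sample lines are constructed in the same format with documentation-range addresses, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the router log above
# (documentation-range addresses, MAC field shortened).
SAMPLE = """\
Feb 17 23:19:24 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx <1>SRC=198.51.100.7 DST=192.0.2.1 <1>LEN=95 TOS=0x00 PREC=0x00 TTL=112 ID=4728 PROTO=UDP <1>SPT=34249 DPT=39301 LEN=75
Feb 17 23:19:54 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx <1>SRC=203.0.113.9 DST=192.0.2.1 <1>LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=16776 DF PROTO=TCP <1>SPT=54331 DPT=39301 SEQ=230598312 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 17 23:19:57 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx <1>SRC=203.0.113.9 DST=192.0.2.1 <1>LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=17141 DF PROTO=TCP <1>SPT=54331 DPT=39301 SEQ=230598312 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 17 23:20:03 kernel: DROP <4>DROP IN=eth0 OUT= MAC=xx <1>SRC=198.51.100.88 DST=192.0.2.1 <1>LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=31346 PROTO=UDP <1>SPT=12728 DPT=39301 LEN=111
Feb 17 23:20:05 kernel: some unrelated message
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs; tolerates the "<1>" prefixes

def parse_drop(line):
    """Return the KEY=value fields of one DROP line, or None if it is not one."""
    if "kernel: DROP" not in line:
        return None
    fields = dict(FIELD.findall(line))
    # Lines without ports (e.g. ICMP) are skipped by this port-based summary.
    return fields if {"SRC", "PROTO", "DPT"} <= fields.keys() else None

def summarize(lines):
    """Per destination port: packets, distinct sources, protocol mix, SYN retries."""
    ports = defaultdict(lambda: {"packets": 0, "sources": set(),
                                 "protos": Counter(), "syn_retries": 0})
    seen_syn = set()
    for line in lines:
        f = parse_drop(line)
        if f is None:
            continue
        p = ports[int(f["DPT"])]
        p["packets"] += 1
        p["sources"].add(f["SRC"])
        p["protos"][f["PROTO"]] += 1
        if f["PROTO"] == "TCP" and " SYN " in line and "SEQ" in f:
            # Same source, source port and sequence number means the same
            # client retrying an unanswered SYN, not a new connection attempt.
            key = (f["SRC"], f["SPT"], f["DPT"], f["SEQ"])
            p["syn_retries"] += key in seen_syn
            seen_syn.add(key)
    return dict(ports)

if __name__ == "__main__":
    for port, s in summarize(SAMPLE.splitlines()).items():
        print(port, s["packets"], "packets,", len(s["sources"]), "sources,",
              dict(s["protos"]), "SYN retries:", s["syn_retries"])
```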