Question Suspicious activity on router logs, constant port scanning and attacks

Toggle sidebar Toggle sidebar
Sinatra

Sinatra

Distinguished
Oct 4, 2015
101
1
18,685
I was experiencing major drops in my performance 2 weeks ago, contacted my ISP & they advised it was resolved.
One week ago, the connection suddenly dropped completely & this happened several times consistently for the following days - checked the security logs & found the following.
Please let me know what you think it might be as the ISP can't help me.

6Sep 14 12:53:38kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=223.16.182.68 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=57430 PROTO=TCP SPT=29211 DPT=56984 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=41404
7Sep 14 12:07:23kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=65.49.136.67 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=55816 PROTO=TCP SPT=60724 DPT=34797 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=65462
8Sep 14 11:52:42kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=71.187.201.219 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=31988 PROTO=TCP SPT=42173 DPT=27002 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=6043
9Sep 14 11:02:39kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=113.197.177.216 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=28456 PROTO=TCP SPT=42296 DPT=25019 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=38816
10Sep 14 10:05:39kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=157.14.229.204 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=47547 PROTO=TCP SPT=42525 DPT=48455 WINDOW=0 RES=0x00 URGP=0
11Sep 14 09:53:15kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=223.16.182.68 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=29586 PROTO=TCP SPT=11487 DPT=16375 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=36848
12Sep 14 09:41:44kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=46.214.76.245 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=16218 PROTO=TCP SPT=33936 DPT=28742 WINDOW=0 RES=0x00 URGP=0
13Sep 14 08:27:54kernalertattackkernel: UDP_FLOODING ATTACK:IN=ppp2 OUT= MAC= SRC=5.189.160.241 DST=myip LEN=440 TOS=0x00 PREC=0x00 TTL=57 ID=15247 PROTO=UDP SPT=5113 DPT=5063 LEN=420
14Sep 14 07:49:53kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=112.118.87.136 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1915 PROTO=TCP SPT=15208 DPT=54551 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=22641
15Sep 14 07:21:57kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=59.149.106.163 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10894 PROTO=TCP SPT=56295 DPT=50755 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=64421
16Sep 14 06:47:47kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=136.143.148.173 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=53185 PROTO=TCP SPT=65229 DPT=27124 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=26407
17Sep 14 06:33:10kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=86.98.62.46 DST= myip LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=20228 PROTO=TCP SPT=49971 DPT=53532 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=14270
18Sep 14 06:33:01kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=223.16.47.176 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=11087 PROTO=TCP SPT=29072 DPT=46834 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=57895

Nearly every single source IP is malicious as <Mod Edit >all getout, using online tools to search them up you'll find the same thing, people reporting them for mass port scanning and attempting to gain access. You might look at this and think it's a plain and obvious, apologies if this seems dragged out or dramatised.
I personally believe it's a botnet or something like that - i'm just interested to see how this operates and what it is tbh

Important details:
Reset router several times to factory default
Updated router software accordingly and in-line with most recent updates
Thoroughly checked all connected devices to the network for malware
Router is a Zyxel VMG8825-T50
These scans have been consistent for days now, every few minutes another scan/attack is activated
 
Last edited by a moderator:
kanewolf

kanewolf

Titan
Moderator
May 29, 2013
38,112
3,582
156,790
Sinatra said:
I was experiencing major drops in my performance 2 weeks ago, contacted my ISP & they advised it was resolved.
One week ago, the connection suddenly dropped completely & this happened several times consistently for the following days - checked the security logs & found the following.
Please let me know what you think it might be as the ISP can't help me.

6Sep 14 12:53:38kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=223.16.182.68 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=57430 PROTO=TCP SPT=29211 DPT=56984 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=41404
7Sep 14 12:07:23kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=65.49.136.67 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=55816 PROTO=TCP SPT=60724 DPT=34797 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=65462
8Sep 14 11:52:42kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=71.187.201.219 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=31988 PROTO=TCP SPT=42173 DPT=27002 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=6043
9Sep 14 11:02:39kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=113.197.177.216 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=28456 PROTO=TCP SPT=42296 DPT=25019 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=38816
10Sep 14 10:05:39kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=157.14.229.204 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=47547 PROTO=TCP SPT=42525 DPT=48455 WINDOW=0 RES=0x00 URGP=0
11Sep 14 09:53:15kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=223.16.182.68 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=29586 PROTO=TCP SPT=11487 DPT=16375 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=36848
12Sep 14 09:41:44kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=46.214.76.245 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=16218 PROTO=TCP SPT=33936 DPT=28742 WINDOW=0 RES=0x00 URGP=0
13Sep 14 08:27:54kernalertattackkernel: UDP_FLOODING ATTACK:IN=ppp2 OUT= MAC= SRC=5.189.160.241 DST=myip LEN=440 TOS=0x00 PREC=0x00 TTL=57 ID=15247 PROTO=UDP SPT=5113 DPT=5063 LEN=420
14Sep 14 07:49:53kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=112.118.87.136 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1915 PROTO=TCP SPT=15208 DPT=54551 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=22641
15Sep 14 07:21:57kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=59.149.106.163 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10894 PROTO=TCP SPT=56295 DPT=50755 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=64421
16Sep 14 06:47:47kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=136.143.148.173 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=53185 PROTO=TCP SPT=65229 DPT=27124 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=26407
17Sep 14 06:33:10kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=86.98.62.46 DST= myip LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=20228 PROTO=TCP SPT=49971 DPT=53532 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=14270
18Sep 14 06:33:01kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=223.16.47.176 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=11087 PROTO=TCP SPT=29072 DPT=46834 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=57895

Nearly every single source IP is malicious as <Mod Edit >all getout, using online tools to search them up you'll find the same thing, people reporting them for mass port scanning and attempting to gain access. You might look at this and think it's a plain and obvious, apologies if this seems dragged out or dramatised.
I personally believe it's a botnet or something like that - i'm just interested to see how this operates and what it is tbh

Important details:
Reset router several times to factory default
Updated router software accordingly and in-line with most recent updates
Thoroughly checked all connected devices to the network for malware
Router is a Zyxel VMG8825-T50
These scans have been consistent for days now, every few minutes another scan/attack is activated
Click to expand...
Is there a question ? It would be against the rules of this board to discuss techniques used in online attacks.
 
punkncat

punkncat

Polypheme
Ambassador
Apr 3, 2018
12,241
3,315
62,890
I cannot say I have ever had that level of activity one on top of another, but if you watch for it, this happens all the time. Black hats are constantly looking for ways in so they can steal or worse. Use strong passwords for everything. Only visit above board sites. Keep a good AV/firewall solution in use.
 
  • Like
Reactions: Sinatra
Sinatra

Sinatra

Distinguished
Oct 4, 2015
101
1
18,685
punkncat said:
I cannot say I have ever had that level of activity one on top of another, but if you watch for it, this happens all the time. Black hats are constantly looking for ways in so they can steal or worse. Use strong passwords for everything. Only visit above board sites. Keep a good AV/firewall solution in use.
Click to expand...
Everything you've mentioned I already have/am doing to the greatest extent possible, my ISP can't figure out what a port scan means - I have no hope of getting this fixed other than here. Also, this activity is NON-STOP every day, every hour. CONSTANT scanning followed by the one or two POD/similar attack on my ip. Every single source ip is malicious however.
Because i've reset the router & updated the firmware accordingly - yet the problem still persists, does this mean that the issue rests within a device connected to the network?
 
B

bill001g

Titan
Aug 9, 2012
29,135
3,048
128,640
This is one of those things that sometime it might be better if the router did not produce any messages.

Even if the router did not detect this nothing can get to your inside machine purely because of the NAT function. Since router does not know which machine to send it to it will just discard the traffic.

This is not like a actual denial of service attack where they attempt to exceed you internet capacity. You are getting a couple of packets a minute at best. That will not cause any kind of performance issue unless of course there is a bug in the router firmware where there is a lot of overhead to produce these messages. You might be able to just turn the firewall function off in the router so it does not produce these messages.

Nothing is going to get into your network anyway.

There is absolutly nothing you can do to stop or prevent this. Your ISP also can do nothing. I suspect you just happen to see these messages for the first time when you started to look for your performance issue and blamed this. Your problem is likely something more common like a some issue with the wiring coming to your house.
 
  • Like
Reactions: Sinatra
Sinatra

Sinatra

Distinguished
Oct 4, 2015
101
1
18,685
bill001g said:
This is one of those things that sometime it might be better if the router did not produce any messages.

Even if the router did not detect this nothing can get to your inside machine purely because of the NAT function. Since router does not know which machine to send it to it will just discard the traffic.

This is not like a actual denial of service attack where they attempt to exceed you internet capacity. You are getting a couple of packets a minute at best. That will not cause any kind of performance issue unless of course there is a bug in the router firmware where there is a lot of overhead to produce these messages. You might be able to just turn the firewall function off in the router so it does not produce these messages.

Nothing is going to get into your network anyway.

There is absolutly nothing you can do to stop or prevent this. Your ISP also can do nothing. I suspect you just happen to see these messages for the first time when you started to look for your performance issue and blamed this. Your problem is likely something more common like a some issue with the wiring coming to your house.
Click to expand...
This does make a lot of sense, however I still can't figure out why ALL the source IP's are marked as malicious.
 
failboat

failboat

Splendid
Feb 19, 2010
1,905
51
21,390
Always good to make sure you're dropping all inbounds and don't for any reason try and host something yourself with out a lot of research. Nearly all routers do this by default. Some rare cases are out there where it's not. Some isp combos leave a backdoor for tech support. Stealthing your ports is good too. For some insane reason a lot of routers don't come stealthed out of the box. Under your fw rules you want inbounds setup as "drop". If it's on deny it tells the other party it was denied vs timing out. It won't change the fact that random botnets will try and attack you constantly.
 
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom