• Happy holidays, folks! Thanks to each and every one of you for being part of the Tom's Hardware community!

Question Suspicious activity on router logs, constant port scanning and attacks

Sinatra

Distinguished
Oct 4, 2015
101
1
18,685
I was experiencing major drops in my performance 2 weeks ago, contacted my ISP & they advised it was resolved.
One week ago, the connection suddenly dropped completely & this happened several times consistently for the following days - checked the security logs & found the following.
Please let me know what you think it might be as the ISP can't help me.

6Sep 14 12:53:38kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=223.16.182.68 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=57430 PROTO=TCP SPT=29211 DPT=56984 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=41404
7Sep 14 12:07:23kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=65.49.136.67 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=55816 PROTO=TCP SPT=60724 DPT=34797 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=65462
8Sep 14 11:52:42kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=71.187.201.219 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=31988 PROTO=TCP SPT=42173 DPT=27002 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=6043
9Sep 14 11:02:39kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=113.197.177.216 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=28456 PROTO=TCP SPT=42296 DPT=25019 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=38816
10Sep 14 10:05:39kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=157.14.229.204 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=47547 PROTO=TCP SPT=42525 DPT=48455 WINDOW=0 RES=0x00 URGP=0
11Sep 14 09:53:15kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=223.16.182.68 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=29586 PROTO=TCP SPT=11487 DPT=16375 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=36848
12Sep 14 09:41:44kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=46.214.76.245 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=16218 PROTO=TCP SPT=33936 DPT=28742 WINDOW=0 RES=0x00 URGP=0
13Sep 14 08:27:54kernalertattackkernel: UDP_FLOODING ATTACK:IN=ppp2 OUT= MAC= SRC=5.189.160.241 DST=myip LEN=440 TOS=0x00 PREC=0x00 TTL=57 ID=15247 PROTO=UDP SPT=5113 DPT=5063 LEN=420
14Sep 14 07:49:53kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=112.118.87.136 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1915 PROTO=TCP SPT=15208 DPT=54551 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=22641
15Sep 14 07:21:57kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=59.149.106.163 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10894 PROTO=TCP SPT=56295 DPT=50755 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=64421
16Sep 14 06:47:47kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=136.143.148.173 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=53185 PROTO=TCP SPT=65229 DPT=27124 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=26407
17Sep 14 06:33:10kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=86.98.62.46 DST= myip LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=20228 PROTO=TCP SPT=49971 DPT=53532 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=14270
18Sep 14 06:33:01kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=223.16.47.176 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=11087 PROTO=TCP SPT=29072 DPT=46834 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=57895

Nearly every single source IP is malicious as <Mod Edit >all getout, using online tools to search them up you'll find the same thing, people reporting them for mass port scanning and attempting to gain access. You might look at this and think it's a plain and obvious, apologies if this seems dragged out or dramatised.
I personally believe it's a botnet or something like that - i'm just interested to see how this operates and what it is tbh

Important details:
Reset router several times to factory default
Updated router software accordingly and in-line with most recent updates
Thoroughly checked all connected devices to the network for malware
Router is a Zyxel VMG8825-T50
These scans have been consistent for days now, every few minutes another scan/attack is activated
 
Last edited by a moderator:
I was experiencing major drops in my performance 2 weeks ago, contacted my ISP & they advised it was resolved.
One week ago, the connection suddenly dropped completely & this happened several times consistently for the following days - checked the security logs & found the following.
Please let me know what you think it might be as the ISP can't help me.

6Sep 14 12:53:38kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=223.16.182.68 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=57430 PROTO=TCP SPT=29211 DPT=56984 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=41404
7Sep 14 12:07:23kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=65.49.136.67 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=55816 PROTO=TCP SPT=60724 DPT=34797 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=65462
8Sep 14 11:52:42kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=71.187.201.219 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=31988 PROTO=TCP SPT=42173 DPT=27002 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=6043
9Sep 14 11:02:39kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=113.197.177.216 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=28456 PROTO=TCP SPT=42296 DPT=25019 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=38816
10Sep 14 10:05:39kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=157.14.229.204 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=47547 PROTO=TCP SPT=42525 DPT=48455 WINDOW=0 RES=0x00 URGP=0
11Sep 14 09:53:15kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=223.16.182.68 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=29586 PROTO=TCP SPT=11487 DPT=16375 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=36848
12Sep 14 09:41:44kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=46.214.76.245 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=16218 PROTO=TCP SPT=33936 DPT=28742 WINDOW=0 RES=0x00 URGP=0
13Sep 14 08:27:54kernalertattackkernel: UDP_FLOODING ATTACK:IN=ppp2 OUT= MAC= SRC=5.189.160.241 DST=myip LEN=440 TOS=0x00 PREC=0x00 TTL=57 ID=15247 PROTO=UDP SPT=5113 DPT=5063 LEN=420
14Sep 14 07:49:53kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=112.118.87.136 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1915 PROTO=TCP SPT=15208 DPT=54551 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=22641
15Sep 14 07:21:57kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=59.149.106.163 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10894 PROTO=TCP SPT=56295 DPT=50755 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=64421
16Sep 14 06:47:47kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=136.143.148.173 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=53185 PROTO=TCP SPT=65229 DPT=27124 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=26407
17Sep 14 06:33:10kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=86.98.62.46 DST= myip LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=20228 PROTO=TCP SPT=49971 DPT=53532 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=14270
18Sep 14 06:33:01kernalertattackkernel: TCP PORT SCAN ATTACK:IN=ppp2 OUT= MAC= SRC=223.16.47.176 DST=myip LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=11087 PROTO=TCP SPT=29072 DPT=46834 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=57895

Nearly every single source IP is malicious as <Mod Edit >all getout, using online tools to search them up you'll find the same thing, people reporting them for mass port scanning and attempting to gain access. You might look at this and think it's a plain and obvious, apologies if this seems dragged out or dramatised.
I personally believe it's a botnet or something like that - i'm just interested to see how this operates and what it is tbh

Important details:
Reset router several times to factory default
Updated router software accordingly and in-line with most recent updates
Thoroughly checked all connected devices to the network for malware
Router is a Zyxel VMG8825-T50
These scans have been consistent for days now, every few minutes another scan/attack is activated
Is there a question ? It would be against the rules of this board to discuss techniques used in online attacks.
 
I cannot say I have ever had that level of activity one on top of another, but if you watch for it, this happens all the time. Black hats are constantly looking for ways in so they can steal or worse. Use strong passwords for everything. Only visit above board sites. Keep a good AV/firewall solution in use.
 
  • Like
Reactions: Sinatra
I cannot say I have ever had that level of activity one on top of another, but if you watch for it, this happens all the time. Black hats are constantly looking for ways in so they can steal or worse. Use strong passwords for everything. Only visit above board sites. Keep a good AV/firewall solution in use.
Everything you've mentioned I already have/am doing to the greatest extent possible, my ISP can't figure out what a port scan means - I have no hope of getting this fixed other than here. Also, this activity is NON-STOP every day, every hour. CONSTANT scanning followed by the one or two POD/similar attack on my ip. Every single source ip is malicious however.
Because i've reset the router & updated the firmware accordingly - yet the problem still persists, does this mean that the issue rests within a device connected to the network?
 
This is one of those things that sometime it might be better if the router did not produce any messages.

Even if the router did not detect this nothing can get to your inside machine purely because of the NAT function. Since router does not know which machine to send it to it will just discard the traffic.

This is not like a actual denial of service attack where they attempt to exceed you internet capacity. You are getting a couple of packets a minute at best. That will not cause any kind of performance issue unless of course there is a bug in the router firmware where there is a lot of overhead to produce these messages. You might be able to just turn the firewall function off in the router so it does not produce these messages.

Nothing is going to get into your network anyway.

There is absolutly nothing you can do to stop or prevent this. Your ISP also can do nothing. I suspect you just happen to see these messages for the first time when you started to look for your performance issue and blamed this. Your problem is likely something more common like a some issue with the wiring coming to your house.
 
  • Like
Reactions: Sinatra
This is one of those things that sometime it might be better if the router did not produce any messages.

Even if the router did not detect this nothing can get to your inside machine purely because of the NAT function. Since router does not know which machine to send it to it will just discard the traffic.

This is not like a actual denial of service attack where they attempt to exceed you internet capacity. You are getting a couple of packets a minute at best. That will not cause any kind of performance issue unless of course there is a bug in the router firmware where there is a lot of overhead to produce these messages. You might be able to just turn the firewall function off in the router so it does not produce these messages.

Nothing is going to get into your network anyway.

There is absolutly nothing you can do to stop or prevent this. Your ISP also can do nothing. I suspect you just happen to see these messages for the first time when you started to look for your performance issue and blamed this. Your problem is likely something more common like a some issue with the wiring coming to your house.
This does make a lot of sense, however I still can't figure out why ALL the source IP's are marked as malicious.
 
Always good to make sure you're dropping all inbounds and don't for any reason try and host something yourself with out a lot of research. Nearly all routers do this by default. Some rare cases are out there where it's not. Some isp combos leave a backdoor for tech support. Stealthing your ports is good too. For some insane reason a lot of routers don't come stealthed out of the box. Under your fw rules you want inbounds setup as "drop". If it's on deny it tells the other party it was denied vs timing out. It won't change the fact that random botnets will try and attack you constantly.