Topic: Am I under attack?
« on: September 17, 2013, 03:59:49 »
Masterofrpm *
Posts: 6

I have noticed a considerable amount of blocked connection attempts in my firewall logs. There used to be numerous attempts for port 53, but I have since made a dedicated rule to clean things up to take care of the other issues, as I know I currently do not have a public DNS server. I am curious if ANY of the traffic you see in these logs is legit at all. The only service currently available is on port 4040. There are also VPN services using PPTP, though devices were disconnected for troubleshooting purposes. Most of the traffic has been to port 10874 TCP/UDP and I cannot find any service that uses this port within my network, and there are no resources I can find that describe a use for this port/protocol. Once this is resolved I am sure I will finally restore my previous access speeds. Any help is highly appreciated.


Attachments: Random.gif, 10874.gif
« Reply #1 on: September 17, 2013, 04:36:44 »
Fred Grayson *****
Posts: 994

Has your IP address changed recently? If so you could have inherited an address that was recently being used for some type of file sharing service and you are now getting the traffic that someone else was getting when they had your address.

--
Google is your friend and Bob's your uncle.
« Reply #2 on: September 18, 2013, 03:12:46 »
Lee Sharp *****
Posts: 517

Without reading any further than the subject, Yes.  Always.

Now, in this case....

Start in your firewall state table.  See if you have one user connecting to a lot of those IPs on a random port.  It could be a BitTorrent client.  If his system is "listening" on 10874, other users will try and connect to it, but without a NAT entry, it will fail.

Another thing I have done is blocked off some rather troublesome sections of the world with ISPs that apparently support port scanning.  These are complete AS numbers.  My block rules...

      *    58.17.30.0/23    *    *    *    Block China - ShangHai Shelian commpany
      *    59.69.128.0/19    *    *    *    Block China - Nanyang Institute of Technology
      *    61.164.145.0/24    *    *    *    Block China - Wenzhou Telecom Co.,ltd
      *    81.196.20.0/23    *    *    *    Block Romania - RCS & RDS S.A.
      *    82.213.64.0/19    *    *    *    Block Italy - MIPIACE.COM SPA
      *    111.0.0.0/10    *    *    *    Block China - China Mobile Communications Corporation
      *    125.23.218.0/24    *    *    *    Block India - Bharti Tele-Ventures Limited
      *    183.129.128.0/17    *    *    *    Block China - Zhejiang Telecom
      *    200.105.224.0/20    *    *    *    Block Ecuadore - PUNTONET S.A.
      *    203.99.130.0/23    *    *    *    Block Indonisa - PT. Varnion Technology Semesta
      *    210.83.84.64/26    *    *    *    Block China - China Unicom CncNet
      *    222.96.0.0/19    *    *    *    Block Korea - Korea Telcom
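
Added example, not part of any post in this thread: one way to automate the state-table check suggested in Reply #2, by matching the remote addresses being blocked on port 10874 against the peers each LAN host already holds states with. The log and state line formats, the sample addresses and all function names are constructed assumptions; adapt the parsing to what your firewall actually exports.

```python
from collections import defaultdict
# Constructed sample data using documentation address ranges. The line
# formats are assumptions, not the output of any particular firewall.
BLOCKED_LOG = """\
block WAN 198.51.100.7:51413 -> 203.0.113.10:10874 UDP
block WAN 198.51.100.22:6881 -> 203.0.113.10:10874 TCP
block WAN 192.0.2.45:40112 -> 203.0.113.10:10874 UDP
block WAN 192.0.2.99:33210 -> 203.0.113.10:53 UDP
"""
STATE_TABLE = """\
192.168.1.23:10874 -> 198.51.100.7:51413 UDP
192.168.1.23:52011 -> 198.51.100.22:6881 TCP
192.168.1.23:52012 -> 192.0.2.45:40112 TCP
192.168.1.50:49822 -> 192.0.2.200:443 TCP
"""

def _endpoint(text):
    ip, port = text.rsplit(":", 1)
    return ip, int(port)

def blocked_sources_by_port(log):
    """Map each blocked destination port to the set of remote source IPs."""
    ports = defaultdict(set)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] != "block":
            continue  # skip anything that is not a block entry
        src_ip, _ = _endpoint(fields[2])
        _, dst_port = _endpoint(fields[4])
        ports[dst_port].add(src_ip)
    return ports

def peers_by_lan_host(states):
    """Map each internal host to the set of remote IPs it holds states with."""
    peers = defaultdict(set)
    for line in states.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        peers[_endpoint(fields[0])[0]].add(_endpoint(fields[2])[0])
    return peers

def likely_listener(log, states, port):
    """Return (lan_ip, shared_peers) for the host whose outbound peers overlap
    most with the sources blocked on `port`, or None when nothing overlaps."""
    sources = blocked_sources_by_port(log).get(port, set())
    best = max(((h, p & sources) for h, p in peers_by_lan_host(states).items()),
               key=lambda hp: len(hp[1]), default=None)
    return best if best and best[1] else None
```

A host that shares many peers with the blocked sources is the one to inspect for a peer-to-peer client; a result of `None` means the inbound attempts do not correspond to anything the LAN is currently talking to.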