Need help with router firewall log.

willbeokay73

Honorable
Dec 17, 2013
I keep seeing "[DOS] logs" written next to the logged entries, with one of them having "[PORT logs]".

The entries in the firewall log have a format of

UDP packet - Source [IP address], port # Destination [IP address], port #

and ends by identifying itself as either [DOS] logs or [PORT logs]

I am wondering why [DOS] and [PORT] are listed and what they could possibly mean (whether it was blocked or the transaction did happen, it doesn't say), and what the Source and Destination describe in the entry.

What's intriguing is that I did a port number lookup, and most destination port numbers listed in the log entries are either out of range or don't exist. To be more specific, I have noticed that some of these entries repeat themselves several times in a single second, as in the same entries with the same source/destination IP & port numbers are repeating multiple times in a 1-second frame, usually 3-5 times.

After changing the firewall security level, I have noticed that the number of visible entries has reduced (could be coincidence, need more time to know for sure), and the few newer entries seem to have a subnet IP for destination (instead of a random IP address or port number). I've read around that those might belong to DHCP, but they still have [DOS] written next to them.

Just to note FYI, I ran a virus/malware scan in safe mode - it came out clean.

I would post some of the port numbers but was not sure if that's a good idea security-wise, so as of now I'll leave it here. I understand firewall logs may be different for all routers, but I do need some help understanding what this may mean.
 

JimF_35

Distinguished
DOS stands for Denial Of Service. Hackers use this to slow down or cripple your router. Port is simply the connection port being used. Your log is probably showing where your router blocked a DOS attack and which port it was on. This is just a guess. Can you copy and paste the log in a post?
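
One way to triage a log in the layout described in the question, as an added example that is not part of the original thread: it parses each entry, collapses entries that repeat within the same second, and marks broadcast destinations and DHCP ports (UDP 67/68). The timestamp prefix, the exact punctuation, the `192.168.1.0/24` LAN and every sample line are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines; the timestamp prefix and punctuation are assumptions,
# since the thread only describes the entry layout loosely.
_BURST = ("2014-01-05 21:14:03 UDP packet - Source 203.0.113.45, port 50321 "
          "Destination 198.51.100.7, port 61234 [DOS] logs\n")
SAMPLE_LOG = _BURST * 4 + (
    "2014-01-05 21:15:10 UDP packet - Source 192.168.1.23, port 68 "
    "Destination 192.168.1.255, port 67 [DOS] logs\n"
    "2014-01-05 21:16:42 UDP packet - Source 203.0.113.99, port 40000 "
    "Destination 198.51.100.7, port 53211 [PORT logs]\n")

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\w+) packet - "
    r"Source (?P<src>[\d.]+), port (?P<sport>\d+) "
    r"Destination (?P<dst>[\d.]+), port (?P<dport>\d+) "
    r"\[(?P<tag>DOS|PORT)[^\]]*\]")  # accepts "[DOS] logs" and "[PORT logs]"

def parse(log):
    """Return one dict per line that matches the assumed layout."""
    matches = (LINE_RE.match(line.strip()) for line in log.splitlines())
    return [m.groupdict() for m in matches if m]

def summarize(log, lan="192.168.1.0/24"):
    """Collapse identical entries per second and annotate each group."""
    net = ipaddress.ip_network(lan)  # assumed home LAN
    counts = Counter(
        (e["ts"], e["src"], e["sport"], e["dst"], e["dport"], e["tag"])
        for e in parse(log))
    report = []
    for (ts, src, sport, dst, dport, tag), n in counts.items():
        notes = []
        if n > 1:
            notes.append(f"repeated {n}x in one second")
        if ipaddress.ip_address(dst) == net.broadcast_address or dst == "255.255.255.255":
            notes.append("broadcast destination")
        if {int(sport), int(dport)} <= {67, 68}:
            notes.append("DHCP ports")
        report.append({"ts": ts, "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                       "tag": tag, "count": n, "notes": notes})
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Whether a tagged entry was dropped or merely logged is still defined by the router's own documentation; this only groups and labels what the log contains.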