Repeated incoming connections from odd sources

raptir

Honorable
Jul 11, 2015
11
0
10,510
Hoping someone can provide some insight here. I'm running a Verizon Quantum Gateway and have it setup to reject all incoming connections but allow all outgoing connections (default). Until today I was allowing it to respond to ping requests but while looking into this I disabled that functionality.

I always see a handful of connection attempts blocked in my firewall log, and I was told that's fairly normal. What seems abnormal to me is that I seem to have some amount of targeted attempts here. This morning, I have been getting repeated connection attempts from two IP addresses in Poland, every two minutes. Here is a sample from my router's log:

notice<173> Blocked IN=eth0 OUT= MAC=c8:a7:0a:82:bd:c9:2c:21:72:1b:6f:c1:08:00 SRC=212.91.20.90 DST=[myip] LEN=97 TOS=00 PREC=0x00 TTL=56 ID=53869 DF PROTO=TCP SPT=443 DPT=54535 SEQ=143504554 ACK=4209430672 WINDOW=18434 ACK PSH URGP=0 MARK=0

The attempts have been from 212.91.20.90 and 212.91.20.97. Looking back through my logs I can see a few more attempts from similar addresses (212.91.20.92, for example) overnight last night. All are showing as blocked. It's only concerning me since I'm now at 12 attempts over the last half hour from *.90 and *.97.

Is this some type of targeted attack? And is there anything I can do about it?
 

Ralston18

Titan
Moderator
Doubt that it is a personal attack, probably just targeted to some range of public IPs used by Verizon. Could be some reason that they keep trying your IP but most likely they are just hoping to eventually catch you/your IP with the firewall down, an open port, or some such vulnerability.

The source addresses may be being spoofed...

You can do a couple of things:

Find out what your assigned public IP is via "What is my IP" type website.

Once you know your IP, then turn off your router for a few hours if you can. When you restart the router check to see if you have the same Public IP. If so, and if the connection attempts continue, call Verizon to see if they can issue a different Public IP. May or may not be outside of the IP address range being targeted. If you are using and paying for a static IP then a new IP is probably not viable.

Otherwise keep your defenses up and keep watching the logs.

Hope someone else can offer more suggestions to help.
 

raptir

Thanks for the reply. I called Verizon and they are unwilling/unable to issue a new IP address. They suggested I pay for some advanced support because issuing a new IP address falls outside of standard Verizon support. I'll try leaving it unplugged overnight or while I'm at work and see if I can get a new IP, but if you think this can occur without being a personally targeted attack I may not worry too much about it.

The attempts stopped after about an hour. Interestingly, after I released/renewed my DHCP lease to see if that would trigger a new IP (it didn't) I got another wave from a different IP (208.100.47.161) for about twenty minutes.

I have my router blocking all incoming connections. Interestingly the firewall log was configured to only show blocked incoming connections, not allowed, so I changed that setting. I have not seen any allowed incoming connections (I checked "allowed outgoing connections" and quickly regretted that when my log flooded with every website I visited) but I'll keep an eye on it.

Is there anything else I need to do to protect myself against a potential attack?
 

raptir

Okay, so I managed to get myself assigned a new IP by just leaving the modem unplugged all day. But when I plugged it back in, the following appeared in the log (five very similar instances):

notice<173> Accepted IN=eth0 OUT= MAC=c8:a7:0a:82:bd:c9:2c:21:72:1b:6f:c1:08:00 SRC=206.46.209.250 DST=[myip] LEN=52 TOS=00 PREC=0x00 TTL=56 ID=27880 DF PROTO=TCP SPT=55038 DPT=4567 SEQ=1174190475 ACK=3960292345 WINDOW=32942 ACK URGP=0 MARK=0

Bolded the part that's concerning me. Why was this incoming connection accepted even though I have my modem set to reject all incoming connections?
 

raptir

Okay, so I did a little more research and it seems as though that accepted connection is a "backdoor" for Verizon, so it's likely not an issue.

I am seeing more repeated connections though, so I guess it is a random attack and not anything targeted.

notice<173> Blocked IN=eth0 OUT= MAC=c8:a7:0a:82:bd:c9:2c:21:72:1b:6f:c1:08:00 SRC=212.91.20.92 DST=[myip] LEN=71 TOS=00 PREC=0x00 TTL=57 ID=28500 DF PROTO=TCP SPT=443 DPT=64319 SEQ=2008050264 ACK=1504097962 WINDOW=17688 ACK PSH URGP=0 MARK=0
 

Ralston18

I did a "Who is" on 206.46.209.250 and it came up as a Verizon IP.

You could keep an eye on outgoing connections - just to see if some piece of software is "phoning home" and "home" (wherever) is trying to phone back once they detect a live IP.

You can use the Resource Monitor on your computer by typing "perfmon /res" in the Start box's search window. Watch to see if there are any unexplained programs sending or receiving in the network activity tab.

By the way - are you using IPv6? The long MAC address shown in your log suggests that. Can you match the MAC to any of your devices?

Still some things I do not understand so just sort of probing a bit to see what more can be learned.
 

raptir

Glad to hear that that appears to be a legit Verizon connection.

I'll try to log my outgoing connections but it quickly becomes cluttered and hard to follow. Maybe if I try it while my computer is just idling it will be easier, but I also have a Nexus Player and Sonos that are always connected. I'll see what I can do though. Also, these incoming connections occur even when my laptop is off. So I guess maybe it could be something installed on my Nexus Player that's prompting them.

I'm not really sure if I'm using IPv6. I know my phone does on T-Mobile but I thought everything on my home network would still be IPv4. Would that be set on the router? Or by each device? Also, for an incoming connection what should the MAC address be? Would it be my router's MAC?
 

Ralston18

Use your browser to go to http://test-ipv6.com (there are other similar sites) - that will provide details regarding your IPv4 and IPv6 connectivity if available and you have it.

Run ipconfig /all and compare the MACs with those of your router and ethernet cards/adapters.

When I check my router (Linksys 1900AC) IPv6 MAC is different from what is shown in ipconfig's DHCPv6 Client DUID.

Have not noted any utility commands that reveal my router's IPv6 DUID per se. So far can only see the DUID in the router's admin pages.

My Outgoing logs show the source device's IP address (internal 192.168.1.xxx) and MAC address.

Incoming logs do not include source MAC...

Outgoing logs do clutter up fast. Always have programs and apps trying to connect back to their "home site" as soon as they are started.

However, if attempts are being made to reach your laptop while off that, to me, indicates just some trolling for open IPs where the router says "welcome" versus "there is no legitimate reason for you to be allowed to connect into my network" and blocks the attempt accordingly.

Have a trusted friend ping your public IP a few times and see what your router logs.... Could help you see more about what goes on and how your router responds to outside inquiries.

 
raptir

Alright, so a little more progress. I did the IPv6 test you linked to and it said I was running everything IPv4. But, the router's MAC does match the first several digits of the MAC address shown in the logs. So my assumption is it's being truncated when I look at it in my router settings.
I looked at my logs again and I think that the repeated connections do correspond with my computer being on. What was throwing me off is that it seems to only be occurring the first time that I boot my computer each day (so it would be weird times when I turn my laptop on, then go make coffee or something before I come back and use it). I scanned with Malwarebytes and Windows Defender (Win 8 version, so actually an antivirus) and neither found anything. I looked through my installed applications... and thought of one that could be it. I have the GOG Galaxy Client installed. GOG does have US servers, but they're based in Poland so I could definitely see some of the connections coming from there still. I'm wondering if since the client is in beta if it is "phoning home" with usage statistics each morning and getting some response back. I've uninstalled the client and I'll see what happens tomorrow. If it still occurs, I'll turn off my wifi (so no devices can connect) and see if I still get these incoming connections.
 
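As an added example (not code from the thread or from the router vendor), here is a small Python script that parses router log lines in the format quoted above and labels each entry from a defender's point of view. It runs on the three lines quoted in the thread plus one constructed SYN sample; the port-and-flag heuristic is an assumption of this example, not something the router itself does, and it separates "late reply to a session a LAN device opened" (server-side source port, ACK/PSH, no SYN) from "unsolicited new connection" (bare SYN).

```python
import re
from collections import Counter

# Three lines from the thread (the poster replaced DST with "[myip]") plus one
# constructed sample, marked below, showing what an unsolicited SYN probe looks like.
SAMPLE_LOGS = [
    "notice<173> Blocked IN=eth0 OUT= MAC=c8:a7:0a:82:bd:c9:2c:21:72:1b:6f:c1:08:00 SRC=212.91.20.90 DST=[myip] LEN=97 TOS=00 PREC=0x00 TTL=56 ID=53869 DF PROTO=TCP SPT=443 DPT=54535 SEQ=143504554 ACK=4209430672 WINDOW=18434 ACK PSH URGP=0 MARK=0",
    "notice<173> Accepted IN=eth0 OUT= MAC=c8:a7:0a:82:bd:c9:2c:21:72:1b:6f:c1:08:00 SRC=206.46.209.250 DST=[myip] LEN=52 TOS=00 PREC=0x00 TTL=56 ID=27880 DF PROTO=TCP SPT=55038 DPT=4567 SEQ=1174190475 ACK=3960292345 WINDOW=32942 ACK URGP=0 MARK=0",
    "notice<173> Blocked IN=eth0 OUT= MAC=c8:a7:0a:82:bd:c9:2c:21:72:1b:6f:c1:08:00 SRC=212.91.20.92 DST=[myip] LEN=71 TOS=00 PREC=0x00 TTL=57 ID=28500 DF PROTO=TCP SPT=443 DPT=64319 SEQ=2008050264 ACK=1504097962 WINDOW=17688 ACK PSH URGP=0 MARK=0",
    # Constructed (not from the thread): a bare SYN to port 22 from a documentation address.
    "notice<173> Blocked IN=eth0 OUT= MAC=c8:a7:0a:82:bd:c9:2c:21:72:1b:6f:c1:08:00 SRC=198.51.100.7 DST=[myip] LEN=60 TOS=00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=40000 DPT=22 SEQ=1 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0",
]

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
FIELD = re.compile(r"(\w+)=(\S*)")

def parse(line):
    """Split a router log line into key=value fields, the verdict and the bare TCP flag tokens."""
    rec = dict(FIELD.findall(line))
    rec["verdict"] = "Accepted" if " Accepted " in line else "Blocked"
    rec["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return rec

def classify(line):
    """Label one entry; the heuristic below is this example's assumption, not a router feature."""
    rec = parse(line)
    if rec["verdict"] == "Accepted":
        return "accepted-inbound"            # find out which rule let this through
    flags, spt, dpt = rec["flags"], int(rec["SPT"]), int(rec["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-probe"           # a new connection nobody on the LAN asked for
    if "ACK" in flags and spt < 1024 and dpt >= 1024:
        # Server-side source port with mid-stream flags: looks like the tail of a session a
        # LAN device opened (e.g. an HTTPS reply arriving after the router dropped NAT state).
        return "stale-reply-to-outbound"
    return "other"

def summarize(lines):
    """Count (source IP, label) pairs so repeated sources stand out at a glance."""
    return Counter((parse(l)["SRC"], classify(l)) for l in lines)

if __name__ == "__main__":
    for (src, label), n in summarize(SAMPLE_LOGS).most_common():
        print(f"{src:16} {label:24} x{n}")
```

Entries labelled stale-reply-to-outbound are the ones worth correlating with which LAN device was awake at that time, as the thread ends up doing; unsolicited-probe entries are the background scanning the moderator describes.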

raptir

Alright, so it seems to be GOG Galaxy. I uninstalled it last night and did not get any Poland connections today. I'm still getting a single daily connection from 74.82.47.21 but I'm not as worried about that.

Glad it was a program I trust but now I'm questioning how much I should trust the site.
 

Ralston18

A "Who is" check of 74.82.47.21 came back as "Hurricane Electric".

Does that make sense.....? Maybe some utility related app you installed. Or just something sneaky hoping you will be fooled into letting it in.

To be honest I do not really trust any sites because the bad guys hope for typos, spoofs, and set up other misleading schemes.

The good thing is that you can watch your logs and investigate anything questionable or otherwise out of the ordinary. Keep the defenses up and always be wary.

Way too many things out there that are really just invasive versus providing some "benefit"......