Omega Owners Forum

Author Topic: Modem Logs  (Read 1834 times)

Mr Skrunts

Modem Logs
« on: 31 August 2016, 16:48:06 »

Been looking through my modem log and found quite a lot of DoS attacks.
Obviously they all have date and time etc, I changed the IP numbers below.

They also had numbers after the IP, which I think are the port numbers attacked.

[DoS attack: ACK Scan] from source: 212.56.37.62:443 Wednesday, August 31,2016 15:18:37 
(Actual log (couple of numbers in IP  changed))

[DoS attack: ACK Scan] from source: 123.123.123.123 (random IP)
[DoS attack: RST Scan] from source: 123.123.123.123

Ports?
80
443
5049
5222
5223
8080
8890

Not knowing much about the above and checking that the DoS (denial of service rather than disk operating system), I then see there were 2 types of scan, ACK and RST, and then port numbers.

So all these sites have tried to gain access to my info?

Should I be worried about the type of scan?
Are any of the ports more vulnerable than others?

Is there a program that logs in more detail what's happening via my modem?

TIA  :y
Ask yourself :  " WHY do I believe in what I believe?"

Remember that my opinions expressed here are not representative of the opinions of other members on the OOF Forum.
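
Added example (not part of the original thread): a small Python parser for router log lines in the format quoted in the post above, counting entries per scan type, port and source address. The sample lines and addresses are constructed, and reading the number after the colon as the port on the source address is an assumption based on the "from source" field label.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the format quoted in the post (documentation-range IPs).
SAMPLE_LOG = """\
[DoS attack: ACK Scan] from source: 192.0.2.10:443 Wednesday, August 31,2016 15:18:37
[DoS attack: ACK Scan] from source: 192.0.2.10:443 Wednesday, August 31,2016 15:18:39
[DoS attack: RST Scan] from source: 198.51.100.7:5222 Wednesday, August 31,2016 15:20:02
[DoS attack: RST Scan] from source: 203.0.113.5
some unrelated router message
"""

# Port and timestamp are optional because the post shows lines with and without them.
LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d{1,5}))?"
    r"(?:\s+(?P<when>\w+, \w+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2}))?\s*$",
    re.IGNORECASE,
)

def parse_line(line):
    """Return a dict for one DoS log entry, or None if the line is something else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = m.group("when")
    return {
        "kind": m.group("kind"),
        "ip": m.group("ip"),
        # Assumption: the number after the colon is the port on the *source* address.
        "port": int(m.group("port")) if m.group("port") else None,
        "when": datetime.strptime(when, "%A, %B %d,%Y %H:%M:%S") if when else None,
    }

def summarise(text):
    """Count entries per (scan type, port) and per source address."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return {
        "events": len(entries),
        "skipped": sum(1 for l in text.splitlines() if l.strip()) - len(entries),
        "by_kind_port": Counter((e["kind"], e["port"]) for e in entries),
        "by_source": Counter(e["ip"] for e in entries),
    }

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for (kind, port), n in report["by_kind_port"].most_common():
        print(f"{n:3d}  {kind:<10} port {port}")
    print("sources:", dict(report["by_source"]), "skipped lines:", report["skipped"])
```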

Kevin Wood

Re: Modem Logs
« Reply #1 on: 31 August 2016, 17:00:27 »

Those are all ports that are likely to be open to reveal services to the internet. They are just scanning for a response on them to see if it's worth going further. For example, a web server sits on port 80. If they got a response indicating a real server is sitting on that port, they might then try to see if they can exploit a weakness to get into it.

Since you'll no doubt be blocking these ports unless you run any servers behind the connection, you probably don't need to be too concerned.
Tech2 services currently available. See TheBoy's price list: http://theboy.omegaowners.com/

Mr Skrunts

Re: Modem Logs
« Reply #2 on: 31 August 2016, 17:20:25 »

Cheers Kevin, not concerned too much as it looks like the modem's doing what it should.  :y

Gaffers

Re: Modem Logs
« Reply #3 on: 31 August 2016, 19:59:39 »

Nothing to worry about.  Just about every IP is scanned on a regular basis to find flaws that can be exploited.  There is even a crawler (like what Google uses to build its database) that is being used to populate the world's IoT (Internet of Things such as IP cameras, baby monitors etc) which goes around the internet a lot.

There are things you can do but as Kevin said as long as the usual suspects like port 80, 8080, 443 and 23 are not forwarded to internal IPs on your network then it's fine just to leave your modem in standard mode.  Once you start port forwarding you need to start thinking of other controls such as a DMZ with a software based firewall (easy to do with a couple of Raspberry Pis).  It's on my to do list.  Another measure would be to implement the Security Onion or collect logs and upload them to a free SIEM like Logtrust; either option would give you visibility of what's happening on your network, but the Onion is the more expensive option due to the hardware requirements, but it would give you more info.  Again, it's on the to do list :)

Diamond Black Geezer

Re: Modem Logs
« Reply #4 on: 01 September 2016, 09:20:12 »

Apparently my comp genius mate reckons if you want to get an even better picture of what's going on 'Wireshark' is a better program to use. However as above, seems there's nothing much to worry about, in his view.  :y
Ex-Dealer Kent-Moore Rear Wheel Bearing Tool available for hire, PM for details.

"There's no point in being grown up if you can't be childish sometimes." 4th Doctor

Kevin Wood

Re: Modem Logs
« Reply #5 on: 01 September 2016, 09:22:17 »

Quote from: Diamond Black Geezer on 01 September 2016, 09:20:12
Apparently my comp genius mate reckons if you want to get an even better picture of what's going on 'Wireshark' is a better program to use. However as above, seems there's nothing much to worry about, in his view.  :y

Wireshark is a great tool for showing what's going on on your network, but you'll be blocking these attacks at the broadband router, so won't be able to see anything behind it.

Gaffers

Re: Modem Logs
« Reply #6 on: 01 September 2016, 09:58:12 »

Wireshark is for capturing packets inside your network, not for monitoring what's scanning your modem and not getting in.  Wireshark is one of the several tools in the Security Onion which also has Snort which is a preventative tool rather than just a detective one.

aaronjb

Re: Modem Logs
« Reply #7 on: 01 September 2016, 11:19:05 »

For sh.. poops and giggles, you can do the following:

Install Linux on a machine.
Stick it on the internet.
See how long it takes to be compromised.

If you're particularly smart (there are lots of these people in IT, sadly), stick it on the internet with an easy to guess root password like 'root', 'default', 'admin' etc.  If you do that it'll take days if not hours before it's part of a ChinRusEan bot net.

(If you really did do that then maybe a remote host is better than something sitting on your own network ;) like an AWS instance or a Droplet)