Author Topic: Have You Checked Your Firewall Logs Lately ?.  (Read 11559 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #15 on: November 02, 2016, 11:59:45 AM »

All quiet for me too, that's a Billion 7800 configured to log 'informational', and Zen ISP.

The log shows just two 'kernel intrusion' messages, like Eric's, one on the 26th and one on the 27th of October.

I wonder if some ISPs might be taking network-side action to contain the Mirai threat? I know that Zen routinely block certain other ports, but not normally 23 or 25; I think that would break too many legitimate uses. ???

Dray

  • Kitizen
  • ****
  • Posts: 2361
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #16 on: November 02, 2016, 12:04:41 PM »

Zen only block the ports between 135-139 on UDP and TCP

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33881
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #17 on: November 02, 2016, 01:15:09 PM »

Sorry if I caused confusion.

No you didn't cause any :) I'd started to make a post then got distracted by a phone call and hadn't finished the post.
I was attempting to say I don't see anything in my logs and wondered if I'd set up logging incorrectly.

Quote
I wonder if some ISPs might be taking network-side action to contain the Mirai threat?

Valid suggestion, now you mention it. Plusnet do filter what they suspect to be ports used by worms and trojans, but as suggested they too would hardly be likely to block valid ports such as 23, 25 etc.

Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #18 on: November 02, 2016, 10:51:41 PM »

I am getting about 600 hits an hour, mainly on port 23, a few on 22 and some other random ones. :o
I have a set of 6 fixed IP's From  Eclipse  isp.BT ADSL2(G992.3) line>HG612 as a Modem, Bridge, WAN Not Bound to LAN1 or 2 + Also have FTTP (G.984) No One isp Fixed IP >Dual WAN pfSense (Hardware Firewall and routing).> Two WAN's, Ethernet LAN, DMZ LAN, Zyxel GS1100-24 Switch.

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #19 on: November 02, 2016, 11:20:02 PM »

Today I have had just one probe from Hong Kong and six probes from Colombia (seven in total), all "trying" for TCP port 23.

Here follows my security log, in total, for today. I've just replaced my current IPv4 address with W.X.Y.Z --

Code:
Nov  2 16:01:40 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=218.255.138.90 DST=W.X.Y.Z LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=45417 PROTO=TCP SPT=7020 DPT=23 WINDOW=47287 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov  2 16:50:47 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov  2 16:50:48 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov  2 16:50:56 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov  2 16:50:57 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov  2 16:50:57 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov  2 16:50:59 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
« Last Edit: November 03, 2016, 12:16:28 AM by burakkucat »
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.
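The security log quoted above is in the netfilter (iptables LOG target) key=value format, and the six Colombia lines share the same SRC, SPT and IP ID, i.e. they are repeated copies of one packet rather than six independent connections. The following Python is added here as an example, not code from the post or from the site; it parses such lines, counts inbound TCP SYNs per destination port and per hour (the kind of per-hour figure tickmike quotes), and collapses identical copies of one packet into a single attempt per source. The sample log reuses lines from the post plus one constructed port-22 line whose address 203.0.113.5 is made up.

```python
import re
from collections import Counter

# Constructed sample in the same netfilter LOG format as the post's log: the Hong Kong
# probe, three of the identical Colombia lines, and one made-up port-22 line (203.0.113.5).
SAMPLE_LOG = """\
Nov  2 16:01:40 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=218.255.138.90 DST=W.X.Y.Z LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=45417 PROTO=TCP SPT=7020 DPT=23 WINDOW=47287 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov  2 16:50:47 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov  2 16:50:48 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov  2 16:50:56 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov  2 17:12:03 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=203.0.113.5 DST=W.X.Y.Z LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1234 PROTO=TCP SPT=40000 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x10000000
"""

KV_RE = re.compile(r"(\w+)=(\S*)")          # key=value tokens (value may be empty, e.g. OUT=)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # logged as bare words, not key=value


def parse_line(line):
    """Split one netfilter LOG line into its key=value fields; bare TCP flag words go
    under 'flags' and the syslog timestamp prefix under 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    fields["ts"] = line[:15]  # e.g. "Nov  2 16:50:47"
    return fields


def summarise(log_text):
    """Count inbound TCP connection attempts (SYN without ACK) per destination port and
    per hour; count distinct attempts per source, treating repeated copies of one packet
    (same SRC, SPT and IP ID) as a single attempt."""
    per_port, per_hour, attempts = Counter(), Counter(), set()
    for line in log_text.splitlines():
        if "kernel:" not in line:
            continue
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or "SYN" not in f["flags"] or "ACK" in f["flags"]:
            continue
        per_port[int(f["DPT"])] += 1
        per_hour[f["ts"][:9]] += 1  # "Nov  2 16" -> one bucket per hour
        attempts.add((f["SRC"], f["SPT"], f["ID"]))
    per_source = Counter(src for src, _, _ in attempts)
    return {"per_port": per_port, "per_hour": per_hour, "per_source": per_source}


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

On the sample this reports five SYNs (four to port 23, one to 22) but only three distinct attempts, one per source, which is the count that matters when judging how many hosts are actually probing.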


sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #20 on: November 03, 2016, 12:12:31 AM »

Clearly, some folks seem to be targeted more than others. I wonder why.

If it's not random, and if it's not attributable to ISPs blocking the attacks, might the villains be targeting ISP address ranges that they consider most vulnerable? For example, ISPs that ship their routers with UPnP enabled by default, or with remote access enabled by default?

Just a thought. ???

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33881
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #21 on: November 03, 2016, 01:10:51 AM »

Quote
might the villains be targeting ISP address ranges that they consider most vulnerable? For example, ISPs that ship their routers with UPnP enabled by default, or with remote access enabled by default?

Strong possibility.

They would stand more chance of hitting a target via certain ISPs more than others. It's a fact of life that, generally speaking, those on the likes of TT, BT are less knowledgeable about technical issues than say someone on Zen, AAISP. I would imagine 'dynamic pools' would be a good target.

I know many years ago when I was on BTinternet I used to get bombarded with scans, then after I went with PN (static IP) I hardly saw any.

Saying that though, tickmike is on a static IP, so there goes that theory...

I wouldn't be too surprised if the increase is something to do with Mirai, which mostly uses port 23. The source is now freely available, so as well as the bots, I bet the script kiddies are having a field day playing.


kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33881
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #22 on: November 03, 2016, 01:12:29 AM »

Incidentally there's now a Mirai nematode. The legality of it is up for debate, but hey, it's been done before with Welchia and others.
 
Interesting discussion in the comments section about getting the ISPs to run it. Plusnet do and have monitored before and no-one complained about the way they did it (see here). As one guy in there says

Quote
go for it - Currently getting 40K queries per minute on one server and that's getting a bit tiresome.

http://forums.theregister.co.uk/forum/1/2016/10/31/this_antiworm_patch_bot_could_silence_epic_mirai_ddos_attack_army/

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33881
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #23 on: November 03, 2016, 01:13:40 AM »

@tickmike

Quote
I have a set of 8 fixed IP's From my Kcom isp.

Just curiosity, why do you need 8 statics? Are you running servers?

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #24 on: November 03, 2016, 10:39:11 AM »

Quote
@tickmike

Just curiosity, why do you need 8 statics? Are you running servers?

Yes  ;D

Latest count 14000 to 15000 hits a day. :-\ Is it a 'Smoothwall' log thing that it shows more hits than a modem/router firewall would? :hmm:

I put a post on the 'Smoothwall' firewall forum and the guy who first detected 'Mirai' answered and said that in the USA they are seeing 500-600 IP blocks per day for MIRAI; our current count is 3500+, and previous to that we were managing 6000+ blocked MIRAI IPs.
He also put:
Remember that it is possible for these things to get into wifi connected equipment and spread via wifi to other systems also on wifi... they only know that they are hunting over a network protocol... they don't care if it is wired or radio or even light driven..

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #25 on: November 03, 2016, 02:11:52 PM »

Incidentally there's now a Mirai nematode. The legality of it is up for debate...

Wonder if I'm the only one who'd never heard of the word 'nematode' before?   :-[

Interesting though. I'd have thought the legality concerns could be overcome by inserting appropriate weasel words into some of the arduous T&Cs that we all have to accept, but hardly ever read, and rarely understand. The T&Cs could be those of the ISPs, or maybe some Good Samaritan like Google (no giggling), who could then take the action?

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #26 on: November 03, 2016, 03:20:23 PM »

Gardeners use nematodes for killing slugs, but I guess that isn't what we're talking about here. :)
  Eric

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #27 on: November 03, 2016, 05:00:38 PM »

From a fairly inaccurate sample, I'm seeing ~30k of these per day aimed at a potential target window 64 IPv4 dest-addresses wide. Based on a 30 s traffic capture early in the morning. Things might well be hotter in the middle of the day though, so this could be an underestimate for all I know.

Nothing at all on IPv6, that is, aimed at my IPv6 /64 for this LAN. (I have a /48, but I didn't monitor the whole of that.)

If anyone is interested, I'll put the whole traffic capture up (from a .pcap).

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #28 on: November 03, 2016, 05:33:27 PM »

It might be interesting to do a traffic capture on my 3G iPad NIC, which has an Andrews & Arnold / Three SIM in it, because at that rate the junk traffic is going to be costing me a whole ~£0.75-£1.50 per month.

And it will be eating my battery, wasting CPU time and eating up RAM too, especially if there's no software firewall on the iPad. (Don't really want connect ack response packets going back out, nor useless TCP connection objects being created until all the RAM is eaten up. I have to pay for upstream too, so useless outbound packets are doubly bad.)

If there were a configurable firewall in Apple iOS then I could at least immediately drop inbound TCP dest_port=23 and so not even create any firewall session object, in order to cut the RAM consumption to zero.

vic0239

  • Reg Member
  • ***
  • Posts: 519
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #29 on: November 03, 2016, 06:07:24 PM »

Quote
Based on a 30 s traffic capture early in the morning.

Are you capturing this on the Firebrick? I'm struggling to fathom out how to enable it. :help:
Lothian Broadband 900/900 + AAISP VDSL, Vigor2865Vac, MikroTik rb260gsp, ZyXel NWA50AX WiFi AP.