firewall floods with...

Good day everyone. Recently I noticed an increase in my firewall logs - mostly with connections that are being dropped or filtered out through the firewall. The majority of the failed connections seem to be coming from RIPE and APNIC (did a search on ARIN whois). As for the port numbers, they vary some, but there seems to be a pattern.

Are the port numbers related to normal applications accessing the internet (AIM, browser, etc.), or should I be concerned at all? Basically I want to know why these connections are being made, although they are being blocked.

Thank you everyone for all and any information you can provide to me about this matter. Have a great day.

**Firewall log of about 30 recent failed connections** // destination IP removed

Source IP: 71.162.68.166 Destination IP: *** my ip address *** Protocol: TCP Source Port: 1776 Destination Port: 445 TCP Flags: 02 ( syn )

Source IP: 84.29.220.115 Destination IP: *** my ip address *** Protocol: TCP Source Port: 4260 Destination Port: 4899 TCP Flags: 02 ( syn )

Source IP: 220.131.34.147 Destination IP: *** my ip address *** Protocol: UDP Source Port: 26454 Destination Port: 50106

Source IP: 213.40.135.119 Destination IP: *** my ip address *** Protocol: UDP Source Port: 15767 Destination Port: 50004

Source IP: 219.68.146.143 Destination IP: *** my ip address *** Protocol: UDP Source Port: 30741 Destination Port: 1026

Source IP: 70.128.101.146 Destination IP: *** my ip address *** Protocol: TCP Source Port: 2335 Destination Port: 50962 TCP Flags: 02 ( syn )

Source IP: 204.16.208.102 Destination IP: *** my ip address *** Protocol: UDP Source Port: 38482 Destination Port: 1027

Source IP: 204.16.208.102 Destination IP: *** my ip address *** Protocol: UDP Source Port: 38482 Destination Port: 1026

Source IP: 211.162.149.167 Destination IP: *** my ip address *** Protocol: UDP Source Port: 53405 Destination Port: 50106

Source IP: 84.63.118.202 Destination IP: *** my ip address *** Protocol: UDP Source Port: 12648 Destination Port: 50004

Source IP: 221.198.79.1 Destination IP: *** my ip address *** Protocol: UDP Source Port: 17898 Destination Port: 50004

Source IP: 204.16.208.114 Destination IP: *** my ip address *** Protocol: UDP Source Port: 38567 Destination Port: 1027

Source IP: 204.16.208.114 Destination IP: *** my ip address *** Protocol: UDP Source Port: 38567 Destination Port: 1026

Source IP: 70.128.101.146 Destination IP: *** my ip address *** Protocol: TCP Source Port: 1844 Destination Port: 50962 TCP Flags: 02 ( syn )

Source IP: 218.18.211.34 Destination IP: *** my ip address *** Protocol: UDP Source Port: 17432 Destination Port: 50004

Source IP: 194.152.21.82 Destination IP: *** my ip address *** Protocol: UDP Source Port: 44967 Destination Port: 50004

Source IP: 71.246.77.111 Destination IP: *** my ip address *** Protocol: TCP Source Port: 3158 Destination Port: 445 TCP Flags: 02 ( syn )

Source IP: 61.183.15.41 Destination IP: *** my ip address *** Protocol: TCP Source Port: 59257 Destination Port: 3128 TCP Flags: 02 ( syn )

Source IP: 70.128.101.146 Destination IP: *** my ip address *** Protocol: TCP Source Port: 1343 Destination Port: 50962 TCP Flags: 02 ( syn )

Source IP: 71.246.77.111 Destination IP: *** my ip address *** Protocol: TCP Source Port: 1694 Destination Port: 445 TCP Flags: 02 ( syn )

Source IP: 222.14.118.46 Destination IP: *** my ip address *** Protocol: UDP Source Port: 32829 Destination Port: 50004

Source IP: 221.6.67.146 Destination IP: *** my ip address *** Protocol: UDP Source Port: 9037 Destination Port: 50004

Source IP: 221.223.242.199 Destination IP: *** my ip address *** Protocol: UDP Source Port: 17434 Destination Port: 50409

Source IP: 70.128.101.146 Destination IP: *** my ip address *** Protocol: UDP Source Port: 44159 Destination Port: 50962

Source IP: 71.246.77.111 Destination IP: *** my ip address *** Protocol: TCP Source Port: 3139 Destination Port: 445 TCP Flags: 02 ( syn )

Source IP: 71.246.77.111 Destination IP: *** my ip address *** Protocol: TCP Source Port: 3139 Destination Port: 445 TCP Flags: 02 ( syn )

Source IP: 129.170.143.102 Destination IP: *** my ip address *** Protocol: UDP Source Port: 17626 Destination Port: 50004

Source IP: 66.160.159.30 Destination IP: *** my ip address *** Protocol: UDP Source Port: 40030 Destination Port: 1027

Source IP: 66.160.159.30 Destination IP: *** my ip address *** Protocol: UDP Source Port: 40030 Destination Port: 1026

Source IP: 218.18.211.34 Destination IP: *** my ip address *** Protocol: UDP Source Port: 17432 Destination Port: 50004

Source IP: 222.136.87.191 Destination IP: *** my ip address *** Protocol: UDP Source Port: 19902 Destination Port: 50004

Source IP: 80.56.28.241 Destination IP: *** my ip address *** Protocol: UDP Source Port: 14379 Destination Port: 50004

A search of the source IP addresses resulted in the following results -

71.162.68.166 - Verizon Internet Services Inc. (VIS)
84.29.220.115 - RIPE Network Coordination Centre (RIPE)
220.131.34.147 - Asia Pacific Network Information Centre (APNIC)
213.40.135.119 - RIPE
219.68.146.143 - APNIC
70.128.101.146 - SBC Internet Services (SBC)
204.16.208.102 - Fast Colocation Services (FCS)
211.162.149.167 - APNIC
84.63.118.202 - RIPE
221.198.79.1 - APNIC
204.16.208.114 - FCS
70.128.101.146 - SBC
218.18.211.34 - APNIC
194.152.21.82 - RIPE
71.246.77.111 - VIS
61.183.15.41 - APNIC
70.128.101.146 - SBC
71.246.77.111 - VIS
222.14.118.46 - APNIC
221.6.67.146 - APNIC
221.223.242.199 - APNIC
Reply to
goooglethis

Yeah, basically an 'ignore' pattern.

445 is SMB/MS-DS, typically the Sasser worm and co. 1026/1027 is typical for certain RPC services on Windows 2000+XP, like the task manager service which has been remotely vulnerable for some time. So this is worm traffic searching for exploitable systems. 3128 is ALG service on Windows, 50000+ the typical mapped NAT port range. Are you using ICS or is this just some totally stupid scan attempt?

Why are they blocked? At least the 4899 is either totally clueless or even some load balancer response on your request; it should be rejected with a TCP-RST.

Reply to
Sebastian Gottschalk
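As an added example (not code from any poster in this thread), a small Python triage script for the log format posted above: it parses the records, labels destination ports using the categories given in the reply (445 as SMB/microsoft-ds probes, 1026/1027 as Windows RPC probes), and flags sources that show up repeatedly, which is the practical difference between background scan noise and a host worth a closer look. The sample lines are constructed in the same format; the `>= 50000` "NAT-mapped noise" rule and the label names are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the one-record-per-line format of the log posted
# above (destination IP redacted as in the thread).
SAMPLE_LOG = """\
Source IP: 71.162.68.166 Destination IP: *** Protocol: TCP Source Port: 1776 Destination Port: 445 TCP Flags: 02 ( syn )
Source IP: 204.16.208.102 Destination IP: *** Protocol: UDP Source Port: 38482 Destination Port: 1027
Source IP: 204.16.208.102 Destination IP: *** Protocol: UDP Source Port: 38482 Destination Port: 1026
Source IP: 71.246.77.111 Destination IP: *** Protocol: TCP Source Port: 3158 Destination Port: 445 TCP Flags: 02 ( syn )
Source IP: 71.246.77.111 Destination IP: *** Protocol: TCP Source Port: 1694 Destination Port: 445 TCP Flags: 02 ( syn )
Source IP: 222.14.118.46 Destination IP: *** Protocol: UDP Source Port: 32829 Destination Port: 50004
"""
LINE_RE = re.compile(
    r"Source IP: (?P<src>[\d.]+) .*?Protocol: (?P<proto>TCP|UDP) "
    r"Source Port: (?P<sport>\d+) Destination Port: (?P<dport>\d+)"
)
# Labels follow the reply above (445 = SMB/microsoft-ds, 1026/1027 = Windows
# RPC probes); treating >= 50000 as NAT-mapped noise is this example's assumption.
KNOWN = {445: "smb-probe", 1026: "rpc-probe", 1027: "rpc-probe"}

def parse(log):
    """Return (src, proto, sport, dport) tuples; lines that do not match are skipped."""
    recs = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            recs.append((m["src"], m["proto"], int(m["sport"]), int(m["dport"])))
    return recs

def classify(dport):
    if dport in KNOWN:
        return KNOWN[dport]
    return "ephemeral-noise" if dport >= 50000 else "other"

def triage(log, repeat_threshold=2):
    """Count dropped records per category and flag sources seen repeatedly."""
    recs = parse(log)
    by_class = Counter(classify(dport) for _, _, _, dport in recs)
    per_src = Counter(src for src, _, _, _ in recs)
    ports = defaultdict(set)
    for src, _, _, dport in recs:
        ports[src].add(dport)          # distinct destination ports per source
    repeats = sorted(s for s, n in per_src.items() if n >= repeat_threshold)
    return {
        "by_class": dict(by_class),
        "repeat_sources": repeats,     # same host returning: worth a closer look
        "ports_per_source": {s: sorted(p) for s, p in ports.items()},
    }
```

Run `triage(SAMPLE_LOG)` (or feed it the full log) to get per-category counts plus the list of repeat sources and the ports each one touched.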

That about sums it all. The FW is blocking the unsolicited inbound traffic coming to it. It's everyday normal traffic that's being blocked. The FW is doing its job, at least that part of it if this is a personal FW/host based packet filter.

You should forget about it as it's much ado about nothing.

Duane :)

Reply to
Duane Arnold
445 -- microsoft-ds service. The others I do not know. Maybe games of some sort.

Your source estimation is terrible. All you have discovered is who registered it, not the owner of the IP.

E.g. whois 221.223.242.199

% [whois.apnic.net node-2]
% Whois data copyright terms

inetnum: 221.216.0.0 - 221.223.255.255
netname: CNCGROUP-BJ
descr: CNCGROUP Beijing province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
admin-c: CH455-AP
tech-c: SY21-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-BJ
mnt-routes: MAINT-CNCGROUP-RR
changed: snipped-for-privacy@apnic.net 20031119
status: ALLOCATED PORTABLE
changed: snipped-for-privacy@apnic.net 20060124
source: APNIC

role: CNCGroup Hostmaster
e-mail: snipped-for-privacy@cnc-noc.net
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
nic-hdl: CH455-AP
phone: +86-10-82993155
fax-no: +86-10-82993102
country: CN
admin-c: CH444-AP
tech-c: CH444-AP
changed: snipped-for-privacy@cnc-noc.net 20041119
mnt-by: MAINT-CNCGROUP
source: APNIC

> good day everyone. recently i noticed an increase in my firewall logs -

Reply to
Unruh

I recently installed a new firewall on my laptop. In the course of checking for potential leaks when traveling, I bypassed my router and connected it directly to the DSL modem. The firewall was logging a connection attempt on the average of about every 5 seconds, for the several minutes I watched. That's apparently normal these days.

Reply to
zzy
