Random IP trying to access internal network?

chaddeus

Should I be concerned that there are random IP addresses trying to access my internal network? Port 500 is used for the VPN server on my Synology. Port 16854 is used for my torrent app (the torrent app is not on).

I try to make an effort to block IP addresses that I see too often, but it's just too much. Plus, even when I change my external IP address, the same thing still comes in.

2020-07-25, 15:31:10 ALLOW UDP 185.142.239.16:500 -> 192.168.0.2:500 on eth1
2020-07-25, 16:14:23 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 16:14:25 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:45 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:47 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:49 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:51 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:59:59 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1
2020-07-25, 18:00:01 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1
 

gilcrest

At least it's not a Russian IP; does it slow down your internet or give you a scenario where you're unable to connect to the router admin page?
 

chaiscool

Maybe your IoT is part of a botnet network haha. What do you use to see and block the traffic? Sometimes the application itself can be causing it.
 

BradenHeat

Should I be concerned that there are random IP addresses trying to access my internal network? Port 500 is used for the VPN server on my Synology. Port 16854 is used for my torrent app (the torrent app is not on).

I try to make an effort to block IP addresses that I see too often, but it's just too much. Plus, even when I change my external IP address, the same thing still comes in.

2020-07-25, 15:31:10 ALLOW UDP 185.142.239.16:500 -> 192.168.0.2:500 on eth1
2020-07-25, 16:14:23 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 16:14:25 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:45 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:47 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:49 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:51 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:59:59 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1
2020-07-25, 18:00:01 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1


My UDM threw similar ones, but I've noticed that when I switched my DNS to others. Might it be that?
 

chaddeus

At least it's not a Russian IP; does it slow down your internet or give you a scenario where you're unable to connect to the router admin page?
No sign of a speed decrease, or at least not in a significant way :) . The router admin page seems fine.
 

chaddeus

Maybe your IoT is part of a botnet network haha. What do you use to see and block the traffic? Sometimes the application itself can be causing it.
I just use my router to block certain IP addresses. At this moment, I don't really care so much, especially when it's scanning for my torrent ports (16854 and 6881), but I care more about my VPN ports (4500, 1701 and 500). I try to block them if I see them trying to access more than 3 times.

- Charles
 

chaddeus

My UDM threw similar ones, but I've noticed that when I switched my DNS to others. Might it be that?
I run my own DNS. But the question is, should I be concerned? I think it's relatively common for people to try to scan my ports, but as long as they don't get into my network without authorization, that should be fine, right?
 

chaiscool

You would still be vulnerable to those brute force / amplification “pass after multiple deny” types of attacks. If you're really concerned, you can try a dedicated firewall to block blacklisted and foreign (Russia etc.) IPs.

The downside of hosting your own DNS is losing resiliency / redundancy / protection etc. Handling being attacked when you have your own DNS server is a common concern.
 

TanKianW

Are you using UPnP? If you do, disable it. You might be allowing devices inside your network to open ports at their own free will due to UPnP.

If you are concerned, which I think you should be if you have a NAS that can be accessed remotely or several IoTs, run a firewall like pfSense, OPNsense, etc. Every IP in and out will be logged. It will even link you to online resources and security databases to define the location and reputation level of the DNS/IP accessing to/from your network. And you get to decide whether to block/suppress it or kill states.

I recommend simply running pfBlockerNG on pfSense. Block all the unnecessary/notorious stuff through GeoIP and IP/DNS filters as the first line of defense. It saves you the initial trouble of filtering it one by one on your own.

An example of how much has been blocked by the firewall in just 2 days after the last reload.
[screenshot: 5RpOHDd.png]
 

xiaofan

Disabling UPnP also seems quite problematic for consumers.

Peer-to-peer applications, game servers, and many VoIP programs seem to rely on UPnP.

How do you sort this out if you need to use various VoIP programs, say for work, now that it is common to work from home?
 

TanKianW

Disabling UPnP also seems quite problematic for consumers.

Peer-to-peer applications, game servers, and many VoIP programs seem to rely on UPnP.

How do you sort this out if you need to use various VoIP programs, say for work, now that it is common to work from home?

Yes, I agree. UPnP is convenient for consumers out there. But there is no easy way out if you want security.

For my case, I still manually port forward the common ports at the firewall for programs. Load pfBlockerNG's IP/DNS filter, set up a whitelist, and download the blocklists from the different categories you wish to block. Then pre-load the IDS/IPS security list on Snort (by Cisco) based on the selected security level. Lastly, run the common programs and go through the firewall again. Unblock anything causing them not to work or detected as a false positive.

In recent years, the block lists in pfBlockerNG and Snort have been getting more and more refined; due to widespread community support, the % of false positives is also pretty low.

Snort list:
[screenshot: hwjCvBR.png]

pfBlockerNG feed lists:
[screenshot: QcPY2Z7.png]
 

chaddeus

Are you using UPnP? If you do, disable it. You might be allowing devices inside your network to open ports at their own free will due to UPnP.

If you are concerned, which I think you should be if you have a NAS that can be accessed remotely or several IoTs, run a firewall like pfSense, OPNsense, etc. Every IP in and out will be logged. It will even link you to online resources and security databases to define the location and reputation level of the DNS/IP accessing to/from your network. And you get to decide whether to block/suppress it or kill states.

I recommend simply running pfBlockerNG on pfSense. Block all the unnecessary/notorious stuff through GeoIP and IP/DNS filters as the first line of defense. It saves you the initial trouble of filtering it one by one on your own.

An example of how much has been blocked by the firewall in just 2 days after the last reload.
[screenshot: 5RpOHDd.png]
I have UPnP disabled, so that limits the ports accessible from outside.
 

chaddeus

Just to give you guys an example.

2020-07-28, 14:40:24 ALLOW UDP 146.88.240.4:58856 -> 192.168.0.2:500 on eth1
2020-07-28, 14:40:24 BLOCK UDP 146.88.240.4:58856 -> 192.168.10.15:500 on eth1

This IP address 146.88.240.4 is scanning my ports on a daily basis, non-stop, even though I block the access. Even when I change my external IP address, it will still come and hunt me. So I am not sure if there is anything within my network that is causing this. My outgoing table log shows nothing for this particular IP address.

A quick WHOIS search on this IP address reveals the following information:

NetHandle: NET-146-88-240-0-1
OrgID: ARBORN
Parent: NET-146-0-0-0-0
NetName: ARBORN
NetRange: 146.88.240.0 - 146.88.255.255
NetType: assignment
Comment: NETSCOUT | Arbor Networks Research Scanner
Comment: https://www.arbor-observatory.com/
RegDate: 2016-10-27
Updated: 2019-06-24
AbuseHandle: ASERT-ARIN
Source: ARIN

Going to https://www.arbor-observatory.com/, the main page says:

Why am I receiving connection attempts from this machine?
The Threat Intelligence division at NETSCOUT|Arbor (prev. Arbor Networks) has an Internet safety initiative which identifies services that can potentially be abused by attackers. Internet scanning is often viewed as a malicious activity but can also be used by crawlers and other large-scale scanners to drive traffic, obtain useful statistics, and in our case gather knowledge that will go towards making the Internet a safer place.

Arbor has worked for almost 20 years to help secure the Internet. Scanning is one of the methods we utilize to gain a better understanding of the internet. The collected data is used for research that allows us to identify infected hosts, potentially abusable hosts, and other malicious actors. We ask that you would allow us to continue scanning your address space as our ability to gain insights is directly proportional to our visibility.
Some of our research can be found here:
https://asert.arbornetworks.com/
https://www.netscout.com/global-threat-intelligence

Not sure if it's legit... So what do you guys think?
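The "block it if I see it more than 3 times on a VPN port" rule from earlier in the thread, and the WHOIS range above, can be checked mechanically against the router's log. The following is an added example written for this thread, not code from any poster: it parses the pasted log format, counts hits per source on the VPN ports (500, 4500, 1701), and labels sources inside the quoted NETSCOUT/Arbor range (146.88.240.0 - 146.88.255.255) separately so that blocking a documented research scanner is a deliberate decision. The 203.0.113.7 lines in the sample are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the router log format pasted in the thread.
LINE_RE = re.compile(
    r"^(?P<date>\S+), (?P<time>\S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\S+)$"
)
VPN_PORTS = {500, 4500, 1701}  # IKE, NAT-T and L2TP: the ports the poster cares about
# NetRange 146.88.240.0 - 146.88.255.255 from the WHOIS record quoted in the thread.
KNOWN_RESEARCH_SCANNERS = [ip_network("146.88.240.0/20")]

# Constructed sample: the first four lines are from the thread, 203.0.113.7 is made up.
SAMPLE_LOG = """\
2020-07-25, 15:31:10 ALLOW UDP 185.142.239.16:500 -> 192.168.0.2:500 on eth1
2020-07-25, 16:14:23 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-28, 14:40:24 ALLOW UDP 146.88.240.4:58856 -> 192.168.0.2:500 on eth1
2020-07-28, 14:40:24 BLOCK UDP 146.88.240.4:58856 -> 192.168.10.15:500 on eth1
2020-07-28, 15:01:00 ALLOW UDP 203.0.113.7:4500 -> 192.168.0.2:4500 on eth1
2020-07-28, 15:01:05 ALLOW UDP 203.0.113.7:4500 -> 192.168.0.2:4500 on eth1
2020-07-28, 15:01:09 ALLOW UDP 203.0.113.7:4500 -> 192.168.0.2:500 on eth1
2020-07-28, 15:01:14 ALLOW UDP 203.0.113.7:4500 -> 192.168.0.2:1701 on eth1
""".splitlines()

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return {**m.groupdict(), "dport": int(m["dport"])} if m else None

def vpn_probes_by_source(lines):
    """Count hits (ALLOW or BLOCK alike) per source IP that target a VPN port."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] in VPN_PORTS:
            counts[rec["src"]] += 1
    return counts

def classify(counts, threshold=3):
    """Poster's rule: block a source seen more than `threshold` times on VPN
    ports; addresses inside a documented research-scanner range get their own label."""
    verdicts = {}
    for src, n in counts.items():
        if any(ip_address(src) in net for net in KNOWN_RESEARCH_SCANNERS):
            verdicts[src] = "known-research-scanner"
        else:
            verdicts[src] = "block" if n > threshold else "watch"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(vpn_probes_by_source(SAMPLE_LOG)).items():
        print(f"{src:16} {verdict}")
```

Torrent-port hits are ignored by design, matching the poster's stated priority; the BLOCK line still counts because a blocked probe is still evidence of the same source scanning.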
 

Apparatus


Just to give you guys an example.

2020-07-28, 14:40:24 ALLOW UDP 146.88.240.4:58856 -> 192.168.0.2:500 on eth1
2020-07-28, 14:40:24 BLOCK UDP 146.88.240.4:58856 -> 192.168.10.15:500 on eth1

This IP address 146.88.240.4 is scanning my ports on a daily basis, non-stop, even though I block the access. Even when I change my external IP address, it will still come and hunt me. So I am not sure if there is anything within my network that is causing this. My outgoing table log shows nothing for this particular IP address.

A quick WHOIS search on this IP address reveals the following information:

NetHandle: NET-146-88-240-0-1
OrgID: ARBORN
Parent: NET-146-0-0-0-0
NetName: ARBORN
NetRange: 146.88.240.0 - 146.88.255.255
NetType: assignment
Comment: NETSCOUT | Arbor Networks Research Scanner
Comment: https://www.arbor-observatory.com/
RegDate: 2016-10-27
Updated: 2019-06-24
AbuseHandle: ASERT-ARIN
Source: ARIN

Going to https://www.arbor-observatory.com/, the main page says:

Not sure if it's legit... So what do you guys think?

Ha.....ha.....ha......maybe the CIA, Russian, CCP or even our MIW IBs after you leh

:D
 

Ghostrider333

The simple thing is to just whitelist a known IP range for the incoming traffic to your VPN ports (4500, 1701 and 500), and all others will be dropped. There will always be "noise" from scanners on the web whenever you open up ports on the WAN-facing side. You simply cannot block them all! LOL
 

Roy313

I think it'd be best if you contact your ISP, whether this can result in harm or not. While they don't do it often, your ISP can change your IP address if there's a serious case for it.
 

chaddeus

I think it'd be best if you contact your ISP, whether this can result in harm or not. While they don't do it often, your ISP can change your IP address if there's a serious case for it.
My ISP assigns a dynamic IP, so it will change from time to time, but certain IPs seem to keep following me regardless of my IP address.
 