HWZ Forums

Random IP trying to access internal network?

#1  25-07-2020, 07:10 PM

Should I be concerned that there are random IP addresses trying to access my internal network? Port 500 is used for my VPN server on my Synology. Port 16854 is used for my torrent app (the torrent app is not on).

I try to make an effort to block IP addresses that I see too often, but it's just too much. Plus, even when I change my external IP address, the same thing still comes in.

2020-07-25, 15:31:10 ALLOW UDP 185.142.239.16:500 -> 192.168.0.2:500 on eth1
2020-07-25, 16:14:23 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 16:14:25 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:45 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:47 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:49 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:51 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:59:59 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1
2020-07-25, 18:00:01 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1
-- chaddeus
#2  25-07-2020, 09:47 PM
At least it's not a Russian IP; does it slow down your internet or give a scenario where you're unable to connect to the router admin page?
-- gilcrest
#3  25-07-2020, 10:12 PM
Maybe your IoT is part of a botnet network haha. What do you use to see and block the traffic? Sometimes the application itself can be causing it.

Last edited by chaiscool; 25-07-2020 at 10:17 PM..
-- chaiscool
#4  25-07-2020, 11:01 PM
Should I be concerned that there are random IP addresses trying to access my internal network? Port 500 is used for my VPN server on my Synology. Port 16854 is used for my torrent app (the torrent app is not on). [...]

My UDM threw similar ones, but I've noticed that when I switched my DNS to others. Might it be that?
-- BradenHeat
#5  26-07-2020, 12:19 AM
At least it's not a Russian IP; does it slow down your internet or give a scenario where you're unable to connect to the router admin page?
No sign of speed decrease, or at least not in a significant way. Router admin page seems fine.
-- chaddeus
#6  26-07-2020, 12:23 AM
Maybe your IoT is part of a botnet network haha. What do you use to see and block the traffic? Sometimes the application itself can be causing it.
I just use my router to block certain IP addresses. At this moment, I don't really care so much, especially when it's scanning for my torrent ports (16854 and 6881), but I care more about my VPN ports (4500, 1701 and 500). I try to block them if I see them trying to access more than 3 times.

- Charles
-- chaddeus
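The firewall lines quoted in posts #1 and #14 and the "block after more than 3 tries" rule from the post above, turned into a small triage script. This is an added example, not the poster's code or anything shipped with the router or Synology: the sample log is a constructed copy of the lines in the thread, the port-to-role mapping is an assumption taken from the poster's description of his ports, and treating two identical lines two seconds apart with the same source port as one retransmitted attempt is the example's own assumption.

```python
import re
from collections import defaultdict

# Format of the router log lines shown in the thread:
# "YYYY-MM-DD, HH:MM:SS ACTION PROTO src:sport -> dst:dport on iface"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}), (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\S+)$"
)

# Port roles as the poster described them (assumption: fixed mapping).
VPN_PORTS = {500, 4500, 1701}      # IKE, IPsec NAT-T, L2TP
TORRENT_PORTS = {16854, 6881}

# Constructed sample input: the lines quoted in posts #1 and #14.
SAMPLE_LOG = """\
2020-07-25, 15:31:10 ALLOW UDP 185.142.239.16:500 -> 192.168.0.2:500 on eth1
2020-07-25, 16:14:23 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 16:14:25 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:45 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:47 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:49 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:51 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:59:59 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1
2020-07-25, 18:00:01 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1
2020-07-28, 14:40:24 ALLOW UDP 146.88.240.4:58856 -> 192.168.0.2:500 on eth1
2020-07-28, 14:40:24 BLOCK UDP 146.88.240.4:58856 -> 192.168.10.15:500 on eth1
"""


def parse_log(text):
    """Return one dict per line that matches LOG_RE; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events


def port_role(port):
    if port in VPN_PORTS:
        return "vpn"
    if port in TORRENT_PORTS:
        return "torrent"
    return "other"


def count_attempts(events):
    """Per source IP: raw line count, ALLOW count, and distinct attempts per port role.

    A distinct attempt is keyed on (sport, dst, dport). The thread's paired lines
    two seconds apart reuse the same source port, which is what a TCP SYN
    retransmit looks like, so each pair is counted once (assumption)."""
    stats = defaultdict(lambda: {"raw": 0, "allowed": 0, "distinct": defaultdict(set)})
    for e in events:
        s = stats[e["src"]]
        s["raw"] += 1
        if e["action"] == "ALLOW":
            s["allowed"] += 1
        s["distinct"][port_role(e["dport"])].add((e["sport"], e["dst"], e["dport"]))
    return {
        src: {"raw": s["raw"], "allowed": s["allowed"],
              "distinct": {role: len(keys) for role, keys in s["distinct"].items()}}
        for src, s in stats.items()
    }


def over_threshold(summary, threshold=3, role="vpn"):
    """Sources with more than `threshold` distinct attempts against `role` ports:
    the poster's own rule, applied to the VPN ports he actually cares about."""
    return sorted(src for src, s in summary.items()
                  if s["distinct"].get(role, 0) > threshold)


if __name__ == "__main__":
    summary = count_attempts(parse_log(SAMPLE_LOG))
    for src, s in summary.items():
        print(f"{src:16} raw={s['raw']} allowed={s['allowed']} distinct={s['distinct']}")
    print("VPN-port sources over threshold:", over_threshold(summary))
```

On the thread's own lines no source crosses the "more than 3" line on the VPN ports: 45.236.31.62 shows six raw lines but only three distinct connection attempts, all against the torrent port. Note also that an ALLOW line only says the router forwarded the packet because the port is open; whether an IKE exchange actually progressed is something only the VPN server's own log can tell you.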
#7  26-07-2020, 12:26 AM
My UDM threw similar ones, but I've noticed that when I switched my DNS to others. Might it be that?
I run my own DNS. But the question is, should I be concerned? I think it's relatively common for people to scan my ports, but as long as they don't get into my network without authorization, that should be fine, right?
-- chaddeus
#8  26-07-2020, 06:14 PM
You'd still be vulnerable to those brute force / amplification "pass after multiple deny" types of attacks. If really concerned, you can try a dedicated firewall to block blacklisted and foreign (Russia etc.) IPs.

The downside of hosting your own DNS is losing resiliency / redundancy / protection etc. Handling being attacked when you have your own DNS server is a common concern.

Last edited by chaiscool; 26-07-2020 at 06:23 PM..
-- chaiscool
#9  26-07-2020, 06:24 PM
Bad stuff:
https://bgp.he.net/ip/45.236.31.62#_rbl
https://bgp.he.net/ip/186.108.82.18#_rbl

Try changing VPN port and tor port.
-- zoneguard
#10  26-07-2020, 07:05 PM
Are you using UPnP? If you do, disable it. You might be allowing devices inside your network to open ports at will due to UPnP.

If you are concerned, which I think you should be if you have a NAS that can be accessed remotely or several IoTs, run a firewall like pfSense, OPNsense, etc. Every IP in and out will be logged. It will even link you to the online resources and security databases to define the location and reputation level of the DNS/IP accessing to/from your network. And you get to decide whether to block/suppress it or kill states.

I recommend just simply running pfBlockerNG on pfSense. Block all the unnecessary/notorious stuff through GeoIP and IP/DNS filters as the first line of defense. Saves you the initial trouble of filtering it one by one on your own.

An example of how much has been blocked by the firewall in just 2 days after the last reload:

Last edited by TanKianW; 26-07-2020 at 07:27 PM..
-- TanKianW
#11  26-07-2020, 07:54 PM
To disable UPnP seems also quite problematic for consumers.

Peer-to-peer applications, game servers, and many VoIP programs seem to rely on UPnP.

How do you sort this out if you need to use various VoIP programs, say for work, now that it is common to work from home?
-- xiaofan
#12  26-07-2020, 08:53 PM
To disable UPnP seems also quite problematic for consumers. [...]
How do you sort this out if you need to use various VoIP programs, say for work, now that it is common to work from home?
Yes, I agree. UPnP is convenient for consumers out there. But there is no easy way out if you want security.

For my case, I still manually port forward the common ports at the firewall for programs. Load pfBlockerNG's IP/DNS filter, do up a whitelist, download the blocklists from the different categories you wish to block. Then pre-load the IDS/IPS security list on Snort (by Cisco) based on the selected security level. Lastly, run the common programs and go through the firewall again. Unblock any that cause it not to work or are detected as false positives.

In recent years, the block lists in pfBlockerNG and Snort have been getting more and more refined; due to the widespread community support, the % of false positives is also pretty low.

Snort list:

pfBlockerNG feed lists:

Last edited by TanKianW; 26-07-2020 at 09:02 PM..
-- TanKianW
#13  29-07-2020, 05:29 PM
Are you using UPnP? If you do, disable it. You might be allowing devices inside your network to open ports at will due to UPnP. [...]

I have UPnP disabled, so that limits the ports accessible from external.
-- chaddeus
#14  29-07-2020, 05:38 PM
Just to give you guys an example.

2020-07-28, 14:40:24 ALLOW UDP 146.88.240.4:58856 -> 192.168.0.2:500 on eth1
2020-07-28, 14:40:24 BLOCK UDP 146.88.240.4:58856 -> 192.168.10.15:500 on eth1

This IP address 146.88.240.4 is scanning my ports on a daily basis and non-stop although I block the access. Even when I change my external IP address, it will still come and hunt me. So I am not sure if there is anything within my network that is causing this. My outgoing table log shows nothing on this particular IP address.

A quick WHOIS search on this IP address reveals the following information:

NetHandle: NET-146-88-240-0-1
OrgID: ARBORN
Parent: NET-146-0-0-0-0
NetName: ARBORN
NetRange: 146.88.240.0 - 146.88.255.255
NetType: assignment
Comment: NETSCOUT | Arbor Networks Research Scanner
Comment: https://www.arbor-observatory.com/
RegDate: 2016-10-27
Updated: 2019-06-24
AbuseHandle: ASERT-ARIN
Source: ARIN

Going to https://www.arbor-observatory.com/, the main page says:

Why am I receiving connection attempts from this machine?
The Threat Intelligence division at NETSCOUT|Arbor (prev. Arbor Networks) has an Internet safety initiative which identifies services that can potentially be abused by attackers. Internet scanning is often viewed as a malicious activity but can also be used by crawlers and other large-scale scanners to drive traffic, obtain useful statistics, and in our case gather knowledge that will go towards making the Internet a safer place.

Arbor has worked for almost 20 years to help secure the Internet. Scanning is one of the methods we utilize to gain a better understanding of the internet. The collected data is used for research that allows us to identify infected hosts, potentially abusable hosts, and other malicious actors. We ask that you would allow us to continue scanning your address space as our ability to gain insights is directly proportional to our visibility.
Some of our research can be found here:
https://asert.arbornetworks.com/
https://www.netscout.com/global-threat-intelligence
Not sure if it's legit... So what do you guys think?

Last edited by chaddeus; 29-07-2020 at 05:41 PM..
-- chaddeus
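The WHOIS lookup in the post above is the right move for a persistent source: a NetRange like "146.88.240.0 - 146.88.255.255" with a registrant comment naming the scanner tells you the traffic follows your address space, not you personally, which is why changing the external IP did nothing. Added example, not the poster's code or any WHOIS client's output format beyond the record he pasted: it parses the quoted ARIN record (a constructed copy of the lines above), turns its NetRange into CIDR blocks with the standard library, and tags the thread's source addresses against it. The index holds only the one record the thread actually shows; any further records a practitioner adds come from their own lookups.

```python
import ipaddress

# Constructed sample input: the ARIN WHOIS record quoted in the post above.
WHOIS_TEXT = """\
NetHandle: NET-146-88-240-0-1
OrgID: ARBORN
Parent: NET-146-0-0-0-0
NetName: ARBORN
NetRange: 146.88.240.0 - 146.88.255.255
NetType: assignment
Comment: NETSCOUT | Arbor Networks Research Scanner
Comment: https://www.arbor-observatory.com/
RegDate: 2016-10-27
Updated: 2019-06-24
AbuseHandle: ASERT-ARIN
Source: ARIN
"""


def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into a dict; repeated Comment lines become a list.
    Splitting on the first colon only keeps URLs in values intact."""
    rec = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Comment":
            rec.setdefault("Comment", []).append(value)
        else:
            rec[key] = value
    return rec


def netrange_to_cidrs(netrange):
    """ARIN 'first - last' NetRange -> minimal list of CIDR networks covering it."""
    first, last = (ipaddress.ip_address(p.strip()) for p in netrange.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def build_index(records):
    """[(label, network), ...] from parsed WHOIS records. The label is the first
    Comment line when present (that is where registrants describe scanners),
    otherwise the NetName."""
    index = []
    for rec in records:
        label = rec.get("Comment", [rec.get("NetName", "?")])[0]
        for net in netrange_to_cidrs(rec["NetRange"]):
            index.append((label, net))
    return index


def classify(ip, index):
    """'non-routable' for addresses inside your own network, the WHOIS label for a
    known range, or 'unknown' for everything else (treat as any other scanner)."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:
        return "non-routable"
    for label, net in index:
        if addr in net:
            return label
    return "unknown"


def tag_sources(ips, index):
    return {ip: classify(ip, index) for ip in ips}


if __name__ == "__main__":
    idx = build_index([parse_whois(WHOIS_TEXT)])
    sources = ["146.88.240.4", "45.236.31.62", "186.108.82.18", "192.168.10.15"]
    for ip, tag in tag_sources(sources, idx).items():
        print(f"{ip:16} {tag}")
```

The record's NetRange collapses to a single 146.88.240.0/20, so if the noise from that scanner is unwanted the whole /20 can go into the router's block list in one rule instead of chasing individual hosts. The WHOIS label says who registered the range, not that the probes are harmless: the IKE service behind port 500 is still being touched, so the thing that actually matters is that it is patched and configured with strong authentication.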
#15  29-07-2020, 05:52 PM
Just to give you guys an example. [...]
Not sure if it's legit... So what do you guys think?
Ha.....ha.....ha......maybe the CIA, Russians, CCP or even our MIW IBs are after you leh

-- Apparatus