Strange traffic in router logs - what is it?

Posted on 2003-11-10
Last Modified: 2013-11-29
In the last week I have been getting a large number of log files mailed to me from my NAT router.  The traffic has been odd in that it appears to originate from a number of sources, all attempting TCP connections to a high port.  I will see several source IPs trying to connect to the same port over and over.  Then I will see a different set of IPs trying to connect to a new different high port number.  This traffic is occurring 24 hours and on the weekend when nobody is on the internal network.

I am not particularly worried about it, but am very curious as to what is generating the traffic.  Attached is a sample log (one of many!)

Sun, 2003-11-09 13:16:19 - TCP packet dropped - Source:65.54.194.118,80[HTTP] WAN - Destination:203.213.5.14,40923 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:131.215.182.180,3519 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:131.215.182.180,3520 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:12.234.34.173,2795 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:12.234.34.173,2796 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:131.215.182.180,3524 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:131.215.182.180,3525 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:12.234.34.173,2826 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:12.234.34.173,2827 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:21 - TCP packet dropped - Source:12.234.34.173,2864 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:21 - TCP packet dropped - Source:12.234.34.173,2865 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:24 - TCP packet dropped - Source:131.215.182.180,3533 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:24 - TCP packet dropped - Source:131.215.182.180,3534 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:45:55 - TCP packet dropped - Source:141.152.68.116,2926 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:45:55 - TCP packet dropped - Source:141.152.68.116,2927 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:02 - TCP packet dropped - Source:131.215.182.180,2929 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:05 - TCP packet dropped - Source:141.152.68.116,2929 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:05 - TCP packet dropped - Source:141.152.68.116,2930 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:05 - TCP packet dropped - Source:141.152.68.116,2931 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:12 - TCP packet dropped - Source:131.215.182.180,2935 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:15 - TCP packet dropped - Source:141.152.68.116,2932 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:15 - TCP packet dropped - Source:141.152.68.116,2933 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:15 - TCP packet dropped - Source:141.152.68.116,2934 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Question by:GeoffWhite

Accepted Solution

by:
chicagoan earned 150 total points
ID: 9720095
Haven't seen any info on 41104 or 41052

the source addresses correspond to
12-234-34-173.client.attbi.com
charter-182-180.caltech.edu
pool-141-152-68-116.roa.east.verizon.net

The first and last are ISPs who almost never respond to you.
The address at caltech is a winner; if you can get to the right people, universities will usually help.

so we look up caltech:
Domain Name: CALTECH.EDU

Registrant:
   California Institute of Technology
   Information Technology Services 014-81
   Pasadena, CA 91125
   UNITED STATES

Contacts:

   Administrative Contact:
   Robert S. Logan
   California Institute of Technology
   ITS: Mail Stop 014-81
   Pasadena, CA 91125
   UNITED STATES
   (626) 395-4631
   bob@caltech.edu


   Technical Contact:

   Network Operations Center
   California Institute of Technology
   1200 E. California Blvd
   Pasadena, CA 91125
   UNITED STATES
   (626) 395-4602
   noc@caltech.edu


Name Servers:
   MERCUTIO.NI.CALTECH.EDU 131.215.254.99
   NSX.LBL.GOV
   TYBALT.CALTECH.EDU 131.215.139.100
   TEPID.NI.CALTECH.EDU 131.215.254.100

Domain record activated:    06-Jan-1986
Domain record last updated: 01-Nov-2000

so send your logs to bob and the noc and ask WTF are you guys doing over there?

You can look up attack trends on http://isc.sans.org/trends.html

You can contribute your logs to the stats, see the site for instructions

ports  40844-41110 are unassigned

(per http://www.iana.org/assignments/port-numbers)

Author Comment

by:GeoffWhite
ID: 9720381
I have looked up the addresses before asking here.  Problem is the behavior does not always last for long from a single source.  It's almost like there is a tag team going on.  There are any number of sources in the logs.  The destination port varies greatly, but is always in the high undefined port ranges.  

I am beginning to think there might be a box behind the router with some DDOS gear that is attempting to join up with its friends.
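
As an added example (not code from the question or from any of the comments), a small Python parser for the router log format quoted in the question. It groups dropped packets by destination port and reports distinct sources, hit count and time span, so the pattern GeoffWhite describes (several sources hitting one high port, then moving to another) can be read off the log rather than eyeballed. The sample records are constructed from values in the question, and the stale-reply heuristic (a packet from a well-known service port to a high port is usually a late reply to an outbound connection whose NAT entry expired) is an assumption made for the example, not something the thread states.

```python
import re
from datetime import datetime

# Constructed sample in the format of the router log quoted in the question,
# one record per line (the page shows each record wrapped after the source IP).
SAMPLE_LOG = """\
Sun, 2003-11-09 13:16:19 - TCP packet dropped - Source:65.54.194.118,80[HTTP] WAN - Destination:203.213.5.14,40923 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:131.215.182.180,3519 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:12.234.34.173,2795 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:24 - TCP packet dropped - Source:131.215.182.180,3533 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:45:55 - TCP packet dropped - Source:141.152.68.116,2926 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
"""

RECORD_RE = re.compile(
    r"^\w+, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<proto>\w+) packet dropped"
    r" - Source:(?P<src>[\d.]+),(?P<sport>\d+)\S* WAN"   # \S* eats tags like [HTTP]
    r" - Destination:(?P<dst>[\d.]+),(?P<dport>\d+) LAN"
)

def parse_log(text):
    """Return a list of parsed records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
        r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
        records.append(r)
    return records

def likely_stale_reply(r):
    """Heuristic (an assumption for this example, not from the thread): traffic
    FROM a well-known service port TO a high port is usually a late reply to an
    outbound connection the NAT has already forgotten, not a probe."""
    return r["sport"] < 1024 and r["dport"] >= 1024

def summarize_by_dport(records):
    """Per destination port: distinct sources, hit count and first/last seen,
    so several sources taking turns on one port stand out at a glance."""
    stats = {}
    for r in records:
        if likely_stale_reply(r):
            continue
        s = stats.setdefault(r["dport"], {"sources": set(), "hits": 0,
                                          "first": r["ts"], "last": r["ts"]})
        s["sources"].add(r["src"])
        s["hits"] += 1
        s["first"], s["last"] = min(s["first"], r["ts"]), max(s["last"], r["ts"])
    return stats
```

Running summarize_by_dport(parse_log(SAMPLE_LOG)) shows port 41052 hit by two sources within seconds and port 41104 hit by two sources about three and a half hours apart, which is the "tag team" shape described above.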

Assisted Solution

by:chicagoan
chicagoan earned 150 total points
ID: 9726173
port scan time

Ping Pack Pro from ipswitch is pretty easy to use. You can scan for those ports pretty fast.

Good thing to do periodically anyway to look for rogue servers.

I would write to caltech, they may already have figured it out or can devote more resources to doing so.

Expert Comment

by:chicagoan
ID: 9738544
What did you learn?