  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 554
  • Last Modified:

Strange traffic in router logs - what is it?

In the last week I have been getting a large number of log files mailed to me from my NAT router.  The traffic has been odd in that it appears to originate from a number of sources, all attempting TCP connections to a high port.  I will see several source IPs trying to connect to the same port over and over.  Then I will see a different set of IPs trying to connect to a new, different high port number.  This traffic is occurring 24 hours a day and on the weekend when nobody is on the internal network.

I am not particularly worried about it, but am very curious as to what is generating the traffic.  Attached is a sample log (one of many!)

Sun, 2003-11-09 13:16:19 - TCP packet dropped - Source:65.54.194.118,80[HTTP] WAN - Destination:203.213.5.14,40923 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:131.215.182.180,3519 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:131.215.182.180,3520 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:12.234.34.173,2795 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:12.234.34.173,2796 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:131.215.182.180,3524 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:131.215.182.180,3525 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:12.234.34.173,2826 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:12.234.34.173,2827 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:21 - TCP packet dropped - Source:12.234.34.173,2864 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:21 - TCP packet dropped - Source:12.234.34.173,2865 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:24 - TCP packet dropped - Source:131.215.182.180,3533 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:24 - TCP packet dropped - Source:131.215.182.180,3534 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:45:55 - TCP packet dropped - Source:141.152.68.116,2926 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:45:55 - TCP packet dropped - Source:141.152.68.116,2927 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:02 - TCP packet dropped - Source:131.215.182.180,2929 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:05 - TCP packet dropped - Source:141.152.68.116,2929 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:05 - TCP packet dropped - Source:141.152.68.116,2930 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:05 - TCP packet dropped - Source:141.152.68.116,2931 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:12 - TCP packet dropped - Source:131.215.182.180,2935 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:15 - TCP packet dropped - Source:141.152.68.116,2932 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:15 - TCP packet dropped - Source:141.152.68.116,2933 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:15 - TCP packet dropped - Source:141.152.68.116,2934 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
0
Asked by: GeoffWhite
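The pattern the question describes (several sources hammering one high destination port, then a different set moving to another port) is easiest to see when the router log is reduced to a per-port summary. The script below is an added example for this thread, not part of the original post or of any router vendor's tooling. It assumes the exact line format quoted in the question (one event per line, after the wrapped lines are re-joined) and uses a handful of lines copied from that log as sample input; the thresholds in `tag_team_ports` are arbitrary choices, not values from the page.

```python
"""Summarise 'TCP packet dropped' events from a NAT router log by destination port.

Added example for the thread above; the log format is assumed from the lines
quoted in the question, and SAMPLE_LOG is a subset of those lines.
"""
import re
from collections import defaultdict
from datetime import datetime

# One event per line, in the format the router in the question emits (assumed).
LINE_RE = re.compile(
    r"^(?P<day>\w{3}), (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>TCP|UDP) packet dropped - "
    r"Source:(?P<src_ip>[\d.]+),(?P<src_port>\d+)(?:\[[^\]]*\])? WAN - "
    r"Destination:(?P<dst_ip>[\d.]+),(?P<dst_port>\d+) LAN - "
    r"\[(?P<rule>[^\]]+)\]$"
)

# Sample input: six lines taken from the log quoted in the question.
SAMPLE_LOG = [
    "Sun, 2003-11-09 13:16:19 - TCP packet dropped - Source:65.54.194.118,80[HTTP] WAN - Destination:203.213.5.14,40923 LAN - [Inbound Default rule match]",
    "Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:131.215.182.180,3519 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]",
    "Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:131.215.182.180,3520 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]",
    "Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:12.234.34.173,2795 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]",
    "Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:12.234.34.173,2826 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]",
    "Sun, 2003-11-09 16:45:55 - TCP packet dropped - Source:141.152.68.116,2926 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]",
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    return ev


def summarize(lines):
    """Group events by destination port: distinct sources, hit count, first/last seen."""
    by_port = defaultdict(lambda: {"sources": set(), "hits": 0, "first": None, "last": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None:          # skip lines in another format (e.g. UDP or status messages)
            continue
        s = by_port[ev["dst_port"]]
        s["sources"].add(ev["src_ip"])
        s["hits"] += 1
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return dict(by_port)


def tag_team_ports(summary, min_sources=2, min_hits=3):
    """Destination ports hit repeatedly by more than one source, sorted ascending.

    This is the 'tag team' shape the poster describes; the thresholds are
    arbitrary defaults chosen for this example."""
    return sorted(port for port, s in summary.items()
                  if len(s["sources"]) >= min_sources and s["hits"] >= min_hits)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for port in sorted(summary):
        s = summary[port]
        span = (s["last"] - s["first"]).total_seconds()
        print(f"port {port}: {s['hits']} hits from {len(s['sources'])} source(s) "
              f"over {span:.0f}s: {', '.join(sorted(s['sources']))}")
    print("ports hit by several sources:", tag_team_ports(summary))
```

Run against the full mailed log (`summarize(open("router.log"))`) this gives one line per destination port with the set of sources and how long the activity lasted, which is the information you would attach when writing to the abuse contact of a source network, as suggested in the answers below.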
2 Solutions
 
chicagoanCommented:
Haven't seen any info on 41104 or 41052

the source addresses correspond to
12-234-34-173.client.attbi.com
charter-182-180.caltech.edu
pool-141-152-68-116.roa.east.verizon.net

The first and last are ISPs who almost never respond to you.
The address at caltech is a winner, if you can get to the right people, universities will usually help.

so we look up caltech:
Domain Name: CALTECH.EDU

Registrant:
   California Institute of Technology
   Information Technology Services 014-81
   Pasadena, CA 91125
   UNITED STATES

Contacts:

   Administrative Contact:
   Robert S. Logan
   California Institute of Technology
   ITS: Mail Stop 014-81
   Pasadena, CA 91125
   UNITED STATES
   (626) 395-4631
   bob@caltech.edu


   Technical Contact:

   Network Operations Center
   California Institute of Technology
   1200 E. California Blvd
   Pasadena, CA 91125
   UNITED STATES
   (626) 395-4602
   noc@caltech.edu


Name Servers:
   MERCUTIO.NI.CALTECH.EDU 131.215.254.99
   NSX.LBL.GOV
   TYBALT.CALTECH.EDU 131.215.139.100
   TEPID.NI.CALTECH.EDU 131.215.254.100

Domain record activated:    06-Jan-1986
Domain record last updated: 01-Nov-2000

so send your logs to bob and the noc and ask WTF are you guys doing over there?


 


You can look up attack trends on http://isc.sans.org/trends.html

You can contribute your logs to the stats, see the site for instructions

ports  40844-41110 are unassigned

(per http://www.iana.org/assignments/port-numbers)
0
 
GeoffWhiteAuthor Commented:
I have looked up the addresses before asking here.  Problem is the behavior does not always last for long from a single source.  It's almost like there is a tag team going on.  There are any number of sources in the logs.  The destination port varies greatly, but is always in the high undefined port ranges.  

I am beginning to think there might be a box behind the router with some DDOS gear that is attempting to join up with its friends.
0
 
chicagoanCommented:
port scan time

Ping Pack Pro from Ipswitch is pretty easy to use. You can scan for those ports pretty fast.

Good thing to do periodically anyway to look for rogue servers.

I would write to caltech, they may already have figured it out or can devote more resources to doing so.
0
 
chicagoanCommented:
What did you learn?
0
