Solved

Strange traffic in router logs - what is it?

Posted on 2003-11-10
Last Modified: 2013-11-29
In the last week I have been getting a large number of log files mailed to me from my NAT router.  The traffic has been odd in that it appears to originate from a number of sources, all attempting TCP connections to a high port.  I will see several source IPs trying to connect to the same port over and over.  Then I will see a different set of IPs trying to connect to a new different high port number.  This traffic is occurring 24 hours and on the weekend when nobody is on the internal network.

I am not particularly worried about it, but am very curious as to what is generating the traffic.  Attached is a sample log (one of many!)

Sun, 2003-11-09 13:16:19 - TCP packet dropped - Source:65.54.194.118,80[HTTP] WAN - Destination:203.213.5.14,40923 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:131.215.182.180,3519 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:131.215.182.180,3520 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:12.234.34.173,2795 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:12.234.34.173,2796 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:131.215.182.180,3524 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:131.215.182.180,3525 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:12.234.34.173,2826 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:00 - TCP packet dropped - Source:12.234.34.173,2827 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:21 - TCP packet dropped - Source:12.234.34.173,2864 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:21 - TCP packet dropped - Source:12.234.34.173,2865 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:24 - TCP packet dropped - Source:131.215.182.180,3533 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:24 - TCP packet dropped - Source:131.215.182.180,3534 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:45:55 - TCP packet dropped - Source:141.152.68.116,2926 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:45:55 - TCP packet dropped - Source:141.152.68.116,2927 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:02 - TCP packet dropped - Source:131.215.182.180,2929 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:05 - TCP packet dropped - Source:141.152.68.116,2929 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:05 - TCP packet dropped - Source:141.152.68.116,2930 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:05 - TCP packet dropped - Source:141.152.68.116,2931 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:12 - TCP packet dropped - Source:131.215.182.180,2935 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:15 - TCP packet dropped - Source:141.152.68.116,2932 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:15 - TCP packet dropped - Source:141.152.68.116,2933 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:46:15 - TCP packet dropped - Source:141.152.68.116,2934 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Question by:GeoffWhite
4 Comments
Accepted Solution
by: chicagoan
ID: 9720095
Haven't seen any info on 41104 or 41052

The source addresses correspond to
12-234-34-173.client.attbi.com
charter-182-180.caltech.edu
pool-141-152-68-116.roa.east.verizon.net

The first and last are ISPs who almost never respond to you.
The address at caltech is a winner, if you can get to the right people, universities will usually help.

So we look up caltech:
Domain Name: CALTECH.EDU

Registrant:
   California Institute of Technology
   Information Technology Services 014-81
   Pasadena, CA 91125
   UNITED STATES

Contacts:

   Administrative Contact:
   Robert S. Logan
   California Institute of Technology
   ITS: Mail Stop 014-81
   Pasadena, CA 91125
   UNITED STATES
   (626) 395-4631
   bob@caltech.edu


   Technical Contact:

   Network Operations Center
   California Institute of Technology
   1200 E. California Blvd
   Pasadena, CA 91125
   UNITED STATES
   (626) 395-4602
   noc@caltech.edu


Name Servers:
   MERCUTIO.NI.CALTECH.EDU 131.215.254.99
   NSX.LBL.GOV
   TYBALT.CALTECH.EDU 131.215.139.100
   TEPID.NI.CALTECH.EDU 131.215.254.100

Domain record activated:    06-Jan-1986
Domain record last updated: 01-Nov-2000

So send your logs to bob and the noc and ask WTF are you guys doing over there?

You can look up attack trends on http://isc.sans.org/trends.html

You can contribute your logs to the stats, see the site for instructions

ports 40844-41110 are unassigned

(per http://www.iana.org/assignments/port-numbers)
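To make the pattern described in the question and the lookups in this answer concrete, here is an added Python example (mine, not code from the thread or from any product named in it). It rejoins log entries that were wrapped at the comma before the source port, groups them by destination port so the "several sources hitting one port, then a new port" pattern is visible, checks each port against the 40844-41110 range this answer found unassigned at IANA, and drafts the per-source summary you would paste into a note to a NOC or abuse contact. The five sample lines are copied from the question in the wrapped form they were pasted; the reverse-DNS map is constructed from the hostnames given in this answer rather than looked up live (a real run would call socket.gethostbyaddr for each source).

```python
"""Summarise dropped-packet entries from a NAT router log and draft a
per-source report. Added example; not code from the original thread."""
import re
from collections import defaultdict
from datetime import datetime

# Format of the router's log lines as pasted in the question. The paste
# wrapped each entry at the "," before the source port, so unwrap() glues
# a line that begins with "," back onto the previous one before parsing.
ENTRY_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>TCP|UDP) packet dropped - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+)(?:\[[^\]]*\])? WAN - "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) LAN - \[(?P<rule>[^\]]*)\]$"
)

# Port range the accepted answer found unassigned at IANA (the thread's value).
UNASSIGNED_RANGES = [(40844, 41110)]

# Constructed reverse-DNS map using the hostnames from the accepted answer;
# a live run would use socket.gethostbyaddr() instead of this table.
RDNS = {
    "12.234.34.173": "12-234-34-173.client.attbi.com",
    "131.215.182.180": "charter-182-180.caltech.edu",
    "141.152.68.116": "pool-141-152-68-116.roa.east.verizon.net",
}


def unwrap(text):
    """Rejoin entries that were wrapped at the ',' before the source port."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(",") and lines:
            lines[-1] += line
        else:
            lines.append(line)
    return lines


def parse(text):
    """Return one dict per well-formed entry; malformed lines are skipped."""
    entries = []
    for line in unwrap(text):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        entries.append(d)
    return entries


def by_dest_port(entries):
    """Group by destination port: distinct sources, hit count, time span."""
    ports = defaultdict(lambda: {"sources": set(), "hits": 0, "first": None, "last": None})
    for e in entries:
        p = ports[e["dport"]]
        p["sources"].add(e["src"])
        p["hits"] += 1
        p["first"] = e["ts"] if p["first"] is None else min(p["first"], e["ts"])
        p["last"] = e["ts"] if p["last"] is None else max(p["last"], e["ts"])
    return dict(ports)


def is_unassigned(port):
    """True if the port falls in a range the thread noted as unassigned."""
    return any(lo <= port <= hi for lo, hi in UNASSIGNED_RANGES)


def source_reports(entries, rdns=RDNS):
    """Per-source summary for a note to that network's NOC/abuse contact:
    hostname, destination ports hit, hit count and the time window."""
    reports = {}
    for src in sorted({e["src"] for e in entries}):
        mine = [e for e in entries if e["src"] == src]
        reports[src] = {
            "host": rdns.get(src, "(no PTR record)"),
            "ports": sorted({e["dport"] for e in mine}),
            "hits": len(mine),
            "first": min(e["ts"] for e in mine).isoformat(sep=" "),
            "last": max(e["ts"] for e in mine).isoformat(sep=" "),
        }
    return reports


# Five entries copied from the question's log, in the wrapped form pasted there.
SAMPLE = """\
Sun, 2003-11-09 13:16:19 - TCP packet dropped - Source:65.54.194.118
,80[HTTP] WAN - Destination:203.213.5.14,40923 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:131.215.182.180
,3519 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:16:39 - TCP packet dropped - Source:12.234.34.173
,2795 WAN - Destination:203.213.5.14,41052 LAN - [Inbound Default rule match]
Sun, 2003-11-09 13:17:24 - TCP packet dropped - Source:131.215.182.180
,3533 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
Sun, 2003-11-09 16:45:55 - TCP packet dropped - Source:141.152.68.116
,2926 WAN - Destination:203.213.5.14,41104 LAN - [Inbound Default rule match]
"""

if __name__ == "__main__":
    ents = parse(SAMPLE)
    for port, info in sorted(by_dest_port(ents).items()):
        flag = "unassigned" if is_unassigned(port) else "assigned"
        print(f"dport {port} ({flag}): {info['hits']} hits from "
              f"{len(info['sources'])} source(s), {info['first']} .. {info['last']}")
    for src, r in source_reports(ents).items():
        print(f"{src} {r['host']} ports={r['ports']} hits={r['hits']} "
              f"{r['first']} .. {r['last']}")
```

Feed the router's mailed logs to parse() in place of SAMPLE; the by_dest_port() view answers "which sources share a port and for how long", and source_reports() gives one paragraph per source to send along with the raw lines, which is what the university NOC will want to see.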

Author Comment

by:GeoffWhite
ID: 9720381
I have looked up the addresses before asking here.  Problem is the behavior does not always last for long from a single source.  It's almost like there is a tag team going on.  There are any number of sources in the logs.  The destination port varies greatly, but is always in the high undefined port ranges.  

I am beginning to think there might be a box behind the router with some DDOS gear that is attempting to join up with its friends.
Assisted Solution
by: chicagoan
ID: 9726173
port scan time

Ping Pack Pro from ipswitch is pretty easy to use. You can scan for those ports pretty fast.

Good thing to do periodically anyway to look for rogue servers.

I would write to caltech, they may already have figured it out or can devote more resources to doing so.
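A minimal version of the internal check suggested in this answer, as an added Python example (my code, not the thread's and not the Ipswitch product mentioned above). It accepts only loopback and RFC 1918 targets, so it can only be pointed at the hosts behind the NAT router, and reports which of the destination ports from the dropped-packet log have a live listener on a given internal host. demo_local_probe() is a self-contained demonstration that opens one listener on 127.0.0.1 and probes it alongside a port known to be closed.

```python
"""Check hosts on your own LAN for TCP listeners on the destination ports
the router reported. Added example; not from the thread."""
import ipaddress
import socket
import threading

# Only loopback and RFC 1918 space is accepted, so this can only be pointed
# at the network behind the NAT router, never at the WAN-side sources.
ALLOWED = [ipaddress.ip_network(n) for n in
           ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(host):
    """True for loopback or private (RFC 1918) IPv4 addresses."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in ALLOWED)


def probe(host, port, timeout=0.5):
    """True if a TCP listener accepts a connection on host:port."""
    if not is_local(host):
        raise ValueError(f"{host} is not a loopback/RFC 1918 address")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, OSError):
            return False


def find_listeners(hosts, ports, timeout=0.5):
    """Map (host, port) -> True/False for every combination. The destination
    ports from the router log (e.g. 41052, 41104) are the natural input."""
    return {(h, p): probe(h, p, timeout) for h in hosts for p in ports}


def demo_local_probe():
    """Self-contained check: open one loopback listener, then probe it and a
    port that was just released. Returns (open_result, closed_result)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # kernel picks a free port
    srv.listen(1)
    open_port = srv.getsockname()[1]
    # Take a second ephemeral port and release it so we know it is closed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    # Accept in the background so the probe's connection is drained.
    t = threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True)
    t.start()
    try:
        result = find_listeners(["127.0.0.1"], [open_port, closed_port])
        return result[("127.0.0.1", open_port)], result[("127.0.0.1", closed_port)]
    finally:
        srv.close()


if __name__ == "__main__":
    print("listener found, closed port found:", demo_local_probe())
```

To use it against the LAN in the question, pass the internal hosts and the set of destination ports collected from the logs to find_listeners(); any True result identifies a machine that is actually listening on one of those ports and deserves a closer look.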
Expert Comment
by: chicagoan
ID: 9738544
What did you learn?