Suspicious activity - random incoming connections in status log

dooper
4: Newbie

Hi all ,

 

I have a Vox 3 router on FTTC service. For the last few weeks I've noted glitches when using streaming apps on my TV such as BBC iPlayer, ITV catchup etc etc.

 

I'd be watching a programme and suddenly it would stop, appear to be buffering, then blank. It would usually pick up again maybe 10-15 seconds later.

 

It had the mark of a dropped connection. Eventually I decided to investigate and, logging into the router, I noted that the line had been up for quite a long time and there was no evidence of droppage.

 

In the log though there are multiple ongoing entries of connection attempts apparently blocked by the firewall.

 

Example IPs include:

101.78.3.247

92.63.197.94

192.241.211.141

141.98.11.32

167.248.133.130

 

and others. When I look up these IPs they seem to be everywhere.

 

So what's going on? Could a device on my network be soliciting these requests? Why? How?

 

My current plan is to power off the router and hope to pick up a new IP and see what happens next.

 

The dialogue that comes with these blocked requests is as in this example.

 

[1324390.688056] DROP wan in: IN=pppoe-wan OUT= MAC= src=167.248.133.130 DST=90.243.79.154 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=45186 PROTO=TCP SPT=28457 DPT=623 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000

 

Any ideas?

 

I am certain these incoming requests are what is causing streaming to glitch.

 

PS 

 

Interspersed with these incoming attempts are several lines of:

 

failed to send packet: Network is unreachable
data

 

 

 

15 REPLIES


@dooper wrote:

If I do whois lookups on some of these IPs then the next question I ask is why are potential port scans being launched from seemingly legitimate organizations?

 


As above, some applications and websites do legitimately use port scanners.

 


@dooper wrote:

If this is a widespread issue, why does Vodafone seek to block them at their end rather than allowing them to flow on its network and then leaving it to customers' routers to block?

Because it's like the game 'whac a mole,' you might as well ask VF to block the whole internet across their network. That is why you have a firewall to prevent attacks.

 


@dooper wrote:

Going back to my streaming hiccups on iPlayer and similar, the smart TV is the only item that is hard wired to the router because I thought it would ensure consistent throughput. There is very little demand on bandwidth other than when streaming, but then in the past I've streamed on an ADSL line with no issues.

 

In the log I'm not seeing any DSL downtime and there is a very good synch capacity.


That's a positive at least, so the line is more than likely fine. Would you mind doing a speedtest on Ookla?


[Image: routerattack.png]

The above is the result of running Skynet for just a couple of hours (and those are only the top 10 IPs that have attempted to probe the network here). Am I worried? Not in the slightest, these probes are all things that even the most basic firewall should catch!

Think of the firewall on your router as the bouncer outside a club where no one can get in without an invitation, and only you can issue those invitations.  I could take the analogy further, but I hope you get the drift.

Jayach
16: Advanced member

You could also try posting the DSL stats, so we can see if there is anything untoward in there.

DSL Status Information

DSL Mode
ITU-T G.993.2_Annex_B (VDSL2)

DSL Uptime
2 days, 11 hours, 13 minutes and 9 seconds

Line Coding
DMT

Status
Connected

Number of Cuts
0

Link Power State
L0

Line Quality

  Downstream Upstream
Current Rate | 79998 kbps | 20000 kbps
Maximum Rate | 82146 kbps | 27372 kbps
Signal-to-Noise Ratio | 4.3 dB | 10.4 dB
Attenuation | DS1 9.1 dB, DS2 22.0 dB, DS3 34.4 dB | US0 2.0 dB, US1 15.1 dB, US2 24.5 dB
Power | 12.8 dBm | 4.3 dBm
CRC Errors in last 3553 minute(s) | 0 | 574
K (number of bytes in DMT frame) | 0 | 0
R (number of bytes in RS code word) | 8 | 0
S (RS code word size in DMT frame) | 0.0680 | 0.3819
D (interleaver depth) | 8 | 1
Delay | 0 ms | 0 ms

  Downstream Upstream
Super Frames | 0 | 34895389
Super Frame Errors | 0 | 574
RS Words 39042177922233154974
RS Correctable Errors 718120
RS Uncorrectable Errors | 0 | 0

  Downstream Upstream
HEC Errors | 0 | 0
OCD Errors | 0 | 0
LCD Errors | 0 | 0
Total Cells 27324820640
Data Cells 2889357930
Bit Errors | 0 | 0

  Downstream Upstream
Total ES | 0 | 431
Total SES | 0 | 8
Total UAS 2727

Cynric
16: Advanced member

@dooper, we all get strange attempts to connect. As long as they don't pass your firewall it's not a problem.

Should you ever feel inclined (or bored) you can look them up, like this;

https://www.abuseipdb.com/check/192.241.211.141

Where you can get reports like this;

This IP address has been reported a total of 384 times from 97 distinct sources. 192.241.211.141 was first reported on November 18th 2021, and the most recent report was 6 hours ago.

Jayach
16: Advanced member

@dooper wrote:

If this is a widespread issue, why does Vodafone seek to block them at their end rather than allowing them to flow on its network and then leaving it to customers' routers to block?

Vodafone have no idea if packets destined for your IP are legitimate or not. Can you imagine the outcry if they started blocking anything they thought might be suspicious. They would (rightly) be accused of acting like "The Great Firewall of China".

network123
5: Helper

When you are referring to the blocks in your log, those are dropped connections by port scanners. Your firewall is doing a good job by ignoring them and shouldn’t be affecting your streaming. Port scanners look for open ports to probe and exploit. If you’re worried about this type of thing, switch off UPnP as that’ll create port forwarding rules automatically, leaving holes in your firewall but may cause issues with devices that need port forwarding.

 

Try going onto ‘Expert Mode’ and see your DSL status. How many drops are you having?
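
An added example, not part of any post in this thread: a small Python parser for the `DROP wan in:` log format quoted in the original post, which tallies destination ports per source and separates bare inbound SYNs (new connection attempts from outside) from packets carrying ACK or RST (leftovers of sessions a LAN device opened). The first sample line is the one from the post; the others are constructed, and the category names are this example's own heuristic labels.

```python
import re
from collections import Counter

# Line 1 is the entry quoted in the post; the rest are constructed samples
# in the same format, using documentation address ranges.
SAMPLE_LOG = """\
[1324390.688056] DROP wan in: IN=pppoe-wan OUT= MAC= src=167.248.133.130 DST=90.243.79.154 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=45186 PROTO=TCP SPT=28457 DPT=623 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
[1324391.102211] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=198.51.100.7 DST=203.0.113.20 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=40112 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
[1324395.500113] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=198.51.100.7 DST=203.0.113.20 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54322 PROTO=TCP SPT=40113 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
[1324399.000871] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=192.0.2.44 DST=203.0.113.20 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=1001 PROTO=TCP SPT=443 DPT=51544 WINDOW=501 RES=0x00 ACK FIN URGP=0 MARK=0x8000000
failed to send packet: Network is unreachable
"""

KV = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs; value may be empty
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_drop(line):
    """Return the fields of one firewall DROP entry, or None for other lines."""
    if "DROP" not in line or "IN=" not in line:
        return None
    fields = {k.upper(): v for k, v in KV.findall(line)}  # 'src=' and 'SRC=' both occur
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def classify(entry):
    """Heuristic label: was this packet opening a connection or answering one?"""
    flags = entry["FLAGS"]
    if entry.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
        return "unsolicited-syn"   # sender is initiating; nothing on the LAN asked for it
    if "ACK" in flags or "RST" in flags:
        return "stale-reply"       # belongs to a session the firewall no longer tracks
    return "other"

def summarise(log_text):
    """Map each source IP to the set of ports it tried, and count packet kinds."""
    by_source, kinds = {}, Counter()
    for line in log_text.splitlines():
        entry = parse_drop(line)
        if entry is None or "SRC" not in entry:
            continue
        kinds[classify(entry)] += 1
        if entry.get("DPT"):
            by_source.setdefault(entry["SRC"], set()).add(int(entry["DPT"]))
    return by_source, kinds

if __name__ == "__main__":
    sources, kinds = summarise(SAMPLE_LOG)
    for ip, ports in sorted(sources.items()):
        print(f"{ip:16} ports tried: {sorted(ports)}")
    print(dict(kinds))
```

A source that appears against several unrelated destination ports is sweeping, which matches the port-scanner explanation given in the replies.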