Suspicious activity - random incoming connections in status log

dooper
4: Newbie

Hi all,

I have a Vox 3 router on FTTC service. For the last few weeks I've noted glitches when using streaming apps on my TV such as BBC iPlayer, ITV catchup etc etc.

I'd be watching a programme and suddenly it would stop, appear to be buffering, then blank. It would usually pick up again maybe 10-15 seconds later.

It had the mark of a dropped connection. Eventually I decided to investigate and, logging into the router, I noted that the line had been up for quite a long time and there was no evidence of droppage.

In the log though there are multiple ongoing entries of connection attempts apparently blocked by the firewall.

Example IPs include:

101.78.3.247

92.63.197.94

192.241.211.141

141.98.11.32

167.248.133.130

 

and others. When I look up these IPs they seem to be everywhere.

So what's going on? Could a device on my network be soliciting these requests? Why? How?

My current plan is to power off the router and hope to pick up a new IP and see what happens next.

The dialogue that comes with these blocked requests is as in this example.

 

[1324390.688056] DROP wan in: IN=pppoe-wan OUT= MAC= src=167.248.133.130 DST=90.243.79.154 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=45186 PROTO=TCP SPT=28457 DPT=623 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000

 

Any ideas?

I am certain these incoming requests are what is causing streaming to glitch.

PS

Interspersed with these incoming attempts are several lines of:

failed to send packet: Network is unreachable
data

 

 

 

15 REPLIES

Jayach
16: Advanced member

The dropped packets are perfectly normal; it happens all the time, and as they have been ignored by the firewall they will cause no problems.

I've checked my log and I'm also getting the "failed to send packet: Network is unreachable", but I have no problems streaming (only music though, I don't use any video streaming services).

Really not sure where they are coming from, but as I also have them they are probably not the cause.

Could it just be a Wi-Fi problem?

Do you also have the apparent failed incoming request attempts from random IPs blocked by the firewall? I powered my router off overnight and powered it on again this morning and have picked up another IP address for my router and guess what? The same thing is happening. So either

a) this is suspicious

b) it's normal

c) a device on my LAN is soliciting these requests and may have issues

CrimsonLiar
16: Advanced member

A major function of the router firewall is to look at what IP addresses your network initiates communication with, and then reject data coming from sites that you've not initiated communication with.

Is this normal?  Unfortunately yes, and in order not to scare people, the router is probably underreporting!  There are only 4 1/4 billion IP addresses out there, they'll almost all get probed potentially nefariously, multiple times every day!  Bad people exist out there on the internet.

If a device were initiating communication, then you'd probably not be seeing the issue show up in the log!

*It's not a Vodafone issue, it's an Internet issue!
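
An added example, not part of any post in this thread: a small Python parser for the router's `DROP wan in` lines that tallies dropped inbound packets by destination port and source, and marks bare-SYN packets, which are the new connection attempts from outside that the firewall behaviour described above rejects. It assumes the log follows the netfilter LOG key=value layout of the entry quoted in the first post; every sample line except the first is constructed.

```python
import re
from collections import Counter

# key=value fields of a netfilter-style LOG line. Keys are upper-cased after
# matching because the router prints "src=" in lower case but "DST=" in upper.
FIELD = re.compile(r"\b([A-Za-z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_drop(line):
    """Parse one 'DROP wan in' line into a dict; return None for other lines."""
    if "DROP wan in:" not in line:
        return None
    f = {k.upper(): v for k, v in FIELD.findall(line)}
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    dpt = f.get("DPT", "")
    return {
        "src": f.get("SRC"), "dst": f.get("DST"), "proto": f.get("PROTO"),
        "dport": int(dpt) if dpt.isdigit() else None, "flags": flags,
        # A lone SYN on the WAN side is a new connection opened from outside;
        # a reply to LAN traffic carries ACK and matches tracked state instead.
        "unsolicited_syn": f.get("PROTO") == "TCP" and flags == {"SYN"},
    }

def summarise(lines):
    """Return (drops per (proto, dport), drops per source, non-DROP line count)."""
    lines = list(lines)
    recs = [r for r in map(parse_drop, lines) if r]
    ports = Counter((r["proto"], r["dport"]) for r in recs)
    sources = Counter(r["src"] for r in recs)
    return ports, sources, len(lines) - len(recs)

# First entry is the line quoted in the thread; the rest are constructed samples
# that use documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
SAMPLE = [
    "[1324390.688056] DROP wan in: IN=pppoe-wan OUT= MAC= src=167.248.133.130 "
    "DST=90.243.79.154 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=45186 PROTO=TCP "
    "SPT=28457 DPT=623 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000",
    "[1324391.102233] DROP wan in: IN=pppoe-wan OUT= MAC= src=198.51.100.7 "
    "DST=203.0.113.20 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP "
    "SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000",
    "[1324395.440871] DROP wan in: IN=pppoe-wan OUT= MAC= src=192.0.2.99 "
    "DST=203.0.113.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP "
    "SPT=443 DPT=50022 WINDOW=0 RES=0x00 ACK RST URGP=0 MARK=0x8000000",
    "failed to send packet: Network is unreachable",
]

if __name__ == "__main__":
    ports, sources, other = summarise(SAMPLE)
    print(ports.most_common(), f"{other} other line(s) ignored")
```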

Jayach
16: Advanced member

@dooper wrote:

Do you also have the apparent failed incoming request attempts from random IPs blocked by the firewall?


Yes, loads. As the others have said, it is perfectly normal; if they had been solicited by a device on your network they would not have been dropped.

I think @network123 is asking if your router is reporting line drops. They are registered as "No of Cuts", but from what you say it doesn't sound likely. 

@dooper wrote:

Eventually I decided to investigate and, logging into the router, I noted that the line had been up for quite a long time and there was no evidence of droppage.

 


@Jayach admittedly I did read the post half-asleep this morning lol!

 

Assuming this is probably a Wi-Fi issue instead then or just down to latency (and possibly speed if streaming simultaneously).

Jayach
16: Advanced member

Yes I think it is probably Wi-Fi.

@dooper I wonder if it may be worth setting up a Broadband Quality Monitor, it may show if you are having connectivity problems. Then again it may just raise more questions/worries.

https://www.thinkbroadband.com/broadband/monitoring/quality

 

Well I left my router off overnight and picked up a new router IP address in the morning and the same things are happening so I guess it must be "normal".

If I do whois lookups on some of these IPs then the next question I ask is why are potential port scans being launched from seemingly legitimate organizations?

If this is a widespread issue, why does Vodafone seek to block them at their end rather than allowing them to flow on its network and then leaving it to customers' routers to block?

Going back to my streaming hiccups on iPlayer and similar, the smart TV is the only item that is hard wired to the router because I thought it would ensure consistent throughput. There is very little demand on bandwidth other than when streaming but then in the past I've streamed on an ADSL line with no issues.

In the log I'm not seeing any DSL downtime and there is a very good synch capacity.

I'm also seeing lots of messages like this:

 

Failed to send DHCPV6 message to ff02::1:2 (Permission denied)

 

 

 

 

CrimsonLiar
16: Advanced member

So, having an Asus router I normally have the Trend Micro AiProtection enabled, but if I disable that and instead run Skynet, then in about 24 hours I can show what kind of nefarious attacks hit a router in an average day.

 

In the words of the great and wise Douglas Adams, Don't Panic!

Jayach
16: Advanced member

@dooper wrote:

If I do whois lookups on some of these IPs then the next question I ask is why are potential port scans being launched from seemingly legitimate organizations?

 

I'm also seeing lots of messages like this;

Failed to send DHCPV6 message to ff02::1:2 (Permission denied)


Port scans are not always from bad actors; it can be search engine spiders and suchlike.

The IPv6 fails are because there is no IPv6 on Vodafone's network. (Yet)