
Viewing Thread:
"Router Attacks"

The "Freeola Customer Forum" forum, which includes Retro Game Reviews, has been archived and is now read-only. You cannot post here or create a new thread or review on this forum.

Fri 02/09/11 at 21:16
Regular
"Ctrl, Alt, Woof"
Posts: 212
I recently switched on the email notification facility on my Netgear DGN2000 which sends an email when it detects an attack.

I almost wish I hadn't switched it on because the results are scaring the bejeezus out of me...

An extract from the email looks like this (destination address changed):


Thu, 2011-09-01 21:18:04 - TCP Packet - Source:82.196.2.42,37357 Destination:123.123.123.123,443 - [HTTPS rule match]
Thu, 2011-09-01 21:47:25 - TCP Packet - Source:89.235.6.106,26010 Destination:123.123.123.123,443 - [HTTPS rule match]
Fri, 2011-09-02 04:40:49 - TCP Packet - Source:208.67.200.196,54371 Destination:123.123.123.123,80 - [HTTP rule match]
Fri, 2011-09-02 05:14:31 - TCP Packet - Source:184.95.34.90,4620 Destination:123.123.123.123, 8088 - [DOS]
Fri, 2011-09-02 05:30:38 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,73 - [DOS]
Fri, 2011-09-02 05:30:39 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,7212 - [DOS]
Fri, 2011-09-02 05:30:39 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,6588 - [DOS]
Fri, 2011-09-02 05:30:39 - Send E-mail Success!
Fri, 2011-09-02 10:25:32 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,7212 - [DOS]
Fri, 2011-09-02 10:25:33 - Send E-mail Success!
Fri, 2011-09-02 13:25:53 - TCP Packet - Source:219.94.198.229,28597 Destination:123.123.123.123,80 - [HTTP rule match]
Fri, 2011-09-02 15:22:06 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,8088 - [DOS]
Fri, 2011-09-02 15:22:07 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,8008 - [DOS]
Fri, 2011-09-02 15:22:07 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,73 - [DOS]
Fri, 2011-09-02 15:22:07 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,7212 - [DOS]
Fri, 2011-09-02 15:22:07 - Send E-mail Success!
Fri, 2011-09-02 18:38:09 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,8008 - [DOS]
Fri, 2011-09-02 18:38:09 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,73 - [DOS]
Fri, 2011-09-02 18:38:09 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,7212 - [DOS]
Fri, 2011-09-02 18:38:09 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,6588 - [DOS]
Fri, 2011-09-02 18:38:09 - Send E-mail Success!


Sometimes there are only a few lines but sometimes there are loads.

Is this normal traffic, or am I being targeted?

Any comment/help appreciated.


JTD
Sat 03/09/11 at 18:11
Regular
"Ctrl, Alt, Woof"
Posts: 212
Thanks for the comments Hmmm...

The default user and password have been changed and are fairly strong. Plus it doesn't respond to pings.

I've done 'research' on the IPs and like you say there have been a lot of complaints about the China one, but there doesn't appear to be much you can do about it.

I did think there should be a blacklist function on the router but I can't seem to find one.

I'm sure none of the attacks have been successful but I was a bit surprised by the amount of traffic if it is just coming from random sweeps and probes.

I'll lower my 'worried level' to cautious.

cheers

JTD
Sat 03/09/11 at 09:52
Moderator
"Are you sure?"
Posts: 5,000
Hi JTD,
It can look worrying when you see that type of traffic.
Hopefully it's normal '(!) ping sweeps, scans & probes' going on and nothing out of the ordinary.

The 221.192 (China) address has quite a few misuse reports against it!

I can remember back in the day when I was using a modem rather than a router - the PC firewall then had to work overtime stopping this sort of traffic, now the router's NAT firewall stops it before it reaches the PC.

What I can recommend is that you make sure you've changed the default router userid and password.

In the last few months I've seen two (both Netgear) successful malicious attacks where the DNS settings in the router are changed remotely.

At first this looks like your local PC (or MAC!) is infected as Google searches etc. are hijacked and it sends you to all sorts of dodgy sites. But it's actually the router that's 'infected' with this set of malicious DNS entries!

Hmmm...

EDIT:
It also looks as if you have some options to 'blacklist' incoming IP addresses - so this might be something to look at if you keep seeing the same 'people'.
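As an added illustration (this is not code from the thread, from Netgear or from Freeola), the script below parses the DGN2000 e-mail log format quoted in the first post, counts hits per source IP and per rule label, and flags sources that hit the WAN address repeatedly across several destination ports, which is the "same 'people' keep showing up" pattern Hmmm... suggests checking before using the router's blacklist option. The line format regex is inferred from the quoted lines only, the sample lines are copied from the post (with the poster's placeholder destination address), and the thresholds in `repeat_offenders` are assumptions, not router defaults. Note that the router labels the single-source, multi-port bursts as [DOS], but four packets in the same second from one source port to four different destination ports is more consistent with a port probe than with a volumetric denial-of-service, so the label alone is a poor reason to worry.

```python
import re
from collections import Counter, defaultdict

# Sample lines copied from the router e-mail extract quoted in the thread.
# The destination 123.123.123.123 is the poster's placeholder, not a real target.
SAMPLE_LOG = """\
Thu, 2011-09-01 21:18:04 - TCP Packet - Source:82.196.2.42,37357 Destination:123.123.123.123,443 - [HTTPS rule match]
Thu, 2011-09-01 21:47:25 - TCP Packet - Source:89.235.6.106,26010 Destination:123.123.123.123,443 - [HTTPS rule match]
Fri, 2011-09-02 04:40:49 - TCP Packet - Source:208.67.200.196,54371 Destination:123.123.123.123,80 - [HTTP rule match]
Fri, 2011-09-02 05:14:31 - TCP Packet - Source:184.95.34.90,4620 Destination:123.123.123.123, 8088 - [DOS]
Fri, 2011-09-02 05:30:38 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,73 - [DOS]
Fri, 2011-09-02 05:30:39 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,7212 - [DOS]
Fri, 2011-09-02 05:30:39 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,6588 - [DOS]
Fri, 2011-09-02 05:30:39 - Send E-mail Success!
Fri, 2011-09-02 10:25:32 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,7212 - [DOS]
Fri, 2011-09-02 13:25:53 - TCP Packet - Source:219.94.198.229,28597 Destination:123.123.123.123,80 - [HTTP rule match]
Fri, 2011-09-02 15:22:06 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,8088 - [DOS]
Fri, 2011-09-02 15:22:07 - TCP Packet - Source:221.192.199.49,12200 Destination:123.123.123.123,8008 - [DOS]
"""

# Field layout inferred from the quoted lines (assumption: the router always
# writes it this way). The "\s*" after each comma absorbs the stray space seen
# in the ", 8088" line.
LINE_RE = re.compile(
    r"^(?P<day>\w{3}), (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>\w+) Packet - "
    r"Source:(?P<src>[\d.]+),\s*(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),\s*(?P<dport>\d+) - "
    r"\[(?P<rule>[^\]]+)\]$"
)


def parse_log(text):
    """Return one dict per packet line; status lines such as
    'Send E-mail Success!' do not match and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def summarise(events):
    """Hits per source IP, hits per rule label, and the sorted set of
    destination ports each source touched."""
    by_src = Counter(e["src"] for e in events)
    by_rule = Counter(e["rule"] for e in events)
    ports_by_src = defaultdict(set)
    for e in events:
        ports_by_src[e["src"]].add(e["dport"])
    return by_src, by_rule, {s: sorted(p) for s, p in ports_by_src.items()}


def repeat_offenders(events, min_hits=3, min_ports=2):
    """Sources worth a closer look (and a candidate for the router's IP
    blacklist): they hit the WAN address at least min_hits times AND across
    at least min_ports distinct ports. Thresholds are assumptions; a single
    hit on 80 or 443 from a one-off address is ordinary background noise."""
    by_src, _, ports_by_src = summarise(events)
    return sorted(
        src for src, n in by_src.items()
        if n >= min_hits and len(ports_by_src[src]) >= min_ports
    )


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    by_src, by_rule, ports = summarise(evts)
    print("packets parsed:", len(evts))
    print("by rule:", dict(by_rule))
    for src, n in by_src.most_common():
        print(f"{src:16} hits={n:2} ports={ports[src]}")
    print("repeat offenders:", repeat_offenders(evts))
```

Run against the quoted extract, only 221.192.199.49 clears both thresholds (six hits over five ports); every other source appears once on a single well-known port. That is the kind of evidence that justifies adding one address to a router blacklist, while the rest is the background scanning the moderator describes.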
