Under attack ... or not? Trying to understand. - Routers

Hi,

For a few days now I have been noticing excessive access attempts to my home network,
which is simply a router, a few PCs (mostly just my laptop running) and a
Buffalo Terastation server. I noticed this accidentally, I forgot why I
checked the router's log.
My SMC networks router logs entries like this:
2008/07/20 15:15:26 : Blocked access attempt from XXX.21.16.27
(obscured IP, I don't want bad people to link their break-in attempts (their
IP) to this post for help. XXX is hundred seventy two btw)
At a certain point I noticed hundreds per minute coming in, really crazy.
When I checked IPs, I noticed they came from Singapore, China etc.
The fact that I see them as blocked is good I guess, but obviously I am
scared that some of them also get through, maybe not even logged as such.
My laptop has a software firewall as well and I must say I have not seen any
incoming attempts there.
I'm keeping an eye on my Buffalo nat server's "user access status" and only
my laptop's IP is listed there.
So I'm relatively confident that I'm safe yet not entirely sure of course
and I must say I don't completely understand the situation.
The way I understand routers, a request from a LAN system must go to the WAN
(external IP) in order for the router to allow incoming packets from that
external IP to get through, and get routed to the correct machine in the
So I have this older Topcom router still lying around and I tried the
following. I put it in the first line of defense, behind my cable modem,
before my SMC router.
I tested stealthiness via www.grc.com and I was given an all OK.
Not long after I started to get all these blocked access attempts again on
my SMC router (log).
THAT freaked me out ... why were all these login attempts getting through
the first router!!!!!
Again, the way I understand routers is that if the request comes from within
(LAN), packets are let through from WAN to LAN (port and IP appropriately
changed by the router). Obvious questions started to torment my mind:
So why was router 1 letting them through and not router 2?
Is my PC infected with malware and ARE there in fact requests coming from my
However, that doesn't make sense then, as router 2 is still blocking them?
Or are there also packets getting through?
Not to my laptop, because my software firewall doesn't see them ... so is
there access possible to my TeraServer??
How do I check that? The server log sees only one IP (my LAN IP) logged
Since yesterday night suddenly everything stopped. Still using the same
setup. I'm not sure if router 1 is blocking out a lot of the attempts now
(its log is crap and hard to make sense of). I do see the same login
attempts failing from time to time, but the frequency is now low, once every
hour for instance.
Another thing that puzzled me is that I powered down my modem a full night
(Fri to Sat) and I was assigned a new IP the next morning (I assumed that
would put things to an end) however the login frenzy started quasi
immediately after I had powered up router and laptop.
Again, the latter made me think that maybe it's malware on my laptop, because
the break-in attempts are/were following me to my new IP. I have scanned my
PC several times by now with the latest signatures (Kaspersky) and nothing
has been found so far. I also used Ewido to check for malware (nothing).
This is getting lengthy but I'm trying to give all the facts, if not
interesting, then at least therapeutic for me, to get it off my chest :-))
One LAST thing. I closed Trillian (which I use to combine MSN and ICQ)
because I figured they could possibly be used to obtain my IP as well.
Suppose someone's out there targeting me and checking my IP via ICQ each
Not long after the attacks did indeed stop, yet I still have the same IP,
powering down the modem last night did not yield a new IP unfortunately.
I have not yet dared restarting Trillian, though I should, to ascertain its
importance or not.
First I want some feedback, ideas, am I under attack and/or am I worried for
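The post quotes one line of the SMC router's log and describes the pattern by feel ("hundreds per minute", "once every hour"). A quick way to get actual numbers out of such a log, and to tell a scattered background of blocked probes from a burst aimed at one address, is to parse the lines and count them per source and per minute. The script below is an added example and is not from the post or from SMC; it assumes every block entry has exactly the format of the quoted line (`YYYY/MM/DD HH:MM:SS : Blocked access attempt from A.B.C.D`), and the sample log and its addresses (RFC 5737 documentation ranges) are constructed here.

```python
"""Triage a consumer router's "Blocked access attempt" log.

Added example (not the poster's or the router vendor's code). Assumes the
log format matches the single line quoted in the post; anything else is
skipped. Addresses in SAMPLE_LOG are constructed placeholders.
"""
import re
from collections import Counter
from datetime import datetime

# One log entry per line: timestamp, " : ", fixed message, source IPv4.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) : "
    r"Blocked access attempt from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: a burst from one host inside a single minute,
# a couple of isolated probes, and one malformed line to be skipped.
SAMPLE_LOG = """\
2008/07/20 15:15:26 : Blocked access attempt from 203.0.113.27
2008/07/20 15:15:26 : Blocked access attempt from 203.0.113.27
2008/07/20 15:15:27 : Blocked access attempt from 203.0.113.27
2008/07/20 15:15:27 : Blocked access attempt from 198.51.100.8
2008/07/20 15:15:28 : Blocked access attempt from 203.0.113.27
2008/07/20 15:15:59 : Blocked access attempt from 203.0.113.27
2008/07/20 15:16:03 : Blocked access attempt from 203.0.113.27
this line is not a block entry and is skipped
2008/07/20 16:20:01 : Blocked access attempt from 192.0.2.44
"""


def parse_log(text):
    """Return a list of (datetime, source_ip) for every well-formed entry."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log noise, keep going
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        events.append((ts, m.group("src")))
    return events


def per_source(events):
    """Blocked attempts per source address (a Counter)."""
    return Counter(src for _, src in events)


def per_minute(events):
    """Blocked attempts per calendar minute, keyed by the minute start."""
    return Counter(ts.replace(second=0) for ts, _ in events)


def bursts(events, threshold):
    """Minutes in which at least `threshold` attempts were blocked."""
    return sorted((m, c) for m, c in per_minute(events).items() if c >= threshold)


def triage(text, threshold=5):
    """Summarise a log: totals, top sources, bursty minutes, time span."""
    events = parse_log(text)
    return {
        "total": len(events),
        "sources": per_source(events),
        "bursts": bursts(events, threshold),
        "first": events[0][0] if events else None,
        "last": events[-1][0] if events else None,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} blocked attempts between "
          f"{report['first']} and {report['last']}")
    for src, n in report["sources"].most_common():
        print(f"  {src:<16} {n}")
    for minute, n in report["bursts"]:
        print(f"burst: {n} attempts in the minute starting {minute}")
```

Reading the output against the post's questions: a handful of addresses each appearing once an hour is the ordinary background of blocked probes any public IP receives, while one source producing a burst of hundreds in a minute is worth noting by address and time so it can be compared with the router's own connection list or the NAS access log. Feed the real log in place of `SAMPLE_LOG` (for example `triage(open("router.log").read())`) and raise `threshold` to whatever "crazy" means for your link.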