Old 12-26-2006, 05:31 PM   #1
Member (11 bit)
 
Join Date: Jul 2006
Location: UK
Posts: 1,220
Router security log....?

I just checked the security log for our new wireless router and there are a lot of records for "TCP FIN Scan" and "IP Spoofing".

Are these attempts at accessing the network?

Anything to worry about?
__________________

** Custom Desktop: Core i3-530, 4GB Corsair RAM, 500GB WD HDD **
** Netbook: HP Mini 210 **
AnotherMuggle is offline   Reply With Quote
Old 12-26-2006, 06:24 PM   #2
Member (13 bit)
 
Join Date: Mar 1999
Posts: 6,789
Are these coming from external sources or from clients on your network?
Floppyman is offline   Reply With Quote
Old 12-27-2006, 07:18 AM   #3
Member (11 bit)
 
Join Date: Jul 2006
Location: UK
Posts: 1,220
The IP Spoofing is inbound from the WAN and the TCP FIN Scan is going outbound from my sister's IP address.

I have switched back to the wired router and it is also logging similar behaviour.

Here is a small section of my security log on the hard-wired router:
strangePackets.txt

Last edited by AnotherMuggle; 12-27-2006 at 07:24 AM.
AnotherMuggle is offline   Reply With Quote
Old 12-30-2006, 01:31 PM   #4
Member (11 bit)
 
Join Date: Jul 2006
Location: UK
Posts: 1,220
Does anyone have any suggestions on this? I am a little stuck for who I can talk to.

NTL claim it's nothing to do with them and Belkin don't seem keen to help either.
AnotherMuggle is offline   Reply With Quote
Old 12-30-2006, 01:33 PM   #5
Member (9 bit)
 
Join Date: May 2006
Location: Spokane, WA
Posts: 367
Is this JUST a home network? Do you have a VPN connection or anything like that? UDP is typically a VPN or remote connection protocol.

First thing I would suggest is to close any ports on that router. By default, ports should be closed from the factory, so start with a reset.
__________________

Last edited by telegramsam; 12-30-2006 at 01:43 PM.
telegramsam is offline   Reply With Quote
Old 12-30-2006, 02:33 PM   #6
Member (11 bit)
 
Join Date: Jul 2006
Location: UK
Posts: 1,220
Quote:
Originally Posted by telegramsam
Is this JUST a home network? Do you have a VPN connection or anything like that? UDP is typically a VPN or remote connection protocol.

First thing I would suggest is to close any ports on that router. By default, ports should be closed from the factory, so start with a reset.
Thanks for getting back to me. I am having the same issues with 2 different routers: 1 hardwired (set up to use a VPN for my mum's work) and 1 that is a wireless router. They are both logging these things in the firewall.
AnotherMuggle is offline   Reply With Quote
Old 12-31-2006, 02:30 PM   #7
Member (9 bit)
 
Join Date: May 2006
Location: Spokane, WA
Posts: 367
OK, I missed the VPN thing;
UDP is a VPN protocol, which is normal.

Keep malware and virus scanners running. I don't think you really have anything to worry about.

Last edited by telegramsam; 12-31-2006 at 02:32 PM.
telegramsam is offline   Reply With Quote
Old 12-31-2006, 05:08 PM   #8
Member (11 bit)
 
Join Date: Jul 2006
Location: UK
Posts: 1,220
I have done a little more research and it looks like the address for the "TCP FIN Scan" is for the website www.bebo.com, which my sister regularly uses. This log is always from her IP address, but I don't understand why it is being caught by the firewall.

The IP address that is being logged as "IP Spoofing" is going to our ISP. Again I can't understand why this would be caught in the firewall.

Here is a log file from the other router (which is currently in use - no VPN):
security.txt

Thanks for your help telegramsam
AnotherMuggle is offline   Reply With Quote
Old 12-31-2006, 06:02 PM   #9
Member (9 bit)
 
Join Date: May 2006
Location: Spokane, WA
Posts: 367
IP Spoofing is a term that is generally used to describe how 2 or more computers share a single WAN IP. But it's also a pretty well known hacking tool.

So I'm not exactly sure what to think about this.

Where is the 127.0.0.1 IP coming from? That's structured like an inside IP...but it appears that your IP scheme is 192.168....

Run an ipconfig on all of your machines so you know what their inside addresses are.
telegramsam is offline   Reply With Quote
Old 12-31-2006, 06:32 PM   #10
Member (11 bit)
 
Join Date: Jul 2006
Location: UK
Posts: 1,220
I have set the router's DHCP so that it can only dish out 2 addresses, one for each machine on the network...192.168.2.2 and 192.168.2.3.

I have no idea where the 127.0.0.1 address is coming from. I have done a DNS lookup on it and all it says is that it's an internet assigned address.
AnotherMuggle is offline   Reply With Quote
Old 12-31-2006, 06:54 PM   #11
Telcom Tech
 
Join Date: Feb 2002
Location: Western, Pa.
Posts: 5,409
127.0.0.1 is an internal IP address that I believe is used by Windows and/or any PC with TCP/IP protocol installed, for things like testing to see if the IP stack is working properly. I know I've used it to ping and it's somehow kind of like pinging yourself and shows that at least your IP stack and NIC card are working properly from your PC's internal perspective. I am pretty certain it is not an internet assigned IP address, it is reserved for the IP stack, much like 10.x.x.x and 192.168.x.x are reserved private addresses and will never be found out on the internet. You can prove this by unplugging your network connection and you should still be able to ping 127.0.0.1.
__________________
If it ain't broke, "TWEAK IT"

Last edited by ktkendall; 12-31-2006 at 07:00 PM.
ktkendall is offline   Reply With Quote
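Added example (not from the thread or any poster): a small Python triage of router security-log lines that sorts each source address into the classes post #11 describes (loopback, reserved private, everything else) and checks LAN sources against the two DHCP leases from post #10. The log line format and all sample entries are constructed, since the attached logs are not shown.

```python
import ipaddress
import re

# Constructed sample lines. The thread's log attachments are not shown, so this
# line format is an assumption; public hosts use documentation address ranges.
SAMPLE_LOG = """\
12/31/2006 17:40:02 **IP Spoofing** 127.0.0.1, 1035 -> 192.0.2.10, 53 (from WAN Inbound)
12/31/2006 17:41:15 **TCP FIN Scan** 192.168.2.3, 1422 -> 198.51.100.7, 80 (from LAN Outbound)
12/31/2006 17:44:51 **IP Spoofing** 10.12.0.1, 67 -> 255.255.255.255, 68 (from WAN Inbound)
12/31/2006 17:45:09 **Smurf** 203.0.113.5, 0 -> 192.168.2.255, 0 (from WAN Inbound)
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The two DHCP leases mentioned in post #10.
KNOWN_LAN_HOSTS = {ipaddress.ip_address("192.168.2.2"),
                   ipaddress.ip_address("192.168.2.3")}

LINE_RE = re.compile(
    r"\*\*(?P<event>[^*]+)\*\*\s+(?P<src>[\d.]+),\s*\d+\s*->\s*"
    r"(?P<dst>[\d.]+),\s*\d+\s*\(from (?P<side>WAN|LAN) (?:Inbound|Outbound)\)"
)

def classify(addr):
    """Return the address class used for triage."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip in KNOWN_LAN_HOSTS:
        return "known-lan-host"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def triage(log_text):
    """Parse each log line and attach a short note about its source address."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src_class = classify(m["src"])
        if m["side"] == "WAN" and src_class != "public":
            note = "non-routable source on WAN side"
        elif m["side"] == "LAN" and src_class != "known-lan-host":
            note = "LAN source is not a known DHCP client"
        elif m["side"] == "LAN":
            note = "from a known DHCP client"
        else:
            note = "public source logged at WAN"
        rows.append((m["event"], m["src"], src_class, note))
    return rows
```

Calling `triage(SAMPLE_LOG)` returns one tuple per parsed line; a loopback or private source on the WAN side may be bogus traffic or ISP-internal equipment, so the note flags it for a closer look rather than labelling it an attack.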
Old 12-31-2006, 07:05 PM   #12
Member (11 bit)
 
Join Date: Jul 2006
Location: UK
Posts: 1,220
Quote:
Originally Posted by ktkendall
127.0.0.1 is an internal IP address that I believe is used by Windows for things like testing to see if the IP stack is working properly. I know I've used it to ping and it's somehow kind of like pinging yourself and shows that at least your IP stack and NIC card are working properly from your PC's internal perspective. I am pretty certain it is not an internet assigned IP address, it is reserved for the IP stack, much like 10.x.x.x and 192.168.x.x are reserved private addresses and will never be found out on the internet.
My apologies, http://www.arin.net/whois/ says "Internet Assigned Numbers Authority", my mistake.

I just checked again and the firewall is still logging TCP FIN Scan and IP Spoofing, and it seems to be for various different IP addresses.
AnotherMuggle is offline   Reply With Quote
Old 12-31-2006, 07:21 PM   #13
Telcom Tech
 
Join Date: Feb 2002
Location: Western, Pa.
Posts: 5,409
Looking at the log file you posted, it looks like the ones with 127.0.0.1 might be your router rejecting requests coming in on the WAN port, or in other words it looks to me like it might be the router's internal hardware firewall doing its job and protecting you from those unwanted WAN requests.
ktkendall is offline   Reply With Quote
Old 01-01-2007, 11:19 AM   #14
Member (11 bit)
 
Join Date: Jul 2006
Location: UK
Posts: 1,220
Latest Update:
The firewall is now logging "Smurf" attacks.

I am a little concerned about all these things that are getting logged. Can anyone suggest what I should do to get to the bottom of this? I have phoned my ISP and they have said it is not something they can help with.
AnotherMuggle is offline   Reply With Quote
Old 01-01-2007, 12:48 PM   #15
glc
Forum Administrator
Staff
Premium Member
 
Join Date: May 2000
Location: Joplin MO
Posts: 36,460
Let the firewall do its job and stop worrying. This is like obsessing about CPU temperatures.
glc is offline   Reply With Quote
Old 01-01-2007, 03:44 PM   #16
Member (11 bit)
 
Join Date: Jul 2006
Location: UK
Posts: 1,220
Quote:
Originally Posted by glc
Let the firewall do its job and stop worrying. This is like obsessing about CPU temperatures.
OK glc, I trust your judgement and will leave it at that, but I'm keen to be using the internet in the safest way possible. I've heard so many nightmare stories that I'm probably a little overcautious.

Thanks, Tom.
AnotherMuggle is offline   Reply With Quote
Old 01-01-2007, 04:59 PM   #17
glc
Forum Administrator
Staff
Premium Member
 
Join Date: May 2000
Location: Joplin MO
Posts: 36,460
If you want another line of defense, then install a good 3rd party software firewall such as Zone Alarm. Note that this will cause file and print sharing headaches. The XP SP2 firewall is an excellent firewall for blocking incoming if you carefully configure the exception list, but does not monitor outgoing.
glc is offline   Reply With Quote