D-Link Forums
The Graveyard - Products No Longer Supported => Routers / COVR => DIR-655 => Topic started by: DirtyDawg on February 13, 2010, 02:44:32 AM
-
[INFO] Sat Feb 13 04:34:44 2010 Blocked incoming ICMP error message (ICMP type 11) from xx.xxx.xx.xx to xx.xxx.xxx.xx as there is no TCP connection active between xx.xxx.xxx.xx:xxxxx and xxx.xx.xxx.xx:xx
I took the ip addresses out for obvious reasons, but what the heck is going on here? Can someone give me some help stopping this? This type of thing is beginning to happen multiple times a day and I'm not familiar enough with the settings for this type of router to fix this. Hopefully it is a setting and one of you can give me some info as to how to straighten this out. I called my ISP the other day kind of blaming them for this crap before I even looked in the logs of the 655. Is there any way to stop this short of getting another router? Thanks.
-
Have you even looked at what this ICMP type 11 is? If you had just used Google, you would have found out that this is:
Type 11 Time Exceeded Used in traceroute, probes
So probably your IP is being probed, but since you left out all the IP details it is impossible to say whether there's probing from inside your LAN or from the WAN side.
Anyway, the error itself is absolutely not something to worry about and you should be thankful your router is functioning like it should!
-
Hey, I appreciate your input. Is it really normal for the service to stop every time this happens? Every time (well maybe 75% of the time) I see my service go out (and the modem lights are blinking in such a way that it indicates service has been interrupted), I look in the log and I see that message in the log that I put in my original post. I took a look at the unfamiliar ip address and it turned out to be from China (according to WHOIS), so you're probably right about the probing, but should it interrupt my service? I don't think it should, should it?
:) I don't always think about googling. Thanks for the reminder that google is my friend :).
Any further input?
-
ICMP can be enabled if it is required by your ISP (although I do not know why) or you just want the router to be pingable.
Advanced > Advanced Network > WAN Ping
-
Network load can bring down any router or service simply by overflowing the device's memory
-
Absolutely not. No, I don't want the router answering ping requests, not from outside of the LAN anyway. Any kind of security equipment, such as a router, would need to silently ignore that, I would think. In fact, there is this site dedicated to helping individuals (and individuals' machines) stay silent while they are online. www.grc.com is that site, and I have been going there for years to make sure that my machine (including any routers, or software firewalls...etc.) is running silently and I'm not broadcasting to any potential hackers that my system is vulnerable. Thanks for your input.
-
They would first have to know that there was a vulnerable system somewhere, wouldn't they? That is exactly why I don't broadcast any ip addresses that are associated with my machine and/or ISP. I've gone to a certain site called www.grc.com for years to make sure my security is set up right, be it router or software. It has served me very well going there. Thanks for your input.
-
Which is quite easy when your client is infected.
And they can trace your IP anyway, unless you use proxy servers. GRC is a good site for the general public, but the tips are no remedy against a die hard hacker.
-
You broadcast your IP anywhere you go on the WWW and anytime you download a file, check email, etc.
You broadcast your IP through every hop of the route to whatever you do on the WWW.
ICMP ping through the router is just the router replying, not your PCs.
-
Thanks for the input. I kind of figured that it was the router either answering/or NOT, as all of the household systems are behind the router's firewall, and each system has its own LAN IP address. I also, in the back of my head anyway, know that the Internet ip address assigned by the isp is broadcasted pretty much everywhere I go on the WWW. However, this is the first time that I've been able to associate ISP service being interrupted and remain that way for quite a long period, and someone trying to gain access to my ISP's IP address. I've been online for many many years, had multiple "different" routers...etc., and my service has never been interrupted in this manner before. I guess there is nothing I can do about it? Is that right? Maybe report the foreign IP address to my provider?
-
There's a first time for everything. Past experience has no value towards the future...
You can report it, but that's like bringing water to the sea...
-
;D Good point. I'd like to know what they have to say about it though. I'll just tell them that the constant interruptions of service are linked to that and if they ask for the IP addresses, then I'll fork em over.
Thanks for your input.
-
Ok, talked to my ISP and they checked their logs in association with my modem (which is connected obviously to their system) and they don't show any interruption of service going to the modem at all. It hasn't reset or anything of that sort. So the router must be cutting service between itself and the modem preventing internet service. At the same time though, I still have access on the LAN side. Isn't that a little odd? Well to me it is. When this problem occurs, I can see on the router status page that there is NO IP ADDRESS (the internet side) no default gateway...nothing in relation to my ISP in the router page at all. But I can still do things via the LAN. Does this mean that the router maintains the "internet side" IP address in memory somewhere without it being shown on the router "Status" page? Otherwise how could there be any activity on the LAN side? Isn't that dependent on the router having an IP address from my ISP? I'm a little confused here. ??? :-\
-
What firmware are you using on the router?
-
Firmware Version is 1.21 - Hardware Version is A4 just in case you need that as well. I sure hope you're not thinking of telling me I need to upgrade. I would of course if it is necessary, but am a little leery from all of the problems described on this forum from some of those that have upgraded.
Thanks for your input.
-
Ok, this is a little scary here. None of my devices on my LAN have an address even close to the 192.168.100.11. They all range from 192.168.0.199 - 192.168.0.253. Also that below was logged when all of my systems were sleeping, and I was asleep as well, so the WAN interface cable WAS NOT disconnected (well not physically anyway). So would the log read like that if the router was having trouble identifying whether anything was plugged into it or not? Also, could this possibly be a hacking attempt picked up by the router? Some input here would be great, thanks.
Edit: I forgot to mention all of the addresses on my LAN are reserved addresses that NEVER expire.
[INFO] Sun Feb 14 21:37:58 2010 Dropped packet from 192.168.100.11 to 255.255.255.255 (IP protocol 17) as unable to create new session
[INFO] Sun Feb 14 21:37:58 2010 WAN interface speed measurement aborted as they did not converge
[INFO] Sun Feb 14 21:37:25 2010 Estimating speed of WAN interface
[INFO] Sun Feb 14 21:37:24 2010 Obtained IP Address using DHCP. IP address is 192.168.100.11
[INFO] Sun Feb 14 21:37:22 2010 Bringing up WAN using DHCP
[INFO] Sun Feb 14 21:37:22 2010 WAN interface cable has been connected
[INFO] Sun Feb 14 21:37:20 2010 WAN interface cable has been disconnected
-
Unsecured wireless? Please more info on your settings.
-
My wireless settings are secure. How do you upload an image here anyway? If I knew how to do that I could upload the settings page here.
Well in case there is no way to send the settings page here. Wireless is set to WPA-Personal - WPA MODE - wpa2only cypher type is aes....I also have a huge SHARED PASSKEY set up. It is as secure as it's going to be I think. If you need any other info, please let me know. Thanks for your input.
-
Then there's nothing to worry about.
-
Ok then, thanks. So nothing in the log strikes you as a little weird/surprising?
-
As long as it says dropped or blocked....yes you are safe
-
disable the wireless and see if those entries continue.
-
Thanks for your input Lycan. As you can see below, I disconnected the wireless but I still get them.
[INFO] Wed Feb 17 13:01:19 2010 Allowed configuration authentication by IP address 192.168.0.199
[INFO] Wed Feb 17 13:01:05 2010 Blocked incoming TCP connection request from 221.195.73.86:12200 to 68.102.210.73:1080
[INFO] Wed Feb 17 13:00:56 2010 Blocked incoming TCP connection request from 221.195.73.86:12200 to 68.102.210.73:8000
[INFO] Wed Feb 17 12:59:45 2010 Log viewed by IP address 192.168.0.199
[INFO] Wed Feb 17 12:59:31 2010 Stored configuration to non-volatile memory
[INFO] Wed Feb 17 12:59:30 2010 Wireless link is down
[INFO] Wed Feb 17 12:59:30 2010 Wireless shut down
[INFO] Wed Feb 17 12:59:30 2010 Disconnect all stations
-
Wow, I just found out what is needed to stop those attempted hacking entries (if that's in fact what they are). The only way I could stop them is disable UPnP???? Isn't this option REQUIRED to be enabled in order to use the Media Extender?
Thanks for any input.
-
C*R*A*P*!!!! They're back. So scratch that theory :'(.
-
The only way to stop the hacker entries is to stop the hackers themselves.
That 221 address comes from China.
Go ahead and leave the UPnP enabled.
-
Yes, I have many ip addresses originating from China of people trying to hack into my network. They have nothing better to do I guess? ;D I'm just glad that this is a solid router capable of keeping them out. Thanks for your input.
-
http://www.neowin.net/news/two-chinese-schools-identified-over-the-attacks-that-targeted-google
Interesting read.... FYI....
-
Yes, I heard a little bit about this on ABC World News about a week ago. I thought the military side of things on that report was kind of interesting.
-
Ok, in case someone else had the entry in the log pertaining to "WAN Interface cable has been disconnected" and they couldn't figure out what was going on, I stumbled upon a possible fix and wanted to share it. After I forced the WAN Port Speed to 1000Mbps, I no longer have problems with disconnects, nor do I see that entry in my log anymore. Of course your network system needs to have that speed capability first before changing it, but if your network system does, then this might be a fix for you.
I did a Google search on "WAN Interface cable has been disconnected" and found this fix (for me).
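-
Added example (not part of any post in this thread, and not D-Link code): a small Python script that parses router log lines in the format quoted above and checks whether each "WAN interface cable has been disconnected" entry was preceded by blocked inbound traffic, which is the question the thread keeps circling. The function names and the 5-minute window are assumptions made for illustration; the sample lines are copied from the posts above.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Log lines copied from the posts in this thread (newest first, as the router shows them).
SAMPLE_LOG = """\
[INFO] Wed Feb 17 13:01:05 2010 Blocked incoming TCP connection request from 221.195.73.86:12200 to 68.102.210.73:1080
[INFO] Wed Feb 17 13:00:56 2010 Blocked incoming TCP connection request from 221.195.73.86:12200 to 68.102.210.73:8000
[INFO] Sun Feb 14 21:37:24 2010 Obtained IP Address using DHCP. IP address is 192.168.100.11
[INFO] Sun Feb 14 21:37:22 2010 WAN interface cable has been connected
[INFO] Sun Feb 14 21:37:20 2010 WAN interface cable has been disconnected
"""

LINE_RE = re.compile(r"^\[(\w+)\] (\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (.*)$")
LEASE_RE = re.compile(r"Obtained IP Address using DHCP\. IP address is (\S+)")

def parse(log_text):
    """Return (timestamp, message) tuples sorted oldest first."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(2), "%a %b %d %H:%M:%S %Y")
            entries.append((ts, m.group(3)))
    return sorted(entries)

def correlate(entries, window=timedelta(minutes=5)):
    """For each WAN link drop, list blocked-inbound entries in the preceding window."""
    blocked = [(ts, msg) for ts, msg in entries if msg.startswith("Blocked incoming")]
    report = []
    for ts, msg in entries:
        if msg == "WAN interface cable has been disconnected":
            near = [b for b in blocked if timedelta(0) <= ts - b[0] <= window]
            report.append((ts, near))
    return report

def private_wan_leases(entries):
    """WAN DHCP leases in private address space (not a public ISP address)."""
    leases = [LEASE_RE.search(msg) for _, msg in entries]
    return [m.group(1) for m in leases if m and ipaddress.ip_address(m.group(1)).is_private]

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for ts, near in correlate(entries):
        print(ts, "link drop;", len(near), "blocked inbound entries in the 5 min before")
    print("private WAN leases:", private_wan_leases(entries))
```

On the lines quoted in this thread, the link drop has no blocked inbound entry in the window before it, and the WAN lease that follows it is a private address.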