D-Link Forums

The Graveyard - Products No Longer Supported => Routers / COVR => DIR-615 => Topic started by: stubbie on January 21, 2011, 01:15:37 AM

Title: Xmas port scan attack from WAN
Post by: stubbie on January 21, 2011, 01:15:37 AM

I'm on my 3rd Virgin media 615 today, the last one arrived yesterday and I opened the box to fine a rev d with old bios installed, throw hands in air and all that and then proceeded to upgrade to 4.13 which I have found to be stable and work ok, the other two grow to have the wireless failure issue, I could moan here about VM but hey there's no point so I have come here for advise

after I found the last one wireless going down, daily trips from the kids down to me to ask why the internet isn't working etc etc I started to investigate, I found the 4.13 and gened up a bit, looked at the 3rd party code and came back to Dlinks own code, anyway I have seen in the last few days hundreds of similar port scans

Jan 21 05:55:42    Xmas port scan attack from WAN (ip:79.98.8.14) detected.
Jan 21 05:55:23    Xmas port scan attack from WAN (ip:208.71.159.145) detected.
Jan 21 05:54:55    Xmas port scan attack from WAN (ip:208.71.159.145) detected.
Jan 21 05:54:30    Xmas port scan attack from WAN (ip:79.98.8.14) detected.
Jan 21 08:02:52    Xmas port scan attack from WAN (ip:208.71.159.145) detected.

Now is the the router being a little sensitive to harmless software companys scans
to see if products installed etc or are they something to worry about

now I know whats going on if its the latter, and I don't think anyones got in yet but I would like to ban
these ip's and to be honest I'm not sure of the best way

also I noted a UDP active session that not a part of my subnet too mine being a standard 192.168.0.*
and the other being 192.168.4.*

so anyway I thought I would ask for some security help as if you don't ask and all that :)

is the a security help page that anyone can recommend that could maybe help me discover
how to help myself here

anyway thanks for reading this and for any info / help that anyone can offer

Title: Re: Xmas port scan attack from WAN
Post by: stubbie on January 23, 2011, 07:12:53 AM

anyone ?

Title: Re: Xmas port scan attack from WAN
Post by: Jasu on January 23, 2011, 09:44:41 AM

When I was running my Dir-615 with D-Link firmware I got about 50-100 Xmas-scan reports per day. Scanning with Nmap's Xmas-scan however did not trigger Dir-615 to log any Xmas-scans. I think the router is just too sensitive and falsely reporting some single connection attempts as Xmas-scan.

I have noted that at least the use of uTorrent causes some IP-spoofing cases to be logged. As in your case, the "attacks" are coming from 192.168.0.0/16 address block, usually from addresses that I don't use. And yes, the IP-spoofing connections originate from WAN.

I think you have nothing to worry about.