Author Topic: Port Scan From China  (Read 10370 times)

MintBubbleSpawn

  • Level 2 Member
  • **
  • Posts: 28
Port Scan From China
« on: May 06, 2011, 03:31:41 PM »

Over 600 scan attempts in 1 day from these IPs. In all of the reports, the 4500's firewall has blocked the TCP connection attempt. The IPs listed are the ones in question. I googled them, and others are saying it's a port scan attempt from China?

I am wondering if there is a setting on the 4500 that I can put these IPs into that will prevent them even trying, and filling up my log list daily?

221.192.199.43 , 221.194.46.176 , 221.1.220.185

« Last Edit: May 06, 2011, 04:51:02 PM by MintBubbleSpawn »

LookIntoMyEyees

  • Level 5 Member
  • *****
  • Posts: 619
  • Let me lend you a hand & solutions shall follow.
Re: Port Scan From China
« Reply #1 on: May 06, 2011, 08:03:31 PM »

You may. By utilizing the Inbound Filter on the DGL-4500 you can deny those ports access to the router. But what I would suggest is to just enable Anti-Spoof checking, which is located in Advance > Firewall on the DGL-4500 interface. Make sure those ports are not connections an application or site is requesting before blocking them. But if you know they are bad and want to persist with completely ignoring those ports, then just log in to the router's interface, go to Advance > Inbound Filter and fill it out. I will post a picture for you in a few min on how to do this.

Remember to hit Add on the bottom left and if prompted select save and reboot.

Edits:
I have done some research on those IP addresses and they are attacking people's ports from an IP address originating in China (based on many people and sites). Better block those and get rid of them for good. I was able to locate their web server and websites, contact information, etc. So why would a company like them be attacking random users? Anyways, next time try using this website that monitors IP addresses that fall in the block list. http://www.magic-net.info/black-list-checker.dnslookup? All three of those IPs are in this block list and many other sites.


--
Chris
« Last Edit: May 06, 2011, 08:23:11 PM by LookIntoMyEyees »
Did I Help? If So, Say So! ShHHhh!, Just LookIntoMyEyees! No one is perfect, we all make mistakes.

Hard Harry

  • Guest
Re: Port Scan From China
« Reply #2 on: May 06, 2011, 11:41:41 PM »

Correct me if I am wrong, but doesn't an inbound filter just filter them (i.e. block their traffic access)? Wouldn't that block still show in the log? If they're already being blocked, and your goal is to now have them show in your logs, then if they are coming in as "Info" entries you can just turn off Info type entries from being recorded.

As for being able to stop them from even trying? In short, no. Ironically enough, even though the Chinese government will imprison you for swearing in an email, they could give grass mud horses behind about illegal traffic coming from their country. Heck, they even sponsor it. Don't get me started on China.

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Port Scan From China
« Reply #3 on: May 07, 2011, 09:41:00 AM »

I would also use global addressing for filtering to ensure you're blocking any and all addresses for 221:
221.0.0.0 to 221.255.255.255.
You'd only need one rule entry for 221 for China.
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

LookIntoMyEyees

  • Level 5 Member
  • *****
  • Posts: 619
  • Let me lend you a hand & solutions shall follow.
Re: Port Scan From China
« Reply #4 on: May 07, 2011, 01:18:47 PM »

Quote from: FurryNutz
> I would also use global addressing for filtering to ensure you're blocking any and all addresses for 221:
> 221.0.0.0 to 221.255.255.255.
> You'd only need one rule entry for 221 for China.

FurryNutz, what you are advising him to do is block over 1000++ websites that are on that IP address range. They most probably are Chinese websites anyway, but I/we don't know that. If he does not need them then it is fine. When blocking, I think it's better to be specific on blocking what you want than blocking a whole address range. But cool of you to worry about his safety, I never thought of that type of blocking.

--
Chris

MintBubbleSpawn

  • Level 2 Member
  • **
  • Posts: 28
Re: Port Scan From China
« Reply #5 on: May 07, 2011, 02:06:27 PM »

Thanks for all the info guys... I have the block set in the inbound filter rules, like in the picture posted. I have contacted my ISP and the ISP in China about this issue. Thanks again for the insight :)

LookIntoMyEyees

  • Level 5 Member
  • *****
  • Posts: 619
  • Let me lend you a hand & solutions shall follow.
Re: Port Scan From China
« Reply #6 on: May 07, 2011, 02:15:47 PM »

Quote from: MintBubbleSpawn
> Thanks for all the info guys... I have the block set in the inbound filter rules, like in the picture posted. I have contacted my ISP and the ISP in China about this issue. Thanks again for the insight :)

May you please let me know what your ISP's response is on this matter and what their take is?

Quote from: Hard Harry
> Correct me if I am wrong, but doesn't an inbound filter just filter them (i.e. block their traffic access)? Wouldn't that block still show in the log? If they're already being blocked, and your goal is to now have them show in your logs, then if they are coming in as "Info" entries you can just turn off Info type entries from being recorded.

Yes, I think it will now show up for every attack they send to him. But if they attack him again the goal of the router will be to block them at all costs. So I guess in a way he is in better protection than having the router automatically block them for him. See, this is why logs are important. I disable all my logs so I would never know if I am being attacked :(

--
Chris

Hard Harry

  • Guest
Re: Port Scan From China
« Reply #7 on: May 07, 2011, 10:14:29 PM »

You're not being attacked personally. They are just bots stationed out of China, or rerouted through there. It's like telemarketers. They are calling you, but they're not really calling "YOU".

Also, unless you have a business account, I would be very surprised if your ISP did anything. It's not enough to be considered a DoS attack, and it's legitimate traffic, just with illegitimate intent. Good point about blocking them though. If their intent is to gain entry into your network, or at least probe it, best to block them. Then again, the act of blocking a port sets it as closed, which may alert them more than a listening port.

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Port Scan From China
« Reply #8 on: May 09, 2011, 07:33:03 AM »

Yes, I agree it's good to be specific; however, it's also good to be global sometimes too. That IP address range is probably only grouped to that (221.) or ISP in China, and thus whoever is sending out those packets could probably use more than just one specific address and what was seen by the router. Thus why blocking the entire 221.###.###.### IP range could be used in this case, as that 221 range is only probably used in China.
http://whois.domaintools.com/221.0.0.0
Unless he needs to go to some websites in China, then using a global filter would be recommended.

Quote from: LookIntoMyEyees
> FurryNutz, what you are advising him to do is block over 1000++ websites that are on that IP address range. They most probably are Chinese websites anyway, but I/we don't know that. If he does not need them then it is fine. When blocking, I think it's better to be specific on blocking what you want than blocking a whole address range. But cool of you to worry about his safety, I never thought of that type of blocking.
>
> --
> Chris

Hard Harry

  • Guest
Re: Port Scan From China
« Reply #9 on: May 09, 2011, 09:34:18 AM »

Yea, did a quick domain search, and the only English sites in that subnet aren't very important and they are between 221.133.33.0 and 221.133.40.0. Couple hotels, some software sites, that's about it. Take a look. I just wouldn't suggest going to any of those sites. Heh

LookIntoMyEyees

  • Level 5 Member
  • *****
  • Posts: 619
  • Let me lend you a hand & solutions shall follow.
Re: Port Scan From China
« Reply #10 on: May 09, 2011, 01:47:00 PM »

Nice find, I will check them out, I doubt they can harm me.

--
Chris
Did I Help? If So, Say So! ShHHhh!, Just LookIntoMyEyees! No one is perfect, we all make mistakes.
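
Added example, not part of any post in the thread: a short Python script that puts numbers on the specific-versus-range debate above by comparing the three reported addresses with the proposed 221.0.0.0 to 221.255.255.255 rule against a set of blocked-connection log lines. The log lines and their format are constructed for illustration (this is not the DGL-4500's real log syntax), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# The three sources reported in the first post and the range proposed in reply #3.
REPORTED = ["221.192.199.43", "221.194.46.176", "221.1.220.185"]
RANGE_START, RANGE_END = "221.0.0.0", "221.255.255.255"

# Constructed log lines in a hypothetical format; 203.0.113.7 and
# 198.51.100.23 are documentation addresses standing in for the WAN IP
# and an unrelated source.
SAMPLE_LOG = """\
[INFO] Blocked incoming TCP connection request from 221.192.199.43:12200 to 203.0.113.7:8080
[INFO] Blocked incoming TCP connection request from 221.192.199.43:12200 to 203.0.113.7:3128
[INFO] Blocked incoming TCP connection request from 221.192.199.43:12200 to 203.0.113.7:9415
[INFO] Blocked incoming TCP connection request from 221.194.46.176:6000 to 203.0.113.7:8080
[INFO] Blocked incoming TCP connection request from 221.194.46.176:6000 to 203.0.113.7:1080
[INFO] Blocked incoming TCP connection request from 221.1.220.185:6000 to 203.0.113.7:8080
[INFO] Blocked incoming TCP connection request from 198.51.100.23:4444 to 203.0.113.7:22
"""

SRC_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+):\d+ to ")

def blocked_sources(log_text):
    """Count blocked attempts per source address."""
    return Counter(m.group(1) for m in SRC_RE.finditer(log_text))

def range_to_cidrs(start, end):
    """Express a start-end filter range as the CIDR blocks it covers."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))

def rule_coverage(rules, counts):
    """Return (addresses the rules deny, logged attempts the rules match)."""
    nets = [ipaddress.ip_network(str(r)) for r in rules]
    denied = sum(n.num_addresses for n in nets)
    matched = sum(c for ip, c in counts.items()
                  if any(ipaddress.ip_address(ip) in n for n in nets))
    return denied, matched

if __name__ == "__main__":
    counts = blocked_sources(SAMPLE_LOG)
    wide = range_to_cidrs(RANGE_START, RANGE_END)
    for label, rules in (("three /32 rules", REPORTED), ("one range rule", wide)):
        denied, matched = rule_coverage(rules, counts)
        print(f"{label}: denies {denied} addresses, matches {matched} "
              f"of {sum(counts.values())} logged attempts")
```

On this sample both rule sets match the same logged attempts; the range rule differs only in how many addresses it denies, and neither touches the unrelated source.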