#1  
July 25th, 2007, 06:53 AM
netgearlogreader
Strange messages in netgear log file

Hello,

I was hoping to get some help regarding some very strange messages I've been getting in my log file, such as:

Quote:
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [xx.xx.xx.xx], Tuesday, Jul 24,2007 23:47:06
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [xx.xx.xx.xx], Tuesday, Jul 24,2007 23:46:43
[DOS attack: ACK Scan] attack packets in last 20 sec from ip [xx.xx.xx.xx], Tuesday, Jul 24,2007 23:46:22
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [xx.xx.xx.xx], Tuesday, Jul 24,2007 23:46:13
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [xx.xx.xx.xx], Tuesday, Jul 24,2007 23:45:31
[LAN access from remote] from xx.xx.xx.xx : PORT to (local IP) : (local port) Tuesday, Jul 24,2007 21:48:59
[Service blocked: ICMP_echo_req] from source xx.xx.xx.xx, Tuesday, Jul 24,2007 21:41:29
[DOS attack: RST Scan] attack packets in last 20 sec from ip [xx.xx.xx.xx], Tuesday, Jul 24,2007 21:28:03
[DOS attack: RST Scan] attack packets in last 20 sec from ip [xx.xx.xx.xx], Tuesday, Jul 24,2007 21:26:03
[LAN access from remote] from xx.xx.xx.xx : PORT to (local IP) : (local AIM port) Tuesday, Jul 24,2007 21:02:55
[UPnP event: Public_UPNP_C3] from source (local IP), Tuesday, Jul 24,2007 21:02:55
[LAN access from remote] from xx.xx.xx.xx : PORT to (local IP) : (local port) Tuesday, Jul 24,2007 20:47:31
[LAN access from remote] from xx.xx.xx.xx : PORT to (local IP) : (local port) Tuesday, Jul 24,2007 20:43:46
Obviously, I've masked all of the external IPs (xx.xx.xx.xx) and external ports (PORT), and the (local IP) : (local port) is assigned by the router's DHCP server.

There are hundreds of these lines in the log, from about 12 hours. Any ideas as to what these might be? Could they be some sort of false positives, but if so, why would they be happening randomly during times when no internet usage was occurring from my end?

Any help is greatly appreciated. Thanks...

#2
July 25th, 2007, 07:21 AM
Mars Mug
Re: Strange messages in netgear log file

If you use a P2P program occasionally then that could be the cause of the messages, after you have stopped using the program, in which case you could consider them false positives.
__________________
I don't work for Netgear.

My name is Andy.

#3
July 25th, 2007, 07:43 AM
netgearlogreader
Re: Strange messages in netgear log file

Quote:
Originally Posted by Mars Mug
If you use a P2P program occasionally then that could be the cause of the messages, after you have stopped using the program, in which case you could consider them false positives.

Hi, thanks for the reply. So I do trade live music on Dime via BitTorrent (all legal, folks). How long are we talking here?

I think that this might well explain all of those DOS attack messages, but what do these mean:

ICMP_echo_req
LAN access from remote
UPnP event: Public_UPNP_C3

Strangely, Google is relatively silent on the subject.

Additionally, I cloned the MAC address of my computer to my router so that my ISP would assign a new IP address on the DHCP release/renew cycle (their suggestion!), and as soon as the new IP was active, I got a few of these DOS attack messages, which leads me to believe that perhaps the IP space of the ISP is constantly bombarded with these things. Is that an irrational fear?

Thanks again for all help ...

#4
July 25th, 2007, 07:53 AM
Mars Mug
Re: Strange messages in netgear log file

I don't have a Netgear router so can't be sure of what you are seeing. I have a Buffalo router which sends me e-mails for these things, and typically I will see a few e-mails a day, but after doing some torrents downloading (and quitting the program) I will see dozens of hits per day for a couple of days, which then tail off to just a few hits. When I used to have just the modem and no router with SPI, Zone Alarm would register thousands of hits per week, I gave up bothering to check the logs after a while.

So basically I can't say for sure that you have nothing at all to worry about, I'm sure that if I did the statement would come back and bite me in the bum. But my gut feeling is it's not a problem and your router is doing the job it's supposed to do.

#5
July 25th, 2007, 08:20 AM
netgearlogreader
Re: Strange messages in netgear log file

Hey,

Interestingly, I just switched ISPs and used an older g router at my old location. I never received any such log messages -- in fact one thing that alarmed me is that the log seemed to only be outgoing traffic from computers on my side of the router, so now seeing all of these messages suggested to me that perhaps an IRC bot was set up on my machine or something .... there's no secure.log information suggesting that otherwise, and my outgoing traffic firewall didn't catch any such thing, so I'm not terribly concerned about this particular possibility.

Anyhow, the emergence of these new messages coincides with the new ISP + router combination, and from what I understand it might be an artifact of p2p. I'll cease using it for a few days and see if the messages subside. It is strange that a totally different IP continued to receive such messages (possibly because in the same IP space), but it does make me feel better that you have seen something similar after p2p usage, etc.

Regards,
nglr
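
An added example, not part of the original thread: a small parser for the log format quoted in post #1 that counts entries per hour and event family, so the "stop P2P for a few days and see if the messages subside" check from post #5 can be read off the numbers. The sample lines, the unmasked `ip:port` layout of the LAN-access entry, and the names `parse_line` and `summarize` are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format quoted in post #1; the addresses are
# documentation-range placeholders and the last line is deliberately truncated.
SAMPLE_LOG = """\
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [192.0.2.10], Tuesday, Jul 24,2007 23:47:06
[DOS attack: ACK Scan] attack packets in last 20 sec from ip [192.0.2.10], Tuesday, Jul 24,2007 23:46:22
[DOS attack: RST Scan] attack packets in last 20 sec from ip [198.51.100.7], Tuesday, Jul 24,2007 21:28:03
[LAN access from remote] from 203.0.113.5:51413 to 192.168.1.2:6881 Tuesday, Jul 24,2007 21:48:59
[Service blocked: ICMP_echo_req] from source 198.51.100.7, Tuesday, Jul 24,2007 21:41:29
[UPnP event: Public_UPNP_C3] from source 192.168.1.2, Tuesday, Jul 24,2007 21:02:55
[DOS attack: FIN Scan] attack packets in last
"""

LABEL_RE = re.compile(r"^\[([^\]]+)\]")
STAMP_RE = re.compile(r"[A-Za-z]+day, ([A-Za-z]{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})\s*$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_line(line):
    """Return (timestamp, family, detail, first_ip) or None for a line that does not fit."""
    label, stamp = LABEL_RE.match(line), STAMP_RE.search(line)
    if not (label and stamp):
        return None
    family, _, detail = label.group(1).partition(": ")
    when = datetime.strptime(stamp.group(1), "%b %d,%Y %H:%M:%S")
    ip = IP_RE.search(line[label.end():stamp.start()])
    return when, family, detail, ip.group(0) if ip else None

def summarize(log_text):
    """Count entries per (hour, family) and collect distinct source IPs per family."""
    per_hour, sources, skipped = Counter(), {}, 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # truncated or unknown line: count it, do not guess
            continue
        when, family, _detail, ip = rec
        per_hour[(when.strftime("%Y-%m-%d %H:00"), family)] += 1
        if ip:
            sources.setdefault(family, set()).add(ip)
    return per_hour, sources, skipped

if __name__ == "__main__":
    per_hour, sources, skipped = summarize(SAMPLE_LOG)
    for (hour, family), n in sorted(per_hour.items()):
        print(f"{hour}  {family:<24} {n:>3}  distinct sources: {len(sources.get(family, ()))}")
    print(f"unparsed lines: {skipped}")
```

Run over a saved copy of the real log on successive days, a falling hourly count for the "DOS attack" family after the P2P client is closed matches the tail-off described in post #4.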

All times are GMT -8.