Assistance Deciphering Firewall Events

I have been working remotely on my mom's computer in Australia and was checking the event logs for her home gateway modem / router.

After identifying a few attempts from china, korea and poland to (presumably) gain access to her system I cleared the event log.

After a couple of hours there were 4 new entries in the log that were different from the previous entries in that the 4 new entries did not list her computer as the destination IP - rather, the source (4 different IPs) was still overseas (china), but now the destination IP was another IP address in Australia.

It appears to me - I'm not an expert by any means - that someone is attempting to access another (a 3rd-party) computer, also in Australia, by first trying to go through my mom's computer - perhaps to somehow obscure the origin of the possible attack - just a guess.

Here are the entries from the event log - with the destination IP obscured by me to protect the unsuspecting owner of that IP:
Feb 27 00:12:36 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 5.135.78.226 Dst ip: 101.162.xxx.xxx Type: Destination Unreachable Code: Port Unreacheable

Feb 26 23:18:22 FIREWALL icmp check (1 of 2): Protocol: ICMP Src ip: 210.73.75.145 Dst ip: 101.162.xxx.xxx Type: Destination Unreachable Code: Port Unreacheable

Feb 26 22:50:22 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 118.170.141.105 Dst ip: 101.162.xxx.xxx Type: Destination Unreachable Code: Port Unreacheable

Feb 26 20:50:33 FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 183.61.254.121 Dst ip: 101.162.xxx.xxx Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited

What I am hoping for is that someone can shed some light on what is happening here (in the log) so that I can understand it a little better.

Again:
My mom's IP address is completely different from those of the log (123.211.xxx.xxx), and
I am not a network / security guru so please be gentle with me if I am missing something obvious

Thanks in advance.

 

Just internet noise that you should eventually ignore. Behind the router the comps are safe as they can be from inbound scans.

 

Hi Cudni;

Thanks for the reply.

I was hoping for an explanation with a little more detail though, as well as confirmation as to whether, or not, my assumption is correct (as to someone trying to connect to a 3rd party computer via my mom's computer).

My reason is so that I can gain a little more knowledge and deeper understanding of the process and what is actually happening - as opposed to simply ignoring it.

If you are able to elaborate on your reply, or if anyone else can offer some additional relevant information, I would very much appreciate your insight.

Thanks, again.

 

Looks like port scanning using ICMP packets. Not to worry, if you check your router's logs you will see plenty of these entries.

 

If someone understands precisely what those log entries are communicating and would be so kind as to elaborate, I too would be interested in an explanation. My initial reaction...

The "FIREWALL icmp check" communicates that the log entry corresponds to an ICMP message that was received (from the Internet side I would think) by the router and is being checked.

I don't know what the "1 of N" number refers to. One explanation would be that it is meant to communicate that the same event occurred N times within a certain time window but only the first one is being logged.

Type corresponds to ICMP message type, Code corresponds to ICMP message code. Those are ICMP error messages for reporting a problem relating to an IP datagram that was received, and to be useful such ICMP error messages include the IP header and first 8 bytes from the IP datagram that triggered the error message. For example:

Code:

+---------+-------+-------+----------------------+------------------------+
|Ethernet |IP     |ICMP   |IP header of datagram |UDP header from datagram|
|header   |header |header |that generated error  |that generated error    |
+---------+-------+-------+----------------------+------------------------+

In those log entries, I'm thinking the Protocol, Src IP, and Dst IP come from the IP Header of the ICMP message and *aren't* the Protocol, Src IP, and Dst IP from the IP header of the datagram that generated the error. IOW, I'm thinking those log entries are showing that the router received four ICMP error messages addressed to 101.162.xxx.xxx and with those src IP Addresses shown (France, China, Taiwan, China respectively).

Note, however, that the OP points out that the IP Address of the router was 123.211.xxx.xxx rather than 101.162.xxx.xxx. Those both appear to be Telstra IP Address ranges which makes me wonder if his mom had 101.162.xxx.xxx at the time of those log entries and then acquired 123.211.xxx.xxx before the OP connected. A check of DHCP log entries and/or tracerouting the full IP Addresses might shed light on whether that could have happened.

Even if it did, I'm left wondering why those IP Addresses would have been sending destination unreachable messages to his mother. They didn't smell like IP Addresses that his mother's machine would/should be sending anything to. I'm not aware that a stack would respond to receiving such ICMP messages and thus I don't see how this scenario would be those IP Addresses trying to scan her.

I've tried looking at it in other ways but ended up questioning those for different reasons or just lack of info. We don't have the datagrams to look at <sigh>. So again, if someone would be willing to offer their take, at least two of us would be interested and possibly more.

 

Hi TheWindBringeth;

Thanks for weighing in.

That's my assumption, also, that the same event has happened N times but only 'one' of the events is being shown - though, most likely it is the 1st occurrence, as each identical event, thereafter, would not be shown - as it already matches an identical previous event.

At the time I had been logged into her computer via Teamviewer for close to 30 hours. Neither her computer, nor the router, had been restarted during that time. As well, I did not release the router from it's IP lease or request a new IP as that would have dropped my connection.

The reason for which I did not want this to happen is that my mom is a 16-hours/day carer for another elderly lady and is not present, or available, to physically assist with the computer / router if I need anything (unplugged/BIOS/CLI/insert disk/smash with hammer, etc.) so I was avoiding anything that could lock me out of her system. I am in Canada so I cannot simply go to her house for every computer prob.

Do you know where I would find the DHCP logs? her router is a TG582n. I have admin and root CLI access (TELNET and FTP). I just ran a few DHCP commands on the router but it looks as though logging may not be enabled. I have a couple of TG582n CLI reference manuals so I'll start going through them. I am not entirely sure, yet, how to set it up for DHCP logging - I'll keep digging though. I'll enable one DHCP logging option at a time and then start pinging her IP to see if anything shows up in a log.

I ran a command line tracert, from my mom's computer, on all 4 of those foreign addresses and, right now, none of them pass through an IP of 101.xxx.xxx.xxx. That being said, I 'do' realize that routing changes frequently and that the path on which the packets take today may be different than that which was provided yesterday.

 

Hi ComputerSaysNo;

Thanks for your input.

I agree - it's simply port scanning. I am aware of that and have been adding each offending IP address in China, Poland, Russia, Korea, France, Finland and Malaysia to the blacklist within the router. If there is simple scanning from an IP then there will, also, be more complex scanning for vulnerabilities to follow up.

If I blacklist and block the offending IPs from 'any' communication then I don't have to worry about ports on the router AND on the computer - Although I am (arbitrarily) 99.99% sure that the router is stealthed (according to the 100% results from online port scanners, such as Shields Up).

Again, the purpose of the post was not to identify what was the cause of the entries in the firewall, but rather, why the source and destination IPs were, both, not the IP of my mom's router.

 

I apologize for focusing on something you seem to be clear on. I just wanted to make sure that the events that caused those log entries and the information being dumped were nailed because that can shed light on what things could have been forged. Sending a forged IP datagram directly to another machine via link layer and/or forging "datagram that generated the error" information in an ICMP error message would be examples.

The TG582n looks like an integrated ADSL device. I'm not familiar with the flavors of those but I think they typically acquire dynamic IP Addresses via other means such as IPCP. Whatever the case, when not using a static IP Address it is sometimes nice to have log entries which show the history of dynamic IP Address assignments. It sounds like you have good reason to believe you knew what her IP Address when those events occurred. IOW, it sounds as though you have ruled out the possibility that her IP Address could have changed and the remote access software you were using auto recovered from that and re-established the session.

WRT traceroute, the thought was to explore whether the 101.162.xxx.xxx address is assigned to customers in your mother's area and by extension assess whether it could potentially have been assigned to her at one point. IP Address geolocation databases can be useful for that and you can also look at traceroutes to compare how similar the routes are. Reverse DNS names sometimes contain region information.

 

Hi TheWindBringeth;

The IP 101.162.xxx.xxx is in Brisbane and my mom lives almost 2,000km north of there. She has never lived in Brisbane.

She has been in her current location for 3 years and has only just started on broadband - around 4 months ago, having dialup previous to that.

I understand that there are likely many variables to this equation that perhaps I am not considering - I appreciate your insight.

My mom's ISP is Telstra and the 101.162.xxx.xxx address is also a Telstra customer - I made this judgement with a tracert to that address and also by checking that IP in the address of a browser from my mom's computer.

Interestingly, though, the logon prompt for the router at the 101.162.xxx.xxx address came up when I put that IP into the address bar of a browser on my mom's computer. But, when I tried the same thing from a browser on my computer here in Canada, it would only timeout - no connection.

I am still looking for where the DHCP logs are within the router - it may take some time before something shows up in a log ... or for me to find the correct log to enable.

Cheers

 

FWIW, a quick search turned up the following Telstra forum post of a log snippet from a Technicolor TG587n v3. Which appears to have captured an IP Address change: http://crowdsupport.telstra.com.au/...ems-with-ADSL2/m-p/72718/highlight/true#M2015. Note the IP Address being shown in a PPP entry. Which makes sense for DSL. Were it a cable Internet arrangement you'd be looking for such information in the logs for the DHCP client within the router.

Code:

Warning Sep 8 12:25:27	PPP link up (Internet) [124.178.XXX.XXX]
Info    Sep 8 12:25:27	PPP CHAP Chap receive success : authentication ok
Info 	Sep 8 12:25:26	PPP CHAP Receive challenge (rhost = wwz2-wellXXXXXX)
Info 	Sep 8 12:24:59	xDSL linestate up (ITU-T G.992.5; downstream: 13878 kbit/s, upstream: 1021 kbit/s; output Power Down: 19.3 dBm, Up: 12.2 dBm; line Attenuation Down: 35.0 dB, Up: 21.5 dB; snr Margin Down: 6.1 dB, Up: 6.4 dB)
Info 	Sep 8 12:24:36	xDSL linestate down
Warning Sep 8 12:23:53	PPP link down (Internet) [120.145.XXX.XXX]
Info 	Sep 8 12:23:50	xDSL linestate up (ITU-T G.992.5; downstream: 13661 kbit/s, upstream: 1020 kbit/s; output Power Down: 19.3 dBm, Up: 12.2 dBm; line Attenuation Down: 35.0 dB, Up: 21.5 dB; snr Margin Down: 6.1 dB, Up: 6.3 dB)
Info 	Sep 8 12:23:27	xDSL linestate down

The following page, and the partial event log table at the bottom, appears to confirm that the TG582n logs similar events.
http://help.demon.net/help-articles/troubleshooting-and-faqs/technicolor-router-support/

 

Hi;

My apologies - I was under the impression that I was looking for a specific DHCP log that would shed light on past IP addresses by having stats for all past IP addresses assigned to her computer.

With a dozen different DHCP logging options from the TELNET CLI I have been trying to find some sort of saved history of DHCP stats that would provide this info - I didn't understand that you simply were asking for the basic connection stats - my bad.

Unfortunately we have yet to hear from anyone with a specific explanation regarding the 3rd-party IP issue so perhaps it's time to put this post to rest.

All feedback has been appreciated and has helped me by forcing me to look up info and learn a little more than I did a few days back - learning new info is a good thing.

Cheers.

 

Your Mom's IP 123.211.x.x is likely the public side, the IP Telstra gives you, and perhaps changes even though you don't initiate the change.
But the internal IP 101.162.x.x looks strange since it's not in the private range, and as TheWindBringeth wrote, it's Telstra as well. So I'm not sure how you can logon using the 101.162.x.x address since it's not on the inside part of the router, me thinks.
http://en.wikipedia.org/wiki/Private_network

Perhaps ADSL modem/router works like that, with two separate web-side addresses for the DSL part and then the router part, and then finally her private IP.
I don't have one, I don't know.
Does the router manual describe anything typical regarding the setup?
Take a look if they describe the WAN and LAN sides of the router (WAN=wide area=internet, LAN=local area network, the inside part, that's where your Mom logs into)

When, from Canada, you try to reach Australia, the router's web side will very likely drop those packets since most likely there is, and should be, a setting to drop unsolicited packets from the internet.

Now if your Mom would setup something like remote assistance, which would permit your entry, then you might be able to see her box. But RA is unsafe, so make sure she shuts it off after you're done.
Perhaps this will help
http://support.microsoft.com/kb/301527

 

Hi;

Unfortunately you have completely misunderstood what is going on.

My mom's IP 'is' 123.211.xxx.xxx.

The internal IPs are all 10.0.0.x.

The 4 firewall entries, which I posted in the original post, are identically copied directly from the router's firewall log - they are not me changing them as to what 'I think' they mean - they are simply copied and pasted to here.

The source IP, listed in the router's firewall log, (only using 1 of the 4), is 5.135.78.226 and orginated from France.

The destination IP, listed in the router's firewall log, is 101.162.xxx.xxx and is based in Brisbane, Qld, Australia - approximately 2,000 kilometers south of where my mom lives.

As you can see it's rather unusual for a 3rd-party IP (destination IP) to be listed or even mentioned in someone else's firewall.

As I stated previously:

I did not say I logged into the computer at 101.162.xxx.xxx I said that the logon prompt came up. It's not unusual for the logon prompt to come up if a router is setup for remote management or if there is no firewall. These TG582n routers that Telstra provides for their service are all configured wide open to the internet - Telstra has pre-configured them all to be fully available, open and visible from the internet - brilliant!!. The routers have media sharing functionality built into them and if the content sharing option is enabled - it automatically disables the firewall completely - so, yes, all TG582n routers used by Telstra are wide open and visible FROM the internet - as default configuration BY Telstra. Which means that the LOGON PROMPT will come up when someone tries to access the address of the router FROM the internet side as well as from the local network side as there is no firewall enabled - NONE!!

By typing the address directly into the address bar of a browser I am trying to make a direct connection to another computer JUST THE SAME as if I were to type a hostname like abc.com into the address bar. Hostname-based addresses are NOT really addressed by letters - they resolve to a number-based address - they are only used for the benefit of our vanity, memory, etc etc. - all addresses on the internet are actually number-based addresses - not names. Typing a number directly into the address bar will take me directly to a computer just the same as typing it's name value - get it??!! If you want to see for yourself, then give this a try - open up two tabs in a browser or two separate browser windows.

In the first tab/window type microsoft.com into the address bar and press enter.
In the second tab/window type 65.55.58.201 into the address bar and press enter.

You will see that they are the same - all named address resolve to a numbered address - everything on computers pares down to numbers - that's how computers work.

Attempting to access the computer at 101.162.xxx.xxx from Canada is exactly the same and no different from trying to do it from my mom's computer in Australia - I'm using a web browser, typing in the address in the address bar and pressing the enter key - that's it. That is the reason that I commented on receiving the logon prompt from the browser in Australia and not receiving it from a browser in Canada - it was an unexpected and unusual result.

I'm not trying to access an address within my mom's home network - it's a 3rd computer that is 2,000 kilometers away from where my mom lives.

In the future please take the time to actually read and understand what someone posts before commenting - 0 understanding of what is being described is completely frustrating and useless.

For reference - I have been a computer tech for 20 years. I do understand the difference between private home network addresses and public addresses.

The point that I was making in the original post was how peculiar and odd it was to see a 3rd-party address listed in my mom's router. That's why I posted here - because it's so unusual, not because I don't understand the difference between a home network address and a public IP address.

 

Since I mentioned only DHCP initially, and didn't elaborate further when I mentioned ADSL typically acquires IP Addresses via other means such as IPCP, you can blame me. The high level objective *is* to look for IP Address history, but you have to adjust the approach based on the situation. A "How is IP Address determined... what component handles that... where are its logs" type of approach. One example: IPCP is an NCP used by PPP to acquire IP Addresses in PPPoE & PPPoA scenarios common to ADSL. Look for IPCP log entries which may appear as PPP log entries.

In one you are accessing a Telstra customer (presumably) IP Address from outside the Telstra network, and in the other you are doing so from inside the Telstra network. So you have to consider the possibility that there are extra checks at the border so to speak. Not being able to directly access your mother's router from Canada would reinforce that possibility. If you can directly access your mother's router from Canada, then you could consider that the checking (blocking) isn't being done at Telstra's external border but is being done closer to 101.162.xxx.xxx. By a device that your packets from Canada hit but that your packets from mom's router don't hit. Theoretically, the blocking could possibly even be done by the 101.162.xxx.xxx device itself. I don't think a "neighbors may help each other so allow Telstra customers to connect to each other while blocking external networks" approach is safe, but some conditional along those lines is a theoretical possibility that must be considered.

You could chalk it up to a glitch in the matrix, focus on other things, and keep an eye out for it happening again. If it does happen again you could redouble your efforts to understand it. If at some point you do want to pin down why it happened, one option would be to ask in the Telstra forum.

I admire you for helping your mother and trying to be diligent. Best of luck.