Hitron CGN gateway Firewall logs, FP or legitimate concern?

Discussion in 'other firewalls' started by AustinTech, Dec 2, 2014.

  1. AustinTech

    AustinTech Registered Member

    Joined:
    Dec 2, 2014
    Posts:
    7
    I've been trying to come up with an answer for the last 2 months regarding some suspicious log entries from my gateway's firewall logs. The log entries concern possible SYN FLOOD and STEALTH SCAN attempts as flagged by the IDS. However, the source is being flagged as various devices on my LAN (cellphone, laptop and PS4) in each instance. Inevitably I've hit dead ends trying to find an answer in my own research on this and have decided to take to the forums for assistance. I've exhausted the most obvious avenues for support (ISP, gateway manufacturer) and have hit brick walls on both ends. My ISP does not provide support on the gateway (even though they lease it), and the manufacturer will not provide support as I am not the MSO (ISP) who owns the equipment. So needless to say I am at an impasse. Any help or knowledge that anyone with firewall configuration experience can provide is GREATLY appreciated, as is their time, as I've reached the limit of my knowledge in troubleshooting this. The gateway is a Hitron Tech. Model CGN gateway (cable modem/router). I apologize in advance for the lengthy post, but I wasn't sure how best to explain this without being as detailed as possible, so I apologize for any unintended spam.

    In regards to the logs, I have 4 dates in particular where suspicious activity was logged. I have been unsuccessful in determining whether these are false positives or something more malicious. Below are the logs, respective to their dates, as well as information relevant to what was occurring during these timeframes. I've removed my IPs in the logs and replaced them with obvious entries relevant to the type of connection to the network, what device was being used, activity and total time on the LAN around the time of the log entry. Time also includes periods of idle connection (device connected to the network but no browsers open).

    (Wireless, via Laptop, 2 hours, Light Browsing.)

    Code:
    Warning 2014/11/18 05:12:03 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.221 LEN=48
    Warning 2014/11/18 05:12:03 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=67.217.177.30 LEN=52
    Warning 2014/11/18 05:12:02 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=50.116.194.21 LEN=48
    Warning 2014/11/18 05:12:02 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=67.217.177.62 LEN=48
    Warning 2014/11/18 05:12:02 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=208.71.122.1 LEN=48
    Warning 2014/11/18 05:12:01 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=199.166.0.200 LEN=52
    Warning 2014/11/18 05:12:01 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.220 LEN=48
    Warning 2014/11/18 05:12:00 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=208.71.122.1 LEN=48
    Warning 2014/11/18 05:12:00 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=162.248.16.24 LEN=48
    Warning 2014/11/18 05:12:00 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=69.172.216.111 LEN=52
    Warning 2014/11/18 05:11:59 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=208.71.122.1 LEN=48
    Warning 2014/11/18 05:11:57 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.220 LEN=52
    Warning 2014/11/18 05:11:57 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.164.105.38 LEN=52
    Warning 2014/11/18 05:11:57 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=107.22.160.47 LEN=52
    Warning 2014/11/18 05:11:56 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=63.241.108.124 LEN=52
    Warning 2014/11/18 05:11:56 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.202.177 LEN=52
    Warning 2014/11/18 05:11:56 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=152.163.13.76 LEN=52
    Warning 2014/11/18 05:11:55 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=63.241.108.124 LEN=52
    Warning 2014/11/18 05:11:55 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=216.120.27.21 LEN=52
    Warning 2014/11/18 05:11:55 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.194.77.154 LEN=52
    Warning 2014/11/18 05:11:54 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=107.22.160.47 LEN=52
    Warning 2014/11/18 05:11:54 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.220 LEN=52
    Warning 2014/11/18 05:11:54 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=50.18.112.4 LEN=48
    Warning 2014/11/18 05:11:52 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=199.166.0.200 LEN=52
    Warning 2014/11/18 05:11:52 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=216.120.27.21 LEN=48
    Warning 2014/11/18 05:11:51 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=98.138.49.43 LEN=52
    Warning 2014/11/18 05:11:51 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=205.210.186.110 LEN=52
    Warning 2014/11/18 05:11:51 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=216.151.217.9 LEN=48
    Warning 2014/11/18 05:11:50 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=162.248.16.24 LEN=48
    Warning 2014/11/18 05:11:50 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=69.172.216.56 LEN=52
    Warning 2014/11/18 05:11:50 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.191.221.2 LEN=52
    Warning 2014/11/18 05:11:49 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.220 LEN=48
    Warning 2014/11/18 05:11:49 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.148.100.145 LEN=48
    Warning 2014/11/18 05:11:48 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.220 LEN=48
    Warning 2014/11/18 05:11:47 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.84.168.77 LEN=48
    Warning 2014/11/18 05:11:46 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.221 LEN=52
    Warning 2014/11/18 05:11:46 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.202.201 LEN=52
    Warning 2014/11/18 05:11:45 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.221 LEN=52
    Warning 2014/11/18 05:11:45 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=162.248.16.24 LEN=52
    Warning 2014/11/18 05:11:45 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=63.241.108.124 LEN=52
    Warning 2014/11/18 05:11:44 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=198.8.71.228 LEN=48
    Warning 2014/11/18 05:11:44 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=63.241.108.124 LEN=48
    Warning 2014/11/18 05:11:44 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=63.241.108.124 LEN=52
    Warning 2014/11/18 05:11:43 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=152.163.13.76 LEN=52
    Warning 2014/11/18 05:11:43 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=107.22.160.47 LEN=52
    Warning 2014/11/18 05:11:42 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=199.166.0.200 LEN=52
    Warning 2014/11/18 05:11:41 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=50.116.194.21 LEN=52
    Warning 2014/11/18 05:11:41 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=162.248.16.24 LEN=48
    Warning 2014/11/18 05:11:40 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=67.217.177.62 LEN=52
    Warning 2014/11/18 05:11:40 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=74.125.227.156 LEN=48
    Warning 2014/11/18 05:11:40 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=192.155.195.218 LEN=52
    Warning 2014/11/18 05:11:39 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=208.71.122.1 LEN=52
    (Wireless, via Cell Phone, 1 Hour, Light Browsing.)

    Code:
    Warning 2014/11/18 22:27:42 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.137 LEN=79
    Warning 2014/11/18 22:27:42 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.137 LEN=279
    Warning 2014/11/18 22:27:11 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=625
    Warning 2014/11/18 22:26:42 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=625
    Warning 2014/11/18 22:26:40 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.130 LEN=79
    Warning 2014/11/18 22:26:40 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.130 LEN=575
    Warning 2014/11/18 22:26:40 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.137 LEN=79
    Warning 2014/11/18 22:26:39 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.137 LEN=277
    Warning 2014/11/18 22:26:39 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.138 LEN=79
    Warning 2014/11/18 22:26:39 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.138 LEN=322
    Warning 2014/11/18 22:26:38 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=79
    Warning 2014/11/18 22:26:36 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=694
    Warning 2014/11/18 22:26:36 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=645
    Warning 2014/11/18 22:26:36 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.236.175 LEN=79
    Warning 2014/11/18 22:26:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.236.175 LEN=503
    Warning 2014/11/18 22:26:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=79
    Warning 2014/11/18 22:26:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=695
    Warning 2014/11/18 22:26:34 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=645
    Warning 2014/11/18 22:26:34 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.136 LEN=79
    Warning 2014/11/18 22:26:34 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.136 LEN=514
    (Wireless, via Laptop, 4 hours, Moderate Browsing.)

    Code:
    Warning 2014/11/19 23:48:40 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
    Warning 2014/11/19 23:48:40 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
    Warning 2014/11/19 23:48:39 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
    Warning 2014/11/19 23:47:55 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
    Warning 2014/11/19 23:47:54 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
    Warning 2014/11/19 23:47:54 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
    Warning 2014/11/19 23:47:10 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
    Warning 2014/11/19 23:47:09 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
    Warning 2014/11/19 23:47:09 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
    Warning 2014/11/19 23:46:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
    Warning 2014/11/19 23:46:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
    Warning 2014/11/19 23:46:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
    (Wireless, via Laptop, 5 hours, Moderate Browsing.)

    Code:
    Warning 2014/11/24 11:11:28 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.68.23.58 LEN=89
    Warning 2014/11/24 10:53:23 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.213.34.165 LEN=89
    Warning 2014/11/24 10:53:19 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.68.69.17 LEN=89
    Warning 2014/11/24 10:53:19 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.69.104.53 LEN=89
    Warning 2014/11/24 10:33:30 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.200.161.50 LEN=89
    Warning 2014/11/24 10:33:26 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.218.71.225 LEN=89
    Warning 2014/11/24 10:33:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.68.69.17 LEN=89
    Warning 2014/11/24 10:13:19 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.201.76.202 LEN=89
    Warning 2014/11/24 10:13:15 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.218.17.157 LEN=89
    Warning 2014/11/24 10:13:14 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.69.104.53 LEN=89
    Warning 2014/11/24 09:56:26 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.201.230.39 LEN=89
    Warning 2014/11/24 09:56:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.186.57.212 LEN=89
    Warning 2014/11/24 09:47:14 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.244.36.66 LEN=89
    Warning 2014/11/24 09:47:10 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.201.230.39 LEN=89
    Warning 2014/11/24 09:47:09 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.218.71.225 LEN=89
    Warning 2014/11/24 09:34:19 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.200.156.110 LEN=89
    Warning 2014/11/24 09:34:15 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.201.230.39 LEN=89
    Warning 2014/11/24 09:34:14 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.68.23.58 LEN=89
    Warning 2014/11/24 09:01:33 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.200.222.150 LEN=89
    Warning 2014/11/24 09:01:29 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.201.140.246 LEN=89
    Warning 2014/11/24 09:01:28 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.201.142.223 LEN=89
    Warning 2014/11/24 08:54:21 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=172.233.42.170 LEN=40
    (*PLEASE NOTE* After troubleshooting to the best of my abilities and being unable to turn up any results of malware/spyware/trojans via several different scans on the laptop, I made the decision to replace the gateway with a new one from the ISP on 11/30 (same model), to begin a process of elimination. I also re-imaged the laptop and re-formatted the cell phone the same day. After receiving the new gateway, I configured the settings the same as on the prior gateway (Block Ping from WAN, Block ACK, Automatic DHCP IP Assignment, Firewall "On", Intrusion Detection "On"), with the one exception being that I completely disabled wireless on the new one. I have since connected only 2 devices to the new gateway via wired connection, both at separate times: the laptop and a PS4. The laptop has not triggered any alerts since reimaging; however, the PS4 did, which is ironic as it did not trigger even one alert in the 2 weeks I had it on the last router. Log below.)

    (Wired, via PS4, 5 hours, Online Gameplay)

    Code:
    Warning 2014/12/01 06:45:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.69.104.53 LEN=89
    Warning 2014/12/01 06:41:26 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.186.53.115 LEN=89
    Warning 2014/12/01 06:41:21 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
    Warning 2014/12/01 06:41:21 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.142.223 LEN=89
    Warning 2014/12/01 06:29:48 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.57.40 LEN=89
    Warning 2014/12/01 06:29:44 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.144.223 LEN=89
    Warning 2014/12/01 06:29:43 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89
    Warning 2014/12/01 06:25:20 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
    Warning 2014/12/01 06:25:20 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.137.111 LEN=89
    Warning 2014/12/01 06:20:30 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.186.212.146 LEN=89
    Warning 2014/12/01 06:20:26 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.69.104.53 LEN=89
    Warning 2014/12/01 06:20:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
    Warning 2014/12/01 06:11:59 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=50.112.184.91 LEN=89
    Warning 2014/12/01 06:11:31 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.191.147.149 LEN=89
    Warning 2014/12/01 06:11:30 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89
    Warning 2014/12/01 06:07:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.191.147.149 LEN=89
    Warning 2014/12/01 06:07:34 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.191.255.55 LEN=89
    Warning 2014/12/01 06:03:11 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.213.154.208 LEN=89
    Warning 2014/12/01 06:02:52 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.142.223 LEN=89
    Warning 2014/12/01 06:02:51 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.191.147.149 LEN=89
    Warning 2014/12/01 05:55:13 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
    Warning 2014/12/01 05:55:11 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.191.182.174 LEN=89
    Warning 2014/12/01 05:53:54 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.187.9.15 LEN=89
    Warning 2014/12/01 05:53:54 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.200.78 LEN=89
    Warning 2014/12/01 05:49:28 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89
    Warning 2014/12/01 05:49:27 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.69.80.237 LEN=89
    Warning 2014/12/01 05:44:44 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.57.40 LEN=89
    Warning 2014/12/01 05:44:24 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.200.78 LEN=89
    Warning 2014/12/01 05:44:23 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.144.223 LEN=89
    Warning 2014/12/01 05:37:59 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.200.78 LEN=89
    Warning 2014/12/01 05:37:58 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.68.219.11 LEN=89
    Warning 2014/12/01 05:35:49 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.186.56.109 LEN=89
    Warning 2014/12/01 05:34:45 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
    Warning 2014/12/01 05:33:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.69.196.86 LEN=89
    Warning 2014/12/01 05:33:34 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.186.15.106 LEN=89
    Warning 2014/12/01 05:26:33 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.12.187 LEN=89
    Warning 2014/12/01 05:26:05 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.68.69.17 LEN=89
    Warning 2014/12/01 05:26:04 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.68.23.58 LEN=89
    Warning 2014/12/01 05:24:04 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.187.9.15 LEN=89
    Warning 2014/12/01 05:24:03 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.247.112 LEN=89
    Warning 2014/12/01 05:17:57 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.187.201.42 LEN=89
    Warning 2014/12/01 05:17:21 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89
    Warning 2014/12/01 05:17:20 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.144.223 LEN=89
    Warning 2014/12/01 05:13:15 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=50.112.131.237 LEN=89
    Warning 2014/12/01 05:13:13 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.47.46 LEN=89
    Warning 2014/12/01 05:09:54 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.186.56.109 LEN=89
    Warning 2014/12/01 05:09:43 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
    Warning 2014/12/01 05:09:42 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.200.78 LEN=89
    Warning 2014/12/01 05:05:47 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.68.23.58 LEN=89
    Warning 2014/12/01 05:05:46 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.213.56.185 LEN=89
    Warning 2014/12/01 05:00:47 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.156.110 LEN=89
    Warning 2014/12/01 05:00:16 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89
    Warning 2014/12/01 05:00:15 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.144.223 LEN=89
    Warning 2014/12/01 04:55:05 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.17.157 LEN=89
    Warning 2014/12/01 04:55:03 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=50.112.154.67 LEN=89
    Warning 2014/12/01 04:51:48 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.187.28.170 LEN=89
    Warning 2014/12/01 04:51:26 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.140.246 LEN=89
    Warning 2014/12/01 04:51:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89
     
  2. AustinTech

    AustinTech Registered Member

    Joined:
    Dec 2, 2014
    Posts:
    7
    Anyone familiar with these types of alerts? Still trying to find someone who is familiar with this type of activity flagged by the intrusion detection system and whether this is a result of a false positive or an actual concern.
     
  3. DX2

    DX2 Guest

    Ask Mayahana, he'd probably know. :_)
     
  4. AustinTech

    AustinTech Registered Member

    Joined:
    Dec 2, 2014
    Posts:
    7
    Thanks. Just sent Mayahana a message.
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Looks like your timeout and thresholds are too low on the device, triggering what to me look like false positives. Do you have access to the device? If so, examine your IPS settings to increase the threshold for recognition of an attack to avoid these false positives. Any time a threshold is reached it will trigger this. (Three-phase handshake timeout)

    If your ISP provided this device, and is unwilling to help, or doesn't know this is the problem I'd probably find a new ISP. Or you could ask for an escalation, point to what I said here even if you don't understand it so they think you DO understand it, and have them remotely adjust the thresholds. If they can't/won't, I'd replace their cheap gear with your own and do it yourself. This kind of thing can cause some significant issues.

    Another big problem could be if the device doesn't even allow advanced settings; again, the ISP is to blame for using something that doesn't. Often in deployment as a dSSE we find we need to adjust SIP timeout/thresholds because of issues like this, and the device doesn't allow granular control, so the customer needs to replace the device.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I should be more specific: your SYN flood parameters (threshold/timeouts). Jack them up a bit on the router.
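    The alerts quoted in the opening post and the threshold point made in the two replies above, as an added worked example that is not from any poster in this thread: a Python triage script that parses lines in the gateway's log format, measures per-source burst rate, destination fan-out and burst spacing, and re-checks the same events against a configurable window and threshold to show how the threshold decides whether a burst is logged at all. The field layout regex, the heuristic labels, the 30-second burst gap and the 20-per-second cut-off are assumptions of this example and not settings of the Hitron gateway; the sample lines are excerpted from the post above, with the poster's SRC placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines excerpted from the post above (SRC names are the poster's
# own placeholders for LAN addresses). Any IDS output in the same shape can be fed in.
SAMPLE_LOG = """\
Warning 2014/11/18 05:12:02 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=50.116.194.21 LEN=48
Warning 2014/11/18 05:12:02 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=67.217.177.62 LEN=48
Warning 2014/11/18 05:12:02 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=208.71.122.1 LEN=48
Warning 2014/11/18 05:12:01 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=199.166.0.200 LEN=52
Warning 2014/11/18 05:12:01 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.220 LEN=48
Warning 2014/11/18 05:12:00 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=208.71.122.1 LEN=48
Warning 2014/11/18 05:12:00 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=162.248.16.24 LEN=48
Warning 2014/11/18 05:12:00 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=69.172.216.111 LEN=52
Warning 2014/12/01 06:45:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.69.104.53 LEN=89
Warning 2014/12/01 06:41:26 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.186.53.115 LEN=89
Warning 2014/12/01 06:41:21 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
Warning 2014/12/01 06:41:21 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.142.223 LEN=89
Warning 2014/12/01 06:29:48 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.57.40 LEN=89
Warning 2014/12/01 06:29:44 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.144.223 LEN=89
Warning 2014/12/01 06:29:43 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89
"""

# Field layout of the log lines shown in the thread (an assumption of this example).
LINE_RE = re.compile(
    r"^(?P<level>\w+) (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[IDS:(?P<sig>[A-Z_]+)\] "
    r"IN=(?P<in>\S+) OUT=(?P<out>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Parse IDS lines into dicts with a numeric time 't'; lines in another shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["t"] = (datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S") - EPOCH).total_seconds()
            ev["len"] = int(ev["len"])
            events.append(ev)
    return sorted(events, key=lambda e: e["t"])  # the gateway prints newest first


def peak_window_count(times, window_s):
    """Most events in any trailing window (t - window_s, t]: the number a rate-based
    flood/scan detector compares with its threshold."""
    times, peak, start = sorted(times), 0, 0
    for i, t in enumerate(times):
        while t - times[start] >= window_s:
            start += 1
        peak = max(peak, i - start + 1)
    return peak


def would_alert(times, threshold, window_s=1.0):
    """Would a detector with this threshold and window have fired on these events?"""
    return peak_window_count(times, window_s) >= threshold


def count_bursts(times, gap_s=30.0):
    """Clusters of events separated by quiet periods of at least gap_s (30 s is an assumption)."""
    times = sorted(times)
    return (1 if times else 0) + sum(1 for a, b in zip(times, times[1:]) if b - a >= gap_s)


def hint_for(sig, s):
    """Heuristic labels only. A flood aims a high SYN rate at few targets, while a client
    loading a web page fans out to many hosts at a modest rate; a scan from a LAN host is
    dense, while periodic application traffic comes in small, widely spaced, same-sized bursts."""
    if sig == "SYN_FLOOD":
        if s["distinct_dst"] >= s["count"] // 2 and s["peak_per_s"] < 20:
            return "FANOUT_LOW_RATE"      # parallel client connections; review the threshold
        return "REVIEW_SOURCE_HOST"
    if sig == "STEALTH_SCAN":
        if s["bursts"] >= 2 and s["count"] / s["bursts"] <= 4 and s["distinct_len"] == 1:
            return "PERIODIC_SAME_SIZE"   # find which app on the host talks to these hosts
        return "REVIEW_SOURCE_HOST"
    return "UNKNOWN_SIGNATURE"


def triage(events):
    """Per (SRC, signature) statistics plus a hint, keyed by (src, sig)."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src"], ev["sig"])].append(ev)
    report = {}
    for (src, sig), evs in groups.items():
        times = [e["t"] for e in evs]
        s = {"count": len(evs), "distinct_dst": len({e["dst"] for e in evs}),
             "distinct_len": len({e["len"] for e in evs}), "span_s": times[-1] - times[0],
             "peak_per_s": peak_window_count(times, 1.0), "bursts": count_bursts(times)}
        s["hint"] = hint_for(sig, s)
        report[(src, sig)] = s
    return report


if __name__ == "__main__":
    for (src, sig), s in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{src:<7} {sig:<13} n={s['count']:<3} dst={s['distinct_dst']:<3} "
              f"span={s['span_s']:.0f}s peak/s={s['peak_per_s']} bursts={s['bursts']} -> {s['hint']}")
```

    Run stand-alone it prints one line per (SRC, signature) group. In the sample, the SYN_FLOOD burst reaches seven distinct hosts in two seconds at a peak of three per second: a detector set to fire at 3 SYNs in a one-second window logs it, one set to 10 does not, which is the threshold effect described in the replies above. The STEALTH_SCAN lines arrive as three small, same-sized bursts minutes apart. Neither pattern settles the question by itself, but both say where to look first: at the detector's thresholds, and at which application on the flagged host is talking to those destinations.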
     
  7. AustinTech

    AustinTech Registered Member

    Joined:
    Dec 2, 2014
    Posts:
    7
    Thank you for your response Mayahana. That is what I figured might be the case. I do have access to the settings but there isn't any way to change the threshold. Pretty much the only thing I can modify is whether to enable/disable the IDS, but no way to configure it that I have found. Using customer-supplied credentials only allows me to change my login password. After doing one quick Google search I was able to obtain the non-supplied MSO login (which is available online via a forum where someone apparently leaked it 4 years ago.. so much for security..) just to get some level of administrative control, as they have literally everything locked down for customer use. But even the MSO settings are useless as they just run an auto-script every few days which resets the gateway back to their config, which locks everything back to restricted and leaves the security wide open. The ISP that supplies the gateway is utterly useless. No support whatsoever and they literally place the blame on the manufacturer for lack of control. But judging by the script, I do believe they know more than they claim.. The fact that they supply these gateways with locked, outdated firmware, ports wide open, wireless locked in at WEP with WPS enabled, even though these support WPA2, and refuse to allow the customer to make any changes and flat out say they can't either, is a real doozy.. I have been locked in a finger-pointing battle with both the manufacturer and ISP for a while now and neither is willing to take accountability. So I have been just trying to figure a way around it and handle everything myself until I decided to take to the forums. Even though I'm not very knowledgeable with firewall configuration I do believe that getting my own equipment may end up being the best route, as you had suggested. Besides my own security, I'm more concerned with the hundreds of customers in my city alone who are using the same service. Because I live in a rural area, this is our only provider. And the majority of their customers, living rural, know little regarding wireless networking or security for that matter. Very disconcerting.. And I fear that is how things like this fly under the radar for as long as they do. But I'm thankful for people with your experience and your honesty. And thank you for taking the time to answer and assist. Shame more companies do not utilize that policy.
     
    Last edited: Dec 5, 2014
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Sounds like your ISP is a joke. So customer supplied gear is probably the best course of action. I'd get something good, a cheaper UTM, or an ASUS with Trend.

    TiVo is incompetent; they are running old Linux shells they never upgrade, and they are full of vulnerabilities. My UTM blocks over 200 potential exploits coming from my TiVos each day, and TiVo won't seem to do anything about it. Just because it's Linux they think it is secure..

    Wait for all of these smart appliances, and net connected devices to get into homes. A security nightmare.. Without a UTM people are toast.
     
  9. AustinTech

    AustinTech Registered Member

    Joined:
    Dec 2, 2014
    Posts:
    7
    Yep, they are definitely one of the worst ISPs I've ever encountered. ISPs like the one I'm dealing with have no business providing hardware if they cannot support it or at least manage it with an iota of competence. They are actually doing more harm than good. And as I told their regional manager yesterday, they better hope someone with even the slightest bit of know-how doesn't stumble onto just how open they are leaving themselves.. Leaving their customers wide open like that is a recipe for trouble for both parties. Not the smartest bunch clearly.. And I've also a few friends who have echoed those same issues with TiVo. For some reason so many companies do not seem to understand the concept of security. It never has been nor ever will be a standalone principle. On that same note, security has well evolved from a 3rd-party service to an internal necessity. And as you had mentioned concerning MTUs being a vital defense, so will be the knowledge of each individual party. People can no longer afford to be ignorant when it comes to their personal networks. I know I can't and even more so appreciate that now. Especially with my current ISP, lol.. A prime example of this being the evolution of smart home security systems and their integration into the networking model. Talk about scary.. The price we pay for convenience I guess. Couldn't agree more with you on getting my own equipment. I'm actually looking at picking up an Asus RT-AC66U flashed with Tomato. A little steeper learning curve for me but it's worth it from what I'm hearing. Looking forward to calling the ISP in a week and telling them to come pick up their garbage.
     
  10. AustinTech

    AustinTech Registered Member

    Joined:
    Dec 2, 2014
    Posts:
    7
    But thanks again for your suggestions. I have a little more peace of mind knowing the issues with the alerts were likely due to the limitations of the gateway and that I'm better off with my own equipment.
     
  11. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    My home security system is all networked. Redundant failover, backups, and encryption of course, but it's right there, all networked.
     
  12. AustinTech

    AustinTech Registered Member

    Joined:
    Dec 2, 2014
    Posts:
    7
    Mine is run through a GSM cell network, with 3rd-party monitoring. Of course, wireless is the standard these days, which I'm okay with until that becomes obsolete or a more secure method is discovered. But I'm referring more to full device/appliance integration, digital/Bluetooth door locks, remote entry, in-home surveillance, etc. The things which could in essence be used against you and teeter the line of "do I really need that", lol. I've seen a few high-dollar homes built on this principle. And every one of them was overkill. Not to mention, extraordinarily creepy.. However, to each his own. It's interesting seeing the evolution of tech like that, but for me it's like vacationing in Greenland. Sure, it's a cool place but I wouldn't want to live there, lol.
     
    Last edited: Dec 8, 2014