IPFire FW logs: what am I looking at?

Just installed an old laptop with IPFire as a dedicated firewall, etc., you know the story. For the past 12 hours stuff like this (paraphrased obviously) has been appearing in the firewall logs:

Code:

Dropped TCP input on a high port, from some IP in the US, MAC address X

Dropped TCP input on a slightly higher port, from some IP in Ireland, MAC address X

Dropped TCP input on a port slightly higher still, from some IP in Spain, MAC address X

Dropped TCP input on yet another high port, from some IP in Russia, MAC address X

...

The IPs are mostly US, but all over the place, in wildly different areas; and in some cases they correlate to obviously bogus locations. For instance, one of the French ones is "located" in the middle of a small forest near a lonely stretch of highway, according to Google Maps.

However, the MAC address listed is always the same one, and is not the MAC of anything on my network.

The ports on which connections are attempted are mostly high ones. On occasion I also see clusters of service ports, HTTP/HTTPS, and of course SSH. Connection attempts occur a few times per minute.

Also, Snort has detected half a dozen known exploits from some of the offending IPs. I'm quite sure I am under some kind of attack.

If that's the case though... Then why my network? The firewall box has been claiming to drop packets from the offending IPs for 12+ hours now. If I were a bot, I'd have moved on to greener pastures several hours ago. I also have to wonder why Snort has reported so few recognized attacks, given the sheer volume of dropped packets...

I can think of several answers, some of which are less pleasant than others, but all of which are quite speculative. So I'm very interested in what you people have to say about this...

 

Go with your gut. It's usually right.

 

Hmm. 16+ hours and no sign of stopping.

My current hypotheses, in approximate order of badness:

Hypothesis 1: Someone thinks my network is something it isn't; perhaps installing the new firewall has drawn unwanted attention.

Hypothesis 2: This attack comes from a large botnet that can afford to keep pounding away. This is a "normal" state of affairs on the Internet, and I'm only noticing now because IPFire has a decent logging system.

Hypothesis 3: See 2, except one of the machines on my network was or is a bot, and this is an attempt to confirm that the bot is still there and/or reestablish control. (Not sure if that makes sense though.)

Hypothesis 4: One or more machines was compromised and serving up some kind of (probably illegal) content. What I'm seeing are not attacks, but attempts to access content that isn't there any more (possibly since I put up the new firewall), or see where said content has gone. (Not sure if that makes sense either.)

Hypothesis 5: The firewall has already been compromised. The packet drop messages are a diversion, and the firewall machine is doing God-only-knows-what right under my nose.

I would surmise that 2 is the most likely. Seems odd that everything is linked to one single MAC address though. 1 is probably egotism, 3 and 4 paranoia. I suspect 5 is more likely than I think, but can't prove it (yet).

Anyway for now though I've seen no evidence that the firewall is compromised (yet), so I'm going to turn on the transparent proxy's logging facility; if one of the machines is botted or getting DNS redirects or something, I suppose that should turn it up...

 

Alright, I think I may have to rethink the idea that this is a botnet... One of the "attacking" IP addresses resolves to the Facebook main page. Again, same MAC address. Unless botnets typically spoof IPs, or something?

 

Pretty sure port knocking happens all the time. In class we NMAP'd various places just to learn.

I don't think the IP is spoof'd, IDK how anyone would even accomplish that. It honsetly just sounds like a glitch, a program is trying to connect or maybe a printer or whatever because the ports are closed its moving on to the next one going up and up and up looking for a port to connect to.

 

In that case, glad to hear it's probably nothing.

 

"Port knocking" would imply a sequence of connection attempts on the same local port from the same remote host. Which is not the case here.
IP address could be spoofed on a LAN, impossible across many routers on a WAN.
If you are on a large LAN with a dynamic IP address (most common case), the high ports and various remote IPs could indicate simply leftover connection attempts from P2P sessions while your current IP was used by P2P users. Without more info on your connection type or other specifics on your system these connection attempts could mean practically anything.

 

While I cannot say for certain from only 4 packets logs, I would hazard a guess that the MAC address is the last router on thier path to you. MAC doesn't travel across WAN AFAIK.

As for the port connection attempts, it is not uncommon at all. On any given sunday there are dozens of connection requests to most any router. Some requests are mundane, others are probing. Like a botnet infected machine querying a range of IPs looking for a specific port/service running and accepting communications.

If you notice source IPs within your ISP subnet, then you can log them and present them to your ISP, if they care. I used to be with a small ISP that I routinely sent them my logs, and they would actually monitor the offending IPs and if the activity was deemed suspicious, would cut them off until they got the issue resolved. That ISP had a pretty low amount of botnet activity, and its customers went with them because of that type of service. Of course some people who knew very little were a bit miffed, but life isn't perfect

Anyway, having your ports scanned is commonplace from my experience. As long as you have NAT on your router, for the most part you ignore it. You watch them long enough and you will start to see common ports being hit, ports that could have exploit potential. Those are the ones you want to pay more attention to, and there are many. Still though, with a NAT router, it should pose no great concern.

Plug your machine on the connection without a router, and then you can have some fun. I use pfSense as my router, and I have just as many scans of this nature as I have with dlink/linksys routers, even on 3 different ISP networks.

Sul.

 

Thanks Sully, that makes more sense. I would guess that the MAC I see is a router belonging to my ISP, since it's not my modem's MAC and there's nothing else in front of the IPFire machine.