Discussion in 'Network Routers' started by Peter, Jul 20, 2008.

    For a few days now I have noticed excessive access attempts on my home
    network, which is simply a router, a few PCs (mostly just my laptop running)
    and a Buffalo TeraStation server. I noticed this accidentally; I forgot why I
    checked the router's log.

    My SMC Networks router logs entries like this:
    2008/07/20 15:15:26 : Blocked access attempt from XXX.21.16.27
    (obscured IP; I don't want bad people to link their break-in attempts (their
    IP) to this post asking for help. XXX is one hundred seventy-two, btw :)

    At a certain point I noticed hundreds per minute coming in, really crazy.
    When I checked the IPs, I noticed they came from Singapore, China, etc.

    The fact that I see them as blocked is good, I guess, but obviously I am
    scared that some of them also get through, maybe not even logged as such.
    My laptop has a software firewall as well, and I must say I have not seen any
    incoming attempts there.
    I'm keeping an eye on my Buffalo nat server's "user access status" and only
    my laptop's IP is listed there.
    So I'm relatively confident that I'm safe, yet not entirely sure of course,
    and I must say I don't completely understand the situation.

    The way I understand routers, a request from a LAN system must go to the WAN
    (external IP) in order for the router to allow incoming packets from that
    external IP to get through, and get routed to the correct machine in the

    So I have this older Topcom router still lying around and I tried the
    following. I put it in as the first line of defense, behind my cable modem,
    before my SMC router.
    I tested stealthiness via www.grc.com and was given an all OK.

    Not long after, I started to get all these blocked access attempts again on
    my SMC router (log).
    THAT freaked me out... why were all these login attempts getting through
    the first router!!!!!
    Again, the way I understand routers is that if the request comes from within
    (LAN), packets are let through from WAN to LAN (port and IP appropriately
    changed by the router). Obvious questions started to torment my mind:
    So why was router 1 letting them through and not router 2?
    Is my PC infected with malware, and ARE there in fact requests coming from my
    laptop?
    However, that doesn't make sense then, as router 2 is still blocking them?
    Or are there also packets getting through?
    Not to my laptop, because my software firewall doesn't see them... so is
    there access possible to my TeraServer??
    How do I check that ? The server log sees only one IP (my LAN IP) logged

    Since last night everything has suddenly stopped. Still using the same
    setup. I'm not sure if router 1 is now blocking a lot of the attempts
    (its log is crap and hard to make sense of). I do see the same login
    attempts failing from time to time, but the frequency is now low, once every
    hour for instance.

    Another thing that puzzled me is that I powered down my modem for a full
    night (Fri to Sat) and was assigned a new IP the next morning (I assumed that
    would put an end to things); however, the login frenzy started almost
    immediately after I had powered up the router and laptop.

    Again, the latter made me think that maybe it's malware on my laptop, because
    the break-in attempts are/were following me to my new IP. I have scanned my
    PC several times by now with the latest signatures (Kaspersky) and nothing
    has been found so far. I also used Ewido to check for malware (nothing).

    This is getting lengthy, but I'm trying to give all the facts; if not
    interesting, then at least therapeutic for me, to get it off my chest :))

    One LAST thing. I closed Trillian (which I use to combine MSM and ICQ)
    because I figured it could possibly be used to obtain my IP as well.
    Suppose someone out there is targeting me and checking my IP via ICQ each
    time?
    Not long after, the attacks did indeed stop, yet I still have the same IP;
    powering down the modem last night did not yield a new IP, unfortunately.
    I have not yet dared to restart Trillian, though I should, to ascertain its
    importance or not.

    First I want some feedback, ideas: am I under attack, or am I worried for
    nothing?
    Peter, Jul 20, 2008
