dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
4081
share rss forum feed

Caveat

join:2012-03-01
USA

2 edits

Continuous Network Activity, Odd Firewall Behavior

NOTE: This post (and countless others, no doubt) obviously concerns both "connectivity" as well as "modem/router". Yet, I found myself unable to tick both categories and therefore reluctantly chose "none".

Hello again,

Ever since first setting it up last month, I've been experiencing some odd behavior with my Verizon DSL connection.

First, I see continuous, non-stop, low-level network activity (in both directions) that I cannot account for.

Below is the output from the netstat and ifconfig commands I ran right after booting into Ubuntu (GNU/Linux).

netstat output at boot:

caveat@ubuntu:~$ sudo netstat -anp | grep -e tcp -e udp
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1277/cupsd
tcp 1 0 192.168.1.36:53883 23.67.243.18:80 CLOSE_WAIT 1760/clock-applet
tcp6 0 0 ::1:631 :::* LISTEN 1277/cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* 1460/dhclient
caveat@ubuntu:~$

Output of ifconfig at boot:

eth1 Link encap:Ethernet HWaddr [I redacted what appeared here because I wasn't sure whether posting it could compromise my privacy or security in some way]
inet addr:192.168.1.[xx] Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: [redacted] Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:81 errors:0 dropped:0 overruns:0 frame:0
TX packets: 27 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes: 14460 (14.4 KB) TX bytes: 2957 (2.9 KB)
Interrupt:18

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::[redacted] Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:720 (720.0 B) TX bytes:720 (720.0 B)

And now the ifconfig output after ten-fifteen minutes of being completely idle as far as I could tell (had only the terminal and gedit text-editor open. Notice the additional traffic in both directions: (lo remained the same each time, so I didn't bother copying the output)


eth1 Link encap:Ethernet HWaddr [redacted]
inet addr:192.168.1.[xx] Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: [redacted] Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets: 790 errors:0 dropped:0 overruns:0 frame:0
TX packets: 131 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes: 59842 (59.8 KB) TX bytes: 9619 (9.6 KB)
Interrupt:18



Just a few minutes later, a little more traffic still:

eth1 Link encap:Ethernet HWaddr [redacted]
inet addr:192.168.1.[x] Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: [redacted] Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets: 1126 errors:0 dropped:0 overruns:0 frame:0
TX packets: 180 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes: 81346 (81.3 KB) TX bytes: 12755 (12.7 KB)
Interrupt:18

The "Network Monitoring" app in PCLinuxOS* also showed continuous low-level network activity in both directions-- even when the same netstat command did not show any services listening on any ports.

(*PCLOS had been my primary distro up until today and the one I first set-up the new Verizon DSL connection with)

My router (provided by Verizon) is the Westell 7500 ( Model: A90-750015-07, Rev:Z, Made in China 06/2011) and I have not set up any wireless at all yet, so this is with just the standard ethernet connection.

The green E1 light on the router continuously blinks slowly-- maybe once, sometimes twice per second. The "Internet" light seems somewhat erratic; I monitored it fairly closely today while waiting to get the ifconfig output that I posted above (with nothing open other than a terminal and a text editor), and did not notice it blink at all during that short period. However, I'm pretty sure that there were many times in the past when despite being completely idle as far as I could see, I noticed the "Internet" light blinking.

Another thing that has me completely baffled:

I have run many port scans at the GRC "Shield's Up!" site-- some with my software firewall and my router firewall both enabled, some with both of them disabled, and others with various combinations of each... And I always get the same result regardless. This is true not only for the two GNU/Linux installations that I have now used this router/DSL account with (PCLinuxOS and now Ubuntu) but also for all of the several other distros that I have tried running live during this time.

In contrast, when I used dialup, my port scan results would vary quite distinctly depending upon the status and settings of my software firewall as well as the ISP I was using.

This is what I get from GRC (every time):

said by GRC Shield's Up! :

Results from scan of ports: 0-1055

0 Ports Open
3 Ports Closed
1053 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be CLOSED were: 20, 21, 500

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

I'm not worried about the results themselves (Seems like most of those who really know security don't consider "stealth" necessary-- or even ideal in all circumstances). What concerns me is what I already described above: How could I possibly get the exact same results regardless of my both router firewall settings as well as my OS/software firewall/port settings?!

At the same time, I know that changing the setting of the Westell firewall through the GUI at »192.168.1.1 actually does make a difference in what traffic can get through...Only after doing just that was I was finally able to connect to a key server to import a GPG signing key...

So, to summarize, my two basic questions are:

1.) Why do I have constant network activity even when completely idle?
and
2.) Why is there never any variation in the results of my port scans-- whether I have both my router and and software firewalls at the max settings, or have neither of them enabled at all, the port scan results show no difference whatsoever.

I thank everyone who took the time to read this and for any help that anyone may be able to offer in solving this mystery to me.


Smith6612
Premium,MVM
join:2008-02-01
North Tonawanda, NY
kudos:24
Reviews:
·Verizon Online DSL
·Frontier Communi..

1 recommendation

1: Try disabling network scanning in the Westell 7500's "My Network" link in the GUI. The ARP traffic you're seeing is from that.

2: This is due to NAT. If the Firewall on the modem and system is being disabled, NAT is still at play, and if your system has nothing listening in on a port, that is also at play.


Caveat

join:2012-03-01
USA

1 edit

Thanks Smith6612 and sorry for not replying sooner. (Had tried but site was down)

See below.

said by Smith6612:

1: Try disabling network scanning in the Westell 7500's "My Network" link in the GUI. The ARP traffic you're seeing is from that.

That did it!

But is there any downside to having network scanning disabled?

2: This is due to NAT. If the Firewall on the modem and system is being disabled, NAT is still at play, and if your system has nothing listening in on a port, that is also at play.

Wait... I thought that NAT is the router firewall (hence the term "NAT router")?!

Caveat

join:2012-03-01
USA

Note to Mods: It now seems to me that this thread is not so much specific to Verizon as to DSL routers/modems in general, and the Westell 7500 in particular.

So perhaps it should be moved to a more appropriate forum?
.......

Another concern I have regarding my Westell 7500:

I sometimes notice the "Internet" LED flickering when the ethernet cable is unplugged from my computer (or any other device). (And wireless is disabled)

What could explain that?

Thanks again.



Alex G Bell

join:2002-07-02
Boston, MA
reply to Caveat

I don't know if this answers your question or not, but if ICMP ping is disabled (it is enabled by default in the Westell 7500 in router mode--but not bridge mode--I don't think there is an easy way to turn it off) the ATM switch in the ISP's WAN network can still ping your modem (OAM test); this is one way it knows the modem is connected to your line when in bridge mode--the flickering DSL light you see may be because of it, or it may be because of a failed malicious port inquiry. Oh, sorry, you meant the "internet" light, sorry.
--
"Remember, Comrade, people who are willing to destroy an efficient telephone system may not be playing with a full deck."



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

said by Alex G Bell:

I don't know if this answers your question or not, but if ICMP ping is disabled (it is enabled by default in the Westell 7500 in router mode--but not bridge mode--I don't think there is an easy way to turn it off)..

I point to »Verizon Online DSL FAQ »How do I stealth all ports on my Westell 7500 modem router
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.


Alex G Bell

join:2002-07-02
Boston, MA

1 recommendation

You are certainly right; my memory was confused between the ICMP ping issue and the FTP issue. As I now remember, I could not stealth the FTP ports without disabling FTP entirely on the Westell (6100G as I recall).
--
"Remember, Comrade, people who are willing to destroy an efficient telephone system may not be playing with a full deck."


Caveat

join:2012-03-01
USA

1 edit

Now the "Internet" LED -- but none of the other LEDs-- is flickering like mad while I am connected, browser open, but idle as far as I can see.
...........
Thanks for trying to help, Alex G.Bell.
_________________________

From what I've seen, including in posts right here at DSLR, there seems to be a fairly broad consensus among security experts that achieving "stealth" is unnecessary and perhaps even undesirable.


Caveat

join:2012-03-01
USA
reply to Caveat

Since it has been close to two weeks now without any reply to my posts, I have decided to summarize the remaining, unresolved questions/concerns regarding my Westell 7500:

1.) Is there any downside to disabling the network scanning that had been causing the continuous activity that I had originally asked about?

2.) The "Internet" LED sometimes flickers continuously when the ethernet cable is unplugged from my computer (or any other device) (And wireless is disabled)

What could cause this?

3.) Regarding the Internet LED flickering while connected but idle as far as I can see, is there anything (other than some overlooked legitimate net traffic on my system) that could cause this?

4.) Is there a way to temporarily disable NAT in order to test a software firewall or to see which ports may be blocked by Verizon?

5.) Finally,


As I have noted previously, it would appear, from a number of posts I have seen here and elsewhere, that there seems to be a fairly broad consensus among security experts that achieving "stealth" is unnecessary and perhaps even undesirable.

Yet, in the FAQ entry linked above, there is no mention that the issue is even controversial and the implication is that stealthing all ports is something that one should do. Shouldn't this be corrected?


aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

said by Caveat:

1.) Is there any downside to disabling the network scanning that had been causing the continuous activity that I had originally asked about?

I do not know for sure, but I am taking an educated guess - if that helps.

If forwarding ports with network scanning enabled, you can select the device that you want to forward to.

If network scanning is disabled: To forward ports, you must enter in the IP Address of the device that you want to forward to.

said by Caveat:

2.) The "Internet" LED sometimes flickers continuously when the ethernet cable is unplugged from my computer (or any other device) (And wireless is disabled)

What could cause this?

As addressed by Alex G Bell See Profile

#1 The router is repling to ping?

OR

#2 it may be because of a failed malicious port inquiry?

said by Caveat:

3.) Regarding the Internet LED flickering while connected but idle as far as I can see, is there anything (other than some overlooked legitimate net traffic on my system) that could cause this?

See above.

said by Caveat:

4.) Is there a way to temporarily disable NAT in order to test a software firewall or to see which ports may be blocked by Verizon?

#1 One of the ways is to follow the info that is at »Verizon Online DSL FAQ »How do I use a router with the Westell 6100?

#2 Another way might be to use Firewall -> DMZ Host OR Firewall -> Static NAT.

See the sample screens shots of what the DMZ Host and Static NAT feature(s) look like in my modem combo in the thread »[modem/router] Putting Westell G90-6100 into bridge mode

said by Caveat:

5.) Finally,


As I have noted previously, it would appear, from a number of posts I have seen here and elsewhere, that there seems to be a fairly broad consensus among security experts that achieving "stealth" is unnecessary and perhaps even undesirable.

Yet, in the FAQ entry linked above, there is no mention that the issue is even controversial and the implication is that stealthing all ports is something that one should do. Shouldn't this be corrected?

If you think it should, use the Got Feeback Link..
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.