AustinTech (Anon @70.196.2.x)

Need a little help from a Firewall Maverick

I've been trying to come up with an answer for the last 2 months regarding some suspicious log entries from my gateway's firewall logs. The log entries concern possible SYN FLOOD and STEALTH SCAN attempts as flagged by the IDS. However, the source is being flagged as various devices on my LAN (cell phone, laptop and PS4) in each instance. Inevitably I've hit dead ends trying to find an answer in my own research on this and have decided to take to the forums for assistance. I've exhausted the most obvious avenues for support (ISP, gateway manufacturer) and have hit brick walls on both ends. My ISP does not provide support on the gateway (even though they lease it) and the manufacturer will not provide support as I am not the MSO (ISP) who owns the equipment. So needless to say I am at an impasse. Any help or knowledge that anyone with firewall configuration experience can provide is GREATLY appreciated, as is their time, as I've reached the limit of my knowledge with troubleshooting this. The gateway is a Hitron Tech. Model - CGN gateway (cable modem/router). I apologize in advance for the lengthy post but wasn't sure how best to explain this without being as detailed as possible, so I apologize for any unintended spam.

In regards to the logs, I have 4 dates in particular where suspicious activity was logged. I have been unsuccessful in determining whether these are false positives or something more malicious. Below are the logs, respective to their dates, as well as information relevant to what was occurring during these timeframes. I've removed my IPs in the logs and replaced them with obvious entries relevant to the type of connection to the network, what device was being used, activity and total time on the LAN around the time of the log entry. Time also includes periods of idle connection (device connected to the network but no browsers open).

(Wireless, via Laptop, 2 hours, Light Browsing.)

Warning 2014/11/18 05:12:03 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.221 LEN=48
Warning 2014/11/18 05:12:03 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=67.217.177.30 LEN=52
Warning 2014/11/18 05:12:02 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=50.116.194.21 LEN=48
Warning 2014/11/18 05:12:02 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=67.217.177.62 LEN=48
Warning 2014/11/18 05:12:02 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=208.71.122.1 LEN=48
Warning 2014/11/18 05:12:01 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=199.166.0.200 LEN=52
Warning 2014/11/18 05:12:01 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.220 LEN=48
Warning 2014/11/18 05:12:00 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=208.71.122.1 LEN=48
Warning 2014/11/18 05:12:00 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=162.248.16.24 LEN=48
Warning 2014/11/18 05:12:00 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=69.172.216.111 LEN=52
Warning 2014/11/18 05:11:59 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=208.71.122.1 LEN=48
Warning 2014/11/18 05:11:57 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.220 LEN=52
Warning 2014/11/18 05:11:57 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.164.105.38 LEN=52
Warning 2014/11/18 05:11:57 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=107.22.160.47 LEN=52
Warning 2014/11/18 05:11:56 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=63.241.108.124 LEN=52
Warning 2014/11/18 05:11:56 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.202.177 LEN=52
Warning 2014/11/18 05:11:56 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=152.163.13.76 LEN=52
Warning 2014/11/18 05:11:55 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=63.241.108.124 LEN=52
Warning 2014/11/18 05:11:55 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=216.120.27.21 LEN=52
Warning 2014/11/18 05:11:55 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.194.77.154 LEN=52
Warning 2014/11/18 05:11:54 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=107.22.160.47 LEN=52
Warning 2014/11/18 05:11:54 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.220 LEN=52
Warning 2014/11/18 05:11:54 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=50.18.112.4 LEN=48
Warning 2014/11/18 05:11:52 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=199.166.0.200 LEN=52
Warning 2014/11/18 05:11:52 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=216.120.27.21 LEN=48
Warning 2014/11/18 05:11:51 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=98.138.49.43 LEN=52
Warning 2014/11/18 05:11:51 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=205.210.186.110 LEN=52
Warning 2014/11/18 05:11:51 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=216.151.217.9 LEN=48
Warning 2014/11/18 05:11:50 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=162.248.16.24 LEN=48
Warning 2014/11/18 05:11:50 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=69.172.216.56 LEN=52
Warning 2014/11/18 05:11:50 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.191.221.2 LEN=52
Warning 2014/11/18 05:11:49 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.220 LEN=48
Warning 2014/11/18 05:11:49 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.148.100.145 LEN=48
Warning 2014/11/18 05:11:48 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.220 LEN=48
Warning 2014/11/18 05:11:47 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.84.168.77 LEN=48
Warning 2014/11/18 05:11:46 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.221 LEN=52
Warning 2014/11/18 05:11:46 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.202.201 LEN=52
Warning 2014/11/18 05:11:45 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.221 LEN=52
Warning 2014/11/18 05:11:45 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=162.248.16.24 LEN=52
Warning 2014/11/18 05:11:45 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=63.241.108.124 LEN=52
Warning 2014/11/18 05:11:44 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=198.8.71.228 LEN=48
Warning 2014/11/18 05:11:44 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=63.241.108.124 LEN=48
Warning 2014/11/18 05:11:44 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=63.241.108.124 LEN=52
Warning 2014/11/18 05:11:43 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=152.163.13.76 LEN=52
Warning 2014/11/18 05:11:43 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=107.22.160.47 LEN=52
Warning 2014/11/18 05:11:42 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=199.166.0.200 LEN=52
Warning 2014/11/18 05:11:41 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=50.116.194.21 LEN=52
Warning 2014/11/18 05:11:41 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=162.248.16.24 LEN=48
Warning 2014/11/18 05:11:40 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=67.217.177.62 LEN=52
Warning 2014/11/18 05:11:40 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=74.125.227.156 LEN=48
Warning 2014/11/18 05:11:40 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=192.155.195.218 LEN=52
Warning 2014/11/18 05:11:39 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=208.71.122.1 LEN=52

(Wireless, via Cell Phone, 1 Hour, Light Browsing.)

Warning 2014/11/18 22:27:42 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.137 LEN=79
Warning 2014/11/18 22:27:42 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.137 LEN=279
Warning 2014/11/18 22:27:11 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=625
Warning 2014/11/18 22:26:42 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=625
Warning 2014/11/18 22:26:40 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.130 LEN=79
Warning 2014/11/18 22:26:40 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.130 LEN=575
Warning 2014/11/18 22:26:40 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.137 LEN=79
Warning 2014/11/18 22:26:39 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.137 LEN=277
Warning 2014/11/18 22:26:39 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.138 LEN=79
Warning 2014/11/18 22:26:39 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.138 LEN=322
Warning 2014/11/18 22:26:38 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=79
Warning 2014/11/18 22:26:36 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=694
Warning 2014/11/18 22:26:36 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=645
Warning 2014/11/18 22:26:36 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.236.175 LEN=79
Warning 2014/11/18 22:26:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.236.175 LEN=503
Warning 2014/11/18 22:26:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=79
Warning 2014/11/18 22:26:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=695
Warning 2014/11/18 22:26:34 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=173.194.77.95 LEN=645
Warning 2014/11/18 22:26:34 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.136 LEN=79
Warning 2014/11/18 22:26:34 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=CELL_PHONE DST=74.125.227.136 LEN=514

(Wireless, via Laptop, 4 hours, Moderate Browsing.)

Warning 2014/11/19 23:48:40 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
Warning 2014/11/19 23:48:40 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
Warning 2014/11/19 23:48:39 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
Warning 2014/11/19 23:47:55 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
Warning 2014/11/19 23:47:54 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
Warning 2014/11/19 23:47:54 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
Warning 2014/11/19 23:47:10 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
Warning 2014/11/19 23:47:09 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
Warning 2014/11/19 23:47:09 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
Warning 2014/11/19 23:46:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
Warning 2014/11/19 23:46:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
Warning 2014/11/19 23:46:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41

(Wireless, via Laptop, 5 hours, Moderate Browsing.)

Warning 2014/11/24 11:11:28 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.68.23.58 LEN=89
Warning 2014/11/24 10:53:23 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.213.34.165 LEN=89
Warning 2014/11/24 10:53:19 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.68.69.17 LEN=89
Warning 2014/11/24 10:53:19 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.69.104.53 LEN=89
Warning 2014/11/24 10:33:30 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.200.161.50 LEN=89
Warning 2014/11/24 10:33:26 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.218.71.225 LEN=89
Warning 2014/11/24 10:33:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.68.69.17 LEN=89
Warning 2014/11/24 10:13:19 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.201.76.202 LEN=89
Warning 2014/11/24 10:13:15 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.218.17.157 LEN=89
Warning 2014/11/24 10:13:14 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.69.104.53 LEN=89
Warning 2014/11/24 09:56:26 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.201.230.39 LEN=89
Warning 2014/11/24 09:56:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.186.57.212 LEN=89
Warning 2014/11/24 09:47:14 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.244.36.66 LEN=89
Warning 2014/11/24 09:47:10 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.201.230.39 LEN=89
Warning 2014/11/24 09:47:09 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.218.71.225 LEN=89
Warning 2014/11/24 09:34:19 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.200.156.110 LEN=89
Warning 2014/11/24 09:34:15 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.201.230.39 LEN=89
Warning 2014/11/24 09:34:14 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.68.23.58 LEN=89
Warning 2014/11/24 09:01:33 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.200.222.150 LEN=89
Warning 2014/11/24 09:01:29 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.201.140.246 LEN=89
Warning 2014/11/24 09:01:28 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=54.201.142.223 LEN=89
Warning 2014/11/24 08:54:21 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=172.233.42.170 LEN=40

(*PLEASE NOTE* After troubleshooting to the best of my abilities and after being unable to turn up any results of malware/spyware/trojans via several different scans on the laptop, I made the decision to replace the gateway with a new one from the ISP on 11/30 (same model), to begin the process of elimination. I also re-imaged the laptop and re-formatted the cell phone the same day. After receiving the new gateway, I configured settings the same as the prior gateway (Block Ping from WAN, Block ACK, Automatic DHCP IP Assignment, Firewall "On", Intrusion Detection "On"), with one exception: I completely disabled wireless on the new one. I have since connected only 2 devices to the new gateway via wired connection, both at separate times, the laptop and a PS4. The laptop has not triggered any alerts since re-imaging; however, the PS4 did, which is ironic as it did not trigger even one alert in the 2 weeks since I have had it on the last router. Log below.)

(Wired, via PS4, 5 hours, Online Gameplay)

Warning 2014/12/01 06:45:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.69.104.53 LEN=89
Warning 2014/12/01 06:41:26 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.186.53.115 LEN=89
Warning 2014/12/01 06:41:21 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
Warning 2014/12/01 06:41:21 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.142.223 LEN=89
Warning 2014/12/01 06:29:48 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.57.40 LEN=89
Warning 2014/12/01 06:29:44 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.144.223 LEN=89
Warning 2014/12/01 06:29:43 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89
Warning 2014/12/01 06:25:20 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
Warning 2014/12/01 06:25:20 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.137.111 LEN=89
Warning 2014/12/01 06:20:30 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.186.212.146 LEN=89
Warning 2014/12/01 06:20:26 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.69.104.53 LEN=89
Warning 2014/12/01 06:20:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
Warning 2014/12/01 06:11:59 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=50.112.184.91 LEN=89
Warning 2014/12/01 06:11:31 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.191.147.149 LEN=89
Warning 2014/12/01 06:11:30 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89
Warning 2014/12/01 06:07:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.191.147.149 LEN=89
Warning 2014/12/01 06:07:34 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.191.255.55 LEN=89
Warning 2014/12/01 06:03:11 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.213.154.208 LEN=89
Warning 2014/12/01 06:02:52 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.142.223 LEN=89
Warning 2014/12/01 06:02:51 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.191.147.149 LEN=89
Warning 2014/12/01 05:55:13 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
Warning 2014/12/01 05:55:11 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.191.182.174 LEN=89
Warning 2014/12/01 05:53:54 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.187.9.15 LEN=89
Warning 2014/12/01 05:53:54 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.200.78 LEN=89
Warning 2014/12/01 05:49:28 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89
Warning 2014/12/01 05:49:27 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.69.80.237 LEN=89
Warning 2014/12/01 05:44:44 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.57.40 LEN=89
Warning 2014/12/01 05:44:24 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.200.78 LEN=89
Warning 2014/12/01 05:44:23 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.144.223 LEN=89
Warning 2014/12/01 05:37:59 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.200.78 LEN=89
Warning 2014/12/01 05:37:58 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.68.219.11 LEN=89
Warning 2014/12/01 05:35:49 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.186.56.109 LEN=89
Warning 2014/12/01 05:34:45 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
Warning 2014/12/01 05:33:35 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.69.196.86 LEN=89
Warning 2014/12/01 05:33:34 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.186.15.106 LEN=89
Warning 2014/12/01 05:26:33 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.12.187 LEN=89
Warning 2014/12/01 05:26:05 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.68.69.17 LEN=89
Warning 2014/12/01 05:26:04 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.68.23.58 LEN=89
Warning 2014/12/01 05:24:04 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.187.9.15 LEN=89
Warning 2014/12/01 05:24:03 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.247.112 LEN=89
Warning 2014/12/01 05:17:57 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.187.201.42 LEN=89
Warning 2014/12/01 05:17:21 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89
Warning 2014/12/01 05:17:20 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.144.223 LEN=89
Warning 2014/12/01 05:13:15 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=50.112.131.237 LEN=89
Warning 2014/12/01 05:13:13 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.47.46 LEN=89
Warning 2014/12/01 05:09:54 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.186.56.109 LEN=89
Warning 2014/12/01 05:09:43 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.230.39 LEN=89
Warning 2014/12/01 05:09:42 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.200.78 LEN=89
Warning 2014/12/01 05:05:47 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.68.23.58 LEN=89
Warning 2014/12/01 05:05:46 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.213.56.185 LEN=89
Warning 2014/12/01 05:00:47 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.156.110 LEN=89
Warning 2014/12/01 05:00:16 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89
Warning 2014/12/01 05:00:15 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.200.144.223 LEN=89
Warning 2014/12/01 04:55:05 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.17.157 LEN=89
Warning 2014/12/01 04:55:03 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=50.112.154.67 LEN=89
Warning 2014/12/01 04:51:48 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.187.28.170 LEN=89
Warning 2014/12/01 04:51:26 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.201.140.246 LEN=89
Warning 2014/12/01 04:51:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=PS4 DST=54.218.71.225 LEN=89

AustinTech (Member, join:2014-12-02)

Sorry mods. Just realized registered users can't see my post prior as I didn't complete registration first. My apologies.

HELLFIRE (MVM, join:2009-11-25) to AustinTech

Make / model of the "gateway" this was from? EDIT: Never mind, you supplied it -- Hitron Tech. Model - CGN gateway.
I presume this is it?

If so, I would trust this "gateway" IDS functionality as far as I can kick it, as there's not a lot of brains/horsepower behind it.

Secondly, this is where I'd go from here:

a) start cross-referencing the listed IP addresses with resources / URLs. I trust you know how to use the Regional Internet Registries and NSLOOKUP? Determine if they are URL(s) you are actively using/browsing to, and what.

b) you could get a program called wireshark to watch for this supposedly malicious traffic. From the looks of things, you're basically looking for traffic FROM your LAN host(s) TO the specified destination IP addresses with TCP flag set to SYN (SYN flood) or FIN (Stealth Scan).

Where you need to go from there I can't say... but this should at least determine whether this is the "gateway" that's going stupid or not.

Otherwise, if you don't have a serious need for IDS, I'd turn this "feature" off, just for the sake of your own sanity.

My 00000010bits

Regards
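
The gateway log quoted at the top of the thread and HELLFIRE's two suggestions (cross-reference the destination addresses; watch the LAN-to-destination traffic in Wireshark for SYN or FIN) can be worked through with a short script. The following is an added example written for this page, not code from the thread, from Hitron or from the poster: it parses the log format shown above (a constructed five-line sample is embedded), summarises each alert group by duration, direction and number of distinct destinations, and builds the Wireshark display filter for the matching traffic. The LAN address 192.168.0.10 is a placeholder for whatever real address the poster replaced with LAPTOP or PS4.

```python
"""Triage helper for the Hitron [IDS:...] warnings quoted in the thread.

Added example, not Hitron's code and not the poster's: parses the log
format shown in the post, summarises each (signature, source) group and
emits the Wireshark display filter HELLFIRE describes (LAN host -> DST,
SYN set for SYN_FLOOD, FIN set for STEALTH_SCAN).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the exact format of the post (the real log has
# many more lines; SRC is the poster's placeholder for a LAN address).
SAMPLE_LOG = """\
Warning 2014/11/18 05:12:03 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=173.241.244.221 LEN=48
Warning 2014/11/18 05:12:02 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=50.116.194.21 LEN=48
Warning 2014/11/18 05:11:39 [IDS:SYN_FLOOD] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=208.71.122.1 LEN=52
Warning 2014/11/19 23:48:40 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
Warning 2014/11/19 23:46:25 [IDS:STEALTH_SCAN] IN=eth0.1 OUT=wan1 SRC=LAPTOP DST=96.17.203.131 LEN=41
"""

LINE_RE = re.compile(
    r"^Warning (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[IDS:(?P<sig>[A-Z_]+)\] IN=(?P<in>\S+) OUT=(?P<out>\S+) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S")
        ev["len"] = int(ev["len"])
        events.append(ev)
    return events


def summarise(events):
    """Group alerts by (signature, source) and describe each burst.

    fan_out = distinct destinations / alerts is the quick triage number:
    a page load spreads SYNs over many hosts, a flood hammers one.
    IN/OUT tell you which way the IDS is looking (eth0.1 -> wan1 is LAN-to-WAN).
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["sig"], ev["src"])].append(ev)
    summary = {}
    for key, evs in groups.items():
        times = sorted(e["ts"] for e in evs)
        dsts = {e["dst"] for e in evs}
        summary[key] = {
            "alerts": len(evs),
            "span_s": (times[-1] - times[0]).total_seconds(),
            "distinct_dst": len(dsts),
            "fan_out": len(dsts) / len(evs),
            "direction": f"{evs[0]['in']}->{evs[0]['out']}",
            "dsts": sorted(dsts),
        }
    return summary


def wireshark_filter(sig, src_ip, dst_ips):
    """Wireshark display filter for the traffic behind one alert group.

    Uses the flag mapping from HELLFIRE's reply: bare SYNs for SYN_FLOOD,
    FIN for STEALTH_SCAN. src_ip is the real LAN address (placeholder here).
    """
    flags = {
        "SYN_FLOOD": "tcp.flags.syn == 1 && tcp.flags.ack == 0",
        "STEALTH_SCAN": "tcp.flags.fin == 1",
    }[sig]
    dst = " || ".join(f"ip.dst == {ip}" for ip in sorted(dst_ips))
    return f"ip.src == {src_ip} && ({dst}) && {flags}"


if __name__ == "__main__":
    for (sig, src), s in summarise(parse_log(SAMPLE_LOG)).items():
        print(f"{sig} from {src}: {s['alerts']} alerts over {s['span_s']:.0f}s, "
              f"{s['distinct_dst']} distinct destinations ({s['direction']})")
        print("   ", wireshark_filter(sig, "192.168.0.10", s["dsts"]))
```

Paste the full log from the post in place of the sample to get the real numbers. Read that way, the 11/18 burst is 52 alerts in 24 seconds to 28 distinct destinations, with IN=eth0.1 OUT=wan1 on every line: the IDS is firing on LAN-to-WAN traffic (which already answers the direction question raised later in the thread), and the fan-out looks like a browser opening connections to every ad and CDN host on a page rather than a flood aimed at one target. Feeding each address in `dsts` to `nslookup` or `whois` (HELLFIRE's step a) is how you confirm which ones are advertisers, CDNs or game servers.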

AustinTech (Member, join:2014-12-02)

Thanks for your reply HELLFIRE. Yep, that link would be the correct one in regards to the gateway. Unfortunately I am not very knowledgeable with nslookup and I'm not 100% sure how to cross-reference the IPs with URLs. I've done whois searches on the majority of the IPs, which seem to be a good majority of advertising servers (Akamai, OpenX, Google) and various others. I'm wondering if these aren't just advertisements loading on specific pages. The IPs listed in the log involving the PS4 seem to all belong to Amazon (AWS, EC2) with dynamic domains. Not sure if Sony is using Amazon servers for gameplay. I am at a loss as I know little involving the specifics of networking outside the LAN. I've considered getting my own router/modem; however, I'm limited on knowledge with dealing with the details of most configurations these days, which is inevitably why I bit on the "lease from us and don't worry" pitch from the ISP. Big mistake. It seems to be near impossible to find support on the functionality of the firewall even from the manufacturer. Peace of mind these days has become a rare commodity when it comes to support and security. Wish I had done more studying on network security when I was a little younger instead of waiting until now, when time has become more of a luxury. Thanks for being patient and taking the time to answer though. I'm hesitant on disabling the IDS as I'm afraid that if it is something malicious I might miss something more conclusive. Yeah, the whole preservation of sanity in this case seems to be an unfair tradeoff when dealing with a $15 a month headache, lol.

AustinTech (Member)

Just saw that the ISP actually has a forum here in the community. Even though they are refusing to support the hardware, I would think at least one person who subscribes to their service has to have encountered this if they are still providing this gateway to the public. Maybe someone has had some success with this or encountered similar if not exact issues, given their consumer base. Is there a way to move the thread to the Suddenlink forum? Any mods who might be able to help? I apologize, but it seems I might get a little more feedback had I started this in that forum instead of the security forum, based on the given facts. Please forgive the oversight. Would have used the "Hey Mod" function but wasn't sure if that was necessary for this specific request or for violations of forum rules.

HELLFIRE (MVM, join:2009-11-25) to AustinTech

NSLOOKUP -- from the command prompt of whatever OS you're using.

Regional Internet Registries:
- apnic.net
- lacnic.net
- arin.net
- ripe.net
- afrinic.net

Your theory that this is related to advertising is a possibility; the only way to be sure is wireshark. However, if you feel out of your depth with networking, I'd probably stay away from this program.

Only other thing I can think of is contacting the manufacturer of the gear and asking which direction this IDS works in: LAN to WAN, or WAN to LAN. If the former, I'd personally turn this off, for the reasons I originally stated.

My 00000010bits

Regards

GeorgetownTX (Member, join:2006-11-28, Georgetown, TX) to AustinTech

Sometimes a firewall's SYN flood detection algorithm is a bit too sensitive, or detects in an unwanted direction (LAN-to-LAN, LAN-to-WAN, instead of just WAN-to-LAN). Browsing a dense web page with a lot of embedded advertisements can create a lot of TCP connection requests in a very short time, and that might trigger the SYN flood clamp.
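
To make that mechanism concrete, here is a small model of such a clamp, added for this page and not Hitron's algorithm (which the thread does not have): a per-source sliding-window counter that alerts once a source has sent more than a threshold of bare SYNs inside the window. It is run over two constructed event streams, a laptop loading an ad-heavy page and an outside host flooding one inbound service, first inspecting both directions and then only WAN-to-LAN. Threshold, window, addresses and timings are all made up for the illustration.

```python
"""Sliding-window SYN-flood clamp, as a model of the behaviour
GeorgetownTX describes. Added example; not the gateway's real code.
"""
from collections import deque


def syn_flood_alerts(events, threshold, window_s, inspect_directions):
    """events: iterable of (t_seconds, direction, src, dst), one per bare SYN.

    Keeps, per source, a deque of SYNs seen in the last window_s seconds and
    raises an alert whenever that deque holds more than `threshold` entries.
    Returns (t, src, syns_in_window, distinct_dsts_in_window) per alert.
    Directions not in inspect_directions are ignored, which is the knob a
    better-configured IDS would set to WAN->LAN only.
    """
    windows = {}
    alerts = []
    for t, direction, src, dst in sorted(events):
        if direction not in inspect_directions:
            continue
        q = windows.setdefault(src, deque())
        q.append((t, dst))
        while q and t - q[0][0] > window_s:   # drop SYNs that aged out
            q.popleft()
        if len(q) > threshold:
            alerts.append((t, src, len(q), len({d for _, d in q})))
    return alerts


# Constructed: a laptop loading an ad-heavy page, 30 SYNs to 25 hosts in 6 s.
PAGE_LOAD = [(0.2 * i, "LAN->WAN", "LAPTOP", f"203.0.113.{i % 25 + 1}")
             for i in range(30)]
# Constructed: an outside host sending 30 SYNs to one inbound service in <1 s.
INBOUND_FLOOD = [(100 + 0.03 * i, "WAN->LAN", "198.51.100.7", "192.168.0.5")
                 for i in range(30)]
EVENTS = PAGE_LOAD + INBOUND_FLOOD


def compare(threshold=10, window_s=5):
    """Same clamp, two direction settings; returns the counts worth comparing."""
    both = syn_flood_alerts(EVENTS, threshold, window_s, {"LAN->WAN", "WAN->LAN"})
    inbound_only = syn_flood_alerts(EVENTS, threshold, window_s, {"WAN->LAN"})
    return {
        "lan_alerts_when_both": sum(1 for a in both if a[1] == "LAPTOP"),
        "lan_alerts_inbound_only": sum(1 for a in inbound_only if a[1] == "LAPTOP"),
        "wan_alerts_inbound_only": sum(1 for a in inbound_only if a[1] == "198.51.100.7"),
        # fan-out: how many distinct targets were inside the window at alert time
        "lan_fan_out": max(a[3] for a in both if a[1] == "LAPTOP"),
        "wan_fan_out": max(a[3] for a in both if a[1] != "LAPTOP"),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26} {value}")
```

With the clamp inspecting LAN-to-WAN, the page load produces a run of alerts even though its SYNs are spread over 25 different hosts; restricting the check to WAN-to-LAN drops those and keeps the real inbound burst, which hits a single destination. The distinct-destination count is the same fan-out test you would apply to the gateway log above: many destinations and short bursts point at a browser or a game client opening connections, not at a flood.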

AustinTech (Member, join:2014-12-02) to HELLFIRE

Thanks for your response HELLFIRE.

I actually just managed to get ahold of Hitron Technologies. It took me 5 emails and 4 strangely-dropped phone calls to their sales and support dept. They graced me with a response via email. Unfortunately, they refused to answer any of my questions regarding the router or its firewall/IDS and forwarded my response to the "appropriate Suddenlink contacts". This after I explained to them that Suddenlink was unable to answer any questions about the gateway and has already stated that they will not support it. I'm starting to feel like the tennis ball in a tennis match, lol. As for whether this IDS is LAN-to-WAN or vice versa, I'm suspecting that it is LAN-to-WAN, as I haven't seen any detections for inbound traffic from the WAN. That and the spec sheet I found online is of no use in regards to the IDS/firewall. Then again, the level of granularity as far as modifying the firewall or IDS is non-existent, with the exception of "Enable" or "Disable" and "Low, Medium and High". Without knowing for sure which direction of traffic this is pointed to inspect, I'm a little afraid to disable it. I'm assuming that the firewall portion is filtering the inbound traffic and if so I should be somewhat protected on that end? Thank you for taking the time to assist.

AustinTech (Member) to GeorgetownTX

Thanks for your response Georgetown.

I actually believe this to be the case with the SYN flood detections that were coming from my laptop and cell. Not sure about the stealth scan detections though, but I know I stopped browsing on both my laptop and cell after I reformatted both and swapped out the gateway with a new one, and I've had no detections from either thus far, even while connecting to my work's VPN. However, I got another detection from my IDS last night while playing an online game via the PS4. All the destination IPs belonged to Akamai and Amazon AWS/EC2 cloud services, with some of the DST IPs also listed in the logs for previous detections from my laptop and cell. This sort of defeats my theory on advertisements, as I was not viewing anything via a browser but playing a game online. I was unable to find anything online on whether Activision or Sony is using Akamai or Amazon rack space or hosting for cloud servers (except that the online service is based on P2P and that they are not using dedicated servers but globally-located servers), so I'm not sure if this may be the reason or, like you had stated, that the IDS/firewall's detection algorithm may be too sensitive.

GeorgetownTX (Member, join:2006-11-28, Georgetown, TX)

Ask SL if they'll replace the Hitron with an Arris.