fonzbear2000
Premium
join:2005-08-09
Saint Paul, MN
2 edits | There are a TON of "found attack from" on my security log!
Should I be worried?
This is just a few of them:
=>Found attack from 88.176.90.132.
Source port is ICMP and destination port is ICMP which use the ICMP protocol.
Sun Jun 21 15:22:52 2009
=>Found attack from 60.53.191.84.
Source port is ICMP and destination port is ICMP which use the ICMP protocol.
Sun Jun 21 15:24:56 2009
=>Found attack from 66.6.136.35.
Source port is 47458 and destination port is 22 which use the TCP protocol.
Sun Jun 21 15:29:03 2009
=>Found attack from 80.57.208.203.
Source port is 2401 and destination port is 10370 which use the TCP protocol.
Sun Jun 21 15:31:06 2009
=>Found attack from 90.193.205.229.
Source port is ICMP and destination port is ICMP which use the ICMP protocol.
Sun Jun 21 15:43:58 2009
=>Found attack from 83.171.11.253.
Source port is ICMP and destination port is ICMP which use the ICMP protocol.
Sun Jun 21 15:46:33 2009
=>Found attack from 86.100.100.246.
Source port is ICMP and destination port is ICMP which use the ICMP protocol.
Something called "WAN ping blocking" is enabled and it's supposed to block ICMP pings.
"Block ICMP Ping
Computer hackers use what is known as "Pinging" to find potential victims on the Internet. By pinging a specific IP address and receiving a response from the IP address, a hacker can determine that something of interest might be there. The Router can be set up so it will not respond to an ICMP Ping from the outside. This heightens the level of security of your Router. To turn off the ping response, select "Block ICMP Ping" and click "Apply Changes". The router will not respond to an ICMP ping. "
--
»Check this out! |
|
Its a Secret
Whatever
Premium
join:2008-02-23
U B Funny
 ·Shaw
| You have no concerns there. As a matter of fact, blocking your WAN ping can cause your connection to drop. A ping is just a ping, nothing more. If you have no ports open, they just bounce.
--
"In the future, that which is not mandatory will be illegal"
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
 ·AT&T U-Verse
 ·AT&T Midwest
| reply to fonzbear2000
Nothing to worry about there. Most of us consider that to be "internet background noise". That's actually a fairly low level.
If your ISP assigns you an IP that had been used by a gamer or a heavy P2P user, you would probably see a higher rate of warnings.
--
AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11 |
|
fonzbear2000
Premium
join:2005-08-09
Saint Paul, MN
| reply to Its a Secret
said by Its a Secret  :You have no concerns there. As a matter of fact, blocking your WAN ping can cause your connection to drop. A ping is just a ping, nothing more. If you have no ports open, they just bounce. I'm just curious. On my previous wireless router, I would completely lose my connection and have to reset the router to get it back. Is that what a connection drop is?
--
»Check this out! |
|
Its a Secret
Whatever
Premium
join:2008-02-23
U B Funny | Yep, that would be it. |
|
fonzbear2000
Premium
join:2005-08-09
Saint Paul, MN
| said by Its a Secret :Yep, that would be it. Well, if my connection drops at all, I'll uncheck it, but my previous Dlink wireless G router didn't even have that option and the connection dropped on that all the frickin' time so I'm hoping that this is actually preventing it.
--
»Check this out! |
|
Its a Secret
Whatever
Premium
join:2008-02-23
U B Funny | It really is ok to have pings enabled. There is zero security concern here. |
|
fonzbear2000
Premium
join:2005-08-09
Saint Paul, MN
| said by Its a Secret :It really is ok to have pings enabled. There is zero security concern here. Ya, but 6 days in a row without a connection drop while on the previous router, I would get at least 2-3 a week. It's all good.  If I get any drops, I'll disable it.
--
»Check this out! |
|
docrice
join:2008-03-31
Fremont, CA
| reply to fonzbear2000
I'll be the first to say it - early consumer-grade routers from years ago sucked. The fact that some models would occasionally "lock-up" for some reason and required a hard reset in order to function properly wasn't acceptable in my eyes. If you had this with business-class equipment, makers like Cisco, Nortel, Juniper, etc., would be overwhelmed by angry support tickets. Granted, you have the occasional DoS or odd bug in any network-OS code (such as Cisco IOS), but that's more of an exception than the rule.
It looks like the cheap devices have upped in terms of quality and feature set over time though.
What you are seeing in your logs is your typical automated portscans and service enumeration attempts from attackers via their own systems or, more likely, from hijacked systems that they have successfully compromised. It's a fact of life, just like pollution. ICMP blocking typically means that ICMP type 8 (echo request) is dropped at your router's interface designated for external networks (the Internet). For home broadband connections, setting it to drop is pretty common. On business production systems, that might not necessarily be appropriate.
It's possible some ISPs might occasionally check DHCP leases on their subscriber accounts by sending an ICMP check based on their IP lease records just to check their "alive" states, somewhat like SNMP. If that's the case, you may wish to let the router allow ICMP responses (or at least type 0, echo response), assuming your router's management console allows you the granularity in selecting which ICMP types to permit / drop / reject. |
|
fonzbear2000
Premium
join:2005-08-09
Saint Paul, MN
| said by docrice :It's possible some ISPs might occasionally check DHCP leases on their subscriber accounts by sending an ICMP check based on their IP lease records just to check their "alive" states, somewhat like SNMP. If that's the case, you may wish to let the router allow ICMP responses (or at least type 0, echo response), assuming your router's management console allows you the granularity in selecting which ICMP types to permit / drop / reject. Thanks, but considering that block ICMP was checked by default and things seem to be going fine so far, I think I'm going to leave it be. If I start to get dropped connections, I'll try unchecking it.
--
»Check this out! |
|
