 mratlboy
join:2009-07-07 Norman, OK
| [ALL] Cox: Router blocking China Requests / Allowing Broadcasts?
Cox and users of Cox Internet:
I have noticed for some time in my router logs that a lot of requests are coming from China (and other Asian countries...but mainly China) to make a connection to my router (using non-standard ports...the high port numbers that is). I have run virus/spyware tests and appear clean and I do not do peer to peer sharing.
I get dynamic IP addresses from Cox and I have refreshed many times to try and find an IP that is not being chased by China, but so far I cannot find a clean one. I do not think it is my machine sending a signal and then China trying to connect to me. It seems that China addresses are broadcasting to all of the Cox IP addresses (at least in my area - Oklahoma).
For those that know how, check your router or firewall logs for blocked incoming connections and use www.dnsstuff.com/ to reverse search the IP address to see where the offending IP address is from. Do you see some (or a lot) from China also?
-Does Cox allow broadcast requests to all of its IP addresses or do the Chinese offenders keep a list of all IPs it has ever seen?
-Can Cox block these broadcast requests (if that is what they are)?
-Is there anything I can do to stop these also (they are being blocked but they are constant)?
-Are these triggered events or broadcast attempts?
-A lot of stuff is made in China within networking and computers, are they phoning home (doubt it but it's another option)?
Hope there are people that know how to look into this - I can see what is going on in my router but I do not know what can be done about it.
Thanks for insight and help! -mratlboy |
|
  CoxTech1 VIP join:2002-04-25 Chesapeake, VA
1 edit | Re: [ALL] Cox: Router blocking China Requests / Allowing Broadca
I don't believe these issues you're seeing are unique to you or us as a service provider. I've been seeing these entries in my logs for a few years now. Typically my router will log well in excess of 100,000 entry attempts regardless of what IP address is being used. I don't believe they're using any sophisticated broadcast or anything to find IP addresses but rather using bots to randomly port scan IPs to see if they get lucky. If you dig a little deeper you might even find that this type of traffic is not only coming from China but most other parts of the world as well. At one time I had attempted to block such requests only to find that my blocklist had included nearly 1/2 of the Internet and my router's ACLs had simply grown too long for the router to keep up. |
|
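An added example (not part of any post in this thread): a Python sketch that tallies blocked inbound attempts from a router log and computes how many per-address block entries it would take to cover 80% of them, the list-growth problem described in the reply above. The netfilter-style line format and every address in the sample are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: netfilter-LOG-style lines (assumed format; a consumer
# router's log will differ). All addresses are documentation ranges.
SAMPLE_LOG = """\
Jul  7 10:01:02 gw kernel: DROP IN=wan SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=4431 DPT=42516
Jul  7 10:01:09 gw kernel: DROP IN=wan SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=4432 DPT=42516
Jul  7 10:02:41 gw kernel: DROP IN=wan SRC=192.0.2.77 DST=198.51.100.7 PROTO=UDP SPT=53211 DPT=51023
Jul  7 10:03:00 gw dhcpc: lease renewed
Jul  7 10:03:15 gw kernel: DROP IN=wan SRC=203.0.113.90 DST=198.51.100.7 PROTO=TCP SPT=6000 DPT=33445
Jul  7 10:04:52 gw kernel: DROP IN=wan SRC=192.0.2.14 DST=198.51.100.7 PROTO=TCP SPT=40022 DPT=22
Jul  7 10:05:30 gw kernel: DROP IN=wan SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=1025 DPT=23
Jul  7 10:06:11 gw kernel: DROP IN=wan SRC=192.0.2.201 DST=198.51.100.7 PROTO=UDP SPT=3074 DPT=49152
Jul  7 10:07:47 gw kernel: DROP IN=wan SRC=203.0.113.131 DST=198.51.100.7 PROTO=TCP SPT=52110 DPT=60001
"""

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def parse(line):
    """Return (src, proto, dst_port) for a blocked-packet line, else None."""
    f = dict(FIELD.findall(line))
    if "DROP" not in line or not {"SRC", "PROTO", "DPT"} <= f.keys():
        return None
    return f["SRC"], f["PROTO"], int(f["DPT"])

def blocklist_size(by_src, fraction):
    """Fewest per-IP block entries needed to cover `fraction` of the attempts."""
    target, covered = fraction * sum(by_src.values()), 0
    for entries, (_, hits) in enumerate(by_src.most_common(), start=1):
        covered += hits
        if covered >= target:
            return entries
    return 0

def summarize(log_text):
    """Tally blocked attempts by source and by (protocol, destination port)."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    by_src = Counter(src for src, _, _ in events)
    by_port = Counter((proto, port) for _, proto, port in events)
    return {
        "attempts": len(events),
        "sources": len(by_src),
        "top_port": by_port.most_common(1),
        "entries_for_80pct": blocklist_size(by_src, 0.8),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

When nearly every attempt comes from a different address, as in this sample, the block list grows almost as fast as the log itself.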
 Net_Neutral
join:2009-01-29 | reply to mratlboy /SIGH
This is nothing unique to you - or to Cox. Calm down, take a deep breath. The reason you're seeing logs in your firewall is because it's doing its job. That is what it is supposed to do. |
|
 mratlboy
join:2009-07-07 Norman, OK
| reply to mratlboy Thanks guys - did not know this and it sucks but guess I will shrug it off. You would think ISPs would note offending IPs and block them before they get to us - but maybe that is too overwhelming. I also thought the IP scans were deteriorating my Internet connection but maybe it is just my line - I'll get a tech to take a look.
Thanks for the bad news though  |
|
  CoxTech1 VIP join:2002-04-25 Chesapeake, VA
| Keep in mind that lots of this traffic is reflected off of PCs infected with remote access trojans, meaning an attack of this nature can come from literally any network, even Cox. I remember last year having to submit an abuse report for a subscriber in one of our markets for exactly this kind of activity. My point in the end would be if we blocked networks for this kind of traffic each time it happened the end result would be the entire Internet being blocked. |
|
 mratlboy
join:2009-07-07 Norman, OK
| reply to mratlboy Great...now I am paranoid about remote access trojans...lol. I just did some reading on it and many seem stealthy to spyware detectors. But due to this new fear, I found a tool that displays all TCP and UDP connections, as well as the processes connected to them: »technet.microsoft.com/en-us/sysi···437.aspx New to me at least and seems easier than netstat to get a quick view. |
|
  tubbynet reminds me of the danse russe Premium join:2008-01-16 Chandler, AZ
1 edit | said by mratlboy: Great...now I am paranoid about remote access trojans...lol. I just did some reading on it and many seem stealthy to spyware detectors. But due to this new fear, I found a tool that displays all TCP and UDP connections, as well as the processes connected to them: » technet.microsoft.com/en-us/sysi···437.aspx New to me at least and seems easier than netstat to get a quick view.
if you have a router/firewall and run a fully patched system, there is no need to worry (unless you are using the internet for questionable activities). now, it's harder than it seems to make a connection over some tcp or udp port. first, you have to have an open port in your router/firewall that actually leads to an active host. second, you need to have that port listening for connections on that same port. third, the correct service needs to be running to answer the connection (i.e. if you have a web server running on tcp/42516 but someone is trying to access ssh on tcp/42516, no connection will be made).
of course, if you have some spare tinfoil and time to make some hats, go right ahead 
q. -- "...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..." |
|
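An added example (not part of the thread): the listening-port and correct-service conditions from the reply above, shown on loopback only. Two toy listeners are started on 127.0.0.1, one greeting with an SSH-style banner and one waiting for a request as a web server would, and a client expecting SSH classifies each plus a port with no listener; the function names and banner string are hypothetical.

```python
import socket
import threading

def start_listener(greeting=b""):
    """Toy loopback listener on an ephemeral port; returns the port number.
    With a greeting it speaks first (as SSH does); without one it waits for
    the client's request (as a web server does)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    if greeting:
                        conn.sendall(greeting)
                    else:
                        conn.settimeout(1.0)
                        conn.recv(1024)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def check_ssh(host, port, timeout=0.5):
    """What does a client that expects SSH find on host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(64)      # an SSH server sends "SSH-2.0-..." first
            except OSError:              # timed out or reset: nothing was offered
                banner = b""
    except ConnectionRefusedError:
        return "nothing listening"
    except socket.timeout:
        return "no reply (filtered)"
    return "ssh" if banner.startswith(b"SSH-") else "listening, wrong service"

def demo():
    ssh_port = start_listener(b"SSH-2.0-toy_example\r\n")   # hypothetical banner
    web_port = start_listener()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))           # reserve a port number, then free it
    closed_port = tmp.getsockname()[1]
    tmp.close()
    ports = {"ssh": ssh_port, "web": web_port, "closed": closed_port}
    return {name: check_ssh("127.0.0.1", p) for name, p in ports.items()}
```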
 mratlboy
join:2009-07-07 Norman, OK
| reply to mratlboy lol...thanks for the reassurance - I do run fully patched with virus/spyware detection and of course the router - just freaked when I saw so many blocked conx requests. But since it seems to be standard nowadays, I'll keep the foil for a later day  |
|
  DivineDark
join:2001-08-30 Oklahoma City, OK clubs: 2 edits | reply to mratlboy I do not not wish to post |
|