Logs can be a PITA to understand. Ingress traffic on the WAN port with no
corresponding "ESTABLISHED" connection could be noise, attacks, or residual
requested traffic to timed-out established connections. By the same token, you have
to know what was ALLOWed to decide if a DENY means unsolicited traffic. The key is
which interface (WAN or LAN) the packet entered on; LAN traffic should be ignored to
improve the log SNR (normal LAN vs unusual WAN traffic) unless you suspect egress
leakage.
Nothing short of decent logging software is worth using to decipher logs, since flat
files just don't give the same level of flexibility. LinkLogger is a damn good logger,
if only Blake would open up access to the database or at least let the user point to
their own data for offline analysis. He won't, since it's part of the copy protection,
which hobbles a great analysis tool for those of us looking to use Syslog to collect
the data and LinkLogger to analyze it.
Lastly, I won't use any router I can't load DD-WRT on, since stock firmwares leave so
much to be desired.
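Added worked example (not from the thread, and not code from LinkLogger or DD-WRT): a small Python triage script that applies the reasoning above to netfilter-style LOG lines collected over syslog. It assumes the router logs in the standard kernel format (IN=... SRC=... DPT=... SYN) with an ACCEPT/DROP log prefix, that the WAN interface is named vlan2 and the LAN bridge br0 (both assumptions; adjust to your firmware), and the sample lines are constructed, reusing the remote host, the source-port range and the destination ports Duncan reports further down in the thread. It separates WAN-ingress drops that match the reply half of something you ALLOWed out (or that carry ACK, i.e. claim to belong to an existing conversation) from SYN-only knocks with no prior flow, and keeps LAN-originated drops in their own bucket so they only surface when you are hunting egress leakage.

```python
"""Triage router firewall drops pulled off syslog (added example, not thread code).

Assumptions: netfilter LOG format with an ACCEPT/DROP prefix, WAN interface
"vlan2", LAN bridge "br0". SAMPLE_LOG below is constructed, not a real capture;
203.0.113.5 stands in for the router's public address.
"""
import re
from collections import Counter, defaultdict

WAN_IF = "vlan2"   # assumption: typical DD-WRT WAN interface name
LAN_IF = "br0"     # assumption: typical DD-WRT LAN bridge name
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"

# Constructed sample lines: one allowed outbound HTTPS flow, seven SYN knocks
# from the host Duncan names on the ports he lists, two late packets, and one
# LAN host trying to reach IRC (6667) on the WAN side.
SAMPLE_LOG = f"""\
Nov 15 07:59:00 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.10 DST=74.125.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=100 DF PROTO=TCP SPT=52211 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Nov 15 08:01:02 router kernel: DROP IN=vlan2 OUT= {MAC} SRC=68.169.188.189 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=34567 DF PROTO=TCP SPT=49347 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 15 08:01:03 router kernel: DROP IN=vlan2 OUT= {MAC} SRC=68.169.188.189 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=34568 DF PROTO=TCP SPT=49351 DPT=81 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 15 08:01:03 router kernel: DROP IN=vlan2 OUT= {MAC} SRC=68.169.188.189 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=34569 DF PROTO=TCP SPT=50200 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 15 08:01:04 router kernel: DROP IN=vlan2 OUT= {MAC} SRC=68.169.188.189 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=34570 DF PROTO=TCP SPT=55555 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 15 08:01:04 router kernel: DROP IN=vlan2 OUT= {MAC} SRC=68.169.188.189 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=34571 DF PROTO=TCP SPT=60000 DPT=515 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 15 08:01:05 router kernel: DROP IN=vlan2 OUT= {MAC} SRC=68.169.188.189 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=34572 DF PROTO=TCP SPT=61234 DPT=2191 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 15 08:01:05 router kernel: DROP IN=vlan2 OUT= {MAC} SRC=68.169.188.189 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=34573 DF PROTO=TCP SPT=64216 DPT=9100 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 15 08:05:10 router kernel: DROP IN=vlan2 OUT= {MAC} SRC=74.125.0.1 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=52211 WINDOW=0 RES=0x00 ACK FIN URGP=0
Nov 15 08:06:00 router kernel: DROP IN=vlan2 OUT= {MAC} SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=7 DF PROTO=TCP SPT=22 DPT=40001 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 15 08:07:00 router kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40100 DPT=6667 WINDOW=14600 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return {'verdict', 'flags', and every KEY=value field} or None if not a LOG line."""
    m = re.search(r"kernel:\s+(.*?)\s*(IN=.*)$", line)
    if not m:
        return None
    rec = {"verdict": m.group(1), "flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec.setdefault(key, val)       # keep the first value if a key repeats
        elif tok in TCP_FLAGS:              # flags are bare tokens; "DF" is ignored
            rec["flags"].add(tok)
    return rec


def triage(log_text, wan_if=WAN_IF, lan_if=LAN_IF):
    """Bucket drops by where the packet entered and whether it could be a late reply.

    residual    : WAN drop that is the reply half of a flow we ACCEPTed out, or any
                  TCP segment carrying ACK (claims an existing conversation; the
                  router's state table has usually just aged the flow out)
    unsolicited : WAN drop that is a bare SYN with no prior allowed flow (probe/scan)
    egress      : LAN -> WAN drop, i.e. something inside trying to get out
    other       : everything else (non-TCP on WAN, odd flag combinations, LAN noise)
    """
    allowed = set()              # (remote ip, remote port, our port) of flows let out
    counts = Counter()
    probes = defaultdict(set)    # remote ip -> destination ports it knocked on
    egress = []                  # (lan host, remote ip, remote port)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["verdict"] == "ACCEPT":
            if rec.get("IN") == lan_if and rec.get("OUT") == wan_if:
                # NAT caveat: if the router rewrites the source port, the reply's
                # DPT will not match and the flow is only caught by the ACK rule.
                allowed.add((rec["DST"], rec.get("DPT"), rec.get("SPT")))
            continue
        if rec["verdict"] != "DROP":
            continue
        if rec.get("IN") == wan_if:
            if rec.get("PROTO") != "TCP":
                counts["other"] += 1
            elif (rec["SRC"], rec.get("SPT"), rec.get("DPT")) in allowed or "ACK" in rec["flags"]:
                counts["residual"] += 1
            elif "SYN" in rec["flags"]:
                counts["unsolicited"] += 1
                probes[rec["SRC"]].add(int(rec["DPT"]))
            else:
                counts["other"] += 1
        elif rec.get("IN") == lan_if and rec.get("OUT") == wan_if:
            counts["egress"] += 1
            egress.append((rec["SRC"], rec["DST"], int(rec["DPT"])))
        else:
            counts["other"] += 1
    return {"counts": dict(counts),
            "probes": {ip: sorted(ports) for ip, ports in probes.items()},
            "egress": egress}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("drops by category:", result["counts"])
    for ip, ports in result["probes"].items():
        print(f"unsolicited SYNs from {ip} to ports {ports}")
    for host, dst, port in result["egress"]:
        print(f"egress attempt: {host} -> {dst}:{port}")
```

Two caveats worth keeping in mind when reading the buckets: an ACK scan (which sends ACK-only segments on purpose) lands in "residual", so a single source producing many "residual" hits on ports you never talk to is still worth a look; and the "allowed" matching only works if the ACCEPT lines are logged on the same router, over the same period, as the DROPs.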
On 11/15/2010 8:32 AM, DSinc wrote:
Harry,
Thanks. Your reply now further clouds my investigation. I can see from the dlink
forum thread that the "Advanced DNS Service" of my router auto-magically locks in
the 204 DNS addresses. Perhaps these may be semi-private DNS addresses granted to
dlink from 302 Direct Media LLC. I also see the linkage between OpenDNS and its
parent Direct Media LLC. This confusion will have to wait. I have disabled the
"Advanced DNS Service" in my router and redirected back to my local DNS servers.
Your second share is more bothersome. Thanks for the info. I suppose I need to get a
better IP tracer app. I use NeoTrace v3.25. Whoever/whatever this server is, I do
feel I am being chronically probed. Luckily the router is fully blocking the
requests ATM.
I log these connection requests from "their" servers' port range of ~49347-64216.
My docs indicate that these are "Dynamic and/or Private ports."
The connection requests always try my ports:
80, HTTP
81, Host2 Name Server
139, NetBIOS Session Service
443, HTTP protocol over TLS/SSL
515, Printer Spooler
2191, TvBus Messaging
9100, Printer PDL Data Stream
I can sorta understand the first 4 because I would use these normally for browsing
and email. The 2191 may be because my ISP offers TV via their fiber network. I do
not do TV yet! The 515 and 9100 will need some more local research; I suspect this
may be my Brother network printer. It has a very confusing and badly documented
print server. ATM, I will accept these 2 as just plain MY BAD. LOL!
I will continue to study my router's docs to find out if I can just block the
"local" IP addy. The DGL4500 seems to hide this feature really well. I may bring my
older DGL4300 router back online. It has a direct selection for blocking
(black-listing) IP addresses. :)
Thanks,
Duncan
On 11/15/2010 01:36, Harry McGregor wrote:
On 11/14/10 4:56 PM, DSinc wrote:
Josh,
Understand, but the router's log file (weekly) is quite large
(220KB). If you would like a look, I can try and copy a portion into
an off-list email to you.
The router is set for DHCP on the WAN side. And, initially used the
ISP's local dedicated DNS Servers. Since I changed the DNS selection
to "Dynamic", the DNS windows are grayed out and now show DNS servers
I trace to ATT......
204.194.234.200 (p)
204.194.232.200 (s)
Those are not ATT DNS servers; almost anything ATT is in 12.0.0.0/8.
A whois on the IP addresses:
OrgName: 302 Direct Media LLC
OrgId: DIREC-107
Address: 548 Market St #25810
City: San Francisco
StateProv: CA
PostalCode: 94104
Country: US
Now, from a BGP perspective, they get transit from Level3 and ATT
(http://www.robtex.com/as/as30607.html)
I don't think these are coming from your ISP, read this page:
http://forums.dlink.com/index.php?topic=5064.0
As to host-68-169-188-189.mapoltl.epb.com, that seems to be unrelated;
it's a virtual server in a colo in LA, and has a ton of domains on it,
and could be scanning you, or trying to infect you with malware, no real
clue on it.
Harry
Still confused,
Duncan
On 11/14/2010 03:02, Josh MacCraw wrote:
Port addresses would be helpful in determining what the traffic is.
Your router should be in DHCP mode for the WAN, which will in turn give
you the valid DNS servers for your ISP.
On 11/12/2010 9:27 AM, DSinc wrote:
I have a new ISP (epbfi.com?). They have their own DNS servers:
66.18.32.2 (p)
66.18.32.3 (s)
My router is a DLink DGL4500; so I set it to point to the ISP's DNS
servers.
I am trying to figure out why my router is being hammered by another
server of my ISP. I say hammered because my router's log file fills up
with [info] listings of blocked requests from another ISP server to my
assigned IP addy. The server is:
host-68-169-188-189.mapoltl.epb.com
Yes, I could just deselect [info] objects from my router's log file.
I've spoken to the tech support staff. They tell me I am getting
"reverse DNS routing" stuff. I was told to remove my router's dedicated
DNS assigns and set my router to "dynamic." I think I have done this.
<snip>