Josh,
I think I understand your basics. I do not use/have/follow them. My bad. I read my router's log files every so often and react accordingly. I can only begin at what my router gives me ATM.
So now I should know so much more. I do not. I ask the List!
I think I have a plan. Just need to figure out how to do it........... :)

Understand the DD-WRT stance. I do not know enough about it to play, yet! I still do "run-whatcha-brung" ATM. No wireless at my crib!
Best,
Duncan


On 11/15/2010 22:02, Josh MacCraw wrote:
Logs can be a PITA to understand. Ingress traffic on the WAN port with no corresponding "ESTABLISHED" connection could be noise, attacks, or residual requested traffic to timed out established connections. By the same token you have to know what was ALLOW to decide if DENY means unsolicited traffic. The key is which interface (WAN or LAN) the packet entered on; LAN traffic should be ignored to limit the log SNR (normal LAN vs unusual WAN traffic) unless you suspect egress leakage.

Nothing short of decent logging software is worth using to decipher logs since flat files just don't give the same level of flexibility. LinkLogger is a damn good logger if only Blake would open up access to the database or at least let the user point to their own data for offline analysis. He won't since it's part of the copy protection, which hobbles a great analysis tool for those of us looking to use Syslog to collect the data and LinkLogger to analyze it.

Lastly I won't use any router I can't load DD-WRT on since stock firmwares leave so much to be desired.

On 11/15/2010 8:32 AM, DSinc wrote:
Harry,
Thanks. Your reply now further clouds my investigation. I can see from the dlink forum thread that the "Advanced DNS Service" of my router auto-magically locks in the 204 DNS addresses. Perhaps these may be semi-private DNS addresses granted to dlink from 302 Direct Media LLC. I also see the linkage between OpenDNS and its parent Direct Media LLC. This confusion will have to wait. I have disabled the "Advanced DNS Service" in my router and redirected back to my local DNS servers.

Your second share is more bothersome. Thanks for the info. I suppose I need to get a better IP tracer app. I use NeoTrace v3.25. Whoever/Whatever this server is, I do feel I am being chronically probed. Luckily the router is fully blocking the requests ATM.

I log these connection requests from "their" servers port range of ~49347-64216. My docs indicate that these are "Dynamic and/or Private ports."

The connection requests always try my ports:
80, HTTP
81, Host2 Name Server
139, NetBios Session Service
443, HTTP protocol over TLS/SSL
515, Printer Spooler
2191, TvBus Messaging
9100, Printer PDL Data Stream
I can sorta understand the first 4 because I would use these normally for browsing and email. The 2191 may be because my ISP offers TV via their fiber network. I do not do TV yet! The 515 and 9100 will need some more local research; suspect this may be my Brother network printer. It has a very confusing and badly documented print server. ATM, I will accept these 2 as just plain MY BAD. LOL!

I will continue to study my router's docs to find out if I can just block the "local" ip addy. The DGL4500 seems to hide this feature really well. I may bring my older DGL4300 router back online. It has a direct selection for blocking (black-listing) ip addresses.......... :)
Thanks,
Duncan
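An added example, not code from any poster: a small Python triage that applies Josh's WAN-ingress rules (ignore LAN, separate ALLOW from DENY, treat an ephemeral source port hitting a service port as an unsolicited probe) to firewall log lines and tallies which ports each outside host keeps trying, as in the 49347-64216 source range and port list above. The log line layout and the sample lines are constructed, not the DGL4500's actual format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines; the field layout is an assumption, not the
# DGL4500's real log format.
SAMPLE_LOG = """\
Nov 15 08:01:02 DENY in=WAN proto=TCP src=68.169.188.189:49347 dst=10.0.0.5:80
Nov 15 08:01:03 DENY in=WAN proto=TCP src=68.169.188.189:51200 dst=10.0.0.5:139
Nov 15 08:01:04 DENY in=WAN proto=TCP src=68.169.188.189:64216 dst=10.0.0.5:9100
Nov 15 08:01:05 ALLOW in=WAN proto=UDP src=66.18.32.2:53 dst=10.0.0.5:41022
Nov 15 08:01:06 DENY in=LAN proto=UDP src=192.168.0.10:5353 dst=224.0.0.251:5353
Nov 15 08:01:07 DENY in=WAN proto=TCP src=203.0.113.9:443 dst=10.0.0.5:55555
"""

LINE_RE = re.compile(
    r"(?P<action>ALLOW|DENY) in=(?P<iface>\w+) proto=\w+ "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=[\d.]+:(?P<dport>\d+)")
DYNAMIC_START = 49152  # IANA dynamic/private range; covers the ~49347-64216 above

def parse(log_text):
    """Yield one dict per recognisable log line; other lines are skipped."""
    for m in filter(None, map(LINE_RE.search, log_text.splitlines())):
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        yield e

def classify(e):
    """Apply the WAN-ingress rules from Josh's message."""
    if e["iface"] != "WAN":
        return "lan-noise"            # ignore unless chasing egress leakage
    if e["action"] == "ALLOW":
        return "allowed"              # we asked for it, or a rule permits it
    if e["sport"] >= DYNAMIC_START and e["dport"] < DYNAMIC_START:
        return "unsolicited-probe"    # ephemeral source port -> service port
    if e["sport"] < 1024 and e["dport"] >= DYNAMIC_START:
        return "possible-residual"    # late reply to a timed-out session
    return "unclassified"

def triage(log_text):
    """Return (label counts, {probing src IP: Counter of target ports})."""
    counts, probes = Counter(), defaultdict(Counter)
    for e in parse(log_text):
        label = classify(e)
        counts[label] += 1
        if label == "unsolicited-probe":
            probes[e["src"]][e["dport"]] += 1
    return counts, probes
```

Call `triage(SAMPLE_LOG)` (or feed it the syslog text your router exports) and the second value lists, per outside host, the ports it keeps knocking on, which is the list worth taking to the ISP or a block rule.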



On 11/15/2010 01:36, Harry McGregor wrote:
On 11/14/10 4:56 PM, DSinc wrote:
Josh,
Understand, but the router's log file (weekly) is quite large
(220KB). If you would like a look, I can try and copy a portion into
an off-list email to you.

The router is set for DHCP on the WAN side. And, initially used the
ISP's local dedicated DNS Servers. Since I changed the DNS selection
to "Dynamic", the DNS windows are grayed out and now show DNS servers
I trace to ATT......
204.194.234.200 (p)
204.194.232.200 (s)
Those are not ATT DNS servers, almost anything ATT is 12.0.0.0/8

A whois on the IP addresses:

OrgName: 302 Direct Media LLC
OrgId: DIREC-107
Address: 548 Market St #25810
City: San Francisco
StateProv: CA
PostalCode: 94104
Country: US

Now, from a BGP perspective, they get transit from Level3 and ATT
(http://www.robtex.com/as/as30607.html)

I don't think these are coming from your ISP, read this page:
http://forums.dlink.com/index.php?topic=5064.0

As to host-68-169-188-189.mapoltl.epb.com, that seems to be unrelated; it's a virtual server in a colo in LA, and has a ton of domains on it, and could be scanning you, or trying to infect you with malware, no real clue on it.

Harry

Still confused,
Duncan


On 11/14/2010 03:02, Josh MacCraw wrote:
Port addresses would be helpful in determining what the traffic is.

Your router should be in DHCP mode for the WAN which will in turn give
you the valid DNS servers for your ISP.


On 11/12/2010 9:27 AM, DSinc wrote:
I have a new ISP (epbfi.com?). They have their own DNS servers:
66.18.32.2 (p)
66.18.32.3 (s)

My router is a DLink DGL4500; so I set it to point to the ISP's DNS
servers.

I am trying to figure out why my router is being hammered by another server of my ISP. I say hammered because my router's log file fills up with [info] listings of blocked requests from another ISP server to my assigned IP addy. The server is:
host-68-169-188-189.mapoltl.epb.com

Yes, I could just deselect [info] objects from my router's log file.

I've spoken to the tech support staff. They tell me I am getting "reverse DNS routing" stuff. I was told to remove my router's dedicated DNS assigns and set my router to "dynamic." I think I have done this.
<snip>



