Re: Arcane messages from router

2012-01-31 Thread Ray Forma
Ronda,

thanks for the info and the link to the very interesting article. Also, the 
article at http://en.wikipedia.org/wiki/Operation_Aurora makes me feel better 
about using a Mac, and a non-Microsoft browser.

On 31/01/2012, at 11:24 AM, Ronda Brown wrote:

 Hi Ray,
 
 Yes, I had noticed that the IP Address is from China. 
 
 From what I understand these are automated port scans and are unfortunately 
 quite routine. 
 They are not directed at you specifically but rather at the entire network 
 segment which you share with other subscribers. 
 The hackers are looking for weakly secured, exposed services and hosts that 
 they can intrude and commandeer to mount further attacks.
 
 Your router drops this traffic on the floor in its default configuration 
 rendering it effectively harmless to you, unless you have configured it to 
 expose hosts or services to the wide area network. 
 
 There is no meaningful network performance impact. The packet traffic is 
 dropped and it's small compared to the background or your actual legitimate 
 browsing activity.
 
 Your Router is doing its job and Denial of Service (DoS) attack prevention 
 averts potential threats by scanning incoming traffic.  The Router is 
 informing you of the attempts via email messages which you have set in your 
 Router. 
 
 Most people aren’t even aware of these attempts, unless they have the alert 
 email messages set on their Router.
 I did have my (since replaced) Netgear DG834G V4 alert me of such attempts, 
 but don’t on my new Netgear. 
 I don’t feel the need to be alerted all the time, I have my firewall on and 
 WPA2 Personal security.
 
 As I mentioned before, as long as you have your wireless network protected 
 with WPA2, and Firewall ON on your Macs, I would not worry about it.
 
 Have a look here: 
 http://www.scottbrownconsulting.com/2010/02/network-attackers-where-in-the-world-3/
 China is the highest ;-)
 
 Cheers,
 Ronni


Regards,

Ray Forma
Mob +61 (0) 428 596938

-- The WA Macintosh User Group Mailing List --
Archives - http://www.wamug.org.au/mailinglist/archives.shtml
Guidelines - http://www.wamug.org.au/mailinglist/guidelines.shtml
Settings & Unsubscribe - http://lists.wamug.org.au/listinfo/wamug.org.au-wamug


Re: Arcane messages from router

2012-01-30 Thread Ronda Brown
Hi Ray,

Have you been using a P2P (peer to peer) type application e.g. torrents, or 
file sharing application?
When the application is closed you may well see the router firewall kick in by 
blocking access since the application is no longer running to accept the 
connection. 

As long as you have WPA2 security on your Wireless Network I don’t think you 
need worry about these messages.

Cheers,
Ronni

17 MacBook Pro 2.3GHz Quad-Core i7 “Thunderbolt
2.3GHz / 8GB / 750GB @ 7200rpm HD

OS X 10.7.2 Lion
Windows 7 Ultimate (under sufferance)

On 30/01/2012, at 9:55 AM, Ray Forma wrote:

 My NETGEAR DG834G router is starting to send me lots of emailed messages 
 similar to the following:
 
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,6588 - 
 [DOS]
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,7212 - 
 [DOS]
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,5390 - 
 [DOS]
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,8080 - 
 [DOS]
 TCP Packet - Source:58.218.199.147,12200 Destination:59.100.232.231,8008 - 
 [DOS]
 
 Occasionally there is a message that ends with [Port Scan] instead of [DOS]
 
 Are these notifications of 'Denial Of Service' attacks?
 
 My Mac is not serving anything to the Internet.
 
 If so, is there anything I should do besides making sure I have a firewall in 
 place?
 
 Regards,
 
 Ray Forma
 Mob +61 (0) 428 596938
 


Re: Arcane messages from router

2012-01-30 Thread Ray Forma
Ronda,

I have never used torrent or file-sharing apps, and have WPA2 security set on 
my Wireless Network.

I have since done a Whois on the IP address of the source, and it gave me the 
following interesting info:

netname:CHINANET-JS
descr:  CHINANET jiangsu province network
descr:  China Telecom
address:260 Zhongyang Road,Nanjing 210037
country:CN
phone:  +86-25-86588231
phone:  +86-25-86588745
fax-no: +86-25-86588104
e-mail: i...@jsinfo.net
remarks:send anti-spam reports to s...@jsinfo.net
remarks:send abuse reports to ab...@jsinfo.net

Is this an example of China's trainee electronic warfare students doing their 
homework?

Do any other Wamuggers who have their router set to provide notification of DNS 
packets and Port Scans get similar attacks, or are these things sliding past 
most users' radars?

On 31/01/2012, at 9:15 AM, Ronda Brown wrote:

 Hi Ray,
 
 Have you been using a P2P (peer to peer) type application e.g. torrents, or 
 file sharing application?
 When the application is closed you may well see the router firewall kick in 
 by blocking access since the application is no longer running to accept the 
 connection. 
 
 As long as you have WPA2 security on your Wireless Network I don’t think you 
 need worry about these messages.
 
 Cheers,
 Ronni
 
 17 MacBook Pro 2.3GHz Quad-Core i7 “Thunderbolt
 2.3GHz / 8GB / 750GB @ 7200rpm HD
 
 OS X 10.7.2 Lion
 Windows 7 Ultimate (under sufferance)
 
 On 30/01/2012, at 9:55 AM, Ray Forma wrote:
 
 My NETGEAR DG834G router is starting to send me lots of emailed messages 
 similar to the following:
 
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,6588 - 
 [DOS]
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,7212 - 
 [DOS]
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,5390 - 
 [DOS]
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,8080 - 
 [DOS]
 TCP Packet - Source:58.218.199.147,12200 Destination:59.100.232.231,8008 - 
 [DOS]
 
 Occasionally there is a message that ends with [Port Scan] instead of [DOS]
 
 Are these notifications of 'Denial Of Service' attacks?
 
 My Mac is not serving anything to the Internet.
 
 If so, is there anything I should do besides making sure I have a firewall 
 in place?
 
 Regards,
 
 Ray Forma
 Mob +61 (0) 428 596938


Regards,

Ray Forma
Mob +61 (0) 428 596938



Re: Arcane messages from router

2012-01-30 Thread Ronda Brown
Hi Ray,

Yes, I had noticed that the IP Address is from China. 

From what I understand these are automated port scans and are unfortunately 
quite routine. 
They are not directed at you specifically but rather at the entire network 
segment which you share with other subscribers. 
The hackers are looking for weakly secured, exposed services and hosts that 
they can intrude and commandeer to mount further attacks.

Your router drops this traffic on the floor in its default configuration 
rendering it effectively harmless to you, unless you have configured it to 
expose hosts or services to the wide area network. 

There is no meaningful network performance impact. The packet traffic is 
dropped and it's small compared to the background or your actual legitimate 
browsing activity.

Your Router is doing its job and Denial of Service (DoS) attack prevention 
averts potential threats by scanning incoming traffic.  The Router is informing 
you of the attempts via email messages which you have set in your Router. 

Most people aren’t even aware of these attempts, unless they have the alert 
email messages set on their Router.
I did have my (since replaced) Netgear DG834G V4 alert me of such attempts, but 
don’t on my new Netgear. 
I don’t feel the need to be alerted all the time, I have my firewall on and 
WPA2 Personal security.

As I mentioned before, as long as you have your wireless network protected with 
WPA2, and Firewall ON on your Macs, I would not worry about it.

Have a look here: 
http://www.scottbrownconsulting.com/2010/02/network-attackers-where-in-the-world-3/
China is the highest ;-)

Cheers,
Ronni

On 31/01/2012, at 10:52 AM, Ray Forma wrote:

 Ronda,
 
 I have never used torrent or file-sharing apps, and have WPA2 security set on 
 my Wireless Network.
 
 I have since done a Whois on the IP address of the source, and it gave me the 
 following interesting info:
 
 netname:CHINANET-JS
 descr:  CHINANET jiangsu province network
 descr:  China Telecom
 address:260 Zhongyang Road,Nanjing 210037
 country:CN
 phone:  +86-25-86588231
 phone:  +86-25-86588745
 fax-no: +86-25-86588104
 e-mail: i...@jsinfo.net
 remarks:send anti-spam reports to s...@jsinfo.net
 remarks:send abuse reports to ab...@jsinfo.net
 
 Is this an example of China's trainee electronic warfare students doing their 
 homework?
 
 Do any other Wamuggers who have their router set to provide notification of 
 DNS packets and Port Scans get similar attacks, or are these things sliding 
 past most users' radars?
 
 On 31/01/2012, at 9:15 AM, Ronda Brown wrote:
 
 Hi Ray,
 
 Have you been using a P2P (peer to peer) type application e.g. torrents, or 
 file sharing application?
 When the application is closed you may well see the router firewall kick in 
 by blocking access since the application is no longer running to accept the 
 connection. 
 
 As long as you have WPA2 security on your Wireless Network I don’t think you 
 need worry about these messages.
 
 Cheers,
 Ronni
 
 17 MacBook Pro 2.3GHz Quad-Core i7 “Thunderbolt
 2.3GHz / 8GB / 750GB @ 7200rpm HD
 
 OS X 10.7.2 Lion
 Windows 7 Ultimate (under sufferance)
 
 On 30/01/2012, at 9:55 AM, Ray Forma wrote:
 
 My NETGEAR DG834G router is starting to send me lots of emailed messages 
 similar to the following:
 
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,6588 - 
 [DOS]
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,7212 - 
 [DOS]
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,5390 - 
 [DOS]
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,8080 - 
 [DOS]
 TCP Packet - Source:58.218.199.147,12200 Destination:59.100.232.231,8008 - 
 [DOS]
 
 Occasionally there is a message that ends with [Port Scan] instead of [DOS]
 
 Are these notifications of 'Denial Of Service' attacks?
 
 My Mac is not serving anything to the Internet.
 
 If so, is there anything I should do besides making sure I have a firewall 
 in place?
 
 Regards,
 
 Ray Forma
 Mob +61 (0) 428 596938
 
 
 Regards,
 
 Ray Forma
 Mob +61 (0) 428 596938
 



Re: Arcane messages from router

2012-01-30 Thread Peter Meyer
Yes I monitored that stuff for a while and there was a constant stream of it 
from various sources - I turned it off, assuming the router was doing its job 
by detecting the 'attacks'

PM
pete...@amnet.net.au
0408 902 349

On 31/01/2012, at 10:52 AM, Ray Forma wrote:

 Ronda,
 
 I have never used torrent or file-sharing apps, and have WPA2 security set on 
 my Wireless Network.
 
 I have since done a Whois on the IP address of the source, and it gave me the 
 following interesting info:
 
 netname:CHINANET-JS
 descr:  CHINANET jiangsu province network
 descr:  China Telecom
 address:260 Zhongyang Road,Nanjing 210037
 country:CN
 phone:  +86-25-86588231
 phone:  +86-25-86588745
 fax-no: +86-25-86588104
 e-mail: i...@jsinfo.net
 remarks:send anti-spam reports to s...@jsinfo.net
 remarks:send abuse reports to ab...@jsinfo.net
 
 Is this an example of China's trainee electronic warfare students doing their 
 homework?
 
 Do any other Wamuggers who have their router set to provide notification of 
 DNS packets and Port Scans get similar attacks, or are these things sliding 
 past most users' radars?
 
 On 31/01/2012, at 9:15 AM, Ronda Brown wrote:
 
 Hi Ray,
 
 Have you been using a P2P (peer to peer) type application e.g. torrents, or 
 file sharing application?
 When the application is closed you may well see the router firewall kick in 
 by blocking access since the application is no longer running to accept the 
 connection. 
 
 As long as you have WPA2 security on your Wireless Network I don’t think you 
 need worry about these messages.
 
 Cheers,
 Ronni
 
 17 MacBook Pro 2.3GHz Quad-Core i7 “Thunderbolt
 2.3GHz / 8GB / 750GB @ 7200rpm HD
 
 OS X 10.7.2 Lion
 Windows 7 Ultimate (under sufferance)
 
 On 30/01/2012, at 9:55 AM, Ray Forma wrote:
 
 My NETGEAR DG834G router is starting to send me lots of emailed messages 
 similar to the following:
 
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,6588 - 
 [DOS]
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,7212 - 
 [DOS]
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,5390 - 
 [DOS]
 TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,8080 - 
 [DOS]
 TCP Packet - Source:58.218.199.147,12200 Destination:59.100.232.231,8008 - 
 [DOS]
 
 Occasionally there is a message that ends with [Port Scan] instead of [DOS]
 
 Are these notifications of 'Denial Of Service' attacks?
 
 My Mac is not serving anything to the Internet.
 
 If so, is there anything I should do besides making sure I have a firewall 
 in place?
 
 Regards,
 
 Ray Forma
 Mob +61 (0) 428 596938
 
 
 Regards,
 
 Ray Forma
 Mob +61 (0) 428 596938
 


Arcane messages from router

2012-01-29 Thread Ray Forma
My NETGEAR DG834G router is starting to send me lots of emailed messages 
similar to the following:

TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,6588 - [DOS]
TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,7212 - [DOS]
TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,5390 - [DOS]
TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,8080 - [DOS]
TCP Packet - Source:58.218.199.147,12200 Destination:59.100.232.231,8008 - [DOS]

Occasionally there is a message that ends with [Port Scan] instead of [DOS]

Are these notifications of 'Denial Of Service' attacks?

My Mac is not serving anything to the Internet.

If so, is there anything I should do besides making sure I have a firewall in 
place?

Regards,

Ray Forma
Mob +61 (0) 428 596938
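
Added example, not part of the original thread and not Netgear's software: a short Python script that parses router alert lines in the format quoted in this thread and groups them by source /24 network and target address, which shows one network probing several ports on a single address. The regular expression, the function names and the three-port threshold are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# The five alert lines from the thread; the last is wrapped as in the quoted copies.
ALERTS = """\
TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,6588 - [DOS]
TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,7212 - [DOS]
TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,5390 - [DOS]
TCP Packet - Source:58.218.199.227,12200 Destination:59.100.232.231,8080 - [DOS]
TCP Packet - Source:58.218.199.147,12200 Destination:59.100.232.231,8008 -
 [DOS]
"""

# Assumption: every alert follows the layout shown in the thread.
ALERT_RE = re.compile(
    r"(?P<proto>\w+) Packet - Source:(?P<src>[\d.]+),(?P<sport>\d+)\s+"
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+)\s+-\s+\[(?P<tag>[^\]]+)\]"
)

def parse_alerts(text):
    """Return one dict per alert; whitespace matching tolerates wrapped lines."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def summarise(events, min_ports=3):
    """Group alerts by source /24 and target, and flag multi-port probing."""
    groups = defaultdict(lambda: {"sources": set(), "sports": set(), "dports": set()})
    for e in events:
        net = ipaddress.ip_network(e["src"] + "/24", strict=False)
        g = groups[(str(net), e["dst"])]
        g["sources"].add(e["src"])
        g["sports"].add(int(e["sport"]))
        g["dports"].add(int(e["dport"]))
    report = []
    for (net, dst), g in sorted(groups.items()):
        report.append({
            "source_net": net,
            "target": dst,
            "sources": sorted(g["sources"]),
            "source_ports": sorted(g["sports"]),
            "dest_ports": sorted(g["dports"]),
            # Heuristic (assumption): many destination ports from one network = probing.
            "multi_port_probe": len(g["dports"]) >= min_ports,
        })
    return report

if __name__ == "__main__":
    print(summarise(parse_alerts(ALERTS)))
```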
