Geekzone: technology news, blogs, forums
Topic # 223507 3-Oct-2017 03:43

Just trawling through my firewall logs this evening... as ya do... and I noticed a kackload of port scans appearing to be sourced from 202.162.73.2, which resolves to www.trademe.co.nz.


Digging deeper, it turns out I've been getting at least 1000 ports scanned daily from this IP since as far back as Dec 2016!


The scans are of seemingly random ports appearing to range from 1024 to 65536, some of which are repeat scans on the same ports.


 


Has anyone seen anything like this before?  I'll probably report this to Trademe as to my eye this looks like a compromised host, but I figured I'd run it past you guys first in case anyone can think of another explanation.


 


All reasonable hypotheses considered!



  Reply # 1880528 10-Oct-2017 18:48

Anyone?



  Reply # 1880530 10-Oct-2017 18:55

To be honest I don't think it is a "port scan" as such. Many firewalls will alert "portscan" for normal activity.





Michael Murphy | https://murfy.nz





  Reply # 1880533 10-Oct-2017 18:59

 Naa, this IP is attempting to connect to thousands of ports, I can see the individual attempts in my firewall activity reports.



  Reply # 1880674 10-Oct-2017 23:35

I'm assuming that you have a static IP. Any idea what type of packets you are receiving? TCP SYN packets for example? Wild guess is that someone at Trademe is running a VPN client, and they have mistakenly configured your IP as the server address.

 

Note as well that the source IP may be spoofed. So there is a possibility that this might be nothing to do with Trademe.







  Reply # 1880679 10-Oct-2017 23:50

Aredwood:

Note as well that the source IP may be spoofed. So there is a possibility that this might be nothing to do with Trademe.

My suspicions too.

Checking both my VF and Spark connections, no unsolicited traffic from that ip.










  Reply # 1880685 11-Oct-2017 00:06

Aredwood:

I'm assuming that you have a static IP. Any idea what type of packets you are receiving? TCP SYN packets for example? Wild guess is that someone at Trademe is running a VPN client, and they have mistakenly configured your IP as the server address.

Nope, dynamic IP.  Not sure about packet type, but here are the log entries for the last hour.  It sure doesn't look like normal VPN traffic to me!

 

 

2017:10:10-23:41:27 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="44717" tcpflags="RST"
2017:10:10-23:41:27 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="44714" tcpflags="RST"
2017:10:10-23:41:59 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="44775" tcpflags="RST"
2017:10:10-23:41:59 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="44772" tcpflags="RST"
2017:10:10-23:43:03 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="44884" tcpflags="RST"
2017:10:10-23:43:35 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="44932" tcpflags="RST"
2017:10:10-23:44:39 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45025" tcpflags="RST"
2017:10:10-23:44:39 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45023" tcpflags="RST"
2017:10:10-23:45:42 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45115" tcpflags="RST"
2017:10:10-23:46:15 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45159" tcpflags="RST"
2017:10:10-23:46:47 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45198" tcpflags="RST"
2017:10:10-23:46:47 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45196" tcpflags="RST"
2017:10:10-23:47:19 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45259" tcpflags="RST"
2017:10:10-23:47:19 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45257" tcpflags="RST"
2017:10:10-23:48:23 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45362" tcpflags="RST"
2017:10:10-23:48:55 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45403" tcpflags="RST"
2017:10:10-23:49:59 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45502" tcpflags="RST"
2017:10:10-23:50:31 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45565" tcpflags="RST"
2017:10:10-23:51:35 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="45664" tcpflags="RST"

 

 

 

 

Aredwood:

Note as well that the source IP may be spoofed. So there is a possibility that this might be nothing to do with Trademe.

I guess it could be, but I'm not sure why you would run a port scan when you can't see the results...



  Reply # 1883107 13-Oct-2017 18:20

A TTL of 254 means these packets didn't come across the Internet and were probably generated by your upstream NAT Gateway.

 

Two likely scenarios I can think of.

 

1. You've got a firewall rule blocking trademe on that NAT GW and it's set to "reject" rather than "drop". The firewall may spoof a TCP RST (tcpflags="RST" in your trace) in this case.

 

2. The NAT GW is timing out long lived TCP connections from its state table, and sending a helpful TCP reset to the client to let it know the connection will no longer work.

 

 

 

BTW: There is a type of port scan that spoofs the source IP, called a blind or idle port scan. It works even if the attacker doesn't see the response.





  Reply # 1883113 13-Oct-2017 18:35

hashbrown:

A TTL of 254 means these packets didn't come across the Internet and were probably generated by your upstream NAT Gateway.

Well, my upstream VDSL router is forwarding all packets to my firewall so that would explain that.

 

 

 

hashbrown:

Two likely scenarios I can think of.

1. You've got a firewall rule blocking trademe on that NAT GW and it's set to "reject" rather than "drop". The firewall may spoof a TCP RST (tcpflags="RST" in your trace) in this case.

2. The NAT GW is timing out long lived TCP connections from its state table, and sending a helpful TCP reset to the client to let it know the connection will no longer work.

There are no firewall blocking rules of any kind on the NAT GW, it's completely open and forwarding everything to the firewall.

 

Maybe, but that still doesn't explain what's generating the connections in the first place to this massive range of ports?  Plus the source is showing as trademe.

 

Also, this is only showing up as traffic from trademe and no other site.



  Reply # 1883120 13-Oct-2017 19:25

Was anyone behind your firewall browsing trademe during those times in the timestamps?

 

 

What ISP? (this sort of stuff happened in the transparent proxy days)




  Reply # 1883124 13-Oct-2017 19:37

Sure, there's usually some trademe access during the day, but not that consistently and for that long.  These events are happening on a pretty consistent basis (every 30-90 seconds) and for 11-24hrs a day solid.

ISP is 2Degrees.



  Reply # 1883228 14-Oct-2017 02:30

What happens if you get a different dynamic IP?









  Reply # 1883230 14-Oct-2017 03:39

This has been going on since Dec 2016 so it seems to span IPs at least.  I do have a DDNS domain however.

 

I haven't observed it at the time of getting a new IP however.



  Reply # 1883235 14-Oct-2017 07:02

SamF:

Maybe, but that still doesn't explain what's generating the connections in the first place to this massive range of ports?  Plus the source is showing as trademe.

Also, this is only showing up as traffic from trademe and no other site.

There isn't really a maybe here.  Each router decrements the TTL by 1 and the maximum TTL is 255.  For the TTL to be 254, whatever generated those packets is no more than one hop away, i.e. on your network.  Whether or not the source IP is trademe, that packet didn't traverse the Internet.

 

There also isn't a massive range of ports.  The trace indicates these are replies to connections from your network on port 80, the standard web port. Your systems use a new high port for each new connection, which is how TCP works.

 

My guess is something like the trademe mobile app generates long-lived idle connections that your NAT GW is timing out.  If you want more insight, create a firewall rule that logs the detail of all connections outbound to that IP. Then map the source ports of those connections to the destination ports of the TCP resets.  

 

If I were making a longer list of scenarios here, your network being used to hack trademe would make more sense than vice-versa.  Trademe hacking you with a long running port scan would sit a couple of entries above "Aliens!".
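Working through hashbrown's two posts above (the TTL bound on hop count, RSTs from a well-known source port landing in the ephemeral range being answers rather than probes, and mapping the source ports of logged outbound connections to the destination ports of the resets), here is an added Python example. It is not code from this thread or from any firewall vendor. The six ulogd lines it parses are the ones SamF posted; the outbound-connection records are constructed for the example, because the thread shows no outbound log and the firewall's format for one is not known, so a bare (time, local ip, local port, remote ip, remote port) tuple stands in for it. The initial-TTL table (32, 64, 128, 255) is the usual set of OS defaults and is an assumption.

```python
import re
from collections import Counter

# Six of the ulogd "Packet dropped" lines quoted in this thread.
DROPPED_LOG = """\
2017:10:10-23:41:27 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="44717" tcpflags="RST"
2017:10:10-23:41:27 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="44714" tcpflags="RST"
2017:10:10-23:41:59 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="44775" tcpflags="RST"
2017:10:10-23:41:59 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="44772" tcpflags="RST"
2017:10:10-23:43:03 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="44884" tcpflags="RST"
2017:10:10-23:43:35 PhatWall ulogd[2812]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:aa:8a:8c:60" dstmac="00:1a:8c:4c:17:c9" srcip="202.162.73.2" dstip="192.168.1.1" proto="6" length="40" tos="0x00" prec="0x00" ttl="254" srcport="80" dstport="44932" tcpflags="RST"
"""

# CONSTRUCTED outbound-connection records standing in for the log that the
# suggested "log all outbound connections to that IP" rule would produce.
# Fields: (time, local ip, local port, remote ip, remote port).  Not a real format.
OUTBOUND = [
    ("2017:10:10-23:36:11", "192.168.1.1", 44714, "202.162.73.2", 80),
    ("2017:10:10-23:36:11", "192.168.1.1", 44717, "202.162.73.2", 80),
    ("2017:10:10-23:36:44", "192.168.1.1", 44772, "202.162.73.2", 80),
    ("2017:10:10-23:36:44", "192.168.1.1", 44775, "202.162.73.2", 80),
    # Same local port as one of the resets but a different remote host:
    # must not be counted as a match.
    ("2017:10:10-23:37:50", "192.168.1.1", 44884, "93.184.216.34", 443),
]

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(line):
    """One ulogd key="value" line -> dict, with the numeric fields as ints."""
    timestamp, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["timestamp"] = timestamp
    for key in ("ttl", "srcport", "dstport", "proto", "length"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    return [parse_ulogd(l) for l in text.splitlines() if l.strip()]


# Initial TTLs used by common IP stacks (assumption: the usual OS defaults).
INITIAL_TTLS = (32, 64, 128, 255)


def max_hops(ttl):
    """Upper bound on routers traversed: distance from the smallest common
    initial TTL that is >= the observed value.  254 -> at most 1 hop."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL out of range: %r" % ttl)


def summarize(recs):
    """The facts that separate a scan from replies to our own connections."""
    flags = Counter(r["tcpflags"] for r in recs)
    return {
        "packets": len(recs),
        "sources": sorted({r["srcip"] for r in recs}),
        "src_ports": sorted({r["srcport"] for r in recs}),
        "distinct_dst_ports": len({r["dstport"] for r in recs}),
        "max_hops": max(max_hops(r["ttl"]) for r in recs),
        "all_rst": flags.get("RST", 0) == len(recs),
        "all_to_ephemeral": all(1024 <= r["dstport"] <= 65535 for r in recs),
    }


def is_reply_traffic(recs):
    """A SYN scan sends SYNs from changing source ports to the ports it probes.
    Pure RSTs from a well-known port into our ephemeral range are answers to
    connections we opened, however many distinct local ports they hit."""
    s = summarize(recs)
    return s["all_rst"] and s["all_to_ephemeral"] and all(p < 1024 for p in s["src_ports"])


def correlate(dropped, outbound):
    """Map each dropped RST to the outbound connection it answers.  The reset's
    (srcip, srcport, dstport) must equal the connection's (remote ip, remote
    port, local port).  Returns (explained, unexplained) lists of local ports."""
    seen = {(rip, rport, lport) for (_t, _lip, lport, rip, rport) in outbound}
    explained, unexplained = [], []
    for r in dropped:
        key = (r["srcip"], r["srcport"], r["dstport"])
        (explained if key in seen else unexplained).append(r["dstport"])
    return explained, unexplained


if __name__ == "__main__":
    recs = parse_log(DROPPED_LOG)
    for k, v in summarize(recs).items():
        print("%-20s %s" % (k, v))
    print("reply traffic, not a scan:", is_reply_traffic(recs))
    explained, unexplained = correlate(recs, OUTBOUND)
    print("resets explained by a logged outbound connection:", explained)
    print("resets with no logged connection:", unexplained)
```

Run as-is it prints the summary for the posted lines (one source, one source port, six distinct local ports, at most one hop, all RST) and marks two of the resets as unexplained because the constructed outbound list has no entry for them. With a real outbound log in place of OUTBOUND, the unexplained ports are the ones worth chasing: either the connection predates the logging rule, or the reset arrived after the firewall's own state for that connection had already expired, which is exactly why it was logged as dropped.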





  Reply # 1883348 14-Oct-2017 12:42

Hmm, yes, you make a very good point.  The TTL is really the key in this case isn't it.

 

Looking at it that way your theory certainly makes sense.  I'm still finding it hard to believe that anything on my side would be initiating that many connections to TM, but I guess as you pointed out, in the ranking of probabilities it's more likely than TM being the source.

 

I'll setup a trace on outgoing connections to TM and see what comes up.

Thanks for taking the time to explain all that, I appreciate it.



  Reply # 1883354 14-Oct-2017 12:54

254 TTL could also be the ISP first hop... so it could be your ISP sending you unsolicited traffic?

 

 

I agree though it is more likely something your end or false positive with Trademe's TCP setup.
