biob Posted December 22, 2018
Hi guys and girls, I'm getting increasingly worried about the web facing side of my network 😔 I've recently seen it getting port scanned by a device that shouldn't be there (only one device should be there). I'm double NAT'd with the ISP router and my own. I've recently bought an EdgeRouter, but I'm worried about configuring the firewall wrong. Can someone please advise? I want to keep my family safe.

digininja Posted December 22, 2018
Give us more information. What do you mean by a device that shouldn't be there? Where is it and how do you know it is scanning you? When you say web facing, do you mean internet facing?

biob Posted December 22, 2018
Hi digininja, sorry, yes, I meant internet facing. The first router (ISP device, WiFi is disabled) in the chain only has one client connected (my router, WiFi enabled, and internal devices connect to this). For example, let's say my router was 10.4.4.2 and the ISP router is the gateway (10.4.4.1). My router was being port scanned from 10.4.4.77; this showed up in my router's logs (IP scheme is for demonstration purposes). I've also seen a couple of port scans on my router from external IPs, and when I investigated, my ISP router had been reset to factory default (this concerned me).

biob Posted December 22, 2018
I should mention that when I saw it in the logs I pinged it and did a basic port scan on my phone. It was still there and port 53 was open on it. I started up my laptop and then used nmap, and the device stopped responding. I tried on my phone again and it wasn't there anymore.

biob Posted December 22, 2018
I think the scan on my phone is giving a false positive... I can scan other IPs in that range and I'm getting the same results 🤔

biob Posted December 22, 2018
One example of the log:
DoS attack:FIN Scan (1) attack packets from 216.58.204.34
The internal one was:
DoS attack:ACK Scan (1) attack packets from 10.4.4.77

digininja Posted December 22, 2018
Don't worry about the external stuff, any box on the internet is getting hit like that all the time.
For the internal, I assume the ISP modem is plugged directly into your firewall box with a cable and that there is nothing else connected between them, and all the rest of the boxes are on the other side of your internal box. Are you using a different subnet for the internal network? i.e. not 10.4.4.0/24?
Where are you seeing the alerts? Is it on your router or on another box? What is the router? Is it something you can trust to give good information or a cheap box that may just have bugs and be misrepresenting the information?

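An added example, not part of any post in the thread: a small triage script that separates the external scan entries (background noise, per the reply above) from entries sourced inside the transit subnet between the two routers, where only two hosts should exist. The log wording is the one quoted in the thread, the addresses are the poster's demonstration scheme, and the names `TRANSIT_NET`, `EXPECTED_HOSTS`, `classify` and `triage` are hypothetical.

```python
import ipaddress
import re

# Assumed from the poster's demonstration addressing scheme.
TRANSIT_NET = ipaddress.ip_network("10.4.4.0/24")      # link between the two routers
EXPECTED_HOSTS = {ipaddress.ip_address("10.4.4.1"),    # ISP router (gateway)
                  ipaddress.ip_address("10.4.4.2")}    # own router, WAN side

# Constructed sample lines in the wording quoted in the thread. The second line
# carries a non-breaking space, as copied log text sometimes does.
SAMPLE_LOG = (
    "DoS attack:FIN Scan (1) attack packets from 216.58.204.34\n"
    "DoS attack:ACK\u00a0Scan (1) attack packets from 10.4.4.77\n"
    "DoS attack:ACK Scan (3) attack packets from 10.4.4.1\n"
    "some unrelated log line\n"
)

LINE_RE = re.compile(
    r"DoS attack:\s*(?P<kind>[A-Z]+)\s+Scan\s+\((?P<count>\d+)\)\s+"
    r"attack packets from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

def classify(src):
    """Label a source address relative to the transit subnet."""
    if src in EXPECTED_HOSTS:
        return "expected-transit-host"
    if src in TRANSIT_NET:
        return "unexpected-transit-host"   # the case worth investigating
    if src.is_private:
        return "other-private"
    return "external"

def triage(log_text):
    """Return (scan kind, packet count, source, label) for each scan entry."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:                 # e.g. an octet above 255
            continue
        results.append((m["kind"], int(m["count"]), str(src), classify(src)))
    return results

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```
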
biob Posted December 22, 2018
I have the ISP box in router mode (first layer of NAT) connected to the second router (internal network, different subnet). There is an RJ45 connection between both routers with nothing in between. My router is a Netgear Nighthawk and doesn't have a lot of control options. SPI is turned on, on both routers, and I've also set it up to block ports that have no reason to leave my network. I'm seeing the alerts in the Nighthawk logs.

Internet
ISP router/modem (NAT) (first subnet)
My router (NAT) (2nd subnet, Nighthawk)
My network

digininja Posted December 22, 2018
To hit that IP address, have you tried plugging in on the modem to nighthawk connection?

Bigbiz Posted December 23, 2018
Maybe you have a 5GHz ISP router/modem but your devices aren't picking it up because they don't support 5GHz networks?

digininja Posted December 23, 2018
He said he had turned WiFi off on the ISP device. Anything on his device should be getting an IP from the client side which wouldn't be on that subnet.

biob Posted December 23, 2018
I've stuck a Packet Squirrel in between the ISP router and mine. Turned all my clients off, so I can see what was going through last night. But I have nothing in the router logs for last night 🤔