Networking Forums

Confusing routers attack report

 
 
Genaral Failure
      12-21-2004, 09:06 AM
Hi,
my DSL router (Zyxel) gives me attack reports like the following:

No. Time Source IP Destination IP Note
1|18:56:24 |192.168.26.205:1199 |80.85.194.225:80 |ATTACK ports scan TCP
2|18:56:24 |192.168.26.205:1198 |80.85.194.225:80 |ATTACK ports scan TCP
3|18:56:24 |192.168.26.205:1197 |80.85.194.225:80 |ATTACK ports scan TCP
....
What confuses me is that according to the report the "Source IP" is
the one that gets scanned. The "Source IP" is a machine inside our LAN. The
"Destination IP" is mostly not suspicious, e.g. the IP of well-known online
magazines; sometimes it belongs to dial-up machines. The router's firewall
is configured to block all calls from the outside to the LAN and to let
pass only explicitly named services from the inside to the outside.
Am I misinterpreting the report?
G.F.
 
k
      12-21-2004, 04:42 PM
Genaral Failure wrote:

> Hi,
> my DSL router (Zyxel) gives me attack reports like the following:
>
> No. Time Source IP Destination IP Note
> 1|18:56:24 |192.168.26.205:1199 |80.85.194.225:80 |ATTACK ports scan TCP
> 2|18:56:24 |192.168.26.205:1198 |80.85.194.225:80 |ATTACK ports scan TCP
> 3|18:56:24 |192.168.26.205:1197 |80.85.194.225:80 |ATTACK ports scan TCP
> ...
> What makes me confused is that following to the report the "Source IP" is
> the one that gets scanned. The "Source ID" is a machine inside our lan.
> The "Destination IP" is mostly not suspicious, e.g. IP of well known
> online magazines, sometimes it belongs to dial up machines. The routers
> firewall is configured to block all calls from the outside to the lan and
> to let pass only explicitely named services from the inside to the
> outside. Am I misinterpreting the report?
> G.F.




hmm.. looks like yer firewall is logging the outbound as well as the
inbound. is the firewall an 'application level' firewall? are all
attacks destined for port 80?
 
Jochen Demmer

 
      12-21-2004, 10:54 PM
Hi,

The log is quite unusual because (if it is a NAT router, as I expect) the
device should not care about outgoing traffic as long as you explicitly
forbid outgoing traffic on entered ports.
So I'd try a firmware update first...
What exactly is the device called?

Regards,
Jochen


"Genaral Failure" <(E-Mail Removed)> wrote
> ...
> Am I misinterpreting the report?
> G.F.



 
Genaral Failure

 
      12-22-2004, 07:27 AM
Jochen Demmer wrote:

> Hi,
>
> The log is quite unusual because (if it is a NAT router, as I expect)


Yes, it is.

> the
> device should not care about outgoing traffic as long as you explicitly
> forbid outgoing traffic on entered ports.


So I did. Only needed services (http, smtp, pop, dns and a few more) with
their related ports are allowed.

> So I'd try a firmware update first...
> What exactly is the device called?


It's a Zyxel Prestige 650H-E7. Firmware is up to date.

G.F.
 
Genaral Failure

 
      12-22-2004, 07:35 AM
k wrote:

>
> hmm.. looks like yer firewall is logging the outbound as well as the
> inbound.


That should be OK. See my reply to Jochen Demmer.

> is the firewall an 'application level' firewall?


No, it's simple NAT and packet filtering.

> are all attacks destined for port 80?


Yes. What confuses me is that the ports of the source machine change
sequentially and the destination is always 80. That's not what I usually call a
port scan.
G.F.
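The pattern the thread is puzzling over (a LAN source, a fixed destination port 80, and a source port that steps down by one per row) can be told apart from a real scan mechanically. The following is an added example written for this thread; it is not ZyXEL code and not code posted by any participant. The first four rows are constructed from the format quoted in the first post, the inbound rows with the TEST-NET address 203.0.113.7 are invented so a genuine scan appears for contrast, and the LAN prefix, field names and thresholds are assumptions. It goes beyond the thread in classifying both directions rather than only the outbound case.

```python
"""Classify rows of a Zyxel-style "ATTACK ports scan" report by flow shape.

Added example for this thread, not ZyXEL code and not code posted by any
participant. LAN prefix, field names and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample in the "No.|Time|Source|Destination|Note" layout quoted
# in the first post. Rows 5-8 are invented (TEST-NET address 203.0.113.7)
# so that the classifier also sees a genuine inbound scan for contrast.
SAMPLE_LOG = """\
1|18:56:24 |192.168.26.205:1199 |80.85.194.225:80 |ATTACK ports scan TCP
2|18:56:24 |192.168.26.205:1198 |80.85.194.225:80 |ATTACK ports scan TCP
3|18:56:24 |192.168.26.205:1197 |80.85.194.225:80 |ATTACK ports scan TCP
4|18:56:25 |192.168.26.205:1196 |80.85.194.225:80 |ATTACK ports scan TCP
5|19:02:10 |203.0.113.7:40000 |192.168.26.205:21 |ATTACK ports scan TCP
6|19:02:10 |203.0.113.7:40000 |192.168.26.205:22 |ATTACK ports scan TCP
7|19:02:10 |203.0.113.7:40000 |192.168.26.205:23 |ATTACK ports scan TCP
8|19:02:11 |203.0.113.7:40000 |192.168.26.205:25 |ATTACK ports scan TCP
"""

LAN = ipaddress.ip_network("192.168.26.0/24")  # assumed from the logged host


def parse_row(line):
    """Parse one pipe-delimited row into a dict; reject malformed rows."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    no, time, src, dst, note = fields
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "no": int(no), "time": time, "note": note,
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
    }


def parse_log(text):
    """Parse every non-empty row of a report."""
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def is_consecutive(ports):
    """True when the ports form an unbroken run (ascending or descending)."""
    p = sorted(ports)
    return len(p) > 1 and p[-1] - p[0] == len(p) - 1


def classify(rows):
    """Label each (src_ip, dst_ip) pair by the shape of its port usage.

    outbound-multiconnect: LAN source, a fresh consecutive ephemeral source
        port per row, one destination port. This is what a client opening
        several connections to one server looks like, not a scan.
    inbound-portscan: outside source, one source port, several distinct
        destination ports on a LAN host.
    """
    flows = defaultdict(list)
    for r in rows:
        flows[(r["src_ip"], r["dst_ip"])].append(r)

    labels = {}
    for (src, dst), rs in flows.items():
        src_ports = {r["src_port"] for r in rs}
        dst_ports = {r["dst_port"] for r in rs}
        src_in_lan = ipaddress.ip_address(src) in LAN
        dst_in_lan = ipaddress.ip_address(dst) in LAN
        if (src_in_lan and not dst_in_lan and len(dst_ports) == 1
                and len(src_ports) == len(rs) and is_consecutive(src_ports)):
            labels[(src, dst)] = "outbound-multiconnect"
        elif (dst_in_lan and not src_in_lan and len(src_ports) == 1
                and len(dst_ports) >= 3):  # threshold is an assumption
            labels[(src, dst)] = "inbound-portscan"
        else:
            labels[(src, dst)] = "unclassified"
    return labels


if __name__ == "__main__":
    for (src, dst), label in classify(parse_log(SAMPLE_LOG)).items():
        print(f"{src:>16} -> {dst:<16} {label}")
```

Run against the constructed report, the LAN host's rows come out as outbound-multiconnect and the invented 203.0.113.7 rows as inbound-portscan; the heuristic keys on which side owns the fixed port and which side walks through a run of ports, which is exactly the distinction the router's "ports scan" label blurs.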
 
Jochen Demmer

 
      12-22-2004, 06:50 PM
Hi Again!
Do you know if this logged traffic is caused by yourself or could it be an
unwanted application?
If it is self-caused traffic, as I guess, I wouldn't mind these
log messages, though it's quite confusing.
Maybe you can change some kind of "log level" in the router's configuration.
I got similar problems with a router and the SPI (Stateful Packet
Inspection) feature that even blocked some traffic that should be accepted.
If you have this feature activated I'd try to turn it off (temporarily).
HTH,
Jochen


 
Genaral Failure

 
      12-23-2004, 07:44 AM
Jochen Demmer wrote:

> Hi Again!
> Do you know if this logged traffic is caused by yourself or could it be an
> unwanted application?

Up to now I couldn't identify an application that could cause such traffic.

> .. I got similar problems with a router and the SPI (Stateful
> Packet Inspection) feature that even blocked some traffic that should be
> accepted. If you have this feature activated I'd try to turn it off
> (temporarily). HTH,


It's just a box - cheap but hardcoded. If the router was a Linux machine it
would be easier.
Thank you anyway.
G.F.

 
prg

 
      12-23-2004, 03:56 PM

Genaral Failure wrote:
> Jochen Demmer wrote:
>
> > Hi Again!
> > Do you know if this logged traffic is caused by yourself or could it be an
> > unwanted application?
>
> Up to now I couldn't identify an application that could cause such
> traffic.

When tracking down these sorts of problems list _specifically_ what
commands you used -- I think we already know that you have not
identified the source of these warnings (beyond that they appear to
come from the zyxel).

> > .. I got similar problems with a router and the SPI (Stateful
> > Packet Inspection) feature that even blocked some traffic that should be
> > accepted. If you have this feature activated I'd try to turn it off
> > (temporarily). HTH,
>
> It's just a box - cheap but hardcoded. If the router was a Linux
> machine it would be easier.
> Thank you anyway.
> G.F.


Can you provide a link to the user's guide -- I couldn't find it
quickly. Did find one for a 64x series but nada re: details on the
installed filter rules -- just a quick "here's how to add up to 12 more
rules" section. I wonder if their filter rules are logging outgoing
traffic and triggering this because of the sequence of port #s. Shrugs
....

Also, you may want to google for any recent reports like this:
http://kerneltrap.org/node/4276
The firmware upgrade page in the dsl is _not_ password protected :-(

Likely I'm wrong (happens all the time) but for some reason I have it
in my mind that zyxel uses an embedded Linux in their router/bridge
products these days.

At this stage I would be very prone to get out tcpdump -- or better,
ethereal for real time display -- and start sniffing traffic to get
some idea what may be going on.

Are there specific, repeatable occasions when this occurs -- e.g., only
when visiting certain web sites? The full URL would be nice, as the IP
logged didn't reveal much:
http://80.85.194.225/ gives me:
"Globales Webserver Root Verzeichnis" on an otherwise blank page.
OpenRBL reports this:
Lookup 80.85.194.225 (ww2.otto.de) in 20+9 Zones
AS: 80.85.192.0/20 AS16378 ? RADB/RIPE ??
Net 80/8 EU-ZZ-80 ? Amsterdam, North Holland
Results: Negative=29, Positive=0 (2004-12-23 16:51:26 UTC)

At least it's not on a spam blackhole list ;-)

prg
email above disabled

 