Chinese IP attacks on my router?

wasteomind (Gawd; joined Aug 13, 2004; 522 messages)
I just got a new router, and it's been working fine, except for some reason at night it seems to slow to a crawl for no apparent reason. I am pretty sure it isn't my ISP because this issue has never cropped up with the old router, and rebooting the new one seems to help.

However, checking my router's logs I have noticed that a Chinese IP address has been attempting to access my router on multiple ports for over 18 hours now. The log indicates the blocked attempts are about 3 seconds apart, and all coming from IPs in the 221.192.*.* range. There are over 800 log entries on my router about this now. As far as I am aware the router is blocking the attempts, but I'm not 100% sure.

Now I'm not sure if the events are related, but I'm assuming this shouldn't be common. I know cyber crime from China is on the rise, but what concerns should I have and what steps can I take to protect myself?
 
> I just got a new router, and it's been working fine, except for some reason at night it seems to slow to a crawl for no apparent reason. I am pretty sure it isn't my ISP because this issue has never cropped up with the old router, and rebooting the new one seems to help.
>
> However, checking my router's logs I have noticed that a Chinese IP address has been attempting to access my router on multiple ports for over 18 hours now. The log indicates the blocked attempts are about 3 seconds apart, and all coming from IPs in the 221.192.*.* range. There are over 800 log entries on my router about this now. As far as I am aware the router is blocking the attempts, but I'm not 100% sure.
>
> Now I'm not sure if the events are related, but I'm assuming this shouldn't be common. I know cyber crime from China is on the rise, but what concerns should I have and what steps can I take to protect myself?

Fight back! Do the same to that IP!

Set up a DMZ and a honeypot or something.
 
I have had this happen before. For the most part the router should be doing its job. Depending on the router, check to see if it has a setting for blocking an incoming IP or IP range, and set it for the IPs you are getting scanned at. You can also shut off the cable modem and router, wait for about 20 mins and bring it back up. You might get a new IP address on the ISP side.

A little whois:

221.192.0.0
Record Type: IP Address

#
# Query terms are ambiguous. The query is assumed to be:
# "n 221.192.0.0"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=221.192.0.0?showDetails=true&showARIN=false
#

NetRange: 221.0.0.0 - 221.255.255.255
CIDR: 221.0.0.0/8
OriginAS:
NetName: APNIC7
NetHandle: NET-221-0-0-0-1
Parent:
NetType: Allocated to APNIC
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to
http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
RegDate:
Updated: 2010-07-30
Ref: http://whois.arin.net/rest/net/NET-221-0-0-0-1

OrgName: Asia Pacific Network Information Centre
OrgId: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
RegDate:
Updated: 2004-03-01
Ref: http://whois.arin.net/rest/org/APNIC

ReferralServer: whois://whois.apnic.net

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: [email protected]
OrgTechRef: http://whois.arin.net/rest/poc/AWC12-ARIN
 
What type of packets is it sending? Is it like a ping or some kind of ACK? Maybe you can set a rule to just drop packets. Right now the router might be replying back, and that's using up more bandwidth. If the packets are just dropped you're just downloading, not uploading.

The problem with China is they have like no laws there. They can hack you all they want and not get in trouble for it, but if you hack back then since it's illegal here you could be in trouble. They know this and take advantage of it.
 
> What type of packets is it sending? Is it like a ping or some kind of ACK? Maybe you can set a rule to just drop packets. Right now the router might be replying back, and that's using up more bandwidth. If the packets are just dropped you're just downloading, not uploading.
>
> The problem with China is they have like no laws there. They can hack you all they want and not get in trouble for it, but if you hack back then since it's illegal here you could be in trouble. They know this and take advantage of it.

I used to get tons of notices from my SonicWall for port scans and stuff from CHINA!
 
I drop all traffic from China and Russia with the CountryBlock addon for pfSense ;)
 
Hi,

Best long term solution is to use a GeoIP database to find the rough location of the sender's computer. Next step, you'll need a small asteroid in low-earth orbit. You want to de-orbit the asteroid so that it lands near the computer.

Failing that, just block all of China. Unless you have any friends there that you want to Skype with, you're not really losing anything.
 
This is normal, it's part of the "noise of the internet". If you get a higher-end firewall that kicks in monitoring of the WAN port, you can find yourself spending hours and hours poring through the logs seeing attacks on your public IP address from all over the world. It's normal, it's part of the internet, it happens all the time.

I choose not to get sucked into that and bite my fingernails worrying. I let the firewall do its job, and I focus on other things.
 
Every now and again I get the same thing on my FTP server. The logs show someone trying to brute force the Administrator account. Cept there is no Administrator account :D

I just ban the IP.
 
> This is normal, it's part of the "noise of the internet". If you get a higher-end firewall that kicks in monitoring of the WAN port, you can find yourself spending hours and hours poring through the logs seeing attacks on your public IP address from all over the world. It's normal, it's part of the internet, it happens all the time.
>
> I choose not to get sucked into that and bite my fingernails worrying. I let the firewall do its job, and I focus on other things.

Speaking of that, anyone know of any addon for pfSense that would show this type of info? It's always fun to see what it's blocking, and it also confirms that it's doing its job. I know I can set logging on firewall rules, but I am thinking more about the lower-level stuff like SYN/ACK attacks.

And yeah I tend to block China and Russia completely off my websites and other web services. They mean nothing but trouble.
 
> And yeah I tend to block China and Russia completely off my websites and other web services. They mean nothing but trouble.

Since when are they trouble? I've been on dozens of RU and CN websites without any problem. Some Chinese sites are slow but otherwise safe to use.
 
Countries are allocated via the IP ranges assigned to them, to the best of my knowledge. This is meant for your average "script kiddie" who tries to do something over a direct connection; the IP blocking really does nothing for anything really malicious, since most likely the attack will be bounced. But yes, it's blocked by IP range.
 
> Since when are they trouble? I've been on dozens of RU and CN websites without any problem. Some Chinese sites are slow but otherwise safe to use.

I block them from connecting to me, not the other way around.

I don't know how accurate it is, but I use this:

http://www.countryipblocks.net/

One of my sites kept getting hacked (very old forum, I just don't have the time to upgrade), so I blocked like all the 3rd world countries. Not a single spammer or hacker since. I don't understand how, but my revenues actually went up. May have to do with the better CTR.
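Range-based blocking as the last few posts describe it comes down to a file of CIDR ranges and a membership test per connection. The following is an added example, not code from the thread or from countryipblocks.net; the blocklist and router log lines are constructed, with 221.192.0.0/16 taken from the OP's report and everything else made up.

```python
import ipaddress
import re

# Constructed blocklist in the one-CIDR-per-line style such lists use.
# 221.192.0.0/16 is the range the OP reported; the rest is made-up filler.
BLOCKLIST_TEXT = """
# constructed sample list, not a real country allocation
221.192.0.0/16
221.193.0.0/16
203.0.113.0/24
"""

# Constructed router log lines; the format is invented for this example.
ROUTER_LOG = """
[Blocked: TCP SYN] from 221.192.17.44:53122 to port 23
[Blocked: TCP SYN] from 221.192.17.44:53123 to port 80
[Blocked: TCP SYN] from 221.193.200.9:4000 to port 22
[Blocked: TCP SYN] from 198.51.100.7:40001 to port 22
[Blocked: TCP SYN] from 2001:db8::1:4000 to port 22
"""

def load_blocklist(text):
    """Parse CIDR lines (skipping comments) and merge adjacent ranges,
    so 221.192.0.0/16 + 221.193.0.0/16 become a single 221.192.0.0/15."""
    nets = [ipaddress.ip_network(l.split("#", 1)[0].strip(), strict=False)
            for l in text.splitlines() if l.split("#", 1)[0].strip()]
    return list(ipaddress.collapse_addresses(nets))

def is_blocked(ip, nets):
    """True if ip falls inside any listed network of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)

# Greedy \S+ backtracks past the trailing :port, so IPv6 sources parse too.
SRC_RE = re.compile(r"from (\S+):\d+ to port \d+")

def filter_log(log, nets):
    """Return (blocked, allowed) source addresses found in the log."""
    blocked, allowed = [], []
    for line in log.splitlines():
        m = SRC_RE.search(line)
        if m:
            (blocked if is_blocked(m.group(1), nets) else allowed).append(m.group(1))
    return blocked, allowed

if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_TEXT)
    print("blocklist collapsed to:", [str(n) for n in nets])
    print("blocked / allowed:", filter_log(ROUTER_LOG, nets))
```

Note that a list like this only matches the source address that reaches you; as the post above says, an attack relayed through a host outside the listed ranges passes straight through.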
 
Yep, it's pretty common to get traffic reports like that. They will usually be labeled like "PortScans" and stuff like that. There's lots of garbage traffic on the internet; your firewall now is just reporting a lot more to you.
 
That's as common as rocks. Set up fail2ban or something, have strong passwords, and then forget about it.
 
Another vote for country bans. That plus the DROP list from spamhaus. Happy camper.
 
Oh, and yeah, in case of a server fail2ban is a MUST. It does not matter how strong your password is; if you don't have fail2ban or another method to stop brute force, it's not a matter of if they get in, it's a matter of when. Even if you change your password often, there's a decent chance you pick one in a range that did not get tried yet. SSH is actually highly targeted, as from there the attacker is free to do anything with the server, but this also goes for FTP and web-based applications.

I was messing around once with a Linux VM. I don't recall what I was planning to do with it, but I had to put it online for something, some kind of experiment or dev environment of some sort. I did the port forward, walked away, came back, and my internet was not working. I isolated the problem to my VM attempting to get into the DoD, universities, government sites etc... It had been hacked by a bot, and now that it was compromised it had become part of a botnet and was also trying to hack into other machines online. I had root authentication off, but it managed to find an obscure user account I had created. Just comes to show how easy it is to get hacked by bots without something like fail2ban.

Also, don't use the default port for stuff like SSH. That's more security through obscurity, so obviously it's not a solution per se, but it will cut down a lot on attempts.

All this does not apply to a home PC like in the OP, and more to a server.
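What fail2ban does for the case this post describes is a sliding window of authentication failures per source address. The following is an added example, not fail2ban's code or anyone's from this thread: it replays constructed sshd log lines (standard OpenSSH "Failed password" format; the hostname, PIDs and the assumed year 2011 are made up) and bans a source after MAXRETRY failures within FINDTIME, for BANTIME.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 3                       # failures tolerated ...
FINDTIME = timedelta(minutes=10)   # ... within this sliding window
BANTIME = timedelta(hours=1)       # how long a ban lasts

# Standard OpenSSH "Failed password" syslog line; host and PID vary.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def parse_ts(stamp, year=2011):
    """syslog stamps carry no year; 2011 is an arbitrary assumption here."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

class Jail:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> times of recent failures
        self.banned = {}                     # ip -> when the ban expires

    def observe(self, line):
        """Feed one line; return 'fail', 'ban', 'banned' (still blocked) or None."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        now, ip = parse_ts(m["ts"]), m["ip"]
        if ip in self.banned and self.banned[ip] <= now:
            del self.banned[ip]              # ban has expired
        if ip in self.banned:
            return "banned"
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > FINDTIME:    # forget failures outside the window
            window.popleft()
        if len(window) >= MAXRETRY:
            self.banned[ip] = now + BANTIME
            return "ban"
        return "fail"

# Constructed sample: one source hammering every 3 seconds (as the OP saw),
# one legitimate user mistyping a password twice, 20 minutes apart.
SAMPLE_LOG = """\
Sep  5 03:14:15 vm sshd[2201]: Failed password for invalid user admin from 221.192.17.44 port 50010 ssh2
Sep  5 03:14:18 vm sshd[2203]: Failed password for invalid user admin from 221.192.17.44 port 50011 ssh2
Sep  5 03:14:21 vm sshd[2205]: Failed password for root from 221.192.17.44 port 50012 ssh2
Sep  5 03:20:00 vm sshd[2209]: Failed password for bob from 198.51.100.7 port 41002 ssh2
Sep  5 03:40:00 vm sshd[2211]: Failed password for bob from 198.51.100.7 port 41003 ssh2
"""
```

Replaying SAMPLE_LOG line by line through `Jail().observe` bans 221.192.17.44 on its third failure at 03:14:21 (until 04:14:21) and never bans 198.51.100.7, whose two failures fall outside the ten-minute window.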
 
I viewed my logs and was getting DoS ACK attacks from CNET and HP addresses, here in the US.
 