Chinese IP attacks on my router?

Discussion in 'Networking & Security' started by wasteomind, May 9, 2011.

  1. wasteomind

    wasteomind Gawd

    Messages:
    516
    Joined:
    Aug 13, 2004
    I just got a new router, and it's been working fine, except that for some reason at night it seems to slow to a crawl for no apparent reason. I am pretty sure it isn't my ISP, because this issue never cropped up with the old router, and rebooting the new one seems to help.

    However, checking my router's logs, I have noticed that a Chinese IP address has been attempting to access my router on multiple ports for over 18 hours now. The log indicates the blocked attempts are about 3 seconds apart, and all coming from IPs in the 221.192.*.* range. There are over 800 log entries on my router about this now. As far as I am aware the router is blocking the attempts, but I'm not 100% sure.

    Now I'm not sure if the events are related, but I'm assuming this shouldn't be common. I know cyber crime from China is on the rise, but what concerns should I have and what steps can I take to protect myself?
     
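An added example, not part of the original post: the kind of quick triage a practitioner would run over router drop logs like the ones described above, grouping entries by source /16, counting distinct destination ports, and measuring the gap between hits to separate a steady port scan from stray background noise. The log line format and the sample entries are constructed for the example (real routers log in their own formats, so `parse_line()` would need adjusting); the 221.192.0.0/16 source and the 3-second cadence mirror the description in the post.

```python
"""Summarize firewall-drop log entries by source network.

Added example for this thread, not from the original post. The log line
format below is a constructed, generic one (timestamp, action, proto,
src ip:port -> dst ip:port); real routers differ, so adjust parse_line().
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>\w+) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample, modelled on the OP's description: one /16 hammering
# many ports a few seconds apart, plus some unrelated background noise.
SAMPLE_LOG = """\
2011-05-09 01:00:00 DROP TCP 221.192.10.5:40001 -> 198.51.100.7:22
2011-05-09 01:00:03 DROP TCP 221.192.10.5:40002 -> 198.51.100.7:23
2011-05-09 01:00:06 DROP TCP 221.192.10.5:40003 -> 198.51.100.7:80
2011-05-09 01:00:09 DROP TCP 221.192.44.9:40004 -> 198.51.100.7:443
2011-05-09 01:00:12 DROP TCP 221.192.44.9:40005 -> 198.51.100.7:3389
2011-05-09 01:00:15 DROP TCP 221.192.44.9:40006 -> 198.51.100.7:8080
2011-05-09 01:07:40 DROP UDP 203.0.113.20:53123 -> 198.51.100.7:1900
2011-05-09 01:30:01 DROP TCP 192.0.2.77:51000 -> 198.51.100.7:445
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    d["dport"] = int(d["dport"])
    return d


def summarize(log_text, prefixlen=16):
    """Group drops by source /prefixlen; report hits, ports, hosts, median gap."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "DROP":
            continue
        net = ipaddress.ip_network(f"{ev['src']}/{prefixlen}", strict=False)
        groups[str(net)].append(ev)
    report = {}
    for net, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        report[net] = {
            "hits": len(evs),
            "ports": sorted({e["dport"] for e in evs}),
            "hosts": len({e["src"] for e in evs}),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report


def scanners(report, min_hits=5, min_ports=3):
    """Source networks that look like a port scan rather than one-off noise."""
    return sorted(n for n, r in report.items()
                  if r["hits"] >= min_hits and len(r["ports"]) >= min_ports)


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for net, r in sorted(rep.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{net:18} hits={r['hits']:3} hosts={r['hosts']} "
              f"ports={r['ports']} median_gap={r['median_gap_s']}")
    print("scan-like:", scanners(rep))
```

Grouping by /16 rather than by exact address is what makes the pattern visible when the scanner rotates through several hosts in the same allocation, as the post describes; the single UDP and SMB hits from other networks fall below the threshold and are reported but not flagged.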
  2. AMD_Gamer

    AMD_Gamer [H]ard as it Gets

    Messages:
    18,277
    Joined:
    Jan 20, 2002
    Fight back! Do the same to that IP!

    Set up a DMZ and a honeypot or something.
     
  3. Zardoz

    Zardoz 2[H]4U

    Messages:
    3,251
    Joined:
    Aug 27, 2000
    I have had this happen before. For the most part the router should be doing its job. Depending on the router, check to see if it has a setting for blocking an incoming IP or IP range, and set it for the IPs you are getting scanned from. You can also shut off the cable modem and router, wait for about 20 minutes and bring them back up. You might get a new IP address on the ISP side.

    A little whois

     
  4. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
    What type of packets is it sending? Is it like ping or some kind of ACK? Maybe you can set a rule to just drop the packets. Right now the router might be replying back, and that's using up more bandwidth. If the packets are just dropped, you're just downloading, not uploading.

    The problem with China is they have like no laws there. They can hack you all they want and not get in trouble for it, but if you hack back then since it's illegal here you could be in trouble. They know this and take advantage of it.
     
  5. dashpuppy

    dashpuppy [H]ardness Supreme

    Messages:
    6,163
    Joined:
    May 5, 2010
    I used to get tons of notices from my SonicWall for port scans and stuff from CHINA!
     
  6. Chibo

    Chibo Gawd

    Messages:
    605
    Joined:
    Jun 21, 2003
    I drop all traffic from China and Russia with the CountryBlock addon for pfSense ;)
     
  7. Anelly

    Anelly n00b

    Messages:
    6
    Joined:
    May 5, 2009
    Use a VPN to protect your online activity and encrypt data
     
  8. Jay_2

    Jay_2 2[H]4U

    Messages:
    3,583
    Joined:
    Mar 20, 2006
    I have been tempted to do this as well.
     
  9. cymon

    cymon Limp Gawd

    Messages:
    453
    Joined:
    Apr 16, 2009
    Hi,

    Best long term solution is to use a GeoIP database to find the rough location of the sender's computer. Next step, you'll need a small asteroid in low-earth orbit. You want to de-orbit the asteroid so that it lands near the computer.

    Failing that, just block all of China. Unless you have any friends there that you want to skype with, you're not really losing anything.
     
  10. YeOldeStonecat

    YeOldeStonecat [H]ardForum Junkie

    Messages:
    11,330
    Joined:
    Jul 19, 2004
    This is normal, it's part of the "noise of the internet"... If you get a higher-end firewall that kicks in monitoring of the WAN port, you can find yourself spending hours and hours poring through the logs, seeing attacks on your public IP address from all over the world. It's normal, it's part of the internet, it happens all the time.

    I choose not to get sucked into that and bite my fingernails worrying... I let the firewall do its job, and I focus on other things.
     
  11. jadams

    jadams 2[H]4U

    Messages:
    4,087
    Joined:
    Mar 14, 2010
    Every now and again I get the same thing on my FTP server. The logs show someone trying to brute-force the Administrator account. Except there is no Administrator account :D

    I just ban the IP.
     
  12. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
    Speaking of that, anyone know of any addon for pfSense that would show this type of info? It's always fun to see what it's blocking, and it also confirms that it's doing its job. I know I can set logging on firewall rules, but I am thinking more about the lower-level stuff like SYN/ACK attacks.

    And yeah I tend to block China and Russia completely off my websites and other web services. They mean nothing but trouble.
     
  13. Acer_Sheep

    Acer_Sheep [H]ard|Gawd

    Messages:
    1,201
    Joined:
    May 18, 2007
    Since when are they trouble? I've been on dozens of RU and CN websites without any problem. Some of the Chinese sites are slow but otherwise safe to use.
     
  14. ciggwin

    ciggwin [H]ardness Supreme

    Messages:
    4,864
    Joined:
    May 30, 2006
    What do you do to block China/Russia? Block it via IP range?
     
  15. TehRoot

    TehRoot Limp Gawd

    Messages:
    155
    Joined:
    Apr 6, 2011
    Countries are identified via the IP ranges assigned to them, to the best of my knowledge. This is meant for your average "script kiddie" who tries to do something over a direct connection; the IP blocking really does nothing against anything really malicious, since most likely the attack will be bounced. But yes, it's blocked by IP range.
     
  16. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
    I block them from connecting to me, not the other way around.

    I don't know how accurate it is, but I use this:

    http://www.countryipblocks.net/

    One of my sites kept getting hacked (very old forum, I just don't have the time to upgrade), so I blocked like all the 3rd world countries. Not a single spammer or hacker since. I don't understand how, but my revenues actually went up. It may have to do with the better CTR.
     
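An added example, not code from the thread, from pfSense's CountryBlock addon or from countryipblocks.net: the mechanics behind the country-range blocking discussed in the last few posts. A country list of the kind those sources publish is one CIDR per line; the code below loads such a list, collapses overlapping prefixes so the firewall gets the fewest rules, answers "is this source blocked?", and emits equivalent iptables and pf rule text. The CIDRs in `BLOCKLIST_TEXT` are constructed for the example and are not any country's real allocations; `wan` as the pf interface name is an assumption.

```python
"""Country-range blocking from a one-CIDR-per-line list.

Added example, not code from the thread or from any blocklist provider.
BLOCKLIST_TEXT is constructed (not real allocations); fetch a real list
from the provider of your choice for actual use.
"""
import ipaddress

# Constructed list: a comment, a blank line, and two overlapping entries
# (221.192.128.0/17 lies inside 221.192.0.0/16) to exercise the collapse step.
BLOCKLIST_TEXT = """\
# example country list (constructed for this example)
221.192.0.0/16
221.192.128.0/17
221.200.0.0/14

203.0.113.0/24
"""


def load_blocklist(text):
    """Parse CIDRs, ignoring comments/blank lines, and merge overlapping prefixes."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    # collapse_addresses drops prefixes contained in others and joins adjacent
    # ones, returning them sorted; fewer rules means a faster lookup per packet.
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip, nets):
    """True if ip falls inside any blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def iptables_rules(nets, chain="INPUT"):
    """One DROP rule per collapsed prefix.

    DROP rather than REJECT: a silently discarded packet costs no reply
    traffic upstream, which is the point Red Squirrel raised earlier.
    """
    return [f"iptables -A {chain} -s {n} -j DROP" for n in nets]


def pf_table(nets, name="countryblock", iface="wan"):
    """pf equivalent: a persistent table plus one quick block rule.

    The interface name 'wan' is an assumption for this example.
    """
    body = ", ".join(str(n) for n in nets)
    return [
        f"table <{name}> persist {{ {body} }}",
        f"block drop in quick on {iface} from <{name}> to any",
    ]


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_TEXT)
    print("collapsed:", [str(n) for n in nets])
    for probe in ("221.192.44.9", "221.203.1.1", "198.51.100.7"):
        print(probe, "blocked" if is_blocked(probe, nets) else "allowed")
    print("\n".join(iptables_rules(nets)))
    print("\n".join(pf_table(nets)))
```

For a real list of thousands of prefixes, the linear `any()` scan in `is_blocked` is fine for log analysis but not for per-packet filtering; that is what the firewall's own table (ipset, pf tables, pfSense aliases) is for, and the rule emitters above feed exactly those.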
  17. TehRoot

    TehRoot Limp Gawd

    Messages:
    155
    Joined:
    Apr 6, 2011
    Yeah, depending on the situation, block banning can be a very good thing.
     
  18. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,405
    Joined:
    Oct 4, 2007
    Yep, it's pretty common to get traffic reports like that. They will usually be labeled like "PortScans" and stuff like that. There's lots of garbage traffic on the internet; your firewall now is just reporting a lot more of it to you.
     
  19. Whatsisname

    Whatsisname [H]ardForum Junkie

    Messages:
    10,202
    Joined:
    Nov 15, 2000
    That's as common as rocks. Set up fail2ban or something, have strong passwords, and then forget about it.
     
  20. XOR != OR

    XOR != OR [H]ardForum Junkie

    Messages:
    11,549
    Joined:
    Jun 17, 2003
    Another vote for country bans. That plus the DROP list from spamhaus. Happy camper.
     
  21. Veeb0rg

    Veeb0rg 2[H]4U

    Messages:
    3,278
    Joined:
    Dec 31, 2000
    Just added this to my new pfsense box.. thanks for the tip.
     
  22. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
    Oh, and yeah, in the case of a server fail2ban is a MUST. It does not matter how strong your password is; if you don't have fail2ban or another method to stop brute force, it's not a matter of if they get in, it's a matter of when. Even if you change your password often, there's a decent chance you pick one in a range that did not get tried yet. SSH is actually highly targeted, as from there the attacker is free to do anything with the server, but this also goes for FTP and web-based applications.

    I was messing around once with a Linux VM, I don't recall what I was planning to do with it, but I had to put it online for something. Some kind of experiment or dev environment of some sort. I did the port forward, walked away, came back, and my internet was not working. I isolated the problem to my VM attempting to get into the DoD, universities, government sites etc... It had been hacked by a bot, and now that it was compromised it had become part of a botnet and was also trying to hack into other machines online. I had root authentication off, but it managed to find an obscure user account I had created. Just goes to show how easy it is to get hacked by bots without something like fail2ban.

    Also, don't use the default port for stuff like SSH. That's more security through obscurity, so obviously it's not a solution per se, but it will cut down a lot on attempts.

    All this does not apply to a home PC like in the OP, and more to a server.
     
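An added example, not fail2ban's code and not from the thread: the core logic that fail2ban applies to the SSH brute-force problem described above, reduced to its essentials. It reads OpenSSH "Failed password" lines, keeps a sliding window of failures per source, bans a source once it reaches `maxretry` failures within `findtime` seconds, and lets the ban expire after `bantime`. The auth log lines are constructed for the example (standard syslog format, year assumed to be 2011 since syslog omits it); in production you would run fail2ban itself with its `sshd` jail rather than this.

```python
"""Minimal fail2ban-style brute-force banning over sshd log lines.

Added example, not fail2ban's code or code from the thread. The log lines
are constructed in OpenSSH's syslog format; the year is assumed (syslog
timestamps carry none).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one source cycling through guessed usernames every few
# seconds (the bot pattern), one legitimate user with two far-apart typos.
SAMPLE_AUTH_LOG = """\
May  9 02:00:01 gw sshd[1201]: Failed password for invalid user admin from 221.192.10.5 port 40101 ssh2
May  9 02:00:04 gw sshd[1202]: Failed password for invalid user oracle from 221.192.10.5 port 40102 ssh2
May  9 02:00:07 gw sshd[1203]: Failed password for root from 221.192.10.5 port 40103 ssh2
May  9 02:00:10 gw sshd[1204]: Failed password for backup from 221.192.10.5 port 40104 ssh2
May  9 02:00:13 gw sshd[1205]: Failed password for invalid user test from 221.192.10.5 port 40105 ssh2
May  9 02:00:20 gw sshd[1206]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
May  9 02:05:00 gw sshd[1207]: Failed password for alice from 192.0.2.10 port 50001 ssh2
May  9 02:30:00 gw sshd[1208]: Failed password for alice from 192.0.2.10 port 50002 ssh2
"""


def parse_ts(s, year=2011):
    """Syslog 'Mon  d HH:MM:SS' to datetime; the year is an assumption."""
    return datetime.strptime(f"{year} {' '.join(s.split())}", "%Y %b %d %H:%M:%S")


class Jail:
    """Sliding-window failure counter with expiring bans (fail2ban's model)."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> datetime the ban expires

    def is_banned(self, ip, now):
        exp = self.bans.get(ip)
        if exp is None:
            return False
        if now >= exp:
            del self.bans[ip]  # bantime elapsed: unban
            return False
        return True

    def observe(self, line):
        """Feed one log line; return the ip if this line triggers a new ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip, ts = m["ip"], parse_ts(m["ts"])
        if self.is_banned(ip, ts):
            return None  # already blocked at the firewall; nothing new to do
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.findtime:
            q.popleft()  # forget failures older than findtime
        if len(q) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            q.clear()
            return ip
        return None


def run(log_text, **jail_kwargs):
    """Replay a log through a Jail; return the jail and the ips it banned."""
    jail = Jail(**jail_kwargs)
    banned = [ip for ip in (jail.observe(l) for l in log_text.splitlines()) if ip]
    return jail, banned


if __name__ == "__main__":
    jail, banned = run(SAMPLE_AUTH_LOG)
    print("banned:", banned)
    print("ban expiries:", {ip: t.isoformat() for ip, t in jail.bans.items()})
```

The two settings that matter are `findtime` and `maxretry`: the bot above is banned on its fifth guess, 12 seconds in, while the legitimate user's two failures 25 minutes apart never accumulate because the first has aged out of the window by the time the second arrives. In real fail2ban the ban action is an `iptables`/`pf` rule inserted for the source, which is why the `is_banned` short-circuit exists: once banned, the source's packets never reach sshd, so no further log lines appear.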
  23. ThreeDee

    ThreeDee [H]ardForum Junkie

    Messages:
    10,643
    Joined:
    Sep 5, 2001
  24. bigdogchris

    bigdogchris [H]ard as it Gets

    Messages:
    17,886
    Joined:
    Feb 19, 2008
    I viewed my logs and was getting DOS ACK attacks from CNET and HP addresses, here in the US.