Need help with router logs - getting attacked?

st4rk (Gawd; joined Sep 19, 2003; 1,013 messages)
Ok so this is my first IT job where I've had to manage outside routers myself. My first IT job I ever had my boss basically took care of that, and we had an overnight person that would stay and monitor our routers for attacks.

Now this time it's all up to me. I just got hired here. They had logging enabled, but it wasn't being output to any syslog servers. So I recently installed kiwi and got it working. I just checked the logs for the first time after they had been running for a couple days.

I have an incoming access list on the outside interface of the router, it is access list number 103.

First, these entries seem like people are probing the network for these ports to see if they can exploit something, right? I'm under the impression that activity like this is to be expected:

2007-11-30 14:48:30 list 103 denied tcp 68.142.91.105(80) -> my router outside IP(65000), 1 packet
2007-11-30 14:53:33 list 103 denied tcp 68.142.91.105(80) -> my router outside IP(65000), 4 packets
2007-11-30 14:53:42 list 103 denied tcp 208.111.129.96(80) -> my router outside IP(65301), 1 packet
2007-11-30 14:58:38 list 103 denied tcp 208.111.129.99(80) -> my router outside IP(1311), 1 packet
2007-11-30 14:59:33 list 103 denied tcp 208.111.129.96(80) -> my router outside IP(65301), 3 packets
2007-11-30 15:04:33 list 103 denied tcp 208.111.129.99(80) -> my router outside IP(1311), 3 packets
2007-11-30 15:22:09 list 103 denied tcp 194.129.79.21(80) -> my router outside IP(2222), 1 packet
2007-11-30 15:27:34 list 103 denied tcp 194.129.79.21(80) -> my router outside IP(2222), 3 packets
2007-12-03 12:00:26 list 103 denied tcp 209.73.188.78(80) -> my router outside ip(16660), 1 packet
2007-12-03 12:05:53 list 103 denied tcp 216.109.126.22(80) -> my router outside ip(16959), 1 packet
2007-12-03 12:05:53 list 103 denied tcp 209.73.188.78(80) -> my router outside ip(16660), 2 packets
2007-12-03 12:10:54 list 103 denied tcp 216.109.126.22(80) -> my router outside ip(16959), 3 packets

Did a whois on those IPs; some are from the UK.

These next entries in the log confuse me, I have no idea what's going on here:

2007-12-05 06:28:07 list 103 denied tcp 89.21.3.115(80) (FastEthernet0/1 0004.e2c8.58e8) -> my outside router IP(47845), 1 packet
2007-12-05 06:33:20 list 103 denied tcp 89.21.3.115(80) (FastEthernet0/1 0004.e2c8.58e8) -> my outside router IP(47845), 4 packets
2007-12-05 06:34:47 list 103 denied tcp 89.21.3.115(80) (FastEthernet0/1 0004.e2c8.58e8) -> my outside router IP(48033), 1 packet
2007-12-05 06:40:21 list 103 denied tcp 89.21.3.115(80) (FastEthernet0/1 0004.e2c8.58e8) -> my outside router IP(48037), 5 packets
2007-12-05 06:40:21 list 103 denied tcp 89.21.3.115(80) (FastEthernet0/1 0004.e2c8.58e8) -> my outside router IP(48033), 4 packets

Thanks for any input.
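To triage entries like the ones above without reading them one by one, the following parser and aggregator is an added example (not code from the thread or from any router vendor). It parses the Cisco IOS ACL deny format shown in the post, including the optional syslog sequence number and the parenthesised interface/MAC field that IOS adds when the ACL entry is logged with `log-input`, groups the entries per source address, and applies a simple triage rule: packets arriving *from* a web server's port 80/443 *to* high ephemeral ports on the router are replies the router has no session for (late or duplicate replies, backscatter), whereas one source touching many distinct service ports is a sweep. The sample log is built from the post's own entries with the redacted destination replaced by the documentation address 203.0.113.5, plus a constructed sweep from 198.51.100.7; the thresholds in `classify` are assumptions, not something the thread states.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Cisco IOS ACL deny line as relayed by a syslog server. The "NNNN: " sequence
# number and the "(interface mac)" field (from log-input) are optional.
# The first address(port) is the SOURCE, the second is the DESTINATION.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?:\d+:\s+)?"
    r"list (?P<acl>\d+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \([^)]*\))?"  # e.g. "(FastEthernet0/1 0004.e2c8.58e8)"
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?$"
)


def parse_line(line):
    """Return a dict of fields for one deny entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("acl", "sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec


@dataclass
class SourceSummary:
    entries: int = 0
    packets: int = 0
    src_ports: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""


def summarize(lines):
    """Aggregate deny entries per source address; unparseable lines are skipped."""
    by_src = defaultdict(SourceSummary)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = by_src[rec["src"]]
        s.entries += 1
        s.packets += rec["pkts"]
        s.src_ports.add(rec["sport"])
        s.dst_ports.add(rec["dport"])
        s.first_seen = s.first_seen or rec["ts"]
        s.last_seen = rec["ts"]
    return dict(by_src)


def classify(s):
    """Constructed triage heuristic; the thresholds are assumptions."""
    if s.src_ports <= {80, 443} and all(p > 1023 for p in s.dst_ports):
        # Traffic FROM a web server's port TO our ephemeral ports is a reply
        # the router holds no state for: late/duplicate replies or backscatter.
        return "stale-reply"
    if len(s.dst_ports) >= 5 and any(p <= 1023 for p in s.dst_ports):
        # One source hitting many distinct service ports looks like a sweep.
        return "port-sweep"
    return "other"


def triage(lines):
    """Map each source address to (label, total packets, distinct dst ports)."""
    return {src: (classify(s), s.packets, len(s.dst_ports))
            for src, s in summarize(lines).items()}


# Constructed sample: the post's entries (destination replaced by 203.0.113.5)
# plus a made-up port sweep from 198.51.100.7 to exercise the second rule.
SAMPLE = """\
2007-11-30 14:48:30 list 103 denied tcp 68.142.91.105(80) -> 203.0.113.5(65000), 1 packet
2007-11-30 14:53:33 list 103 denied tcp 68.142.91.105(80) -> 203.0.113.5(65000), 4 packets
2007-11-30 15:22:09 list 103 denied tcp 194.129.79.21(80) -> 203.0.113.5(2222), 1 packet
2007-12-05 06:28:07 list 103 denied tcp 89.21.3.115(80) (FastEthernet0/1 0004.e2c8.58e8) -> 203.0.113.5(47845), 1 packet
2007-12-05 06:33:20 list 103 denied tcp 89.21.3.115(80) (FastEthernet0/1 0004.e2c8.58e8) -> 203.0.113.5(47845), 4 packets
2007-12-05 06:34:47 list 103 denied tcp 89.21.3.115(80) (FastEthernet0/1 0004.e2c8.58e8) -> 203.0.113.5(48033), 1 packet
2007-12-05 06:40:21 list 103 denied tcp 89.21.3.115(80) (FastEthernet0/1 0004.e2c8.58e8) -> 203.0.113.5(48037), 5 packets
2007-12-05 06:40:21 list 103 denied tcp 89.21.3.115(80) (FastEthernet0/1 0004.e2c8.58e8) -> 203.0.113.5(48033), 4 packets
2007-12-05 08:59:59 1383: list 103 denied tcp 122.224.146.54(80) (FastEthernet0/1 0004.e2c8.58e8) -> 203.0.113.5(52161), 1 packet
2007-12-05 09:05:25 1386: list 103 denied tcp 122.224.146.54(80) (FastEthernet0/1 0004.e2c8.58e8) -> 203.0.113.5(52161), 2 packets
2007-12-05 10:12:01 list 103 denied tcp 198.51.100.7(41022) -> 203.0.113.5(21), 1 packet
2007-12-05 10:12:01 list 103 denied tcp 198.51.100.7(41023) -> 203.0.113.5(22), 1 packet
2007-12-05 10:12:02 list 103 denied tcp 198.51.100.7(41024) -> 203.0.113.5(23), 1 packet
2007-12-05 10:12:02 list 103 denied tcp 198.51.100.7(41025) -> 203.0.113.5(25), 1 packet
2007-12-05 10:12:03 list 103 denied tcp 198.51.100.7(41026) -> 203.0.113.5(135), 1 packet
"""

if __name__ == "__main__":
    for src, (label, pkts, nports) in sorted(triage(SAMPLE.splitlines())):
        print(f"{src:16} {label:12} packets={pkts:<4} distinct_dst_ports={nports}")
```

Run against a Kiwi export (`python triage.py < acl103.log` after swapping `SAMPLE.splitlines()` for `sys.stdin`), the "stale-reply" bucket is what the replies below call Internet noise; the "port-sweep" bucket is the short list worth a second look.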
 
2007-12-05 08:59:59 1383: list 103 denied tcp 122.224.146.54(80) (FastEthernet0/1 0004.e2c8.58e8) -> my outside router IP(52161), 1 packet
2007-12-05 09:05:25 1386: list 103 denied tcp 122.224.146.54(80) (FastEthernet0/1 0004.e2c8.58e8) -> my outside router IP(52161), 2 packets

Okay that IP is from China. Do any of you get crap from China in your logs?!
 
That's the noise of the Internet. My router at home generates the same crap if I have access-list logging turned on.
 
That's nothing!

I put in a block rule for all Asia-Pacific/RIPE networks in my firewall for home and I have lines with 10,000+ blocks.

What you are seeing is just normal traffic, sweeps etc.
 