date 2021-08-02

I use the following TCPDump command (when logged in to my router via SSH) to detect inbound connections/connection attempts that are NEW, and NOT RELATED to my outbound connections:

tcpdump -i WAN-Interface -Q in "tcp[tcpflags] & (tcp-syn) !=0 and tcp[tcpflags] & (tcp-ack) =0"

Results show IPs from all over the world (especially China, Singapore, Russia) trying to establish connections to known vulnerable ports, such as RDP (TCP port 3389), SSH and Telnet. The worst part is that when I exit TCPDump by pressing CTRL+C, it shows that 0 packets were dropped by the filter... The default router (UniFi Dream Machine) rules do not allow inbound connections, and on top of that I added my own rules, all of which are DROP rules.

Should I consider those connections as attacks? I mean, why would someone try to connect via SSH to my WAN IP when remote management is disabled? That command never lists any of my local network IP addresses. I hope it means that none of my local network clients connect to those IPs.

Another really funky thing is that the act of using that TCPDump command results in my local DNS server trying to resolve "in-addr.arpa" domains for each IP address detected by that TCPDump command. Why is that? How can the act of running that TCPDump have an effect on DNS resolution? My local DNS server IP is also used as the WAN DNS server IP to drop connections used by Ubiquiti for telemetry and metrics (trace.svc.ui.com). Perhaps using the local DNS server IP for WAN DNS makes my local DNS server a public DNS server? My local DNS server has very strict IPTables inbound rules, and the DNS server service's (AdGuard Home) response to all those "in-addr.arpa" queries is "NXDOMAIN". My DNS server service (AdGuard Home) uses "resolve all domains to the 0.0.0.0 black hole, except for domains needed for local client VPN tunnels". Again, I only see all those "in-addr.arpa" resolution attempts for those WAN-inbound IPs when I run that TCPDump command...
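Added example, not part of the original post: tcpdump resolves every address it prints to a host name unless run with `-n`, and that reverse (PTR) lookup is exactly a query for the `in-addr.arpa` name of each source IP. The script below shows that PTR name for an address and, from a constructed sample of `tcpdump -n` output, tallies the SYN-only inbound attempts (the same SYN-set/ACK-clear condition as the BPF filter in the question) per destination port and per source; the sample lines and addresses are invented, not captured traffic.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample of `tcpdump -n` output lines (documentation-range addresses, not a real capture).
SAMPLE_LINES = """\
10:01:02.000001 IP 203.0.113.5.51234 > 198.51.100.7.3389: Flags [S], seq 1, win 65535, length 0
10:01:02.100002 IP 203.0.113.5.51235 > 198.51.100.7.3389: Flags [S], seq 2, win 65535, length 0
10:01:03.000003 IP 198.51.100.44.40000 > 198.51.100.7.22: Flags [S], seq 3, win 29200, length 0
10:01:04.000004 IP 192.0.2.9.55555 > 198.51.100.7.23: Flags [S], seq 4, win 1024, length 0
10:01:05.000005 IP 203.0.113.5.51236 > 198.51.100.7.443: Flags [S.], seq 5, ack 1, win 65535, length 0
""".splitlines()

# tcpdump prints "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" for TCP segments.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def parse_line(line):
    """Return the TCP tuple of one tcpdump line, or None for lines that are not TCP."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "flags": flags}


def is_new_inbound_syn(pkt):
    """SYN set and ACK clear: tcpdump writes ACK as '.', so '[S]' matches and '[S.]' does not."""
    return "S" in pkt["flags"] and "." not in pkt["flags"]


def reverse_name(ip):
    """The PTR name the resolver is asked for when tcpdump runs without -n."""
    return ip_address(ip).reverse_pointer


def summarize(lines):
    """Count SYN-only attempts per destination port and per source address."""
    by_port, by_src = Counter(), Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt and is_new_inbound_syn(pkt):
            by_port[pkt["dport"]] += 1
            by_src[pkt["src"]] += 1
    return by_port, by_src


if __name__ == "__main__":
    ports, sources = summarize(SAMPLE_LINES)
    print("attempts per port:", dict(ports))
    print("attempts per source:", dict(sources))
    print("PTR name tcpdump would query for 203.0.113.5:", reverse_name("203.0.113.5"))
```

Running the capture itself with `tcpdump -n ...` keeps the output as plain addresses and stops the resolver traffic entirely.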