
Connection Attacks reported in the Firewall Log of my BiPac 7800N Router


Anubis_386

Member
Joined
Apr 20, 2006
Location
England - Where VAT hurts my pocket :(
Hey guys!

Whilst logged in to the GUI for my router earlier, I went to the Firewall log page and was rather shocked to see that I had been under HackAttack: [SPI:Illegal connection state attack] since 8.29am (GMT).

Here's a small example of what the log lists:

Apr 15 08:32:51 Bi7800N user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_0_0_38_1] 116.15.25.33:49389 to 82.26.200.129:48718
Apr 15 08:32:51 Bi7800N user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_0_0_38_1] 96.254.120.20:49978 to 82.26.200.129:48718
Apr 15 08:32:54 Bi7800N user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_0_0_38_1] 71.77.40.11:61952 to 82.26.200.129:48718
Apr 15 08:32:56 Bi7800N user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_0_0_38_1] 71.187.14.238:57571 to 82.26.200.129:48718
Apr 15 08:32:56 Bi7800N user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_0_0_38_1] 71.45.156.233:62360 to 82.26.200.129:48718
Apr 15 08:32:58 Bi7800N user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_0_0_38_1] 72.27.15.110:19293 to 82.26.200.129:60525
Apr 15 08:33:00 Bi7800N user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_0_0_38_1] 175.137.164.252:62230 to 82.26.200.129:48718

Also, this is a segment from the System Log:

Apr 15 08:41:35 daemon UPNPD[2033]: HTTP Connection closed inexpectedly
Apr 15 08:42:03 daemon UPNPD[2033]: HTTP Connection closed inexpectedly
Apr 15 08:43:18 daemon DHCP SERVER: DHCPINFORM from 192.168.1.103
Apr 15 08:43:21 daemon DHCP SERVER: DHCPINFORM from 192.168.1.103
Apr 15 08:47:25 daemon DHCP SERVER: DHCPINFORM from 192.168.1.103
Apr 15 08:47:28 daemon DHCP SERVER: DHCPINFORM from 192.168.1.103
Apr 15 08:47:53 daemon DHCP SERVER: DHCPDISCOVER from 00:26:55:8b:86:7b via br0
Apr 15 08:47:55 daemon DHCP SERVER: DHCP offer to 00:26:55:8b:86:7b
Apr 15 08:47:55 daemon DHCP SERVER: DHCP request from 00:26:55:8b:86:7b
Apr 15 08:47:55 daemon DHCP SERVER: DHCP ack to 00:26:55:8b:86:7b

There's also 'daemon UPNPD[2036]' listed quite often in the log.

What's going on?? :S Am I still safe to surf the net? I can provide you with the complete log if required, because it's very long.

  • Router settings wise for the firewall, there's one default rule I can't alter, basically saying anything from any local IP on any port is allowed.
  • I then have options for an "Ethernet MAC Filter" set to 'Block', but it has no parameters set.
  • There's a "Wireless MAC Filter" set to 'Block', "Intrusion Detection" enabled with 'Maximum TCP Open Handshaking Count' set to 50/per second, 'Maximum Ping Count' set to 10/per second and "Maximum ICMP Count" set to 50/per second.
  • Under "Block WAN PING" the two options "Block WAN PING" & "Block WAN (IPv6) PING" are both set to 'Enable'.
  • I then have options for a URL filter, which is currently disabled.
  • Other settings such as "IGMP/MLD Proxy" and "IGMP/MLD Snooping" are all set to enabled.

Any help appreciated! Cheers!
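As an added example (not from the original post or from the router vendor), here is a small Python script that parses lines in the BiPac firewall-log format quoted above and groups the SPI hits by destination port and distinct source address. The sample lines are constructed from the format in the post; the first question for a log like this is whether anything on the LAN is listening on, or forwarded to, the port that keeps being hit.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the BiPac 7800N firewall-log format shown in the post.
# The UPNPD line is included to show that non-HackAttack lines are ignored.
SAMPLE_LOG = """\
Apr 15 08:32:51 Bi7800N user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_0_0_38_1] 116.15.25.33:49389 to 82.26.200.129:48718
Apr 15 08:32:51 Bi7800N user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_0_0_38_1] 96.254.120.20:49978 to 82.26.200.129:48718
Apr 15 08:32:58 Bi7800N user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_0_0_38_1] 72.27.15.110:19293 to 82.26.200.129:60525
Apr 15 08:33:00 Bi7800N user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_0_0_38_1] 175.137.164.252:62230 to 82.26.200.129:48718
Apr 15 08:41:35 daemon UPNPD[2033]: HTTP Connection closed inexpectedly
"""

# One HackAttack line: timestamp, host, facility, reason in [...], protocol,
# WAN interface in [...], then src:port and dst:port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ kernel: HackAttack: "
    r"\[(?P<reason>[^\]]+)\] (?P<proto>\w+) packet from \[(?P<iface>[^\]]+)\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_hackattack(text):
    """Return one dict per HackAttack line; any other line is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def summarize(events):
    """Per destination port: total hits and number of distinct source IPs.
    Many unrelated sources converging on one port is the pattern to check
    against your port-forwarding rules and LAN services."""
    hits = Counter(ev["dport"] for ev in events)
    sources = defaultdict(set)
    for ev in events:
        sources[ev["dport"]].add(ev["src"])
    return {p: {"hits": hits[p], "sources": len(sources[p])} for p in hits}

if __name__ == "__main__":
    summary = summarize(parse_hackattack(SAMPLE_LOG))
    for port, s in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"dport {port}: {s['hits']} hits from {s['sources']} distinct sources")
```

Feed it the full export from the router's log page instead of SAMPLE_LOG to see which ports dominate over the whole day.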

Looks to me like a device connecting on your network by UPnP trying to communicate out. Do you have UPnP enabled on your router?
 
I would make sure that UPnP is disabled on the WAN interface. For some reason, certain routers have come with it enabled by default on the WAN side, and quite a few of those routers have no way to turn it off. You can read more details here.

You can test for that exploit here.

If UPnP is trying to go from the LAN to the WAN, that is normal. Things like Skype and Xbox use UPnP so you don't have to open ports in your firewall.
 

The outside WAN port is usually an L3 interface; I'm still a little confused as to why it would be on the WAN port in the first place. UPnP should not be on that interface, period. The only thing that would "possibly" help is with double NAT, but even then translations are at NAT, not UPnP.

It does look like that IP address (175.137.164.252) is more so around Malaysia.

My question is: do you have inbound ports forwarded, like remote desktop, 80/443, or any other type of outside-to-inside translation?

The only reason I ask is the people could be doing a port sweep on your IP range and found open ports. Once they find an open host they start to try to infiltrate as much as possible.

And they all try to connect to port 48718. Do you have a service that uses that? It might have been still open and they picked it up in the port scan.
 