Old 02-03-2008, 02:51 AM   #1 (permalink)
Done_Fishin

Attack detected / Firewall triggered

I was checking out my router log today .. and found this

Quote:

Current Log Entries


0000-00-00 00:00:01 E |System |Current Mode: Bridge-Router

0000-00-00 00:00:01 E |CWMP |CWMP agent cannot reach the ACS named http://111.111.111.111:1111/ACS-INTF. Short retry initiated

0000-00-00 00:00:01 E |DSL |Boost DSP

0000-00-00 00:00:01 E |DSL |DataPump Version - 07.00.02.00

0000-00-00 00:00:02 E |DSL |State: WAITING

0000-00-00 00:00:04 E |Ethernet |Link 1 Up - 100Base-TX Full Duplex

0000-00-00 00:00:14 E |DSL |State: INITIALIZING

0000-00-00 00:00:26 E |DSL |HYBRID 1

0000-00-00 00:00:26 E |DSL |Link up 1 US 511 DS 4092 (INTL:ADSL2+)

0000-00-00 00:00:49 E |PPP |LCP neg PAP

0000-00-00 00:00:49 E |PPP |LCP up

0000-00-00 00:00:50 E |PPP |IPCP nak option: 3

0000-00-00 00:00:50 E |PPP |IPCP nak option: 129

0000-00-00 00:00:50 E |PPP |IPCP nak option: 131

0000-00-00 00:00:50 E |PPP |IPCP up ip: 91.140.17.190, gw: 62.169.255.23

0000-00-00 00:00:50 E |PPP |IPCP dns: 62.169.194.17, 62.169.194.18

0000-00-00 00:00:56 E |Attack Detected |TCP packet with only FIN flag set - 81.183.114.73:63706 -> 91.140.17.190:31246 len=40 id=15594

0000-00-00 00:00:56 E |DHCP Server |Address 192.168.254.2 given out to 00:14:85:31:2c:be

0000-00-00 00:00:56 E |DHCP Server |1 Address(es) leased

0000-00-00 00:01:36 E |Firewall |D:19:0 ICMP(11) 62.169.255.23:2816 -> 192.168.254.2:42673 len=56 id=5849 DF=0 MF=0 byte-off=0

0000-00-00 00:01:37 E |Firewall |D:19:0 ICMP(11) 62.169.192.69:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:39 E |Firewall |D:19:0 ICMP(11) 151.5.128.229:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:40 E |Firewall |D:19:0 ICMP(11) 151.6.33.225:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:41 E |Firewall |D:19:0 ICMP(11) 151.6.6.109:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:43 E |Firewall |D:19:0 ICMP(11) 151.6.2.82:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:44 E |Firewall |D:19:0 ICMP(11) 213.200.68.77:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:45 E |Firewall |D:19:0 ICMP(11) 213.200.80.93:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:47 E |Firewall |D:19:0 ICMP(11) 213.200.84.250:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:49 E |Firewall |D:19:0 ICMP(11) 62.169.255.23:2816 -> 192.168.254.2:42673 len=56 id=5981 DF=0 MF=0 byte-off=0

0000-00-00 00:01:51 E |Firewall |D:19:0 ICMP(11) 62.169.192.69:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:52 E |Firewall |D:19:0 ICMP(11) 151.5.128.229:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:54 E |Firewall |D:19:0 ICMP(11) 151.6.33.225:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:55 E |Firewall |D:19:0 ICMP(11) 151.6.6.109:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:57 E |Firewall |D:19:0 ICMP(11) 213.200.68.77:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:01:59 E |Firewall |D:19:0 ICMP(11) 213.200.80.93:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:02:00 E |Firewall |D:19:0 ICMP(11) 213.200.84.250:2816 -> 192.168.254.2:42673 len=56 id=0 DF=0 MF=0 byte-off=0

0000-00-00 00:02:09 E |Attack Detected |TCP packet with only FIN flag set - 81.183.114.73:63706 -> 91.140.17.190:31246 len=40 id=15644

0000-00-00 00:02:20 E |CWMP |CWMP is attempting to connect to the ACS named http://111.111.111.111:1111/ACS-INTF. Retry in 5 seconds

0000-00-00 00:54:12 E |CWMP |CWMP is attempting to connect to the ACS named http://111.111.111.111:1111/ACS-INTF. Retry in 2560 seconds


0000-00-00 01:10:03 E |Firewall |D:19:0 TCP 15.216.76.109:80 -> 192.168.254.1:3916 len=52 id=14470 DF=0 MF=0 byte-off=0

0000-00-00 11:11:45 E |DHCP Server |Address 192.168.254.3 given out to 00:10:dc:66:d4:7a

0000-00-00 11:11:45 E |DHCP Server |2 Address(es) leased

0000-00-00 11:11:47 E |DHCP Server |Address 192.168.254.3 given out to 00:10:dc:66:d4:7a

0000-00-00 11:11:47 E |DHCP Server |2 Address(es) leased

0000-00-00 11:53:24 E |Firewall |D:19:0 TCP 38.99.76.177:80 -> 192.168.254.3:1409 len=40 id=10414 DF=1 MF=0 byte-off=0

0000-00-00 11:53:25 E |Firewall |D:19:0 TCP 38.99.76.177:80 -> 192.168.254.3:1409 len=40 id=10415 DF=1 MF=0 byte-off=0

0000-00-00 11:53:26 E |Firewall |D:19:0 TCP 38.99.76.177:80 -> 192.168.254.3:1409 len=40 id=10416 DF=1 MF=0 byte-off=0

0000-00-00 11:53:28 E |Firewall |D:19:0 TCP 38.99.76.177:80 -> 192.168.254.3:1409 len=40 id=10417 DF=1 MF=0 byte-off=0

0000-00-00 11:53:32 E |Firewall |D:19:0 TCP 38.99.76.177:80 -> 192.168.254.3:1409 len=40 id=10418 DF=1 MF=0 byte-off=0

0000-00-00 11:53:39 E |Firewall |D:19:0 TCP 38.99.76.177:80 -> 192.168.254.3:1409 len=40 id=10419 DF=1 MF=0 byte-off=0



Can anyone shed light on what this is

0000-00-00 00:54:12 E |CWMP |CWMP is attempting to connect to the ACS named http://111.111.111.111:1111/ACS-INTF.

Also this attack .. is it connected to the Firewall alarms from the two different sites?
0000-00-00 00:00:56 E |Attack Detected |TCP packet with only FIN flag set - 81.183.114.73:63706 -> 91.140.17.190:31246 len=40 id=15594

IS there any way to know if anything got through ???
IS there anything that I should be doing to tighten down my security ??

All advice gratefully received ..
Old 02-03-2008, 10:17 AM   #2 (permalink)
johnwill
Re: Attack detected / Firewall triggered

If it got through, it wouldn't be in the log.

This kind of stuff shows up all the time in the logs.
Old 02-03-2008, 12:14 PM   #3 (permalink)
Done_Fishin

Re: Attack detected / Firewall triggered

any idea what http://111.111.111.111:1111/ACS-INTF means .. tried to google it but came up with nothing .. doesn't look like a proper address unless it's in the 127 range or maybe it's IPv6
Old 02-04-2008, 08:52 AM   #4 (permalink)
johnwill
Re: Attack detected / Firewall triggered

I have no idea, looks like a cryptic web address, since it's sitting behind an http://
Old 05-15-2009, 02:03 AM   #5 (permalink)
Re: Attack detected / Firewall triggered

Quote:
Originally Posted by Done_Fishin View Post
I was checking out my router log today .. and found this

Can anyone shed light on what this is

0000-00-00 00:54:12 E |CWMP |CWMP is attempting to connect to the ACS named http://111.111.111.111:1111/ACS-INTF.

Also this attack .. is it connected to the Firewall alarms from the two different sites?
0000-00-00 00:00:56 E |Attack Detected |TCP packet with only FIN flag set - 81.183.114.73:63706 -> 91.140.17.190:31246 len=40 id=15594

IS there any way to know if anything got through ???
IS there anything that I should be doing to tighten down my security ??

All advice gratefully received ..
That is a normal log entry for CWMP aka TR-069 (short for Technical Report 069) aka "CPE WAN Management Protocol" (CPE -- Customer Premise Equipment) and it looks like you may have changed the real IP to all 1's, correct? If not then the ISP set up their Firmware strangely or someone else modified the ACS IP trying to stop it connecting. Either way it is ok.

You can read much more about CWMP at these links below. It is not an attack, and it is harmless as it is your Modem checking in with your ISP trying to connect to a private firmware delivery/basic configuration server owned by the ISP to make sure you have their latest bug fixed/latest feature release Firmware along with the basic connection type info for the DSL's VC (Virtual Circuit) settings. That's basically it in a nutshell. It is becoming the de facto standard for ISPs and other service providers (Cell phones, Wi-Fi devices, Set Top Boxes, and much more) to keep their customers' equipment updated and secured.

http://www.carricksolutions.com/TR-069/

http://en.wikipedia.org/wiki/TR-069
Quote:
TR-069 (short for Technical Report 069) is a DSL Forum (which was later renamed as Broadband Forum) technical specification entitled CPE WAN Management Protocol (CWMP). It defines an application layer protocol for remote management of end-user devices.
http://www.broadband-forum.org/techn...oad/TR-069.pdf

http://www.broadband-forum.org/techn...Amendment2.pdf

You can disable the CWMP agent/process if you like. Details are in the linked article below:

Disabling the CWMP agent from CLI
http://shadow.sentry.org/~trev/adsl4...mp_config.html

As to security, your log just shows packets it didn't like and dropped. Likely it was a late response to a Browser or DNS, or Email request and the NAPT Table entry had expired so the Router was not expecting a response since that port was closed recently by NAT/NAPT table timeout.

Test your Router's security responses by using these two test sites below. Set your Firewall to Off in the Modem/Router, yes Off as that only allows pings on the Router's WAN Interface and does not reduce your true security level (trust me the scan will confirm this and also I've been using and setting up these Speedstreams since late 1999, beta tested firmware for a while when Efficient still owned them before Siemens bought them out and I own 8+ different Models including Business Class versions which I can swap out quickly for testing and configuration issues). Pings are not a real security risk even though one site (GRC.com) wants you to think that they are, but as long as your results show all Green Blocks after running the "All Service Ports Test" that is a solid determination on the status of your Router's first 1056 ports (Green aka Stealth means no response, not even a this port is closed response, just no acknowledgment). Red Blocks are items to be concerned with as those represent a port or ports that when checked, have replied "port number x here and I am open ready to accept connections."

Regards,

Doctor Olds
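To check the late-response explanation in the post above against the log itself, the following added example (not code from any poster or from the router vendor) groups the Firewall and Attack Detected entries by flow and measures the gaps between repeats. The `summarize` function, its field names, the reply heuristic and the reading of the ICMP "port" field as type and code are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: ten lines copied from the router log quoted in this thread.
SAMPLE = """\
0000-00-00 00:00:56 E |Attack Detected |TCP packet with only FIN flag set - 81.183.114.73:63706 -> 91.140.17.190:31246 len=40 id=15594
0000-00-00 00:01:36 E |Firewall |D:19:0 ICMP(11) 62.169.255.23:2816 -> 192.168.254.2:42673 len=56 id=5849 DF=0 MF=0 byte-off=0
0000-00-00 00:01:49 E |Firewall |D:19:0 ICMP(11) 62.169.255.23:2816 -> 192.168.254.2:42673 len=56 id=5981 DF=0 MF=0 byte-off=0
0000-00-00 00:02:09 E |Attack Detected |TCP packet with only FIN flag set - 81.183.114.73:63706 -> 91.140.17.190:31246 len=40 id=15644
0000-00-00 11:53:24 E |Firewall |D:19:0 TCP 38.99.76.177:80 -> 192.168.254.3:1409 len=40 id=10414 DF=1 MF=0 byte-off=0
0000-00-00 11:53:25 E |Firewall |D:19:0 TCP 38.99.76.177:80 -> 192.168.254.3:1409 len=40 id=10415 DF=1 MF=0 byte-off=0
0000-00-00 11:53:26 E |Firewall |D:19:0 TCP 38.99.76.177:80 -> 192.168.254.3:1409 len=40 id=10416 DF=1 MF=0 byte-off=0
0000-00-00 11:53:28 E |Firewall |D:19:0 TCP 38.99.76.177:80 -> 192.168.254.3:1409 len=40 id=10417 DF=1 MF=0 byte-off=0
0000-00-00 11:53:32 E |Firewall |D:19:0 TCP 38.99.76.177:80 -> 192.168.254.3:1409 len=40 id=10418 DF=1 MF=0 byte-off=0
0000-00-00 11:53:39 E |Firewall |D:19:0 TCP 38.99.76.177:80 -> 192.168.254.3:1409 len=40 id=10419 DF=1 MF=0 byte-off=0
"""

FLOW = re.compile(r"(?P<proto>TCP|UDP|ICMP\(\d+\)) .*?"
                  r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def summarize(log_text):
    """Group Firewall / Attack Detected entries by flow and time their repeats."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split("|", 2)          # "<date> <time> E ", module, message
        module = parts[1].strip() if len(parts) == 3 else ""
        m = FLOW.search(parts[2]) if module in ("Firewall", "Attack Detected") else None
        if not m:
            continue
        h, mi, s = map(int, parts[0].split()[1].split(":"))
        key = (m["proto"], f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}")
        seen[key].append((h * 3600 + mi * 60 + s, module))
    report = {}
    for (proto, src, dst), hits in seen.items():
        times = [t for t, _ in hits]
        sport, dport = int(src.rsplit(":", 1)[1]), int(dst.rsplit(":", 1)[1])
        report[(proto, src, dst)] = {
            "module": hits[0][1],
            "count": len(times),
            "gaps": [b - a for a, b in zip(times, times[1:])],
            # Heuristic (assumption): server port -> ephemeral port looks like a late reply.
            "reply_like": proto == "TCP" and sport < 1024 <= dport,
            # Assumption: for ICMP the "source port" field is (type << 8) | code.
            "icmp_type_code": (sport >> 8, sport & 0xFF) if proto.startswith("ICMP") else None,
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, the port-80 flow repeats at gaps of 1, 1, 2, 4 and 7 seconds, the widening pattern of a remote host retransmitting a segment that never gets answered, which fits the expired NAPT entry described above. The ICMP "port" 2816 decodes to type 11, code 0, matching the `ICMP(11)` label the router prints.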
Old 05-15-2009, 11:40 AM   #6 (permalink)
Done_Fishin

Re: Attack detected / Firewall triggered

Many, many thanks for your knowledgeable help which has confirmed my suspicions about some of the points I had raised. I had forgotten all about this topic which I started over a year ago .. but I still use the same router and the update in information is more than welcome.

The all ones address is exactly as I see it, nothing changed or hidden .. It just seems that it's trying to connect but either not allowed or the host not found, which seemed strange .. why bother? Why not cut it out? Unless perhaps it's just there to keep the line up & running. There is a term for it which I forget now .. but I think it was a problem going back into win95/98 days when the line would suddenly stop responding until a patch was introduced

Thanks for those links, I will be investigating very shortly.
All times are GMT -7. The time now is 06:06 AM.



Copyright 2001 - 2009, Tech Support Forum