
Registered · Python development · 267 Posts · Discussion Starter #1
My ISP reached out to me and said that there is a device in my network that is port scanning. They could not provide me any more details other than my public IP and the port that was scanned. They've reached out a couple times with random port numbers, I've seen 2933 and 40473 among the indicated ports. I'm not entirely sure what I should be doing to resolve this issue so I'm reaching out for some assistance / next steps.

I am trying to determine which machine within my network is port scanning. There are multiple computers, phones, TVs, etc. connected to the internet. I have a Netgear Orbi for my router.

I ran Wireshark off my main desktop but that doesn't show enough information for me to really diagnose the entire network. I do see plenty of outgoing traffic but it doesn't show me which process is causing the traffic. I don't know which ports are being scanned and, given that my ISP sent me multiple ports, I'm under the assumption there's some sort of malicious program somewhere that's just scanning everything it can. I also ran netstat to check my traffic but I didn't see anything fishy when I did it. Everything was for a program I was running or a service that something I was using needed.

Any ideas on how I can identify what's going on in my network?
 

Registered · BSOD Analyst Student at Sysnative com · 298 Posts
Wireshark is one of the best diagnostic tools to use for looking at network data.

When you say device, do you mean hardware or software?

You may need to post here and let the Security Team have a look.

See this first please:
 

Registered · Python development · 267 Posts · Discussion Starter #3
I have actually used Wireshark before, I'm just not quite knowledgeable enough with it to detect activity that would be considered port scanning.

When I say device I mean hardware. All I know is there appears to be traffic originating from my network that my ISP thinks is port scanning. That's most likely malware on a machine on the network (a desktop/laptop) doing something malicious (I have a hard time believing this is coming from a TV or something).

Yeah, I may need to go post there and see what they find.
 

Moderator, Windows Tech Team, Hardware Tech T · Operating Systems || Hardware || Most Tech Stuff · 3,152 Posts
With Wireshark you can document only traffic that is going in and out of that particular device. The best way to do this is to attach a router in between all the devices and then monitor the router logs. This is a little tough, but it is the best way to identify which device is causing this.

Otherwise, a trial-and-error method: keep switching off each device and then have the ISP validate it. This is a simpler but longer approach.
 

Registered · BSOD Analyst Student at Sysnative com · 298 Posts
Computers scan for ports all the time, 24 hours a day. That being said, whatever they are picking up has either a high scan volume or certain known vulnerable ports.

That would be one thing to look for: a high volume of scanning. You might check your router logs as well. It will more than likely show those scans as blocked, hopefully.

Regarding Wireshark, it would need to be run on each machine.
 

Registered · Python development · 267 Posts · Discussion Starter #6
I have a Netgear Orbi and the router logs are pretty awful. I haven't really been able to find anything particularly useful looking through them. It only shows me two days' worth of logs and nothing that seems to be outgoing problems from my network. I see things like SYNACK Scan, RST Scan, ACK Scan, etc. from outside IPs, but it's not like my router logs are telling me "prevented port scan originating from host network" or something like that.

I assume that what they saw were large amounts of scans, either scanning the same port across a large number of IPs or scanning a large number of ports across the same IP. I would think scanning the same port on the same IP many times wouldn't be useful. Looking at two emails I see 10 days between port scans, and again no destination IPs were disclosed and just a single port each time. I don't even know if it's consistent because they refused to share enough logs with me to assist. The ISP also won't be able to validate if I were to disable devices temporarily, and I would have to disable devices for weeks at a time. When I reached out to their customer support they couldn't provide anything related to validating whether I had resolved the issue or not. They simply said if I continued to do it they would take action against my account, and that it would be an automated system determining that I had done something wrong.

I could run Wireshark on each machine I think might be problematic. I obviously can't run it on a TV or other similar devices. What am I even expecting to find, something sending out large amounts of UDP packets across a wide swath of IPs or ports?
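The two things the thread is circling around, "a high volume of scanning" from the reply above and the question of whether to look for one host spraying many IPs or many ports, can be turned into a concrete check on a capture. The script below is an added example written for this thread, not something any poster provided: it reads a CSV produced by `tshark -r capture.pcap -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto -e udp.dstport -e tcp.dstport`, keeps only packets leaving the LAN (RFC 1918 source, non-LAN destination), and, per source host and per fixed 60-second window, counts how many distinct ports were touched on one destination (vertical scan) and how many distinct destinations were touched on one port (horizontal scan). Thresholds, the window length, the host addresses and the sample rows are all constructed assumptions; the port numbers 40473 and the 2900-2960 range only echo the values the ISP reported in this thread. If you run it on a real export from a capture taken at the router or on a mirrored port, replace `build_sample_capture()` with the file contents.

```python
"""Flag LAN hosts whose outbound traffic has scan-like fan-out.

Input format (one packet per row) matches:
  tshark -r capture.pcap -T fields -E separator=, \
      -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto -e udp.dstport -e tcp.dstport
Columns: epoch, src, dst, proto (17 = UDP, 6 = TCP), udp dst port, tcp dst port.
"""
import csv
import io
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 60   # fixed window size (assumption; a sliding window is a refinement)
PORT_FANOUT = 50      # distinct dst ports on ONE host per window -> vertical scan (assumption)
HOST_FANOUT = 50      # distinct dst hosts on ONE port per window -> horizontal scan (assumption)

# Home-network ranges (RFC 1918). Python's ip.is_private also covers TEST-NET
# ranges used in the sample data, so membership is checked explicitly instead.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    """True if ip belongs to one of the RFC 1918 ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def parse_tshark_csv(text):
    """Turn the tshark field export into (epoch, src, dst, proto, dport) tuples.
    Rows without an IP layer or without a UDP/TCP destination port are skipped."""
    flows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 6 or not rec[1] or not rec[2]:
            continue
        proto = {"17": "udp", "6": "tcp"}.get(rec[3])
        port = rec[4] if proto == "udp" else rec[5]
        if proto is None or not port:
            continue
        flows.append((float(rec[0]), rec[1], rec[2], proto, int(port)))
    return flows


def detect_scanners(flows, window=WINDOW_SECONDS, port_fanout=PORT_FANOUT, host_fanout=HOST_FANOUT):
    """Group outbound packets (LAN source, non-LAN destination) per source host and
    time window, then report fan-out that ordinary client traffic does not reach."""
    ports_by_dst = defaultdict(set)   # (src, win, dst) -> {(proto, port)}
    dsts_by_port = defaultdict(set)   # (src, win, proto, port) -> {dst}
    for ts, src, dst, proto, port in flows:
        if not is_lan(src) or is_lan(dst):
            continue                   # inbound or LAN-internal traffic is not the ISP's complaint
        win = int(ts // window)
        ports_by_dst[(src, win, dst)].add((proto, port))
        dsts_by_port[(src, win, proto, port)].add(dst)

    findings = []
    for (src, win, dst), ports in ports_by_dst.items():
        if len(ports) >= port_fanout:
            findings.append({"kind": "vertical", "src": src, "target": dst,
                             "count": len(ports), "window": win})
    for (src, win, proto, port), dsts in dsts_by_port.items():
        if len(dsts) >= host_fanout:
            findings.append({"kind": "horizontal", "src": src, "target": f"{proto}/{port}",
                             "count": len(dsts), "window": win})
    return sorted(findings, key=lambda f: (f["src"], f["kind"]))


def build_sample_capture():
    """Constructed sample rows (not a real capture): one normal client, one noisy host."""
    rows = []
    base = 1_700_000_000.0
    for i in range(20):   # normal desktop: DNS to the router, HTTPS to a few external hosts
        rows.append(f"{base + i},192.168.1.20,192.168.1.1,17,53,")
        rows.append(f"{base + i + 0.5},192.168.1.20,203.0.113.{200 + i % 4},6,,443")
    for i in range(80):   # suspect host: one UDP port sprayed across 80 external hosts
        rows.append(f"{base + 5 + i * 0.1},192.168.1.57,203.0.113.{i},17,40473,")
    for p in range(2900, 2960):   # same host: 60 UDP ports probed on a single external host
        rows.append(f"{base + 20 + (p - 2900) * 0.1},192.168.1.57,198.51.100.7,17,{p},")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    for f in detect_scanners(parse_tshark_csv(build_sample_capture())):
        print(f"{f['kind']:10} {f['src']} -> {f['target']} ({f['count']} distinct)")
```

On the constructed data the normal desktop produces no finding (a handful of HTTPS destinations on one port and DNS that never leaves the LAN), while 192.168.1.57 is reported twice: once for udp/40473 across 80 destinations and once for 60 ports on 198.51.100.7. Because it keys on the LAN source address, the output already names the device to go and inspect, which is the piece a single-host Wireshark view or the Orbi log cannot give.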
 

Moderator, Windows Tech Team, Hardware Tech T · Operating Systems || Hardware || Most Tech Stuff · 3,152 Posts
They usually wouldn't share info, because in this case, their assumption is that 'You' are the person doing this :S. If you can't get the router logs, then block the port that is being used to run this scan on your router. Just to have all bases covered, if you have done any nmap or port query scans or use some pen testing tools, now is a good time to come clean and fix it. (General disclaimer)

If the ISP is pushing this, I'd think they're worried more about TCP half scans rather than UDP. Check your laptops/PCs/Android devices/TV for any network/packet sniffer or port scanner; if you find one, disable it. Also check your router to see if there are any unidentified WiFi devices.
 

Registered · Python development · 267 Posts · Discussion Starter #8
The port has changed each time my ISP has reached out to me, so it's hard for me to block all the ports. I did already block some, but I may take more drastic measures and block huge swaths of ports, then open them up as things aren't working. I also may take a look and see if anything is doing node discovery or something like that, because that might cause a wide array of port scanning.

Also, I definitely haven't been doing any actual port scanning activity. I used nmap/netstat on my own network during debugging just to see what was up but absolutely not on other networks. If I was doing that I definitely wouldn't be here asking about it, I'd know how to stop it.

The information from my ISP that I do have points to the scans all being on UDP. I also already took a look at devices on the network, blocked everything and identified things one by one then opened them up. A lot of devices have terrible names.

I've done a few things so we'll see if my ISP still has concerns about it or not.
 

Moderator, Windows Tech Team, Hardware Tech T · Operating Systems || Hardware || Most Tech Stuff · 3,152 Posts
Ok, can you download any network monitoring tool (something which does topology mapping with network discovery) and then see if you can get traffic details from it?

Most are paid apps, so you might have to go with the trial version, but it's worth a shot. Or use your router as the middle man and trap all the logs, then run them through Splunk or Kibana and see if you are able to analyze the offending port, IP and MAC.
 

Registered · 9 Posts
Sorry, it has been a while since I have played with this stuff. One thing I recall is... when you are running the network monitoring software, you need to put your network adapter into promiscuous mode so it will receive any and all traffic on the network, not just the traffic intended for your adapter. This is needed for both wired and wireless adapters. Otherwise the monitoring software will only see traffic bound for your machine. One thing that may get in the way of viewing all traffic is a network switch. Wireshark is a good tool. I recall running it from a live disk, also from a virtual machine with VirtualBox. IIRC VB gave me the ability to define network adapters that could be used in promiscuous mode.

Draw a map of your network, wired and wireless. Identify the devices. It may be easier to concentrate on / monitor one device at a time rather than look at the complete data stream. There is a LOT of stuff that goes on in the background that you don't realize is happening.

Good luck!
 