August 15th, 2003, 05:10 PM
I was just going through my router's incoming access list and noticed a whole bunch of different IPs attempting to access port 13139. There's probably about 50 of these right in a row, but from about 12 different IPs. Of course my router's been dropping these incoming IPs, but it's kinda got me curious.
Has anyone else been receiving anything like this?
Maybe it's some script kiddie checking to see if I have a trojan.
One more thing.
I usually receive no alerts from my firewall since I'm behind a router, but the past couple hours I keep getting port scanned. I didn't think you could really do it since I'm on a LAN and my router is the one exposed to the net. I've gone to websites where they portscan me but my firewall doesn't bring up any warnings, because they're portscanning my router, but how is it that my actual computer is being scanned from outside my LAN? When I check my logs it says that at least 11 ports have been scanned.
August 15th, 2003, 05:19 PM
August 15th, 2003, 05:22 PM
Looks like it's a game port...
August 16th, 2003, 01:51 AM
Ahhh. That explains it.
I've been playing Battlefield 1942 a lot and I go through GameSpy to connect. Thank you for clearing that up.
Now for my second question.
How is it that my computer is being portscanned when I'm behind a router?
I didn't think you could do it.
August 16th, 2003, 02:07 AM
When you say you're behind a router, do you mean your PC is assigned an RFC1918 address (private address) and your router is performing a PAT (port address translation)? Because it matters a lot...
If you are not using an RFC 1918 address, you can be behind 100 routers, and you'll still be scanned.
However, if you are using a private IP, I agree with you. THAT IS PRETTY STRANGE...
Forgot to add something else: if your connection is a wireless one, someone might have compromised your network using tools such as NetStumbler (wardriving).
August 16th, 2003, 02:38 AM
I don't know a whole lot about my router, but it is a NAT router. My router has an IP of 66.xxx.xx.xxx and my PC is 192.168.1.100. The thing is, when I go to websites to scan myself, it says that they can't scan me because it seems I'm behind a router, which I am.
My connection is via landline. DSL. So I'm not a victim of wardriving.
August 16th, 2003, 03:59 AM
If your router is doing NAT versus PAT you can also be port scanned.
The difference is this:
With NAT (network address translation) your router is doing a one-to-one static translation versus a dynamic one. What that means is any scans, requests, etc. to your public 66.x.x.x address will automatically be forwarded to your PC. The router has no way to know a scan from a hack or just an innocent request to what may be your web server on the inside (this is of course assuming your router is not set up with some filtering).
Basically with NAT, the router does a static one-to-one translation, which means connections CAN BE INITIATED FROM THE OUTSIDE (which also means no one else on your inside LAN other than one and only one PC can share that 66.x.x.x public address).
PAT on the other hand occurs ONLY when connections are initiated from the inside. Dynamically the router will do a translation along with a random port number to the 66.x.x.x address. This has the advantage of allowing many PCs on the inside to share the public address.
The only drawback to PAT is that connections cannot be initiated from the outside (which is what you want for security purposes unless you require connections be initiated from outside to your LAN).
Also, once a session is over, PAT terminates the translation. That is why if your router is doing a PAT, there is NO way anyone can scan your 192.168.x.x address. This is an RFC address and is not routable on all BGP4 Internet routers...
Hope this helps
The fact that you couldn't scan yourself from a web site validates that most likely your router is doing a PAT, which makes it very strange that you're receiving those alarms... Are there any other devices/PCs on the same LAN? I would put a protocol analyzer, if you could, on the inside and outside of your DSL router and do a capture for more detailed analysis.
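The two translation modes described in the post above, as a toy model (an added example, not part of the original thread). The class names, `PUBLIC_IP`, the scanner address and the port numbers are constructed for illustration; the model ignores the remote endpoint, which real routers match with varying strictness.

```python
import ipaddress

PUBLIC_IP = "203.0.113.10"   # constructed stand-in for the router's 66.x.x.x address

class StaticNat:
    """One-to-one translation: the public address always maps to one inside host."""
    def __init__(self, inside_ip):
        self.inside_ip = inside_ip

    def inbound(self, src, dst_port):
        # No session state: every packet to the public address is forwarded.
        return (self.inside_ip, dst_port)

class Pat:
    """Port address translation: mappings exist only for sessions started inside."""
    def __init__(self):
        self.table = {}          # public port -> (inside ip, inside port)
        self.next_port = 40000   # sequential here; real devices choose differently

    def outbound(self, inside_ip, inside_port):
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (inside_ip, inside_port)
        return (PUBLIC_IP, public_port)

    def close(self, public_port):
        self.table.pop(public_port, None)   # session over, translation removed

    def inbound(self, src, dst_port):
        # Unsolicited traffic has no table entry, so it is dropped (None).
        return self.table.get(dst_port)

def scan(router, ports, src="198.51.100.7"):
    """Return the probed ports whose packets reach an inside host."""
    return [p for p in ports if router.inbound(src, p) is not None]

def is_rfc1918(addr):
    """True if addr is in one of the three RFC 1918 private ranges."""
    nets = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)

if __name__ == "__main__":
    ports = [21, 80, 13139]
    print("static NAT reaches inside on:", scan(StaticNat("192.168.1.100"), ports))
    print("PAT reaches inside on:", scan(Pat(), ports))
```
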
August 16th, 2003, 04:36 AM
From what you said there, it sounds like my router is PAT. Mainly because I am sharing one internet connection with up to three computers (big network, huh?). Also, no matter what kind of scans I do myself against my network, I cannot see any of my computers, only the public IP address which is assigned to my router.
I have network monitor inside my LAN monitoring my connections, but when you say on the outside of my DSL router, what do you mean?
Thanks for your help.
August 16th, 2003, 06:48 AM
I thought maybe you had what Telco calls a DSL modem (which is really a bridge) connected to a router that you may have purchased. I thought your setup was similar to the following:
and what I meant was putting a sniffer between the router and DSL modem...
Also, just out of curiosity, when your firewall was reporting port scans, did it specify the source IP? Was it a public or private address?
August 16th, 2003, 02:59 PM
The port scan came from a public IP address.
My network IP begins with 192.x.x.x. The IP from which I was scanned was 207.x.x.x.
As far as my setup, you pretty much have it right. The only things connected to my DSL modem are the phone line and a Cat 5 cable running to my WAN port on the router.
Can you recommend any good sniffers?