Dear All,
I'm a long-time user of Shorewall and haven't touched my Shorewall
configuration for quite a while.
My configuration is a BT Homehub 5 as my ISP access point connected to my
shorewall firewall box on eth1 (192.168.1.1). My home network is connected
to the firewall on eth0 (192.168.0.1).
I've become interested in Shorewall again because I have a logwatch task
that emails me a list of the dropped connections reported in the 'messages'
log. At the beginning there were a few hundred of these per day; recently
there have been a few thousand; but for the last three days there have been
tens of thousands, mostly attempting to connect to port 37970.
Here's a very small sample:
From 1.11.238.26 - 1 packet to udp(37970)
From 1.23.252.46 - 1 packet to udp(37970)
From 1.55.167.27 - 3 packets to tcp(8291,8728)
From 1.158.96.85 - 1 packet to udp(37970)
From 1.163.194.207 - 1 packet to udp(37970)
From 1.207.85.163 - 1 packet to udp(37970)
From 1.228.235.29 - 5 packets to udp(37970)
From 1.246.222.76 - 1 packet to udp(5353)
From 1.249.199.230 - 6 packets to udp(37970)
From 2.35.226.154 - 1 packet to udp(37970)
From 2.50.52.38 - 1 packet to udp(37970)
From 2.58.99.205 - 1 packet to udp(37970)
From 2.60.201.203 - 1 packet to udp(37970)
From 2.95.4.109 - 1 packet to udp(37970)
From 2.132.20.151 - 1 packet to udp(37970)
From 2.132.29.40 - 1 packet to udp(37970)
From 2.132.39.170 - 1 packet to udp(37970)
From 2.132.63.178 - 1 packet to udp(37970)
From 2.132.81.38 - 1 packet to udp(37970)
From 2.132.89.183 - 1 packet to udp(37970)
From 2.132.189.130 - 1 packet to udp(37970)
From 2.132.191.191 - 1 packet to udp(37970)
From 2.133.167.63 - 1 packet to udp(37970)
From 2.135.152.127 - 3 packets to udp(37970)
From 2.154.33.106 - 1 packet to udp(37970)
From 2.224.243.201 - 1 packet to udp(37970)
From 2.238.158.20 - 3 packets to udp(37970)
From 5.3.254.40 - 1 packet to udp(37970)
From 5.18.96.152 - 2 packets to udp(37970)
From 5.18.98.148 - 1 packet to udp(37970)
From 5.18.159.154 - 2 packets to udp(37970)
From 5.18.200.31 - 1 packet to udp(37970)
From 5.18.205.206 - 2 packets to udp(37970)
From 5.18.206.8 - 1 packet to udp(37970)
From 5.18.206.224 - 1 packet to udp(37970)
From 5.18.207.197 - 1 packet to udp(37970)
From 5.18.243.61 - 2 packets to udp(37970)
From 5.32.144.28 - 1 packet to udp(37970)
From 5.59.6.87 - 1 packet to udp(37970)
From 5.59.146.111 - 1 packet to udp(37970)
From 5.59.147.205 - 1 packet to udp(37970)
From 5.59.149.102 - 1 packet to udp(37970)
From 5.67.214.163 - 1 packet to udp(37970)
From 5.68.253.119 - 1 packet to udp(37970)
From 5.77.27.80 - 1 packet to udp(37970)
From 5.101.48.17 - 1 packet to tcp(4145)
From 5.129.197.88 - 1 packet to udp(37970)
From 5.129.219.237 - 3 packets to udp(37970)
From 5.136.98.65 - 1 packet to udp(37970)
From 5.137.51.1 - 1 packet to udp(37970)
From 5.138.141.203 - 2 packets to udp(37970)
From 5.140.41.44 - 1 packet to udp(37970)
From 5.140.48.210 - 1 packet to udp(37970)
From 5.142.42.139 - 1 packet to udp(37970)
From 5.142.44.66 - 1 packet to udp(37970)
From 5.142.193.187 - 1 packet to udp(37970)
From 5.143.188.239 - 1 packet to udp(37970)
From 5.143.194.171 - 2 packets to udp(37970)
From 5.153.138.226 - 1 packet to udp(37970)
From 5.158.237.163 - 1 packet to udp(37970)
From 5.164.145.50 - 1 packet to udp(37970)
<snipped out similar from pretty much every single subnet range>
From 217.77.212.175 - 1 packet to udp(37970)
From 217.107.106.164 - 2 packets to udp(37970)
From 217.107.115.154 - 1 packet to udp(37970)
From 217.107.124.64 - 1 packet to udp(37970)
From 217.112.59.244 - 1 packet to udp(37970)
From 217.113.252.40 - 1 packet to udp(37970)
From 217.114.234.23 - 1 packet to udp(37970)
From 217.114.236.85 - 1 packet to udp(37970)
From 217.118.81.23 - 1 packet to udp(37970)
From 217.118.81.238 - 2 packets to udp(37970)
From 217.149.180.78 - 1 packet to udp(37970)
From 217.150.73.168 - 1 packet to udp(37970)
From 217.159.171.202 - 1 packet to udp(37970)
From 217.250.170.80 - 1 packet to udp(37970)
From 218.4.179.246 - 2 packets to tcp(7001)
From 218.89.55.163 - 1 packet to tcp(59)
From 218.173.146.249 - 2 packets to udp(37970)
From 218.211.168.178 - 1 packet to tcp(443)
From 219.79.69.210 - 1 packet to udp(37970)
From 219.153.31.186 - 1 packet to tcp(6380)
From 220.73.255.76 - 1 packet to tcp(2323)
From 220.76.41.200 - 1 packet to udp(37970)
From 220.116.149.125 - 1 packet to udp(37970)
From 220.121.97.43 - 5 packets to tcp(2289,3344,54321,60000,63390)
From 220.132.67.32 - 1 packet to tcp(88)
From 220.143.85.216 - 1 packet to tcp(4567)
From 220.184.254.9 - 1 packet to udp(37970)
From 221.139.203.175 - 2 packets to udp(37970)
From 221.150.38.118 - 1 packet to tcp(85)
From 221.188.91.131 - 6 packets to udp(37970)
From 221.190.124.130 - 1 packet to tcp(5500)
From 222.107.7.34 - 19 packets to udp(37970)
I have two questions:
1. What's going on here and should I be worried?
2. Why is shorewall correctly blocking these packets but my BT Homehub
is not? The Homehub firewall is enabled and set to drop all
unsolicited incoming traffic.
Thanks in advance and a Happy 2020 to you all.
D
Dec 29 11:06:28 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=5.251.248.53 DST=192.168.1.1 LEN=317 TOS=0x00 PREC=0x00 TTL=116 ID=5815 PROTO=UDP SPT=42620 DPT=37970 LEN=297
Dec 29 11:06:32 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=5.251.248.53 DST=192.168.1.1 LEN=131 TOS=0x00 PREC=0x00 TTL=116 ID=5816 PROTO=UDP SPT=42620 DPT=37970 LEN=111
Dec 29 11:07:19 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=51.159.1.46 DST=192.168.1.1 LEN=141 TOS=0x00 PREC=0x00 TTL=52 ID=18968 DF PROTO=UDP SPT=51339 DPT=37970 LEN=121
Dec 29 11:07:20 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=5.251.248.53 DST=192.168.1.1 LEN=317 TOS=0x00 PREC=0x00 TTL=116 ID=5817 PROTO=UDP SPT=42620 DPT=37970 LEN=297
Dec 29 11:08:24 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=85.104.49.250 DST=192.168.1.1 LEN=132 TOS=0x00 PREC=0x00 TTL=50 ID=40702 PROTO=UDP SPT=28563 DPT=37970 LEN=112
Dec 29 11:08:27 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=193.160.224.177 DST=192.168.1.1 LEN=171 TOS=0x00 PREC=0x00 TTL=111 ID=2357 PROTO=UDP SPT=61317 DPT=37970 LEN=151
Dec 29 11:08:28 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=173.212.205.73 DST=192.168.1.1 LEN=125 TOS=0x00 PREC=0x00 TTL=52 ID=50092 DF PROTO=UDP SPT=51493 DPT=37970 LEN=105
Dec 29 11:08:28 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=46.0.49.86 DST=192.168.1.1 LEN=143 TOS=0x10 PREC=0x00 TTL=117 ID=3553 PROTO=UDP SPT=6884 DPT=37970 LEN=123
Dec 29 11:08:28 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=176.36.64.211 DST=192.168.1.1 LEN=171 TOS=0x00 PREC=0x00 TTL=116 ID=10002 PROTO=UDP SPT=49001 DPT=37970 LEN=151
D
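As an added example (not part of the original post, and not code from Shorewall or logwatch), here is a short Python script that turns kernel log lines of the kind pasted above into the logwatch-style "From SRC - N packets to proto(port)" report, plus two triage figures a defender would want when triaging this kind of noise: how many distinct sources hit each destination port, and which DST addresses the dropped packets were addressed to. It also rejoins entries that a mail client wrapped over several lines, which is how the lines above arrived. The sample entries are copied from the post; the function names `join_wrapped`, `parse_entry`, `summarise`, `report_lines` and `analyse` are names chosen here.

```python
"""Summarise Shorewall DROP log lines (added example, not from the original post)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: entries copied from the post. Two of them are left
# wrapped across lines, as the mail client pasted them, to exercise join_wrapped.
SAMPLE_LOG = """\
Dec 29 11:06:28 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=5.251.248.53 DST=192.168.1.1 LEN=317 TOS=0x00 PREC=0x00 TTL=116 ID=5815 PROTO=UDP SPT=42620 DPT=37970 LEN=297
Dec 29 11:06:32 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=5.251.248.53 DST=192.168.1.1 LEN=131 TOS=0x00 PREC=0x00 TTL=116 ID=5816 PROTO=UDP SPT=42620 DPT=37970 LEN=111
Dec 29 11:07:19 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT=
MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=51.159.1.46 DST=192.168.1.1
LEN=141 TOS=0x00 PREC=0x00 TTL=52 ID=18968 DF PROTO=UDP SPT=51339 DPT=37970
LEN=121
Dec 29 11:07:20 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=5.251.248.53 DST=192.168.1.1 LEN=317 TOS=0x00 PREC=0x00 TTL=116 ID=5817 PROTO=UDP SPT=42620 DPT=37970 LEN=297
Dec 29 11:08:24 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=85.104.49.250 DST=192.168.1.1 LEN=132 TOS=0x00 PREC=0x00 TTL=50 ID=40702 PROTO=UDP SPT=28563 DPT=37970 LEN=112
Dec 29 11:08:27 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT=
MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=193.160.224.177
DST=192.168.1.1 LEN=171 TOS=0x00 PREC=0x00 TTL=111 ID=2357 PROTO=UDP SPT=61317
DPT=37970 LEN=151
Dec 29 11:08:28 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=173.212.205.73 DST=192.168.1.1 LEN=125 TOS=0x00 PREC=0x00 TTL=52 ID=50092 DF PROTO=UDP SPT=51493 DPT=37970 LEN=105
Dec 29 11:08:28 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=46.0.49.86 DST=192.168.1.1 LEN=143 TOS=0x10 PREC=0x00 TTL=117 ID=3553 PROTO=UDP SPT=6884 DPT=37970 LEN=123
Dec 29 11:08:28 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=176.36.64.211 DST=192.168.1.1 LEN=171 TOS=0x00 PREC=0x00 TTL=116 ID=10002 PROTO=UDP SPT=49001 DPT=37970 LEN=151
"""

ENTRY_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")  # syslog timestamp
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):")  # e.g. net2fw / DROP
FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; bare flags like DF are ignored


def join_wrapped(text):
    """Rejoin entries that were wrapped onto continuation lines by a mail client."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries


def parse_entry(entry):
    """Parse one netfilter/Shorewall entry into a dict; None for other lines."""
    m = PREFIX.search(entry)
    if not m:
        return None
    rec = {"timestamp": entry[:15], "chain": m.group("chain"), "action": m.group("action")}
    lens = []  # netfilter logs LEN twice: IP total length first, then the L4 length
    for key, value in FIELD.findall(entry[m.end():]):
        if key == "LEN":
            lens.append(int(value))
        else:
            rec[key] = value
    rec["ip_len"] = lens[0] if lens else None
    rec["l4_len"] = lens[1] if len(lens) > 1 else None
    return rec


def _ip_key(addr):
    a = ipaddress.ip_address(addr)
    return (a.version, int(a))


def summarise(entries, action="DROP"):
    packets = Counter()                              # src -> packets
    ports = defaultdict(lambda: defaultdict(set))    # src -> proto -> {dpt}
    sources_per_port = defaultdict(set)              # (proto, dpt) -> {src}
    dsts = Counter()                                 # DST -> packets
    for entry in entries:
        rec = parse_entry(entry)
        if rec is None or rec["action"] != action or "SRC" not in rec:
            continue
        src, proto = rec["SRC"], rec.get("PROTO", "?").lower()
        packets[src] += 1
        dsts[rec.get("DST", "?")] += 1
        if "DPT" in rec:                             # ICMP entries carry no DPT
            dpt = int(rec["DPT"])
            ports[src][proto].add(dpt)
            sources_per_port[(proto, dpt)].add(src)
    return packets, ports, sources_per_port, dsts


def report_lines(packets, ports):
    """The logwatch-style lines, e.g. 'From 5.251.248.53 - 3 packets to udp(37970)'."""
    lines = []
    for src in sorted(packets, key=_ip_key):
        n = packets[src]
        targets = ", ".join(
            f"{proto}({','.join(str(p) for p in sorted(plist))})"
            for proto, plist in sorted(ports[src].items())) or "(no port)"
        lines.append(f"From {src} - {n} packet{'s' if n != 1 else ''} to {targets}")
    return lines


def analyse(text):
    packets, ports, sources_per_port, dsts = summarise(join_wrapped(text))
    return {
        "total": sum(packets.values()),
        "report": report_lines(packets, ports),
        # many distinct sources all aimed at one port is the pattern the post describes
        "sources_per_port": {f"{p}({d})": len(s) for (p, d), s in sources_per_port.items()},
        "dst_counts": dict(dsts),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("\n".join(result["report"]))
    print("distinct sources per port:", result["sources_per_port"])
    print("destination addresses:", result["dst_counts"])
```

Run it against a full day's `messages` extract rather than the sample to get the same per-source lines logwatch produces, with the port and destination counts alongside. The `dst_counts` figure is the one relevant to the second question: the post gives 192.168.1.1 as the firewall's eth1 address, so it shows directly whether the dropped packets are addressed to the firewall's own Homehub-facing address.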
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users