How am I receiving traffic for a different IP?

I’m looking into some of my router’s logs, interested in the odd spikes above the background drone of getting port scanned, and noticed that during about 500 port scans in about two minutes against my public IP, there is just one case where the dest_ip is not my public IP but an address in an RFC1918 16-bit address space that is not found in my NAT.

I’m wondering how this is possible. How is a 192.168.5.255 destination IP (UDP 138 at that) being routed to me? Is it a typical little BGP hiccup? Or am I on the receiving end of a broadcast?

Anything with a .255 is a broadcast address. So it looks like someone is trying to search for a hard-coded networking device. This is just a guess though. It’s possible it could be trying to exploit your modem if it is more than just a modem.

2 Likes

It’s a pfSense router behind a coaxial modem (I forget what brand). When I saw the IP I came to ask this question but forgot to ask a second question: whether anyone knew of some good sites that keep up with scanning trends. The ports I’m getting scanned on are odd ports IMO; the ones getting the most hits are 33434, 33435, 33436, 33437, 33438, 33439, 33440, 33441, 33442, then some others at much lower frequency.

Chances are this is just broadcast traffic from the modem

1 Like
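
The check this question comes down to, as an added example that is not part of any post in the thread: flag logged packets whose destination is not the WAN address and say what kind of address it is. The log lines, the WAN address 203.0.113.10, the LAN 192.168.1.0/24 and the /24 netmask used for the broadcast test are constructed assumptions; only 192.168.5.255 and UDP 138 come from the thread.

```python
import ipaddress

# Constructed sample records (src,dst,proto,dport); not the poster's real logs.
SAMPLE_LOG = """\
198.51.100.7,203.0.113.10,udp,33434
198.51.100.7,203.0.113.10,udp,33435
192.168.5.1,192.168.5.255,udp,138
198.51.100.9,203.0.113.10,tcp,443
"""
WAN_IP = ipaddress.ip_address("203.0.113.10")           # assumed public address
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # assumed LAN behind NAT
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(dst, proto, dport, prefix=24):
    """Tag a destination that is not the WAN address; [] means expected."""
    if dst == WAN_IP:
        return []
    tags = ["not-wan-ip"]
    if any(dst in net for net in RFC1918):
        tags.append("rfc1918")
        if not any(dst in net for net in LOCAL_NETS):
            tags.append("not-a-local-net")
    # .255 is a broadcast address only for some netmasks; the sender's mask
    # is unknown, so the prefix here is an assumption.
    net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
    if dst == net.broadcast_address:
        tags.append(f"broadcast-if-/{prefix}")
    if proto == "udp" and dport == 138:
        tags.append("netbios-datagram")  # UDP 138 is the NetBIOS datagram service
    return tags


def flag_unexpected(log_text):
    """Return (src, dst, proto, dport, tags) for every record not aimed at WAN_IP."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.strip().split(",")
        tags = classify(ipaddress.ip_address(dst), proto, int(dport))
        if tags:
            findings.append((src, dst, proto, int(dport), tags))
    return findings


if __name__ == "__main__":
    for finding in flag_unexpected(SAMPLE_LOG):
        print(finding)
```
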

So shortly after posting this my ISP service went down; it was a regional down-age. The logs show only about 20 minutes of being down and then the background noise of traffic starts up again. At 5:30 I get a huge spike of successful connections, mostly from the Netherlands, all to my WordPress server. I usually do not see spikes like that.

Anyhow, peeps, if you’re running a pfSense build, you have great logs to look at, especially if you’re hosting a service. IMO spin up a Splunk server with a free license, send your syslog to it (and Snort), and check out the Home Monitor app or the pfSense app by A3Sec.

@Dexter_Kane I’m still not getting my DMZ interface Snort logs in, and there’s no reply to a pfSense forum post (maybe it wasn’t detailed enough). That’s the next thing; I really want to get in tune with the various rules and how to tune them.

I still think that’s a bug, or a configuration error, and not a firewall rule issue. I’ve never posted on the pfSense forums but I’ve not heard good things either.