Occasional attacks on Wireless AP

SpriteMidr

Active Member
Random question:

Is it normal to get occasional attacks detected on a home access point's firewall?

I very occasionally see logs of potential DOS and XMAS attacks. I have seen these appear for well over a year or so. Our IP is dynamically set by the ISP anyway, so it can't be potential... is this normal activity, or something to worry about?

upload_2016-4-30_20-22-52.png
 

beers

Moderator
Staff member
If it's just one packet then the NAT state likely expired or dropped for whatever reason. A lot of those log TCP session states that aren't correlated with active sessions.
 

SpriteMidr

Active Member
If it's just one packet then the NAT state likely expired or dropped for whatever reason. A lot of those log TCP session states that aren't correlated with active sessions.
I thought as much. I just wanted to make sure all the same. I am eventually gonna set an SSH server up to access from uni, so I wanted to make sure. It will use public/private key auth anyway, but still.

Cheers for the quick reply!
 

SpriteMidr

Active Member
Another related question I keep meaning to ask.

On Windows 10, I occasionally get some odd devices show up. They are often called full-ford (amazon) or Zeta (blackview). They have MAC addresses but no IP address. The router doesn't show them up and I can't access them or ping them. They show up on every Windows 10 machine I have, and I have no devices connected that are of this identification. Furthermore, I have changed the router SSID, password and added access control to a whitelist of machine MACs (not the odd ones), but they still show up...
upload_2016-5-9_17-18-1.png
This is really weird, and I can't find out much about it. I am guessing that it is just a Windows 10 "thing", as it never occurs on any other machine.

<edit>
Like, I just rebooted the router, and it disappeared. It is really weird. If there were an IP address I would be panicking but it seems to be a false thing being detected.

<edit again>

Like, now, I have full_ford by Amazon showing up instead.
upload_2016-5-9_17-28-49.png
Like, seriously, this is very odd.

<another edit>
It seems other people have the issue too. Turning WPS off seems to fix it, kicks them straight away. Seems to be something like other devices nearby looking for open APs or something, I don't know.

<final edit>
Actually, seems I still have the issue. I have tracked it down to something called WCN - Wireless Connect-Now (or wtte). It seems it is to do with peer-to-peer device discovery (like WiFi-Direct). Probably the neighbours' devices being detected as existing.
 

Geoff

VIP Member
It seems other people have the issue too. Turning WPS off seems to fix it, kicks them straight away. Seems to be something like other devices nearby looking for open APs or something, I don't know.
WPS is awful and has lots of security vulnerabilities. You should turn it off the instant you install a new wireless router/AP.
 

Agent Smith

Well-Known Member
Random question:

Is it normal to get occasional attacks detected on a home access point's firewall?

I very occasionally see logs of potential DOS and XMAS attacks. I have seen these appear for well over a year or so. Our IP is dynamically set by the ISP anyway, so it can't be potential... is this normal activity, or something to worry about?

View attachment 7163


What firewall is this?

I looked up two of those IPs and if those are inbound I might be concerned.
 

SpriteMidr

Active Member
Just the bog standard router firewall.

It is my home connection.

Here are logs for the last few days or so. I get them via email.

Any addresses blanked are my machines.

upload_2016-5-29_10-39-30.png
upload_2016-5-29_10-40-54.png
upload_2016-5-29_10-42-4.png
upload_2016-5-29_10-42-54.png

I don't run any web server or anything, it is just our home internet connection. I have DDNS set up for when I set a file server up to SSH into from uni using private/public key pairing. Have not yet set this up however.
 