Occasional attacks on Wireless AP

Discussion in 'Computer Security' started by SpriteMidr, Apr 30, 2016.

  1. SpriteMidr

    SpriteMidr Active Member

    Messages:
    271
    Random question:

    Is it normal to get occasional attacks detected on a home access point's firewall?

    I very occasionally see logs of potential DoS and XMAS attacks. I have seen these appear for well over a year or so. Our IP is dynamically set by the ISP anyway, so it can't be potential... is this normal activity, or something to worry about?

    upload_2016-4-30_20-22-52.png
     
  2. beers

    beers Moderator Staff Member

    Messages:
    8,212
    If it's just one packet then the NAT state likely expired or dropped for whatever reason. A lot of those log TCP session states that aren't correlated with active sessions.
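
The rule of thumb in the reply above (a single stray packet versus repeated hits), as an added example that is not part of the thread: a Python triage over dropped-TCP log lines. The log format, the addresses and the `port_threshold` value are constructed for illustration and are not the router's real output; adapt the regular expression to what your device actually logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up format (not a real router's log format).
SAMPLE_LOG = """\
2016-05-27 03:14:07 DROP TCP 198.51.100.23:443 -> 203.0.113.5:51544 FLAGS=FIN,PSH,URG
2016-05-27 09:41:55 DROP TCP 198.51.100.77:80 -> 203.0.113.5:49822 FLAGS=ACK,FIN
2016-05-28 11:02:10 DROP TCP 192.0.2.50:40001 -> 203.0.113.5:22 FLAGS=FIN,PSH,URG
2016-05-28 11:02:10 DROP TCP 192.0.2.50:40002 -> 203.0.113.5:23 FLAGS=FIN,PSH,URG
2016-05-28 11:02:11 DROP TCP 192.0.2.50:40003 -> 203.0.113.5:80 FLAGS=FIN,PSH,URG
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DROP TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) FLAGS=(?P<flags>[A-Z,]*)$"
)
XMAS = {"FIN", "PSH", "URG"}  # the flag combination an "Xmas" packet carries

def flag_kind(flags):
    """Name the TCP flag pattern of a dropped packet."""
    if not flags:
        return "null"
    if XMAS <= flags:
        return "xmas"
    return "out-of-state"  # ordinary flags that matched no tracked session

def triage(log_text, port_threshold=3):
    """Group drops by source: one stray packet vs. many ports touched."""
    by_src = defaultdict(lambda: {"packets": 0, "ports": set(), "kinds": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a TCP drop record
        flags = {f for f in m["flags"].split(",") if f}
        entry = by_src[m["src"]]
        entry["packets"] += 1
        entry["ports"].add(int(m["dport"]))
        entry["kinds"].add(flag_kind(flags))
    report = {}
    for src, e in by_src.items():
        if len(e["ports"]) >= port_threshold:
            verdict = "scan-like: many destination ports"
        elif e["packets"] == 1:
            verdict = "single packet: likely stale session"
        else:
            verdict = "repeated: keep watching"
        report[src] = (verdict, e["packets"], sorted(e["kinds"]))
    return report
```

Calling `triage(SAMPLE_LOG)` returns one `(verdict, packet_count, flag_kinds)` tuple per source address.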
     
  3. SpriteMidr

    SpriteMidr Active Member

    Messages:
    271
    I thought as much. I just wanted to make sure all the same. I am eventually gonna set an SSH server up to access from uni, so I wanted to make sure. It will use public/private key auth anyway, but still.

    Cheers for the quick reply!
     
  4. SpriteMidr

    SpriteMidr Active Member

    Messages:
    271
    Another related question I keep meaning to ask.

    On Windows 10, I occasionally get some odd devices show up. They are often called full-ford (amazon) or Zeta (blackview). They have MAC addresses but no IP address. The router doesn't show them up and I can't access them or ping them. They show up on every Windows 10 machine I have, and I have no devices connected that are of this identification. Furthermore, I have changed the router SSID, password and added access control to a whitelist of machine MACs (not the odd ones), but they still show up...
    upload_2016-5-9_17-18-1.png
    This is really weird, and I can't find out much about it. I am guessing that it is just a Windows 10 "thing", as it never occurs on any other machine.

    <edit>
    Like, I just rebooted the router, and it disappeared. It is really weird. If there were an IP address I would be panicking but it seems to be a false thing being detected.

    <edit again>

    Like, now, I have full_ford by Amazon showing up instead.
    upload_2016-5-9_17-28-49.png
    Like, seriously, this is very odd.

    <another edit>
    It seems other people have the issue too. Turning WPS off seems to fix it, kicks them straight away. Seems to be something like other devices nearby looking for open APs or something, I don't know.

    <final edit>
    Actually, seems I still have the issue. I have tracked it down to something called WCN - Wireless Connect-Now (or wtte). It seems it is to do with peer-to-peer device discovery (like WiFi-Direct). Probably the neighbours' devices being detected as existing.
     
    Last edited: May 11, 2016
  5. Geoff

    Geoff VIP Member

    Messages:
    37,673
    WPS is awful and has lots of security vulnerabilities. You should turn it off the instant you install a new wireless router/AP.
     
  6. Agent Smith

    Agent Smith Well-Known Member

    Messages:
    3,324

    What firewall is this?

    I looked up two of those IPs and if those are inbound I might be concerned.
     
  7. SpriteMidr

    SpriteMidr Active Member

    Messages:
    271
    Just the bog standard router firewall.

    It is my home connection.

    Here are logs for the few days or so. I get them via email.

    Any addresses blanked are my machines.

    upload_2016-5-29_10-39-30.png
    upload_2016-5-29_10-40-54.png
    upload_2016-5-29_10-42-4.png
    upload_2016-5-29_10-42-54.png

    I don't run any web server or anything, it is just our home internet connection. I have DDNS set up for when I set a file server up to SSH into from uni using private/public key pairing. Have not yet set this up however.
     