Unusual connection

djdeejay
DD-WRT Novice


Joined: 11 Jul 2020
Posts: 6

PostPosted: Sat Jul 11, 2020 21:53    Post subject: Unusual connection Reply with quote
I apologize if I posted this in the wrong forum, but can someone help me understand why I might be seeing this.

I'm using the router as an AP with WPA2/AES and using the default settings.

Under active connections in the GUI I see an unknown to me source IP address of 14.240.128.1 connecting to destination IP 255.255.255.255.

I THINK I was able to make it go away by adding "iptables -A INPUT -s 14.240.128.1 -j DROP"

I also wanted to make sure all my ports were closed and visited the Shields Up website and scanned my router ports and found it was all closed up and stealth status.

I really couldn't get any concrete information on the source IP address, other than being used for spam, but not 100% sure.

Thanks in advance
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5768
Location: Romerike, Norway

PostPosted: Sun Jul 12, 2020 7:57    Post subject: Reply with quote
14.240.128.1 belongs to Vietnam Posts and Telecommunications Group.

It may be the Gateway Address of your WAN Interface.
djdeejay
DD-WRT Novice


Joined: 11 Jul 2020
Posts: 6

PostPosted: Sun Jul 12, 2020 8:56    Post subject: Reply with quote
This IP is definitely not associated with my ISP. It's also in a totally different country.

I normally log into the web interface using Firefox and this Firefox profile has no addons installed because I'm fully aware Firefox likes to connect to various IPs during startup and they check out as normal. I also ran netstat and everything looks fine.

The only thing I'm thinking is that it's some sort of spam address scanning my ISP's WAN subnet.

If you have any more ideas on what to look for, I'd really appreciate it.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5768
Location: Romerike, Norway

PostPosted: Sun Jul 12, 2020 9:39    Post subject: Reply with quote
Do you have UPnP enabled?

255.255.255.255 is broadcast. I cannot see how it's possible to send to your router without being connected to your WAN's sub-net.

What protocol and what port?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3796
Location: UK, London, just across the river..

PostPosted: Sun Jul 12, 2020 10:40    Post subject: Reply with quote
you'd need one like this
iptables -I FORWARD -s 14.240.128.1 -j DROP

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 44251 BS AP,NAT
TP-Link WR740Nv4 ------DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ----DD-WRT 444406 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----DD-WRT 44340 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -------DD-WRT 44340 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -------DD-WRT 44340 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
djdeejay
DD-WRT Novice


Joined: 11 Jul 2020
Posts: 6

PostPosted: Sun Jul 12, 2020 17:56    Post subject: Reply with quote
Alozaros wrote:
you'd need one like this
iptables -I FORWARD -s 14.240.128.1 -j DROP


In your opinion, should I even have to add to iptables if I'm using the stock iptables config and security settings? I'm trying to get a better picture of why I'm seeing this type of connection in the first place. Just to reiterate, I have no unusual connections coming from my PC and I went to Shields Up website and ran a scan with stealth mode results and no ports open. Thanks
djdeejay
DD-WRT Novice


Joined: 11 Jul 2020
Posts: 6

PostPosted: Sun Jul 12, 2020 17:58    Post subject: Reply with quote
Per Yngve Berg wrote:
Do you have UPnP enabled?

255.255.255.255 is broadcast. I cannot see how it's possible to send to your router without being connected to your WAN's sub-net.

What protocol and what port?


UPnP is disabled. I didn't do a screenshot, but I recall it was the bootps service this was trying to connect to.
djdeejay
DD-WRT Novice


Joined: 11 Jul 2020
Posts: 6

PostPosted: Mon Jul 13, 2020 17:15    Post subject: Reply with quote
It happened again. This time it's coming from a private IP address. I found out after resetting the router, using the default settings and I only connected my main computer to the router. Just to clarify, I only see this in the active connections tab and then it times out after 20 secs. I'm assuming it's coming from the cable modem. Any clues?

UDP (Source 10.xx.xx.xx) (Destination) 255.255.255.255 bootpc UNREPLIED
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 811

PostPosted: Mon Jul 13, 2020 22:46    Post subject: Reply with quote
If it is coming from a private IP address, that means that one of your computers is trying to make a connection out. I am confused as to why you think it is the modem.

You need to look at your OS and track down what is making the attempt (what software/such do you have installed?). I think it is a little off the DD-WRT topic though.
djdeejay
DD-WRT Novice


Joined: 11 Jul 2020
Posts: 6

PostPosted: Tue Jul 14, 2020 1:39    Post subject: Reply with quote
I did more searching and found someone on another forum with a similar issue. Apparently, some ISPs are doing something called "squat space" in order to deal with a shortage of IPv4 addresses. I won't bore you with the details, but it's an interesting topic and I'm sure some of you are getting this, but never noticed it.

**edit**

Here's a good article on the topic if anyone is interested.

https://teamarin.net/2015/11/23/to-squat-or-not-to-squat/
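
Added example, not part of any post in this thread: a shell function that picks entries like the "UDP ... 255.255.255.255 bootpc UNREPLIED" one quoted above out of conntrack-format lines and labels them by DHCP direction (bootps is UDP 67, bootpc is UDP 68) and source address class. The function name `classify_dhcp`, the sample lines, their port assignments and the address 10.20.30.1 (standing in for the masked 10.xx.xx.xx) are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage conntrack lines for DHCP broadcasts.
# Sample lines are constructed in the /proc/net/nf_conntrack layout;
# the ports shown are illustrative, not taken from the thread.
SAMPLE='ipv4     2 udp      17 18 src=10.20.30.1 dst=255.255.255.255 sport=67 dport=68 [UNREPLIED] src=255.255.255.255 dst=10.20.30.1 sport=68 dport=67 mark=0 use=2
ipv4     2 udp      17 12 src=14.240.128.1 dst=255.255.255.255 sport=68 dport=67 [UNREPLIED] src=255.255.255.255 dst=14.240.128.1 sport=67 dport=68 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.100 dst=192.168.1.1 sport=51514 dport=80 src=192.168.1.1 dst=192.168.1.100 sport=80 dport=51514 [ASSURED] mark=0 use=2'

# classify_dhcp: read conntrack lines on stdin and print, for each UDP
# entry sent to the limited broadcast address on the DHCP ports:
#   <src> <dhcp-direction> <source-address-class>
classify_dhcp() {
    awk '
    {
        src = dst = sport = dport = proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "udp" || $i == "tcp") { if (proto == "") proto = $i }
            # keep only the first (original-direction) tuple
            else if ($i ~ /^src=/   && src == "")   src   = substr($i, 5)
            else if ($i ~ /^dst=/   && dst == "")   dst   = substr($i, 5)
            else if ($i ~ /^sport=/ && sport == "") sport = substr($i, 7)
            else if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
        }
        if (proto != "udp" || dst != "255.255.255.255") next
        if (sport + 0 == 67 && dport + 0 == 68)      dir = "server-to-client"
        else if (sport + 0 == 68 && dport + 0 == 67) dir = "client-to-server"
        else next
        split(src, o, ".")
        if (o[1] + 0 == 10 ||
            (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) ||
            (o[1] + 0 == 192 && o[2] + 0 == 168)) cls = "rfc1918"
        else if (src == "0.0.0.0")                cls = "unconfigured-client"
        else                                      cls = "public"
        print src, dir, cls
    }'
}

printf '%s\n' "$SAMPLE" | classify_dhcp
```

On a router, the same function can be fed the live table with `classify_dhcp < /proc/net/nf_conntrack` (or `/proc/net/ip_conntrack` on older kernels).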