Author Topic: remote scanning of ports  (Read 11050 times)

kf6c

  • Jr. Member
  • Posts: 33
remote scanning of ports
« on: 2016-02-20, 21:18:06 »
I am getting breaks in the audio of my K30 RRC1258 set up. It appears to be due to remotes scanning the ports of 192.168.1.170 which was the IP of the Radio RRC. I have changed the IP and the port number of the 1258 but the scanning activity on 192.168.1.170 is still disrupting the audio. I no longer have any port forwarding shown for 192.168.1.170 in the router setup. I cannot find any setting on the router which can fix this problem. The router is Netgear AC1900 model R7000. I have seen articles that suggest that that consumer router may not have enough security. Am I missing something, does anyone have any suggestions for solving this or a recommended router that can prevent this scanning from breaking the audio.

73 Brian KF6C

dj0qn

  • Hero Member
  • Posts: 2223
Re: remote scanning of ports
« Reply #1 on: 2016-02-20, 22:20:36 »
If someone is scanning ports, then changing the internal IP number won't help, since only the external IP number
is being scanned. The port number is the important thing. I doubt that a scan alone would cause this kind of problem
and I would look elsewhere. It could be a number of things: the port number you are using has a conflict, the router has
SIP ALG enabled, another device on your network is disturbing network traffic (recently someone found a simple switch
that was defective and causing this), etc., etc. You need to use process of elimination to locate the perpetrator.

73,
Mitch DJ0QN / K7DX

kf6c

  • Jr. Member
  • Posts: 33
Re: remote scanning of ports
« Reply #2 on: 2016-02-20, 23:45:06 »
I have changed port numbers and the 1258 IP a few times with no change in the audio problem. The problem does appear to get worse with the frequency of the scanning as indicated in the router log. As I understand you, the scanner is sending the requests to 192.168.1.170 so I have no control over that, the fact that there is nothing there is irrelevant. I have removed all other computers from the network except a 4GLTE CellSpot with no change in the problem. I have suspected the cellspot but a test with it removed and using the LTE network direct from another location still had the problem. This morning after the system was shut down for a while the link worked fine until the scanning restarted. I have spent many hours trying all security measures and priority settings available on the router with no success. Jan was not able to make a good connection to the radio RRC while it was running 192.168.1.170. I have not given out the IP or port number in use now. The router has never shown any clashes in IP numbers.

Thanks for your help

73 Brian KF6c.

kf6c

  • Jr. Member
  • Posts: 33
Re: remote scanning of ports
« Reply #3 on: 2016-02-20, 23:51:07 »
The router log is showing in excess of 5 port scans per second of 192.168.1.170

kf6c

  • Jr. Member
  • Posts: 33
Re: remote scanning of ports
« Reply #4 on: 2016-02-21, 00:07:22 »
The scanning has stopped and the link is working fine.

dj0qn

  • Hero Member
  • Posts: 2223
Re: remote scanning of ports
« Reply #5 on: 2016-02-21, 03:46:55 »
Let me try to explain what I meant before: the IP number you are referring to, 192.168.1.170, is not visible from the
internet, only within your network. All devices within your network (subnet 192.168.1.XXX) all use one, single external
IP number that is visible from the internet. In order to reach various devices within your network, each one uses a port
number or numbers that are either dynamically assigned by the router, or set by the user like in this case. The router
then knows where to send the incoming packets, depending upon how the port was allocated.

If a port is being scanned, you need to look at the IP number scanning that port. If it is in the local subnet, then it is not
coming from the outside and you need to figure out the problem. If it is coming from the outside, you would need to do
a lot more investigating to figure out why it is still being scanned if you change the port number. In this case, make sure
the RRC is not in the DMZ, but the specific ports used are being forwarded and no more, e.g. 12000-12003 UDP. I would
also force a change in the external IP number by restarting the router, which usually works. If you are still getting port scans
coming from the outside, there is something very strange going on and I would suspect a defective router. Indeed, I have been
helping OM's solve RemoteRig performance problems for several years and several routers have had to be replaced because they
are garbage, especially cheap consumer routers such as from Comcast.

Anyway, I hope the scanning problem is now stopped.

73,
Mitch DJ0QN / K7DX


kf6c

  • Jr. Member
  • Posts: 33
Re: remote scanning of ports
« Reply #6 on: 2016-02-21, 17:23:22 »
Thank you for taking the time to explain the issues. The problem has gone away for now but not from anything I did, however for peace of mind I need to understand what caused it.

The scanning was coming from outside; the IPs were varied, as shown in the part of the log shown here:

[LAN access from remote] from 81.214.121.40:39262 to 192.168.1.170:53413, Friday, Feb 19,2016 07:16:19
[LAN access from remote] from 68.58.52.149:29680 to 192.168.1.170:12553, Friday, Feb 19,2016 07:15:37
[LAN access from remote] from 74.105.89.93:18244 to 192.168.1.170:12553, Friday, Feb 19,2016 07:13:41
[LAN access from remote] from 159.203.12.173:1612 to 192.168.1.170:22, Friday, Feb 19,2016 07:11:29
[LAN access from remote] from 82.79.50.44:53 to 192.168.1.170:42468, Friday, Feb 19,2016 07:10:51
[LAN access from remote] from 85.25.200.110:61651 to 192.168.1.170:5038, Friday, Feb 19,2016 07:09:49
[LAN access from remote] from 208.54.4.192:48611 to 192.168.1.170:53502, Friday, Feb 19,2016 07:09:34
[LAN access from remote] from 151.236.63.50:25870 to 192.168.1.170:22, Friday, Feb 19,2016 07:08:58
[LAN access from remote] from 125.64.94.200:37093 to 192.168.1.170:8000, Friday, Feb 19,2016 07:08:15
[LAN access from remote] from 185.130.5.201:47514 to 192.168.1.170:53413, Friday, Feb 19,2016 07:04:37
[LAN access from remote] from 185.40.4.185:59222 to 192.168.1.170:8484, Friday, Feb 19,2016 07:03:59
[LAN access from remote] from 50.108.24.59:29338 to 192.168.1.170:12553, Friday, Feb 19,2016 07:03:09
[LAN access from remote] from 74.105.89.93:18244 to 192.168.1.170:12553, Friday, Feb 19,2016 07:01:20

I did have DMZ enabled. I had changed the local network number so 170 is not used locally anymore, it does not show up on the router other than in the logs.

When I looked at the log this morning there were some records with 170 in them which appear to be Asia Pacific registered addresses; one is Thailand.

[LAN access from remote] from 140.205.81.52:53 to 192.168.1.170:13221, Sunday, Feb 21,2016 06:54:20
[LAN access from remote] from 140.205.81.52:53 to 192.168.1.170:13221, Sunday, Feb 21,2016 06:39:02
[LAN access from remote] from 180.183.36.210:65348 to 192.168.1.170:53930, Sunday, Feb 21,2016 06:32:58
[LAN access from remote] from 180.183.36.210:43071 to 192.168.1.170:53930, Sunday, Feb 21,2016 06:32:57

Other than these the log is mostly composed of local references.

I have made disconnections of the modem but the external IP has not changed. I contacted the ISP provider COX and they remotely reset the modem, but this did not change the external IP and they tell me they cannot change the external IP!

It appears to me that because the 170 address was port forwarded some scanner picked up on this and it has been distributed by some organization.

The router I have is a relatively high end consumer device but I don't think it has the ability to deal with this problem.

73 Brian KF6C.
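
The check described in Reply #5 (is the scan source inside the local subnet or outside, and is anything beyond the forwarded ports reachable), applied to router log lines in the format quoted in Reply #6. This is an added example, not part of any post in the thread; the sample lines are constructed, and the function names and the forwarded range 12000-12003 (the example range from Reply #5) are assumptions.

```python
import ipaddress
import re
from datetime import datetime

LAN = ipaddress.ip_network("192.168.1.0/24")  # local subnet named in the thread
FORWARDED = set(range(12000, 12004))          # assumed forwards (Reply #5 example)

# Matches the router's "[LAN access from remote]" entries as quoted in the thread.
LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):\d+ "
    r"to [\d.]+:(?P<dport>\d+), "
    r"\w+, (?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)

# Constructed sample lines (documentation addresses), not copied from the thread.
SAMPLE_LOG = """\
[LAN access from remote] from 203.0.113.7:39262 to 192.168.1.170:53413, Friday, Feb 19,2016 07:16:19
[LAN access from remote] from 198.51.100.20:1612 to 192.168.1.170:22, Friday, Feb 19,2016 07:11:29
[LAN access from remote] from 203.0.113.7:18244 to 192.168.1.170:12000, Friday, Feb 19,2016 07:06:19
[LAN access from remote] from 192.168.1.23:50000 to 192.168.1.170:8000, Friday, Feb 19,2016 07:05:00
"""

def parse(log_text):
    """Return one dict per recognised log line; unrecognised lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append({
                "src": ipaddress.ip_address(m["src"]),
                "dport": int(m["dport"]),
                "time": datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S"),
            })
    return entries

def summarize(entries, forwarded=FORWARDED):
    """Split sources into local/outside and flag reached ports beyond the forwards."""
    outside = [e for e in entries if e["src"] not in LAN]
    times = [e["time"] for e in outside]
    minutes = (max(times) - min(times)).total_seconds() / 60 if len(times) > 1 else 0
    return {
        "outside": len(outside),
        "local": len(entries) - len(outside),
        "distinct_sources": len({e["src"] for e in outside}),
        "unexpected_ports": sorted({e["dport"] for e in outside} - forwarded),
        "per_minute": round(len(outside) / minutes, 2) if minutes else None,
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```

A non-empty `unexpected_ports` list means outside traffic is reaching the host on ports other than the intended forwards, which is what a DMZ setting allows.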


kf6c

  • Jr. Member
  • Posts: 33
Re: remote scanning of ports
« Reply #7 on: 2016-02-25, 21:46:34 »
It turns out there appears to be a fault on the line between my house and the service pole. I noticed I was getting very unstable readings on the link speeds with multiple consecutive tests. The ISP, COX, sent a service tech to check the system and he found the speed varied from 100Kbps to 198Mbps. The checks they have done indicate there is no problem in the house or at their end.
Relating the problem to scanning of the ports appears to have been just a further degradation of an already broken system.
For now I have to wait for COX to repair the lines.

Jan (Microbit)

  • Software Developer
  • Administrator
  • Hero Member
  • Posts: 1832
Re: remote scanning of ports
« Reply #8 on: 2016-02-26, 08:25:36 »
That is a huge variation in speed! No wonder you are having problems!
Always include type of hard/software and version when asking for support.