Posted: 8/8/2013 12:06:17 PM EDT
I know that port scanning is just a fact of life but it seems like I'm getting more than my fair share. Is this normal? I'm on Cox residential "high speed" internet. This is a short excerpt from my router's log:
Aug 8 10:25:10 Xmas port scan attack from WAN (ip:74.125.224.96) detected.
Aug 8 10:12:50 Xmas port scan attack from WAN (ip:184.86.221.138) detected.
Aug 8 10:12:50 Xmas port scan attack from WAN (ip:184.86.221.130) detected.
Aug 8 10:12:41 Xmas port scan attack from WAN (ip:184.86.221.130) detected.
Aug 8 10:12:41 Xmas port scan attack from WAN (ip:184.86.221.130) detected.
Aug 8 10:12:16 Xmas port scan attack from WAN (ip:184.86.221.130) detected.
Aug 8 10:12:11 Xmas port scan attack from WAN (ip:184.86.221.138) detected.
Aug 8 10:12:11 Xmas port scan attack from WAN (ip:184.86.221.130) detected.
Aug 8 10:11:56 Xmas port scan attack from WAN (ip:184.86.221.130) detected.
Aug 8 10:11:52 Xmas port scan attack from WAN (ip:184.86.221.138) detected.
Aug 8 10:11:45 Xmas port scan attack from WAN (ip:184.86.221.130) detected.
Aug 8 10:11:42 Xmas port scan attack from WAN (ip:184.86.221.130) detected.
Aug 8 10:11:34 Xmas port scan attack from WAN (ip:184.86.221.138) detected.
Aug 8 10:11:33 Xmas port scan attack from WAN (ip:184.86.221.138) detected.
Aug 8 10:11:33 Xmas port scan attack from WAN (ip:184.86.221.138) detected.
Aug 8 10:11:32 Xmas port scan attack from WAN (ip:184.86.221.138) detected.
Aug 8 10:09:45 Xmas port scan attack from WAN (ip:184.50.27.8) detected.
Aug 8 10:09:16 Xmas port scan attack from WAN (ip:184.50.27.8) detected.
Aug 8 10:09:01 Xmas port scan attack from WAN (ip:184.50.27.8) detected.
Aug 8 10:08:54 Xmas port scan attack from WAN (ip:184.50.27.8) detected.
Aug 8 10:08:49 Xmas port scan attack from WAN (ip:184.50.27.8) detected.
Aug 8 10:08:48 Xmas port scan attack from WAN (ip:184.50.27.8) detected.
Aug 8 10:08:47 Xmas port scan attack from WAN (ip:184.50.27.8) detected.
Aug 8 10:08:47 Xmas port scan attack from WAN (ip:184.50.27.8) detected.
Aug 8 10:08:18 Xmas port scan attack from WAN (ip:96.6.122.99) detected.
Aug 8 10:07:45 Xmas port scan attack from WAN (ip:31.13.77.65) detected.
Aug 8 10:07:33 Xmas port scan attack from WAN (ip:96.6.122.99) detected.
Aug 8 10:07:20 Xmas port scan attack from WAN (ip:108.160.162.49) detected.
Aug 8 10:07:16 Xmas port scan attack from WAN (ip:31.13.77.65) detected.
Aug 8 10:07:11 Xmas port scan attack from WAN (ip:96.6.122.99) detected.
Quoted:
I know that port scanning is just a fact of life but it seems like I'm getting more than my fair share. Is this normal? I'm on Cox residential "high speed" internet. This is a short excerpt from my router's log: ... Aug 8 10:12:41 Xmas port scan attack from WAN (ip:184.86.221.130) detected. ...

NetRange 184.84.0.0 - 184.87.255.255
CIDR 184.84.0.0/14
Name AKAMAI

You might send an email to Akamai; something seems odd.
I'll take false positive for $200 Alex. I've seen this a few times in the traffic logs. I'm pretty sure what you're seeing is legit traffic.
http://www.akamai.com/html/support/faq.html

When you receive a QuickTime stream that is served by an Akamai via RTP/RTSP (Real Time Transport Protocol/Real Time Streaming Protocol), a contact will be made from UDP port 2000/2001 of our server to UDP ports 6970-6999 of the client. This transaction is a legitimate RTP/RTSP connection and should not be interpreted as a UDP port scan.

Do your logs give you any further detail?
Quoted:
No. I pretty much never use QuickTime but my instructor said that a few hundred port scans a day is normal.

Not at all abnormal to see port scanning on a regular basis. There is always the possibility that you are seeing an actual port scan from what appears to be one of their IP addresses. However Akamai is used to distribute all kinds of media, software/updates etc. I'm still betting on a port scan from Akamai. Have you lit up Wireshark or other packet capture to have a better look?
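
Added example, not part of any post in this thread: one way to triage a log like the one above is to group the alerts by source address and label the sources that fall inside a known network range before deciding what they are. It uses eight entries copied from the first post and the 184.84.0.0/14 range from the whois output quoted in the thread; the function name `summarize`, the "unknown" label and the assumed year 2013 (the router log carries no year) are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Only range known from the thread: the whois result quoted in the first reply.
KNOWN_RANGES = {"AKAMAI": ip_network("184.84.0.0/14")}

# Matches one router entry even when entries run together on a single line.
ENTRY_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<kind>[\w ]+?) attack from WAN \(ip:(?P<ip>[0-9.]+)\) detected\."
)

# Eight entries copied from the log excerpt in the first post.
SAMPLE_LOG = (
    "Aug 8 10:25:10 Xmas port scan attack from WAN (ip:74.125.224.96) detected. "
    "Aug 8 10:12:50 Xmas port scan attack from WAN (ip:184.86.221.138) detected. "
    "Aug 8 10:12:50 Xmas port scan attack from WAN (ip:184.86.221.130) detected. "
    "Aug 8 10:12:41 Xmas port scan attack from WAN (ip:184.86.221.130) detected. "
    "Aug 8 10:12:16 Xmas port scan attack from WAN (ip:184.86.221.130) detected. "
    "Aug 8 10:09:45 Xmas port scan attack from WAN (ip:184.50.27.8) detected. "
    "Aug 8 10:09:16 Xmas port scan attack from WAN (ip:184.50.27.8) detected. "
    "Aug 8 10:07:45 Xmas port scan attack from WAN (ip:31.13.77.65) detected."
)

def summarize(log_text, year=2013):
    """Group alerts by source IP with count, first/last seen and owner label."""
    seen = defaultdict(list)
    for m in ENTRY_RE.finditer(log_text):
        try:
            addr = ip_address(m["ip"])
        except ValueError:
            continue  # malformed address in the log; skip the entry
        # The router omits the year, so the caller supplies it (assumption).
        stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[addr].append(stamp)
    rows = []
    for addr, stamps in seen.items():
        owner = next((n for n, net in KNOWN_RANGES.items() if addr in net), "unknown")
        rows.append({"ip": str(addr), "count": len(stamps), "first": min(stamps),
                     "last": max(stamps), "owner": owner})
    # Busiest sources first; ties keep the order they first appear in the log.
    return sorted(rows, key=lambda r: -r["count"])

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(f"{r['ip']:<16} {r['count']:>3}  "
              f"{r['first']:%H:%M:%S}-{r['last']:%H:%M:%S}  {r['owner']}")
```

A source labelled "unknown" only means it is outside the ranges listed in `KNOWN_RANGES`; extend that table with ranges you have looked up yourself.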