Here's the situation:
Cable Modem Service - Toshiba Cable Modem
DLINK 624 Router - Wireless Disabled - DHCP's the live WAN IP address from ISP.
2 PCs connected to Router
For two weeks solid now I believe I have been getting port scanned relentlessly. With my DLINK router log set to save or email me the log....it fills 20 pages full of attack messages, twice a day. These incoming attacks do not stop with the PCs turned off and physically removed from the network. My DLINK router WAN light and my Toshiba Data light flash constantly, again with or without the computers hooked up to the network.
The only way I can stop the data light flashing activity is to remove the actual COAX cable from the cable modem. All flashing light activity stops between the DATA light and the WAN light on the modem and router. Obviously though, I don't have Internet access. As soon as I plug the COAX back in, the intense data activity returns and my log starts to fill back up with entries.
I have sent the router logs to my ISP customer service, and point blank, they are idiots. THREE separate emails I had to basically state the situation until someone acknowledged that it looked like a port scan.....but as they stated, "We can see that your internet access is there and you are not being shut down". Great...thanks. Now, while it doesn't impact my service drastically, I do feel the slowdown from time to time. Quite frankly, regardless that my service isn't a total loss, just seeing the logs fill up and the lights constantly flashing makes me paranoid.
I have asked TWICE if I could have my service assigned another dynamic IP and TWICE they pointed me to their hosted Internet Speed test to see if my performance was degraded.
My question is, can I demand the ISP change my IP? Especially now that I have written proof from a technician that states he acknowledges I am most likely getting port scanned. Or is it just worth it to not waste my time and accept the fact that the Internet is an evil place and to pray my DLINK router holds out?
Here is a tiny sample from my log with my IP address removed:
Mar/27/2007 15:12:10
Drop ICMP packet from WAN src:200.231.139.175:8 dst:xxx.xxx.xxx.xxx:0 Rule: Default deny
Mar/27/2007 15:08:05
Drop UDP packet from WAN src:126.188.16.213:30803 dst:xxx.xxx.xxx:1026 Rule: Default deny
Mar/27/2007 15:07:52
Drop UDP packet from WAN src:204.16.210.62:42144 dst:xxx.xxx.xxx.xxx:1027 Rule: Default deny
Mar/27/2007 15:02:21
Drop TCP packet from WAN src:222.71.102.30:40539 dst:xxx.xxx.xxx.xxx:8000 Rule: Default deny
Mar/27/2007 14:59:02
Drop TCP packet from WAN src:200.3.179.234:61745 dst:xxx.xxx.xxx.xxx:2968 Rule: Default deny
Mar/27/2007 14:58:56
Drop TCP packet from WAN src:200.3.179.234:61745 dst:xxx.xxx.xxx.xxx:2968 Rule: Default deny
Mar/27/2007 14:58:53
Drop TCP packet from WAN src:200.3.179.234:61745 dst:xxx.xxx.xxx.xxx:2968 Rule: Default deny
Mar/27/2007 14:58:51
Drop UDP packet from WAN src:194.181.249.80:19981 dst:xxx.xxx.xxx.xxx:1026 Rule: Default deny
Mar/27/2007 14:48:49
Drop UDP packet from WAN src:218.27.16.156:52238 dst:xxx.xxx.xxx.xxx:1026 Rule: Default deny
Mar/27/2007 14:48:49
Drop UDP packet from WAN src:218.27.16.156:52238 dst:xxx.xxx.xxx.xxx:1027 Rule: Default deny
Can someone clear up whether or not that looks like port scanning?
Any input is more than welcome.
Thanks!
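Added example, not part of the original post: one way to check a router log in this format for the per-source port spread that characterizes a port scan, by counting distinct destination ports per source and distinct sources per port. The regular expression is inferred from the excerpt above, and the threshold of 10 distinct ports is an assumed cut-off.

```python
import re
from collections import defaultdict

# Drop lines copied from the excerpt in the post (timestamp lines omitted).
SAMPLE_LOG = """\
Drop ICMP packet from WAN src:200.231.139.175:8 dst:xxx.xxx.xxx.xxx:0 Rule: Default deny
Drop UDP packet from WAN src:126.188.16.213:30803 dst:xxx.xxx.xxx:1026 Rule: Default deny
Drop UDP packet from WAN src:204.16.210.62:42144 dst:xxx.xxx.xxx.xxx:1027 Rule: Default deny
Drop TCP packet from WAN src:222.71.102.30:40539 dst:xxx.xxx.xxx.xxx:8000 Rule: Default deny
Drop TCP packet from WAN src:200.3.179.234:61745 dst:xxx.xxx.xxx.xxx:2968 Rule: Default deny
Drop TCP packet from WAN src:200.3.179.234:61745 dst:xxx.xxx.xxx.xxx:2968 Rule: Default deny
Drop TCP packet from WAN src:200.3.179.234:61745 dst:xxx.xxx.xxx.xxx:2968 Rule: Default deny
Drop UDP packet from WAN src:194.181.249.80:19981 dst:xxx.xxx.xxx.xxx:1026 Rule: Default deny
Drop UDP packet from WAN src:218.27.16.156:52238 dst:xxx.xxx.xxx.xxx:1026 Rule: Default deny
Drop UDP packet from WAN src:218.27.16.156:52238 dst:xxx.xxx.xxx.xxx:1027 Rule: Default deny
"""

# Line format inferred from the excerpt; the destination address may be redacted.
LINE_RE = re.compile(
    r"Drop (?P<proto>\w+) packet from WAN "
    r"src:(?P<src>[\d.]+):(?P<sport>\d+) dst:\S+:(?P<dport>\d+)")

def parse(log_text):
    """Yield (proto, src_ip, dst_port) per drop line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["proto"], m["src"], int(m["dport"])

def summarize(log_text, scan_threshold=10):
    """Group drops by source and by port; scan_threshold is an assumed cut-off."""
    ports_by_src = defaultdict(set)   # src -> {(proto, dst_port)}
    srcs_by_port = defaultdict(set)   # (proto, dst_port) -> {src}
    for proto, src, dport in parse(log_text):
        if proto == "ICMP":
            continue  # assumed: the "port" fields carry ICMP type/code here
        ports_by_src[src].add((proto, dport))
        srcs_by_port[(proto, dport)].add(src)
    wide = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold)
    return ports_by_src, srcs_by_port, wide

if __name__ == "__main__":
    by_src, by_port, wide = summarize(SAMPLE_LOG)
    for src, ports in sorted(by_src.items()):
        print(f"{src:16} distinct dst ports: {len(ports)}")
    for (proto, port), srcs in sorted(by_port.items()):
        print(f"{proto}/{port:<6} distinct sources: {len(srcs)}")
    print("sources at/over threshold:", wide or "none")
```

Running it over a full day's saved log rather than a ten-line excerpt gives counts large enough to compare against the threshold.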