Looking at my Firewall Events log, I see 900+ blocked intrusions.
Most (95%) but not all have a source IP address of my router, not some IP address out in the wild.
What I expect is that 99.9% of the source addresses be from outside my home network.
Details: My router is a Buffalo WZR-HP-G300NH, which is Linux based. The WAN side connects to ATT by a DSL line. The configuration is standard NAT. The LAN side address is 192.168.1.63/24.
My computer lives at 192.168.1.61/24. It runs XP SP3, Comodo V5.0.163652.1142, ICS/Firewall off.
All intrusions are TCP. Most have a source IP of 192.168.1.63 (i.e. the router) from random ports and are aimed at ports 80, 8080, 21, or 3389.
Here are a few of the other source IPs:
58.218.204.110:12200->6588,
58.218.199.147:12200->6588,
77.98.240.160:x->25904,
87.224.177.161:x->25904
Theories:
- My router is using some sort of reverse NAT, where it translates addresses of inbound messages from the internet into intranet addresses, and outbound messages back to the original external addresses. I really don’t think this is happening. Reverse NAT is uncommon, breaks too many things, and isn’t happening for all traffic. Plus the source ports probably would vary more due to translation.
- My router is possessed (i.e. hacked by malware); it is Unix-based open source, after all. I’ve reloaded the microcode and that didn’t change anything. Plus I’ve not heard of any attacks in the wild, though I didn’t go specifically searching for my router as a target.
- Comodo is logging improperly, for example using the address of the last person to forward a packet instead of the address of the originator of the packet. Again, the behavior isn’t consistent, as occasionally I see source addresses other than the router. Besides, this logging is a basic function of a solid product. Comodo can’t be broken.
Can I see the headers of the traffic which was logged, without firing up Wireshark and looking for matching packets?
Anyone have any other ideas to explore?
Thanks!
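Added example, not part of the original post and not Comodo's own log format: a small Python triage script that parses event lines in the same `src_ip:src_port->dst_port` shape quoted above, labels each source as the router, another LAN host, or external, and tallies the destination ports hit by router-sourced events. It assumes the router address 192.168.1.63 and LAN 192.168.1.0/24 from the post; the sample lines are constructed (the `x` port wildcard is accepted as an unknown port).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events in the post's "src_ip:src_port->dst_port" shape.
# The router-sourced lines and the "x" ports are made up to mirror the post.
SAMPLE_EVENTS = """
192.168.1.63:51234->80
192.168.1.63:40211->8080
192.168.1.63:33876->3389
192.168.1.63:49001->21
58.218.204.110:12200->6588
58.218.199.147:12200->6588
77.98.240.160:x->25904
87.224.177.161:x->25904
192.168.1.63:52000->80
"""

# Source IP, source port (digits or "x" for unknown), destination port.
EVENT_RE = re.compile(r"^(\S+):(\d+|x)->(\d+)$")


def parse_events(text):
    """Return (src_ip, src_port_or_None, dst_port) tuples; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        sport = None if m.group(2) == "x" else int(m.group(2))
        events.append((ipaddress.ip_address(m.group(1)), sport, int(m.group(3))))
    return events


def classify(src_ip, router_ip, lan_net):
    """Label a source as the gateway itself, another host on the LAN, or external."""
    if src_ip == router_ip:
        return "router"
    if src_ip in lan_net:
        return "lan"
    return "external"


def summarize(text, router_ip="192.168.1.63", lan_net="192.168.1.0/24"):
    """Count events per source class and, for router-sourced hits, per destination port.
    Returns (class_counts, router_fraction, router_dst_ports)."""
    router = ipaddress.ip_address(router_ip)
    net = ipaddress.ip_network(lan_net)
    events = parse_events(text)
    classes = Counter(classify(ip, router, net) for ip, _, _ in events)
    router_ports = Counter(dport for ip, _, dport in events if ip == router)
    frac = classes["router"] / len(events) if events else 0.0
    return classes, frac, router_ports
```

A high router fraction concentrated on a few service ports (80, 8080, 21, 3389 here) is the pattern worth checking against the router's own NAT/port-forward behaviour before suspecting the logging product.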