I just checked my log, and there are a lot of unallowed-access entries from some unknown MAC addresses.
Saturday February 09, 2008 21:23:20 Unallowed access from WLAN 00-0F-B5-D8-5F-C8
Saturday February 09, 2008 21:23:45 Unallowed access from WLAN 00-1E-4C-14-65-84
Saturday February 09, 2008 21:23:46 Unallowed access from WLAN 00-0F-CB-B4-CB-6C
Saturday February 09, 2008 21:23:50 Unallowed access from WLAN 00-1E-2A-07-8E-10
None of these are used either by me, the laptop’s built-in network card, or the wireless adapter.
I suppose they’re getting blocked, since I’m using MAC filtering. Right?
So why am I getting these unknown MAC addresses in my router's log file?
FYI, they are assigned to Netgear, Hon-Hai, 3com, and Hon-Hai products, so probably wireless NICs. Definitely look like rejected connection attempts from unauthorized MAC addresses. Do you have a router that can do external logging? If so, you can download a free copy of WallWatcher and see a little more detail.
Looks to me like your MAC filtering is working. Do you get a lot of these? Normally they are just people looking for free wifi to use, not attackers. With an attacker, you should see some connects in the log when they work around the MAC filtering. If your network is trusted, you might think about using something a little stronger like WPA; otherwise your firewall should protect you even if someone manages to get a connection.
I have a 20-character WPA key (should take a while to brute-force it…) and MAC filtering.
Anyways, today I got some new entries.
Sunday February 10, 2008 15:09:44 DoS Attack type : Syn flood!!
Sunday February 10, 2008 15:12:48 DoS Attack type : Syn flood!!
Sunday February 10, 2008 15:16:14 DoS Attack type : Syn flood!!
Sunday February 10, 2008 15:19:26 DoS Attack type : Syn flood!!
Sunday February 10, 2008 15:22:15 Unrecognized attempt blocked from 220.127.116.11:1006 to 83.233.xxx.xxx UDP:21
Sunday February 10, 2008 15:22:39 DoS Attack type : Syn flood!!
WHOIS for 18.104.22.168.
Should I send a mail to abuse[at-bypass]in.bell.ca with the entries from my log?
Anyways, my router and CFP 3 seem to block the DDoS. I added a global rule in CFP 3 to block all incoming connections from 22.214.171.124, in case he/she bypasses my hardware firewall.
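The two batches of router log entries quoted above share a simple fixed format, so they can be triaged automatically instead of read by eye. The following Python script is an added example (not code from the thread or from the router vendor) that parses the three entry types seen here, counts rejected WLAN clients per MAC, DoS notices per type, and blocked inbound attempts per source/protocol/port, so that "do you get a lot of these?" can be answered from the numbers. The sample log below is constructed, and the source address 203.0.113.7 is a documentation address, not one from the thread.

```python
import re
from collections import Counter

# Constructed sample in the same format as the router log entries quoted in the thread.
SAMPLE_LOG = """\
Saturday February 09, 2008 21:23:20 Unallowed access from WLAN 00-0F-B5-D8-5F-C8
Saturday February 09, 2008 21:23:45 Unallowed access from WLAN 00-1E-4C-14-65-84
Saturday February 09, 2008 21:24:10 Unallowed access from WLAN 00-0F-B5-D8-5F-C8
Sunday February 10, 2008 15:09:44 DoS Attack type : Syn flood!!
Sunday February 10, 2008 15:22:15 Unrecognized attempt blocked from 203.0.113.7:1006 to 83.233.xxx.xxx UDP:21
Sunday February 10, 2008 15:22:39 DoS Attack type : Syn flood!!
"""

# Every entry starts with "<Weekday> <Month> <day>, <year> <HH:MM:SS> ".
TIMESTAMP = r"^(?P<ts>\w+ \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}) "
PATTERNS = {
    "wlan_rejected": re.compile(TIMESTAMP + r"Unallowed access from WLAN (?P<mac>(?:[0-9A-F]{2}-){5}[0-9A-F]{2})$"),
    "dos": re.compile(TIMESTAMP + r"DoS Attack type : (?P<dos_type>.+?)!*$"),
    "inbound_blocked": re.compile(TIMESTAMP + r"Unrecognized attempt blocked from (?P<src>[\d.]+):(?P<sport>\d+) "
                                  r"to (?P<dst>\S+) (?P<proto>\w+):(?P<dport>\d+)$"),
}

def parse_line(line):
    """Return a dict with a 'kind' key for a recognised entry, or None for anything else."""
    for kind, pattern in PATTERNS.items():
        match = pattern.match(line.strip())
        if match:
            record = match.groupdict()
            record["kind"] = kind
            return record
    return None

def summarize(log_text):
    """Tally the log by category so repeat sources stand out from one-off noise."""
    summary = {"unparsed": 0, "wlan_macs": Counter(), "dos": Counter(), "inbound": Counter()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            summary["unparsed"] += 1
        elif record["kind"] == "wlan_rejected":
            summary["wlan_macs"][record["mac"]] += 1
        elif record["kind"] == "dos":
            summary["dos"][record["dos_type"]] += 1
        else:
            summary["inbound"][(record["src"], record["proto"], record["dport"])] += 1
    return summary

def repeat_macs(summary, threshold=2):
    """MACs rejected at least `threshold` times: persistent neighbours rather than a passing scan."""
    return sorted(mac for mac, n in summary["wlan_macs"].items() if n >= threshold)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["wlan_macs"], result["dos"], result["inbound"], repeat_macs(result))
```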
You should report them; might be a zombie machine. These are usually just part of the normal “internet noise” of machines randomly trying to do mischief; rather than something directed at you personally. But the owner probably doesn’t know anything about it. Your NAT/firewall should take care of all of them, since they are not a response to anything you sent out or a hole punched in the firewall for a game or such. If you are using WPA, you should not get any more connection attempts from local NICs where you can see the MACs.
I think this can be considered ‘normal’.
In my router's log I get 3-5 unknown attempts blocked from xyz to myaddress every minute.
In the past I used to look them up with whois, but today I just don't care. Most of them, as sded has already said, are just noise. But you can find interesting stuff too… My most obvious catch was 5 different IPs blocked which were registered to the same Chinese college. And I wasn't browsing the net, only the Comodo forums.
And the neighbours… maybe it's due to the fact that Windows is configured to connect automatically to any new wireless network.
It'll only tell me what company manufactured the network device (not their IP so I can launch a DDoS, grin).
Try scanning your wifi neighborhood to get IPs too… surprisingly, of the 3 wifi routers found in my vicinity, 2 of them were not protected at all… not even the factory "admin, admin" password was changed, lol. So I could log into their router and find out that the MACs blocked on my router are clients on the neighbors'.
If you really want to see what is going on in your wireless neighborhood, get a copy of Ethereal (packet sniffer) and AirSnare (intrusion detection) to see who is looking at you. And NetStumbler, which shows access points, while AirSnare and Ethereal look at traffic. If you have Linux, there are a ton of other very sophisticated tools you can play with. But unless you are running a server, you don't care about things like SYN floods and DDoS; you don't have to listen to the connection attempts like a website does, just block them. All this noise is a good reason to have a router, instead of having it all end up at your software firewall.