Review of my home broadband router logs (suspicious activity?)


Paul M. Cook

Dec 22, 2015, 10:55:38 PM
Does this activity found accidentally in my home broadband
wireless router log seem suspicious to you?

Here is a screenshot of the suspicious log entries:
https://i.imgur.com/iZm1CCq.jpg

When "I" log into my router, I see a line like this:
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15

But, I see the following (suspicious?) activity in my log file:
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 2.133.67.47:11233 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 148.246.193.87:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31

I don't know what this really means: "LAN access from remote".

Looking at the router wired & wireless list of devices, 192.168.1.5
seems to not be attached at the moment.

But, looking back, I can determine (from the MAC address) that it's
my child's Sony Playstation (which has "UPNP events" whatever they are):

[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Tuesday, Dec 22,2015 16:17:47
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15
*****************************************************************
Can you advise me whether I should be worried that there are many
LAN accesses from a remote IP address to a kid's Sony Playstation?
*****************************************************************

ng_reader

Dec 22, 2015, 11:11:47 PM
<snip>

> *****************************************************************
> Can you advise me whether I should be worried that there are many
> LAN accesses from a remote IP address to a kid's Sony Playstation?
> *****************************************************************
>

Are you afraid of, what, exactly?

Paul M. Cook

Dec 22, 2015, 11:21:45 PM
On Tue, 22 Dec 2015 23:11:38 -0500, ng_reader wrote:

> Are you afraid of, what, exactly?

To answer why I ask about these activities, it's that I did not elicit
these transactions, nor do I understand them.

The IP addresses seem to belong to the following (from a whois):
--------------------------------------------------
inetnum: 93.38.176.0 - 93.38.183.255
netname: FASTWEB-DPPU
descr: Infrastructure for Fastwebs main location
descr: NAT POOL 7 for residential customer POP 4106,
country: IT
--------------------------------------------------
inetnum: 177.204/14
aut-num: AS18881
abuse-c: GOI
owner: Global Village Telecom
country: BR
--------------------------------------------------
inetnum: 101.160.0.0 - 101.191.255.255
netname: TELSTRAINTERNET50-AU
descr: Telstra
descr: Level 12, 242 Exhibition St
descr: Melbourne
descr: VIC 3000
country: AU
--------------------------------------------------
inetnum: 181.164/14
status: allocated
aut-num: N/A
owner: CABLEVISION S.A.
ownerid: AR-CASA10-LACNIC
responsible: Esteban Poggio
address: Aguero, 3440,
address: 1605 - Munro - BA
country: AR
--------------------------------------------------
inetnum: 2.133.64.0 - 2.133.71.255
netname: TALDYKMETRO
descr: JSC Kazakhtelecom, Taldykorgan
descr: Metro Ethernet Network
country: KZ
--------------------------------------------------
inetnum: 186.204/14
aut-num: AS28573
abuse-c: GRSVI
owner: CLARO S.A.
ownerid: 040.432.544/0835-06
responsible: CLARO S.A.
country: BR
--------------------------------------------------
inetnum: 148.246/16
status: allocated
aut-num: N/A
owner: Mexico Red de Telecomunicaciones, S. de R.L. de C.V.
ownerid: MX-MRTS1-LACNIC
responsible: Ana María Solorzano Luna Parra
address: Bosque de Duraznos, 55, PB, Bosques de las Lomas
address: 11700 - Miguel Hidalgo - DF
country: MX
--------------------------------------------------
inetnum: 195.67.224.0 - 195.67.255.255
netname: TELIANET
descr: TeliaSonera AB Networks
descr: ISP
country: SE
--------------------------------------------------
inetnum: 1.72.0.0 - 1.79.255.255
netname: NTTDoCoMo
descr: NTT DOCOMO,INC.
descr: Sannno Park Tower Bldg.11-1 Nagatacho 2-chome
descr: hiyoda-ku,Tokyo Japan
country: JP
--------------------------------------------------
inetnum: 1.72.0.0 - 1.79.255.255
netname: MAPS
descr: NTT DoCoMo, Inc.
country: JP
--------------------------------------------------
inetnum: 178.116.0.0 - 178.116.255.255
netname: TELENET
descr: Telenet N.V. Residentials
remarks: INFRA-AW
country: BE
--------------------------------------------------
inetnum: 82.237.140.0 - 82.237.143.255
netname: FR-PROXAD-ADSL
descr: Proxad / Free SAS
descr: Static pool (Freebox)
descr: deu95-3 (mours)
descr: NCC#2005090519
country: FR
--------------------------------------------------
NetRange: 107.192.0.0 - 107.223.255.255
NetName: SIS-80-4-2012
NetHandle: NET-107-192-0-0-1
Parent: NET107 (NET-107-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS7132
Organization: AT&T Internet Services (SIS-80)
City: Richardson
StateProv: TX
--------------------------------------------------
NetRange: 216.98.48.0 - 216.98.63.255
CIDR: 216.98.48.0/20
NetName: UBICOM
NetHandle: NET-216-98-48-0-1
Parent: NET216 (NET-216-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: Ubisoft Entertainment (UBISOF-2)
--------------------------------------------------

Tony Hwang

Dec 23, 2015, 12:00:47 AM
Ask the kid if he is playing on line game.

Paul M. Cook

Dec 23, 2015, 12:11:33 AM
On Tue, 22 Dec 2015 22:00:40 -0700, Tony Hwang wrote:

> Ask the kid if he is playing on line game.

He does play online, but I don't know if *those* are
activities *he* initiated, or if they are attempts
to attack us.

Micky

Dec 23, 2015, 3:39:04 AM
On Wed, 23 Dec 2015 00:11:30 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:
Maybe you could ask him and you could also have him play a game at a
recorded time and then check your log to see if the entries are
similar.

AIUI, the average desktop gets thousands of pings a day. When I had
that famous software firewall whose name escapes me, it would record
and count them.

But that doesn't mean the outside ip is targeting your kid
specifically. Maybe it just goes through IP numbers consecutively,
looking for those that are unprotected.

And it doesn't mean that it can do anything to your kid's device.
Isn't the software in a game or insertable game hard-coded?

And it doesn't mean the pinger wants to. A lot of my pings were from
my own ISP iirc. I don't know why it was doing this when I was
already connected.

What could an outside force do to your kid? Can the game display
messages on it, like "Come to Syria and kill the infidels. Call
1-800-KIL-L-INF". Frankly I think the people who say that 12 or 10
is not too young to talk to their children about sex, drugs, etc. are
missing the mark. What parents should do is talk during dinner to
each other about how stupid drug users are and how stupid and selfish
those who get someone pregnant when they're not married, and they can
do this when the kid is 4 and up and kids will listen to everything
their parents say. But if they are 12 and the parent is telling them
what to do, it will be for some kids a challenge to do the opposite,
because they don't like being lectured. That's why parents should
talk to each other in front of the kids. There are adequate
conversation starters in the news.


Paul M. Cook

Dec 23, 2015, 9:54:09 AM
On Wed, 23 Dec 2015 04:19:59 -0800, DerbyDad03 wrote:

> It's not a question of what could be done to the device, it's whether or
> not that device is allowing access to the home's network. Once inside
> the network it may be possible to gain access to other computers.

Exactly. I'm not worried about the kid being attacked.

I'm worried about the attacker coming in through the port 9000 of the
IP address 192.168.1.5 which, at least today, is the Sony Playstation
(but it could have been any computer on the day of the attack since
I have DHCP).

Once the attacker is on the router, they can potentially get to any
computer or monitor anything or watch or whatever the reason they
got in for.

That there were *many* similar attacks at roughly the same time is
what worries me also.

But, mostly, I am just wanting to know *what* happened, which, from
the log files, I can't tell - but that's why I asked. I don't know
how to correctly *interpret* this particular set of errors.

We're all just guessing. And that's bad.

Tony Hwang

Dec 23, 2015, 9:58:39 AM
Playing on-line game? Kids do most of time.

Paul M. Cook

Dec 23, 2015, 9:58:47 AM
On Wed, 23 Dec 2015 00:22:59 -0700, Don Y wrote:

> Have you edited your log, here? Are there other activities not shown?
> Do you see just these sporadic accesses?

That's an excerpt only but those were the only messages listed with the
prefix of "[LAN access from remote]".

> Most routers will provide a (DHCP?) page that show where the current
> IP addresses that *it* has doled out are being used. (I suspect
> "Attached Devices" in your router).

At the moment, there are no "attached devices" with the DHCP IP
address of 192.168.1.5, and the log file doesn't say which device
in the house was 192.168.1.5 on that day.

But, looking at the log file, at some point thereafter, the
IP address of 192.168.1.5 was the MAC address which is the
Sony Playstation.

I can't tell, from the log, what device had the DHCP given
address of 192.168.1.5 on the day of the attack.

The router shows "attached devices" but it doesn't show
a history.

Paul M. Cook

Dec 23, 2015, 10:06:06 AM
On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:

> Playing on-line game? Kids do most of time.

Maybe. But is *that* what the error message says?

I guess I need to *experiment*, by asking the kid to play a few
games and then watch the router log file.

What is worrisome is that some of the entries don't come from
what I'd expect an online game to come from, e.g., Brazil,
Mexico, Japan, France, etc.


Micky

Dec 23, 2015, 10:16:59 AM
On Wed, 23 Dec 2015 10:06:04 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:
>
>> Playing on-line game? Kids do most of time.
>
>Maybe. But is *that* what the error message says?
>
>I guess I need to *experiment*, by asking the kid to play a few
>games and then watch the router log file.

Good idea.

>What is worrisome is that some of the entries don't come from
>what I'd expect an online game to come from, e.g., Brazil,
>Mexico, Japan, France, etc.

When I went to France in 1974, I thought I could impress girls with
Hershey bars and nylon stockings, but instead I couldn't afford to eat
in a real restaurant.

(though I did eat in an expensive restaurant in Amsterdam before the
flight home, rijstafel, and it was the only meal I shared with a girl I
met the previous day, and we were on the same plane the day after the
meal and we were both sick. From the expensive meal)

IOW, despite the impression we're often given, they have civilization
in those places, and even infra-civilization like games. I'm sure
there are gamers in all those countries, but there may also be hackers.

Mayayana

Dec 23, 2015, 10:17:27 AM
That's interesting. I didn't know routers kept logs. Did
you find that by logging in to the "control panel"?

I used to get a lot of attempts to get into my computer
when I had dialup. That mostly stopped with cable, though
I have caught my cable company, RCN, trying to get
in. I have no idea why. Apparently they just go around
snooping on customers, perhaps tracking how many
machines are at each address, or some such.

First, do you have a good, long password for
your router? You should. Maybe 20 characters.

You didn't mention what computers you have.
Assuming Windows...

It's important to understand that most
Windows computers are full of holes. The default
configuration has numerous unsafe services running.
Many people now also enable remote Desktop
functionality for tech support. You should have a
firewall that blocks all incoming and asks permission
for all outgoing processes. (In many cases it's also
possible to block svchost from going out, which takes
care of most or all Microsoft spyware.)

Some may remember there was a problem with XP
in the early days. A service called Messenger (not
Windows Messenger) was running by default. It was
intended for sys admin people in corporations to be
able to pop up notices to employees on the network.
(Like "Don't forget: Company picnic on Saturday.")
It was being used to show people ads. The problem is
that Windows NT (2000/XP/Vista/7/8/10) is designed
to be a corporate workstation. It's a sieve, set up
with the assumption that the network is safe while
the users can't be trusted. If you want to set up
reasonable security see here:

http://www.blackviper.com/

You can use that site to adjust services. And get a
firewall.

I don't know much about Playstation, but that's
a good example of increasing intrusion online. Online
services and spyware operating systems are changing
the norm. Most software is now designed to call home
without asking. A few years ago that was known as
spyware. Windows 10 is a new level of spyware. It
now has a privacy policy and TOS that claim Microsoft
has a legal right to spy on virtually everything you do.
(I suspect Playstation is probably worse in that regard.)

At the same time, more people want more of those
services. Without selling out to Apple you can't get
all those nifty apps. Without selling out to Adobe you
can no longer use Photoshop without it spying on you.
The latest version is still installed on your computer,
but it's officially marketed as an online service. The
difference is not so much in the software but in the
fact that you have to accept it as spyware. MS Office
and many other programs are going the same way.
They want to steal your car and rent you a taxi.

So there may be different, conflicting concerns
for you. One concern is preventing malware/spyware
intrusion by strengthening your security. But then
there's also the issue of whether you're actually willing
and able to do that in the context of how you want
to use your connected devices. If you want to accept
and use online services then you must accept that
you're now in a shopping mall. The mall cameras,
marketing data collectors and security guards will be
watching. You're on their property, not your own.


Micky

Dec 23, 2015, 10:51:32 AM
On Wed, 23 Dec 2015 09:58:45 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>
>On Wed, 23 Dec 2015 00:22:59 -0700, Don Y wrote:
>
>> Have you edited your log, here? Are there other activities not shown?
>> Do you see just these sporadic accesses?
>
>That's an excerpt only but those were the only messages listed with the
>prefix of "[LAN access from remote]".

I thought I'd look at my log, for the first time in 8 years. The
only wireless device I use is a printer.

Dec/21/2015 18:59:18 DHCP lease IP 192.168.0.106 to
android-fce7fa4f93da6881 64-89-9A-6E-9C-85
Dec/21/2015 18:59:09 DHCP lease IP 192.168.0.106 to
android-fce7fa4f93da6881 64-89-9A-6E-9C-85
Dec/21/2015 18:59:04 DHCP lease IP 192.168.0.106 to
android-fce7fa4f93da6881 64-89-9A-6E-9C-85

Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94
Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94

So who is Dennis? 5 in the morning? That's my time, right? or GMT?

Dec/20/2015 05:20:05 Wireless PC connected 70-3E-AC-DE-14-94
Dec/19/2015 23:51:38 Wireless PC connected A4-EE-57-E3-09-E4

Whose is this wireless PC? I have one, but haven't used it in weeks.

Dec/19/2015 21:48:06 DHCP Request success 192.168.1.46
Dec/19/2015 21:48:06 DHCP Request 192.168.1.46
Dec/19/2015 15:16:58 DHCP lease IP 192.168.0.100 to EPSONE309E4
A4-EE-57-E3-09-E4
Dec/19/2015 10:13:04 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94
Dec/19/2015 10:13:02 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94

The Epson is my printer. I was probably printing the crossword
puzzle. But more Dennis!

Dec/19/2015 10:13:02 Wireless PC connected 70-3E-AC-DE-14-94
Dec/19/2015 07:51:01 DHCP lease IP 192.168.0.105 to
android_a1d17253796b3c9c 14-7D-C5-A7-E9-5C

I have a cell phone that runs android, but I don't think I've had it
on in the house on the 19th. I haven't tried to connect to wifi with
it for a year or more.

Could something like this cause interruptions in my internet, which I
get sometimes? The router light for the jack I use flickers all the
time, but sometimes no data gets dl'd. I have DSL.

Dec/16/2015 15:12:23 DHCP lease IP 192.168.0.103 to Tiyes-Iphone-2
20-A2-E4-E7-81-36

Dec/16/2015 08:49:25 Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 06:25:38 Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 05:27:09 Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 05:26:17 Wireless PC connected A4-EE-57-E3-09-E4

Dec/13/2015 20:22:09 Wireless PC connected A4-EE-57-E3-09-E4
Dec/13/2015 20:21:49 Wireless PC connected A4-EE-57-E3-09-E4
Dec/13/2015 12:27:17 DHCP lease IP 192.168.0.103 to Tiyes-Iphone-2
20-A2-E4-E7-81-36
Dec/13/2015 12:27:16 Wireless PC connected 20-A2-E4-E7-81-36

Dec/09/2015 08:06:17 DHCP lease IP 192.168.0.106 to Sharlenes-iPad
34-C0-59-19-F9-46

Hmmm..

To send myself the log it asks for SMTP Server / IP Address .

Does that mean the smtp server is enough, or do I need its IP address
too, which I don't know?

Help says "SMTP Server - The address of the SMTP (Simple Mail Transfer
Protocol) server that will be used to send the logs." but I haven't
gotten the email I sent yet, and I should have by now.

Paul M. Cook

Dec 23, 2015, 10:59:01 AM
On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

> To send myself the log it asks for SMTP Server / IP Address .

I saw the send-log command, but I just copy-and-pasted my
router log into a text file on the computer.

1. While looking at the router log file from within your browser:
Control-A to select all
Control-C to copy

2. Then paste that into any open text file:
Control-V to paste

Paul M. Cook

Dec 23, 2015, 11:02:46 AM
On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

> Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
> 70-3E-AC-DE-14-94
> Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
> 70-3E-AC-DE-14-94
>
> So who is Dennis? 5 in the morning?
> That's my time, right? or GMT?

I just logged into my Netgear WNDR3400v2 router, and went to the
advanced tab of Administration > Logs

It says on top of the window what time it "thinks" it is:
Current Time: Wednesday, Dec 23,2015 08:03:08

Looking at the clock, that's the local time in my time zone.

Paul M. Cook

Dec 23, 2015, 11:07:45 AM
On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

> Dec/19/2015 21:48:06 DHCP Request success 192.168.1.46
> Dec/19/2015 21:48:06 DHCP Request 192.168.1.46
> Dec/19/2015 15:16:58 DHCP lease IP 192.168.0.100 to EPSONE309E4
> A4-EE-57-E3-09-E4
> Dec/19/2015 10:13:04 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
> 70-3E-AC-DE-14-94
> Dec/19/2015 10:13:02 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
> 70-3E-AC-DE-14-94
>
> The Epson is my printer. I was probably printing the crossword
> puzzle. But more Dennis!

There is what appears to be an iPhone connecting to your router.

You can look up the first half of the MAC address (the OUI) to see
what kind of device it appears to be from:
https://www.adminsub.net/mac-address-finder

Dennis' MAC address is the following:
(70-3E-AC) (DE-14-94)

The organizationally unique part is the first half:
(70-3E-AC)

That indeed is an Apple device OUI:
703EAC indeed resolves to "Apple, Inc."

Paul M. Cook

Dec 23, 2015, 11:13:45 AM
On Wed, 23 Dec 2015 10:17:10 -0500, Mayayana wrote:

> That's interesting. I didn't know routers kept logs. Did
> you find that by logging in to the "control panel"?

I don't know of *any* router that does *not* keep logs.
Usually they start at reboot time, and go on forever from there.
For my Netgear router, I log in and then go to:
Advanced > Administration > Logs

> I used to get a lot of attempts to get into my computer
> when I had dialup. That mostly stopped with cable, though
> I have caught my cable company, RCN, trying to get
> in. I have no idea why. Apparently they just go around
> snooping on customers, perhaps tracking how many
> machines are at each address, or some such.

Cable should be the worst, as I understand it, since anyone
in your neighborhood on the same cable is essentially connected
to you as I understand it.

So, I'd be sure to have a router, but, as we all know, anyone
who knows what they're doing can get past our cheap routers.

> First, do you have a good, long password for
> your router? You should. Maybe 20 characters.

The thing is that most routers don't allow a password greater
than 8 characters (from my experience). Sure, they'll *let*
you type a long password - but they'll take anything (or nothing)
after the first 8 characters.

Try it. That's how "my" router works.

> You didn't mention what computers you have.
> Assuming Windows...

Oh, I have everything. Windows. Linux. OS/X. iOS, Android.
Printers. And other devices (like the playstation).

M. Stradbury

Dec 23, 2015, 11:15:15 AM
On Wed, 23 Dec 2015 10:17:10 -0500, Mayayana wrote:

> First, do you have a good, long password for
> your router? You should. Maybe 20 characters

Which router password are you talking about?

1. The Admin password?
2. The SSID WPA2/PSK passphrase?

Micky

Dec 23, 2015, 11:19:53 AM
On Wed, 23 Dec 2015 10:58:58 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:
>
>> To send myself the log it asks for SMTP Server / IP Address .
>
>I saw the send-log command, but I just copy-and-pasted my
>router log into a text file on the computer.
>
>1. While looking at the router log file from within your browser:
> Control-A to select all

I tried that but it highlighted the whole page, not just the data.

So it was easier to use the cursor to choose what to highlight.

My firmware is almost 11 years old. Maybe D-Link has refined it by
now.

Plus there are 20 pages of data, each requiring separate copying, so I
was hoping to get all 20 pages in one email.

And that includes only System Activity, Attacks, and Notice, not Debug
Information and Dropped Packets.

Later I will check those to see what shows up.

Tony Hwang

Dec 23, 2015, 11:20:21 AM
PSK? How about AES?

Oren

Dec 23, 2015, 11:22:14 AM
On Wed, 23 Dec 2015 10:06:04 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:
Personally, I would turn off DHCP and manually give each machine a
static IP number. Any outside machine connecting to your network is
being issued an IP number.

"...DHCP is a good option for easy home networking. But if you
are truly serious about network security—if you have sensitive data
residing on your network or just want to make data or identity theft
much less likely—you're probably better off sticking with disabling
DHCP and maintaining full manual control of your home network."

Two Cents.

Micky

Dec 23, 2015, 11:24:21 AM
On Wed, 23 Dec 2015 11:02:44 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:
>
>> Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>> 70-3E-AC-DE-14-94
>> Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>> 70-3E-AC-DE-14-94
>>
>> So who is Dennis? 5 in the morning?
>> That's my time, right? or GMT?
>
>I just logged into my Netgear WNDR3400v2 router, and went to the
>advanced tab of Administration > Logs
>
>It says on top of the window what time it "thinks" it is:
> Current Time: Wednesday, Dec 23,2015 08:03:08

Mine doesn't show the time anywhere, but if yours shows the current
time, that's good enough for me.

I noticed that because some families have so many wireless devices,
they've redesigned routers and now many are 100 to 200 dollars. That
means I should be able to get a 2-year old one cheap. Actually I
bought cheap at a hamfest what I thought was identical, and only
noticed a year later that it was a router like mine but without the
wireless part. Now is a bad time to try it because every day I may
wish to print the crossword.

Micky

Dec 23, 2015, 11:24:57 AM
On Wed, 23 Dec 2015 11:07:42 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:
>
>> Dec/19/2015 21:48:06 DHCP Request success 192.168.1.46
>> Dec/19/2015 21:48:06 DHCP Request 192.168.1.46
>> Dec/19/2015 15:16:58 DHCP lease IP 192.168.0.100 to EPSONE309E4
>> A4-EE-57-E3-09-E4
>> Dec/19/2015 10:13:04 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>> 70-3E-AC-DE-14-94
>> Dec/19/2015 10:13:02 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>> 70-3E-AC-DE-14-94
>>
>> The Epson is my printer. I was probably printing the crossword
>> puzzle. But more Dennis!
>
>There is what appears to be an iPhone connecting to your router.
>
>You can look up the first half of the MAC address (the OUI) to see
>what kind of device it appears to be from:
> https://www.adminsub.net/mac-address-finder

Good to know. Thanks.

>Dennis' MAC address is the following:
> (70-3E-AC) (DE-14-94)
>
>The organizationally unique part is the first half:
> (70-3E-AC)
>
>That indeed is an Apple device OUI:
> 703EAC indeed resolves to "Apple, Inc."

So that means it's an Apple device, like an iphone.

Not that it's someone working at Apple, inc.!

Micky

Dec 23, 2015, 11:32:45 AM
On Wed, 23 Dec 2015 10:17:10 -0500, "Mayayana"
<maya...@invalid.nospam> wrote:

> That's interesting. I didn't know routers kept logs. Did
>you find that by logging in to the "control panel"?

No, the control panel is on the computer.

You have to go to the router. The address is in the manual. In
D-link and I think maybe all of them it's http://192.168.0.1
>
> I used to get a lot of attempts to get into my computer
>when I had dialup. That mostly stopped with cable, though
>I have caught my cable company, RCN, trying to get

I had RCN too, dialup, but after years of their promising high-speed,
I decided they were kidding, so I had to go to Verizon.

They said I could have email only, with no access to the net, for 3 a
month, but then 4 months later, with no warning, they took away my
ability to send email, and because of the way Eudora is set up, it's
not totally obvious how to change the settings to send only via
Verizon. (They also did 3 other bad things to me. And currently,
if my credit card number changes and the automatic payment doesn't
work, they told me I had told them not to send either an email or a
postal mail. I never said that. So 3 times over several years
they disconnected me with no warning, and one time they threw away all
my email, including any I hadn't downloaded yet.

Later they raised it from 3 to 4 a month.

Now if they won't notify me both ways, I asked to be notified by
email, but they said they won't do that. It's an email company but
they won't notify me by email.

How has your customer service been?

>in. I have no idea why.

That's what I said in another post. I was referring to Erols/RCN.

Mayayana

Dec 23, 2015, 12:03:53 PM
| > First, do you have a good, long password for
| > your router? You should. Maybe 20 characters.
|
| The thing is that most routers don't allow a password greater
| than 8 characters (from my experience). Sure, they'll *let*
| you type a long password - but they'll take anything (or nothing)
| after the first 8 characters.
|
| Try it. That's how "my" router works.
|

I tried it. I entered the first 13 characters. It didn't
let me in. I've never heard of an 8-char limit.

| > You didn't mention what computers you have.
| > Assuming Windows...
|
| Oh, I have everything. Windows. Linux. OS/X. iOS, Android.
| Printers. And other devices (like the playstation).
|

I don't see any scanning or contact in my logs,
but I also only use computers, with no networking,
and get informed by my firewall about unrequested
incoming. You may not have much option with
Playstation. I assume it's not under your control.
But you should have firewalls on your computers
that will drop incoming requests. (Though that's
one of the many shortcomings of Linux in my book.
Last I checked, Linux firewalls could stop incoming
but didn't monitor outgoing.)


Oren

Dec 23, 2015, 12:07:51 PM
On Wed, 23 Dec 2015 09:54:05 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>Once the attacker is on the router, they can potentially get to any
>computer or monitor anything or watch or whatever the reason they
>got in for.

...and run a packet sniffer that captures passwords, network traffic,
etc. into a log file.

<http://netsecurity.about.com/od/informationresources/a/What-Is-A-Packet-Sniffer.htm>

Adrian Caspersz

Dec 23, 2015, 12:19:08 PM
On 23/12/15 03:55, Paul M. Cook wrote:
> Does this activity found accidentally in my home broadband
> wireless router log seem suspicious to you?
>
> Here is a screenshot of the suspicious log entries:
> https://i.imgur.com/iZm1CCq.jpg
>
> When "I" log into my router, I see a line like this:
> [Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
>
> But, I see the following (suspicious?) activity in my log file:
> [LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
> [LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
...

Informational logs, not a warning or critical error.

> [UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15
> *****************************************************************
> Can you advise me whether I should be worried that there are many
> LAN accesses from a remote IP address to a kid's Sony Playstation?
> *****************************************************************
>

It's how the games can only work. Your uPNP enabled router is port
forwarding that incoming traffic to a specific machine on your LAN, your
kid's playstation. It would take a flaw, or a hack, in your router for
this traffic to go anywhere else.

Personally, I wouldn't have a problem with it.

Try playing about with anything that uses peer-to-peer services like
Skype, Spotify or torrent programs and you'll see much the same logs.

Have your kid take a break from that game and you both have a read of
the following Microsoft ebook on

https://www.microsoft.com/en-gb/download/details.aspx?id=1522
or http://www.ownyourspace.net/

--
Adrian C

Mayayana

Dec 23, 2015, 12:22:02 PM
| > That's interesting. I didn't know routers kept logs. Did
| >you find that by logging in to the "control panel"?
|
| No, the control panel is on the computer.
|
| You have to go to the router. The address is in the manual. In
| D-link and I think maybe all of them it's http://192.168.0.1

Yes. That's what I was referring to. I think of it
as a control panel. I'm not sure whether it's called
that. My web host, too, calls it a control panel when
I log in.

| >
| > I used to get a lot of attempts to get into my computer
| >when I had dialup. That mostly stopped with cable, though
| >I have caught my cable company, RCN, trying to get
|
| I had RCN too, dialup, but after years of their promising high-speed,
| I decided they were kidding, so I had to go to Verizon.
|
| They said I could have email only, with no access to the net, for 3 a
| month, but then 4 months later, with no warning, they took away my
| ability to send email, and because of the way Eudora is set up, it's
| not totally obvious how to change the settings to send only via
| Verizon. (They also did 3 other bad things to me. And currently,
| if my credit card number changes and the automatic payment doesn't
| work, they told me I had told them not to send either an email or a
| postal mail. I never said that. So 3 times over several years
| they disconnected me with no warning, and one time they threw away all
| my email, including any I hadn't downloaded yet.
|
| Later they raised it from 3 to 4 a month.
|
| Now if they won't notify me both ways, I asked to be notified by
| email, but they said they won't do that. It's an email company but
| they won't notify me by email.
|
| How has your customer service been?
|

I've found the service to be very good.
Customer service is 24/7, and seems to be American.
Recently we got an upgraded modem because speeds
were slow, and that seems to have fixed it. In the
process they accidentally disconnected my separate
RCN phone wire. But then they came the next morning
and upgraded that as well, for free.

My only complaint is that they periodically raise the price
for no reason. But then if we call up they agree to lower it
again. ?? It seems to be the new strategy: Fleece the
customer base and then be nice to anyone who complains.
I suppose a lot of people are now on auto-payment
and don't notice.
Considering complaints I hear from customers of other
companies, I feel very content with RCN. But I never
had dialup with them.

I get ads about every two weeks for Verizon FIOS.
They have several inches of tiny fine print, in light gray,
that I can't even read with glasses on. There's no way
to find out the actual cost of the service. It's like an ad
out of a cartoon. I have no need for FIOS, anyway.
Recently a salesman came to the door. He wanted to tell
me that Verizon had some spiffy new wiring and that I
should switch. I told him how Verizon keeps sending ads
but won't even tell me what the product costs. He smiled
and said, "That's why I'm here." Then I said goodbye to
him and closed the door. They must be making very big
profits to justify sending out salesmen.

But that problem is not just with Verizon. A couple of
years ago I went around to cellphone providers to find
out what a basic plan costs. ATT/Verizon/Sprint/T-Mobile.
All of them had plans starting at $40. Not one could/would
tell me what the actual bill would be after the various scam
fees and taxes were added on.



Paul M. Cook

Dec 23, 2015, 12:39:14 PM
On Wed, 23 Dec 2015 08:22:08 -0800, Oren wrote:

> Personally, I would turn off DHCP and manually give each machine a
> static IP number.

I have never not used DHCP.

How do we assign permanent IP addresses when devices come on and
off the network all the time?

Do we attach the IP address to the MAC address of the device?

For example, if the Android phone is MAC address DE:AD:BE:EF:CA:FE,
do we attach the IP address 192.168.1.10 to *that* MAC address from
the router?

Or, is there some other way of doing it from the device itself?

Paul M. Cook

Dec 23, 2015, 12:41:38 PM
On Wed, 23 Dec 2015 09:07:46 -0800, Oren wrote:

> ...and run a packet sniffer that captures passwords, network traffic,
> etc. into a log file.

I have run wifi-radar, kismet, and iwscanner, but the output is
horrendously cryptic.

I hear there is Wireshark, AirShark, netstumbler, & netcrumbler,
so, maybe one of those has easier to read output?

Paul M. Cook

Dec 23, 2015, 12:42:53 PM
On Wed, 23 Dec 2015 11:19:48 -0500, Micky wrote:

> I tried that but it highlighted the whole page, not just the data.
>
> So it was easier to use the cursor to choose what to highlight.

In any browser session, you can also use "control F" and then type
in what you're looking for.

Then select just that which you found.

F3 moves to the next find.
Shift F3 moves backward to the previous find.

Paul M. Cook

Dec 23, 2015, 12:43:33 PM
On Wed, 23 Dec 2015 11:19:48 -0500, Micky wrote:

> Plus there are 20 pages of data, each requiring separate copying, so I
> was hoping to get all 20 pages in one email.

Makes sense.

Let me know if you figure out the email because I didn't figure it
out myself on mine, and my firmware is fully up to date.

Paul M. Cook

Dec 23, 2015, 12:46:03 PM
On Wed, 23 Dec 2015 11:24:52 -0500, Micky wrote:

> So that means it's an Apple device, like an iphone.
>
> Not that it's someone working at Apple, inc.!

If you can get an IP address like I did on my router logs,
you can run a "whois" command which will reverse IP check.

https://duckduckgo.com/?q=reverse+ip+address+lookup

If it's coming from Apple, whois will tell you that.

Of course, most of the time "I" run it, the IP address
is coming from China, but even that can be spoofed with
VPN or some other means.

Paul M. Cook

Dec 23, 2015, 12:46:58 PM
On Wed, 23 Dec 2015 12:03:34 -0500, Mayayana wrote:

> I tried it. I entered the first 13 characters. It didn't
> let me in. I've never heard of an 8-char limit.

Are we talking about the ROUTER "admin" password?
Or are we talking about the ESSID encryption passcode?

They're different things.
"I" was talking about the router admin password.

Oren

Dec 23, 2015, 12:53:55 PM
On Wed, 23 Dec 2015 12:39:11 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>On Wed, 23 Dec 2015 08:22:08 -0800, Oren wrote:
>
>> Personally, I would turn off DHCP and manually give each machine a
>> static IP number.
>
>I have never not used DHCP.
>
>How do we assign permanent IP addresses when devices come on and
>off the network all the time?
>
>Do we attach the IP address to the MAC address of the device?
>

<https://tinyurl.com/hkqsa3t> The first link includes computers and
gaming consoles.

>For example, if the Android phone is MAC address DE:AD:BE:EF:CA:FE,
>do we attach the IP address 192.168.1.10 to *that* MAC address from
>the router?
>
>Or, is there some other way of doing it from the device itself?

Can't speak for the phone, sorry.

Paul M. Cook

Dec 23, 2015, 12:54:46 PM
On Wed, 23 Dec 2015 09:20:13 -0700, Tony Hwang wrote:

>> 1. The Admin password?
>> 2. The SSID WPA2/PSK passphrase?
>>
> PSK? How about AES?

I think you're talking about different things that have nothing
to do with each other.

AFAIK, WPA2 is the strongest "we" can generally get (being normal
homeowners and not corporations) on our routers.

For us, the PSK (pre-shared key) is the way "we" homeowners do
WPA2. It just is.

However, if we were a corporation, we could do more with WPA2
than pre-shared keys, which, I don't remember what it's called,
but it's some kind of rotating or assigned key that the IT
department of the company can manage (instead of the router).

What you seem to be talking about is the difference between
various security options, such as:
* WPA-PSK [TKIP]
* WPA-PSK [AES]
* WPA-PSK [TKIP] + WPA-PSK [AES]

All of those above are WPA2/PSK.

Oren

Dec 23, 2015, 1:00:02 PM
On Wed, 23 Dec 2015 12:41:36 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:
Encrypted packets will be scrabbled, so it is even more secure...

"...Another way to protect your network traffic from being
sniffed is to use encryption such as Secure Sockets Layer (SSL) or
Transport Layer Security (TLS). Encryption doesn't prevent packet
sniffers from seeing source and destination information, but it does
encrypt the data packet's payload so that all the sniffer sees is
encrypted gibberish. Any attempt to modify or inject data into the
packets would likely fail since messing with the encrypted data would
cause errors that would be evident when the encrypted information was
decrypted at the other end."

Mayayana

Dec 23, 2015, 1:27:27 PM
| Are we talking about the ROUTER "admin" password?
| Or are we talking about the ESSID encryption passcode?
|
| They're different things.
| "I" was talking about the router admin password.
|

Yes. I don't know why people are making this
so complicated. There have been cases of
routers being hacked, sometimes because they're
set with default passwords that don't get
changed. Not a big issue. Just one thing to
make sure you have covered.


Danny D.

Dec 23, 2015, 2:52:42 PM
Micky wrote, on Wed, 23 Dec 2015 11:24:16 -0500:

> I noticed that because some families have so many wireless devices,
> they've redesigned routers and now many are 100 to 200 dollars.

You can't go wrong with almost any "ac" router nowadays.
An "ac1200" router will be just fine for almost any household.

Danny D.

Dec 23, 2015, 3:09:09 PM
Don Y wrote, on Wed, 23 Dec 2015 12:57:02 -0700:

> First, the SSID is effectively public. Even if you turn off SSID
> broadcasts, it's trivial to detect your SSID. So, any sort of
> access control you expect to gain from *hiding* it is laughable!
> Likewise, making it "obscure" -- "sdsf0gl9k2345s0d" -- won't
> buy you anything.

Jeff Liebermann knows this stuff much better than I do, but here
is what he taught me.

WORSE THAN YOU SAID:

1. If you hide your SSID, then your laptop has to look for it on
purpose, which it dutifully does (that's how it finds it).
However, that also means that when you boot your laptop at
Starbucks, it *still* looks *first* for your hidden IP (because
your laptop has no idea you're at Starbucks yet). Only after
your laptop can no longer find the SSID it wanted first, does
the laptop look for *other* broadcast SSIDs.

Hence, you have *worse* privacy at a hotspot when you decide
to not broadcast your SSID at home.

MOSTLY TRUE WHAT YOU SAID:
2. Making your SSID obscure is critical if you want to stay out
of rainbow hash tables. Anyone who knows YOUR SSID already
can download a hash table that allows them to log into your
router using the SSID as a "salt".

So you really really really want to have a UNIQUE ESSID!
https://security.stackexchange.com/questions/92903/rainbow-tables-hash-tables-versus-wpa-wpa2

MORE CONSIDERATIONS:
3. In addition, you don't want your unique ESSID to pinpoint
you, so don't name it after your last name or your address.

4. One more thing, the BSSID (i.e., the MAC address) of your
router is what Google puts into its database when that
spycar drives down your road. Short of putting up a sign
saying "private road", you can't stop them from driving
past your home and gathering your BSSID and those of your
neighbors.

One thing you can do is change your ESSID to have "_nomap"
on the end of it, which Google says they won't keep. Yes,
I know, they expect the entire world to opt out manually
that way, which is silly, but that's what they do.

Otherwise, you'll need to change *both* your ESSID and
your BSSID (MAC address) periodically, so that Google
databases no longer have accurate records. (You can't
do anything about your stupid neighbors though, so,
you're already doomed.)
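
Added example (not part of Danny D.'s post or the thread): WPA2-PSK derives its master key from the passphrase with the SSID as the PBKDF2 salt, so a precomputed table is only valid for the exact SSID it was built for. The sketch below shows that and audits an SSID against the points in the post above; `COMMON_SSIDS`, `audit_ssid`, `table_is_reusable` and the sample names are assumptions made for illustration.

```python
import hashlib

# Constructed, illustrative list of factory-default style names. Real
# precomputed tables target whichever SSIDs are most common in the wild.
COMMON_SSIDS = {"linksys", "netgear", "dlink", "default", "home", "wireless"}


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase,
    SSID as salt, 4096 iterations, 32-byte output (IEEE 802.11i)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, 4096, 32)


def table_is_reusable(table_ssid: str, target_ssid: str, passphrase: str) -> bool:
    """A table precomputed for table_ssid helps against target_ssid only if
    the same passphrase yields the same key under both salts."""
    return wpa2_pmk(passphrase, table_ssid) == wpa2_pmk(passphrase, target_ssid)


def audit_ssid(ssid: str, personal_terms=()) -> list:
    """Return findings for the three SSID points raised in the post."""
    findings = []
    base = ssid[: -len("_nomap")] if ssid.endswith("_nomap") else ssid
    # Salts are byte-exact; matching case-insensitively here is deliberately
    # conservative, since close variants of a default name are common too.
    if base.lower() in COMMON_SSIDS:
        findings.append("common-ssid")
    if any(t and t.lower() in ssid.lower() for t in personal_terms):
        findings.append("identifies-owner")
    if not ssid.endswith("_nomap"):
        findings.append("no-nomap-suffix")
    return findings


if __name__ == "__main__":
    phrase = "correct horse battery"          # constructed passphrase
    for name in ("linksys", "SmithHouse", "k7q2-vrx9_nomap"):
        print(name, wpa2_pmk(phrase, name).hex()[:16], audit_ssid(name, ("smith",)))
    print("table for 'linksys' reusable on unique SSID:",
          table_is_reusable("linksys", "k7q2-vrx9_nomap", phrase))
```

A unique SSID only removes the precomputation shortcut; a short or guessable passphrase can still be guessed directly, so passphrase length remains the main control.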

Micky

Dec 23, 2015, 3:43:02 PM
On Wed, 23 Dec 2015 12:43:31 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:
Well, I just googled and there is something called
SMTP Server / IP Address


How to Find My SMTP Server IP Address
http://www.ehow.com/how_5810894_smtp-server-ip-address.html
Click "Start," then "Run" and type "cmd" in the box that appears.

Press enter. A command window will appear.

Type "ping," a space and then the name of your SMTP Server. For
example, type "ping smtp.server.com" and press "Enter." The window
will then try to contact the SMTP server by the IP address. It will
say, "Pinging x.x.x.x with 32 bytes of data." The "x.x.x.x" will be
the SMTP server's IP address.


So I'm debating whether I should put [ ] around the number and then it
turns out, even without the [ ] there isn't enough room for the
entire number!! Even though it's the standard length 3,2,3,3 = 11
plus 3 dots. So I removed the smtp value and put only the IP
address, and sent it, and that didn't work either.

Sam E

Dec 23, 2015, 3:50:25 PM
[snip]

> Encrypted packets will be scrabbled, so it is even more secure...

Scrabbled? You mean your router adds randomly-chosen letters to make new
words?

[snip]

--
2 days until the winter celebration (Friday December 25, 2015 12:00:00
AM for 1 day).

"[O]ld beliefs die hard even when demonstrably false." Edward O. Wilson,
Consilience: The Unity of Knowledge, (First edition, New York: Alfred A.
Knopf, 1998), p. 256.

Oren

Dec 23, 2015, 4:02:06 PM
On Wed, 23 Dec 2015 14:50:21 -0600, Sam E
<why.sho...@be.email.invalid> wrote:

>> Encrypted packets will be scrabbled, so it is even more secure...
>
>Scrabbled? You mean your router adds randomly-chosen letters to make new
>words?

My bad. I should have said gibberish that looks like Japanese
arithmetic.

John Robertson

Dec 23, 2015, 5:05:07 PM
On 12/23/2015 7:06 AM, Paul M. Cook wrote:
> On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:
>
>> Playing on-line game? Kids do most of time.
>
> Maybe. But is *that* what the error message says?
>
> I guess I need to *experiment*, by asking the kid to play a few
> games and then watch the router log file.
>
> What is worrisome is that some of the entries don't come from
> what I'd expect an online game to come from, e.g., Brazil,
> Mexico, Japan, France, etc.
>
>

Turn OFF PING BACK.

In case it isn't already off. Then ask your IP for a new address - which
can be as simple as turning off your broadband router for five minutes.

John :-#)#

--
(Please post followups or tech inquiries to the USENET newsgroup)
John's Jukes Ltd. 2343 Main St., Vancouver, BC, Canada V5T 3C9
(604)872-5757 or Fax 872-2010 (Pinballs, Jukes, Video Games)
www.flippers.com
"Old pinballers never die, they just flip out."

Tony Hwang

Dec 23, 2015, 5:16:02 PM
John Robertson wrote:
> On 12/23/2015 7:06 AM, Paul M. Cook wrote:
>> On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:
>>
>>> Playing on-line game? Kids do most of time.
>>
>> Maybe. But is *that* what the error message says?
>>
>> I guess I need to *experiment*, by asking the kid to play a few
>> games and then watch the router log file.
>>
>> What is worrisome is that some of the entries don't come from
>> what I'd expect an online game to come from, e.g., Brazil,
>> Mexico, Japan, France, etc.
>>
>>
>
> Turn OFF PING BACK.
>
> In case it isn't already off. Then ask your IP for a new address - which
> can be as simple as turning off your broadband router for five minutes.
>
> John :-#)#
>
If you are worried, block the port and see what happens.

ssinzig

Dec 23, 2015, 5:22:35 PM
Paul M. Cook wrote:
> Does this activity found accidentally in my home broadband wireless
> router log seem suspicious to you?
>
> Here is a screenshot of the suspicious log entries:
> https://i.imgur.com/iZm1CCq.jpg
>
> When "I" log into my router, I see a line like this: [Admin login]
> from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
>
> But, I see the following (suspicious?) activity in my log file: [LAN
> access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000,
> Saturday, Dec 19,2015 06:42:41 [LAN access from remote] from
> 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015
> 06:41:54 [LAN access from remote] from 101.176.44.21:1026 to
> 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19 [LAN access from
> remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec
> 19,2015 06:34:19 [LAN access from remote] from 2.133.67.47:11233 to
> 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19 [LAN access from
> remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec
> 19,2015 06:34:19 [LAN access from remote] from 148.246.193.87:9000 to
> 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19 [LAN access from
> remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec
> 19,2015 06:34:16 [LAN access from remote] from 1.78.16.174:47891 to
> 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16 [LAN access from
> remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec
> 19,2015 06:34:16 [LAN access from remote] from 82.237.141.86:9000 to
> 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16 [LAN access from
> remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec
> 19,2015 06:34:11 [LAN access from remote] from 216.98.48.95:11020 to
> 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31
>
> I don't know what this really means: "LAN access from remote".
>
> Looking at the router wired & wireless list of devices, 192.168.1.5
> seems to not be attached at the moment.
>
> But, looking back, I can determine (from the MAC address) that it's
> my child's Sony Playstation (which has "UPNP events" whatever they
> are):
>
> [UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday,
> Dec 19,2015 06:32:28 [DHCP IP: (192.168.1.5)] to MAC address
> F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18 [DHCP IP:
> (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Tuesday, Dec 22,2015
> 16:17:47 [UPnP set event: Public_UPNP_C3] from source 192.168.1.5,
> Tuesday, Dec 22,2015 16:46:15
> ***************************************************************** Can
> you advise me whether I should be worried that there are many LAN
> accesses from a remote IP address to a kid's Sony Playstation?
> *****************************************************************
>


You are seeing outside devices the "[LAN access from remote] from
93.38.179.187:9000" part, using port 9000 the ":9000 " part and trying
to connect to your child's sony playstation. Presumably he or she is
playing a game on-line and there is some sort of interactive content,
maybe voice or video message chat or something.

Since your router appears to support UPNP, it is probably automatically
opening connections on this port to allow network traffic like I
described above (some sort of online in-game chat or something).

I don't think it is something to be too concerned about, but if you are
concerned about this type of network traffic, you could either disable
UPNP on your router or maybe disable port 9000 in the firewall rules (if
the router supports this) of course this may disable the online gaming
capability of the sony playstation, much to your child's dismay.

Video games consoles that connect to the internet are likely sending all
sorts of traffic back and forth through your router. You might try
looking up what types of services typically use port 9000. I bet you
find that it is a typical port used by sony playstations for on-line
gaming. As everything from refrigerators to thermostats go online there
will be much more unidentifiable traffic going through our routers.


Best of luck,

S Sinzig.
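
Added example (not part of ssinzig's post or the thread): one way to check the explanation above against the router log itself is to group the "LAN access from remote" entries by internal host and port, then see whether that host logged a UPnP set event before the first hit. The sample log is constructed in the format of the lines quoted in the thread, with documentation-range remote addresses; the function names and the port 23 line are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the log lines quoted in the thread.
# Internal addresses, MAC, UPnP event name and the 192.168.1.5 timestamps
# follow the post; remote addresses are documentation-range placeholders,
# and the last line (port 23, no UPnP event) is constructed.
SAMPLE_LOG = """\
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
[LAN access from remote] from 198.51.100.23:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 198.51.100.77:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 203.0.113.40:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
[LAN access from remote] from 203.0.113.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
[LAN access from remote] from 203.0.113.7:40000 to 192.168.1.16:23, Friday, Dec 18,2015 03:10:02
"""

TS = r"(?P<ts>\w+, \w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
REMOTE = re.compile(r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
                    r"to (?P<dst>[\d.]+):(?P<dport>\d+), " + TS)
UPNP = re.compile(r"\[UPnP set event: (?P<name>[^\]]+)\] from source (?P<host>[\d.]+), " + TS)
DHCP = re.compile(r"\[DHCP IP: \((?P<host>[\d.]+)\)\] to MAC address "
                  r"(?P<mac>[0-9A-Fa-f:]{17}), " + TS)


def _ts(text):
    # Router format: "Saturday, Dec 19,2015 06:42:41" (router local time).
    return datetime.strptime(text, "%A, %b %d,%Y %H:%M:%S")


def parse(log_text):
    """Collect forwarded flows, UPnP request times and DHCP MACs.
    The router lists newest entries first, so no ordering is assumed."""
    flows = defaultdict(lambda: {"hits": 0, "sources": set(), "first": None, "last": None})
    upnp_times = defaultdict(list)
    macs = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REMOTE.match(line)
        if m:
            f = flows[(m["dst"], int(m["dport"]))]
            t = _ts(m["ts"])
            f["hits"] += 1
            f["sources"].add(m["src"])
            f["first"] = t if f["first"] is None else min(f["first"], t)
            f["last"] = t if f["last"] is None else max(f["last"], t)
            continue
        m = UPNP.match(line)
        if m:
            upnp_times[m["host"]].append(_ts(m["ts"]))
            continue
        m = DHCP.match(line)
        if m:
            macs[m["host"]] = m["mac"].upper()
    return flows, upnp_times, macs


def report(log_text):
    """One row per internal host:port that received forwarded traffic."""
    flows, upnp_times, macs = parse(log_text)
    rows = []
    for (dst, dport), f in sorted(flows.items()):
        # The UPnP log line names the requesting host but not the port, so the
        # match is by host and time only: a request at or before the first hit.
        requested = any(t <= f["first"] for t in upnp_times.get(dst, []))
        rows.append({
            "dst": dst, "dport": dport, "mac": macs.get(dst),
            "hits": f["hits"], "remote_hosts": len(f["sources"]),
            "first": f["first"], "last": f["last"],
            "upnp_requested": requested,
            "verdict": ("forward requested by the LAN host via UPnP" if requested
                        else "no UPnP request logged: check static forwards/DMZ"),
        })
    return rows


if __name__ == "__main__":
    for r in report(SAMPLE_LOG):
        print(f'{r["dst"]}:{r["dport"]} mac={r["mac"]} hits={r["hits"]} '
              f'remotes={r["remote_hosts"]} {r["first"]:%b %d %H:%M:%S} -> {r["verdict"]}')
```

Rows flagged as having no UPnP request are the ones to compare against the router's port forwarding and DMZ pages.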


Paul M. Cook

Dec 23, 2015, 5:31:17 PM
On Wed, 23 Dec 2015 17:22:30 -0500, ssinzig wrote:

> I don't think it is something to be too concerned about, but if you are
> concerned about this type of network traffic, you could either disable
> UPNP on your router or maybe disable port 9000 in the firewall rules

I disabled UPNP.
I'll tell the kid to watch out for stuff not working.

Micky

Dec 23, 2015, 6:19:40 PM
On Wed, 23 Dec 2015 11:24:16 -0500, Micky <NONONO...@bigfoot.com>
wrote:

>On Wed, 23 Dec 2015 11:02:44 -0500, "Paul M. Cook" <pmc...@gte.net>
>wrote:
>
>>On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:
>>
>>> Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>>> 70-3E-AC-DE-14-94
>>> Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>>> 70-3E-AC-DE-14-94
>>>
>>> So who is Dennis? 5 in the morning?
>>> That's my time, right? or GMT?
>>
>>I just logged into my Netgear WNDR3400v2 router, and went to the
>>advanced tab of Administration > Logs
>>
>>It says on top of the window what time it "thinks" it is:
>> Current Time: Wednesday, Dec 23,2015 08:03:08
>
>Mine doesn't show the time anywhere, but if yours shows the current
>time, that's good enough for me.

I figured out a way to verify the time zone, and that's to watch the
log for a new event, or to create a new event, like by trying to send
an email (since I have all 5 kinds of events checked now).

So I did that a couple hours ago and the time that showed in the log
was 7 minutes later than the current time!

I went out for a couple hours and when I tried it just now, the time
the log showed was 11 minutes later than the current time.

Put that in your pipe and smoke it.

>>Looking at the clock, that's the local time in my time zone.

Oscar

Dec 23, 2015, 6:50:44 PM
On Wed, 23 Dec 2015 18:19:36 -0500, Micky wrote:

> I went out for a couple hours and when I tried it just now, the time
> the log showed was 11 minutes later than the current time.

How do you know which one was right?

This is the current time...

http://www.time.gov/

Micky

Dec 23, 2015, 7:14:33 PM
On Wed, 23 Dec 2015 23:50:41 -0000 (UTC), Oscar <os...@notme.invalid>
wrote:

>On Wed, 23 Dec 2015 18:19:36 -0500, Micky wrote:
>
>> I went out for a couple hours and when I tried it just now, the time
>> the log showed was 11 minutes later than the current time.
>
>How do you know which one was right?

The current time was my computer which has maybe never been wrong, but
I checked it with my atomic clock, satellite clock whatever it is.

So, how was it 7 minutes later in the log than in reality? Later
meaning it had not yet reached that time.

And why did that change to 11 minutes?

Adrian Caspersz

Dec 24, 2015, 12:06:23 PM
I suspect he'll tell you first ...

If you are that worried about it, why not put the Playstation in your
DMZ and firewall everything else reaching your LAN? Your kid would get
better gameplay that way.

--
Adrian C

Tony Hwang

Dec 24, 2015, 8:35:10 PM
Someone is connecting to one of your devices connected. (192.168.1.5
what is this in your family?) using port 9000. You can trace route the
other ip address to see what or who this belongs to. Trace route is a
DOS command.

Paul M. Cook

Dec 24, 2015, 11:30:21 PM
On Thu, 24 Dec 2015 14:56:48 -0600, Mark Lloyd wrote:

> Yes, it will. The point of what I posted is that SSID blocking is NOT
> useless. I didn't say anything about it being better than anything else.

Seems to me, that's a lousy tradeoff.

1. You turn off SSID broadcast at home, but that doesn't deter anyone
who knows what he's doing (since your laptop & phone has to broadcast
your hidden SSID to the router, since the router isn't broadcasting
the SSID to the laptop & phone).

2. And, since your laptop or phone doesn't know when it's at home or
at a local hotspot, your laptop and phone end up broadcasting your
SSID to the whole world when you're away from home.

Seems to me, that's a lousy tradeoff.

It's not privacy.
It's just stupidity.

Or ignorance.

Paul M. Cook

Dec 24, 2015, 11:35:57 PM
On Thu, 24 Dec 2015 18:34:58 -0700, Tony Hwang wrote:

> Someone is connecting to one of your devices connected. (
> what is this in your family?) using port 9000. You can trace route the
> other ip address to see what or who this belongs to. Trace route is a
> DOS command.

The 192.168.1.5 IP address belonged to the Sony Playstation.
So, for some reason, the port 9000 was being used.

What does this mean though?
Is this correct?

Assuming my static public IP address was 1.2.3.4, does this mean that someone,
on the Internet, was going to 1.2.3.4:9000, which, somehow (via magic of upnp?)
hit my router and then the router "port forwarded" it to the Sony Playstation at
192.168.1.5 at port 9000?

Paul M. Cook

Dec 24, 2015, 11:36:56 PM
On Thu, 24 Dec 2015 17:06:18 +0000, Adrian Caspersz wrote:

> I suspect he'll tell you first ...
>
> If you are that worried about it, why not put the Playstation in your
> DMZ and firewall everything else reaching your LAN? Your kid would get
> better gameplay that way.

I've heard the word "DMZ" for years, but I really don't know what it is.
So, AFAIK, I don't even *have* a DMZ.

My router is set up like most home routers, which is to say the only
thing that is not default is the SSID login/password and admin login/password.

Tony Hwang

Dec 24, 2015, 11:41:29 PM
Hiding SSID increases security? Wrong. Not much really.
Modem/router combo is always worse than separate router.
Put the supplied modem in bridge mode and use your own router.
If you can't or ISP won't put in to bridge mode for you, there is
another way using DMZ in your modem. I have only DOCSIS III cable modem,
my router at present is Linksys EA8500 which never went down since
I first boot in summer time. Very stable router.

Paul M. Cook

Dec 25, 2015, 12:03:59 AM
On Thu, 24 Dec 2015 21:49:08 -0700, Don Y wrote:

> An SSID that's not being broadcast will not disclose your AP when
> you're not using it. But, it doesn't buy you much of anything.

I think we're sort of saying the same thing, but, I don't know if
we agree on the broadcast details.

We both agree that telling your ROUTER not to broadcast the SSID
is a false security measure.

But, fact is, you *must* broadcast your SSID somehow.

a. So, either the router broadcasts your SSID.
b. Or your mobile device broadcasts your SSID.

Here's how I understand it to work:

1. Let's assume your SSID is "DonY".
2. Let's assume you told your router *not* to broadcast your SSID.
3. Guess what happens when you boot your laptop?
a. Your laptop shouts out "Hey DonY, are you there?"
b. Your router answers "Yes. I am here. I was being quiet".
c. Your laptop connects to your router by that so-called hidden SSID.

Now, guess what your cellphone does?
HINT: Same thing.

So, guess what happens when you boot your laptop at a starbucks?
HINT: Your laptop shouts out "Hey DonY, are you here?"

So, in effect, an SSID that is not being broadcast *by your router*
at home, is broadcast *by your laptop* both at home, and at Starbucks.

If I'm wrong - someone will explain where - but that's how I understand it.

a. Either the router broadcasts the SSID,
b. Or the device does.



Tony Hwang

Dec 25, 2015, 12:34:14 AM
Lots of Googling. Practice makes perfection. Port can be open or closed.
When you close a port, something may not work because some ports are
used as default for certain things. IP address is just like unique
address, port is like a gate. Even if you are knocking on the right
address, if gate is not open, you can't get in (or communicate).
Sounds like you are just using the router with default settings.
Do you use ad blocker, pop up blocker, etc. on your browser or
router? You use W10?

Adrian Caspersz

Dec 25, 2015, 3:45:30 AM
Well, out of the box is not going to do what you want.

However the WNDR3400v2 does support DMZ configuration. There's loads of
netgear, web site and youtube resources to help you do this.

But you must worry about other things. Are you sure letting a child play
some of these (mostly violent) video games is a sensible introduction to
becoming an adult?

--
Adrian C

ssinzig

Dec 25, 2015, 1:31:08 PM
DMZ = "De-Militarized Zone" it is the name given to a port on your
router that can be configured to be completely OPEN to the internet, no
firewall, no port blocking, nothing. This may be advantageous for
someone running a particular type of server on their home network - an
FTP server or Web Server or something that they want to expose to the
internet so that it can be accessed from the outside. In such
configurations that device usually will have a software type firewall
installed to prevent hackers from gaining access.

Most routers I have seen include this feature and it has its uses, but it
must be used with extreme caution!

S Sinzig.

Unquestionably Confused

Dec 25, 2015, 1:34:16 PM
On 12/24/2015 11:03 PM, Paul M. Cook wrote:
> On Thu, 24 Dec 2015 21:49:08 -0700, Don Y wrote:
>
>> An SSID that's not being broadcast will not disclose your AP when
>> you're not using it. But, it doesn't buy you much of anything.
>
> I think we're sort of saying the same thing, but, I don't know if
> we agree on the broadcast details.
>
> We both agree that telling your ROUTER not to broadcast the SSID
> is a false security measure.
>
> But, fact is, you *must* broadcast your SSID somehow.
>
> a. So, either the router broadcasts your SSID.
> b. Or your mobile device broadcasts your SSID.
>
> Here's how I understand it to work:
>
> 1. Let's assume your SSID is "DonY".
> 2. Let's assume you told your router *not* to broadcast your SSID.
> 3. Guess what happens when you boot your laptop?
> a. Your laptop shouts out "Hey DonY, are you there?"
> b. Your router answers "Yes. I am here. I was being quiet".
> c. Your laptop connects to your router by that so-called hidden SSID.
>
> Now, guess what your cellphone does?
> HINT: Same thing.
>
> So, guess what happens when you boot your laptop at a starbucks?
> HINT: Your laptop shouts out "Hey DonY, are you here?"
>
> So, in effect, an SSID that is not being broadcast *by your router*
> at home, is broadcast *by your laptop* both at home, and at Starbucks.

Okay, I understand that explanation. Now please tell me how my iPad or
laptop broadcasting my home SSID willy nilly at the Starbucks or the
passenger terminal at SFO or PHX is going to compromise my home network?

Not saying it couldn't be done but... Talk about freakin' remote...<g>

I don't bother to hide my SSID at home. Anyone who cares to clone a MAC
address to by-pass the MAC filter and decrypt a 26 alpha-numeric pass
phrase can have it. Good luck with that.


ssinzig

Dec 25, 2015, 1:39:21 PM
In short, yes. Your game console or computer or whatever needs to
"talk" to another computer on the internet, in this case it uses Port
9000. The router opens Port 9000 and the packets get through to that
other computer out there on the internet. To reply, that other computer
only knows your static public IP, ie. "1.2.3.4" and sends its packets
back to you at that IP on the same port, 9000. Your router receives
these packets, and does NAT (Network address translation) translating
the packets from 1.2.3.4:9000 (Your public IP) to 192.168.1.5:9000 your
private home network IP and sending them there.
This happens all the time when you are accessing the web, either through
HTTP, FTP, SSL, whatever. They all use their own specific ports, (ie
HTTP is usually port 80, FTP 20 or 21, etc.)

S Sinzig.


Colonel Edmund J. Burke

Dec 25, 2015, 2:01:22 PM
On 12/22/2015 7:55 PM, Paul M. Cook wrote:
> Does this activity found accidentally in my home broadband
> wireless router log seem suspicious to you?


Who the fuck knows or really cares?
It's all just fucking numbers, you arsehole.

Oren

unread,
Dec 25, 2015, 2:07:48 PM12/25/15
to
On Fri, 25 Dec 2015 13:31:01 -0500, ssinzig <ssi...@outlook.com>
wrote:

>DMZ = "De-Militarized Zone" it is the name given to a port on your
>router that can be configured to be completely OPEN to the internet, no
>firewall, no port blocking, nothing. This may be advantageous for
>someone running a particular type of server on their home network - an
>FTP server or Web Server or something that they want to expose to the
>internet so that it can be accessed from the outside. In such
>configurations that device usually will have a software type firewall
>installed to prevent hackers from gaining access.
>
>Most routers I have seen include this feature and it has its uses, but it
>must be used with extreme caution!

True; however, some ISPs will block some ports. Mine blocks FTP
20/21, Web server 80 and another I can't think of at the moment.

Mark Lloyd

unread,
Dec 25, 2015, 2:39:08 PM12/25/15
to
[snip]

> Hiding SSID increases security? Wrong. Not much really.

Not much, but not none either. Consider that most people won't know
there's a network there.

> Modem/router combo is always worse than separate router.

I've never had a combination, but agree that it would be less secure.

> Put the supplied modem in bridge mode and use your own router.
> If you can't or ISP won't put in to bridge mode for you, there is
> another way using DMZ in your modem. I have only DOCSIS III cable modem,
> my router at present is Linksys EA8500 which never went down since
> I first boot in summer time. Very stable router.

I had DOCSIS II until June, when my ISP increased the speed to 50Mbps
which is too fast for a single channel so I had to get a new modem. I
needed a new router too, but that (thankfully) was a completely separate
thing.

--
Currently: happy holidays (Friday December 25, 2015 12:00:00 AM for 1
day).

Mark Lloyd
http://notstupid.us/

"The dogma of the divinity of Jesus should have died on the cross, when
the man of Nazareth gave up the ghost." [Lemuel K. Washburn, _Is The
Bible Worth Reading And Other Essays_]

Mark Lloyd

unread,
Dec 25, 2015, 2:51:05 PM12/25/15
to
On 12/24/2015 11:03 PM, Paul M. Cook wrote:

[snip]

> a. Either the router broadcasts the SSID,
> b. Or the device does.

If your router is broadcasting the SSID, EVERY wireless device in range
will receive it and most will show it to the user.

Compare this to what happens when your device is broadcasting it. Will
others even see that?

whit3rd

unread,
Dec 25, 2015, 3:57:08 PM12/25/15
to
On Thursday, December 24, 2015 at 8:35:57 PM UTC-8, Paul M. Cook wrote:
> On Thu, 24 Dec 2015 18:34:58 -0700, Tony Hwang wrote:
>
> > Someone is connecting to one of your devices connected. (
> > what is this in your family?) using port 9000.

> The 192.168.1.5 IP address belonged to the Sony Playstation.
> So, for some reason, the port 9000 was being used.

Right. The router is accepting back-traffic to one device (the Playstation)
on that one port.

> Assuming my static public IP address was 1.2.3.4, does this mean that someone,
> on the Internet, was going to 1.2.3.4:9000, which, somehow (via magic of upnp?)
> hit my router and then the router "port forwarded" it to the Sony Playstation at
> 192.168.1.5 at port 9000?

Basically, yes. As long as it's ONLY talking to the Playstation, that probably means
that a game is soliciting the feedback (and not that anyone is
trying to attack your network). There's nothing special about '9000', it's
possible that other games use other ports.
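
The check described in the reply above ("as long as it's ONLY talking to the Playstation"), as an added example that is not part of the original post. It parses the router's "[LAN access from remote]" line format quoted earlier in the thread and reports any inbound destination other than the one you expect; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the router log format quoted in this thread.
# Remote addresses are from the documentation ranges, not real hosts.
SAMPLE_LOG = """\
[LAN access from remote] from 203.0.113.7:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 198.51.100.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 203.0.113.99:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 198.51.100.40:51000 to 192.168.1.16:8080, Saturday, Dec 19,2015 06:35:02
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
"""

# Only the inbound-forward entries matter here; other log entry types are skipped.
LINE_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+),"
)


def inbound_by_destination(log_text):
    """Count forwarded inbound connections per (LAN address, LAN port)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[(m["dst"], int(m["dport"]))] += 1
    return counts


def unexpected_destinations(log_text, expected):
    """Return forwarded destinations that are not in the expected set.

    'expected' holds the (LAN address, port) pairs you knowingly opened,
    for example the game console on port 9000.
    """
    return sorted(d for d in inbound_by_destination(log_text) if d not in expected)


if __name__ == "__main__":
    expected = {("192.168.1.5", 9000)}
    for dst, n in sorted(inbound_by_destination(SAMPLE_LOG).items()):
        print(f"{dst[0]}:{dst[1]}  {n} inbound connection(s)")
    for dst in unexpected_destinations(SAMPLE_LOG, expected):
        print(f"REVIEW: inbound traffic forwarded to {dst[0]}:{dst[1]}")
```

Anything reported as REVIEW corresponds to a forward you did not set up yourself, which is the point at which to look at the router's UPnP mapping table and port-forwarding page.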

Paul M. Cook

unread,
Dec 25, 2015, 4:15:15 PM12/25/15
to
On Fri, 25 Dec 2015 12:34:13 -0600, Unquestionably Confused wrote:

> Okay, I understand that explanation. Now please tell me how my iPad or
> laptop broadcasting my home SSID willy nilly at the Starbucks or the
> passenger terminal at SFO or PHX is going to compromise my home network?
>
> Not saying it couldn't be done but... Talk about freakin' remote...<g>

Security is a thousand good practices, just like grammar is, or
cleanliness or politeness or class. They're all a thousand little things.

SSID good practices are what we're talking about here.

There are a few problems with the scenario you proposed, but I have to
manually *insert* an attacker who cares, in order for it to matter.

For example, let's say you're cheating on your wife, and, let's say,
you connected to your girlfriend's SSID, called "GIRLFRIEND" and,
let's say, for now, she's *not* hiding her SSID. Guess what?

Your laptop (or phone) *still* has a record of that connection, which,
if your wife cared to snoop, can see by looking at your laptop or phone.

Now, let's say, for argument's sake, that your wife doesn't have physical
access to your laptop or phone, but, your girlfriend told her router
to not broadcast her SSID, but that you connected to her SSID.

Guess what?

When you're at home, your laptop or phone first shouts out "Hey GIRLFRIEND,
are you there?" and only when the router doesn't respond to that request,
does your laptop or phone bother to go down the list of other stored or
located SSIDs.

> I don't bother to hide my SSID at home. Anyone who cares to clone a MAC
> address to by-pass the MAC filter and decrypt a 26 alpha-numeric pass
> phrase can have it. Good luck with that.

It's actually easier than that *if* you use an existing SSID and password
since the rainbow tables will already have the hash value stored.

I'm not saying "I" care to do that, but someone might.
As always, security is a thousand little things done right.

Paul M. Cook

unread,
Dec 25, 2015, 4:16:52 PM12/25/15
to
On Fri, 25 Dec 2015 13:51:02 -0600, Mark Lloyd wrote:

> If your router is broadcasting the SSID, EVERY wireless device in range
> will receive it and most will show it to the user.
>
> Compare this to what happens when your device is broadcasting it. Will
> others even see that?

Fair enough point.

Security is a thousand little things, all put together.

Paul M. Cook

unread,
Dec 25, 2015, 4:22:25 PM12/25/15
to
On Thu, 24 Dec 2015 22:18:59 -0700, Don Y wrote:

> If you have a good passphrase *and* good encryption, this doesn't
> buy him anything. It's like knowing you have an email address
> at gmail.com (because he saw one of your messages in someone's
> inbox -- assuming you don't correspond with him!) but not knowing
> what your password is!
>
> The real risk is that you can leave security off (weak passphrase)
> and his knowledge of the SSID now lets him get past that (ineffective)
> hiding of the network name!

Depends on what you mean by "good" passphrase because you don't need
*any* passphrase to break into WPA2/PSK encryption because the "salt"
is known (it's the SSID!) and if you use an *existing* passphrase,
you're already doomed.

https://security.stackexchange.com/questions/92903/rainbow-tables-hash-tables-versus-wpa-wpa2

So, you have to substitute *unique* for "good", and only then the
rainbow table hack won't work to break into your router.
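
An added example, not part of the original post, showing the key derivation the post refers to: WPA2-PSK computes its pairwise master key as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes. The helper names and the two short "common" lists are constructed for illustration; the check is meant for auditing your own SSID and passphrase choice.

```python
import hashlib

# Constructed, deliberately tiny stand-ins for the large public lists of
# default SSIDs and common passwords that precomputed tables are built from.
COMMON_SSIDS = {"linksys", "NETGEAR", "default", "dlink"}
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop"}


def wpa2_pmk(passphrase: str, ssid: str) -> str:
    """Derive the WPA2-PSK pairwise master key as a hex string.

    The SSID is the salt, so a table computed for one SSID is useless
    against a network with a different SSID.
    """
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()


def precomputation_findings(ssid: str, passphrase: str) -> list:
    """List the reasons a chosen SSID/passphrase pair is exposed to precomputed tables."""
    findings = []
    if ssid in COMMON_SSIDS:
        findings.append("SSID is a common default: tables precomputed for it may exist")
    if passphrase in COMMON_PASSPHRASES:
        findings.append("passphrase appears in a common-password list")
    if not 8 <= len(passphrase) <= 63:
        findings.append("WPA2 passphrases must be 8 to 63 characters")
    return findings


if __name__ == "__main__":
    # Same passphrase, different SSID (salt): the derived keys share nothing.
    print("linksys  ->", wpa2_pmk("password", "linksys"))
    print("NETGEAR  ->", wpa2_pmk("password", "NETGEAR"))

    for ssid, phrase in [("linksys", "password"),
                         ("quiet-heron-4471", "correct horse battery staple 91")]:
        issues = precomputation_findings(ssid, phrase)
        print(ssid, "->", issues if issues else "no precomputation exposure found")
```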

Paul M. Cook

unread,
Dec 25, 2015, 4:27:01 PM12/25/15
to
On Fri, 25 Dec 2015 13:39:04 -0600, Mark Lloyd wrote:

>> Hiding SSID increases security? Wrong. Not much really.
>
> Not much, but not none either. Consider that most people won't know
> there's a network there

Just remember that there are negative security ramifications at Starbucks
when you decide not to broadcast your SSID at home.

If you're OK with that tradeoff, then you're fine.

If you're unaware of that tradeoff - then - you need to understand it.

Paul M. Cook

unread,
Dec 25, 2015, 4:29:34 PM12/25/15
to
On Fri, 25 Dec 2015 08:45:23 +0000, Adrian Caspersz wrote:

> But you must worry about other things. Are you sure letting a child play
> some of these (mostly violent) video games is a sensible introduction to
> becoming an adult?

Every boy (practically) in the USA plays those violent games.

Adrian Caspersz

unread,
Dec 25, 2015, 6:12:52 PM12/25/15
to
If you don't have much control what he does on the internet, then
perhaps you might feel more secure getting yourself a different ISP.

That can't cost that much.

--
Adrian C

Micky

unread,
Dec 25, 2015, 8:01:09 PM12/25/15
to
On Wed, 23 Dec 2015 18:19:36 -0500, Micky <NONONO...@bigfoot.com>
wrote:

>On Wed, 23 Dec 2015 11:24:16 -0500, Micky <NONONO...@bigfoot.com>
>wrote:
>
>>On Wed, 23 Dec 2015 11:02:44 -0500, "Paul M. Cook" <pmc...@gte.net>
>>wrote:
>>
>>>On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:
>>>
>>>> Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>>>> 70-3E-AC-DE-14-94
>>>> Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>>>> 70-3E-AC-DE-14-94
>>>>
>>>> So who is Dennis? 5 in the morning?
>>>> That's my time, right? or GMT?
>>>
>>>I just logged into my Netgear WNDR3400v2 router, and went to the
>>>advanced tab of Administration > Logs
>>>
>>>It says on top of the window what time it "thinks" it is:
>>> Current Time: Wednesday, Dec 23,2015 08:03:08
>>
>>Mine doesn't show the time anywhere, but if yours shows the current
>>time, that's good enough for me.
>
>I figured out a way to verify the time zone, and that's to watch the
>log for a new event, or to create a new event, like by trying to send
>an email (since I have all 5 kinds of events checked now).
>
>So I did that a couple hours ago and the time that showed in the log
>was 7 minutes later than the current time!
>
>I went out for a couple hours and when I tried it just now, the time
>the log showed was 11 minutes later than the current time.
>
>Put that in your pipe and smoke it.

I found the answer to this, where the computer boys play.

The router has its own clock, which can be wrong, like anything else.

To keep it correct, it has two possibilities.
Automatic (Automatic time update with pre-defined NTP servers or
enter customized NTP)
Manual is the alternative, but I have Automatic checked.

I don't have anything in the customized NTP field and I have the
interval for Automatic as 24 hours, the default, so that lets it get
wronger and wronger for 24 hours until it gets corrected.

If the log were important, I could set the interval at as little as
one hour. (it goes up to 72.) But I'll let it stay at 24. I'm glad
to know how it can be wrong, when other times are a lot closer.

It's a shame I can't use this to peer into the future.

>>>Looking at the clock, that's the local time in my time zone.

Jeroni Paul

unread,
Dec 25, 2015, 8:24:00 PM12/25/15
to
Paul M. Cook wrote:
> Security is a thousand little things, all put together.

Instead of hiding the SSID I use an intermediate solution: increase the beacon transmission interval time. This setting is usually found in the Advanced tab of many home routers and sets the time elapsed between SSID broadcasts.

By default it is 100ms, using longer times stops some devices from seeing the network and reduces the chance a pass-by car or walker sees it. It requires some testing to find the longest time that will work with the intended devices.
It also reduces electrosmog and interference with other wifi or analog video senders (a transmission every 100 ms is very annoying but every 5000ms goes unnoticed).

Up to 20000ms (20 seconds) has worked successfully with some laptops - at turn on it requires some wait up to one minute until they see the network, then they work fine as usual and no dropped connections. Some devices will not see the network no matter how long you wait even if you had it set up before. Some devices see the network but drop the connection frequently.

5000ms (5 seconds) works fine with most devices and reduces dropped connections, still a few devices (one laptop and a D-link wifi repeater) do not see the network.

1000ms (1 second) seems the best compromise between compatibility and electrosmog/interference. No problems found with any device.

Paul M. Cook

unread,
Dec 26, 2015, 1:07:08 AM12/26/15
to
On Fri, 25 Dec 2015 23:12:49 +0000, Adrian Caspersz wrote:

> If you don't have much control what he does on the internet, then
> perhaps you might feel more secure getting yourself a different ISP.
>
> That can't cost that much.

I have no idea what that advice is trying to tell me.

Adrian Caspersz

unread,
Dec 26, 2015, 5:51:45 AM12/26/15
to
Oh well. Bye.

--
Adrian C

Paul M. Cook

unread,
Dec 26, 2015, 12:39:10 PM12/26/15
to
On Sat, 26 Dec 2015 09:19:18 -0500, Micky wrote:

>>If there is already one AP on channel 1, 6, or 11, then you already have
> What's an AP?

Heh heh ... An access point (AP) is just, for your purposes, an SSID.
So, if your neighbor's SSID is "NEIGHBOR1" and on channel 1, then that's
his "AP".

If another neighbor's SSID is "NEIGHBOR6",and on channel 6 then that's
his "AP".

If there's nothing on channel 11, then you should put your router on
channel 6.

However, if you have 5GHz available, then almost any 5GHz channel will
be better because there will be no interference.

>>a problem because your router is wasting time throwing away packets that
>>are meant for someone else.
>
> An AP means there are dropped packets?

Each device you have is listening for an access point based on the
channel first (because that's how radios work).

If your neighbor is on the same channel, your device first receives
both his and your packets, but soon figures out which are from him and
which are from you, and then drops those packets from him.

But that takes time. So, it slows you down.

>>In any apartment complex, you'll find *tons* of APs on 1, 3, and 11.
>>Most homeowners too.
>
> I don't live in an apartment, but it still sounds like 6 is good
> because it's not 1, 3, or 11. ??

oops. I meant 1, 6, or 11. That "3" was a typo.

> I said Thanks to be polite, but I really don't want to bother with
> cell phone apps. I might be short of memory already.

Without knowing what channels are used around you, you're flying blind.

You "can" get the signal strength from the basic operating system,
no matter which platform you have, but it takes knowing which
buttons to press.

> I just didn't understand why it used to be 11, but after upgrading the
> firmware, it's 6. The modem didn't survey for congestion, did it?

You mean router, not modem.
Some "do" run a survey to see which channel is least congested.
Many don't.

Here's my advice:

1. Run a survey on your computer or cellphone
2. Use an empty 5GHz channel (which will be easy to find).
3. If you don't have 5GHz, then use the least congested 2.4GHz channel.
If possible, use 1, 6, or 11 if they're not already being used.

Paul M. Cook

unread,
Dec 26, 2015, 12:40:21 PM12/26/15
to
On Sat, 26 Dec 2015 12:39:07 -0500, Paul M. Cook wrote:

> If there's nothing on channel 11, then you should put your router on
> channel 6.

Typos again.

If there's nothing on channel 11, then you should put your router on
channel *11*.

Micky

unread,
Dec 27, 2015, 7:57:34 PM12/27/15
to

Thanks again.


On Sat, 26 Dec 2015 12:39:07 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

Tony Hwang

unread,
Dec 28, 2015, 11:30:01 PM12/28/15
to
There is a parental control feature, several blocking methods for certain
IP addresses or MAC addresses, etc. with router firmware. Sometimes 3rd
party firmware is more robust. dd-wrt is one example.

Paul M. Cook

unread,
Jan 1, 2016, 8:36:56 PM1/1/16
to
Thanks to everyone here, below is a summary I wrote of my current
understanding of just the UPnP versus Port Forwarding issue for
setting up the Transmission bittorrent client on Linux (Ubuntu) for
optimal speed.

It's written in my words, so, if there are errors in my understanding,
I'm fine with you pointing them out!

My summary of what was learned in this thread about UPnP & Port Forwarding

(0) The way things work is that an incoming request to WAN external IP
1.2.3.4 on port 12345 hits the SOHO router. Without port forwarding,
the SOHO router will drop that request (or any request to
any port).

But, with port forwarding, the router sees the external port WAN
request for 1.2.3.4:43101 and it forwards that external port to
a static LAN internal port of 192.168.1.10:43101, which the
Transmission client is listening on for upload requests (which
apparently require both TCP & UDP messages).

(Transmission settings are in $HOME/.config/transmission/settings.json)

(1) Since bittorrent maintains two download queues, the first priority
going to those who are uploading data and the second going to those
who are not uploading data, if I'm not uploading data, then I will
only download data when the first queue is empty.

(2) That means two different things if I don't open a port to the world:
- For those people with public sockets, I will be in the first
queue because they can get data from me even though I don't
have a public socket myself.
- For those people without public sockets, I will be in the
second queue because, to them, I'm not uploading any data
because I don't have a public upload socket open.

(3) Overall, not opening a port will probably increase my download
times (depending on a combination of how many other people have
public sockets open and on how full that first queue is).

(4) The *easiest* way to open a port for those external clients who
do not have a public socket is to simply turn on UPnP on both
the SOHO router and in Transmission. Optionally, if UPnP is
turned on in Transmission, I can set Transmission to use a
random port each time the application is started.

(5) The *safest* way to open a port is to turn off UPnP in both the
SOHO router and in the Transmission app, and just manually
forward a port in the router & set that same port in Transmission.
Pick a random port between 49152 & 65535. The default is 51413.
https://trac.transmissionbt.com/wiki/PortForwardingGuide

However, there are a bunch of things you have to do in order
to accomplish that task:
(a) You'll need to have your computer on a static IP address
on the LAN (e.g., 192.168.1.10).
This can be set (based on the computer wlan0 MAC address)
by the router, or, this can be set on the Ubuntu computer.
(b) You'll need to select an unused external/internal port set
to forward UDP & TCP packets to (e.g., port 51413)
(This port needs to be between 1025 and 65535.)
(c) You'll want to double-check your /etc/services files to ensure
whatever port you chose is not being otherwise used.
In my case, there are no ports in /etc/services between
port 27374 & 30865, and only 3 ports higher than 30865
{57000,60177,60179}, so, all other ports are fair game.
Application = trans

NOTE: There are other things you can set to improve Transmission speeds!
http://falkhusemann.de/blog/2012/07/transmission-utp-and-udp-buffer-optimizations/

REFERENCES:
http://portforward.com/help/portforwarding.htm
http://portforward.com/english/routers/port_forwarding
http://portforward.com/english/routers/port_forwarding/Netgear/WNDR3400v2/Transmission.htm
http://techsupportalert.com/content/optimizing-transmission-bittorrent-client-speed.htm
https://trac.transmissionbt.com/wiki/PortClosed
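
The checks from step (5) of the summary above, as an added example that is not part of the original post. It audits a Transmission settings.json for the manual-forward setup described there (UPnP mapping off, fixed port, port in 49152-65535, port not listed in /etc/services). The settings and services text are constructed samples and the function names are hypothetical; the keys are Transmission's own settings keys.

```python
import json
import re

# Constructed sample of $HOME/.config/transmission/settings.json (relevant keys only).
SAMPLE_SETTINGS = json.loads("""{
  "peer-port": 51413,
  "peer-port-random-on-start": false,
  "port-forwarding-enabled": true
}""")

# Constructed excerpt in /etc/services format.
SAMPLE_SERVICES = """\
# service  port/proto
ssh        22/tcp
http       80/tcp
examplesvc 57000/tcp   # constructed entry
"""


def services_ports(services_text):
    """Return the set of port numbers named in /etc/services-style text."""
    ports = set()
    for line in services_text.splitlines():
        line = line.split("#", 1)[0]            # drop trailing comments
        m = re.match(r"\s*\S+\s+(\d+)/(?:tcp|udp)\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def audit_transmission(settings, services_text):
    """Return findings that conflict with a manual port-forward setup."""
    findings = []
    port = settings.get("peer-port")
    if settings.get("port-forwarding-enabled", True):
        findings.append("port-forwarding-enabled is true: the client will ask "
                        "the router for a UPnP/NAT-PMP mapping")
    if settings.get("peer-port-random-on-start", False):
        findings.append("peer-port-random-on-start is true: a manual forward "
                        "will stop matching after a restart")
    if not isinstance(port, int) or not 49152 <= port <= 65535:
        findings.append(f"peer-port {port} is outside 49152-65535")
    elif port in services_ports(services_text):
        findings.append(f"peer-port {port} is already listed in /etc/services")
    return findings


if __name__ == "__main__":
    for finding in audit_transmission(SAMPLE_SETTINGS, SAMPLE_SERVICES):
        print("FINDING:", finding)
```

To run it against a real machine, load the settings file with json.load and read /etc/services as text; UPnP on the router itself still has to be checked in the router's admin page.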