Review of my home broadband router logs (suspicious activity?)

[Paul M. Cook]

Does this activity found accidentally in my home broadband
wireless router log seem suspicious to you?

Here is a screenshot of the suspicious log entries:
https://i.imgur.com/iZm1CCq.jpg

When "I" log into my router, I see a line like this:
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15

But, I see the following (suspicious?) activity in my log file:
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 2.133.67.47:11233 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 148.246.193.87:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31

I don't know what this really means: "LAN access from remote".

Looking at the router wired & wireless list of devices, 192.168.1.5
seems to not be attached at the moment.

But, looking back, I can determine (from the MAC address) that it's
my child's Sony Playstation (which has "UPNP events" whatever they are):

[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Tuesday, Dec 22,2015 16:17:47
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15
*****************************************************************
Can you advise me whether I should be worried that there are many
LAN accesses from a remote IP address to a kid's Sony Playstation?
*****************************************************************

[ng_reader]

<snip>

> *****************************************************************
> Can you advise me whether I should be worried that there are many
> LAN accesses from a remote IP address to a kid's Sony Playstation?
> *****************************************************************
>

Are you afraid of, what, exactly?

[Paul M. Cook]

On Tue, 22 Dec 2015 23:11:38 -0500, ng_reader wrote:

> Are you afraid of, what, exactly?

To answer why I ask about these activities, it's that I did not elicit
these transactions, nor do I understand them.

The IP addresses seem to belong to the following (from a whois):
--------------------------------------------------
inetnum: 93.38.176.0 - 93.38.183.255
netname: FASTWEB-DPPU
descr: Infrastructure for Fastwebs main location
descr: NAT POOL 7 for residential customer POP 4106,
country: IT
--------------------------------------------------
inetnum: 177.204/14
aut-num: AS18881
abuse-c: GOI
owner: Global Village Telecom
country: BR
--------------------------------------------------
inetnum: 101.160.0.0 - 101.191.255.255
netname: TELSTRAINTERNET50-AU
descr: Telstra
descr: Level 12, 242 Exhibition St
descr: Melbourne
descr: VIC 3000
country: AU
--------------------------------------------------
inetnum: 181.164/14
status: allocated
aut-num: N/A
owner: CABLEVISION S.A.
ownerid: AR-CASA10-LACNIC
responsible: Esteban Poggio
address: Aguero, 3440,
address: 1605 - Munro - BA
country: AR
--------------------------------------------------
inetnum: 2.133.64.0 - 2.133.71.255
netname: TALDYKMETRO
descr: JSC Kazakhtelecom, Taldykorgan
descr: Metro Ethernet Network
country: KZ
--------------------------------------------------
inetnum: 186.204/14
aut-num: AS28573
abuse-c: GRSVI
owner: CLARO S.A.
ownerid: 040.432.544/0835-06
responsible: CLARO S.A.
country: BR
--------------------------------------------------
inetnum: 148.246/16
status: allocated
aut-num: N/A
owner: Mexico Red de Telecomunicaciones, S. de R.L. de C.V.
ownerid: MX-MRTS1-LACNIC
responsible: Ana María Solorzano Luna Parra
address: Bosque de Duraznos, 55, PB, Bosques de las Lomas
address: 11700 - Miguel Hidalgo - DF
country: MX
--------------------------------------------------
inetnum: 195.67.224.0 - 195.67.255.255
netname: TELIANET
descr: TeliaSonera AB Networks
descr: ISP
country: SE
--------------------------------------------------
inetnum: 1.72.0.0 - 1.79.255.255
netname: NTTDoCoMo
descr: NTT DOCOMO,INC.
descr: Sannno Park Tower Bldg.11-1 Nagatacho 2-chome
descr: hiyoda-ku,Tokyo Japan
country: JP
--------------------------------------------------
inetnum: 1.72.0.0 - 1.79.255.255
netname: MAPS
descr: NTT DoCoMo, Inc.
country: JP
--------------------------------------------------
inetnum: 178.116.0.0 - 178.116.255.255
netname: TELENET
descr: Telenet N.V. Residentials
remarks: INFRA-AW
country: BE
--------------------------------------------------
inetnum: 82.237.140.0 - 82.237.143.255
netname: FR-PROXAD-ADSL
descr: Proxad / Free SAS
descr: Static pool (Freebox)
descr: deu95-3 (mours)
descr: NCC#2005090519
country: FR
--------------------------------------------------
NetRange: 107.192.0.0 - 107.223.255.255
NetName: SIS-80-4-2012
NetHandle: NET-107-192-0-0-1
Parent: NET107 (NET-107-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS7132
Organization: AT&T Internet Services (SIS-80)
City: Richardson
StateProv: TX
--------------------------------------------------
NetRange: 216.98.48.0 - 216.98.63.255
CIDR: 216.98.48.0/20
NetName: UBICOM
NetHandle: NET-216-98-48-0-1
Parent: NET216 (NET-216-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: Ubisoft Entertainment (UBISOF-2)
--------------------------------------------------

[Tony Hwang]

Ask the kid if he is playing on line game.

[Paul M. Cook]

On Tue, 22 Dec 2015 22:00:40 -0700, Tony Hwang wrote:

> Ask the kid if he is playing on line game.

He does play online, but I don't know if *those* are
activities *he* initiated, or if they are attempts
to attack us.

[Don Y]

On 12/22/2015 8:55 PM, Paul M. Cook wrote:
> Does this activity found accidentally in my home broadband
> wireless router log seem suspicious to you?
>
> Here is a screenshot of the suspicious log entries:
> https://i.imgur.com/iZm1CCq.jpg
>
> When "I" log into my router, I see a line like this:
> [Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
>
> But, I see the following (suspicious?) activity in my log file:

Have you edited your log, here? Are there other activities not shown?
Do you see just these sporadic accesses?

> [LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
> [LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
> [LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
> [LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
> [LAN access from remote] from 2.133.67.47:11233 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
> [LAN access from remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
> [LAN access from remote] from 148.246.193.87:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
> [LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
> [LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
> [LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
> [LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
> [LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
> [LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31
>
> I don't know what this really means: "LAN access from remote".

(your) LAN (is being) access(ed) from a remote device. The first address
listed in each of these lines (the one that is NOT 192.168.1.5) represents
the "remote" device. The device on *your* LAN is the second address
listed (192.168.1.5).

> Looking at the router wired & wireless list of devices, 192.168.1.5
> seems to not be attached at the moment.

Chances are, it's a DHCP assigned IP address. If <whatever> doesn't
reconnect to the router within the lease time, the IP address may get
reallocated to some other device. 192.168/16 (i.e., 192.168.xxx.yyy)
is a private network address -- damn near everyone here is using
the same address (but *behind* a router/NATd of some sort). So,
the IP addresses of all of your "computers" will be in that same
general range.

Most routers will provide a (DHCP?) page that show where the current
IP addresses that *it* has doled out are being used. (I suspect
"Attached Devices" in your router).

> But, looking back, I can determine (from the MAC address) that it's
> my child's Sony Playstation (which has "UPNP events" whatever they are):
>
> [UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
> [DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18

This is the DHCP request *from* the F8:D0:AC:B1:D4:A3 device being satisfied by
the router with the issuance/renewal of a lease (usually good for 24 hours;
longer if the device renews the request) on the IP address 192.168.1.5

> [DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Tuesday, Dec 22,2015 16:17:47
> [UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15
> *****************************************************************
> Can you advise me whether I should be worried that there are many
> LAN accesses from a remote IP address to a kid's Sony Playstation?
> *****************************************************************

You want to look at the IP's in question. As 9000 is not a privileged
port, it's possible any application can be using it, friend or foe:

<http://www.speedguide.net/port.php?port=9000>

If you feel ambitious, you can install a rule to block inbound/outbound
connections to/from that port and see if <something> that you WANT
suddenly stops working. Probably under "Security"?

[Don Y]

They are attempted connections from the outside (remote)
*to* your (his) machine. Whether they have effectively been
prompted by his actions is another issue.

[Micky]

On Wed, 23 Dec 2015 00:11:30 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

Maybe you could ask him and you could also have him play a game at a
recorded time and then check your log to see if the entries are
similar.

AIUI, the average desktop gets thousands of pings a day. When I had
that famous software firewall whose name escapes me, it would record
and count them.

But thhat doesn't mean the outside ip is targeting your kid
specifically. Maybe it just goes through IP numbers consecutively,
looking for those that are unprotected.

And it doesn't mean that it can do anything to your kid's device.
Isn'tt the software in a game or insertable game hard-coded?

And it doesn't mean the pinger wants to. A lot of my pings were from
my own ISP iirc. i don't know why it was doing this when I was
already connected.

What could an outside force do to your kid? Can the game display
messages on it, like "Come to Syria and kill the infidels. Call
1-800-KIL-L-INF". Frankly I think the people whos say that 12 or 10
is not too young to talk to their children about sex, drugs, etc. are
missing the mark. What parents should do is talk during dinner to
each other about how stupid drug users are and how stupid and selfish
those who get someone pregnant when they're not married, and they can
do this when the kid is 4 and up and kids will listen to everything
their parents say. But if they are 12 and the parent is telling them
what to do, it will be for some kids a challenge to do the opposite,
because they dont' like being lectured. That's why parents should
talk to each other in front of the kids. There are adequate
conversation starters in the news.

[DerbyDad03]

On Wednesday, December 23, 2015 at 3:39:07 AM UTC-5, Micky wrote:
> On Wed, 23 Dec 2015 00:11:30 -0500, "Paul M. Cook" <pmc...@gte.net>
> wrote:
>
> >On Tue, 22 Dec 2015 22:00:40 -0700, Tony Hwang wrote:
> >
> >> Ask the kid if he is playing on line game.
> >
> >He does play online, but I don't know if *those* are
> >activities *he* initiated, or if they are attempts
> >to attack us.
>
> Maybe you could ask him and you could also have him play a game at a
> recorded time and then check your log to see if the entries are
> similar.
>
> AIUI, the average desktop gets thousands of pings a day. When I had
> that famous software firewall whose name escapes me, it would record
> and count them.
>
> But thhat doesn't mean the outside ip is targeting your kid
> specifically. Maybe it just goes through IP numbers consecutively,
> looking for those that are unprotected.

Targeting the home network for use by a hacker is an important
consideration. It' snot just about the people, it's also about the
equipment.

>
> And it doesn't mean that it can do anything to your kid's device.
> Isn'tt the software in a game or insertable game hard-coded?

It's not a question of what could be done to the device, it's whether or
not that device is allowing access to the home's network. Once inside
the network it may be possible to gain access to other computers.

I'm not saying it's possible, I'm just pointing out that the access issue
may not be related only to the device used for the access.

>
> And it doesn't mean the pinger wants to. A lot of my pings were from
> my own ISP iirc. i don't know why it was doing this when I was
> already connected.
>
> What could an outside force do to your kid? Can the game display
> messages on it, like "Come to Syria and kill the infidels. Call
> 1-800-KIL-L-INF".

One of the known "access" points to the kiddies is via the chat feature of
on-line games. In many cases it is impossible to track these conversations
or monitor them for keywords like in an email, phone call, etc.

[Stormin Mormon]

I confess. I was parking in your driveway,
and playing video games. It's all my fault.

--
.
Christopher A. Young
learn more about Jesus
. www.lds.org
.
.

[Paul M. Cook]

On Wed, 23 Dec 2015 04:19:59 -0800, DerbyDad03 wrote:

> It's not a question of what could be done to the device, it's whether or
> not that device is allowing access to the home's network. Once inside
> the network it may be possible to gain access to other computers.

Exactly. I'm not worried about the kid being attacked.

I'm worried about the attacker coming in through the port 9000 of the
IP address 192.168.1.5 which, at least today, is the Sony Playstation
(but it could have been any computer on the day of the attack since
I have DHCP).

Once the attacker is on the router, they can potentially get to any
computer or monitor anything or watch or whatever the reason they
got in for.

That there were *many* similar attacks at roughly the same time is
what worries me also.

But, mostly, I am just wanting to know *what* happened, which, from
the log files, I can't tell - but that's why I asked. I don't know
how to correctly *interpret* this particular set of errors.

We're all just guessing. And that's bad.

[Tony Hwang]

Playing on-line game? Kids do most of time.

[Paul M. Cook]

On Wed, 23 Dec 2015 00:22:59 -0700, Don Y wrote:

> Have you edited your log, here? Are there other activities not shown?
> Do you see just these sporadic accesses?

That's an excerpt only but those were the only messages listed with the
prefix of "[LAN access from remote]".

> Most routers will provide a (DHCP?) page that show where the current
> IP addresses that *it* has doled out are being used. (I suspect
> "Attached Devices" in your router).

At the moment, there are no "attached devices" with the DHCP IP
address of 192.168.1.5, and the log file doesn't say which device
in the house was 192.168.1.5 on that day.

But, looking at the log file, at some point thereafter, the
IP address of 192.168.1.5 was the MAC address which is the
Sony Playstation.

I can't tell, from the log, what device had the DHCP given
address of 192.168.1.5 on the day of the attack.

The router shows "attached devices" but it doesn't show
a history.

[Paul M. Cook]

On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:

> Playing on-line game? Kids do most of time.

Maybe. But is *that* what the error message says?

I guess I need to *experiment*, by asking the kid to play a few
games and then watch the router log file.

What is worrisome is that some of the entries don't come from
what I'd expect an online game to come from, e.g., Brazil,
Mexico, Japan, France, etc.

[Ed Pawlowski]

On 12/23/2015 3:39 AM, Micky wrote:

> What could an outside force do to your kid? Can the game display
> messages on it, like "Come to Syria and kill the infidels. Call
> 1-800-KIL-L-INF". Frankly I think the people whos say that 12 or 10
> is not too young to talk to their children about sex, drugs, etc. are
> missing the mark. What parents should do is talk during dinner to
> each other about how stupid drug users are and how stupid and selfish
> those who get someone pregnant when they're not married, and they can
> do this when the kid is 4 and up and kids will listen to everything
> their parents say. But if they are 12 and the parent is telling them
> what to do, it will be for some kids a challenge to do the opposite,
> because they dont' like being lectured. That's why parents should
> talk to each other in front of the kids. There are adequate
> conversation starters in the news.
>
>

You have a good point.
When my son was in his late teens my wife was cleaning in his bedroom
and found condoms. She said I should have a talk with our son. I
replied, "I did and evidently he listened".

[Micky]

On Wed, 23 Dec 2015 10:06:04 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:
>
>> Playing on-line game? Kids do most of time.
>
>Maybe. But is *that* what the error message says?
>
>I guess I need to *experiment*, by asking the kid to play a few
>games and then watch the router log file.

Good idea.

>What is worrisome is that some of the entries don't come from
>what I'd expect an online game to come from, e.g., Brazil,
>Mexico, Japan, France, etc.

When I went to France in 1974, I thought I could impress girls with
hershey bars and nylon stockings, but instead I couldnt' afford to eat
in a real restaurant.

(though I did eat in an expensive restaurant in Amsterdam before the
flight home, rijstafel, and it was only meal I shared with a girl I
met the previous day, and we were on the same plane the day after the
meal and we were both sick. From the expensive meal)

IOW, despite the impression we're oftren given, they have civilization
in those places, and even infra-civilization like games. I'm sure
there are gamers in all those countries, but there may also be hackers
.

[Mayayana]

That's interesting. I didn't know routers kept logs. Did
you find that by logging in to the "control panel"?

I used to get a lot of attempts to get into my computer
when I had dialup. That mostly stopped with cable, though
I have caught my cable company, RCN, trying to get
in. I have no idea why. Apparently they just go around
snooping on customers, perhaps tracking how many
machines are at each address, or some such.

First, do you have a good, long password for
your router? You should. Maybe 20 characters.

You didn't mention what computers you have.
Assuming Windows...

It's important to understand that most
Windows computers are full of holes. The default
configuration has numerous unsafe services running.
Many people now also enable remote Desktop
functionality for tech support. You should have a
firewall that blocks all incoming and asks permission
for all outgoing processes. (In many cases it's also
possible to block svchost from going out, which takes
care of most or all Microsoft spyware.)

Some may remember there was a problem with XP
in the early days. A service called Messenger (not
Windows Messenger) was running by default. It was
intended for sys admin people in corporations to be
able to pop up notices to employees on the network.
(Like "Don't forget: Company picnic on Saturday.")
It was being used to show people ads. The problem is
that Windows NT (2000/XP/Vista/7/8/10) is designed
to be a corporate workstation. It's a sieve, set up
with the assumption that the network is safe while
the users can't be trusted. If you want to set up
reasonable security see here:

http://www.blackviper.com/

You can use that site to adjust services. And get a
firewall.

I don't know much about Playstation, but that's
a good example of increasing intrusion online. Online
services and spyware operating systems are changing
the norm. Most software is now designed to call home
without asking. A few years ago that was known as
spyware. Windows 10 is a new level of spyware. It
now has a privacy policy and TOS that claim Microsoft
has a legal right to spy on virtually everything you do.
(I suspect Playstation is probably worse in that regard.)

At the same time, more people want more of those
services. Without selling out to Apple you can't get
all those nifty apps. Without selling out to Adobe you
can no longer use Photoshop without it spying on you.
The latest version is still installed on your computer,
but it's officially marketed as an online service. The
difference is not so much in the software but in the
fact that you have to accept it as spyware. MS Office
and many other programs are going the same way.
They want to steal your car and rent you a taxi.

So there may be different, conflicting concerns
for you. One concern is preventing malware/spyware
intrusion by strengthening your security. But then
there's also the issue of whether you're actually willing
and able to do that in the context of how you want
to use your connected devices. If you want to accept
and use online services then you must accept that
you're now in a shopping mall. The mall cameras,
marketing data collectors and security guards will be
watching. You're on their property, not your own.

[Micky]

On Wed, 23 Dec 2015 09:58:45 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>

>On Wed, 23 Dec 2015 00:22:59 -0700, Don Y wrote:
>
>> Have you edited your log, here? Are there other activities not shown?
>> Do you see just these sporadic accesses?
>
>That's an excerpt only but those were the only messages listed with the
>prefix of "[LAN access from remote]".

I thought I'd look at my log, for the first time in 8 years. The
only wireless device I use is a printer.

Dec/21/2015 18:59:18 DHCP lease IP 192.168.0.106 to
android-fce7fa4f93da6881 64-89-9A-6E-9C-85
Dec/21/2015 18:59:09 DHCP lease IP 192.168.0.106 to
android-fce7fa4f93da6881 64-89-9A-6E-9C-85
Dec/21/2015 18:59:04 DHCP lease IP 192.168.0.106 to
android-fce7fa4f93da6881 64-89-9A-6E-9C-85

Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94
Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94

So who is Dennis? 5 in the morning? That's my time, right? or GMT?

Dec/20/2015 05:20:05 Wireless PC connected 70-3E-AC-DE-14-94
Dec/19/2015 23:51:38 Wireless PC connected A4-EE-57-E3-09-E4

Whose is this wireless PC? I have one, but haven't used it in weeks.

Dec/19/2015 21:48:06 DHCP Request success 192.168.1.46
Dec/19/2015 21:48:06 DHCP Request 192.168.1.46
Dec/19/2015 15:16:58 DHCP lease IP 192.168.0.100 to EPSONE309E4
A4-EE-57-E3-09-E4
Dec/19/2015 10:13:04 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94
Dec/19/2015 10:13:02 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94

The Epson is my printer. I was probably printing the crossword
puzzle. But more Dennis!

Dec/19/2015 10:13:02 Wireless PC connected 70-3E-AC-DE-14-94
Dec/19/2015 07:51:01 DHCP lease IP 192.168.0.105 to
android_a1d17253796b3c9c 14-7D-C5-A7-E9-5C

I have a cell phone that runs android, but I don't think I've had it
on in the house on the 19th. I haven't tried to connect to wifi with
it for a year or more.

Could something like this cause interruptions in my internet, which I
get sometimes? The router light for the jack I use flickers all the
time, but sometimes no data gets dl'd. I have DSL.

Dec/16/2015 15:12:23 DHCP lease IP 192.168.0.103 to Tiyes-Iphone-2
20-A2-E4-E7-81-36

Dec/16/2015 08:49:25 Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 06:25:38 Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 05:27:09 Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 05:26:17 Wireless PC connected A4-EE-57-E3-09-E4

Dec/13/2015 20:22:09 Wireless PC connected A4-EE-57-E3-09-E4
Dec/13/2015 20:21:49 Wireless PC connected A4-EE-57-E3-09-E4
Dec/13/2015 12:27:17 DHCP lease IP 192.168.0.103 to Tiyes-Iphone-2
20-A2-E4-E7-81-36
Dec/13/2015 12:27:16 Wireless PC connected 20-A2-E4-E7-81-36

Dec/09/2015 08:06:17 DHCP lease IP 192.168.0.106 to Sharlenes-iPad
34-C0-59-19-F9-46

Hmmm..

To send myself the log it asks for SMTP Server / IP Address .

Does that mean the smtp server is enough, or do I need its IP address
too, which I don't know?

Help says "SMTP Server - The address of the SMTP (Simple Mail Transfer
Protocol) server that will be used to send the logs." but I haven't
gotten the email I sent yet, and I should have by now.

[Paul M. Cook]

On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

> To send myself the log it asks for SMTP Server / IP Address .

I saw the send-log command, but I just copy-and-pasted my
router log into a text file on the computer.

1. While looking at the router log file from within your browser:
Control-A to select all
Control-C to copy

2. Then paste that into any open text file:
Control-V to paste

[Paul M. Cook]

On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

> Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
> 70-3E-AC-DE-14-94
> Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
> 70-3E-AC-DE-14-94
>
> So who is Dennis? 5 in the morning?
> That's my time, right? or GMT?

I just logged into my Netgear WNDR3400v2 router, and went to the
advanced tab of Administration > Logs

It says on top of the window what time it "thinks" it is:
Current Time: Wednesday, Dec 23,2015 08:03:08

Looking at the clock, that's the local time in my time zone.

[Paul M. Cook]

On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

> Dec/19/2015 21:48:06 DHCP Request success 192.168.1.46
> Dec/19/2015 21:48:06 DHCP Request 192.168.1.46
> Dec/19/2015 15:16:58 DHCP lease IP 192.168.0.100 to EPSONE309E4
> A4-EE-57-E3-09-E4
> Dec/19/2015 10:13:04 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
> 70-3E-AC-DE-14-94
> Dec/19/2015 10:13:02 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
> 70-3E-AC-DE-14-94
>
> The Epson is my printer. I was probably printing the crossword
> puzzle. But more Dennis!

There is what appears to be an iPhone connecting to your router.

You can look up the first half of the MAC address (the OUI) to see
what kind of device it appears to be from:
https://www.adminsub.net/mac-address-finder

Denis' MAC address is the following:
(70-3E-AC) (DE-14-94)

The organizationally unique part is the first half:
(70-3E-AC)

That indeed is an Apple device OUI:
703EAC indeed resolves to "Apple, Inc."

[Paul M. Cook]

On Wed, 23 Dec 2015 10:17:10 -0500, Mayayana wrote:

> That's interesting. I didn't know routers kept logs. Did
> you find that by logging in to the "control panel"?

I don't know of *any* router that does *not* keep logs.
Usually they start at reboot time, and go on forever from there.
For my Netgear router, I log in and then go to:
Advanced > Administration > Logs

> I used to get a lot of attempts to get into my computer
> when I had dialup. That mostly stopped with cable, though
> I have caught my cable company, RCN, trying to get
> in. I have no idea why. Apparently they just go around
> snooping on customers, perhaps tracking how many
> machines are at each address, or some such.

Cable should be the worst, as I understand it, since anyone
in your neighborhood on the same cable is essentially connected
to you as I understand it.

So, I'd be sure to have a router, but, as we all know, anyone
who knows what they're doing can get past our cheap routers.

> First, do you have a good, long password for
> your router? You should. Maybe 20 characters.

The thing is that most routers don't allow a password greater
than 8 characters (from my experience). Sure, they'll *let*
you type a long password - but they'll take anything (or nothing)
after the first 8 characters.

Try it. That's how "my" router works.

> You didn't mention what computers you have.
> Assuming Windows...

Oh, I have everything. Windows. Linux. OS/X. iOS, Android.
Printers. And other devices (like the playstation).

[M. Stradbury]

On Wed, 23 Dec 2015 10:17:10 -0500, Mayayana wrote:

> First, do you have a good, long password for
> your router? You should. Maybe 20 characters

Which router password are you talking about?

1. The Admin password?
2. The SSID WPA2/PSK passphrase?

[Micky]

On Wed, 23 Dec 2015 10:58:58 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:
>
>> To send myself the log it asks for SMTP Server / IP Address .
>
>I saw the send-log command, but I just copy-and-pasted my
>router log into a text file on the computer.
>
>1. While looking at the router log file from within your browser:
> Control-A to select all

I tried that but it highlighted the whole page, not just the data.

So it was easier to use to the cursor to choose what to highlight.

My firmware is almost 11 years old. Maybe D-Link has refined it by
now.

Plus there are 20 pages of data, each requiring separate copying, so I
was hoping to get all 20 pages in one email.

And that includes only System Activity, Attacks, and Notice, not Debug
Information and Dropped Packets.

Later I will check those to see what shows up.

[Tony Hwang]

PSK? How about AES?

[Oren]

On Wed, 23 Dec 2015 10:06:04 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

Personally, I would turn off DHCP and manually give each machine a
static IP number. Any outside machine connecting to your network is
being issued an IP number.

"...DHCP is a good option for easy home networking. But if you
are truly serious about network security—if you have sensitive data
residing on your network or just want to make data or identity theft
much less likely—you're probably better off sticking with disabling
DHCP and maintaining full manual control of your home network."

Two Cents.

[Micky]

On Wed, 23 Dec 2015 11:02:44 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:
>
>> Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>> 70-3E-AC-DE-14-94
>> Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>> 70-3E-AC-DE-14-94
>>
>> So who is Dennis? 5 in the morning?
>> That's my time, right? or GMT?
>
>I just logged into my Netgear WNDR3400v2 router, and went to the
>advanced tab of Administration > Logs
>
>It says on top of the window what time it "thinks" it is:
> Current Time: Wednesday, Dec 23,2015 08:03:08

Mine doesn't show the time anywhere, but if yours shows the current
time, that's good enough for me.

I noticed that because some families have so many wireless devices,
they've redesigned routers and now many are 100 to 200 dollars. That
means I should be able to get a 2-year old one cheap. Actually I
bought cheap at a hamfest what I thought was identical, and only
noticed a year later that it was a router like mine but without the
wireless part. Now is a bad time to try it because every day I may
wish to print the crossword.

[Micky]

On Wed, 23 Dec 2015 11:07:42 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:
>
>> Dec/19/2015 21:48:06 DHCP Request success 192.168.1.46
>> Dec/19/2015 21:48:06 DHCP Request 192.168.1.46
>> Dec/19/2015 15:16:58 DHCP lease IP 192.168.0.100 to EPSONE309E4
>> A4-EE-57-E3-09-E4
>> Dec/19/2015 10:13:04 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>> 70-3E-AC-DE-14-94
>> Dec/19/2015 10:13:02 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>> 70-3E-AC-DE-14-94
>>
>> The Epson is my printer. I was probably printing the crossword
>> puzzle. But more Dennis!
>
>There is what appears to be an iPhone connecting to your router.
>
>You can look up the first half of the MAC address (the OUI) to see
>what kind of device it appears to be from:
> https://www.adminsub.net/mac-address-finder

Good to know. Thanks.

>Denis' MAC address is the following:
> (70-3E-AC) (DE-14-94)
>
>The organizationally unique part is the first half:
> (70-3E-AC)
>
>That indeed is an Apple device OUI:
> 703EAC indeed resolves to "Apple, Inc."

So that means it's an Apple device, like an iphone.

Not that it's someone working at Apple, inc.!

[Micky]

On Wed, 23 Dec 2015 10:17:10 -0500, "Mayayana"
<maya...@invalid.nospam> wrote:

> That's interesting. I didn't know routers kept logs. Did
>you find that by logging in to the "control panel"?

No, the control panel is on the computer.

You have to go to the router. The address is in the manual. In
D-link and I think maybe all of them it's http://192.168.0.1

>
> I used to get a lot of attempts to get into my computer
>when I had dialup. That mostly stopped with cable, though
>I have caught my cable company, RCN, trying to get

I had RCN too, dialup, but after years of their promising high-speed,
I decided they were kidding, so I had to go to Verizon.

They said I could have email only, with no access to the net, for 3 a
month, but then 4 months later, with no warning, they took away my
ability to send email, and because of the way Eudora is set up, it's
not totally obvious how to change the settings to send only via
Verizon. (They also did 3 other bad things to me. And currently,
if my credit card number changes and the automatic payment doesn't
work, they told me I had told them not to send either an email or a
postal mail. I never said that. So 3 times over several years
they disconnected me with no warning, and one time they threw away all
my email, including any I hadn't downloaded yet.

Later they raised it from 3 to 4 a month.

Now if they won't notify me both ways, I asked to be notified by
email, but they said they won't do that. it's an email company but
they won't notify me by email.

How has your customer service been?

>in. I have no idea why.

That's what I said in another post. I was referring to Erols/RCN.

[Mayayana]

| > First, do you have a good, long password for
| > your router? You should. Maybe 20 characters.
|
| The thing is that most routers don't allow a password greater
| than 8 characters (from my experience). Sure, they'll *let*
| you type a long password - but they'll take anything (or nothing)
| after the first 8 characters.
|
| Try it. That's how "my" router works.
|

I tried it. I entered the first 13 characters. It didn't
let me in. I've never heard of an 8-char limit.

| > You didn't mention what computers you have.
| > Assuming Windows...
|
| Oh, I have everything. Windows. Linux. OS/X. iOS, Android.
| Printers. And other devices (like the playstation).
|

I don't see any scanning or contact in my logs,
but I also only use computers, with no networking,
and get informed by my firewall about unrequested
incoming. You may not have much option with
Playstation. I assume it's not under your control.
But you should have firewalls on your computers
that will drop incoming requests. (Though that's
one of the many shortcomings of Linux in my book.
Last I checked, Linux firewalls could stop incoming
but didn't monitor outgoing.)

[Oren]

On Wed, 23 Dec 2015 09:54:05 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>Once the attacker is on the router, they can potentially get to any
>computer or monitor anything or watch or whatever the reason they
>got in for.

...and run a packet sniffer that captures passwords, network traffic,
etc. into a log file.

<http://netsecurity.about.com/od/informationresources/a/What-Is-A-Packet-Sniffer.htm>

[Adrian Caspersz]

On 23/12/15 03:55, Paul M. Cook wrote:
> Does this activity found accidentally in my home broadband
> wireless router log seem suspicious to you?
>
> Here is a screenshot of the suspicious log entries:
> https://i.imgur.com/iZm1CCq.jpg
>
> When "I" log into my router, I see a line like this:
> [Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
>
> But, I see the following (suspicious?) activity in my log file:
> [LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
> [LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
...

Informational logs, not a warning or critical error.

> [UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15
> *****************************************************************
> Can you advise me whether I should be worried that there are many
> LAN accesses from a remote IP address to a kid's Sony Playstation?
> *****************************************************************
>

It's how the games can only work. Your uPNP enabled router is port
forwarding that incoming traffic to a specific machine on your LAN, your
kid's playstation. It would take a flaw, or a hack, in your router for
this traffic to go anywhere else.

Personally, I wouldn't have a problem with it.

Try playing about with anything that uses peer-to-peer services like
Skype, Spotify or torrent programs and you'll see much the same logs.

Have your kid take a break from that game and you both have a read of
the following Microsoft ebook on

https://www.microsoft.com/en-gb/download/details.aspx?id=1522
or http://www.ownyourspace.net/

--
Adrian C

[Mayayana]

| > That's interesting. I didn't know routers kept logs. Did
| >you find that by logging in to the "control panel"?
|
| No, the control panel is on the computer.
|
| You have to go to the router. The address is in the manual. In
| D-link and I think maybe all of them it's http://192.168.0.1

Yes. That's what I was referring to. I think of it
as a control panel. I'm not sure whether it's called
that. My web host, too, calls it a control panel when
I log in.

| >
| > I used to get a lot of attempts to get into my computer
| >when I had dialup. That mostly stopped with cable, though
| >I have caught my cable company, RCN, trying to get
|
| I had RCN too, dialup, but after years of their promising high-speed,
| I decided they were kidding, so I had to go to Verizon.
|
| They said I could have email only, with no access to the net, for 3 a
| month, but then 4 months later, with no warning, they took away my
| ability to send email, and because of the way Eudora is set up, it's
| not totally obvious how to change the settings to send only via
| Verizon. (They also did 3 other bad things to me. And currently,
| if my credit card number changes and the automatic payment doesn't
| work, they told me I had told them not to send either an email or a
| postal mail. I never said that. So 3 times over several years
| they disconnected me with no warning, and one time they threw away all
| my email, including any I hadn't downloaded yet.
|
| Later they raised it from 3 to 4 a month.
|
| Now if they won't notify me both ways, I asked to be notified by
| email, but they said they won't do that. it's an email company but
| they won't notify me by email.
|
| How has your customer service been?
|

I've found the service to be very good.
Customer service is 24/7, and seems to be American.
Recently we got an upgraded modem because speeds
were slow, and that seems to have fixed it. In the
process they accidentally disconnected my separate
RCN phone wire. But then they came the next morning
and upgraded that as well, for free.

My only complaint is that they periodically raise the price
for no reason. But then if we call up they agree to lower it
again. ?? It seems to be the new strategy: Fleece the
customer base and then be nice to anyone who complains.
I suppose a lot of people are now on auto-payment
and don't notice.
Considering complaints I hear from customers of other
companies, I feel very content with RCN. But I never
had dialup with them.

I get ads about every two weeks for Verizon FIOS.
They have several inches of tiny fine print, in light gray,
that I can't even read with glasses on. There's no way
to find out the actual cost of the service. It's like an ad
out of a cartoon. I have no need for FIOS, anyway.
Recently a salesman came to the door. He wanted to tell
me that Verizon had some spiffy new wiring and that I
should switch. I told him how Verizon keeps sending ads
but won't even tell me what the product costs. He miled
and said, "That's why I'm here." Then I said goodbye to
him and closed the door. They must be making very big
profits to justify sending out salesmen.

But that problem is not just with Verizon. A couple of
years ago I went around to cellphone providers to find
out what a basic plan costs. ATT/Verizon/Sprint/T-Mobile.
All of them had plans starting at $40. Not one could/would
tell me what the actual bill would be after the various scam
fees and taxes were added on.

[Paul M. Cook]

On Wed, 23 Dec 2015 08:22:08 -0800, Oren wrote:

> Personally, I would turn off DHCP and manually give each machine a
> static IP number.

I have never not used DHCP.

How do we do assign permanent IP addresses when devices come on and
off the network all the time?

Do we attach the IP address to the MAC address of the device?

For example, if the Android phone is MAC address DE:AD:BE:EF:CA:FE,
do we attach the IP address 192.168.1.10 to *that* MAC address from
the router?

Or, is there some other way of doing it from the device itself?

[Paul M. Cook]

On Wed, 23 Dec 2015 09:07:46 -0800, Oren wrote:

> ...and run a packet sniffer that captures passwords, network traffic,
> etc. into a log file.

I have run wifi-radar, kismet, and iwscanner, but the output is
horrendously cryptic.

I hear there is Wireshark, AirShark, netstumbler, & netcrumbler,
so, maybe one of those has easier to read output?

[Paul M. Cook]

On Wed, 23 Dec 2015 11:19:48 -0500, Micky wrote:

> I tried that but it highlighted the whole page, not just the data.
>
> So it was easier to use to the cursor to choose what to highlight.

In any browser session, you can also use "control F" and then type
in what you're looking for.

Then select just that which you found.

F3 moves to the next find.
Shift F3 moves backward to the previous find.

[Paul M. Cook]

On Wed, 23 Dec 2015 11:19:48 -0500, Micky wrote:

> Plus there are 20 pages of data, each requiring separate copying, so I
> was hoping to get all 20 pages in one email.

Makes sense.

Let me know if you figure out the email because I didn't figure it
out myself on mine, and my firmware is fully up to date.

[Paul M. Cook]

On Wed, 23 Dec 2015 11:24:52 -0500, Micky wrote:

> So that means it's an Apple device, like an iphone.
>
> Not that it's someone working at Apple, inc.!

If you can get an IP address like I did on my router logs,
you can run a "whois" command which will reverse IP check.

https://duckduckgo.com/?q=reverse+ip+address+lookup

If it's coming from Apple, whois will tell you that.

Of course, most of the time "I" run it, the IP address
is coming from China, but even that can be spoofed with
VPN or some other means.

[Paul M. Cook]

On Wed, 23 Dec 2015 12:03:34 -0500, Mayayana wrote:

> I tried it. I entered the first 13 characters. It didn't
> let me in. I've never heard of an 8-char limit.

Are we talking about the ROUTER "admin" password?
Or are we talking about the ESSID encryption passcode?

They're different things.
"I" was talking about the router admin password.

[Oren]

On Wed, 23 Dec 2015 12:39:11 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

>On Wed, 23 Dec 2015 08:22:08 -0800, Oren wrote:
>
>> Personally, I would turn off DHCP and manually give each machine a
>> static IP number.
>
>I have never not used DHCP.
>
>How do we do assign permanent IP addresses when devices come on and
>off the network all the time?
>
>Do we attach the IP address to the MAC address of the device?
>

<https://tinyurl.com/hkqsa3t> The first link includes computers and
gaming consoles.

>For example, if the Android phone is MAC address DE:AD:BE:EF:CA:FE,
>do we attach the IP address 192.168.1.10 to *that* MAC address from
>the router?
>
>Or, is there some other way of doing it from the device itself?

Can't speak for the phone, sorry.

[Paul M. Cook]

On Wed, 23 Dec 2015 09:20:13 -0700, Tony Hwang wrote:

>> 1. The Admin password?
>> 2. The SSID WPA2/PSK passphrase?
>>
> PSK? How about AES?

I think you're talking about different things that have nothing
to do with each other.

AFAIK, WPA2 is the strongest "we" can generally get (being normal
homeowners and not corporations) on our routers.

For us, the PSK (pre-shared key) is the way "we" homeowners do
WPA2. It just is.

However, if we were a corporation, we could do more with WPA2
than pre-shared keys, which, I don't remember what it's called,
but it's some kind of rotating or assigned key that the IT
department of the company can manage (instead of the router).a

What you seem to be talking about is the difference between
various security options, such as:
* WPA-PSK [TKIP]
* WPA-PSK [AES]
* WPA-PSK [TKIP] + WPA-PSK [AES]

All of those above are WPA2/PSK.

[Unquestionably Confused]

On 12/23/2015 9:09 AM, Ed Pawlowski wrote:
> On 12/23/2015 3:39 AM, Micky wrote:
>
>> What could an outside force do to your kid? Can the game display

[snip]

>> their parents say. But if they are 12 and the parent is telling them
>> what to do, it will be for some kids a challenge to do the opposite,
>> because they dont' like being lectured. That's why parents should
>> talk to each other in front of the kids. There are adequate
>> conversation starters in the news.
>>
>>
>
> You have a good point.
> When my son was in his late teens my wife was cleaning in his bedroom
> and found condoms. She said I should have a talk with our son. I
> replied, "I did and evidently he listened".

LOL!

Aw, c'mon, Ed, don't be a spoilsport. Won't you share her response to
that "perfect squelch" with us?

[Oren]

On Wed, 23 Dec 2015 12:41:36 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

Encrypted packets will be scrabbled, so it is even more secure...

"...Another way to protect your network traffic from being
sniffed is to use encryption such as Secure Sockets Layer (SSL) or
Transport Layer Security (TLS). Encryption doesn't prevent packet
sniffers from seeing source and destination information, but it does
encrypt the data packet's payload so that all the sniffer sees is
encrypted gibberish. Any attempt to modify or inject data into the
packets would likely fail since messing with the encrypted data would
cause errors that would be evident when the encrypted information was
decrypted at the other end."

[Don Y]

On 12/23/2015 7:54 AM, Paul M. Cook wrote:
> On Wed, 23 Dec 2015 04:19:59 -0800, DerbyDad03 wrote:
>
>> It's not a question of what could be done to the device, it's whether or
>> not that device is allowing access to the home's network. Once inside
>> the network it may be possible to gain access to other computers.
>
> Exactly. I'm not worried about the kid being attacked.
>
> I'm worried about the attacker coming in through the port 9000 of the
> IP address 192.168.1.5 which, at least today, is the Sony Playstation
> (but it could have been any computer on the day of the attack since
> I have DHCP).

>
> Once the attacker is on the router, they can potentially get to any
> computer or monitor anything or watch or whatever the reason they
> got in for.

Your attack surface is *anything* that can be exposed and/or
infiltrated from the outside.

There may be an exploit *on* the PlayStation that is being
probed (or, actively being USED!). If <something> can get
a foothold, anywhere, then it can advance from there further
into your internet.

Your son's -- along with your own -- activities OUTSIDE your
personal internet make your "public" IP address (the one on the
upstream side of your router) visible to external entities.

[unless you are double NAT'ed by your upstream provider]

Anything that your "house" (network) talks to now knows where
you are. Likewise for anything you talk *through* (e.g.,
any of your provider's equipment, any other routers on
The Internet, etc.). You've in effect, said, "Here We Are!"

This is just common sense: if you wanted something *from*
something (else) on The Internet, you had to contact that
<something> and, in doing so, provide a means by which it could
deliver a REPLY to *you* (and not your neighbor, the guy down the
block, etc.)

> That there were *many* similar attacks at roughly the same time is
> what worries me also.

They may not be "attacks". They may be *probes* -- machines trying to
connect to the machine in question to determine if an exploit is
"available", there ("Hmmm... let me see if I can infiltrate this
particular machine at this particular IP address by taking advantage
of a BUG that exists in its software; a bug that I can tickle by
doing THIS!...")

It may also be "normal operation" for some application that is
running on that machine. Or, that *was* running, there.

You'd actually have to use a packet sniffer to examine the
actual messages being sent to the machine/port in question
and hope to recognize them as hostile or benign.

Of course, if the messages originate at HackersRUs.com, that
cold give you a heads up! :>

> But, mostly, I am just wanting to know *what* happened, which, from
> the log files, I can't tell - but that's why I asked. I don't know
> how to correctly *interpret* this particular set of errors.

Some possible scenarios (without examining the IP's in detail) without
trying to be exhaustive nor in any particular order:

- Someone (your son?) is participating in an online, multiagent activity
(e.g., game) and the nature of the activity requires others to share
information about each participant's actions, etc.

This can be done with a large, single-server that handles every player
currently engaged in that activity. Each person (player) connects to that
server and learns what is happening in the activity, interacts with
that server which, in turn, informs the other players of his activities
while informing *him* of their activities.

This would manifest (in your logs) as lots of traffic to a single IP;
the IP of the "server" for that activity (game).

But, this sort of approach doesn't "scale well". It requires a single
server to handle all of the activities of EVERYONE participating in
that shared event! As more folks want to participate, things can get
sluggish -- more work for the server in the same amount of time!

This can be alleviated, to some extent, by hiding a BUNCH of servers
behind a single address (a "cluster") and *internally* splitting
out the work to different physical machines. This is how google
can appear to be so fast -- there are literally thousands of machines
handling all those requests yet giving the illusion of a single one!

But, it still funnels all network traffic to a single point. So,
makes the "shared activity" more vulnerable to network congestion.
A bottleneck at any point is reflected back to the participants
as a "pause"/hiccup in normal operation. For an INTERACTIVE activity,
this is highly undesireable. You don't want the activity to appear
to progress in fits and spurts!

And, it's not very reliable: the server crashes (or, it's single
external contact point) and the world ends!

So, you *distribute* the activity to other servers -- potentially
in physically distant locations! They talk with each other
(directly or indirectly) to coordinate their knowledge of
The Activity and also communicate with the participants to
inform them of the current state of the activity as well as
get input regarding their desired actions.

This could explain why several different IP's are connecting to your
machine -- each trying to update some information about your
actions *or* update the software in your machine regarding their
"models" of the current state of the activity, from their individual
points of view.

They may simply be trying to determine if you're "still playing".

- Something has made some *other* thing aware of your presence
and that other thing has informed still others of your location.
E.g., you connected to an application's server and it has told
other entities about your whereabouts -- for whatever purpose.
They are then attempting to connect to an application in your
machine (one that is expected to be listening on port 9000)
to offer their services. E.g., they may be "advertising"
shared activities (see above) that are currently happening on
their servers so you can opt to join in.

- Something is aware of your presence and is trying to probe a
potential weakness/exploit on your system by connecting to some
buggy software that is currently listening on port 9000. Based
on how/if you respond to its probes, it may refine its probes
to more specifically target your particular version of said
software ("Ah, he's running version XYZ! That one has patched
this old bug but hasn't, yet, patched this *new* bug! Let me
try to get in using this OTHER trick...")

- Something is just hammering away at everything it finds in
the hope that it encounters something that it can use (abuse).
This, for example, is how spam works: send it to EVERYONE and
hope *someone* is foolish enough to reply!

- Something in your machine (malware?) is reaching out and INVITING
others to connect to it -- for whatever purpose. It may be
part of a distributed command and control cluster that is delivering
SPAM to folks. Or, actively targeting a defense contractor. Or...

> We're all just guessing. And that's bad.

That's why network security is hard! Most folks don't have the
tools *or* the expertise to understand what is happening. Nor
the vigilance to catch it *as* it is happening!

Next time you grumble about some highly publicized "breach",
imagine what it's like for the security folks at some of these
"ripe targets" trying to sort through millions of contacts
each hour and determine which are malicious vs. benign!

[Don Y]

On 12/23/2015 9:22 AM, Oren wrote:
> On Wed, 23 Dec 2015 10:06:04 -0500, "Paul M. Cook" <pmc...@gte.net>
> wrote:
>
>> On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:
>>
>>> Playing on-line game? Kids do most of time.
>>
>> Maybe. But is *that* what the error message says?
>>
>> I guess I need to *experiment*, by asking the kid to play a few
>> games and then watch the router log file.
>>
>> What is worrisome is that some of the entries don't come from
>> what I'd expect an online game to come from, e.g., Brazil,
>> Mexico, Japan, France, etc.
>>
>
> Personally, I would turn off DHCP and manually give each machine a
> static IP number. Any outside machine connecting to your network is
> being issued an IP number.

No. The (local) DHCP service is not "offered" on the upstream ports.
I.e., the physical connections to the router determine what services
are available to that physical connection. So, a DHCP request won't
be "seen" coming in on the upstream port.

Additionally, DHCP is UDP-based. Most providers won't route
unsolicited UDP through to their clients. Otherwise, all of
the "lightweight" protocols would flood The Internet with
messages that are meaningless in a global sense (*my* machine
wouldn't understand some UDP traffic intended for one of *your*
private address machines so why expose that message to me?)

[Oren]

https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>

[Terry Coombs]

Probably similar to my mother's response when she found out Dad's last bit
of advice as I was leaving for boot camp - "If you dip the wick don't
dribble any wax." - which I made even worse by laughing at her ...

--
Snag

[Mayayana]

| Are we talking about the ROUTER "admin" password?
| Or are we talking about the ESSID encryption passcode?
|
| They're different things.
| "I" was talking about the router admin password.
|

Yes. I don't know why people are making this
so complicated. There have been cases of
routers being hacked, sometimes because they're
set with default passwords that don't get
changed. Not a big issue. Just one thing to
make sure you have covered.

[Oren]

On Wed, 23 Dec 2015 10:09:49 -0500, Ed Pawlowski <e...@snet.net> wrote:

>On 12/23/2015 3:39 AM, Micky wrote:
>
>> What could an outside force do to your kid? Can the game display

>> messages on it, like "Come to Syria and kill the infidels. Call
>> 1-800-KIL-L-INF". Frankly I think the people whos say that 12 or 10
>> is not too young to talk to their children about sex, drugs, etc. are
>> missing the mark. What parents should do is talk during dinner to
>> each other about how stupid drug users are and how stupid and selfish
>> those who get someone pregnant when they're not married, and they can
>> do this when the kid is 4 and up and kids will listen to everything

>> their parents say. But if they are 12 and the parent is telling them
>> what to do, it will be for some kids a challenge to do the opposite,
>> because they dont' like being lectured. That's why parents should
>> talk to each other in front of the kids. There are adequate
>> conversation starters in the news.
>>
>>
>
>You have a good point.
>When my son was in his late teens my wife was cleaning in his bedroom
>and found condoms. She said I should have a talk with our son. I
>replied, "I did and evidently he listened".

"... every one you miss is one you don't get." :)

[Don Y]

IP addresses are assigned to the devices and "told" to the outside world
whenever a device tries to communicate. Each message essentially says,
"Hi, I am A.B.C.D trying to contact E.F.G.H on port X". The network
"fabric" (routers, etc.) arranges for the message to be delivered to
the *expected* home of E.F.G.H (the fabric is SMART!). When E.F.G.H
receives the message, it creates a reply that essentially says, "Hi,
A.B.C.D, this is E.F.G.H responding to your request..."

DHCP is a hack that allows addresses to be DYNAMICALLY (the D in DHCP)
assigned *from* an external agency (the DHCP server inside your router,
in this case). This allows the client machines to be ignorant of
their actual IP addresses and makes address management a bit easier.

[Imagine if you wanted to rearrange the addresses that you'd assigned to
machines. You wouldn't want to walk up to each individual machine
and invoke it's "setup" program, type in a new FIXED address/netmask
(gateway, name server, etc. -- lots of things involved besides just
IP address!) and then record all of this on a tattered scrap of paper
(to ensure you don't screw up and assign the same address to two
different machines!!).]

DHCP lets you create "pools" of addresses (your pool is probably something
like 192.168.1.1 through 192.168.1.100 -- or some other arbitrary upper
limit) and have "something" (the DHCP service) keep track of which ones
are currently in use along with which machines are using each of them.
It does this by accepting a DHCP *request* from each machine/client
and, if "unused" addresses remain in the pool, it picks one of those
and assigns it to that client -- informing the client of this
assignment in its reply *to* the client: "Your IP address will
currently be A.B.C.D. Please make a note of it!"

Each assignment is accompanied by a "lease time" -- i.e., this is
yours for, AT MOST, X hours (typically 24). If you intend to
keep it beyond that time, you'd best RENEW your lease or I am
liable to give it out to some other client who comes along
tomorrow!

This greatly simplifies network management. Connect a client
to the network, tell it to use DHCP and then walk away!

It also lets you connect more devices to your network than
you have addresses available -- by allowing addresses to be
REUSED. (but, the maximum number of machines AT ANY INSTANT
is still determined by the number of available IP's)

The alternative is to go to each individual machine (PC, game
console, printer, VoIP phone, etc.) on the network and
manually specify these parameters (IP address, netmask,
gateway, name server(s), etc.). And, in doing so, making
sure you don't create any conflicts (two machines with
the same IP address, incompatible netmasks, DNS servers
that are unreachable, etc.).

OTOH, by doing so, you *know* where each machine is "located"
on the network! A.B.C.D is the PC. A.B.C.E is the Smart TV.
A.B.C.F is the game console. So, you don't have to ask
<something> (the DHCP server) "where is the game console,
today?" before trying to talk to it.

Taken a step further, you can then assign names to each of these
predefined IP addresses. For example, my printers are named
Curly, Larry, Moe, Shemp and Joe. Each has a label affixed
to the front in case I forget which is which. And, my *name*
server (DNS) knows that Curly is 10.0.1.101, Larry is 10.0.1.102,
etc. If I want to send something to the Phaser 8200DP (Shemp),
I can just refer to it by name -- instead of having to remember
an P address *or* "lookup" it's CURRENT IP address.

But, when I bring a new printer (for example) into the house,
I have to find a spot for it in the IP addresses (and come up
with a name that I'll be able to remember -- I've run out
of Stooges! :> )

[Don Y]

The vulnerabilities in DHCP (as well as many other internet protocols)
are on the *local* side. I.e., something *inside* your network
can exploit holes in the protocols.

For example, I can put a machine on my network that *pretends* to
be some other machine and there is no way that any of the rest of
the network will be able to recognize this!

If someone in a crowded room shouts "Oren" and someone ELSE answers,
how does the original party know that it's NOT you? There are no
authentication mechanisms built into the protocol; no credentials
that a concerned party could verify.

So, if that impersonated machine happens to provide some key
*service* (like DHCP), then it can provide a *compromised*
service and none of its clients would be the wiser! (the
first guy to respond to a request is the response that gets
used!)

DHCP does more than just assign an IP address to each client.
It also tells them where other services (e.g., DNS) are
located. So, I can tell "you" that the DNS (name service)
resides at some OTHER address than the address you SHOULD
be using. So, when you try to go to "google.com", the
server that converts "google.com" into an IP address
instead directs you to a server at HackersRUs which masquerades
as google or just blatantly attacks your browser (or whatever
else was trying to connect to google.com).

By hard-coding IP addresses, netmasks, gateways, DNS services,
etc. you raise the bar for an attacker (who is already *inside*
your network).

[Don Y]

On 12/23/2015 7:58 AM, Paul M. Cook wrote:

> I can't tell, from the log, what device had the DHCP given
> address of 192.168.1.5 on the day of the attack.
>
> The router shows "attached devices" but it doesn't show
> a history.

Sometimes there are two different places to look:
- the DHCP page will tell you CURRENT lease holders
- the log will often include "informational" messages
telling you when leases were assigned

The buffer available for a log may not be deep enough to "go back far
enough" to see some old events (depends on how much "traffic"
got injected into the log in the time since the lease was "logged").

Also, some devices allow you to specify which *types* of messages
you want to see in your log.

The actual lease holder is only of minor importance; it tells
you *what* device was targeted or involved in the exchange.
The actual nature of the transaction is still indeterminate;
it can be a legitimate application *or* an exploit running
on *anything*!

(E.g., Philips has some high end color-adjustable LED light
bulbs that can be attacked, remotely. Would you think of
them as a likely "target" on your network? :> )

[Oren]

My point was that I "personally" do not use DHCP on my home machines.
I manually give them a non-routable IP number. You will not be issued
an IP from my router if you try to get in from a parked car outside.
Plus you need a password (serial number of the router) to connect.

...."raise the bar for an attacker".

[Danny D.]

Micky wrote, on Wed, 23 Dec 2015 11:24:16 -0500:

> I noticed that because some families have so many wireless devices,
> they've redesigned routers and now many are 100 to 200 dollars.

You can't go wrong with almost any "ac" router nowadays.
An "ac1200" router will be just fine for almost any household.

[Don Y]

On 12/23/2015 9:15 AM, M. Stradbury wrote:

> On Wed, 23 Dec 2015 10:17:10 -0500, Mayayana wrote:
>
>> First, do you have a good, long password for
>> your router? You should. Maybe 20 characters
>

> Which router password are you talking about?

>
> 1. The Admin password?
> 2. The SSID WPA2/PSK passphrase?

There are several issues.

First, the SSID is effectively public. Even if you turn off SSID
broadcasts, it's trivial to detect your SSID. So, any sort of
access control you expect to gain from *hiding* it is laughable!
Likewise, making it "obscure" -- "sdsf0gl9k2345s0d" -- won't
buy you anything.

The administrator's password is used to access the configuration
parameters (usually via a web interface) in the router/appliance.
So, if it is guessable (e.g., left at the default setting),
then anyone determined to do so can access that page and
reconfigure the router to their goals. (details omitted, here).

Some routers also have provisions for *remote* administration.
I.e., they expose the web interface to the outside world so
some remote agency can manage the router on your behalf
(think "cable modem"). Leaving this access "enabled" exposes
more attack surface to "the outside"; folks you probably trust
a lot less than the ones sitting in your bedrooms, office, etc.!

The "shared secret" passkey is, in theory, confidential -- assuming
the router's configuration pages can't be accessed! However,
a determined adversary can get past this, as well. There are
(paid) services that will deliver you the secret passphrase for
some given "sniffed" traffic in 24 hours (48 if you want to
save a few dollars). As most folks don't change their passphrases
often (every day?), this is a viable attack vector (is your
stuff "worth" $X of someone else's money??)

If you have *physical* access to a device (router/appliance/PC/etc.)
then the bar is much lower. E.g., it's usually pretty trivial to
go poking around someone's "locked" PC.

Moral: don't put anything valuable anyplace folks can get to it!

[Don Y]

> ....."raise the bar for an attacker".

I have the radios in my routers disabled. The only way onto my network
is by being inside the house.

My new "switch" goes even farther and puts a dedicated packet filter
(like a single port firewall) on *each* connection to the switch.
So, if you're sitting in the guest bedroom, you can talk to the
outside world but nothing else in the house!

[Danny D.]

Don Y wrote, on Wed, 23 Dec 2015 12:57:02 -0700:

> First, the SSID is effectively public. Even if you turn off SSID
> broadcasts, it's trivial to detect your SSID. So, any sort of
> access control you expect to gain from *hiding* it is laughable!
> Likewise, making it "obscure" -- "sdsf0gl9k2345s0d" -- won't
> buy you anything.

Jeff Liebermann knows this stuff much better than I do, but here
is what he taught me.

WORSE THAN YOU SAID:

1. If you hide your SSID, then your laptop has to look for it on
purpose, which it dutifully does (that's how it finds it).
However, that also means that when you boot your laptop at
Starbucks, it *still* looks *first* for your hidden IP (because
your laptop has no idea you're at Starbucks yet). Only after
your laptop can no longer find the SSID it wanted first, does
the laptop look for *other* broadcast SSIDs.

Hence, you have *worse* privacy at a hotspot when you decide
to not broadcast your SSID at home.

MOSTLY TRUE WHAT YOU SAID:
2. Making your SSID obscure is critical if you want to stay out
of rainbow hash tables. Anyone who knows YOUR SSID already
can download a hash table that allows them to log into your
router using the SSID as a "salt".

So you really really really want to have a UNIQUE ESSID!
https://security.stackexchange.com/questions/92903/rainbow-tables-hash-tables-versus-wpa-wpa2

MORE CONSIDERATIONS:
3. In addition, you don't want your unique ESSID to pinpoint
you, so don't name it after your last name or your address.

4. One more thing, the BSSID (i.e., the MAC address) of your
router is what Google puts into its database when that
spycar drives down your road. Short of putting up a sign
saying "private road", you can't stop them from driving
past your home and gathering your BSSID and those of your
neighbors.

One thing you can do is change your ESSID to have "_nomap"
on the end of it, which Google says they won't keep. Yes,
I know, they expect the entire world to opt out manually
that way, which is silly, but that's what they do.

Otherwise, you'll need to change *both* your ESSID and
your BSSID (MAC address) periodically, so that Google
databases no longer have accurate records. (You can't
do anything about your stupid neighbors though, so,
you're already doomed.)

[Don Y]

On 12/23/2015 1:06 PM, Danny D. wrote:

[big snip]

> Otherwise, you'll need to change *both* your ESSID and
> your BSSID (MAC address) periodically, so that Google
> databases no longer have accurate records. (You can't
> do anything about your stupid neighbors though, so,
> you're already doomed.)

There are no free lunches. Said another way, there's no
such thing as "win/win".

Wireless makes life easier for users -- no cords, etc.
As such, it comes with a cost (privacy, vulnerability
to DoS, eavesdropping, etc.).

I have three wireless access points scattered around the
house (typically affixed to the ceilings in closets so
they are unobtrusive yet give me good coverage, if
needed). The radios in each are always "OFF". Every
machine, here, uses a hardwired network drop (I have
72 of them; 24 are "available" for devices/48 are
dedicated to specific devices -- and that doesn't count
the network switches *in* individual rooms that act
as port multipliers). They exist primarily for "guests"
who are willing to expose their traffic for the
convenience of not being tethered to a particular network
drop (though you can "plug in" virtually anywhere in
the house with a 10 ft patch cord!).

I have my own OUI so that gives me a bit of obscurity
but, by the same token, uniquely identifies *my* stuff!
(in the privacy world, you want to be COMMONPLACE,
*not* unique! :> )

I've given serious consideration to painting the interior
walls with aluminized paint to block "RF leakage" but
fear that may eventually result in a problem -- someone
trying to dial 911 from a cell phone and getting "no signal",
etc.

So, the wireless appliances that I've been developing
use proprietary protocols -- google can sniff away
and not be able to identify anything (other than
"something wacky happening in this vicinity"). Fortunately,
this isn't done to confound google but, rather, to offer
capabilities that existing protocols *don't* offer!
(As such, it's not a "wasted effort" but, rather, an
"essential effort")

[Micky]

On Wed, 23 Dec 2015 12:43:31 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

Well, I just googled and there is something called
SMTP Server / IP Address


How to Find My SMTP Server IP Address
http://www.ehow.com/how_5810894_smtp-server-ip-address.html
Click "Start," then "Run" and type "cmd" in the box that appears.

Press enter. A command window will appear.

Type "ping," a space and then the name of your SMTP Server. For
example, type "ping smtp.server.com" and press "Enter." The window
will then try to contact the SMTP server by the IP address. It will
say, "Pinging x.x.x.x with 32 bytes of data." The "x.x.x.x" will be
the SMTP server's IP address.


So I'm debating whether I should put [ ] around the number and then it
turns out, even without the [ ] there isn't enough room for the
entire number!! Even thnough it's the standard length 3,2,3,3 = 11
plus 3 dots. So I removed the smtp value and put only the IP
address, and sent it, and that didnt' work either.

[Sam E]

[snip]

> Encrypted packets will be scrabbled, so it is even more secure...

Scrabbled? You mean your router adds randomly-chosen letters to make new
words?

[snip]

--
2 days until the winter celebration (Friday December 25, 2015 12:00:00
AM for 1 day).

"[O]ld beliefs die hard even when demonstrably false." Edward O. Wilson,
Consilience: The Unity of Knowledge, (First edition, New York: Alfred A.
Knopf, 1998), p. 256.

[Mark Lloyd]

On 12/23/2015 01:57 PM, Don Y wrote:

[snip]

> First, the SSID is effectively public. Even if you turn off SSID
> broadcasts, it's trivial to detect your SSID. So, any sort of
> access control you expect to gain from *hiding* it is laughable!
> Likewise, making it "obscure" -- "sdsf0gl9k2345s0d" -- won't
> buy you anything.

SSID blocking will still deter the 99% (or more) of people who don't
know how to detect it, or don't even know there's a network there.
Still, I don't consider it worthwhile (security / usability tradeoff),
and would not use it if better security is available.

[snip]

--
2 days until the winter celebration (Friday December 25, 2015 12:00:00
AM for 1 day).

Mark Lloyd
http://notstupid.us/

"An idea is an eye given by God for the seeing of God. Some of these
eyes we cannot bear to look out of, we blind them as quickly as
possible." [Russell Hoban, "Pilgermann"]

[Mark Lloyd]

[snip]

> I have the radios in my routers disabled. The only way onto my network
> is by being inside the house.

There used to be several wireless networks around here where the SSID,
password, and router password were left at the default. It appeared that
those people never used WiFi.

> My new "switch" goes even farther and puts a dedicated packet filter
> (like a single port firewall) on *each* connection to the switch.
> So, if you're sitting in the guest bedroom, you can talk to the
> outside world but nothing else in the house!
>

[Oren]

On Wed, 23 Dec 2015 14:50:21 -0600, Sam E
<why.sho...@be.email.invalid> wrote:

>> Encrypted packets will be scrabbled, so it is even more secure...
>
>Scrabbled? You mean your router adds randomly-chosen letters to make new
>words?

My bad. I should have said gibberish that looks like Japanese
arithmetic.

[Oren]

On Wed, 23 Dec 2015 13:01:30 -0700, Don Y

....for this house I even turn off Net BIOS and remote access on
machines, too.

[Don Y]

On 12/23/2015 2:01 PM, Mark Lloyd wrote:
> [snip]
>
>> I have the radios in my routers disabled. The only way onto my network
>> is by being inside the house.
>
> There used to be several wireless networks around here where the SSID,
> password, and router password were left at the default. It appeared that those
> people never used WiFi.

Yup. And the vendors were stpid and put defaults in place that made those
wireless services available, by default! Why not simply require the
user to set a password/SSID/whatever BEFORE the service is enabled?

Likewise, why have every unit use the dame default *channels*?
Why not pick those at random? Or, survey the environment and
pick the least *congested* channels??

I have a little WiFi sniffer -- the size of a thumb drive -- that I've
carried around the neighborhood from time to time. It's battery
powered (recharges through a USB port AS a "thumb drive") and has
a small display plus a button or two to cycle through the displays.
Just wander around "sniffing" which neighbors have wireless routers
enabled, what their SSID's are, any other aspects of "advertisements",
etc. Gives me something to do on an otherwise boring circuit around
the neighborhood!

[Oren]

On Wed, 23 Dec 2015 14:58:31 -0600, Mark Lloyd <n...@mail.invalid>
wrote:

>SSID blocking will still deter the 99% (or more) of people who don't
>know how to detect it, or don't even know there's a network there.
>Still, I don't consider it worthwhile (security / usability tradeoff),
>and would not use it if better security is available.

SSID:

FBI Surveillance Van One

Press Alt-4 to Connect

Wireless G Spot

[Don Y]

On 12/23/2015 1:58 PM, Mark Lloyd wrote:
> On 12/23/2015 01:57 PM, Don Y wrote:
>
> [snip]
>
>> First, the SSID is effectively public. Even if you turn off SSID
>> broadcasts, it's trivial to detect your SSID. So, any sort of
>> access control you expect to gain from *hiding* it is laughable!
>> Likewise, making it "obscure" -- "sdsf0gl9k2345s0d" -- won't
>> buy you anything.
>
> SSID blocking will still deter the 99% (or more) of people who don't know how
> to detect it, or don't even know there's a network there. Still, I don't

Yes. But so will a passphrase.

> consider it worthwhile (security / usability tradeoff), and would not use it if
> better security is available.

I find looking at SSID's that folks have chosen to be entertaining
(using my little WiFi sniffer mentioned elsewhere).

"Penny's_Room"
"Cornali_WiFi"
"SSID-123"
"MrStudley"
etc.

People don't think about the sorts of information they "leak" with these
voluntary choices!

My best friend in school had a license plate:
FML mdd
First Middle Last initial
BIRTH mONTH ddAY

Really? So, you want everyone to know who you are and your birthdate?
Give me a couple of tries and I can probably guess the year -- from
your appearance and other things you leak about yourself! :<

[John Robertson]

On 12/23/2015 7:06 AM, Paul M. Cook wrote:
> On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:
>
>> Playing on-line game? Kids do most of time.
>
> Maybe. But is *that* what the error message says?
>
> I guess I need to *experiment*, by asking the kid to play a few
> games and then watch the router log file.
>
> What is worrisome is that some of the entries don't come from
> what I'd expect an online game to come from, e.g., Brazil,
> Mexico, Japan, France, etc.
>
>

Turn OFF PING BACK.

In case it isn't already off. Then ask your IP for a new address - which
can be as simple as turning off your broadband router for five minutes.

John :-#)#

--
(Please post followups or tech inquiries to the USENET newsgroup)
John's Jukes Ltd. 2343 Main St., Vancouver, BC, Canada V5T 3C9
(604)872-5757 or Fax 872-2010 (Pinballs, Jukes, Video Games)
www.flippers.com
"Old pinballers never die, they just flip out."

[Tony Hwang]

John Robertson wrote:
> On 12/23/2015 7:06 AM, Paul M. Cook wrote:
>> On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:
>>
>>> Playing on-line game? Kids do most of time.
>>
>> Maybe. But is *that* what the error message says?
>>
>> I guess I need to *experiment*, by asking the kid to play a few
>> games and then watch the router log file.
>>
>> What is worrisome is that some of the entries don't come from
>> what I'd expect an online game to come from, e.g., Brazil,
>> Mexico, Japan, France, etc.
>>
>>
>
> Turn OFF PING BACK.
>
> In case it isn't already off. Then ask your IP for a new address - which
> can be as simple as turning off your broadband router for five minutes.
>
> John :-#)#
>

If you are worried, block the port and see what happens.

[ssinzig]

Paul M. Cook wrote:
> Does this activity found accidentally in my home broadband wireless
> router log seem suspicious to you?
>
> Here is a screenshot of the suspicious log entries:
> https://i.imgur.com/iZm1CCq.jpg
>
> When "I" log into my router, I see a line like this: [Admin login]
> from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
>
> But, I see the following (suspicious?) activity in my log file: [LAN
> access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000,
> Saturday, Dec 19,2015 06:42:41 [LAN access from remote] from
> 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015
> 06:41:54 [LAN access from remote] from 101.176.44.21:1026 to
> 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19 [LAN access from
> remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec
> 19,2015 06:34:19 [LAN access from remote] from 2.133.67.47:11233 to
> 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19 [LAN access from
> remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec
> 19,2015 06:34:19 [LAN access from remote] from 148.246.193.87:9000 to
> 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19 [LAN access from
> remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec
> 19,2015 06:34:16 [LAN access from remote] from 1.78.16.174:47891 to
> 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16 [LAN access from
> remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec
> 19,2015 06:34:16 [LAN access from remote] from 82.237.141.86:9000 to
> 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16 [LAN access from
> remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec
> 19,2015 06:34:11 [LAN access from remote] from 216.98.48.95:11020 to
> 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31
>
> I don't know what this really means: "LAN access from remote".
>
> Looking at the router wired & wireless list of devices, 192.168.1.5
> seems to not be attached at the moment.
>
> But, looking back, I can determine (from the MAC address) that it's
> my child's Sony Playstation (which has "UPNP events" whatever they
> are):
>
> [UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday,
> Dec 19,2015 06:32:28 [DHCP IP: (192.168.1.5)] to MAC address
> F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18 [DHCP IP:
> (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Tuesday, Dec 22,2015
> 16:17:47 [UPnP set event: Public_UPNP_C3] from source 192.168.1.5,
> Tuesday, Dec 22,2015 16:46:15
> ***************************************************************** Can
> you advise me whether I should be worried that there are many LAN
> accesses from a remote IP address to a kid's Sony Playstation?
> *****************************************************************
>


You are seeing outside devices the "[LAN access from remote] from
93.38.179.187:9000" part, using port 9000 the ":9000 " part and trying
to connect to your child's sony playstation. Presumably he or she is
playing a game on-line and there is some sort of interactive content,
maybe voice or video message chat or something.

Since your router appears to support UPNP, it is probably automatically
opening connections on this port to allow network traffic like I
described above (some sort of online in-game chat or something).

I don't think it is something to be too concerned about, but if you are
concerned about this type of network traffic, you could either disable
UPNP on your router or maybe disable port 9000 in the firewall rules (if
the router supports this) of course this may disable the online gaming
capability of the sony playstation, much to your childs' dismay.

Video games consoles that connect to the internet are likely sending all
sorts of traffic back and forth through your router. You might try
looking up what types of services typically use port 9000. I bet you
find that it is a typical port used by sony playstions for on-line
gaming. As everything from refrigerators to thermostats go online there
will be much more unidentifiable traffic going through our routers.


Best of luck,

S Sinzig.

[Uncle Monster]

I've read that women have a G spot. Does that mean you must have the correct password in order to connect with them? ⊙.☉

[8~{} Uncle Puzzled Monster

[Paul M. Cook]

On Wed, 23 Dec 2015 17:22:30 -0500, ssinzig wrote:

> I don't think it is something to be too concerned about, but if you are
> concerned about this type of network traffic, you could either disable
> UPNP on your router or maybe disable port 9000 in the firewall rules

I disabled UPNP.
I'll tell the kid to watch out for stuff not working.

[Oren]

On Wed, 23 Dec 2015 14:26:50 -0800 (PST), Uncle Monster
<uncl...@gmail.com> wrote:

>> SSID:
>>
>> FBI Surveillance Van One
>>
>> Press Alt-4 to Connect
>>
>> Wireless G Spot
>

>I've read that women have a G spot. Does that mean you must have the correct password in order to connect with them? ?.?
>
>[8~{} Uncle Puzzled Monster

Is that like the "giddy up" button?

[Micky]

On Wed, 23 Dec 2015 11:24:16 -0500, Micky <NONONO...@bigfoot.com>
wrote:

>On Wed, 23 Dec 2015 11:02:44 -0500, "Paul M. Cook" <pmc...@gte.net>
>wrote:
>
>>On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:
>>
>>> Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>>> 70-3E-AC-DE-14-94
>>> Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
>>> 70-3E-AC-DE-14-94
>>>
>>> So who is Dennis? 5 in the morning?
>>> That's my time, right? or GMT?
>>
>>I just logged into my Netgear WNDR3400v2 router, and went to the
>>advanced tab of Administration > Logs
>>
>>It says on top of the window what time it "thinks" it is:
>> Current Time: Wednesday, Dec 23,2015 08:03:08
>
>Mine doesn't show the time anywhere, but if yours shows the current
>time, that's good enough for me.

I figured out a way to verify the time zone, and that's to watch the
log for a new event, or to create a new event, like by trying to send
an email (since I have all 5 kinds of events checked now).

So I did that a couple hours ago and the time that showed in the log
was 7 minutes later than the current time!

I went out for a couple hours and when I tried it just now, the time
the log showed was 11 minutes later than the current time.

Put that in your pipe and smoke it.

>>Looking at the clock, that's the local time in my time zone.

[Oscar]

On Wed, 23 Dec 2015 18:19:36 -0500, Micky wrote:

> I went out for a couple hours and when I tried it just now, the time
> the log showed was 11 minutes later than the current time.

How do you know which one was right?

This is the current time...

http://www.time.gov/

[Micky]

On Wed, 23 Dec 2015 23:50:41 -0000 (UTC), Oscar <os...@notme.invalid>
wrote:

>On Wed, 23 Dec 2015 18:19:36 -0500, Micky wrote:
>
>> I went out for a couple hours and when I tried it just now, the time
>> the log showed was 11 minutes later than the current time.
>
>How do you know which one was right?

The current time was my computer which has maybe never been wrong, but
I checked it with my atomic clock, satellite clock whatever it is.

So, how was it 7 minutes later in the log than in reality? Later
meaning it had not yet reached that time.

And why did that change to 11 minutes?

[Uncle Monster]

Yea, it's supposed to make them very giddy when pressed. ヽ(^o^)ノ

[8~{} Uncle Woopy Monster

[Oren]

On Wed, 23 Dec 2015 17:17:04 -0800 (PST), Uncle Monster
<uncl...@gmail.com> wrote:

>> >> Wireless G Spot
>> >
>> >I've read that women have a G spot. Does that mean you must have the correct password in order to connect with them? ?.?
>> >
>> >[8~{} Uncle Puzzled Monster
>>
>> Is that like the "giddy up" button?
>

>Yea, it's supposed to make them very giddy when pressed. ?(^o^)?
>
>[8~{} Uncle Woopy Monster

Thought so. Like the hooray bone when bumpin' uglies.

[Micky]

On Wed, 23 Dec 2015 12:35:09 -0700, Don Y
<blocked...@foo.invalid> wrote:

>On 12/23/2015 7:58 AM, Paul M. Cook wrote:
>
>> I can't tell, from the log, what device had the DHCP given
>> address of 192.168.1.5 on the day of the attack.
>>
>> The router shows "attached devices" but it doesn't show
>> a history.
>
>Sometimes there are two different places to look:
>- the DHCP page will tell you CURRENT lease holders
>- the log will often include "informational" messages
> telling you when leases were assigned
>
>The buffer available for a log may not be deep enough to "go back far
>enough" to see some old events (depends on how much "traffic"
>got injected into the log in the time since the lease was "logged").
>
>Also, some devices allow you to specify which *types* of messages
>you want to see in your log.
>
>The actual lease holder is only of minor importance; it tells
>you *what* device was targeted or involved in the exchange.
>The actual nature of the transaction is still indeterminate;
>it can be a legitimate application *or* an exploit running
>on *anything*!
>
>(E.g., Philips has some high end color-adjustable LED light
>bulbs that can be attacked, remotely. Would you think of
>them as a likely "target" on your network? :> )

I've always hated colored light bulbs, ever since my pet rabbit Snooky
was attacked by a gang of them.

[Micky]

On Wed, 23 Dec 2015 12:27:36 -0600, "Terry Coombs" <snag...@msn.com>
wrote:

>Unquestionably Confused wrote:
>> On 12/23/2015 9:09 AM, Ed Pawlowski wrote:
>>> On 12/23/2015 3:39 AM, Micky wrote:
>>>
>>>> What could an outside force do to your kid? Can the game display
>>
>> [snip]
>>
>>>> their parents say. But if they are 12 and the parent is telling
>>>> them what to do, it will be for some kids a challenge to do the
>>>> opposite, because they dont' like being lectured. That's why
>>>> parents should talk to each other in front of the kids. There are
>>>> adequate conversation starters in the news.
>>>>
>>>>
>>>
>>> You have a good point.
>>> When my son was in his late teens my wife was cleaning in his bedroom
>>> and found condoms. She said I should have a talk with our son. I
>>> replied, "I did and evidently he listened".
>>
>> LOL!
>>
>> Aw, c'mon, Ed, don't be a spoilsport. Won't you share her response to
>> that "perfect squelch" with us?
>
> Probably similar to my mother's response when she found out Dad's last bit
>of advice as I was leaving for boot camp - "If you dip the wick don't
>dribble any wax." - which I made even worse by laughing at her ...

My father died when I was little** but one of the last things my
motehr said before I went off to college was, The girl has more to
lose than the boy does by getting pregnant so it's at least half her
responsibility not to get pregnant.

But a couple years later when it came up that I had had sex with
girls, she sounded disapproving. Huh? So what did your advice
mean? I don't remember if I reminded her of what she's said.


**And my uncle had a total of one conversation more than 2 sentences
with me from the time I was 10, when we moved to his city, until 18,
and that was by accident. Even less in other years.

[Adrian Caspersz]

I suspect he'll tell you first ...

If you are that worried about it, why not put the Playstation in your
DMZ and firewall everything else reaching your LAN? Your kid would get
better gameplay that way.

--
Adrian C

[Don Y]

So, you open the doors to anything that wants access to that piece of kit?
Then, wonder if any exploits will be launched from *there* into the rest of
your network?

Principle of Least Privilege/authority should apply to EVERYTHING.
Yeah, that makes it a bit more tedious to do things *right*. And
so do the lines on the roadway interfere with "driving wherever
you want"!

[Mark Lloyd]

On 12/23/2015 02:32 PM, Don Y wrote:

[snip]

> Wireless makes life easier for users -- no cords, etc.
> As such, it comes with a cost (privacy, vulnerability
> to DoS, eavesdropping, etc.).

And Don't forget complexity (two transceivers, RF link, etc..) means
Wireless is a lot more complex than a few copper wires. More to go wrong.

That's why I know there's something wrong when people just say they want
WiFi for something like a desktop PC, printer, or DVR where wired is
nearly always a better choice.

[snip]

--
1 day until the winter celebration (Friday December 25, 2015 12:00:00 AM

for 1 day).

Mark Lloyd
http://notstupid.us/

"Heaven might be defined as a place men avoid." -- Henry David Thoreau
(1817-1862), Excursions, 1863

[Mark Lloyd]

On 12/23/2015 03:38 PM, Don Y wrote:

[snip]

> Yes. But so will a passphrase.

Yes, it will. The point of what I posted is that SSID blocking is NOT
useless. I didn't say anything about it being better than anything else.

>> consider it worthwhile (security / usability tradeoff), and would not
>> use it if
>> better security is available.
>
> I find looking at SSID's that folks have chosen to be entertaining
> (using my little WiFi sniffer mentioned elsewhere).
>
> "Penny's_Room"
> "Cornali_WiFi"
> "SSID-123"
> "MrStudley"
> etc.
>

Here, I have (current SSID list):

notstupid1
AlsoNotTheWifiYou'reLookingFor
Cisco80710
FBI Surveillance
Karma WiFi


I know I'm missing some since this isn'a a dual-band WiFi card.

[snip]

--
1 day until the winter celebration (Friday December 25, 2015 12:00:00 AM

for 1 day).

Mark Lloyd
http://notstupid.us/

[Don Y]

On 12/24/2015 1:45 PM, Mark Lloyd wrote:
> On 12/23/2015 02:32 PM, Don Y wrote:
>
> [snip]
>
>> Wireless makes life easier for users -- no cords, etc.
>> As such, it comes with a cost (privacy, vulnerability
>> to DoS, eavesdropping, etc.).
>
> And Don't forget complexity (two transceivers, RF link, etc..) means Wireless
> is a lot more complex than a few copper wires. More to go wrong.
>
> That's why I know there's something wrong when people just say they want WiFi
> for something like a desktop PC, printer, or DVR where wired is nearly always a
> better choice.

Neighbor's alarm system is wireless. This, of course, makes sense
from the standpoint of the folks who want to sell the *service*
("Only $29.95/month -- in perpetuity!") and want to keep the
"cost of admission" (installation) low -- soas not to discourage
potential suckers ^H^H^H customers; stringing wire to every door
and window would quickly eat any profit they might glean in the
following *decade*!

OK, so I'm sure (?) the system designers put some effort into
dealing with "loss of connectivity" -- i.e., if they don't get
a periodic "report" from each node, they probably err on the
side that there *might* be a break-in.

[The approach of sitting passively and waiting for a sensor to
signal an *exception* is too easily hacked; you want positive
confirmation that "all is well" in addition to "exception"
reporting]

And, I'm sure they figure any "outages" in the normal course of events
are few and far between. "Noise" that they can ignore or absorb
as part of the cost of doing business...

So, what happens if someone sits out front in their vehicle and
jams the band these devices communicate over? (wouldn't be hard
to determine) Doesn't enter the property. Just sits nearby
and mucks with the operation of the system. Does it report an
intrusion attempt? Does it just set a flag for the homeowner
("Check sensors")?

What happens if you do this every day? When does the nuisance
factor (assume the police are NOT notified of each of these
"alarms", just the homeowner) cause the homeowner to abandon
the system? I.e., an adversary has compromised their "investment"
without putting himself at risk...

I have a PLC modem that I use, in a pinch, to avoid running a
cable from <someplace> to <someplace else>. Plug the transceivers
into the wall socket "here" and "there"; plug the two devices into
the two transceivers and, magic! Exploit the power line to connect
A to B.

But, I'd never rely on it -- anymore than I'd rely on wireless.
(there are lots of limitations) It's not a "closed" system.

[Don Y]

On 12/24/2015 1:56 PM, Mark Lloyd wrote:
> On 12/23/2015 03:38 PM, Don Y wrote:
>
>> Yes. But so will a passphrase.
>
> Yes, it will. The point of what I posted is that SSID blocking is NOT useless.
> I didn't say anything about it being better than anything else.

I'm averse to anything that doesn't *really* address problems.
If it only deals with some of them, then it's a false sense of
security; you never know when/if someone "smart" is going to
come along and catch you with your pants around your ankles!

>>> consider it worthwhile (security / usability tradeoff), and would not
>>> use it if
>>> better security is available.
>>
>> I find looking at SSID's that folks have chosen to be entertaining
>> (using my little WiFi sniffer mentioned elsewhere).
>>
>> "Penny's_Room"
>> "Cornali_WiFi"
>> "SSID-123"
>> "MrStudley"
>> etc.
>
> Here, I have (current SSID list):
>
> notstupid1
> AlsoNotTheWifiYou'reLookingFor
> Cisco80710
> FBI Surveillance
> Karma WiFi
>
> I know I'm missing some since this isn'a a dual-band WiFi card.

My favorite is "Free WiFi".

Really?? (not!)

Time to get busy crafting SWMBO's XMAS card. She didn't appreciate
the humor in last year's so I'll have to be a bit more careful! :<

Holly Hapidays!

[Tony Hwang]

Some one is connceting to one of your device connected. (192.168.1.5
what is this in your family?) using port 9000. You can trace route the
other ip address to see what or who this belongs to. Trace route is a
DOS command.

[Micky]

On Wed, 23 Dec 2015 12:57:02 -0700, Don Y
<blocked...@foo.invalid> wrote:

>
>Some routers also have provisions for *remote* administration.
>I.e., they expose the web interface to the outside world so
>some remote agency can manage the router on your behalf
>(think "cable modem"). Leaving this access "enabled" exposes
>more attack surface to "the outside"; folks you probably trust
>a lot less than the ones sitting in your bedrooms, office, etc.!

Does this mean I'm better off with
the DSL modem that Verizon gave me and my own wireless router

than with
the combination modem/router that they've been giving out more
recently?

Do I have more security with the first setup?

I have one of the latter too, after a friend's house was hit by nearby
lightning, and she thought the router was no good, and they sent her a
new one before I got involved, but I think it was only the power
adapter, which had an open primary. I was saving it in case my own
router broke.

[Paul M. Cook]

On Thu, 24 Dec 2015 14:56:48 -0600, Mark Lloyd wrote:

> Yes, it will. The point of what I posted is that SSID blocking is NOT
> useless. I didn't say anything about it being better than anything else.

Seems to me, that's a lousy tradeoff.

1. You turn off SSID broadcast at home, but that doesn't deter anyone
who knows what he's doing (since your laptop & phone has to broadcast
your hidden SSID to the router, since the router isn't broadcasting
the SSID to the laptop & phone).

2. And, since your laptop or phone doesn't know when it's at home or
at a local hotspot, your laptop and phone end up broadcasting your
SSID to the whole world when you're away from home.

Seems to me, that's a lousy tradeoff.

It's not privacy.
It's just stupidity.

Or ignorance.

[Paul M. Cook]

On Thu, 24 Dec 2015 18:34:58 -0700, Tony Hwang wrote:

> Some one is connceting to one of your device connected. (

> what is this in your family?) using port 9000. You can trace route the
> other ip address to see what or who this belongs to. Trace route is a
> DOS command.

The 192.168.1.5 IP address belonged to the Sony Playstation.
So, for some reason, the port 9000 was being used.

What does this mean though?
Is this correct?

Assuming my static public IP address was 1.2.3.4, does this mean that someone,
on the Internet, was going to 1.2.3.4:9000, which, somehow (via magic of upnp?)
hit my router and then the router "port forwarded" it to the Sony Playstation at
192.168.1.5 at port 9000?

[Paul M. Cook]

On Thu, 24 Dec 2015 17:06:18 +0000, Adrian Caspersz wrote:

> I suspect he'll tell you first ...
>
> If you are that worried about it, why not put the Playstation in your
> DMZ and firewall everything else reaching your LAN? Your kid would get
> better gameplay that way.

I've heard the word "DMZ" for years, but I really don't know what it is.
So, AFAIK, I don't even *have* a DMZ.

My router is set up like most home routers, which is to say the only
thing that is not default is the SSID login/password and admin login/password.

[Tony Hwang]

Hiding SSID increases security? Wrong. Not much really.
Modem/router combo is always worse than separate router.
Put the supplied modem in bridge mode and use your own router.
If you can't or ISP won't put in to bridge mode for you , there is
another way using DMZ in your modem. I have only DOCIS III cable modem,
my router at present is Linksys EA8500 which never went down since
I first boot in summer time. Very stable router.

[Don Y]

An SSID that's not being broadcast will not disclose your AP when
you're not using it.

But, it doesn't buy you much of anything. It's like "being clever"
and NOT hiding your spare key under the door mat -- but, instead,
hiding it in a FAKE ROCK conspicuously placed BESIDES your door mat!

Or, like locking all the doors to your house but leaving the windows
open -- thinking that folks will ONLY check for accessible DOORS...

[Don Y]

On 12/24/2015 9:36 PM, Paul M. Cook wrote:
> On Thu, 24 Dec 2015 17:06:18 +0000, Adrian Caspersz wrote:
>
>> I suspect he'll tell you first ...
>>
>> If you are that worried about it, why not put the Playstation in your
>> DMZ and firewall everything else reaching your LAN? Your kid would get
>> better gameplay that way.
>
> I've heard the word "DMZ" for years, but I really don't know what it is.
> So, AFAIK, I don't even *have* a DMZ.

The DMZ (play on the term "DeMilitarized Zone") is like connecting your
device directly to The Internet -- no packet filtering/firewall rules
applied to the traffic going to/from the device. Those mechanisms
are applied to clients that are NOT in the DMZ.

This is OK for a trusted device. Or, a SACRIFICIAL device (one that
you don't care about its integrity). On some routers, you can achieve
a tad extra performance (throughput) as there is less scrutiny of
the traffic to/from the device).

But, my philosophy is to err on the side of clamping down "too much"
rather than "too little" (or, in the case of DMZ, not at all!)

[Paul M. Cook]

On Thu, 24 Dec 2015 21:49:08 -0700, Don Y wrote:

> An SSID that's not being broadcast will not disclose your AP when
> you're not using it. But, it doesn't buy you much of anything.

I think we're sort of saying the same thing, but, I don't know if
we agree on the broadcast details.

We both agree that telling your ROUTER not to broadcast the SSID
is a false security measure.

But, fact is, you *must* broadcast your SSID somehow.

a. So, either the router broadcasts your SSID.
b. Or your mobile device broadcasts your SSID.

Here's how I understand it to work:

1. Let's assume your SSID is "DonY".
2. Let's assume you told your router *not* to broadcast your SSID.
3. Guess what happens when you boot your laptop?
a. Your laptop shouts out "Hey DonY, are you there?"
b. Your router answers "Yes. I am here. I was being quiet".
c. Your laptop connects to your router by that so-called hidden SSID.

Now, guess what your cellphone does?
HINT: Same thing.

So, guess what happens when you boot your laptop at a starbucks?
HINT: Your laptop shouts out "Hey DonY, are you here?"

So, in effect, an SSID that is not being broadcast *by your router*
at home, is broadcast *by your laptop* both at home, and at Starbucks.

If I'm wrong - someone will explain where - but that's how I understand it.

a. Either the router broadcasts the SSID,
b. Or the device does.

[Don Y]

On 12/24/2015 9:35 PM, Paul M. Cook wrote:
> On Thu, 24 Dec 2015 18:34:58 -0700, Tony Hwang wrote:
>
>> Some one is connceting to one of your device connected. (
>> what is this in your family?) using port 9000. You can trace route the
>> other ip address to see what or who this belongs to. Trace route is a
>> DOS command.
>
> The 192.168.1.5 IP address belonged to the Sony Playstation.
> So, for some reason, the port 9000 was being used.

No, it means someone was *trying* to connect to port 9000 on the Playstation.
If there isn't anything on the Playstation "listening" on port 9000, the
connection will be refused/dropped. Note that the port on the remote
device can be anything! It needn't be "9000". Ports are just sort of
"circuits" and the device can either use a specific one *or* just use
the next one that is CURRENTLY available.

Like when you make a call from your employer; most of the time, the PBX
just gives you "an outside line"... you have no idea *which* line it
will give you. And, you don't care!

OTOH, you *do* care about which line (telephone number) you *call*!

> What does this mean though?
> Is this correct?
>
> Assuming my static public IP address was 1.2.3.4, does this mean that someone,
> on the Internet, was going to 1.2.3.4:9000, which, somehow (via magic of upnp?)
> hit my router and then the router "port forwarded" it to the Sony Playstation at
> 192.168.1.5 at port 9000?

Essentially, yes. In detail... not so much. :>

The router performs Network Address Translation (NAT). "You" (your entire
"house") have a single externally visible IP address assigned by your ISP.
(it may be constant or may change from day to day; it also may be a PRIVATE
address... one that *I* can't see "from here" because it is hiding behind
some other NAT mechanism!)

Each of the machines inside your home have their own IP addresses
ASSIGNED BY YOUR ROUTER (the DHCP service running therein). These
are called "private addresses" and they are very specific. E.g.,
192.168.xxx.yyy in your case. NOWHERE on The Internet will you find
a machine with one of these addresses! Verbotten!

Because of this, your machines can talk to each other with these
private addresses -- and *my* machines, here, can safely use the
exact same addresses without any conflict!

[IP addresses that are VISIBLE on The Internet must be UNIQUE; no two
machines can have the same IP address, there! But, there aren't
enough addresses to handle all of the potential "connections" to
The Internet. So, you put a box (router) between YOUR "internet"
and The Internet which allows you to create an isolated address
domain -- the addresses on YOUR internet are never seen by anyone
outside of your house!]

When one of your machines wants to connect to the outside world
(e.g., to visit google.com), the NAT software in the router
takes the incoming connection from your computer -- let's say
it's that playstation at 192.168.1.5 -- and TRANSLATES it to
a connection that the *router* originates, using the adddress
that your ISP assigned to you (which technically has been
assigned to the "out-side" of your router!).

When traffic comes back on that connection *to* the router
(because the router is the originating entity, as far as
google is concerned), the router massages the message and
passes it on to your playstation -- at 192.168.1.5.

At the same time, your PC (using <whatever> *private* IP address
the router has assigned to your PC) can also be trying to connect
to google.com -- or anything else! The NAT software plays it's
translation game and creates ANOTHER connection from the router
to google.com. And, the reply that comes from google gets
routed back to the PC, not the playstation.

Every connection is defined by a bunch of numbers: the IP address
of the originator, the port number that is being used, the protocol,
the IP address of the targeted device and the port on the targeted
device. The router keeps track of all of this and magically tricks
each party -- the "inside" device and the "outside" device -- to
think that they are talking directly to each other WITHOUT it's
presence in the middle!

[Don Y]

On 12/24/2015 10:03 PM, Paul M. Cook wrote:
> On Thu, 24 Dec 2015 21:49:08 -0700, Don Y wrote:
>
>> An SSID that's not being broadcast will not disclose your AP when
>> you're not using it. But, it doesn't buy you much of anything.
>
> I think we're sort of saying the same thing, but, I don't know if
> we agree on the broadcast details.
>
> We both agree that telling your ROUTER not to broadcast the SSID
> is a false security measure.
>
> But, fact is, you *must* broadcast your SSID somehow.
>
> a. So, either the router broadcasts your SSID.
> b. Or your mobile device broadcasts your SSID.
>
> Here's how I understand it to work:
>
> 1. Let's assume your SSID is "DonY".
> 2. Let's assume you told your router *not* to broadcast your SSID.
> 3. Guess what happens when you boot your laptop?
> a. Your laptop shouts out "Hey DonY, are you there?"
> b. Your router answers "Yes. I am here. I was being quiet".
> c. Your laptop connects to your router by that so-called hidden SSID.

Yes. But, you can often configure a device (laptop) NOT to
"shout it out" but, rather, *look* for it. If it doesn't "see"
it (because it's not being broadcast), then your device says the
network is unavailable.

Once you have a connection established, clever software can
snoop on the traffic -- even if it is encrypted -- and "notice"
that there are messages being exchanged between two devices
using the SSID "DonY".

So, the information is ALWAYS there, just harder to find
(but not REALLY hard!)

> Now, guess what your cellphone does?
> HINT: Same thing.
>
> So, guess what happens when you boot your laptop at a starbucks?
> HINT: Your laptop shouts out "Hey DonY, are you here?"
>
> So, in effect, an SSID that is not being broadcast *by your router*
> at home, is broadcast *by your laptop* both at home, and at Starbucks.

Correct. If your neighbor was sitting at a table at Starbucks
and snooping the messages being broadcast, he would know that
he could return to your home and expect to find "DonY" -- even
if the SSID was turned off.

If you have a good passphrase *and* good encryption, this doesn't
buy him anything. It's like knowing you have an email address
at gmail.com (because he saw one of your messages in someone's
inbox -- assuming you don't correspond with him!) but not knowing
what your password is!

The real risk is that you can leave security off (weak passphrase)
and his knowledge of the SSID now lets him get past that (ineffective)
hiding of the network name!

[Tony Hwang]

Lots of Googling. Practice makes perfection. Port can be open or closed.
When you close a port, something may not work because some ports are
used ad default for certain things. ip address is just like unique
address, port is like a gate. Even if you are knocking on the right
address, if gate is not open, you can't get in(or communicate)
Sounds like you are just using the router with default settings.
Do you use ad blocker, pop up blocker, etc. on your browser or
router?You use W10?

[Tony Hwang]

Regardless, WiFi sniffing tool can see every thing. Run some thing like
Acrylic(freeware) inSSIDer( need paid version to see -AC mode signals),etc.
BTW, port 9000 is common default port for CS listener. Device does not,
router does. Device is behind router on your intranet(home network)
If security is a concern use LAN port(much better), no WiFi. If you
don't have enough LAN ports, use switch box(dumb or managed one). Run
CAT cables in your house. And move up to UTM class router(stiff learning
curve)

[Don Y]

On 12/24/2015 11:17 PM, Tony Hwang wrote:

> Regardless, WiFi sniffing tool can see every thing. Run some thing like
> Acrylic(freeware) inSSIDer( need paid version to see -AC mode signals),etc.

A packet sniffer won't be able to see the encrypted traffic (in
plaintext form). I.e., good passphrase/key is where you want to
make your investment (assuming you're NOT using WEP).

And, as I mentioned elsewhere, you can capture a bunch of packets
and email them to a service that will "crack" them and provide
you with the key.
<http://www.infosecurity-magazine.com/news/wifi-cracking-service-breaks-wpa-passwords-in-20/>
among others (you get what you pay for)

> BTW, port 9000 is common default port for CS listener. Device does not,
> router does. Device is behind router on your intranet(home network)

The log indicates port 9000 on the playstation is being targeted.
No idea if there is a process running on the playstation with port
9000 open; I suspect there are no tools on the playstation to expose
this level of detail.

> If security is a concern use LAN port(much better), no WiFi. If you don't have
> enough LAN ports, use switch box(dumb or managed one). Run CAT cables in your
> house. And move up to UTM class router(stiff learning curve)

Exactly. I have at least two "uncommitted" drops in every room
(except bathrooms). In several of those rooms, one of the drops
will feed a local switch. E.g., I have a 24 port switch servicing
the (24!) devices in the office, a 16 port switch servicing the
(8) devices in my bedroom, a four port switch servicing the
devices in the dining room, etc. They're all tied together with
the 72 port switch in the equipment cupboard.