Network under attack

[ignotiev]

According to my router's logs, my network is under attack. Here are some sample messages from the log:

# Time Message Source Destination Note

34 2009-12-09 18:09:19 ports scan UDP (L to L/ZW) (Repeated: 2) 192.168.1.110:22936 255.255.255.255:2801 ATTACK

35 2009-12-09 18:08:51 ports scan UDP (L to L/ZW) 0.0.0.0:68 255.255.255.255:67 ATTACK

36 2009-12-09 18:08:34 ports scan UDP (L to L/ZW) 0.0.0.0:68 255.255.255.255:67 ATTACK

37 2009-12-09 18:08:27 ports scan UDP (L to L/ZW) (Repeated: 4) 192.168.1.110:22936 255.255.255.255:2778 ATTACK

I'm also getting the following messages that also appear suspicious:

55 2009-12-09 17:57:28 Firewall default policy: TCP (W1 to W1/ZW) 189.75.112.219:1176 67.51.157.27:445 ACCESS DROPPED

56 2009-12-09 17:57:25 Firewall default policy: TCP (W1 to W1/ZW) 189.75.112.219:1176 67.51.157.27:445 ACCESS DROPPED

The router we are using is a ZyXell ZyWALL 2WG.

I've done some googling, but the information that I get is well above my skill level and experience (honestly, I'm probably not even qualified to configure a router this sophisticated, much less monitor it). Fortunately, our organization doesn't have any data that we could consider sensitive or mission critical, so we don't have much to lose from this activity, but I would like to know more about what's going on and how to stop it if at all possible.

Let me know if you need any more information.

Thanks

 

[Modelworks]

I'm assuming you didn't leave the box with a default admin/password and are using something with mixed letters and numbers . If you have don't worry about it. If I worried every time my firewall got a hit from something like that I would be busy 24/7 tacking down ip.

It looks like someone looking for open windows shares.

 

[cmetz]

The first four log messages are your firewall labeling INTERNAL traffic as attacks.

The first and fourth ones may be an internal infected machine, see Google. Or they may be normal ephemeral port broadcast traffic.
The second and third are DHCP (why is your router calling that an attack?).

Those suspicious connection attempts? That's just the background noise of the public Internet, and why you have a firewall in the first place. There are tons of systems out there doing random scans of random IP addresses for various reasons, mostly malicious. It's not you.

 

[Pheran]

Lines 35 and 36 look like plain old DHCP broadcasts to me, I have no idea why your router is labeling that as "ATTACK".

 

[ViviTheMage]

Don't worry about it, they are 'bouncing'

Like model said, if you worried about every 'attack' you'd spend your whole down tracing down what/why/who.

 

[ignotiev]

Thanks for everyone's help. I will ask my router's manufacturer why messages 35 and 36 are showing up as attacks. It may be the same reason why 192.168.1.110 appears to be attacking me. I've determined that this is my shared drive. It's a buffalo link station that needed to be re-imaged after a failed attempt to modify its operating system. I suspect that one of two things has happened. That the image that we pulled has a bot/virus or that it has a mis-configured component that is showing up as an attack.