[Renamed] Issues with DIR-655 connection

Markbnj

Elite Member
Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
Saw some occasional lag and disconnects earlier this evening, and then got kicked off of a game I was playing a couple of times. Started looking more closely. The router (DLink DIR-655) was acting strange, taking a long time to connect, randomly deciding it had to measure the connect speed again in the middle of an admin request. Got the logs opened and saw a ton of blocked connection requests. They're all to port 6881 and coming from various dynamically assigned addresses, including some on Comcast's network, and also from offshore. I presume these are bots, but I have no idea why they would have suddenly targeted my home office network connection.

Here's some examples from the log, which I already sent to Comcast.

Code:
Blocked incoming UDP packet from 200.105.98.140:6881 to xxx.xxx.xxx.xxx:6881
Blocked incoming UDP packet from 74.12.109.235:6881 to xxx.xxx.xxx.xxx:6881
Blocked incoming UDP packet from 72.145.219.133:6881 to xxx.xxx.xxx.xxx:6881
incoming TCP connection request from 98.252.94.115:50751 to xxx.xxx.xxx.xxx:6881

Anyone got any ideas? 6881 appears to be associated with some BT clients. I don't use torrents nor do I have the client installed, and there is nothing listening on 6881 on my end. Anyone else seen anything like this recently?

Update

I renamed the thread because I no longer think the blocked connection requests have any relation to the performance issues I'm seeing. Please see recent posts for more info.
 

Red Squirrel

No Lifer
May 24, 2003
70,667
13,835
126
www.anyf.ca
Did your IP change by chance? Could be whoever had that IP was using torrents.

I find when I mass download torrents, it takes a while for the traffic to stop even after I close my client as I'm getting a lot of connection requests and what not. It's low in terms of actual data but it's still a lot of packets.
 

Markbnj

Did your IP change by chance? Could be whoever had that IP was using torrents.

I find when I mass download torrents, it takes a while for the traffic to stop even after I close my client as I'm getting a lot of connection requests and what not. It's low in terms of actual data but it's still a lot of packets.

Yeah that's a possibility I hadn't thought of. I'll track it tomorrow and see if it tails off. I don't know if the request volume (4-6 per second) is enough to be causing the router and connection issues. It was one of the better consumer grade routers a few years back, but it is getting pretty old I guess. Might be time to look at replacing it.
 

VulgarDisplay

Diamond Member
Apr 3, 2009
6,188
2
76
I noticed some odd things on my comcast 2 days ago myself. Huge lag spikes and completely losing connectivity for about 3 hours straight.
 

Lean L

Diamond Member
Apr 30, 2009
3,685
0
0
What kind of programming mod uses a consumer router? Get pfsense / smoothwall / monowall / sophos utm (This one is REALLY difficult to configure but damned if any unapproved packet gets past it).

You can run a dev box on the same hardware if you virtualize.
 

John Connor

Lifer
Nov 30, 2012
22,757
619
121
Use the MAC address clone feature in the router and change the MAC address's last 3 groups and save. Then reset the modem. You should now have a new IP address.
 

Markbnj

What kind of programming mod uses a consumer router? Get pfsense / smoothwall / monowall / sophos utm (This one is REALLY difficult to configure but damned if any unapproved packet gets past it).

You can run a dev box on the same hardware if you virtualize.

I don't really have time for that, and that DIR-655 has been phenomenal for five years or more.
 

Markbnj

Still happening this morning, although now they are hitting different ports. Last night it was all 6881. The request volume is spikey. Sometimes there will be five or six requests in a minute, and then none for a minute or two. Anyway, much lower volume than last night, and the router appears to be dealing with it.

Code:
12:07:04 Blocked incoming TCP connection request from 72.191.215.85:53072 to xxx.xxx.xxx.xxx:80
12:07:01 Blocked incoming UDP packet from 178.187.250.139:21892 to xxx.xxx.xxx.xxx:443
12:07:01 Blocked incoming TCP connection request from 178.187.250.139:3714 to xxx.xxx.xxx.xxx:443
12:07:01 Blocked incoming UDP packet from 95.42.192.76:43961 to xxx.xxx.xxx.xxx:59034
12:07:01 Blocked incoming TCP connection request from 95.42.192.76:12068 to xxx.xxx.xxx.xxx:59034
12:07:01 Blocked incoming UDP packet from 72.191.215.85:7783 to xxx.xxx.xxx.xxx:80
12:07:01 Blocked incoming TCP connection request from 72.191.215.85:53072 to xxx.xxx.xxx.xxx:80
12:07:00 Blocked incoming TCP connection request from 141.212.121.42:36902 to xxx.xxx.xxx.xxx:443
12:06:31 Blocked incoming UDP packet from 174.89.172.5:6881 to xxx.xxx.xxx.xxx:6881
12:06:09 Blocked incoming UDP packet from 76.241.145.64:6881 to xxx.xxx.xxx.xxx:6881
12:04:44 Blocked incoming UDP packet from 98.87.190.225:6881 to xxx.xxx.xxx.xxx:6881
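
Added example (not part of any post in this thread): a small Python tally of firewall log lines in the format shown above, giving counts per destination port and per minute, sources that tried the same port over both TCP and UDP, and sources whose source and destination ports match. The sample lines are constructed with documentation address ranges, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Format from the thread's excerpts; timestamp and "Blocked" are optional.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{2}:\d{2}:\d{2})\s+)?(?:Blocked\s+)?incoming\s+"
    r"(?P<proto>TCP|UDP)\s+(?:connection request|packet)\s+from\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+to\s+(?P<dst>[\w.]+):(?P<dport>\d+)$"
)

# Constructed sample in the same format (documentation address ranges).
SAMPLE_LOG = """\
12:07:04 Blocked incoming TCP connection request from 192.0.2.85:53072 to xxx.xxx.xxx.xxx:80
12:07:01 Blocked incoming UDP packet from 192.0.2.85:7783 to xxx.xxx.xxx.xxx:80
12:07:01 Blocked incoming UDP packet from 198.51.100.76:43961 to xxx.xxx.xxx.xxx:59034
12:07:01 Blocked incoming TCP connection request from 198.51.100.76:12068 to xxx.xxx.xxx.xxx:59034
12:06:31 Blocked incoming UDP packet from 203.0.113.5:6881 to xxx.xxx.xxx.xxx:6881
Blocked incoming UDP packet from 203.0.113.140:6881 to xxx.xxx.xxx.xxx:6881
incoming TCP connection request from 198.51.100.115:50751 to xxx.xxx.xxx.xxx:6881
"""

def parse(text):
    """Return one dict per recognised log line; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events

def summarize(events):
    """Tally blocked attempts by destination port, minute and source pattern."""
    protos = defaultdict(set)
    for e in events:
        protos[(e["src"], e["dport"])].add(e["proto"])
    return {
        "by_port": Counter(e["dport"] for e in events),
        "per_minute": Counter(e["ts"][:5] for e in events if e["ts"]),
        # Same source trying one destination port over both TCP and UDP.
        "both_protocols": sorted(k for k, v in protos.items() if len(v) == 2),
        # Source port equals destination port, as in the 6881-to-6881 lines.
        "same_port": sorted({e["src"] for e in events if e["sport"] == e["dport"]}),
    }

if __name__ == "__main__":
    for name, value in summarize(parse(SAMPLE_LOG)).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

Run over a full day's export, the per-minute counter shows whether the volume tails off over time, which is the check discussed earlier in the thread.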
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
Anyone got any ideas? 6881 appears to be associated with some BT clients. I don't use torrents nor do I have the client installed, and there is nothing listening on 6881 on my end. Anyone else seen anything like this recently?

You may be compromised and what you're seeing is a side effect - you could be in the peer list for some torrent network.

Do you have logging enabled for allowed outbound traffic?
 

SagaLore

Still happening this morning, although now they are hitting different ports. Last night it was all 6881. The request volume is spikey. Sometimes there will be five or six requests in a minute, and then none for a minute or two. Anyway, much lower volume than last night, and the router appears to be dealing with it.

Code:
12:07:04 Blocked incoming TCP connection request from 72.191.215.85:53072 to xxx.xxx.xxx.xxx:80
12:07:01 Blocked incoming UDP packet from 178.187.250.139:21892 to xxx.xxx.xxx.xxx:443
12:07:01 Blocked incoming TCP connection request from 178.187.250.139:3714 to xxx.xxx.xxx.xxx:443
12:07:01 Blocked incoming UDP packet from 95.42.192.76:43961 to xxx.xxx.xxx.xxx:59034
12:07:01 Blocked incoming TCP connection request from 95.42.192.76:12068 to xxx.xxx.xxx.xxx:59034
12:07:01 Blocked incoming UDP packet from 72.191.215.85:7783 to xxx.xxx.xxx.xxx:80
12:07:01 Blocked incoming TCP connection request from 72.191.215.85:53072 to xxx.xxx.xxx.xxx:80
12:07:00 Blocked incoming TCP connection request from 141.212.121.42:36902 to xxx.xxx.xxx.xxx:443
12:06:31 Blocked incoming UDP packet from 174.89.172.5:6881 to xxx.xxx.xxx.xxx:6881
12:06:09 Blocked incoming UDP packet from 76.241.145.64:6881 to xxx.xxx.xxx.xxx:6881
12:04:44 Blocked incoming UDP packet from 98.87.190.225:6881 to xxx.xxx.xxx.xxx:6881

Ah, ports are changing.

Do you have Skype installed?
 

zinfamous

No Lifer
Jul 12, 2006
111,866
31,364
146
My router also pooped out 2 nights ago, suddenly, and seems to have reset the admin account. I'm also Comcast

I'm an idiot when it comes to IT stuff, so no idea how that happened. The modem is fine, but both of my devices are approaching 10 years old, most likely. Still, I've never had issue with them...
do I need to be checking some sort of loggy thing like in the OP to see if Russians and/or Eric Holder have been up in my business?
 

Markbnj

Ah, ports are changing.

Do you have Skype installed?

I do, and that's also an interesting thought, but iirc Skype isn't peer-to-peer anymore. MS changed the architecture to a client/server model, or at least effectively did that by pulling all the nodes in-house. So I am not sure why I would see these inbound requests because of Skype. If they were all coming from MS ips that would make some sense, but then I would expect Skype to be broken.

According to docs Skype uses a random port above 1024 as well as 80 and 443, so this _could_ be Skype traffic but I am still skeptical it actually is, and that wouldn't explain the attempts to connect to 6881.

This should probably get moved to Networking at this point.
 

Lean L

I don't really have time for that, and that DIR-655 has been phenomenal for five years or more.

I wish people would simply say things like 'I don't want to'. It's pretty acceptable.

GL then, know that attacks will always happen, you just have to prevent intrusions and keep the network speed up.
 

Markbnj

I wish people would simply say things like 'I don't want to'. It's pretty acceptable.

GL then, know that attacks will always happen, you just have to prevent intrusions and keep the network speed up.

Ha, well I actually always thought it was more adult to have a reason :). Seriously, the DIR-655 has been great in my SOHO application. I'm sure I could find a better one, and given its age I may soon have to do that, but for the moment I have to triage my time pretty aggressively. Things that seem to work drop to the bottom of the list pretty rapidly.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,553
430
126
Open any log of a Router on an Internet cable connection and you will find entries like this.

It has to do with the Node structure nature of the installations.

It is similar to the traffic on your neighborhood roads, you look through the Window you see it.

If you have a personal concern, download this, run it, and see what is actually getting to your computer.

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

The relevant info to such issue is in the Remote Address and remote port columns.



:cool:
 

Markbnj

Open any log of a Router on an Internet cable connection and you will find entries like this.

It has to do with the Node structure nature of the installations.

It is similar to the traffic on your neighborhood roads, you look through the Window you see it.

If you have a personal concern, download this, run it, and see what is actually getting to your computer.

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

The relevant info to such issue is in the Remote Address and remote port columns.



:cool:

Not sure I understand, Jack. Are you saying I am seeing traffic that is flowing by on the network but not affecting my LAN? Because what I am seeing are specific connection attempts to the external IP of my router on various ports.

TCPView is a great program. I'm very confident that there is no suspicious traffic to/from my personal system.

What I have is some odd performance issues that I thought _might_ have been related to those connection attempts I referenced, however I am fairly certain at this point they are not.

Here's what I have so far:

Router is a Dlink DIR-655
Speakeasy test via wired LAN side: 1.5 - 3 mbps down, 5.0-6.0 up.
Speakeasy test via wireless side: 20-25 mbps down, 5.0-6.0 up.
Pings from local machine on wired LAN to comcast gateway: 9-15ms, 0-1.5% packet loss.
Pings from router to comcast gateway: 9-12ms, 8-11% loss
Pings from wireless client to comcast gateway: 10-14ms, 0-1% loss.

So, doesn't really make a lot of sense to me. The wired LAN side is obviously having a problem. I tested that from two separate clients plugged into different ports. Using my smartphone connected to the wireless side I get 10x the throughput.

The ping tests are the oddest thing: I'm seeing a little loss via wireless and my local wired machine, and then when I run the ping in the router toolset to the same gateway I'm getting 11%? Maybe the router software is just not reporting the right value.

At this point about all I can come up with is it's time to replace the DIR-655.
 

JackMDS

Not sure I understand, Jack. Are you saying I am seeing traffic that is flowing by on the network but not affecting my LAN? Because what I am seeing are specific connection attempts to the external IP of my router on various ports.

Yeah, in general this is a common phenomenon in Internet cable connection.

Speakeasy test via wired LAN side: 1.5 - 3 mbps down, 5.0-6.0 up.
Speakeasy test via wireless side: 20-25 mbps down, 5.0-6.0 up.

Indeed, this is odd. Yes, there is a strong possibility that the DIR 655 is Not "Dear" anymore.

To further understand the issue, measure LAN Transfer between two wired computers, two Wireless, and in between. I.e., independent from the Internet connection.

You can time a file transfer, or use this free util (set it in its configuration file to use 100MB size). The free version is good enough for this purpose.

http://www.totusoft.com/downloads.html

You can also read this Thread to see what LAN Speed does for you.

http://forums.anandtech.com/showthread.php?t=2365868&highlight=lan+speed



:cool:
 

Markbnj

To further understand the issue, measure LAN Transfer between two wired computers, two Wireless, and in between. I.e., independent from the Internet connection.

You can time a file transfer, or use this free util (set it in its configuration file to use 100MB size). The free version is good enough for this purpose.

That looks like a good utility. I've used iPerf, but that looks quite a bit easier. At this point I'm not sure whether further analysis is worthwhile. I cabled my laptop into a 100/1000 port on the back of the router and got around 1.5-2.5 mbps from speakeasy. I had my smartphone in the other hand connected wirelessly and got 20-25 mbps. I rebooted the router and repeated the test, same results. I restored the router to factory settings and repeated the test, same results.

At this point I'm not sure how the router could not be at fault. So I am looking for a replacement. Suggestions welcome :).
 

Smoove910

Golden Member
Aug 2, 2006
1,235
6
81
I may have missed it, but have you completely disabled your kids' connection to the router while you are running the tests (laptop vs smartphone)? I'm just thinking on the aspect of eliminating all the variables. I'm assuming your smartphone connects to a cell service and not your router? Just probing a little bit....