Author Topic: Router doing strange things with ICMP  (Read 9702 times)

tevibear

  • Level 1 Member
  • *
  • Posts: 17
Router doing strange things with ICMP
« on: April 12, 2012, 11:53:48 AM »

Hi,

My DIR-655 has some strange log entries. The strange part is that my computer was off when the log had these entries:

[INFO]   Thu Apr 12 10:29:10 2012   Blocked incoming ICMP packet (ICMP type 8) from 192.168.202.67 to 192.168.202.238
[INFO]   Thu Apr 12 10:28:48 2012   Above message repeated 7 times
[INFO]   Thu Apr 12 06:09:15 2012   Blocked outgoing ICMP packet (ICMP type 3) from 192.168.202.238 to 204.194.232.200

I understand that the type 8 is just a blocked ping. I have that option set on purpose "disable wan ping respond" in the settings. However, it doesn't explain the blocked outgoing ICMP. The reason this is so perplexing is because I have my router set to only have 1 IP address available for DHCP wireless connection, and my computer was not even turned on at the time this log entry was made. I have the router locked up tighter than the Virgin Mary as far as security goes. So, why in the world would my router send a packet out to that IP address, somewhere in California, when a computer was not even connected to it at the time? Does it have a mind of its own? There is no way somebody could have gained access to this router the way I have it set up. Any explanations as to how this might have happened?

Thanks
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Router doing strange things with ICMP
« Reply #1 on: April 12, 2012, 11:57:04 AM »

It's coming from a device on your network at 192.168.202.67 and 192.168.202.238. You need to investigate what these devices are and what they are doing. The 655 is only reporting as expected.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

tevibear

  • Level 1 Member
  • *
  • Posts: 17
Re: Router doing strange things with ICMP
« Reply #2 on: April 15, 2012, 02:41:03 AM »

Sorry for the late reply. It's been a busy week at work. Anyhow, the IP address 192.168.202.238 is the DHCP IP address that my apartment assigns to my router. The router is always on and connected. I only have 1 computer on my "network", and it's only connected to the router when I have it turned on and booted up. My router is only set to have 1 computer able to connect to it (mine). So, when my computer is turned off while I'm at work, I should expect my router to not be sending any outgoing connection requests because nothing is "hooked" up to or connected to it other than the ISP it's plugged into. So, is it my understanding that someone went through the ISP, found my router and somehow sent a packet through it that got blocked because there was no node receiving on the port in cyberspace that it was trying to reach? This is not looking good. However, I have only noticed that this has happened two or three times, and it just started happening recently. I noticed that the list of "cyber neighbors" with routers using channels that I can see in a scan has gotten bigger lately. There used to be only a few other computers, and now I can scan wireless and see at least 5 or 6 there now. Makes me wonder if a hacker is among them. grrrrr

Thanks
Logged
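An added example, not part of any poster's message: a small Python parser for the DIR-655 log lines quoted in the opening post, read against the WAN address given in Reply #2. The function names and the wording of the explanations are assumptions made for illustration; the ICMP type meanings come from RFC 792, where type 3 (destination unreachable) is an error message sent in response to a received packet.

```python
import ipaddress
import re

# Log lines copied from the opening post of this thread.
SAMPLE_LOG = """\
[INFO]   Thu Apr 12 10:29:10 2012   Blocked incoming ICMP packet (ICMP type 8) from 192.168.202.67 to 192.168.202.238
[INFO]   Thu Apr 12 10:28:48 2012   Above message repeated 7 times
[INFO]   Thu Apr 12 06:09:15 2012   Blocked outgoing ICMP packet (ICMP type 3) from 192.168.202.238 to 204.194.232.200
"""

# ICMP types (RFC 792): requests are sent on their own, errors only in reply.
ICMP_TYPES = {0: ("echo reply", "reply"), 3: ("destination unreachable", "error"),
              8: ("echo request", "request"), 11: ("time exceeded", "error")}

ENTRY = re.compile(r"Blocked (incoming|outgoing) ICMP packet \(ICMP type (\d+)\) "
                   r"from (\S+) to (\S+)")
REPEAT = re.compile(r"Above message repeated (\d+) times")

def parse_line(line):
    """Return a dict for a blocked-ICMP entry or a repeat marker, else None."""
    m = ENTRY.search(line)
    if m:
        direction, icmp_type, src, dst = m.groups()
        name, kind = ICMP_TYPES.get(int(icmp_type), ("unknown", "unknown"))
        return {"direction": direction, "type": int(icmp_type), "name": name,
                "kind": kind, "src": src, "dst": dst}
    m = REPEAT.search(line)
    if m:
        return {"repeat": int(m.group(1))}
    return None

def explain(entry, wan_ip):
    """One-line reading of an entry relative to the router's WAN address."""
    peer = entry["dst"] if entry["src"] == wan_ip else entry["src"]
    scope = "private" if ipaddress.ip_address(peer).is_private else "public"
    why = "no rule for this combination"
    if entry["kind"] == "error" and entry["direction"] == "outgoing":
        why = "error reply to a packet received from that peer, not a new connection"
    elif entry["kind"] == "request" and entry["direction"] == "incoming":
        why = "ping aimed at the WAN address"
    return f"{entry['direction']} {entry['name']} <-> {peer} [{scope}]: {why}"

def analyze(log_text, wan_ip):
    """Explain every blocked-ICMP entry; repeat markers are parsed but skipped."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e and "type" in e]
    return [explain(e, wan_ip) for e in entries]

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE_LOG, "192.168.202.238")))
```

Repeat markers are deliberately not attributed to a neighbouring entry, because the log as posted does not show which message they refer to.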

davevt31

  • Level 9 Member
  • ****
  • Posts: 1589
Re: Router doing strange things with ICMP
« Reply #3 on: April 15, 2012, 10:57:45 AM »

Your router will still communicate with the apartment router even if the computer is turned off. It will send packets back and forth to the apartment router that it gets its DHCP address from, telling it that it's still an active connection.
Logged

tevibear

  • Level 1 Member
  • *
  • Posts: 17
Re: Router doing strange things with ICMP
« Reply #4 on: April 15, 2012, 12:38:06 PM »

I understand that, but it still doesn't explain why my router sent a packet out to California. I live in Utah. lol :) Wouldn't the router send the packet to the IP address of the router it's connected to for the ISP? The ISP is local as well, so a reverse lookup of the IP should point to Salt Lake City, not California. Any other ideas?

Thanks
Logged

davevt31

  • Level 9 Member
  • ****
  • Posts: 1589
Re: Router doing strange things with ICMP
« Reply #5 on: April 15, 2012, 09:55:44 PM »

Synchronizing time? Just a guess.
Logged

tevibear

  • Level 1 Member
  • *
  • Posts: 17
Re: Router doing strange things with ICMP
« Reply #6 on: April 17, 2012, 11:53:56 AM »

Nope. I have that option disabled.
Logged

tevibear

  • Level 1 Member
  • *
  • Posts: 17
Re: Router doing strange things with ICMP
« Reply #7 on: May 03, 2012, 02:43:41 AM »

Figured this out finally. Looks like it is the advanced DNS service option that may have caused this packet to go out. I'm not sure 100%, but it looks like the culprit so far.
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Router doing strange things with ICMP
« Reply #8 on: May 03, 2012, 07:19:53 AM »

It's usually recommended to disable Adv. DNS Services.
Logged

tevibear

  • Level 1 Member
  • *
  • Posts: 17
Re: Router doing strange things with ICMP
« Reply #9 on: May 03, 2012, 01:21:24 PM »

Really? Any particular reason why? I did a little research on the topic, and it looks like the service is actually beneficial from a security standpoint. I know that the traffic might have to take an extra hop or two out to another server, but other than the insignificant bandwidth munching, I don't see the harm in using it. I know that others have reported problems with DNS and computers on their LAN when the option is enabled, but for my configuration where only one computer ever uses the router, it doesn't seem like it should be a problem.
 
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Router doing strange things with ICMP
« Reply #10 on: May 03, 2012, 01:46:11 PM »

Reason for disabling Adv. DNS Services is, as you mentioned, it's an extra hop and adds additional processing. Some of us here are in the frame of mind of letting the router run as streamlined as possible without compromising performance and security. Having all the extra features is good; however, you have to know that using the additional features can impact performance on some level.

Also, it's been known that these servers have been the cause of troubles. I've always had this option disabled and it's not affected any security. They are there for the use, so if you're wanting to use them, then by all means do if you feel the need to. Just remember that if you encounter some DNS or connection problem, this is one area that needs to be looked at to help troubleshoot the issue. There are no security issues if you don't choose to use it either.

Enjoy.
« Last Edit: May 03, 2012, 01:49:55 PM by FurryNutz »
Logged

tevibear

  • Level 1 Member
  • *
  • Posts: 17
Re: Router doing strange things with ICMP
« Reply #12 on: May 03, 2012, 11:33:52 PM »

Thanks Furry. I'll try disabling it and see what happens. :)
Logged

tevibear

  • Level 1 Member
  • *
  • Posts: 17
Re: Router doing strange things with ICMP
« Reply #13 on: May 06, 2012, 08:34:27 PM »

Here is an interesting update. Since I have disabled advanced DNS, not only did I have increased bandwidth, but I also saw zero, yes, zero intrusion attempts to my router thereafter. Moral of the story is that perhaps D-Link's advanced DNS service is more of a security nightmare rather than a benefit. Let's just leave it at that. It is obvious that you absolutely do not want this service enabled on your D-Link router.

Thanks
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Router doing strange things with ICMP (RESOLVED)
« Reply #14 on: May 07, 2012, 07:18:28 AM »

Enjoy.
Logged