Hi Everyone,
I know I have been asking questions that seem stupid or irrelevant, but I have been learning about network security on a basic level as I have gone back to school to study networking. The beginning classes give me a basic level of what networking is, which is just enough knowledge to get into my router and make sure I have the best security set up. I was, again, looking through the security log and every hour my Westell 9100EM router logs a connection as seen below. I substituted my IP with the text "my ip" and the default gateway IP with "gateway ip." I also put "cloned router mac address" where the router broadband MAC address is, which is a cloned router MAC address. It made me very concerned because of the word "clonable" in it and "wildcard." I have learned that there are threats out there that can clone your equipment. I spoke to Verizon customer service but they have never heard of this entry. Do any of you who have this router have the same type of entries? Like I said, it happens every 60 minutes.
Again I apologize for my ignorance. I really appreciate the insight and help.
Phil
Dec 3 06:54:21 2011 | Outbound Traffic | Connection closed | : UDP *.*.*.*:68 <-->*.*.*.*:68 [*.*.*.*:67] DHCP hw: cloned router mac address, xid: 0x737b32a eth1 Route Outgoing CLONABLE UNINIT BY DHCP |
Dec 3 06:54:21 2011 | Outbound Traffic | Connection closed | : UDP my ip:68 <-->my ip:68 [gateway ip:67] DHCP hw: cloned router mac address, xid: 0x737b32a eth1 Route Outgoing DEL-PENDING FP-CAP |
Dec 3 06:54:21 2011 | Outbound Traffic | Wildcard connection opened | : UDP *.*.*.*:68 <-->*.*.*.*:68 [*.*.*.*:67] eth1 Route Outgoing CLONABLE UNINIT |
Dec 3 06:54:21 2011 | Outbound Traffic | Connection opened | : UDP my ip:68 <-->my ip:68 [gateway ip:67] eth1 Route Outgoing |
Those messages are a history of the times you yourself logged into your router.
Look at the Router Home Page "MY NETWORK"
How many wireless devices are connected and how many wireless connections belong to you?
Do you have UPnP enabled?
If so, it's possible some application or gaming console could have caused this.
Your substitutions make these log entries very hard to read. I can't tell what is a public IP address or what are LAN addresses.
It's really only necessary to mask the last octet of your public IP address and the last couple of octets of any MAC addresses.
@Bixbyte wrote: Those messages are a history of the times you yourself logged into your router.
Logging into the router does not cause an "Outbound Traffic" entry.
Yes, I do have a Westell 9100EM, although I only use it for testing.
My first thought when you said these occur every hour is that they were DHCP lease renewals.
When VZ issues a DHCP lease, it is for two hours.
At 1/2 the lease interval (i.e. after 1 hour), the existing DHCP lease is renewed.
On the Actiontecs, this shows up in the log clearly as a DHCP lease renewal.
I would have expected the Westell's DHCP renewal messages to be similar since both the Westell and the Actiontecs are based on the same middleware.
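The half-lease renewal pattern described in the reply above can be checked against a saved copy of the security log. The following Python is an added example, not part of the thread: it assumes the entry layout quoted in the first post and the two-hour lease stated above, the sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the Westell 9100EM entries quoted above;
# addresses are documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
Dec 3 05:54:20 2011 | Outbound Traffic | Connection opened | : UDP 203.0.113.10:68 <-->203.0.113.10:68 [203.0.113.1:67] eth1 Route Outgoing |
Dec 3 06:10:02 2011 | Outbound Traffic | Connection opened | : UDP 203.0.113.10:4431 <-->203.0.113.10:4431 [198.51.100.7:53] eth1 Route Outgoing |
Dec 3 06:54:21 2011 | Outbound Traffic | Wildcard connection opened | : UDP *.*.*.*:68 <-->*.*.*.*:68 [*.*.*.*:67] eth1 Route Outgoing CLONABLE UNINIT |
Dec 3 06:54:21 2011 | Outbound Traffic | Connection opened | : UDP 203.0.113.10:68 <-->203.0.113.10:68 [203.0.113.1:67] eth1 Route Outgoing |
Dec 3 07:54:22 2011 | Outbound Traffic | Connection opened | : UDP 203.0.113.10:68 <-->203.0.113.10:68 [203.0.113.1:67] eth1 Route Outgoing |
"""

# local addr:port <--> local addr:port [remote addr:port]; the lazy groups also
# accept masked text such as "my ip" in place of an address.
FLOW = re.compile(r"UDP (.+?):(\d+) <-->(.+?):(\d+) \[(.+?):(\d+)\]")

def dhcp_client_times(log_text):
    """Return sorted, de-duplicated timestamps of outbound UDP 68 -> 67 entries."""
    times = set()
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 4 or fields[1] != "Outbound Traffic":
            continue
        m = FLOW.search(fields[3])
        # DHCP client traffic: local port 68 talking to server port 67.
        if m and m.group(2) == "68" and m.group(6) == "67":
            times.add(datetime.strptime(fields[0], "%b %d %H:%M:%S %Y"))
    return sorted(times)

def looks_like_t1_renewal(times, lease=timedelta(hours=2), slack=timedelta(minutes=2)):
    """True if every gap between DHCP entries is about lease/2 (the T1 renewal timer)."""
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return bool(gaps) and all(abs(gap - lease / 2) <= slack for gap in gaps)

if __name__ == "__main__":
    stamps = dhcp_client_times(SAMPLE_LOG)
    print([t.isoformat() for t in stamps], looks_like_t1_renewal(stamps))
```

Gaps that drift well away from half the lease, or port 67/68 entries pointing at an address other than the expected gateway, are the cases worth a closer look.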
I am wondering if there is anyone on this forum that uses the Westell regularly who can let me know if theirs does the same connections.
Phil
philn1 wrote:
These connections are using ports 67 and 68.
Ports 67 and 68 are indeed DHCP.
@philn1 wrote:
Anti-Phish....The log on my Westell doesn't have any connection indicating the lease renewal. What port and IP does the Actiontec log when it renews its lease? These connections are using ports 67 and 68.
I am wondering if there is anyone on this forum that uses the Westell regularly who can let me know if theirs does the same connections.
Phil
I use the Westell 9100EM. I have no entries for port 68 in my security log. Of course that would be expected as I have the filter set to only show blocked connections.
I'll change it to accepted events and see what appears.
What's your filter set to?