Security Log question
philn11
Enthusiast - Level 3

Hi Everyone,

I know I have been asking questions that seem stupid or irrelevant, but I have been learning about network security on a basic level as I have gone back to school to study networking. The beginning classes give me a basic level of what networking is, which is just enough knowledge to get into my router and make sure I have the best security set up. I was, again, looking through the security log, and every hour my Westell 9100EM router logs a connection as seen below. I substituted my IP with the text "my ip" and the default gateway IP with "gateway ip." I also put "cloned router mac address" where the router broadband MAC address is, which is a cloned router MAC address. It made me very concerned because of the words "clonable" and "wildcard" in it. I have learned that there are threats out there that can clone your equipment. I spoke to Verizon customer service but they have never heard of this entry. Do any of you who have this router have the same type of entries? Like I said, it happens every 60 minutes.

Again I apologize for my ignorance.  I really appreciate the insight and help.

Phil

Dec 3 06:54:21 2011 Outbound Traffic Connection closed : UDP *.*.*.*:68 <-->*.*.*.*:68 [*.*.*.*:67] DHCP hw: cloned router mac address, xid: 0x737b32a eth1 Route Outgoing CLONABLE UNINIT BY DHCP
Dec 3 06:54:21 2011 Outbound Traffic Connection closed : UDP my ip:68 <-->my ip:68 [gateway ip:67] DHCP hw: cloned router mac address, xid: 0x737b32a eth1 Route Outgoing DEL-PENDING FP-CAP
Dec 3 06:54:21 2011 Outbound Traffic Wildcard connection opened : UDP *.*.*.*:68 <-->*.*.*.*:68 [*.*.*.*:67] eth1 Route Outgoing CLONABLE UNINIT
Dec 3 06:54:21 2011 Outbound Traffic Connection opened : UDP my ip:68 <-->my ip:68 [gateway ip:67] eth1 Route Outgoing

0 Likes
Re: Security Log question
Bixbyte
Contributor - Level 1

Those messages are a history of the times you yourself logged into your router.

Look at the Router Home Page "MY NETWORK"

How many wireless devices are connected and how many wireless connections belong to you?

Re: Security Log question
Anti-Phish1
Master - Level 1

Do you have UPnP enabled?

If so, it's possible some application or gaming console could have caused this.

Your substitutions make these log entries very hard to read. I can't tell what is public IP address or what are LAN addresses.

It's really only necessary to mask the last octet of your public IP address and the last couple of octets of any MAC addresses.

Re: Security Log question
Anti-Phish1
Master - Level 1

@Bixbyte wrote:

Those messages are a history of the times you yourself logged into your router.


Logging into the router does not cause an "Outbound Traffic" entry.

0 Likes
Re: Security Log question
philn11
Enthusiast - Level 3
Anti-Phish......thank you for the reply. I do not have UPnP enabled and there are no gaming consoles connected. I don't know of any programs that are running either. I have the router connected to a home-built system with just Win7 and Norton running. The IPs that I took out are the public IPs (173.58.xx.xx) and the gateway IP was 173.58.xx.1. The MAC address is the same as the router MAC except the last digit is a 1 instead of 0. These entries did not show the LAN IPs. Hope this helps any. Do you use this router?

0 Likes
Re: Security Log question
philn11
Enthusiast - Level 3
I forgot to add that these connections close after 2 seconds. Not sure if they would close if I had my computer on and connected to the router at each time they open.
0 Likes
Re: Security Log question
Anti-Phish1
Master - Level 1

Yes, I do have a Westell 9100EM, although I only use it for testing.

My first thought when you said these occur every hour is that they were DHCP lease renewals.

When VZ issues a DHCP lease, it is for two hours.

At 1/2 the lease interval (i.e. after 1 hour), the existing DHCP lease is renewed.

On the Actiontecs, this shows up in the log clearly as a DHCP lease renewal.

I would have expected the Westell's DHCP renewal messages to be similar since both the Westell and the Actiontecs are based on the same middleware.

0 Likes
Re: Security Log question
philn11
Enthusiast - Level 3
Anti-Phish....The log on my Westell doesn't have any connection indicating the lease renewal. What port and IP does the Actiontec log when it renews its lease? These connections are using ports 67 and 68.

I am wondering if there is anyone on this forum that uses the Westell regularly who can let me know if theirs does the same connections.

Phil
0 Likes
Re: Security Log question
Anti-Phish1
Master - Level 1

philn1 wrote:
These connections are using ports 67 and 68. 


Ports 67 and 68 are indeed DHCP.

http://www.linklogger.com/UDP67_68.htm

0 Likes
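Added example, not written by any poster in this thread: a small Python check of the explanation above that the hourly UDP 68/67 entries are DHCP renewals made at half of a two-hour lease. The log lines and addresses are constructed samples, the field layout is inferred from the entries quoted in the first post, and the two-hour lease is the figure stated in the thread.

```python
import re
from datetime import datetime

# Constructed sample entries modelled on the log format quoted in the thread.
# Addresses are RFC 5737 documentation values, not anyone's real ones.
SAMPLE_LOG = """\
Dec 3 06:54:21 2011 Outbound Traffic Connection opened : UDP 203.0.113.25:68 <-->203.0.113.25:68 [203.0.113.1:67] eth1 Route Outgoing
Dec 3 06:54:23 2011 Outbound Traffic Connection closed : UDP 203.0.113.25:68 <-->203.0.113.25:68 [203.0.113.1:67] eth1 Route Outgoing DEL-PENDING FP-CAP
Dec 3 07:10:02 2011 Outbound Traffic Connection opened : UDP 192.168.1.5:40000 <-->203.0.113.25:40000 [198.51.100.7:53] eth1 Route Outgoing
Dec 3 07:54:21 2011 Outbound Traffic Wildcard connection opened : UDP *.*.*.*:68 <-->*.*.*.*:68 [*.*.*.*:67] eth1 Route Outgoing CLONABLE UNINIT
Dec 3 07:54:21 2011 Outbound Traffic Connection opened : UDP 203.0.113.25:68 <-->203.0.113.25:68 [203.0.113.1:67] eth1 Route Outgoing
Dec 3 08:54:22 2011 Outbound Traffic Connection opened : UDP 203.0.113.25:68 <-->203.0.113.25:68 [203.0.113.1:67] eth1 Route Outgoing
"""

# Assumption: the first address is the local end and the bracketed one the
# remote end, as in the quoted entries ("my ip:68 ... [gateway ip:67]").
ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})\s*(?P<event>.*?)\s*:\s*UDP "
    r"(?P<src>\S+):(?P<sport>\d+) <-->\s*\S+:\d+ "
    r"\[(?P<dst>\S+):(?P<dport>\d+)\]"
)

def dhcp_renewals(log_text):
    """Timestamps of 'opened' entries from DHCP client port 68 to server port 67."""
    times = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or "opened" not in m["event"] or m["src"].startswith("*"):
            continue  # unparsable, a close event, or the wildcard template entry
        if (m["sport"], m["dport"]) == ("68", "67"):
            times.append(datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"))
    return sorted(times)

def check_intervals(times, lease_seconds=7200, tolerance=60):
    """Compare gaps between renewals with T1 = lease/2 (the RFC 2131 default)."""
    t1 = lease_seconds / 2
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return [(gap, abs(gap - t1) <= tolerance) for gap in gaps]

if __name__ == "__main__":
    for gap, ok in check_intervals(dhcp_renewals(SAMPLE_LOG)):
        print(f"{gap:5d}s since previous renewal:", "matches T1" if ok else "off schedule")
```

Entries that pair port 68 with port 67 but arrive well off the half-lease schedule are the ones worth a closer look.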
Re: Security Log question
viafax999
Community Leader

@philn1 wrote:
Anti-Phish....The log on my Westell doesn't have any connection indicating the lease renewal. What port and IP does the Actiontec log when it renews its lease? These connections are using ports 67 and 68.

I am wondering if there is anyone on this forum that uses the Westell regularly who can let me know if theirs does the same connections.

Phil


I use the Westell 9100EM. I have no entries for port 68 in my security log. Of course that would be expected as I have the filter set to only show blocked connections.

I'll change it to accepted events and see what appears.

What's your filter set to?

0 Likes