HI, I'm new to the forum so I want to thank you in advance for your help.
My ISP is Verizon (FiOS) and I use their modem, which has a built-in firewall.
I've been checking my firewall log and I'm seeing some very weird blocked traffic that only happen when I'm online. Some examples:
About 10 of these in a row when my Mac was connected to wireless but not doing anything
Apr 4 Monday 9:51pm (April 3rd) 2016 local5.notice<173> ulogd: Blocked IN=eth0 OUT= MAC=my router's MAC Address SRC=220.127.116.11 (This is "Apple, Inc.") DST=Router's IP LEN=52 TOS=00 PREC=0x00 TTL=55 ID=30243 DF PROTO=TCP SPT=443 DPT=49156 SEQ=2764419126 ACK=54949267 WINDOW=165 ACK URGP=0 MARK=0
A bunch of these in a row:
Apr 3 Sunday 1:12pm 2016 local5.notice<173> ulogd: Blocked IN=eth0 OUT= MAC=my router's MAC Address SRC=18.104.22.168 (This is "Vodafone, Egypt") DST=Router's IP LEN=498 TOS=00 PREC=0x00 TL=55 ID=48637 PROTO=TCP SPT=57274 DPT=50141 SEQ=3153840577 ACK=4255054160 WINDOW=8192 ACK PSH URGP MARK=0
A LOT of these in a row while online. Browsing, checking Outlook.com, etc on my Windows 10 machine:
Apr 6 Wednesday 8:22pm (April 5) 2016 local5.notice<173> ulogd: Blocked IN=eth0 OUT= MAC=my router's MAC Address SRC=22.214.171.124 (This is "Google, Inc.") DST=Router's IP LEN=103 TOS=00 PREC=0x00 TTL=48 ID=64422 PROTO=TCP SPT=443 3 DPT=51454 SEQ=39216501 29 ACK=1248099501 WINDOW=352 ACK PSH URGP=0 MARK=0
Many, many of these, same Windows 10 machine, same browsing type:
Apr 7 Thursday 7:19am 2016 local5. notice<173> ulogd: Blocked IN=eth0 OUT= MAC=my router's MAC Address SRC=126.96.36.199 (This is "Voxel.net") DST=Router's IP LEN=71 TOS=00 PREC=0x00 TTL=55 ID=63498 PROTO=TCP SPT=443 DPT=62549 SEQ=2255184894 ACK=774132708 WIDOW=31 ACK PSH URGP=0 MARK=0
All these happen pretty regularly. Whenever I'm online, several blocks recorded in the firewall logs from one, a few, or all of these sources.
In addition, I see a lot of blocks related to traffic from 188.8.131.52, which is a recurring scan from Shadowserver Foundation. I've reach out to them to see if they're detecting something specific from my IP or MAC but they have not answered.
A few questions:
- What are these blocks indicative of? Is this a port scan or something else? Why do you think they're happening?
- If these are indeed blocked by the firewall, why is there an acknowledgement code in each?
- Can someone please define the following codes?
- ID=54788: what is this ID for?
- SEQ=1112272367: what is this seq # for? What does ti tell me?
- ACK: why is there an ACK code in a firewall block? Shouldn't it be 0?
- ACK URGP=0
Thanks in advance for any guidance you can give on this issue. If there's anything relevant you'd like to add in addition to answering my questions, I really appreciate it!
Edited by IceCreamJones, 11 April 2016 - 08:04 AM.