
Router Receiving Unknown Packets from the Same IP and Port Even After Address Rotations – How?

Çağlar Arlı


One of our client's routers is receiving packets from the same source IP address and port repeatedly, even when the router is rebooted and obtains a fresh dynamically assigned IP address, and while no other traffic or connections have yet been made. The router is configured to silently drop all unauthorized inbound packets and does not respond to unauthorized inbound packets (black hole, and no half-acks).

The IP in question is 45.227.254.22, registered in Belize. The source port is always the same (TCP 52383), yet the destination port it attempts to connect with can vary, and can start at TCP 20000 and go up from there.

Out of the thousands of random pings, scans, and pokes the router receives on a daily basis from across the internet, this is the only address that repeatedly and persistently appears in logs, and continues attempts to connect even when the client's router itself is rebooted and has a freshly assigned previously unknown IP from the ISP, and no other outbound or inbound connections have yet been made.

It would appear that whatever is at that IP address is following the router.

Sample From Log:

The client's IP has been anonymized below as 00.00.00.00 to protect privacy. The client router is located in North America (YYZ).

20:45:31.495556 IP 45.227.254.22:52383 > 00.00.00.00:48801: Flags [S], seq 1102121663, win 1024, length 0

20:45:42.621963 IP 45.227.254.22:52383 > 00.00.00.00:31373: Flags [S], seq 3756604334, win 1024, length 0

Questions:

  1. What could be causing this?

  2. How does it always find the client's router?

FAQ:

(This FAQ will be updated as needed)

Q. Who is managing and operating the router, the client or the ISP?

A. The router is fully managed and operated by the client.

NOTE: The answer provided below by @samy-kamkar is not considered the correct answer as typical scanning bot behaviors are well known and were ruled out early on. The IP was studied on the AbuseIP database and other places prior to this posting as well. It is certainly a suspicious IP. However, it having been reported already by others does not conclude that it is only a simple scanning bot.

The suspicious IP is noted to have a range of malicious behaviors, including scanning, brute forcing, and outright hacking attempts.

The client's router is hammered with scans, pings, prods, pokes, and even martian packets, 24 hours a day, 7 days a week, and that is considered normal for anything connected to the public internet. This particular situation does not point to any normal bot. Out of the many thousands of unknown inbound connection attempts, this is the only persistent suspicious IP address out of all others that rapidly and repeatedly appears across a large range of dynamically assigned IP addresses.

The number of potential client IPs it would have to target to reach our client is massive, on the order of tens of thousands of possibilities, because of the diverse network blocks assigned to customers by the ISP.

As an example, one connection could be assigned from a range of 10.11.0.0-10.11.255.255, another re-connect could assign from a range of 20.30.0.0-20.30.255.255, and yet another re-connect could assign from a range of 40.50.0.0-40.50.255.255, and so on, and there are dozens of such possible ranges. The suspicious connection also attempts a range of destination ports, but always from the same source port. This behavior is also different from other scans hammering the client's router.

When the client router does connect to the internet with a fresh dynamically assigned address from any random vast range, the suspicious IP begins its attempts within 30 seconds or less. That is not normal.
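The two measurements the question rests on (one source reappearing against many different leased addresses, and how quickly it does so after each new lease) can be pulled directly out of the capture. The following is an added example, not code from the question or its author: it parses tcpdump-style one-liners in the format quoted above, groups them by source address (recording whether the source port stayed fixed, as it does for 45.227.254.22), lists the sources that hit more than one client address, and measures seconds from each lease to the first SYN a source sent to the new address. The log lines, lease times and all addresses other than 45.227.254.22 are constructed for the example (documentation ranges stand in for the anonymized client addresses); the lease list is assumed to come from the router's DHCP/PPPoE log, and all timestamps are assumed to fall on the same day because tcpdump prints time of day only.

```python
import re
from collections import defaultdict

# tcpdump one-liner as quoted in the question; "IP:port" and tcpdump's native
# "IP.port" separators are both accepted. Non-matching lines (ARP etc.) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})[.:](?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})[.:](?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: three consecutive leases on the client router.
# 45.227.254.22 is the address from the question; everything else is made up.
SAMPLE_LOG = [
    "20:45:31.495556 IP 45.227.254.22:52383 > 203.0.113.10:48801: Flags [S], seq 1102121663, win 1024, length 0",
    "20:45:42.621963 IP 45.227.254.22:52383 > 203.0.113.10:31373: Flags [S], seq 3756604334, win 1024, length 0",
    "20:47:00.000000 ARP, Request who-has 203.0.113.1 tell 203.0.113.10, length 28",
    "20:50:03.000000 IP 198.51.100.5:44123 > 203.0.113.10:22: Flags [S], seq 1, win 65535, length 0",
    "21:12:18.100000 IP 45.227.254.22:52383 > 192.0.2.201:20000: Flags [S], seq 2, win 1024, length 0",
    "21:13:01.000000 IP 198.51.100.77:6000 > 192.0.2.201:3389: Flags [S], seq 3, win 64240, length 0",
    "21:40:55.300000 IP 45.227.254.22:52383 > 203.0.113.87:20443: Flags [S], seq 4, win 1024, length 0",
    "21:41:10.000000 IP 198.51.100.200:5555 > 203.0.113.87:23: Flags [S], seq 5, win 8192, length 0",
]

# Constructed lease events (assumed to be taken from the router's own log):
# (time of day as "HH:MM:SS.ffffff", address the ISP handed out).
SAMPLE_LEASES = [
    ("20:45:10.000000", "203.0.113.10"),
    ("21:12:00.000000", "192.0.2.201"),
    ("21:40:30.000000", "203.0.113.87"),
]


def parse_ts(ts):
    """Seconds since midnight; assumes the whole capture is from one day."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"t": parse_ts(m["ts"]), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def parse_log(lines):
    return [e for e in (parse_line(l) for l in lines) if e]


def sources_across_addresses(entries, min_addresses=2):
    """Per source IP: which client addresses it hit, and which source/destination
    ports it used. Only sources seen against >= min_addresses distinct client
    addresses are returned; a one-off scanner hitting a single lease drops out."""
    per_src = defaultdict(lambda: {"dsts": set(), "sports": set(), "dports": set()})
    for e in entries:
        rec = per_src[e["src"]]
        rec["dsts"].add(e["dst"])
        rec["sports"].add(e["sport"])
        rec["dports"].add(e["dport"])
    return {src: rec for src, rec in per_src.items() if len(rec["dsts"]) >= min_addresses}


def time_to_first_contact(entries, leases):
    """For each lease, seconds from the lease until each source's first packet to
    the newly assigned address. Returns {src_ip: [delta per lease it reached, ...]}."""
    result = defaultdict(list)
    ordered = sorted(entries, key=lambda e: e["t"])
    for lease_ts, ip in leases:
        lease_t = parse_ts(lease_ts)
        first = {}
        for e in ordered:
            if e["dst"] == ip and e["t"] >= lease_t and e["src"] not in first:
                first[e["src"]] = e["t"] - lease_t
        for src, delta in first.items():
            result[src].append(delta)
    return dict(result)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    followers = sources_across_addresses(entries)
    deltas = time_to_first_contact(entries, SAMPLE_LEASES)
    for src, rec in followers.items():
        fixed = "fixed" if len(rec["sports"]) == 1 else "varying"
        print(f"{src}: {len(rec['dsts'])} client addresses, source port {fixed} "
              f"{sorted(rec['sports'])}, dest ports {sorted(rec['dports'])}, "
              f"seconds after lease: {[round(d, 1) for d in deltas[src]]}")
```

Running it on the constructed capture reports 45.227.254.22 alone: three client addresses, one fixed source port, and a first SYN roughly 20 seconds after every lease. The thresholds are the interesting knobs on a real capture: raise min_addresses to the number of leases you have observed, and treat a consistently short time-to-first-contact across leases as the signal worth explaining, since a scanner sweeping address space at random would not reproduce it.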