den ([personal profile] den) wrote 2006-06-06 04:08 pm

Battling Peripherals

The office ADSL modem won't hold a connection for more than a few minutes before dropping off. It reconnects when I reboot it, but then it loses the connection again. The router log tells me
"Unrecognized attempt blocked from 10.0.0.138:137 to 10.0.0.1 UDP:137" every 10-20 seconds, as the connection drops out. (10.0.0.138 is the modem.) The weird part is that the BBC Radio 2 stream isn't affected by this, just email, FTP and WWW.

I've changed nothing in the filters or firewall between yesterday and today.

Bloody hardware.

(reboots modem to post this)

[personal profile] jamesb 2006-06-06 10:15 am (UTC)
It's a pretty good bet that your current WAN-side IP is being probed by a system infected with a trojan/virus.

Do you have any port filtering/firewall running on the router? My server has Port 137 permanently closed.

BTW, just a wild stab, but are you running an SMC router?

[identity profile] dewhitton.livejournal.com 2006-06-06 10:43 am (UTC)
I'm not running firewalls in the router, but I will be tomorrow. Would IP range = * Port = 137 UDP = Deny do the job?

All the PCs have ZoneAlarm, so I'm not too concerned there.

The router is that little D-Link you saw at the house.

[personal profile] jamesb 2006-06-06 11:07 am (UTC)
I'd go the other way, and block everything and just open the ports you need.

In my D-Link, this is the setup for a system that's not providing a hole for a Web or Mail server:
Action  Name     Source  Dest   Protocol
Deny    Default  *,*     LAN,*  *,*
Allow   Default  LAN,*   *,*    *,*

[identity profile] dewhitton.livejournal.com 2006-06-06 11:04 pm (UTC)
That was already in there. D-Link must install it as a default.

This is the router log from the moment I start the modem:


Wednesday June 07, 2006 08:56:51 DOD:triggered internally
Wednesday June 07, 2006 08:56:51 DHCP:discover()
Wednesday June 07, 2006 08:56:55 DHCP:discover()
Wednesday June 07, 2006 08:57:03 DHCP:discover()
Wednesday June 07, 2006 08:57:19 DHCP:discover()
Wednesday June 07, 2006 08:58:07 DOD:triggered internally
Wednesday June 07, 2006 08:58:07 DHCP:discover()
Wednesday June 07, 2006 08:58:07 DHCP:offer(10.0.0.138)
Wednesday June 07, 2006 08:58:07 DHCP:request(10.0.0.1)
Wednesday June 07, 2006 08:58:08 DHCP:ack(DOL=4294967295,T1=2147483647,T2=3758096384)
Wednesday June 07, 2006 08:58:56 Unrecognized attempt blocked from 10.0.0.138:137 to 10.0.0.1 UDP:137
Wednesday June 07, 2006 08:59:22 Unrecognized attempt blocked from 10.0.0.138:137 to 10.0.0.1 UDP:137
etc

and then I have to reboot the modem to continue my connection.
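
An added example, not part of the thread and not anyone's posted code: a small parser for blocked-attempt lines in the format of the router log quoted above. It groups the attempts by source, protocol and port, reports their spacing, and flags whether the source is a private address, in which case the log cannot identify an outside host. The sample lines are constructed from the log format shown in the comment; the function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the router log quoted in the thread.
SAMPLE_LOG = """\
Wednesday June 07, 2006 08:58:07 DHCP:offer(10.0.0.138)
Wednesday June 07, 2006 08:58:08 DHCP:ack(DOL=4294967295,T1=2147483647,T2=3758096384)
Wednesday June 07, 2006 08:58:56 Unrecognized attempt blocked from 10.0.0.138:137 to 10.0.0.1 UDP:137
Wednesday June 07, 2006 08:59:22 Unrecognized attempt blocked from 10.0.0.138:137 to 10.0.0.1 UDP:137
"""

BLOCKED = re.compile(
    r"^(?P<ts>\w+ \w+ \d{2}, \d{4} \d{2}:\d{2}:\d{2}) Unrecognized attempt blocked "
    r"from (?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+) (?P<proto>\w+):(?P<dport>\d+)$"
)
TS_FORMAT = "%A %B %d, %Y %H:%M:%S"


def parse_blocked(log_text):
    """Return (time, src, proto, dport) for each blocked-attempt line; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = BLOCKED.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], TS_FORMAT),
                           m["src"], m["proto"], int(m["dport"])))
    return events


def summarize(events):
    """Group blocked attempts by (source, protocol, port) and measure their spacing."""
    groups = defaultdict(list)
    for when, src, proto, dport in events:
        groups[(src, proto, dport)].append(when)
    report = []
    for (src, proto, dport), times in groups.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report.append({
            "src": src, "proto": proto, "dport": dport, "count": len(times),
            # A private source address means the log names a LAN-side device,
            # not an Internet host, so it cannot show where a probe originated.
            "src_is_private": ipaddress.ip_address(src).is_private,
            "gaps_seconds": gaps,
        })
    return report


if __name__ == "__main__":
    for row in summarize(parse_blocked(SAMPLE_LOG)):
        print(row)
```

UDP port 137 is the NetBIOS name service port; on the sample lines the report shows one source, 10.0.0.138, with the two attempts 26 seconds apart.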

[personal profile] jamesb 2006-06-07 12:27 am (UTC)
As it's your MODEM that keeps needing a reboot, I'd look for the source of the problem in the MODEM itself.

A lot of ADSL MODEMs include their own internal routers, and only need to be connected to a hub. Looking at your router logs, I suspect that your MODEM is running in router mode and is masking what's really going on (like the true source of the port 137 probes). It is usually possible to shut down the router system in the MODEM and rely on an external router instead.

[identity profile] dewhitton.livejournal.com 2006-06-07 01:02 am (UTC)
I'm looking at it now.

The odd thing is that it's happening now, but the connection is not dropping out and doesn't need a reboot every 5 minutes.

[identity profile] quen-elf.livejournal.com 2006-06-06 09:58 pm (UTC)
The BBC stream is different because it's UDP (connectionless) most likely. So that makes that part less weird. Hope you get it sorted anyhow.