Can someone explain strange inbound connections on my server log?


Ok, so I only know as much about networking as I have learned in my Computer Systems and Electronics courses, and I am seeing something that I'm not sure how to interpret. My brother wanted me to make him a private server for Garry's Mod that he and his friends could play together on, hosted on our desktop machine on our private AT&T U-verse home network.

I first assigned a static IP to the desktop via my router's homepage through Chrome. I then followed steps at to create firewall exceptions on my router's homepage for the ports used by Garry's Mod.

Garry's Mod uses ports 3478, 4379-4380, 27000-27030. After opening these ports on the router, the associated IP is

If I look in my router's log file, I see this:

INF 2016-05-28T21:09:14-05:00   sys Pinhole added on broadband=, home= appid=-1, port=27014-27050
INF 2016-05-28T21:09:14-05:00   sys Pinhole added on broadband=, home= appid=-1, port=3478
INF 2016-05-28T21:09:14-05:00   sys Pinhole added on broadband=, home= appid=-1, port=4379-4380
INF 2016-05-28T21:09:14-05:00   sys Pinhole added on broadband=, home= appid=-1, port=27000-27030
INF 2016-05-28T21:39:41-05:00   sys Successfully logged into a password protected page

Which is just me creating the exceptions in the firewall. However, I must have done something wrong, and my brother's friend kept getting "Connection timed out" when trying to join my brother's game. So I went further into the log file to check for failed connection attempts. I found these:

INF 2016-05-29T00:56:20-05:00       Previous log entry repeated 2 times
INF 2016-05-29T00:58:05-05:00   fw,fwmon    src= dst= ipprot=6 sport=50610 dport=21 Unknown inbound session stopped
INF 2016-05-29T01:01:06-05:00   fw,fwmon    src= dst= ipprot=6 sport=3483 dport=23 Unknown inbound session stopped
INF 2016-05-29T01:01:15-05:00       Previous log entry repeated 2 times
INF 2016-05-29T01:05:35-05:00   fw,fwmon    src= dst= ipprot=17 sport=44310 dport=5351 Unknown inbound session stopped
INF 2016-05-29T01:07:08-05:00   fw,fwmon    src= dst= ipprot=6 sport=40086 dport=23 Unknown inbound session stopped
INF 2016-05-29T01:07:11-05:00       Previous log entry repeated 1 times

and much, much more, mostly looking the same. There are probably close to 100 of these entries. The destination for all of this traffic is, which is the IP associated with the Garry's Mod ports. I mapped the location of a random handful of the source IPs, and this is what I got:

Source IP map

This is what I'm not sure how to interpret. Am I just seeing the traffic to Garry's Mod servers? Or are these some kind of bot scripts that search for open ports and are trying to get onto the server I have established? I suspect the latter, since every log entry says "Unknown inbound session stopped". I also suspect that that message has something to do with why my brother's friend couldn't connect. Or maybe it's more complicated than that.

As a more general question, why does this happen at all, outside of this context specifically? For example, when I run lastb in bash on my Raspberry Pi, I get a large list of attempted connections (bad logins), and most of those source IPs come from China, some from the Netherlands, etc. Why do bots surf around trying to connect to machines connected on public networks? What is their goal if they happen to gain access? And, is that what is happening with my attempted Garry's Mod server?


Posted 2016-05-29T07:28:31.063

Reputation: 273

is your router's address (and thus your address) for ALL ports, not just the ones you opened. Yes, machines all over the world are probing all systems, including yours, all the time. TCP 21 and 23 are TELNET and FTP, which are often implemented with poor security; UDP 5351 is NAT Port Mapping Protocol, also insecure. Some do it for fun or research, but most have the goal of stealing your data and/or running malware on your computer to use it to attack others or just sell access to your machine as part of a botnet to other criminals. – dave_thompson_085 – 2016-05-29T11:47:45.347

... What's happening to your desired connections I have no clue. – dave_thompson_085 – 2016-05-29T11:49:35.060



You're getting scanned for vulnerable services. This isn't related to running Garry's Mod, it's just something that happens to anything with a public IP address (like your router) on the internet.

More specifically, I see connection attempts for:

  • ipprot=6 (TCP) dport=21 (FTP), an ancient file-sharing protocol that's hopelessly insecure and nobody should be using anymore.

  • ipprot=6 (TCP) dport=23 (Telnet), an ancient remote login protocol that's hopelessly insecure and nobody should be using anymore.

  • ipprot=17 (UDP) dport=5351 (NAT Port Mapping Protocol), a protocol intended to allow devices on a private network to tell the router how to configure their internet connections, which is vulnerable to attack when exposed to the external internet.

Basically, people scan the internet at random looking for easy-to-attack targets. If you keep watching the logs, you'll see more attempts at these and other ports, including completely random port numbers (just to see what they can find). Your router's built-in firewall seems to be blocking the probes just fine, which is about the best you can do.

Eventually, someone's going to land a lucky probe that hits one of the ports used by Garry's Mod. Whether they can exploit that discovery depends on the security of the Garry's Mod server software, which I'm not familiar with so I can't comment.

Gordon Davisson

Posted 2016-05-29T07:28:31.063

Reputation: 28 538
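
As an added example (not part of the original answer and not the router's own tooling), this Python script tallies the "Unknown inbound session stopped" entries by protocol and destination port, folds in the "Previous log entry repeated N times" lines, and marks any hit on the port ranges the question lists as opened. The sample log is constructed, and its addresses are documentation-range placeholders.

```python
import re
from collections import Counter

PROTO = {6: "TCP", 17: "UDP"}                          # IP protocol numbers in the log
OPENED = [(3478, 3478), (4379, 4380), (27000, 27030)]  # ports listed in the question
FW_RE = re.compile(r"src=(\S*) dst=(\S*) ipprot=(\d+) sport=(\d+) dport=(\d+) "
                   r"Unknown inbound session stopped")
REPEAT_RE = re.compile(r"Previous log entry repeated (\d+) times")

# Constructed sample in the quoted log format. Addresses are documentation-range
# placeholders; the last line keeps src/dst empty, as they appear in the post.
SAMPLE_LOG = """\
INF 2016-05-29T00:56:20-05:00       Previous log entry repeated 2 times
INF 2016-05-29T00:58:05-05:00   fw,fwmon    src=203.0.113.7 dst=198.51.100.20 ipprot=6 sport=50610 dport=21 Unknown inbound session stopped
INF 2016-05-29T01:01:06-05:00   fw,fwmon    src=203.0.113.9 dst=198.51.100.20 ipprot=6 sport=3483 dport=23 Unknown inbound session stopped
INF 2016-05-29T01:01:15-05:00       Previous log entry repeated 2 times
INF 2016-05-29T01:05:35-05:00   fw,fwmon    src=192.0.2.44 dst=198.51.100.20 ipprot=17 sport=44310 dport=5351 Unknown inbound session stopped
INF 2016-05-29T01:07:08-05:00   fw,fwmon    src=192.0.2.80 dst=198.51.100.20 ipprot=6 sport=40086 dport=23 Unknown inbound session stopped
INF 2016-05-29T01:07:11-05:00       Previous log entry repeated 1 times
INF 2016-05-29T01:09:00-05:00   fw,fwmon    src= dst= ipprot=17 sport=51000 dport=27015 Unknown inbound session stopped
"""

def summarize(log_text):
    """Count blocked inbound sessions per (protocol, destination port)."""
    counts = Counter()
    last_key = None  # set only while the previous entry was a firewall drop
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        r = REPEAT_RE.search(line)
        if m:
            proto = PROTO.get(int(m.group(3)), m.group(3))
            last_key = (proto, int(m.group(5)))
            counts[last_key] += 1
        elif r and last_key is not None:
            counts[last_key] += int(r.group(1))  # repeats of the drop just above
        elif not r:
            last_key = None  # unrelated entry: a later "repeated" is not a drop
    return counts

def report(log_text):
    rows = []  # (proto, dport, count, tag), most frequent first
    for (proto, port), n in summarize(log_text).most_common():
        opened = any(lo <= port <= hi for lo, hi in OPENED)
        rows.append((proto, port, n, "opened game port" if opened else "scan noise"))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print("%-4s dport=%-6d x%-3d %s" % row)
```

The leading "repeated 2 times" line has no preceding entry in the excerpt, so it is ignored rather than attributed to a port.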