For the past 4 weeks, I have noticed that my router and modem lights blink continuously:
The router is a Linksys WRT160NL running DD-WRT v24-sp2 (07/20/12) std and the modem is a Cisco DPC3825. The modem is capable of routing as well but I turned that off so it is in bridge mode.
I also have two linux servers in my network. One is running Asterisk and the other is a web server.
Initially, the asterisk server was in the DMZ, but I took it out because of the suspicious traffic. Instead, I forwarded a bunch of ports to the Asterisk server and port 80 to the web server. After this, I started noticing a bunch of errors in the web server logs:
192.168.1.1 - - [05/Mar/2013:12:49:10 -0500] "GET /wpad.dat HTTP/1.1" 499 0 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:49:11 -0500] "GET /wpad.dat HTTP/1.1" 499 0 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:49:11 -0500] "GET /wpad.dat HTTP/1.1" 499 0 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:49:12 -0500] "GET /wpad.dat HTTP/1.1" 499 0 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:23 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:33 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:38 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:40 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:42 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:44 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"
Note: 192.168.1.1 is my router's IP in this case (not the real one, but you get the idea).
To verify my suspicion, I turned off port forwarding to the web server (port 80), and the error logs stopped. So, I concluded the traffic was coming from outside my network.
EDIT: I disconnected EVERYTHING except the modem and router, and yet the lights are still blinking. They only stop if I disconnect the cable from router to modem.
Any ideas how I can determine the source of the traffic and hopefully stop it?
EDIT2: I managed to enable firewall logs and got thousands of dropped packets from the same IP:
2013-03-05T15:21:30-05:00 my.local.domain.com kernel: [1403284.570000] DROP IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=68.71.197.69 DST=xx.xx.xx.xx LEN=200 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=12882 DPT=4032 LEN=180
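As an added example, not part of the original question or any of the answers: a small Python script that parses the two log formats quoted above (nginx combined-format access log lines and DD-WRT/iptables kernel DROP lines) and summarises who is hitting the box, which is the first thing to do before deciding what to block. The sample lines are constructed for the example, modelled on the ones in the question (the 198.51.100.9 and 203.0.113.7 addresses are documentation ranges, not real sources); all function and field names are my own.

```python
"""Summarise nginx access-log and iptables DROP lines to find the traffic source.

Assumptions (not from the original post): nginx combined log format, DD-WRT
kernel LOG lines with "DROP" as the log prefix. Sample data below is constructed.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample data modelled on the lines quoted in the question.
ACCESS_LOG = """\
192.168.1.1 - - [05/Mar/2013:12:49:10 -0500] "GET /wpad.dat HTTP/1.1" 499 0 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:23 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"
203.0.113.7 - - [05/Mar/2013:12:51:02 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2013:12:51:03 -0500] "GET /wpad.dat HTTP/1.1" 404 0 "-" "-"
"""

FIREWALL_LOG = """\
2013-03-05T15:21:30-05:00 my.local.domain.com kernel: [1403284.570000] DROP IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=68.71.197.69 DST=xx.xx.xx.xx LEN=200 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=12882 DPT=4032 LEN=180
2013-03-05T15:21:31-05:00 my.local.domain.com kernel: [1403285.570000] DROP IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=68.71.197.69 DST=xx.xx.xx.xx LEN=200 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=12882 DPT=4033 LEN=180
2013-03-05T15:21:32-05:00 my.local.domain.com kernel: [1403286.570000] DROP IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=198.51.100.9 DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44021 DPT=22 LEN=40
"""

# nginx combined format: client ident user [time] "request" status bytes "referer" "agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "[^"]*"$'
)
# KEY=VALUE tokens of an iptables LOG line ("OUT=" legitimately has an empty value)
KV_RE = re.compile(r'(\w+)=(\S*)')


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one nginx access-log line, or None if the line does not match."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_firewall_line(line: str) -> Optional[Dict[str, str]]:
    """KEY=VALUE fields after the DROP prefix. The first occurrence of a key wins,
    so LEN is the IP total length rather than the inner UDP/TCP length."""
    if " DROP " not in line:
        return None
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line.split(" DROP ", 1)[1]):
        fields.setdefault(key, value)
    return fields if "SRC" in fields else None


def top_sources(fw_log: str) -> List[Tuple[str, int]]:
    """Dropped packets per source IP, most frequent first."""
    counts: Counter = Counter()
    for line in fw_log.splitlines():
        f = parse_firewall_line(line)
        if f:
            counts[f["SRC"]] += 1
    return counts.most_common()


def ports_by_source(fw_log: str) -> Dict[str, List[str]]:
    """Distinct proto/destination-port pairs each source hit. Many distinct ports
    from one source looks like a scan; one port hammered repeatedly looks like a
    misdirected or flooding client, which is what the question's DROP line shows."""
    seen: Dict[str, set] = defaultdict(set)
    for line in fw_log.splitlines():
        f = parse_firewall_line(line)
        if f:
            seen[f["SRC"]].add(f"{f.get('PROTO', '?')}/{f.get('DPT', '?')}")
    return {src: sorted(ports) for src, ports in seen.items()}


def wpad_probes(access_log: str) -> Counter:
    """How many times each client asked for /wpad.dat (proxy auto-discovery)."""
    probes: Counter = Counter()
    for line in access_log.splitlines():
        f = parse_access_line(line)
        if f and f["path"].lower().startswith("/wpad.dat"):
            probes[f["ip"]] += 1
    return probes


def unanswered_requests(access_log: str) -> int:
    """Requests that never got a real answer: 499 is nginx's 'client closed
    request', 504 is an upstream (gateway) timeout."""
    return sum(1 for line in access_log.splitlines()
               if (f := parse_access_line(line)) and f["status"] in ("499", "504"))


if __name__ == "__main__":
    print("drops by source:", top_sources(FIREWALL_LOG))
    print("ports by source:", ports_by_source(FIREWALL_LOG))
    print("wpad.dat probes:", dict(wpad_probes(ACCESS_LOG)))
    print("unanswered requests:", unanswered_requests(ACCESS_LOG))
```

If every access-log client shows up as the router's own address, as in the question, the web server is only seeing the post-NAT source and the firewall log on the router is the place to look for the real external IP; once a single source stands out there, a drop rule on the WAN interface of the router is the cheapest fix.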
You should be able to look at the logs of the router and see what's coming in and hitting the box. If it's a single ip, you can blackhole it at your router. – rfelsburg – 2013-03-05T18:56:40.310
Unfortunately, all the log entries have the IP of my router. Some DDWRT misconfiguration perhaps? – Alfero Chingono – 2013-03-05T19:03:06.370
I just tested with my mobile phone (over 3G) and an external IP appeared in the log. hmmm. – Alfero Chingono – 2013-03-05T19:05:56.913
Check the outermost router. If you are, then hmm, I'm not sure. – rfelsburg – 2013-03-05T19:08:12.543
Please tell me this is in your home environment (in which case I will migrate it to SuperUser for you) -- If you're using that Linksys "router" in a production business environment you need to start thinking about replacements... – voretaq7 – 2013-03-05T19:12:50.023
wait...wpad.dat is to do with proxy autoconfig...are there any devices that might be inadvertently set to try and recover this file? – tombull89 – 2013-03-05T19:15:52.310
@voretaq7 Yes, home environment. – Alfero Chingono – 2013-03-05T19:16:37.807
@tombull89 Not that I know of. Interesting part is that this stopped when I turned off port forwarding. – Alfero Chingono – 2013-03-05T19:20:47.823