# Attack detected / Firewall triggered



## Done_Fishin (Oct 10, 2006)

I was checking out my router log today .. and found this 



> Current Log Entries
> 
> 
> 0000-00-00 00:00:01 E |System |Current Mode: Bridge-Router
> ...





Can anyone shed light on what this is 

*0000-00-00 00:54:12 E |CWMP |CWMP is attempting to connect to the ACS named http://111.111.111.111:1111/ACS-INTF. *

Also this attack .. is it connected to the Firewall alarms from the two different sites?
*0000-00-00 00:00:56 E |Attack Detected |TCP packet with only FIN flag set - 81.183.114.73:63706 -> 91.140.17.190:31246 len=40 id=15594*

Is there any way to know if anything got through ???
Is there anything that I should be doing to tighten down my security ??

All advice gratefully received ..


----------



## johnwill (Sep 26, 2002)

If it got through, it wouldn't be in the log. :smile:

This kind of stuff shows up all the time in the logs.


----------



## Done_Fishin (Oct 10, 2006)

Any idea what http://111.111.111.111:1111/ACS-INTF means .. tried to google it but came up with nothing .. doesn't look like a proper address unless it's in the 127 range or maybe it's IPv6


----------



## johnwill (Sep 26, 2002)

I have no idea, looks like a cryptic web address, since it's sitting behind an http:// :smile:


----------



## Doctor Olds (May 14, 2009)

Done_Fishin said:


> I was checking out my router log today .. and found this
> 
> Can anyone shed light on what this is
> 
> ...


That is a normal log entry for CWMP aka TR-069 (short for Technical Report 069) aka "CPE WAN Management Protocol" (CPE -- Customer Premise Equipment) and it looks like you may have changed the real IP to all 1's, correct? If not then the ISP set up their Firmware strangely or someone else modified the ACS IP trying to stop it connecting. Either way it is ok.

You can read much more about CWMP at these links below. It is not an attack, and it is harmless as it is your Modem checking in with your ISP trying to connect to a private firmware delivery/basic configuration server owned by the ISP to make sure you have their latest bug-fixed/latest feature release Firmware along with the basic connection type info for the DSL's VC (Virtual Circuit) settings. That's basically it in a nutshell. It is becoming the de facto standard for ISPs and other service providers (Cell phones, Wi-Fi devices, Set Top Boxes, and much more) to keep their customers' equipment updated and secured.

http://www.carricksolutions.com/TR-069/

http://en.wikipedia.org/wiki/TR-069


> TR-069 (short for Technical Report 069) is a DSL Forum (which was later renamed as Broadband Forum) technical specification entitled CPE WAN Management Protocol (CWMP). It defines an application layer protocol for remote management of end-user devices.


http://www.broadband-forum.org/technical/download/TR-069.pdf

http://www.broadband-forum.org/technical/download/TR-069Amendment2.pdf

You can disable the CWMP agent/process if you like. Details are in the linked article below:

Disabling the CWMP agent from CLI
http://shadow.sentry.org/~trev/adsl4200/cwmp_config.html

As to security, your log just shows packets it didn't like and dropped. Likely it was a late response to a Browser or DNS, or Email request and the NAPT Table entry had expired so the Router was not expecting a response since that port was closed recently by NAT/NAPT table timeout.

Test your Router's security responses by using these two test sites below. Set your Firewall to Off in the Modem/Router, yes Off as that only allows pings on the Router's WAN Interface and does not reduce your true security level (trust me the scan will confirm this and also I've been using and setting up these Speedstreams since late 1999, beta tested firmware for a while when Efficient still owned them before Siemens bought them out and I own 8+ different Models including Business Class versions which I can swap out quickly for testing and configuration issues). Pings are not a real security risk even though one site (GRC.com) wants you to think that they are, but as long as your results show all Green Blocks after running the "All Service Ports Test" that is a solid determination on the status of your Router's first 1056 ports (Green aka Stealth means no response, not even a this port is closed response, just no acknowledgment :wink: ). Red Blocks are items to be concerned with as those represent a port or ports that when checked, have replied "port number x here and I am open ready to accept connections."


- GRC | Shields UP! -- Internet Connection Security Analysis
  https://www.grc.com/x/ne.dll?bh0bkyd2
- Der Keiler - Free Online-Portscanner - Using NMAP
  http://www.derkeiler.com/Service/PortScan/

Regards,

Doctor Olds
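
An added example, not from the thread or from the router's firmware, that parses lines in the format quoted above and triages them along the lines Doctor Olds describes: CWMP lines are ACS check-ins, and "Attack Detected" drops are split into plausible late replies (source port is a well-known service port) versus other dropped probes, which are counted per source so a repeating sender stands out. The sample log is constructed: the thread's two real lines plus invented ones using documentation addresses.

```python
import re
from collections import Counter

# Constructed sample in the router's log format: the two lines quoted in the
# thread plus invented entries (203.0.113.9 is a documentation address).
SAMPLE_LOG = """\
0000-00-00 00:00:01 E |System |Current Mode: Bridge-Router
0000-00-00 00:54:12 E |CWMP |CWMP is attempting to connect to the ACS named http://111.111.111.111:1111/ACS-INTF.
0000-00-00 00:00:56 E |Attack Detected |TCP packet with only FIN flag set - 81.183.114.73:63706 -> 91.140.17.190:31246 len=40 id=15594
0000-00-00 00:01:10 E |Attack Detected |TCP packet with only FIN flag set - 81.183.114.73:63707 -> 91.140.17.190:31247 len=40 id=15595
0000-00-00 00:02:30 E |Attack Detected |TCP packet with only FIN flag set - 203.0.113.9:80 -> 91.140.17.190:49152 len=40 id=2
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S) \|([^|]+?)\s*\|(.*)$")   # ts level |category |message
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
SERVICE_PORTS = {25, 53, 80, 110, 143, 443, 993, 995}  # web, DNS, mail: sources of late replies

def parse_line(line):
    """Split one log line into timestamp, category, message and (if present) the 5-tuple."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, level, category, message = m.groups()
    entry = {"ts": ts, "category": category, "message": message}
    f = FLOW_RE.search(message)
    if f:
        entry.update(src=f.group(1), sport=int(f.group(2)), dst=f.group(3), dport=int(f.group(4)))
    return entry

def triage(entry):
    """Classify an entry; every 'Attack Detected' line is a dropped packet, not a breach."""
    if entry["category"] == "CWMP":
        return "cwmp-checkin"          # modem contacting its ISP's ACS (TR-069)
    if entry["category"] != "Attack Detected":
        return "info"
    if entry.get("sport") in SERVICE_PORTS:
        return "dropped-late-reply"    # reply from a service after the NAPT entry expired
    return "dropped-probe"             # unsolicited packet from a high port

def summarize(log_text):
    """Count verdicts and count dropped probes per source address."""
    counts = Counter()
    probes_by_src = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        verdict = triage(e)
        counts[verdict] += 1
        if verdict == "dropped-probe":
            probes_by_src[e["src"]] += 1
    return counts, probes_by_src
```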


----------



## Done_Fishin (Oct 10, 2006)

Many, many thanks for your knowledgeable help which has confirmed my suspicions about some of the points I had raised. I had forgotten all about this topic which I started over a year ago .. but I still use the same router and the update in information is more than welcome.

The all ones address is exactly as I see it, nothing changed or hidden .. It just seems that it's trying to connect but either not allowed or the host not found, which seemed strange .. why bother? Why not cut it out? unless perhaps it's just there to keep the line up & running. There is a term for it which I forget now .. but I think it was a problem going back into win95/98 days when the line would suddenly stop responding until a patch was introduced

Thanks for those links, I will be investigating very shortly.


----------

