TCP Port Scan


Jquaide (Junior Member, thread starter), 06-Jan-2009, 03:08 AM
For the past 4 days I have been receiving this from my router's log:

2009/01/05 22:13:04 PST FW: severity=low src=221.192.xxx.xx dst=71.129.xx.xx ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped

2009/01/05 22:20:22 PST FW: severity=low src=221.195.xx.xx dst=71.129.xx.xx ipprot=6 sport=12200 dport=1080 TCP Port Scan Detected, Packet Dropped

I am unable to do anything worthwhile on my computer other than check my email while failing multiple times to load due to timing out. I formatted my computers because I thought it had something to do with spyware/malware, to no avail. Even while both my computers are off I keep getting the port scan errors on my router. I called my ISP and they told me that everything is fine. I am running WinXP SP3 and use a 2Wire HomePortal 1000SW.

Thank you if you can help, and I apologize if this is the wrong forum to place this in.
Elvandil (Moderator), 06-Jan-2009, 06:44 AM
Ports are scanned all the time. 1000s of people are doing them all day long for various useful and nefarious purposes. Even ISPs do it. A good firewall should not be affected by port scans and it certainly shouldn't affect your connection. These data packets are tiny. Multiple connection attempts or scans should induce an automatic block in a good firewall.

If you are having connection problems, either it is caused by something else, or you need a new firewall. Can you connect any better with it turned off?
JohnWill (Retired Moderator), 06-Jan-2009, 09:34 AM
Please supply the following info, exact make and models of the equipment please.

  • Name of your ISP (Internet Service Provider).
  • Make and exact model of the broadband modem.
  • Make and exact model and hardware version of the router (if a separate unit). Model numbers can usually be obtained from the label on the device.
  • Connection type, wired or wireless.
  • If wireless, encryption used (none, WEP, WPA, or WPA2).
  • Version and patch level of Windows on all affected machines, i.e. XP (Home or Pro), SP1-SP2-SP3, Vista (Home, Business, Ultimate), etc.
  • The Internet browser in use: IE, Firefox, Opera, etc.




Please give an exact description of your problem symptoms, including the exact text of any error messages.


  • If you're using a wireless connection, have you tried a direct connection with a cable to see if that changes the symptoms?
  • For wireless issues, have you disabled all encryption on the router to see if you can connect that way?
  • Have you connected directly to the broadband modem to see if this is a router or modem/ISP issue?
  • If there are other computers on the same network, are they experiencing the same issue, or do they function normally?




On any affected computer, I'd also like to see this:

Hold the Windows key and press R, then type CMD (COMMAND for W98/WME) to open a command prompt:

Type the following commands on separate lines, following each one with the Enter key:

PING 206.190.60.37

PING yahoo.com

NBTSTAT -n

IPCONFIG /ALL


Right click in the command window and choose Select All, then hit Enter.
Paste the results in a message here.

If you are on a machine with no network connection, use a floppy, USB disk, or a CD-RW disk to transfer a text file with the information to allow pasting it here.
Jquaide (Junior Member, thread starter), 06-Jan-2009, 04:37 PM
AT&T DSL formerly SBC Global
2Wire HomePortal 1000SW
Router is built in with the modem
Laptop - WEP WinXP Pro Service Pack 3 on Mozilla Firefox
Desktop - Wired WinXP Pro Service Pack 3 on Mozilla Firefox

While doing tasks like browsing webpages it is beginning to ease up, where I only get interrupted if I receive the Port Scan the second I am loading a page. When I try to get on a program which needs a sustained connection such as an online video game or a VoIP service, the ping skyrockets from 89 to 1900+ the second I am scanned and then proceeds to time out of whatever I was doing at the time. I have about 4 pages of logs from the past 4 days so I will post the most recent 20 errors.

INF 2009/01/06 08:29:18 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 08:39:08 PST SYS: vlanmon0: connection lost, reconnecting...
INF 2009/01/06 08:48:18 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 09:07:09 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 09:16:23 PST FW: severity=low src=218.10.111.106 dst=71.129.50.88 ipprot=6 sport=12200 dport=7212 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 09:26:08 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 09:44:58 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 09:58:41 PST FW: severity=low src=221.195.73.86 dst=71.129.50.88 ipprot=6 sport=12200 dport=1080 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 10:03:49 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 10:22:33 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 10:28:52 PST FW: severity=low src=218.10.111.106 dst=71.129.50.88 ipprot=6 sport=12200 dport=7212 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 10:31:27 PST FW: severity=low src=61.153.45.198 dst=71.129.50.88 ipprot=6 sport=58933 dport=5902 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 10:31:28 PST FW: severity=low src=61.153.45.198 dst=71.129.50.88 ipprot=6 sport=2677 dport=5902 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 10:41:12 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 10:59:57 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 11:02:27 PST FW: severity=low src=221.195.73.86 dst=71.129.50.88 ipprot=6 sport=12200 dport=1080 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 11:18:58 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 11:37:47 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 11:38:50 PST FW: severity=low src=221.195.73.86 dst=71.129.50.88 ipprot=6 sport=12200 dport=1080 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 11:41:18 PST FW: severity=low src=218.10.111.106 dst=71.129.50.88 ipprot=6 sport=12200 dport=7212 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 11:54:39 PST SYS: Successfully logged into a password protected page
INF 2009/01/06 11:56:36 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped

Tried changing up from wireless to wired and vice versa for no change in broadband speed. I have disabled encryption for no change. I have connected directly to the modem for no change. All computers on the same network are experiencing the same issue.


The requested command prompt returns:

C:\>ping 206.190.60.37

Pinging 206.190.60.37 with 32 bytes of data:

Reply from 206.190.60.37: bytes=32 time=108ms TTL=56
Reply from 206.190.60.37: bytes=32 time=85ms TTL=56
Request timed out.
Request timed out.

Ping statistics for 206.190.60.37:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 85ms, Maximum = 108ms, Average = 96ms

C:\>ping yahoo.com

Pinging yahoo.com [206.190.60.37] with 32 bytes of data:

Reply from 206.190.60.37: bytes=32 time=86ms TTL=56
Request timed out.
Reply from 206.190.60.37: bytes=32 time=106ms TTL=56
Reply from 206.190.60.37: bytes=32 time=91ms TTL=56

Ping statistics for 206.190.60.37:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 86ms, Maximum = 106ms, Average = 94ms

C:\>nbtsats -n
'NBTSATS' is not recognized as an internal or external command,
operable program or batch file.

C:\>nbtstat -n

Local Area Connection 2:
Node IpAddress: [172.16.1.34] Scope Id: []

NetBIOS Local Name Table

Name Type Status
---------------------------------------------
USER-B65303E873<00> UNIQUE Registered
USER-B65303E873<20> UNIQUE Registered
WORKGROUP <00> GROUP Registered

C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : user-b65303e873
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Belkin 11Mbps Wireless USB Network A
dapter
Physical Address. . . . . . . . . : 00-30-BD-9D-C3-7B
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 172.16.1.34
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.16.0.1
DHCP Server . . . . . . . . . . . : 172.16.0.1
DNS Servers . . . . . . . . . . . : 172.16.0.1
Lease Obtained. . . . . . . . . . : Tuesday, January 06, 2009 12:19:07 P
M
Lease Expires . . . . . . . . . . : Tuesday, January 06, 2009 1:19:07 PM


C:\>
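
As an added example (not part of the original posts), the following Python parses entries in the format of the router log posted above, counts dropped probes per source and destination port, and measures how many seconds after the most recent dropped probe each "connection lost" entry occurred. The function names are illustrative, and the sample is a seven-line subset of the posted log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Seven entries copied from the router log posted in the thread.
SAMPLE_LOG = """\
INF 2009/01/06 08:29:18 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 08:39:08 PST SYS: vlanmon0: connection lost, reconnecting...
INF 2009/01/06 08:48:18 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 09:07:09 PST FW: severity=low src=221.192.199.34 dst=71.129.50.88 ipprot=6 sport=12200 dport=9788 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 09:16:23 PST FW: severity=low src=218.10.111.106 dst=71.129.50.88 ipprot=6 sport=12200 dport=7212 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 10:31:27 PST FW: severity=low src=61.153.45.198 dst=71.129.50.88 ipprot=6 sport=58933 dport=5902 TCP Port Scan Detected, Packet Dropped
INF 2009/01/06 10:31:28 PST FW: severity=low src=61.153.45.198 dst=71.129.50.88 ipprot=6 sport=2677 dport=5902 TCP Port Scan Detected, Packet Dropped
"""

LINE = re.compile(r"^\w+ (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \w+ (FW|SYS): (.*)$")
KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Return (time, subsystem, key=value fields, message) per recognised line."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")  # all entries share one zone (PST)
        events.append((ts, m.group(2), dict(KV.findall(m.group(3))), m.group(3)))
    return events

def summarize(events):
    """Count dropped probes per (src, dport) and time each link loss against them."""
    probes = defaultdict(list)
    for ts, subsystem, fields, _ in events:
        if subsystem == "FW" and "src" in fields and "dport" in fields:
            probes[(fields["src"], int(fields["dport"]))].append(ts)
    fw_times = sorted(t for times in probes.values() for t in times)
    hours = (fw_times[-1] - fw_times[0]).total_seconds() / 3600 if len(fw_times) > 1 else 0
    link_loss = []
    for ts, subsystem, _, msg in events:
        if subsystem == "SYS" and "connection lost" in msg:
            prior = [t for t in fw_times if t <= ts]
            # seconds since the most recent dropped probe, None if there was none
            link_loss.append((ts, (ts - prior[-1]).total_seconds() if prior else None))
    return {"per_probe": {k: len(v) for k, v in probes.items()},
            "drops_per_hour": round(len(fw_times) / hours, 2) if hours else None,
            "link_loss": link_loss}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```

On this subset the firewall logs about three dropped packets per hour, and the single "connection lost" entry falls 590 seconds after the nearest preceding drop.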
Wanderer2 (Senior Member), 06-Jan-2009, 05:33 PM
"INF 2009/01/06 08:39:08 PST SYS: vlanmon0: connection lost, reconnecting..."

This is an error requiring more investigation. Ask your ISP if they are doing VLANs.

Run a connection/speed test using any one of a dozen online free services. Post your results and what you are told by the ISP as your up/down bandwidth.

Do a tracert yahoo.com and post the results.
JohnWill (Retired Moderator), 06-Jan-2009, 05:38 PM
For the other error, let's see a couple of these.

Register at DSLReports and run their Line Quality Tests. It's best to run this test with a direct wired connection to eliminate any wireless issues from the results. It's useful many times to run this test several times, and we'd like to see each of the results. Post the results link from the top of the test display page for each test run here.

The link to post is near the top of the page and looks like:

If you wish to post this result to a forum, please copy/paste this URL
http://www.dslreports.com/linequality/nil/2357195 <- sample only, yours will obviously be different!
and your IP will be disguised.

Copy/paste that link here.

Note: You will have to enable PING (ICMP) request response either in your router (if you have one), or in your computer's firewall for direct modem connections. This is very important to get the most important part of the test to run.







I think the port scans are something that probably happens to almost every router on the planet; I checked a couple of the addresses. I'd be amazed if many other people don't see scans from the same address ranges.
[Attached thumbnails: TCP Port Scan-scan.jpg, TCP Port Scan-scan2.jpg]
Jquaide (Junior Member, thread starter), 06-Jan-2009, 06:02 PM
I'm on hold for at least 2 more hours with the ISP tech support place. I am supposed to be getting 1536kbps incoming and 384kbps outgoing, and I am getting 1263kbps/294kbps.

traceroute to w2.rc.vip.re4.yahoo.com (206.190.60.37) with 32 bytes and 30 max hops:
1: adsl-71-129-63-254.dsl.irvnca.pacbell.net (71.129.63.254) 15 ms
2: dist4-vlan55.irvnca.pbi.net (67.114.48.66) 73 ms
3: bb2-g9-0.irvnca.sbcglobal.net (151.164.92.196) 15 ms
4: bb2-p12-0.klmzmi.sbcglobal.net (151.164.242.77) 16 ms
5: asn10310-yahoo.eqlaca.sbcglobal.net (151.164.89.214) 18 ms
6: so-2-0-0.pat1.dax.yahoo.com (216.115.96.50) 49 ms
7: ae4.pat2.dax.yahoo.com (216.115.102.139) 49 ms
8: so-1-0-0.pat2.dce.yahoo.com (216.115.96.20) 102 ms
9: ae1-p151.msr2.re1.yahoo.com (216.115.108.23) 83 ms
Wanderer2 (Senior Member), 06-Jan-2009, 08:29 PM
Those up/down you listed are within tolerances. You never get exactly what the ISP states but should be close as you are.

Your tracert looks OK though it never completed at 206.190.60.37
Jquaide (Junior Member, thread starter), 06-Jan-2009, 08:55 PM
http://www.dslreports.com/linequality/nil/2473221
http://www.dslreports.com/linequality/nil/2473258

This is what I was able to come up with in the past 2 hours due to how bad I was lagging while I was trying to do this.

I have a 3rd one queued right now:

http://www.dslreports.com/linequality/nil/2473298

Jquaide (Junior Member, thread starter), 06-Jan-2009, 09:14 PM
Quote (originally posted by Wanderer2):
Your tracert looks OK though it never completed at 206.190.60.37

I ran it again just now using command prompt instead of the router MDC:

C:\>tracert yahoo.com

Tracing route to yahoo.com [206.190.60.37]
over a maximum of 30 hops:

1 1 ms 1 ms <1 ms homeportal.gateway.2wire.net [172.16.0.1]
2 14 ms 17 ms 17 ms adsl-71-129-63-254.dsl.irvnca.pacbell.net [71.12
9.63.254]
3 14 ms 15 ms 27 ms dist4-vlan55.irvnca.pbi.net [67.114.48.66]
4 14 ms 17 ms 17 ms bb2-g9-0.irvnca.sbcglobal.net [151.164.92.196]
5 16 ms 17 ms 15 ms bb2-p12-0.klmzmi.sbcglobal.net [151.164.242.77]

6 18 ms 23 ms 19 ms asn10310-yahoo.eqlaca.sbcglobal.net [151.164.89.
214]
7 50 ms 50 ms 51 ms so-2-0-0.pat1.dax.yahoo.com [216.115.96.50]
8 51 ms 53 ms 49 ms ae4.pat2.dax.yahoo.com [216.115.102.139]
9 83 ms 84 ms 82 ms so-1-0-0.pat2.dce.yahoo.com [216.115.96.20]
10 84 ms 82 ms 84 ms ae1-p141.msr1.re1.yahoo.com [216.115.108.19]
11 83 ms 84 ms 84 ms te-9-3.bas-a2.re4.yahoo.com [216.39.49.7]
12 82 ms 82 ms 82 ms w2.rc.vip.re4.yahoo.com [206.190.60.37]

Trace complete.

C:\>
JohnWill (Retired Moderator), 07-Jan-2009, 10:15 AM
So far, I see nothing wrong. The line quality tests all look fine, and your tracert seems OK too. The speeds are not out of line for the level of service you have either.

Do you have any other computers on this network? I'm thinking more along the lines of something on the computer. Can you test this with another computer? Perhaps a friend with a laptop if you don't have a second computer?