Is it possible the AirPort Extreme base station (AEBS) isn’t catching all the malicious traffic bound for my home network? I just opened Console to check on an issue I was having with lookupd, but I was distracted when the ipfw.log firewall log file popped up with quite a lot of blocked attempts.

How many? Try 7831 over a two-hour span. Clearly a distributed denial-of-service (DDoS) attack: all 7800+ of these log entries were bound for ports 32787, 32788, and 32789, from 713 different source IP addresses. Thankfully, the Mac OS X software firewall denied all those requests. But it leads me to wonder: why did the AEBS let them through anyway?

I checked my port forwarding rules, and there’s nothing there that would specifically allow TCP traffic through on these ports. I have exactly one port range forwarded, and it’s thousands away from these three ports, which, as best I can tell, are used for “sometimes an RPC port”.

Can anyone with a stronger networking background help me out here? Is this a vulnerability in the AirPort Extreme, or should those ports be open for a reason that has no clear documentation?
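The kind of tallying done above (total denies, distinct sources, ports hit, time span) as an added example that is not from the original post: a small Python script that parses ipfw-style syslog lines and summarizes the inbound Deny entries. The sample log is constructed (hostname and addresses are made up), and the line layout assumed is the usual ipfw syslog one: rule number, verdict, protocol, src:port, dst:port, direction, interface.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in ipfw syslog layout; hostname and addresses are made up.
SAMPLE_LOG = """\
Nov 13 20:01:02 mbp ipfw: 12190 Deny TCP 203.0.113.7:4411 10.0.1.3:32787 in via en1
Nov 13 20:01:02 mbp ipfw: 12190 Deny TCP 203.0.113.7:4412 10.0.1.3:32788 in via en1
Nov 13 20:01:05 mbp ipfw: 12190 Deny TCP 198.51.100.21:1025 10.0.1.3:32789 in via en1
Nov 13 20:01:07 mbp ipfw: 12190 Deny TCP 198.51.100.22:1026 10.0.1.3:32787 in via en1
Nov 13 20:01:09 mbp ipfw: 12190 Deny UDP 198.51.100.23:53 10.0.1.3:5353 in via en1
Nov 13 22:01:10 mbp ipfw: 12190 Deny TCP 203.0.113.7:4413 10.0.1.3:32787 in via en1
Nov 13 22:01:11 mbp ipfw: 2 Accept TCP 10.0.1.3:54000 203.0.113.9:80 out via en1
"""

# One ipfw syslog line: timestamp, host, rule number, verdict, protocol,
# src:port, dst:port, direction and interface (assumed layout, see lead-in).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ ipfw: (?P<rule>\d+) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_ipfw(text):
    """Return one dict per line that matches the ipfw layout; skip anything else."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize_denies(records):
    """Describe inbound Deny entries: volume, distinct sources, ports and time span."""
    denied = [r for r in records if r["action"] == "Deny" and r["dir"] == "in"]
    per_port = Counter((r["proto"], int(r["dport"])) for r in denied)
    # Many distinct sources on one port separates a focused burst from background noise.
    sources_per_port = {}
    for r in denied:
        sources_per_port.setdefault((r["proto"], int(r["dport"])), set()).add(r["src"])
    stamps = [datetime.strptime(r["ts"], "%b %d %H:%M:%S") for r in denied]
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return {
        "total_denied": len(denied),
        "unique_sources": len({r["src"] for r in denied}),
        "per_port": per_port,
        "sources_per_port": {k: len(v) for k, v in sources_per_port.items()},
        "span_seconds": span,
    }

if __name__ == "__main__":
    for key, value in summarize_denies(parse_ipfw(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a real ipfw.log by reading the file into `parse_ipfw`; the Accept line and outbound traffic are ignored, so only inbound blocks are counted.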

  1. Now check for BitTorrent clients and other apps which may use UPnP or similar to open incoming ports on the firewall. You wouldn’t happen to have one which has opened up the firewall, but not opened up the local firewall? That would look just like a DDoS.

  2. @Codepope — I considered that. The range of ports I mentioned is specifically for that purpose, and I dictate to my apps to use those ports and not to find their own. Still, there’s a possibility that an app isn’t respecting my preferences and going off punching open holes on its own.

  3. Can you post a couple of lines from your ipfw.log?

  4. Lil’ Snitch will inform you about which ports are in use by which apps on your Mac.

  5. @rob — I’ve got the full log at my website. (The hostname & IP in the logs are fake.)

    @max — I run Little Snitch 2.0b7, but it didn’t show me anything relevant.

  6. Blocked attempts normally mean that there was an attempt to access your network via that port and it was blocked by your firewall. That means it was doing its job and you shouldn’t have anything to worry about.

  7. Do you have “Enable NAT Port Mapping Protocol” enabled in the base station?

  8. @ Twist — The logs are showing up on my MBP, which means that these attempts are making it through my AirPort Extreme base station. That’s the problem. The MBP is blocking them, but the base station should be and I shouldn’t be seeing them in my log file at all.

    @ Rob — ‘Enable NAT Port Mapping Protocol’ is checked. I suppose that would do it, then! I’m still going to fault Apple for this one, because even a techie like me turns it on thinking it necessary for any port mapping, not realizing that it’s actually the NAT-PMP alternative to UPnP. I’ve turned it off and we’ll see what happens.

    False alarm or coincidence? Like I said, I don’t have any apps that I’m aware of that run on those ports. That it lasted two hours and a few odd seconds seems extra fishy.

    Thanks for your help, everyone.

  9. This is exactly why we use “Defense in Depth”.

  10. Have you tried netstat from a command-line prompt?
    netstat is used to see which ports are being listened on and which have established connections.
    I usually use this in Windows and Linux environments for debugging network-related issues. However, I googled the netstat command for Mac OS X, and I think these commands can show information that might shed light on which app is opening these ports:
    netstat -a (-A; couldn’t understand what the difference is)
    netstat -np (shows all protocols and which ports they use, without doing a name lookup on IPs)
    Here’s a link to where I found the information:
    http://www.osxfaq.com/man/1/netstat.ws

    BR, Kim
