A chink in the AirPort armor?

Is it possible the AirPort Extreme base station isn’t catching all the malicious traffic bound for my home network? I just opened Console to check on an issue I was having with lookupd, but I was distracted when the ipfw.log firewall log file popped up with quite a lot of blocked attempts.

How many? Try 7831 over a two-hour span. Clearly a distributed denial-of-service (DDoS) attack, all 7800+ of these log entries were bound for ports 32787, 32788, and 32789, from 713 different source IP addresses. Thankfully, the Mac OS X software firewall denied all those requests. But it leads me to wonder: Why did the AEBS let them through anyway?

I checked my port forwarding rules, and there’s nothing there that would specifically allow TCP traffic through on these ports. I have exactly one port range forwarded and it’s thousands away from these three ports, which are used, as best I can uncover, for “sometimes an RPC port”.

Can anyone with a stronger networking background help me out here? Is this a vulnerability in the AirPort Extreme, or should those ports be open for a reason that has no clear documentation?
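
The counts above (total denies, the three destination ports, the number of distinct sources, the two-hour span) can be pulled straight out of ipfw.log rather than eyeballed in Console. The script below is an added example, not code from the post: it parses lines in the ipfw2 log format ("<rule> Deny|Accept <proto> <src>:<port> <dst>:<port> in via <iface>"), tallies denies per destination port and per source, and measures the window between the first and last hit. The sample log lines are constructed (RFC 5737 documentation addresses, not real traffic), the ICMP line is there to show that port-less entries are skipped, and since syslog timestamps carry no year a fixed year is assumed for parsing.

```python
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines modeled on the macOS ipfw log format; addresses are
# from the RFC 5737 documentation ranges, so this is not real traffic.
SAMPLE_LOG = """\
Apr 14 10:02:11 mbp ipfw: 12190 Deny TCP 203.0.113.5:3312 10.0.1.4:32787 in via en1
Apr 14 10:02:11 mbp ipfw: 12190 Deny TCP 203.0.113.5:3313 10.0.1.4:32788 in via en1
Apr 14 10:02:12 mbp ipfw: 12190 Deny TCP 198.51.100.77:49152 10.0.1.4:32789 in via en1
Apr 14 10:03:40 mbp ipfw: 12190 Deny TCP 192.0.2.9:1025 10.0.1.4:32787 in via en1
Apr 14 10:03:41 mbp ipfw: 12190 Deny UDP 192.0.2.9:1026 10.0.1.4:32788 in via en1
Apr 14 10:03:42 mbp ipfw: 12190 Deny ICMP:8.0 192.0.2.9 10.0.1.4 in via en1
Apr 14 12:02:15 mbp ipfw: 12190 Deny TCP 198.51.100.77:49153 10.0.1.4:32787 in via en1
Apr 14 12:02:16 mbp ipfw: 12190 Deny TCP 203.0.113.200:4444 10.0.1.4:22 in via en1
Apr 14 12:05:00 mbp ipfw: 12190 Accept TCP 203.0.113.201:5555 10.0.1.4:6881 in via en1
"""

# TCP/UDP entries only: ICMP lines have no ports and will not match.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_entries(text, year=2000):
    """Return one dict per TCP/UDP ipfw line. syslog lines carry no year, so
    one is assumed; a two-hour window inside one year is unaffected."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = f"{m['mon']} {m['day']} {m['time']} {year}"
        entries.append({
            "time": datetime.strptime(stamp, "%b %d %H:%M:%S %Y"),
            "action": m["action"],
            "proto": m["proto"],
            "src": m["src"],
            "dport": int(m["dport"]),
        })
    return entries


def summarize_denies(entries):
    """The figures the post quotes: total denies, hits per destination port,
    distinct sources (overall and per port) and the first-to-last time span."""
    denies = [e for e in entries if e["action"] == "Deny"]
    sources_by_port = defaultdict(set)
    for e in denies:
        sources_by_port[e["dport"]].add(e["src"])
    times = [e["time"] for e in denies]
    return {
        "total": len(denies),
        "by_port": dict(Counter(e["dport"] for e in denies)),
        "sources_by_port": {p: len(s) for p, s in sources_by_port.items()},
        "distinct_sources": len({e["src"] for e in denies}),
        "span_seconds": (max(times) - min(times)).total_seconds() if times else 0.0,
    }


def share_on_ports(summary, ports):
    """Fraction of all denies aimed at the given ports; 1.0 means every hit
    targeted them, which is what a burst tied to one mapped service looks like."""
    if summary["total"] == 0:
        return 0.0
    hit = sum(n for p, n in summary["by_port"].items() if p in ports)
    return hit / summary["total"]


if __name__ == "__main__":
    # Pass a path such as /var/log/ipfw.log to analyze a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarize_denies(parse_entries(text))
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("share on 32787-32789:", share_on_ports(summary, {32787, 32788, 32789}))
```

Worth keeping in mind when reading the numbers: a few thousand connection attempts to three adjacent high ports from hundreds of sources over two hours says nothing by itself about intent. The same shape is produced by remote peers still trying to reach a port that was, until recently, mapped through the base station to a machine on the LAN, so the per-port source counts and the exact start and stop times are the details to correlate with whatever was running at the time.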

12 Responses to “A chink in the AirPort armor?”

  1. Thanks for the suggestion, Kim. I’ve been using netstat for a long time as well on various systems. Unfortunately it doesn’t do much good when you discover the attempt in your logs two days later. I can’t see what ports were actually open at the time on my MBP, or what application(s) were serving which ports at the time which would have caused NAT-PMP to open the firewall ports in question.

  2. Kim Fairlane

    Have you tried netstat from a command line prompt?
    netstat is used to see what ports are being listened on and which have established connections.
    I usually use this in windows and linux environments for debugging network related issues. However, I googled the netstat command for mac os x, and I think these commands can show information that might shed a light as to which app is opening these ports:
    netstat -a (-A; couldn’t understand what the difference is)
    netstat -np (shows all protocols and which ports they use, without doing a name lookup on IPs)
    Here’s a link to where I found the information:

    BR, Kim

  3. @ Twist — The logs are showing up on my MBP, which means that these attempts are making it through my AirPort Extreme base station. That’s the problem. The MBP is blocking them, but the base station should be and I shouldn’t be seeing them in my log file at all.

    @ Rob — ‘Enable NAT Port Mapping Protocol’ is checked. I suppose that would do it, then! I’m still going to fault Apple for this one, because even a techie like me turns it on thinking it necessary for any port mapping, not realizing that it’s actually the NAT-PMP alternative to UPnP. I’ve turned it off and we’ll see what happens.

    False alarm or coincidence? Like I said, I don’t have any apps that I’m aware of that run on those ports. That it lasted two hours and a few odd seconds seems extra fishy.

    Thanks for your help, everyone.

  4. Blocked attempts normally means that there was an attempt to access your network via that port and it was blocked by your firewall. Means it was doing its job and you shouldn’t have anything to worry about.

  5. @Codepope — I considered that. The range of ports I mentioned is specifically for that purpose, and I dictate to my apps to use those ports and not to find their own. Still, there’s a possibility that an app isn’t respecting my preferences and going off punching open holes on its own.

  6. Codepope

    Now check for Bittorrent clients and other apps which may use UPnP or similar to open incoming ports on the firewall. You wouldn’t happen to have one which has opened up the firewall, but not opened up the local firewall? That would look just like a DDoS….
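
The mechanism the last two comments are pointing at is worth seeing on the wire. With ‘Enable NAT Port Mapping Protocol’ on, any process on the LAN can ask the base station to forward an external port to itself by sending one unauthenticated UDP datagram to port 5351 on the gateway; nothing on the base station asks the user. The code below is an added example, not from the post or any commenter, and follows the NAT-PMP message layout in RFC 6886: it builds the 12-byte mapping request, builds the 2-byte external-address query, and parses the gateway's replies. The reply bytes are constructed to look like a gateway granting a TCP mapping for port 32787, refusing one, and reporting a public address; the gateway IP passed to request_mapping is an assumption the caller must supply (it is not discovered here).

```python
import socket
import struct

NATPMP_PORT = 5351          # gateway listens on UDP 5351 (RFC 6886)
OP_EXTERNAL_ADDRESS = 0
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESULT_TEXT = {
    0: "success",
    1: "unsupported version",
    2: "not authorized / refused",
    3: "network failure",
    4: "out of resources",
    5: "unsupported opcode",
}


class NatPmpError(Exception):
    pass


def build_external_address_request():
    """2-byte query: version 0, opcode 0."""
    return struct.pack("!BB", 0, OP_EXTERNAL_ADDRESS)


def build_map_request(proto, internal_port, external_port=0, lifetime=7200):
    """12-byte mapping request: version, opcode, 2 reserved bytes, internal
    port, suggested external port (0 = gateway chooses), lifetime in seconds
    (0 = delete the mapping). This is all an app needs to send to open a hole."""
    if proto not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("proto must be OP_MAP_UDP or OP_MAP_TCP")
    return struct.pack("!BBHHHI", 0, proto, 0, internal_port, external_port, lifetime)


def _check_header(data, expected_opcode):
    """Replies echo the request opcode with the high bit set and carry a result code."""
    version, opcode, result = struct.unpack("!BBH", data[:4])
    if version != 0:
        raise NatPmpError(f"unexpected version {version}")
    if opcode != 128 + expected_opcode:
        raise NatPmpError(f"unexpected opcode {opcode:#x}")
    if result != 0:
        raise NatPmpError(RESULT_TEXT.get(result, f"result code {result}"))


def parse_external_address_response(data):
    """12-byte reply: header, seconds since the gateway's epoch, public IPv4."""
    if len(data) != 12:
        raise NatPmpError(f"expected 12 bytes, got {len(data)}")
    _check_header(data, OP_EXTERNAL_ADDRESS)
    epoch, addr = struct.unpack("!I4s", data[4:])
    return {"epoch": epoch, "external_ip": socket.inet_ntoa(addr)}


def parse_map_response(data, proto):
    """16-byte reply: header, epoch, internal port, granted external port
    (may differ from the one suggested), granted lifetime."""
    if len(data) != 16:
        raise NatPmpError(f"expected 16 bytes, got {len(data)}")
    _check_header(data, proto)
    epoch, internal_port, external_port, lifetime = struct.unpack("!IHHI", data[4:])
    return {
        "epoch": epoch,
        "internal_port": internal_port,
        "external_port": external_port,
        "lifetime": lifetime,
    }


def request_mapping(gateway_ip, proto, internal_port, external_port=0,
                    lifetime=7200, timeout=2.0):
    """Send one mapping request to the gateway and parse its reply. Needs a
    real NAT-PMP gateway on the LAN, so it is not exercised offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_map_request(proto, internal_port, external_port, lifetime),
                 (gateway_ip, NATPMP_PORT))
        data, _ = s.recvfrom(64)
    return parse_map_response(data, proto)


# Constructed replies (not captured from a real base station):
# TCP 32787 -> 32787 granted for 3600 s, epoch 100000.
SAMPLE_MAP_REPLY = bytes.fromhex("00820000000186a08013801300000e10")
# Same request refused (result code 2).
SAMPLE_REFUSED_REPLY = bytes.fromhex("00820002000000008013000000000000")
# External-address reply reporting 203.0.113.5.
SAMPLE_EXTERNAL_REPLY = bytes.fromhex("00800000000186a0cb007105")

if __name__ == "__main__":
    print("request :", build_map_request(OP_MAP_TCP, 32787, 32787, 3600).hex())
    print("granted :", parse_map_response(SAMPLE_MAP_REPLY, OP_MAP_TCP))
    print("public  :", parse_external_address_response(SAMPLE_EXTERNAL_REPLY))
```

Two practical consequences follow from the message format. A mapping is granted to whatever LAN host sent the datagram, for as long as the requested lifetime, and clients are expected to renew it, so a torrent client that is closed without sending a lifetime-0 delete leaves the hole open until the gateway expires it; peers who learned the external port keep knocking on it, and once the local application is gone every knock lands on the Mac OS X firewall as a deny. And because the protocol has no authentication step, the only real control is the checkbox on the base station, which is exactly what the author ended up turning off.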