# Occasional attacks on Wireless AP



## SpriteMidr (Apr 30, 2016)

Random question:

Is it normal to get occasional attacks detected on a home access point's firewall?

I very occasionally see logs of potential DOS and XMAS attacks. I have seen these appear for well over a year or so. Our IP is dynamically set by the ISP anyway, so it cant be potential... is this normal activity, or something to worry about?


----------



## beers (Apr 30, 2016)

If it's just one packet then the NAT state likely expired or dropped for whatever reason.  A lot of those log TCP session states that aren't correlated with active sessions.


----------



## SpriteMidr (Apr 30, 2016)

beers said:


> If it's just one packet then the NAT state likely expired or dropped for whatever reason.  A lot of those log TCP session states that aren't correlated with active sessions.


I thought as much. I just wanted to make sure all the same. I am eventually gonna set an SSH server up to access from uni, so I wanted to make sure. It will use public/private key auth anyway, but still.

Cheers for the quick reply!


----------



## SpriteMidr (May 9, 2016)

Another related question I keep meaning to ask.

On Windows 10, I occasionally get some odd devices show up. They are often called full-ford (amazon) or Zeta (blackview). They have MAC addresses but no IP address. The router doesn't show them up and I cant access them or ping them. They show up on every Windows 10 machine I have, and I have no devices connected that are of this identification. Furthermore, I have changed the router SSID, password and added access control to a whitelist of machine MACs (not the odd ones), but they still show up...

This is really weird, and I cant find out much about it. I am guessing that it is just a Windows 10 "thing", as it never occurs on any other machine.

<edit>
Like, I just rebooted the router, and it disappeared. It is really weird. If there were an IP address I would be panicking but it seems to be a false thing being detected.

<edit again>

Like, now, I have full_ford by Amazon showing up instead.

Like, seriously, this is very odd.

<another edit>
It seems other people have the issue too. Turning WPS off seems to fix it, kicks them straight away. Seems to be something like other devices nearby looking for open APs or something, I don't know.

<final edit>
Actually, seems I still have the issue. I have tracked it down to something called WCN - Wireless Connect-Now (or wtte). It seems it is to do with peer-to-peer device discovery (like WiFi-Direct). Probably the neighbours devices being detected as existing.


----------



## Geoff (May 11, 2016)

SpriteMidr said:


> It seems other people have the issue too. Turning WPS off seems to fix it, kicks them straight away. Seems to be something like other devices nearby looking for open APs or something, I don't know.


WPS is awful and has lots of security vulnerabilities.  You should turn it off the instant you install a new wireless router/AP.


----------



## Agent Smith (May 29, 2016)

SpriteMidr said:


> Random question:
> 
> Is it normal to get occasional attacks detected on a home access point's firewall?
> 
> ...




What firewall is this? 

I looked up two of those IPs and if those are inbound I might be concerned.


----------



## SpriteMidr (May 29, 2016)

Just the bog standard router firewall.

It is my home connection.

Here are logs for the few days or so. I get them via email.

Any addresses blanked are my machines.






I don't run any web server or anything, it is just our home internet connection. I have DDNS set up for when I set a file server up to SSH into from uni using private/public key pairing. Have not yet set this up however.


----------

