
What Are These Access Attempts In My Router Log?

We are all under constant attack.

Any device sitting on the internet is subject to a constant stream of "internet background noise". It's why you really want to be behind a firewall.
Question: I went into my router to change my password from “admin”, and checked the log. There were a lot of “unrecognized access” from random IP addresses to a set of fairly random ports. Are these the pages I am reading on the internet, or random attempted hacks into my computer network?

You would be amazed at the amount of malicious network traffic on the internet.

At least one security guru has coined the term “internet background noise” for all this traffic.

What is it?

It’s the reason you must have a firewall.


TL;DR:

We are all under attack

Every internet-connected device is under a slow, persistent attack by malware on other (typically infected) machines. Your router is your best first line of defense, as it prevents outside connections from reaching your equipment. Keeping your computer as up-to-date as possible so as to patch the vulnerabilities those other machines are looking for is also key.

A constant attack

Those random addresses trying to connect to random ports on your router are likely attempted hacks into your computer or computer network.

Don’t take it personally. They’re not trying to get to you; they’re trying to get to anyone: anyone whose computer is not protected, not up to date, or has some kind of unpatched vulnerability.

Here’s what’s going on.

Malware on a network

Computers can be really dumb, but they make up for it by being really fast and/or really persistent.

Malware authors take advantage of that by writing malicious software that checks every possible IP address for a computer with known, unpatched vulnerabilities. If a vulnerability is found, the malware then infects that computer and moves on to the next.

Now, “every possible IP address” is a lot of IP addresses. It’s measured in the billions. And yes, checking each one is kind of a stupid way to go about it. But here’s where persistence pays off:

  • One computer starts scanning and eventually finds another that’s vulnerable, and infects it.
  • Now two computers are scanning, and each eventually finds another they can infect, and does so.
  • Now four computers are scanning . . .
  • Then eight . . .
  • Then 16 . . .

And so on. Now, it’s rarely that simple a progression, but it is a progression nonetheless. By being methodical, this malware copies itself to as many computers as it can find.

Since they’re scanning all possible IP addresses, eventually yours will be scanned.

Protection is easy

Your router is doing its job. It’s blocking all those incoming connections.

Even a cheap consumer-grade router protects you from all this noise. By only allowing outbound connections — connections your equipment makes to sites and services on the internet — it effectively blocks any attempts by malware “out there” to reach your machines.

It’s why I so strongly recommend using a router, even if you have only one device.

Naked on the internet

Any machine sitting “naked” on the internet — connected directly without a router — is subject to these constant attempts to exploit known vulnerabilities.

If that is your machine, and it has an unpatched vulnerability the malware is searching for, it’ll be infected and your computer will join the crowd.

On the other hand, as long as you’re as up-to-date as possible, you dramatically reduce the chances of being vulnerable.

Of course, our questioner is behind a router, and so is protected.

Router logs

Your router log is showing these attempts. Your router is acting as a firewall and preventing them from reaching a “real machine”.

Not all routers have logs to examine, so you’re in kind of a unique position to watch all this background noise if you so choose. (To check if your router has logging ability, and how to turn it on, check the documentation for your device.)

Most people never even know that this activity exists and that it’s constantly happening.
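
If your router does keep a log, a short script can show what the noise looks like in aggregate. The following is an added example, not part of the original article or any router vendor's tooling; the log layout, field names, and addresses are constructed for illustration, so adjust the pattern to whatever your router actually writes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in an assumed "key=value" layout; real router logs vary by vendor.
SAMPLE_LOG = """\
2021-07-15 03:12:01 DROP SRC=198.51.100.23 DST=203.0.113.7 PROTO=TCP DPT=23
2021-07-15 03:12:09 DROP SRC=192.0.2.77 DST=203.0.113.7 PROTO=TCP DPT=445
2021-07-15 03:12:10 ACCEPT SRC=192.168.1.20 DST=198.51.100.80 PROTO=TCP DPT=443
2021-07-15 03:13:44 DROP SRC=198.51.100.150 DST=203.0.113.7 PROTO=UDP DPT=1900
2021-07-15 03:14:02 DROP SRC=192.0.2.77 DST=203.0.113.7 PROTO=TCP DPT=3389
2021-07-15 03:14:03 DROP SRC=192.0.2.77 DST=203.0.113.7 PROTO=TCP DPT=22
2021-07-15 03:14:05 DROP SRC=192.0.2.77 DST=203.0.113.7 PROTO=TCP DPT=8080
router rebooted, log truncated
2021-07-15 03:15:30 DROP SRC=198.51.100.23 DST=203.0.113.7 PROTO=TCP DPT=23
"""

LINE = re.compile(r"^\S+ \S+ (?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) "
                  r"DST=\S+ PROTO=(?P<proto>\w+) DPT=(?P<port>\d+)$")

def summarize_blocked(log_text, sweep_ports=3):
    """Summarize blocked inbound attempts: who knocked, on which ports, how often."""
    hits = Counter()                 # blocked attempts per source address
    ports_by_src = defaultdict(set)  # distinct ports each source tried
    port_hits = Counter()            # which (protocol, port) pairs are probed most
    skipped = 0
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            skipped += 1             # unparseable line: count it, don't guess
            continue
        if m["action"] != "DROP":
            continue                 # allowed traffic is not part of the noise
        port = int(m["port"])
        hits[m["src"]] += 1
        ports_by_src[m["src"]].add(port)
        port_hits[(m["proto"], port)] += 1
    # A source trying several different ports is sweeping, not just passing by.
    sweepers = sorted(s for s, p in ports_by_src.items() if len(p) >= sweep_ports)
    return {
        "blocked": sum(hits.values()),
        "sources": len(hits),
        "top_ports": port_hits.most_common(3),
        "sweepers": sweepers,
        "skipped": skipped,
    }

if __name__ == "__main__":
    for key, value in summarize_blocked(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Many different sources each trying one or two ports is the ordinary background noise described above; a single source working through several ports, or hitting you hundreds of times, is the kind of thing worth passing along to your ISP's abuse address.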

Where? And why?

So where are all these vulnerability probes coming from? Infected machines. In fact, the owners of those machines probably have no idea that their machine is participating in this activity.

So why don’t those folks just clean, patch, and protect their machines?

Why indeed.

They should. But the sad fact is that there are a large number of folks who still do not adequately protect themselves. Much of this “internet background noise” is due to computers infected with viruses that are several years old, and for which patches have also been available for years.

In addition, there are many old machines running old software for which patches might not be available, or machines that are effectively unattended, just running and doing whatever it is they do without paying attention.

All these machines put the rest of us at risk.

So, yes, as I and others have been preaching almost daily, it’s critical to keep your machine up to date and get behind a firewall so as to avoid becoming one of those machines trying to infect everyone else…

… and to protect yourself from everyone who doesn’t.

Posted: July 15, 2021 in: Firewalls
This is an update to an article originally posted March 1, 2007
Shortlink: https://askleo.com/2949

Leo Who?

I'm Leo Notenboom and I've been playing with computers since I took a required programming class in 1976. I spent over 18 years as a software engineer at Microsoft, and "retired" in 2001. I started Ask Leo! in 2003 as a place to help you find answers and become more confident using all this amazing technology at our fingertips. More about Leo.

9 comments on “What Are These Access Attempts In My Router Log?”

  1. Hi Leo, I enjoy your newsletter. Especially the “to the point” answers and descriptions you give. My brain is getting quite old, but I do remember the Wireless tech telling me I don’t need all those firewalls because their equipment keeps changing, the IP address? I did check and I have a Nate. Thanks, js
  2. It depends on a lot of different things.

    If you are on dial-up you get a new IP each time. I used to believe that
    you didn’t need a firewall in that case, but have since changed my mind.

    MOST broadband connections also give you a new IP address occasionally,
    but it’s definitely not “changing all the time”. Firewall of some sort
    required.

    What he *may* have been referring to is that you may already be behind a
    net router which acts as a firewall. That’s how I run here at home. My
    router acts as my firewall for all my machines, and the machines
    themselves do NOT run any additional firewall software.

    But even if your IP changes, the random scans that I discuss in the
    article are still happening, and could quite easily hit your IP address.

    Leo
  3. Try opening your web browser and typing dslrouter in the address bar. If you’re with Verizon and you have the Westell router they usually supply, the default username is admin and the default password is password.

  4. I still use an older Wireless G router (Linksys WRT54GS v1.1 (8MB Flash/32MB RAM)) myself since my internet line is nothing quick, so that older Wireless G router is more than good enough (in Feb 2020 I replaced the cheap China made capacitors with Panasonic (Japan made) brand, so this router will be good for many years to come). That’s one thing I like about these older routers, they tend to be pretty reliable even though I suspect it would be outdated for many modern internet lines due to the 10MB/s transfer speed cap on the LAN ports (and wireless I am sure is definitely less than that).

    Plus, I update it from time-to-time with DD-WRT firmware to keep up with the latest security fixes. It’s running OpenSSL 1.1.1k and Dnsmasq 2.8.5 etc. I am currently running build r46640 from May 13th 2021 (dd-wrt.v24_mini_generic.bin) on the router as they have test builds released often as while these are not ‘stable’ releases, since they are released often, they are usually okay to use as they don’t really release any ‘stable’ versions anymore it seems. So a lot of the stuff you might see on the site, is probably using old/outdated builds. But this general part of the forums is where you can find topics and people start topics fairly often showing the latest test builds along with a link to the general firmware page… https://forum.dd-wrt.com/phpBB2/viewforum.php?f=1 ; but in regards to these older Wireless G routers, like Linksys WRT54* variations and the like, you basically need to go to https://dd-wrt.com/support/other-downloads/?path=betas%2F ; then click the year, which right now is ‘2021’, then from there go to the particular build you want to try, then ‘broadcom’ folder, and from there you can choose what particular one you want. But generally speaking… if your old router has only 2MB of flash you can ONLY use ‘dd-wrt.v24_micro_generic.bin’. If you got 4MB of Flash you can use the ‘micro’ if you want but ‘mini’ (i.e. dd-wrt.v24_mini_generic.bin) or ‘standard’ (i.e. dd-wrt.v24_std_generic.bin ) etc is probably what you want. ‘mega’ (dd-wrt.v24_mega_generic.bin) is the most feature filled version, which I can run since it requires 8MB of Flash storage on one’s router, but I don’t bother since in all honesty pretty much everything I need even the ‘micro’ version is passable as the common person would be ‘good enough’ even with the ‘micro’ build.

    WARNING: keep in mind if you’re not careful it’s possible to BRICK your router!!! ; brick = permanently kill your router if the flashing process fails etc (technically I can use what they call ‘JTAG’ to revive my WRT54GS v1.1 if I ever have a bad flash etc (assuming other methods to revive it fail, JTAG will always work if you have the proper files to fix it) but I currently don’t have the JTAG cable to do this so I am usually careful when upgrading and so far everything is good). This is why it’s best to stick to builds that people have tested to ensure they are ‘good enough’ to use. Also, there are ‘overclocking’ options (i.e. Administration > Management. then scroll down where it says ‘Overclocking’ (my router defaults to 216MHz, but many of these older routers will be 200MHz, I have used 240MHz on my WRT54GS v1.1 router before in the past but I had issues when upgrading firmware etc and thankfully I revived the router without having to use JTAG) but my advice is DO NOT touch this unless you know what you’re doing as I think it can potentially brick your router!!! ; but in all honesty, there is not really going to be much of a difference anyways on such an old router and leaving it at its default MHz is much safer for the reliability of your router anyways as when one’s router is at its default MHz, upgrading firmware is nice and reliable. In fact, I actually bricked an old Belkin router (2MB flash/8MB RAM) not all that long ago because I upgraded firmware when the router was in an overclocked state and it does not respond to pings etc so there was no way to fix that, so I tossed it in the garbage.

    For the record… if I would have held reset button for 30 seconds PRIOR TO the upgrade everything would have worked fine since it clears the router’s settings and restores it to its defaults which would have removed the overclock. But I did not really care all that much as I got that router for free many years ago and it’s the worst of the old routers I have anyways.

    But speaking of upgrading (which is typically done through “192.168.1.1” in your web browser ), I would say an optimal thing would be to, unplug router, wait a little, plug it back in, then hold reset button for 30 seconds, then flash it from the router’s page (assuming you’re already running DD-WRT) ‘Administration > Firmware Upgrade’). But once you load the correct firmware file and click ‘upgrade’, make SURE to wait a full 5 minutes to be safe and don’t interrupt the process! After that’s done then you hold the router’s reset button for another 30 seconds and once it comes back online you simply configure the router to your liking and you’re all set. DD-WRT is pretty secure in its default state already as stuff like UPNP etc is disabled by default (I suggest leaving it disabled for security reasons). But you need to make a username/password for signing into the router and adjust your router’s Wireless settings (done through ‘Wireless’ tab (which on ‘Basic Settings’ you can adjust your SSID name which is what your wireless devices see as the router they are connecting to) and on ‘Wireless Security’, security mode WPA2-PSK with CCMP-128 (AES) is generally what the average user will want to use and then just setup their password etc (use a different one than the one you use to sign into the router with!)). With that said… when I upgrade I typically just go to firmware upgrade page and upload the newer firmware, then after I wait the 5 minutes to be safe, I then just hold reset button for 30 seconds and then reconfigure everything to my liking and I am done.

    P.S. I turned on the built-in firewall in Linux Mint for good measure though even though I probably don’t need it because of the router. But it won’t hurt anything, so I figured it’s still a good idea as a ‘just in case’ sort of thing.
  5. A few years ago The University of Texas at Austin ran an experiment. They took a clean Windows system and put it on the internet (what is called a “Honeypot” computer) and recorded how long it took for the first hack penetration attempts to happen. The time? ELEVEN SECONDS!!! [By the way, this is way up from a similar test about five years before, when it took 45 seconds before someone (something) tried to infect them.]

  6. My router emails the router log when it fills. Today after 5 hours, 55 minutes the log contained 897 hits from an IP address that is listed as part of my ISP. Over 40 logs have been sent to their abuse address. According to their abuse web site, they say they want logs. I’ve also discovered that several of the people in tech support do not have a clue about what is going on. “DoS” is something most have never heard of. The solution is to “Change your modem. That may change your IP address and solve the issue.” Changing the modem does nothing. However, changing the MAC address of the router does. However, after getting a new IP address, it was hit before the router could assign an IP address to the computer.

    The ISP confirmed that with one IP hits were coming from a foreign government. Some of them were occurring in 1-5 second intervals. They were from all addresses in the 4th octet of the domain, 0-255.

    My email client files the logs in a folder for that router.

    I tried an experiment by putting a retired router between the modem and my existing router. i.e. Two routers are used. The inside router usually contains DHCP assignments, and time sync. However, there have been some “ACK Scan” from some external addresses for port 443. To the best of my knowledge the first router does not have any ports open. I am at a loss about these hits on the 2nd router.

    Anyway, I’ll probably keep the 2 router environment.

    I see similar logs from the router at my son and dad’s home.

    I’m slowly coming around to adjusting to the internet background noise.

  7. I have a new router, better than the one my ISP provides. I am a little confused getting it all set up properly. There is another old “extender” same brand as new router, and it appears to be connected to my Internet. Should this be removed? It is at least 10 years old and just somehow found a home to attach to my network OR my hackers made some changes.
