We are all under constant attack.

You would be amazed at the amount of malicious network traffic on the internet.
At least one security guru has coined the term “internet background noise” for all this traffic.
What is it?
It’s the reason you must have a firewall.

We are all under attack
Every internet-connected device is under a slow, persistent attack by malware running on other (typically infected) machines. Your router is your best first line of defense, because it prevents unsolicited outside connections from reaching your equipment. Keeping your computer as up to date as possible, so that the vulnerabilities those other machines are probing for are already patched, is also key.
A constant attack
Those random addresses trying to connect to random ports on your router are almost certainly automated attempts to break into your computer or network.
Don’t take it personally. They’re not trying to get to you; they’re trying to get to anyone: anyone whose computer is not protected, not up to date, or has some kind of unpatched vulnerability.
Here’s what’s going on.
Malware on a network
Computers can be really dumb, but they make up for it by being really fast and/or really persistent.
Malware authors take advantage of that by writing malicious software that checks every possible IP address for a computer with known, unpatched vulnerabilities. If a vulnerability is found, the malware then infects that computer and moves on to the next.
Now, “every possible IP address” is a lot of IP addresses: the IPv4 space alone holds roughly four billion of them. And yes, checking each one is a stupid way to go about it. But here’s where persistence pays off:
- One computer starts scanning and eventually finds another thatâs vulnerable, and infects it.
- Now two computers are scanning, and each eventually finds another they can infect, and does so.
- Now four computers are scanning . . .
- Then eight . . .
- Then 16 . . .
And so on. It’s rarely that simple a progression, but it is a progression nonetheless. By being methodical, this malware copies itself to as many computers as it can find.
Since they’re scanning all possible IP addresses, eventually yours will be scanned.
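To make that progression concrete, here is a small simulation (an added example, not part of the original article) of a random-scanning worm on a toy address space of 65,536 addresses instead of the real four billion, with a hypothetical number of vulnerable hosts. It shows the slow start while one host scans alone, the doubling the list above describes, and the saturation once most vulnerable hosts are taken. The address-space size, the vulnerable-host count, and the probes-per-round figure are assumptions chosen so the run finishes in about a second.

```python
import random


def simulate_scanning_worm(address_space=2**16, vulnerable=100,
                           probes_per_host=500, max_rounds=500, seed=1):
    """Simulate a worm that spreads by probing random addresses.

    Toy parameters (assumptions, not measurements): 2^16 addresses instead of
    the ~2^32 in IPv4, `vulnerable` hosts carrying the unpatched flaw, and
    every infected host sending `probes_per_host` random probes per round.
    Returns the number of infected hosts after each round; index 0 is the
    single patient-zero host before any scanning has happened.
    """
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    vulnerable_hosts = set(rng.sample(range(address_space), vulnerable))
    infected = {min(vulnerable_hosts)}  # patient zero: one already-infected host
    history = [len(infected)]

    for _ in range(max_rounds):
        newly_infected = set()
        for _host in infected:
            for _ in range(probes_per_host):
                target = rng.randrange(address_space)
                # A probe only matters if it lands on a vulnerable host that
                # is not already infected; everything else is dropped noise.
                if target in vulnerable_hosts and target not in infected:
                    newly_infected.add(target)
        infected |= newly_infected
        history.append(len(infected))
        if len(infected) == vulnerable:
            break  # every vulnerable host has been found
    return history


def rounds_to_reach(history, fraction):
    """First round index at which at least `fraction` of the final infected
    population has been reached; shows where the curve spends its time."""
    target = fraction * history[-1]
    for i, count in enumerate(history):
        if count >= target:
            return i
    return None


if __name__ == "__main__":
    hist = simulate_scanning_worm()
    for round_no, count in enumerate(hist):
        print(f"round {round_no:3d}: {count:4d} infected")
    print("half of the population infected by round", rounds_to_reach(hist, 0.5))
```

With these numbers the first host usually needs several rounds to find anything, then the count roughly doubles each round until most vulnerable hosts are taken, and the closing rounds are spent hunting the last few. Raising `vulnerable` (more unpatched machines on the network) shortens every phase, which is the article’s point about why other people’s patching matters to you.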
Protection is easy
Your router is doing its job. It’s blocking all those incoming connections.
Even a cheap consumer-grade router protects you from all this noise. Because it only allows outbound connections (connections your equipment initiates to sites and services on the internet) and the replies to them, it effectively blocks any attempt by malware “out there” to reach your machines. That protection assumes you haven’t forwarded ports, put a machine in the router’s DMZ, enabled remote administration, or left UPnP on so that software inside can open ports for itself; each of those deliberately lets inbound traffic through.
It’s why I so strongly recommend using a router, even if you have only one device.
Naked on the internet
Any machine sitting “naked” on the internet (connected directly, without a router) is subject to these constant attempts to exploit known vulnerabilities.
If that is your machine, and it has an unpatched vulnerability the malware is searching for, it’ll be infected, and your computer will join the crowd.
On the other hand, as long as you’re as up to date as possible, you dramatically reduce the chances of being vulnerable.
Of course, our questioner is behind a router, and so is protected.
Router logs
Your router log is showing these attempts. Your router is acting as a firewall and preventing them from reaching a “real machine”.
Not all routers keep logs you can examine, so you’re in a somewhat unique position to watch all this background noise if you choose to. (To check whether your router can log, and how to turn logging on, consult the documentation for your device.)
Most people never even know this activity exists, let alone that it’s happening constantly.
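As an added example (not from the original article or from any router vendor), here is a small Python script that reads router log lines of the kind the question describes, groups the dropped probes by source, and separates ordinary background noise from the two patterns worth a second look: one source walking through several of your ports, and several neighbouring sources hitting the same port. The sample lines are constructed for this example, loosely modelled on the “[DoS Attack: …]” style some consumer routers use, with addresses from the documentation ranges; the line format, the thresholds, and the labels are assumptions. Keep in mind that every line records a packet the router dropped: a label like “ACK Scan” is the firewall’s guess at intent, not proof of it, and none of these entries means anything got through.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines for this example, loosely modelled on the
# "[DoS Attack: ...]" format some consumer routers write. Not a real log.
SAMPLE_LOG = """\
[DoS Attack: ACK Scan] from source: 203.0.113.5, port 443, Tuesday, May 11, 2021 10:21:13
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.77, port 23, Tuesday, May 11, 2021 10:21:20
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.77, port 2323, Tuesday, May 11, 2021 10:21:21
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.77, port 22, Tuesday, May 11, 2021 10:21:22
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.77, port 445, Tuesday, May 11, 2021 10:21:24
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.77, port 3389, Tuesday, May 11, 2021 10:21:25
[DoS Attack: RST Scan] from source: 192.0.2.200, port 445, Tuesday, May 11, 2021 10:24:09
[DoS Attack: RST Scan] from source: 192.0.2.201, port 445, Tuesday, May 11, 2021 10:24:11
[DoS Attack: RST Scan] from source: 192.0.2.202, port 445, Tuesday, May 11, 2021 10:24:13
[Admin login] from source 192.168.1.10, Tuesday, May 11, 2021 10:30:00
[DoS Attack: ACK Scan] from source: 203.0.113.5, port 443, Tuesday, May 11, 2021 11:02:40
"""

# One regex for the assumed probe-line format; anything else is skipped, not fatal.
LINE_RE = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+), "
    r"port (?P<port>\d+), (?P<when>.+)$"
)
TIME_FMT = "%A, %B %d, %Y %H:%M:%S"


def parse_log(text):
    """Return a list of (timestamp, kind, source_ip, port) for every probe line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # admin logins, DHCP chatter, etc. are not probes
        when = datetime.strptime(m["when"], TIME_FMT)
        events.append((when, m["kind"], m["src"], int(m["port"])))
    return events


def summarize_by_source(events):
    """Per source: hit count, distinct ports, labels seen, first and last time."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "kinds": set(),
                                   "first": None, "last": None})
    for when, kind, src, port in events:
        s = per_src[src]
        s["hits"] += 1
        s["ports"].add(port)
        s["kinds"].add(kind)
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
    return dict(per_src)


def classify(events, vertical_min_ports=4, sweep_min_sources=3):
    """Separate background noise from the two patterns worth a second look.

    'vertical scan': one source probing several different ports on us.
    'sweep':         several sources in one /24 hitting the same port, the
                     signature of something walking address space.
    'noise':         anything else; a few dropped hits from one address.
    The thresholds are assumptions for the example; tune them to your log volume.
    """
    per_src = summarize_by_source(events)
    findings = {}
    for src, s in per_src.items():
        if len(s["ports"]) >= vertical_min_ports:
            findings[src] = "vertical scan"
    by_block_port = defaultdict(set)
    for _, _, src, port in events:
        block = ipaddress.ip_network(f"{src}/24", strict=False)
        by_block_port[(str(block), port)].add(src)
    sweeps = {f"{block} -> port {port}": sorted(srcs)
              for (block, port), srcs in by_block_port.items()
              if len(srcs) >= sweep_min_sources}
    for src in per_src:
        findings.setdefault(src, "noise")
    return findings, sweeps


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, s in summarize_by_source(evts).items():
        print(f"{src:16} hits={s['hits']:3} ports={sorted(s['ports'])} "
              f"window={s['first']:%H:%M}-{s['last']:%H:%M} labels={sorted(s['kinds'])}")
    found, sweeps = classify(evts)
    print(found)
    print(sweeps)
```

On the constructed sample, 198.51.100.77 is flagged as a vertical scan (five ports in a few seconds), the three 192.0.2.x addresses show up as a sweep of port 445 across one /24, and the two hits from 203.0.113.5 are plain noise. Even the flagged entries are dropped packets; the classification is there to decide what is worth forwarding to an abuse contact, not to declare an incident.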
Where? And why?
So where are all these vulnerability probes coming from? Infected machines. In fact, the owners of those machines probably have no idea that their machine is participating in this activity.
So why donât those folks just clean, patch, and protect their machines?
Why indeed.
They should. But the sad fact is that a large number of people still do not adequately protect themselves. Much of this “internet background noise” comes from computers infected with viruses that are several years old, for which patches have also been available for years.
In addition, there are many old machines running old software for which patches might not be available, and machines that are effectively unattended, just running and doing whatever it is they do with nobody paying attention.
All these machines put the rest of us at risk.
So, yes, as I and others have been preaching almost daily, it’s critical to keep your machine up to date and get behind a firewall, both to avoid becoming one of those machines trying to infect everyone else…
… and to protect yourself from everyone who doesn’t.
Hi Leo, I enjoy your newsletter. Especially the “to the point” answers and descriptions you give. My brain is getting quite old, but I do remember the wireless tech telling me I don’t need all those firewalls because their equipment keeps changing the IP address? I did check and I have a NAT. Thanks, js
It depends on a lot of different things.
If you are on dial-up you get a new IP each time. I used to believe that you didn’t need a firewall in that case, but have since changed my mind.
MOST broadband connections also give you a new IP address occasionally, but it’s definitely not “changing all the time”. Firewall of some sort required.
What he *may* have been referring to is that you may already be behind a net router which acts as a firewall. That’s how I run here at home. My router acts as my firewall for all my machines, and the machines themselves do NOT run any additional firewall software.
But even if your IP changes, the random scans that I discuss in the article are still happening, and could quite easily hit your IP address.
Leo
Try opening your web browser and typing dslrouter in the address bar. If you’re with Verizon and you have the Westell router they usually supply, the default username is admin and the default password is password.
I still use an older Wireless G router (Linksys WRT54GS v1.1 (8MB Flash/32MB RAM)) myself since my internet line is nothing quick, so that older Wireless G router is more than good enough (in Feb 2020 I replaced the cheap China-made capacitors with Panasonic (Japan-made) brand, so this router will be good for many years to come). That’s one thing I like about these older routers: they tend to be pretty reliable, even though I suspect it would be outdated for many modern internet lines due to the 10MB/s transfer speed cap on the LAN ports (and wireless I am sure is definitely less than that).
Plus, I update it from time to time with DD-WRT firmware to keep up with the latest security fixes. It’s running OpenSSL 1.1.1k and Dnsmasq 2.8.5 etc. I am currently running build r46640 from May 13th 2021 (dd-wrt.v24_mini_generic.bin) on the router, as they have test builds released often; while these are not “stable” releases, since they are released often they are usually okay to use, as they don’t really release any “stable” versions anymore it seems. So a lot of the stuff you might see on the site is probably using old/outdated builds. But this general part of the forums is where you can find topics, and people start topics fairly often showing the latest test builds along with a link to the general firmware page… https://forum.dd-wrt.com/phpBB2/viewforum.php?f=1 ; but in regards to these older Wireless G routers, like Linksys WRT54* variations and the like, you basically need to go to https://dd-wrt.com/support/other-downloads/?path=betas%2F ; then click the year, which right now is “2021”, then from there go to the particular build you want to try, then the “broadcom” folder, and from there you can choose which particular one you want. But generally speaking… if your old router has only 2MB of flash you can ONLY use “dd-wrt.v24_micro_generic.bin”. If you’ve got 4MB of flash you can use the “micro” if you want, but “mini” (i.e. dd-wrt.v24_mini_generic.bin) or “standard” (i.e. dd-wrt.v24_std_generic.bin) etc. is probably what you want. “mega” (dd-wrt.v24_mega_generic.bin) is the most feature-filled version, which I can run since it requires 8MB of flash storage on one’s router, but I don’t bother since in all honesty pretty much everything I need even the “micro” version is passable, as for the common person it would be “good enough” even with the “micro” build.
WARNING: keep in mind if you’re not careful it’s possible to BRICK your router!!! ; brick = permanently kill your router if the flashing process fails etc. (technically I can use what they call “JTAG” to revive my WRT54GS v1.1 if I ever have a bad flash etc. (assuming other methods to revive it fail, JTAG will always work if you have the proper files to fix it), but I currently don’t have the JTAG cable to do this, so I am usually careful when upgrading and so far everything is good). This is why it’s best to stick to builds that people have tested to ensure they are “good enough” to use. Also, there are “overclocking” options (i.e. Administration > Management, then scroll down to where it says “Overclocking” (my router defaults to 216MHz, but many of these older routers will be 200MHz; I have used 240MHz on my WRT54GS v1.1 router before in the past, but I had issues when upgrading firmware etc. and thankfully I revived the router without having to use JTAG)), but my advice is DO NOT touch this unless you know what you’re doing, as I think it can potentially brick your router!!! ; but in all honesty, there is not really going to be much of a difference anyway on such an old router, and leaving it at its default MHz is much safer for the reliability of your router anyway, as when one’s router is at its default MHz, upgrading firmware is nice and reliable. In fact, I actually bricked an old Belkin router (2MB flash/8MB RAM) not all that long ago because I upgraded firmware when the router was in an overclocked state, and it does not respond to pings etc., so there was no way to fix that, so I tossed it in the garbage.
For the record… if I had held the reset button for 30 seconds PRIOR TO the upgrade everything would have worked fine, since it clears the router’s settings and restores it to its defaults, which would have removed the overclock. But I did not really care all that much, as I got that router for free many years ago and it’s the worst of the old routers I have anyway.
But speaking of upgrading (which is typically done through “192.168.1.1” in your web browser), I would say the optimal thing would be to unplug the router, wait a little, plug it back in, then hold the reset button for 30 seconds, then flash it from the router’s page (assuming you’re already running DD-WRT: “Administration > Firmware Upgrade”). But once you load the correct firmware file and click “upgrade”, make SURE to wait a full 5 minutes to be safe and don’t interrupt the process! After that’s done, you hold the router’s reset button for another 30 seconds, and once it comes back online you simply configure the router to your liking and you’re all set. DD-WRT is pretty secure in its default state already, as stuff like UPnP etc. is disabled by default (I suggest leaving it disabled for security reasons). But you need to make a username/password for signing into the router and adjust your router’s wireless settings (done through the “Wireless” tab; on “Basic Settings” you can adjust your SSID name, which is what your wireless devices see as the router they are connecting to, and on “Wireless Security”, security mode WPA2-PSK with CCMP-128 (AES) is generally what the average user will want to use, and then just set up their password etc. (use a different one than the one you use to sign into the router with!)). With that said… when I upgrade I typically just go to the firmware upgrade page and upload the newer firmware, then after I wait the 5 minutes to be safe, I then just hold the reset button for 30 seconds and then reconfigure everything to my liking and I am done.
P.S. I turned on the built-in firewall in Linux Mint for good measure, even though I probably don’t need it because of the router. But it won’t hurt anything, so I figured it’s still a good idea as a “just in case” sort of thing.
A few years ago The University of Texas at Austin ran an experiment. They took a clean Windows system and put it on the internet (what is called a “honeypot” computer) and recorded how long it took for the first hack penetration attempts to happen. The time? ELEVEN SECONDS!!! [By the way, this is way up from a similar test about five years before, when it took 45 seconds before someone (something) tried to infect them.]
Yep. I recall that test. I don’t recall it being seconds, but it was definitely frighteningly fast.
My router emails the router log when it fills. Today, after 5 hours, 55 minutes, the log contained 897 hits from an IP address that is listed as part of my ISP. Over 40 logs have been sent to their abuse address. According to their abuse web site, they say they want logs. I’ve also discovered that several of the people in tech support do not have a clue about what is going on. “DoS” is something most have never heard of. The solution is to “Change your modem. That may change your IP address and solve the issue.” Changing the modem does nothing. However, changing the MAC address of the router does. However, after getting a new IP address, it was hit before the router could assign an IP address to the computer.
The ISP confirmed that with one IP hits were coming from a foreign government. Some of them were occurring at 1-5 second intervals. They were from all addresses in the 4th octet of the domain, 0-255.
My email client files the logs in a folder for that router.
I tried an experiment by putting a retired router between the modem and my existing router, i.e. two routers are used. The inside router usually contains DHCP assignments and time sync. However, there have been some “ACK Scan” entries from some external addresses for port 443. To the best of my knowledge the first router does not have any ports open. I am at a loss about these hits on the 2nd router.
Anyway, I’ll probably keep the 2-router environment.
I see similar logs from the router at my son and dad’s home.
I’m slowly coming around to adjusting to the internet background noise.
I have a new router, better than the one my ISP provides. I am a little confused getting it all set up properly. There is another old “extender”, same brand as the new router, and it appears to be connected to my internet. Should this be removed? It is at least 10 years old and just somehow found a home to attach to my network, OR my hackers made some changes.
Unfortunately it’s impossible for me to say without model numbers and the actual connection specifics.