Unusual Probing on Forwarded Port

[curtisw493 0]

I have been experimenting with port forwarding. All traffic that I am generating is beginning and ending within my own LAN environment, but one side transits the internet via AIRVPN and forwarded ports.

IE. I have a process running on a computer inside my LAN that connects to an AIRVPN server on one of my  reserved ports and is forwarded to another of my computers on a separate LAN. Well and good. Works fine.

 

However I almost immediately noticed that a connection was being attempted from IP address 221.220.155.170. That is to say a process at the address was probing the AIRVPN server on my reserved port, and that connection request was being forwarded to my LAN computer via the tunnel.

 

I tried whois and initially got nothing. Attempted to connect to them using telnet. I got a garbled response over https that looked sort of bulletinboardish. Nothing on port 80.

 

I reran whois today and found that the ip address belongs to Asia Pacfic Network Information Center. Any idea who they are and why they would be interfering with my testing?  I have other forwarded ports reserved which do not show similar activity.

 

Net Range 221.0.0.0 - 221.255.255.255 CIDR 221.0.0.0/8 Name APNIC7 Handle NET-221-0-0-0-1 Parent   Net Type Allocated to APNIC Origin AS   Organization Asia Pacific Network Information Centre (APNIC) Registration Date   Last Updated 2010-07-30 Comments This IP address range is not registered in the ARIN database.
For details, refer to the APNIC Whois Database via
WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
** IMPORTANT NOTE: APNIC is the Regional Internet Registry
for the Asia Pacific region. APNIC does not operate networks
using this IP address range and is not able to investigate
spam or abuse reports relating to these addresses. For more
help, refer to http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming RESTful Link http://whois.arin.net/rest/net/NET-221-0-0-0-1 See Also Related organization's POC records. See Also Resource links. See Also Related delegations.

 

[curtisw493 0]

reran all this again today and within five minutes i was being scanned by the same ip address and one additional ip address. scanned is too strong a description. afaik they were only trying to connect on only one port.

 

i googled this asia pacific network information center today and see all kinds of complaints.

[InactiveUser 185]

With a fast internet connection and tools like Masscan, it only takes anywhere from a few minutes to a few hours to scan the entire internet for open ports.

This means that you can expect every port that's open to the internet to see some unexpected traffic rather sooner than later. That, in itself, is nothing to worry about unless you're running vulnerable services or weak authentication.
You might have picked a port especially interesting to some scanners, which may explain why you haven't seen such activity on your other ports (yet).

The connection attempt you saw is not related to APNIC, they are just the registry for that block of IPs.
Here's the actual whois info for your IP:

netname: UNICOM-BJ
descr: China Unicom Beijing province network

Some trivia: Besides the private bulletin board on port 443 (~ 20.000 registered users), the Linux server at IP 221.220.155.170 runs a number of other services: SSH, FTP, VNC, Telnet, and a Synology web interface. Looks like someone's personal server to me, or perhaps a server shared by a number of people. The FTP server greets you with a somewhat amusing message:
220 PLS DISCONNECT IF U HAVE NO IDEA WHERE U R AT!