Jump to content
Not connected, Your IP: 3.142.172.250
curtisw493

Unusual Probing on Forwarded Port

Recommended Posts

I have been experimenting with port forwarding. All traffic that I am generating is beginning and ending within my own LAN environment, but one side transits the internet via AIRVPN and forwarded ports.

IE. I have a process running on a computer inside my LAN that connects to an AIRVPN server on one of my  reserved ports and is forwarded to another of my computers on a separate LAN. Well and good. Works fine.

 

However I almost immediately noticed that a connection was being attempted from IP address 221.220.155.170. That is to say a process at the address was probing the AIRVPN server on my reserved port, and that connection request was being forwarded to my LAN computer via the tunnel.

 

I tried whois and initially got nothing. Attempted to connect to them using telnet. I got a garbled response over https that looked sort of bulletinboardish. Nothing on port 80.

 

I reran whois today and found that the ip address belongs to Asia Pacfic Network Information Center. Any idea who they are and why they would be interfering with my testing?  I have other forwarded ports reserved which do not show similar activity.

 

Net Range 221.0.0.0 - 221.255.255.255 CIDR 221.0.0.0/8 Name APNIC7 Handle NET-221-0-0-0-1 Parent   Net Type Allocated to APNIC Origin AS   Organization Asia Pacific Network Information Centre (APNIC) Registration Date   Last Updated 2010-07-30 Comments This IP address range is not registered in the ARIN database.
For details, refer to the APNIC Whois Database via
WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
** IMPORTANT NOTE: APNIC is the Regional Internet Registry
for the Asia Pacific region. APNIC does not operate networks
using this IP address range and is not able to investigate
spam or abuse reports relating to these addresses. For more
help, refer to http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming RESTful Link http://whois.arin.net/rest/net/NET-221-0-0-0-1 See Also Related organization's POC records. See Also Resource links. See Also Related delegations.

 

Share this post


Link to post

reran all this again today and within five minutes i was being scanned by the same ip address and one additional ip address. scanned is too strong a description. afaik they were only trying to connect on only one port.

 

i googled this asia pacific network information center today and see all kinds of complaints.

Share this post


Link to post

With a fast internet connection and tools like Masscan, it only takes anywhere from a few minutes to a few hours to scan the entire internet for open ports.

This means that you can expect every port that's open to the internet to see some unexpected traffic rather sooner than later. That, in itself, is nothing to worry about unless you're running vulnerable services or weak authentication.
You might have picked a port especially interesting to some scanners, which may explain why you haven't seen such activity on your other ports (yet).

The connection attempt you saw is not related to APNIC, they are just the registry for that block of IPs.
Here's the actual whois info for your IP:

netname: UNICOM-BJ
descr: China Unicom Beijing province network

Some trivia: Besides the private bulletin board on port 443 (~ 20.000 registered users), the Linux server at IP 221.220.155.170 runs a number of other services: SSH, FTP, VNC, Telnet, and a Synology web interface. Looks like someone's personal server to me, or perhaps a server shared by a number of people. The FTP server greets you with a somewhat amusing message:
220 PLS DISCONNECT IF U HAVE NO IDEA WHERE U R AT!
 


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...