Mysterious connection activity

Under Status > Realtime Graphs > Connections, I see a bunch of connections from hosts on my LAN to various hosts on the Internet. All good.

But I also see several dozen connections like this, that seem to involve my ISP:

What are these? How can the source IP be somewhere else?

My setup: OpenWrt Attitude Adjustment 12.09 / LuCI 0.11.1 Release (0.11.1) on a NETGEAR WNDR3800.

There is no excuse to run 12.09 (which has been EOL for almost a decade) on a Netgear WNDR3800 (680 MHz AR7161 (ath79), 16/128), which can easily run the currently supported version (21.02.x/ 22.03~).

5 Likes

The instructions to upgrade put me asleep.

How about my questions? :wink:

It is a reasonable assumption that those connections are malicious and are utilizing the numerous significant vulnerabilities in your router. The only way to fix this is to upgrade. Attitude Adjustment (12.09) is very old (10 years), and it is completely unsupported (and has been for many years, too). You need to upgrade, or deal with the consequences of using a highly vulnerable router firmware.

7 Likes

We will wait here while you wake up.

2 Likes

This is most likely your router connecting to the ISP DNS server.
However I fully agree with @psherman and @slh that you should upgrade.

2 Likes

Port 53 looks like DNS requests indeed, but I second the advice given by others: you are a vulnerability on the internet with 12.09. Not just to yourself, but also to others since by now you might be part of a botnet.

If you're worried about security and exposure - and you wouldn't be opening this topic if you weren't - you really should update your firmware.

1 Like

The easiest and fastest way to check for bots is a power-off of 30 seconds and a reboot, and they are gone.

But if there are bots that have nested themselves in that device because of a known exploit, they will come back within minutes, since they just assume you got afraid and flushed their pals with a power cycle, and they will wait a couple of minutes before returning so you calm down.

1 Like

That DNS traffic you see is likely the LuCI page itself doing reverse lookups for all shown IPs. It should level off after at most 15-30s when all (most) PTR records are cached.

1 Like

Hah! Okay, I've upgraded to OpenWrt 21.02.3 and manually ported all my settings.

I'm still seeing the same mysterious connections, e.g.:

So, if these are indeed DNS lookups, and I don't click on Enable DNS Lookups, should I expect to see them all disappear after a while?

I guess I'm unclear on how the Source can be an address that's not on my LAN.

So, if these are indeed DNS lookups, and I don't click on Enable DNS Lookups, should I expect to see them all disappear after a while?

Yes.

I guess I'm unclear on how the Source can be an address that's not on my LAN.

I would guess the source is your current WAN IP (dnsmasq initiates a connection from your router's WAN towards your ISP DNS server, after all). The DNS queries triggered by LuCI are not coming from the LAN because they're initiated from OpenWrt itself.

1 Like
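The explanation above can be checked directly on the router: the connection table that the LuCI page renders comes from conntrack, and the first src=/dst=/dport= group on each entry is the direction in which the connection was opened. The script below is an added example, not code from the thread or from OpenWrt; it splits entries into DNS opened by the router itself (source is the WAN address), DNS opened by LAN hosts, and everything else. It assumes OpenWrt's /lib/functions/network.sh with its network_get_ipaddr helper is present on the router; anywhere else it falls back to the constructed sample, in which 203.0.113.45 stands in for the WAN IP, 198.51.100.1 and .2 for the ISP's DNS 1 and DNS 2, and 192.168.1.0/24 for the LAN.

```shell
#!/bin/sh
# Added example: classify /proc/net/nf_conntrack entries by who opened them,
# to confirm that port-53 flows whose Source is the WAN address are the
# router's own DNS traffic and not LAN hosts. Not part of the original thread.
#
# Assumption: on OpenWrt, /lib/functions/network.sh provides network_get_ipaddr.
# Off the router, the constructed sample below is used (documentation-range
# addresses only, nothing captured from a real network).

SAMPLE_CONNTRACK='ipv4     2 udp      17 28 src=203.0.113.45 dst=198.51.100.1 sport=45678 dport=53 packets=1 bytes=60 src=198.51.100.1 dst=203.0.113.45 sport=53 dport=45678 packets=1 bytes=120 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=203.0.113.45 dst=198.51.100.2 sport=51234 dport=53 packets=1 bytes=60 src=198.51.100.2 dst=203.0.113.45 sport=53 dport=51234 packets=1 bytes=120 mark=0 zone=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=192.168.1.20 dst=93.184.216.34 sport=50000 dport=443 packets=10 bytes=2000 src=93.184.216.34 dst=203.0.113.45 sport=443 dport=50000 packets=12 bytes=9000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=192.168.1.20 dst=192.168.1.1 sport=40000 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=40000 packets=1 bytes=120 mark=0 zone=0 use=2'

# classify_conntrack WAN_IP   (conntrack lines on stdin)
# Only the first src=/dport= pair per line is read: that is the original
# direction, i.e. the side that opened the connection. The later reply-direction
# fields are ignored. Prints: router-dns=N lan-dns=N other=N
classify_conntrack() {
  awk -v wan="$1" '
    {
      src = ""; dport = ""
      for (i = 1; i <= NF; i++) {
        if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
        if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
      }
      if (dport == "53") {
        if (src == wan) router_dns++; else lan_dns++
      } else {
        other++
      }
    }
    END { printf "router-dns=%d lan-dns=%d other=%d\n", router_dns + 0, lan_dns + 0, other + 0 }'
}

# list_router_dns WAN_IP   (conntrack lines on stdin)
# Prints "proto src -> dst:port" for each DNS connection the router opened,
# so the destinations can be compared with the ISP's DNS 1 / DNS 2.
list_router_dns() {
  awk -v wan="$1" '
    {
      src = ""; dst = ""; dport = ""
      for (i = 1; i <= NF; i++) {
        if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
        if (dst == "" && $i ~ /^dst=/)     dst = substr($i, 5)
        if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
      }
      if (src == wan && dport == "53") print $3, src, "->", dst ":" dport
    }'
}

if [ -r /lib/functions/network.sh ] && [ -r /proc/net/nf_conntrack ]; then
  . /lib/functions/network.sh
  network_get_ipaddr wan_ip wan          # IPv4 address of the "wan" logical interface
  classify_conntrack "$wan_ip" < /proc/net/nf_conntrack
  list_router_dns "$wan_ip" < /proc/net/nf_conntrack
else
  printf '%s\n' "$SAMPLE_CONNTRACK" | classify_conntrack 203.0.113.45
  printf '%s\n' "$SAMPLE_CONNTRACK" | list_router_dns 203.0.113.45
fi
```

On the sample this reports router-dns=2 lan-dns=1 other=1. Note that the router-dns bucket cannot tell LuCI's reverse lookups apart from dnsmasq forwarding LAN clients' queries upstream: both leave the router from the WAN address, which is why some port-53 entries remain even with "Enable DNS Lookups" left off. To see the queried names themselves you need to look at packet contents, for example with the tcpdump package on the router, as the later replies in the thread suggest.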

I checked and it's just as you say. The source address is the WAN IP of the router, as assigned by the ISP, and the destination addresses are always port 53 on DNS 1 and DNS 2.

After 8 hours, I checked again without enabling DNS lookup on the connection activity page. I still see a fair number of DNS requests being sent.

Is there some way to see the details of these requests?

Install ntopng and check with that.

Great tool

You can try Wireshark and check those DNS queries. The mysterious connections are connecting to port 53; port 53 is used for DNS traffic, and DNS traffic is unencrypted, so you can check it with Wireshark, since port 53 is plain-text DNS.