LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-01-2012, 12:20 AM   #1
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, MX 18
Internet Security/Spoofing


Hi
Before I open a terminal and start putting in commands I just wanted to talk to someone about this spoofing that I think I have going on.

Each time my firewall is attacked it's been a different port, but it always begins with the number 4 and the source is either 91. or 199. The length has been 1500.
The protocol has always been Transmission Control Protocol.

Could this TCP be my laptop trying to connect to my desktop pc down the hall?

If this indeed is spoofing, how would I verify the authenticity of the datagrams?

Last edited by Ztcoracat; 02-01-2012 at 12:25 AM. Reason: Additional information
 
Old 02-01-2012, 12:58 AM   #2
kasl33
Member
 
Registered: Oct 2004
Location: USA
Distribution: Ubuntu-Server, Mac OS X, Arch Linux
Install Wireshark and start capturing packets. You can see the MAC address, ports, data, protocol, and everything else about the packets hitting your computer.
 
Old 02-02-2012, 09:38 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Quote:
Before I open a terminal and start putting in commands I just wanted to talk to someone about this spoofing that I think I have going on. ... Each time my firewall is attacked
Please elaborate. What do you mean by spoofing and how do you know it is an attack? Do you have log or other information that you could share? At LQ-Security, we deal with facts, not supposition and guesswork. Please provide data and we will gladly help you analyze it to determine what is happening and help you figure out what to do about it.
 
Old 02-02-2012, 06:45 PM   #4
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, MX 18
Original Poster
Ports Source and etc.

Port number 43737 Source 91.189.94.12 Protocol TCP First hit Length 1500

Port number 45057 Source 199.7.48.231 Protocol TCP Second hit Length 1500

I haven't been hit yet today, but I have only been online for 30 minutes. It's now 8:05 p.m. and I just got hit 3 more times.

Feb.2 20:00:37 wlano Port 32866 Source 72.14.204.102 Length 1470
Feb.2 20:00:45 wlano Port 32870 Source 72.14.204.102 Length 916
Feb.2 20:00:54 wlano Port 32866 Source 72.14.204.102 Length 1470

The service for these 3 is Sun-RPC portmap.
The address is 1600 Amphitheatre Parkway
San Jose, CA
Google Headquarters

What should I do?

Last edited by Ztcoracat; 02-02-2012 at 08:02 PM. Reason: Type what Firestarter says
 
Old 02-02-2012, 08:55 PM   #5
shadowbox12
Member
 
Registered: Mar 2010
You mentioned these are firewall logs. I'm assuming you mean from your gateway firewall and not the iptables on your local machine. If that's the case I wouldn't worry about it as a gateway firewall will naturally be flooded with packets of a mysterious and potentially hostile nature as part of its job. If these are coming from the local machine you'll want to do a netstat -ap to see if there is an app on your machine with an active connection on those ports that may have started the communication. The traffic you are seeing could just be a response.
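Added example (not from any poster in this thread): the Firestarter events typed out in post #4 and the netstat -ap check suggested in post #5 can be put together in a short triage script. It takes log lines in the same shape as the ones posted above and a netstat -anp snapshot, and sorts each hit into one of four buckets: a packet that matches an ESTABLISHED socket (a reply, and we know which program owns it), a hit on a port something is actually LISTENing on (worth a look), a hit on a port in the Linux ephemeral range (default 32768-60999, from /proc/sys/net/ipv4/ip_local_port_range; most likely a late packet for a connection this host opened itself), or a hit on a closed port that nothing will answer. The sample events and the netstat snapshot below are constructed for the example; the "wlan0" interface name, the 192.168.1.10 local address, the RFC 5737 test addresses and the process names are assumptions, and the ephemeral range is the Linux default rather than whatever a given box is configured with.

```python
"""Triage Firestarter-style firewall events against a netstat snapshot.

Heuristics, in order:
  1. ESTABLISHED socket with the same local port and remote address -> "reply"
  2. LISTEN socket on that local port                                -> "service-probe"
  3. local port inside the ephemeral range                           -> "likely-reply"
  4. anything else                                                   -> "closed-port-probe"
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: Linux default ip_local_port_range; check the sysctl on the real host.
EPHEMERAL_RANGE = (32768, 60999)

# Shape of the events the poster transcribed from Firestarter:
#   "Feb.2 20:00:37 wlan0 Port 32866 Source 72.14.204.102 Length 1470"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) Port (?P<port>\d+) "
    r"Source (?P<src>[\d.]+) Length (?P<length>\d+)$"
)

# Shape of a `netstat -anp` TCP line: proto recv-q send-q local remote state pid/prog
# (only IPv4 "tcp" lines are handled; "tcp6" lines are skipped).
SOCKET_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)(?:\s+(?P<prog>\S+))?$"
)

# Constructed sample data (not copied from the thread; 198.51.100.x and 203.0.113.x are
# RFC 5737 documentation addresses; 72.14.204.102 is the address quoted in post #4).
FIREWALL_EVENTS = """\
Feb.2 20:00:37 wlan0 Port 32866 Source 72.14.204.102 Length 1470
Feb.2 20:00:45 wlan0 Port 32870 Source 72.14.204.102 Length 916
Feb.2 20:01:10 wlan0 Port 22 Source 198.51.100.7 Length 60
Feb.2 20:01:12 wlan0 Port 445 Source 203.0.113.9 Length 52
"""

NETSTAT_SNAPSHOT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:32870      72.14.204.102:80        ESTABLISHED 2314/firefox
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
"""


@dataclass
class Event:
    ts: str
    iface: str
    port: int      # local (destination) port the packet was aimed at
    src: str       # remote source address
    length: int


@dataclass
class Verdict:
    event: Event
    category: str
    detail: str


def parse_events(text: str) -> List[Event]:
    """Parse transcribed Firestarter lines; lines in another shape are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["iface"], int(m["port"]), m["src"], int(m["length"])))
    return events


def parse_sockets(text: str) -> Tuple[Dict[int, str], Dict[Tuple[int, str], str]]:
    """Return (listening port -> program, (local port, remote ip) -> program for ESTABLISHED)."""
    listening: Dict[int, str] = {}
    established: Dict[Tuple[int, str], str] = {}
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if not m:
            continue
        lport = int(m["local"].rsplit(":", 1)[1])
        prog = m["prog"] or "?"
        if m["state"] == "LISTEN":
            listening[lport] = prog
        elif m["state"] == "ESTABLISHED":
            rip = m["remote"].rsplit(":", 1)[0]
            established[(lport, rip)] = prog
    return listening, established


def classify(event: Event, listening: Dict[int, str],
             established: Dict[Tuple[int, str], str]) -> Verdict:
    prog = established.get((event.port, event.src))
    if prog is not None:
        return Verdict(event, "reply", f"matches ESTABLISHED socket owned by {prog}")
    if event.port in listening:
        return Verdict(event, "service-probe", f"port {event.port} is served by {listening[event.port]}")
    lo, hi = EPHEMERAL_RANGE
    if lo <= event.port <= hi:
        return Verdict(event, "likely-reply",
                       "local port is in the ephemeral range; probably a late packet for a connection this host opened")
    return Verdict(event, "closed-port-probe", "no service on this port; nothing will answer it")


def triage(events_text: str, netstat_text: str) -> List[Verdict]:
    listening, established = parse_sockets(netstat_text)
    return [classify(e, listening, established) for e in parse_events(events_text)]


if __name__ == "__main__":
    for v in triage(FIREWALL_EVENTS, NETSTAT_SNAPSHOT):
        print(f"{v.event.ts} {v.event.src} -> :{v.event.port:<5} {v.category:18} {v.detail}")
```

On a live box, feed it the output of netstat -anp (or ss -tanp) captured as close in time to the firewall events as possible: the ESTABLISHED match only works while the connection is still open, which is exactly why hits on high ports with no matching socket fall back to the weaker ephemeral-range heuristic.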
 
Old 02-02-2012, 10:15 PM   #6
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, MX 18
Original Poster
Shadowbox12:
I checked netstat -ap and everything in the terminal seems OK.

I think you're right, it was just traffic that was a response.

I went to https://www.grc.com/port_45057.htm (Shields Up) and checked on those ports, and so far they are not a threat.


Thank you for helping me.
 
Old 02-03-2012, 08:16 AM   #7
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Quote:
Google Headquarters
From your description, I assume the destination port was 80. Google and the other search engines operate web crawling bots that go out and find web sites to index. This is normal activity. If you do not operate a web page, you can safely ignore it. As shadowbox12 pointed out, you will also see lots of more hostile traffic appear in your logs which is the result of scanners and other programs. If you are not operating a server application, including SSH, you can leave these ports closed and these scans should be inconsequential.
 
Old 02-03-2012, 02:22 PM   #8
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, MX 18
Original Poster
Quote:
Originally Posted by Noway2 View Post
From your description, I assume the destination port was 80. Google and the other search engines operate web crawling bots that go out and find web sites to index. This is normal activity. If you do not operate a web page, you can safely ignore it. As shadowbox12 pointed out, you will also see lots of more hostile traffic appear in your logs which is the result of scanners and other programs. If you are not operating a server application, including SSH, you can leave these ports closed and these scans should be inconsequential.
As I don't operate a web page I will, as you mentioned, safely ignore the sites to index.

Thank you and Have A Good Weekend
 