
Illegal connection state attack


posted on Mar, 8 2012 @ 07:26 AM
For the last couple of days (starting around the 4th or 5th), there seems to be a bunch of different IP addresses trying to hack into my router or something. I'm not any type of security expert, so if anyone could tell me how to handle this I would be grateful. The weird thing is, it didn't seem to happen in the past; only for the last few days has my router's security log started to record all these attacks. There are like 20 or 30 of these attacks each day, so it's weird that it didn't seem to happen before. I've scanned my computer thoroughly for any malicious files and I'm certain that isn't the problem. Here is an example of what one line in the security log looks like (I've removed the IP addresses):


Mar 8 12:35:08 Hack Attack: DROP ICMP packet from [ppp0] [attackers IP] to [my external IP] [SPI:Illegal connection state attack]


edit: I should also add that upon checking the IPs they appear to be from all around the world.
edit on 8-3-2012 by ChaoticOrder because: (no reason given)



posted on Mar, 8 2012 @ 07:32 AM
reply to post by ChaoticOrder
 


It's nothing to worry about, it happens to anything connected to the internet. This is just your firewall working.
The internet is full of zombie computers and malware-infested servers, most of which will randomly port scan an IP range, and yours just happened to be in the range someone started to scan.

The important thing is that the packet was dropped by your router's firewall (or, simply put, ignored by your router).



posted on Mar, 8 2012 @ 07:36 AM
reply to post by InsideYourMind
 



"and yours just happened to be in the range someone started to scan."
But the thing is I've changed my IP like 2 times now but it still seems to be happening. And as I stated, I didn't seem to get any of these logs until a few days ago. It just seems a little weird and makes me a bit uncomfortable.



posted on Mar, 8 2012 @ 07:36 AM
reply to post by ChaoticOrder
 


If you're running a firewall (which I assume is the case)
and unless you know there's some special interest in what's on your computer,
I wouldn't worry too much: sounds like ordinary port scans? Your firewall will keep them closed.



posted on Mar, 8 2012 @ 07:41 AM
reply to post by NeverSleepingEyes
 



"and unless you know there's some special interest in what's on your computer,
I wouldn't worry too much: sounds like ordinary port scans?"
No, there is nothing of particular interest on my computer, but it does seem like someone is trying to target me, based on the fact that this only recently started to happen. And also even when I change my IP it still continues to happen, as if they know when I change it. The IP addresses seem to be located all over the world, which could mean someone is attempting to use a botnet to attack me or that my router only just started to log these types of attack... but I can't see why that would be the case because my router firmware hasn't changed for quite a while.
edit on 8-3-2012 by ChaoticOrder because: (no reason given)



posted on Mar, 8 2012 @ 07:42 AM
reply to post by ChaoticOrder
 





"But the thing is I've changed my IP like 2 times now but it still seems to be happening. And as I stated, I didn't seem to get any of these logs until a few days ago. It just seems a little weird and makes me a bit uncomfortable."


It will happen regardless of your IP. Once you are connected to the internet you are using an external IP address. Sure, Joe Blow in China doesn't know it's yours, but he does have a list of all possible IP ranges, and where, geographically, they are assigned.

Beyond that, most of these incoming ICMP packets are harmless, it's just how networking works. If you are concerned, start restricting and closing ports on your router and only enable the ones you use. This is a headache, it takes work, and constant updating.

If you have a device connected to the internet, expect to almost be bombarded with this type of traffic. The only time you need to be concerned is when it's so much, coming from so many addresses, that it becomes a denial of service attack. Simply put, they send so many packets at your router, it can't keep up, and you get dumped offline. If your ISP is worth their salt, they would remove you from the network before it got that far along.

Watching your logs, and keeping informed, is good. Paranoia is not.

You are safe as long as you keep your firewall/router/antivirus up to date. Actually, if you don't go to nefarious sites, block most ads and scripts (not here of course) and pay attention to what you are doing, you don't even need the antivirus.

Firewall, up-to-date router firmware, script-blocking browser. That's my security. No infections, not even malware or a redirect, on my main box in over 10 years.
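
One way to act on the "watch your logs" advice in this thread, as an added example that is not part of any poster's message or of the router's own tooling: it parses lines in the format quoted in the first post and reports, per day, how many drops came from how many distinct sources. The sample lines (documentation-range addresses), the `repeat_threshold` value and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Field layout taken from the log line quoted in the first post; the address
# fields were redacted there, so any bracketed token is accepted.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+\d{2}:\d{2}:\d{2}\s+"
    r"Hack Attack: (?P<action>\w+) (?P<proto>\w+) packet "
    r"from \[(?P<iface>[^\]]+)\] \[(?P<src>[^\]]+)\] "
    r"to \[(?P<dst>[^\]]+)\] \[SPI:(?P<reason>[^\]]+)\]\s*$"
)

def summarize(lines, repeat_threshold=3):
    """Return ({day: stats}, skipped_line_count) for the given log lines."""
    per_day = defaultdict(Counter)
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            if line.strip():
                skipped += 1          # non-empty line in some other format
            continue
        per_day[f"{m['mon']} {int(m['day'])}"][m["src"]] += 1
    report = {}
    for day, hits in per_day.items():
        report[day] = {
            "events": sum(hits.values()),
            "distinct_sources": len(hits),
            # Sources that keep coming back, as opposed to one-off probes.
            "repeat_sources": sorted(s for s, n in hits.items() if n >= repeat_threshold),
        }
    return report, skipped

def _line(stamp, src):
    # Builds a constructed sample line in the quoted format (not real log data).
    return (f"{stamp} Hack Attack: DROP ICMP packet from [ppp0] [{src}] "
            "to [203.0.113.5] [SPI:Illegal connection state attack]")

SAMPLE = [
    _line("Mar 7 23:58:41", "192.0.2.10"),
    _line("Mar 8 12:35:08", "198.51.100.7"),
    _line("Mar 8 12:35:09", "198.51.100.7"),
    _line("Mar 8 12:35:10", "198.51.100.7"),
    _line("Mar 8 14:02:11", "192.0.2.44"),
    "Mar 8 14:05:00 DHCP lease renewed",   # constructed unrelated line, skipped
]

if __name__ == "__main__":
    stats, skipped = summarize(SAMPLE)
    for day, row in stats.items():
        print(day, row)
    print("skipped lines:", skipped)
```

Many distinct sources with one or two events each matches the background scanning described in the replies; a rising daily total or a long `repeat_sources` list is the pattern to look at more closely.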



posted on Mar, 8 2012 @ 07:46 AM
reply to post by ChaoticOrder
 




"And also even when I change my IP it still continues to happen, as if they know when I change it. The IP addresses seem to be located all over the world, which could mean someone is attempting to use a botnet to attack me or that my router only just started to log these types of attack..."


Yes and no, if it's a botnet attack, they seriously suck at it.

Programmer A writes a piece of software that scans for devices, IP ranges, and ports, on any connected network.
UserB downloads that and starts running it while networked into your ISP network.


The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. It is chiefly used by the operating systems of networked computers to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP can also be used to relay query messages.[1] It is assigned protocol number 1.[2]


Source

Now maybe back in 1981 you could "ping" someone offline, using the "ping of death" but those days are long gone. All this appears to be, to me, is standard traffic, simple ping messages or port scan queries. No one is directing this specifically at YOU, it's directed at anyone on the network.



posted on Mar, 8 2012 @ 07:46 AM
There's a lot of malware out there that tries blocks of IP addresses, and so 20 pings to see if something's alive from a random address is a prelude to doing a more detailed scan. But since your router has dropped the packets, the software will think it's not active, so it will move on to the next address. Sort of the opposite of a burglar knocking on the door: if they get a reply, they don't burgle the place but try the next door.



posted on Mar, 8 2012 @ 07:47 AM
reply to post by phishyblankwaters
 



"It will happen regardless of your IP. Once you are connected to the internet you are using an external IP address. Sure, Joe Blow in China doesn't know it's yours, but he does have a list of all possible IP ranges, and where, geographically, they are assigned."
I guess you are right, I just find it a little weird my router has never logged these attacks before.


"Firewall, up-to-date router firmware, script-blocking browser. That's my security. No infections, not even malware or a redirect, on my main box in over 10 years."
Yeah I do all the same things, and I haven't had a virus in a very long time. Not quite 10 years though. Was the internet even invented back then?
I'm joking.



posted on Mar, 8 2012 @ 10:05 AM
reply to post by ChaoticOrder
 

Go over HERE and check your Internet Connection's Privacy. When you load a webpage, your Browser sends a HEADER out to all who can see and read it. In Windows, HTTP Cookies are filed in HTTP format, and can be read by web pages. It is best to file all Cookies in Plain Text. I have a Time Warner Roadrunner Internet Connection, the business physical address is in Hardin, Virginia. I run Fedora 16n Linux, I-Tables Firewall with all ICMP Requests Denied. My header shows the IP address of the main server in Hardin, not my personal IP address, which is hidden, or rather masqueraded. The Header can see my Proxy, and the TW Server, and nothing else. If one of my Ports is scanned, I get a report. If any packet comes in aimed at the Firewall, I hear about it. Too bad this kind of security doesn't come by default, I know, but if we want Internet Security, then we have to work for it.



