When a consultant checks his phone list on the vonage.comat my location. A port scan from 216.115.24.192 is logged at our firewall. There is no Vonage phone being used on the network (that is known anyway). It happens when he logs into check his account. Why is this happening?
Thanks, Tal
NateHoy Vonage Forum MVM
Joined: Nov 01, 2005 Posts: 2257
Location: New England
When a consultant checks his phone list on the vonage.comat my location. A port scan from 216.115.24.192 is logged at our firewall. There is no Vonage phone being used on the network (that is known anyway). It happens when he logs into check his account. Why is this happening?
Thanks, Tal
That IP address (according to Arin) is owned by Vonage.
What do you mean by "checks his phone list"? Do you mean his voicemail? Hmm. That "should" just be a regular web page, albeit an SSL one.
What port is being scanned?
_________________ Comcast Cable (3m down / 256k up) -> Linksys BEFCMU10 v2 (DOCSIS 1.0) -> WRT54G v4 ("Tomato" firmware) -> the rest of my network including a WRTP54G (Firmware: 5.01.04) My Vonage Self-Help Guides: http://vonage.nmhoy.net
The person logs onto the Vonage site and looks at the phone number list of sent and received calls for his Vonage phones. I know that the ip is Vonage that is why I post the question here, hoping that some else had noticed it, or knew why. There appears to be 1 to 2 port scans per times he access the Vonage web site. The port scans [22/Nov/2005 11:01:23] PORTSCAN hostip="216.115.24.192" log="protocol:TCP, source: 216.115.24.192, destination: xx.xxx.xx.xx, ports: 65281, 65282, 65283, 65284, 65285, 65286, 65287, 65288, 65289, 65279, ..." [22/Nov/2005 11:01:43] PORTSCAN hostip="216.115.24.192" log="protocol:TCP, source: 216.115.24.192, destination: xx.xxx.xx.xx, ports: 65281, 65282, 65283, 65284, 65285, 65286, 65288, 65289, 65303, 65279, ..." [22/Nov/2005 11:02:19] PORTSCAN hostip="216.115.24.192" log="protocol:TCP, source: 216.115.24.192, destination: xx.xxx.xx.xx, ports: 65303, 65313, 65314, 65316, 65318, 65319, 65320, 65321, 65322, 65323, ..." [22/Nov/2005 11:02:59] PORTSCAN hostip="216.115.24.192" log="protocol:TCP, source: 216.115.24.192, destination: xx.xxx.xx.xx, ports: 65313, 65314, 65316, 65318, 65319, 65320, 65321, 65323, 65334, 65335, ..."
WOW! Is that a partial extract? As in, does it port scan the ENTIRE port range?
Even if it's just the ports you posted... Holy cow! There's no reason for Vonage do be doing that to serve up a web page. Good catch.
Vonage, even if it was contacting the phone adapter for some bizarre reason, or trying to, should already have a different IP address for the adapter, and shouldn't be anywhere NEAR those ranges, and would have absolutely no reason to be pumping port scans to ports their adapters don't even use.
I'd have your consultant call Customer Service directly on this one, and insist on going up the support chain a couple of steps. Straaaaange.
_________________ Comcast Cable (3m down / 256k up) -> Linksys BEFCMU10 v2 (DOCSIS 1.0) -> WRT54G v4 ("Tomato" firmware) -> the rest of my network including a WRTP54G (Firmware: 5.01.04) My Vonage Self-Help Guides: http://vonage.nmhoy.net
KDWycha Vonage Forum Evangelist
Joined: Jan 19, 2005 Posts: 605
Location: Tampa, Florida USA (813)
Yes that is a partial , it does appear to scan more, but that is all the firewall is logging to the accessible log. I will contact my consultant and see what happens. Thanks for the confirmation that something is wrong.
yes the phone device actually sends us its IP address and the open port from behind the NAT router. I can look at a devices debug log and see 192.168.x.x.:459382 or something similar. I have no idea why the site would be scanning those IPs.
Of course anyone I ask here about that looks at me like I just suggested a coleslaw wrestling tournament right here in the call center and then they yell at me and chase me back to my phone. So no luck on my initial inquiries...
j-card Vonage Forum Senior
Joined: Nov 23, 2005 Posts: 119
Location: Victoria, British Columbia, Canada
How does one check for a port scan? I have a router, but I don't know how to check for port scans... Would be interesting to see if this is happening here as well...
_________________ J-Card ------------------------------------------------- "If you can't dazzle with brilliance, baffle with bull$&!#" Please vote on how you would rate your service! Lets see what people really think! Canada UK US
NateHoy Vonage Forum MVM
Joined: Nov 01, 2005 Posts: 2257
Location: New England
How does one check for a port scan? I have a router, but I don't know how to check for port scans... Would be interesting to see if this is happening here as well...
Generally, you have to be running a router sophisticated enough to log all connection attempts. In the logs, just look for a whole list of connection attempts from the same IP address to all different ports.
_________________ Comcast Cable (3m down / 256k up) -> Linksys BEFCMU10 v2 (DOCSIS 1.0) -> WRT54G v4 ("Tomato" firmware) -> the rest of my network including a WRTP54G (Firmware: 5.01.04) My Vonage Self-Help Guides: http://vonage.nmhoy.net
The WRT-54G v4.20.7 Linksys Firmware seems to have a log under Admin. Kinda stripped down, but it shows incoming and outgoing. I see lots of www, and even a couple of tftp entries from when I backed up my Cisco router IOS's.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
All times are GMT - 5 Hours
Vonage Service Plans
Vonage VoIP Members
Members New behm27 New Today 2 Yesterday 3 Total 64296 Who Is On Site Visitors 135 Members 0 Total 135
1Unlimited calling and other services for all residential plans are based on normal residential, personal, non-commercial use. A combination of factors is used to determine abnormal use, including but not limited to: the number of unique numbers called, calls forwarded, minutes used and other factors. Subject to our Reasonable Use Policy and Terms of Service.
2Shipping and activation fees waived with 1-year agreement. An Early Termination Fee (with periodic pro-rated reductions) applies if service is terminated before the end of the first 12 months. Additional restrictions may apply. See Terms of Service for details.
HIGH SPEED INTERNET REQUIRED. †VALID FOR NEW LINES ONLY. RATES EXCLUDE INTERNET SERVICE, SURCHARGES, FEES AND TAXES. DEVICE MAY BE REFURBISHED. If you subscribe to plans with monthly minutes allotments (for example, U.S. & Canada 300), all call minutes placed from both from your home and registered ExtensionsTM phones will count toward your monthly minutes allotment. ExtensionsTM calls made from mobiles use airtime and may incur surcharges, depending on your mobile plan. Alarms, TTY and other systems may not be compatible. Vonage 911 service operates differently than traditional 911. See www.vonage.com/911 for details.
Thinking of signing up for Vonage but have questions? Business and Residential customers can call Toll Free 24 hours a day at: 1-888-692-8074 No Vonage Promotional Codes or Coupon Codes are required at www.vonage.com.
The Vonage Forum provides the Vonage sign up Best Offer Promotion Deal as a means to offset
our cost. If you are considering signing up for Vonage and have found our Vonage
News, Customer Reviews, Forums & all other parts of this site useful, please
use our Vonage FREE Month sign up offer Deal Coupon.
Vonage VoIP Phone Service is redefining communications by offering consumers & small business VoIP Internet phones, an affordable alternative to traditional phone service.
The Vonage VoIP Forum Generated This Page In: 0.43 Seconds and 250 Pages In The Last 60 Seconds The Vonage VoIP Forum
w00t! 
Members
New 
New Today 2
Yesterday 3
Total 64296
Who Is On Site
Visitors 135
Members 0
Total 135
-0.03