Problem :
I have a 2701HGV-B 2Wire modem and router (AT&T). The log is basically full with entries similar to the
following with a time between a fifth and a third of a second between entries:
src=86.156.7.170 dst=xxx.xxx.xxx.38 ipprot=17 sport=6882 dport=1701 Unknown inbound session stopped
src=58.176.22.252 dst=xxx.xxx.xxx.38 ipprot=17 sport=21573 dport=1701 Unknown inbound session stopped
src=91.221.6.250 dst=xxx.xxx.xxx.38 ipprot=17 sport=25902 dport=1701 Unknown inbound session stopped
...
where the source IP will be different for every entry. The entries accumulate constantly, every single second that the router is on several of them appear in the log. The destination is the WAN address for my router. I understand that this is somehow related to VNCs, but I don’t know enough to figure out why my router is getting bombarded with requests for a VNC session. Is there anything fishy going on or is this normal? If it is normal, how do I keep these entries from spamming my log files? Since there’s about two or three of them every second, everything else gets drowned out.
Solution :
IP Protocol 17 is UDP, and as mentioned in the comments, UDP/1701 is the port commonly used for L2TP, a VPN protocol.
L2TP has had some vulnerabilities reported, so the two most likely scenarios are
- A PC has been compromised and is being used to scan for vulnerable L2TP implementations, and your IP has been scanned
- Your IP address has been previously used by someone else, who was actually running an L2TP gateway, and one of the clients to that gateway is still attempting to contact it.
The source address is part of the UK ISP BT's range, so probably a domestic connection.
In any case, your firewall is blocking it, it is doing its job. If you watch your external connection you will see many attempts to connect to ports on your IP address. This is just the background radiation of the internet, zombie PCs doing scans.
You can safely ignore it.
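A small triage script for the log format quoted in the question, added here as an example and not part of the original question or answer. It decodes `ipprot` and `dport` the way the answer does (17 is UDP, UDP/1701 is L2TP, TCP/5900 would be VNC) and summarises how many distinct sources hit which service and whether every entry was blocked; the `dst` address and the TCP/5900 line are constructed, the three L2TP lines are the question's.

```python
import re
from collections import Counter

# Constructed sample in the 2Wire log format quoted in the question; the
# three L2TP lines are the question's, the dst and the TCP/5900 line are made up.
SAMPLE_LOG = """\
src=86.156.7.170 dst=203.0.113.38 ipprot=17 sport=6882 dport=1701 Unknown inbound session stopped
src=58.176.22.252 dst=203.0.113.38 ipprot=17 sport=21573 dport=1701 Unknown inbound session stopped
src=91.221.6.250 dst=203.0.113.38 ipprot=17 sport=25902 dport=1701 Unknown inbound session stopped
src=198.51.100.7 dst=203.0.113.38 ipprot=6 sport=41000 dport=5900 Unknown inbound session stopped
"""

# IANA protocol numbers and the well-known ports relevant to this log
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
PORT_NAMES = {("UDP", 1701): "L2TP", ("TCP", 5900): "VNC", ("UDP", 500): "IKE"}

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) ipprot=(?P<proto>\d+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) (?P<msg>.*)"
)

def parse_line(line):
    """Return the fields of one 2Wire firewall line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = PROTO_NAMES.get(int(m["proto"]), f"proto{m['proto']}")
    dport = int(m["dport"])
    service = PORT_NAMES.get((proto, dport), "unknown")
    return {
        "src": m["src"], "dst": m["dst"], "proto": proto,
        "sport": int(m["sport"]), "dport": dport,
        "service": f"{proto}/{dport} ({service})",
        "blocked": "stopped" in m["msg"],
    }

def summarise(log_text):
    """Count what was targeted, how many distinct sources, and whether all were blocked."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "entries": len(entries),
        "distinct_sources": len({e["src"] for e in entries}),
        "by_service": Counter(e["service"] for e in entries),
        "all_blocked": all(e["blocked"] for e in entries),
    }

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for service, n in s["by_service"].most_common():
        print(f"{service}: {n} attempts")
    print(f"{s['distinct_sources']} distinct sources, all blocked: {s['all_blocked']}")
```

Many distinct sources all aiming at one port, every one of them stopped, is the scan pattern the answer describes; a single source repeating against many ports, or any entry that is not stopped, is what would actually merit a closer look.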