This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
I've been looking over my daily router logs for the last few days and keep finding this entry sporadically:
[LAN access from remote] from 184.105.247.199:32931 to 10.8.108.64:5353, Wednesday, Jul 06,2016 00:55:38
[LAN access from remote] from 184.105.247.211:49177 to 10.8.108.64:5353, Tuesday, Jul 05,2016 01:12:23
[LAN access from remote] from 71.6.216.54:5353 to 10.8.108.64:5353, Monday, Jul 04,2016 13:38:22
[LAN access from remote] from 184.105.247.231:40494 to 10.8.108.64:5353, Sunday, Jul 03,2016 01:32:55
I have my home network devices setup with reserved IP addresses, so I can tell you that 10.8.108.64 is my own personal MacBook Pro (OS X 10.11.5). I do not have any static routes or port mappings setup to bring specific traffic from the router to my Mac. The public IP addresses shown here trace back to the domains shadowserver.org and rapid7.com. Based upon the time stamps, I'm pretty sure at least some of these entries (if not all) appear to be happening while I'm away from my computer. Anyone got any idea what these logs mean?
Port 5353 is commonly used for Multicast DNS (Apple calls it Bonjour). It's unusual to see a remote device access this port. In addition to disabling port forwarding/triggering, make sure that UPnP and DMZ are disabled, too. Those are the two other vectors by which a remote device could access the internal network.
shadowserver.org is a bunch of folks who (from Wikipedia): "The Shadowserver Foundation is a volunteer group of professional Internet security workers that gathers, tracks and reports on malware, botnet activity and electronic fraud. It aims to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers and the spread of malware." And Rapid7 is an Internet security company.
I don't know what they are doing scanning or trying to access your network, but are you sure your local network has not been compromised/part of a botnet, etc..? BTW, I am an utter nobody and know-nothing-much, and I'm sure someone with Real Smarts can assist you better, but I'd just check your local PCs/devices anyway. The one time I had something like this happen was when a friend's son used his laptop on my home network. When he wasn't using it, the botnet he been infected with started doing its nefarious deeds. I booted him off the network, cleaned his laptop, and his mum bent his ear for months of his obsession with visiting absolutely any site that said they had "Game Cheats." Teenagers, huh? 😉
Port 5353 is commonly used for Multicast DNS (Apple calls it Bonjour). It's unusual to see a remote device access this port. In addition to disabling port forwarding/triggering, make sure that UPnP and DMZ are disabled, too. Those are the two other vectors by which a remote device could access the internal network.
Disabling UPnP appears to have stopped these from showing up in the logs. And I'm savvy enough with networking to create any necessary port maps that I might need, so UPnP doesn't seem to offer me any real benefits anyway. I've had it off for several weeks now and have not noticed any issues. Thanks for helping to make my home network more secure!
