gutekpl
Member Candidate
Topic Author
Posts: 106
Joined: Wed Feb 20, 2019 6:31 pm

My public IP is getting raped by port scanners - is that normal?

Tue Jan 21, 2020 11:38 pm

Hi,
I have been using MT devices for around a year now and I like to check my main router logs from time to time. There were always some port scanner entries from the firewall; some IP scanned a few ports and disappeared for some time. Sometimes there were 3-4 different scanning source IPs per day, sometimes there were 2-3 days of no scanning at all. However, since I upgraded to 6.46.2 (may be just coincidence) two days ago, 99% of my log is port scanner running all the time. Is that normal? Should I be worrying?
portsv.png
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 12:02 am

Looks more like a SYN flood, restart your router to get new IP
 
sid5632
Long time Member
Posts: 561
Joined: Fri Feb 17, 2017 6:05 pm

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 2:23 am

> restart your router to get new IP
Did he say he was on a dynamic address?
No. So it's not the most sensible suggestion.
 
bpwl
Forum Guru
Posts: 3145
Joined: Mon Apr 08, 2019 1:16 am

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 12:40 pm

Klembord-2.jpg
Name: 093105141014.naklo.vectranet.pl
Address: 93.105.141.14
 
mkx
Forum Guru
Posts: 13458
Joined: Thu Mar 03, 2016 10:23 pm

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 3:56 pm

I'm wondering why some attacker (or "attacker"?) would be banging on a seemingly random TCP port number, such as 52676?
 
mozerd
Forum Veteran
Posts: 954
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 4:18 pm

That IP address returns the following:
person: Piotr Najduk
address: Vectra S.A.
address: Al. Zwyciestwa 253
address: 81-525 Gdynia
address: POLAND
phone: +48 58 6248352
e-mail: p.najduk@vectra.pl
nic-hdl: PN3299-RIPE
mnt-by: PN97052-MNT
created: 2012-03-13T10:55:37Z
last-modified: 2012-09-24T16:39:55Z
source: RIPE
You can send them an email and find out why they are scanning your system -- assuming they will respond to your query.

BTW That IP Address may be a QNAP server http://93.105.141.14:8080/cgi-bin/

Do you have a QNAP NAS running?

MOAB effectively blocks millions of bad guys ....
Last edited by mozerd on Wed Jan 22, 2020 5:51 pm, edited 1 time in total.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 5:27 pm

>> restart your router to get new IP
> Did he say he was on a dynamic address?
> No. So it's not the most sensible suggestion.

Did he say he is on static? So you can take your comment and shove it
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 5:59 pm

@CZFan: It depends what you see as default or normal, static or dynamic address. I vote for static, but I've seen ISPs using both. So IMHO your original suggestion assumes too much.
 
BartoszP
Forum Guru
Posts: 3265
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 6:25 pm

Vectra is the Polish CableTV operator.

From the log we can see that something behind this static address tries to connect to address 155.x.y.x port 52676.

For me the QNAP is not the source, as it is just accessible via a redirection at the same address the "attack" comes from.
I suspect that there is a "zombie" computer behind this address which scans random computers as the effect of being "zombied".

This address seems to be "owned" by (assigned statically to) a Vectra client, as redirection of port 8080 to this particular QNAP device is hardly done by Vectra itself for any particular client.

We do not know what device is operating this 93.x.y.x address so maybe the router is affected.

My opinion .. drop traffic from this address or make a claim to Vectra that you are attacked from their network.
 
jvanhambelgium
Forum Guru
Posts: 1120
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 6:27 pm

Whether static or dynamic, I think it can be quite normal.
I have an ordinary "home" subscription with a pseudo-static IP (almost never changes) and today my Splunk indicates about 3800 such packets have been dropped.
Sometimes I also see these sweeps pass by.

Just noise...
 
gutekpl
Member Candidate
Topic Author
Posts: 106
Joined: Wed Feb 20, 2019 6:31 pm

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 6:51 pm

> BTW That IP Address may be a QNAP server http://93.105.141.14:8080/cgi-bin/
> Do you have a QNAP NAS running?
Now it became a bit creepy as I have a QNAP running in my network.
I hope it is just coincidence, as it works just as a DVR for outside cam recording and no additional services are configured on it and it is not accessible from outside the LAN in the first place.

Anyway, I emailed the three persons mentioned in the whois database for that IP along with abuse@vectra.pl, which was mentioned there as well. We will see if they can check it somehow.

Regarding my IP - it is static.
 
R1CH
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 7:11 pm

You should DROP all unknown traffic on input chain, and especially not log (easy to exhaust the router with a tiny flood). Your current rules that add to address lists (which you then presumably drop) also open you to attacks by an IP spoofing attacker.
 
pe1chl
Forum Guru
Posts: 10587
Joined: Mon Jun 08, 2015 12:09 pm

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 8:26 pm

>> BTW That IP Address may be a QNAP server http://93.105.141.14:8080/cgi-bin/
>> Do you have a QNAP NAS running?
> Now it became a bit creepy as I have a QNAP running in my network.
Likely it has been compromised or there is some way that its presence is known for outside users and they are now trying to compromise it.
Those kinds of devices often allow outside access to files, e.g. for use on a mobile device, and it is really a bad idea to enable that.

I have a /16 on internet (65536 addresses) so I get around 1-2 Mbit/s of continuous portscanning on that, but I do not see directed scans to this particular port.
So they likely only scan that port after determining some other way (e.g. via that open port 8080) that you run a QNAP.
 
mt99
newbie
Posts: 45
Joined: Wed Jan 03, 2018 6:07 pm

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 9:07 pm

I didn't read this thread closely and there's already been some good suggestions - but is your external IP on Shodan? You don't need a logon or API key to check for one IP on their site. https://www.shodan.io/search?query= and type in your external IP at the end of the link. Once I saw activity from external hosts trying to use my proxy server. They couldn't actually use it because of the firewall, but obviously I had to shut that down. They had identified my router as Mikrotik because I'd neglected to disable the BTest server running by default on port 2000. I disabled that, moved my proxy off the bastion router, and I wasn't on Shodan anymore. Just thought it was worth mentioning :)
 
gutekpl
Member Candidate
Topic Author
Posts: 106
Joined: Wed Feb 20, 2019 6:31 pm

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 10:27 pm

I checked Shodan and I am listed there with that port 52676 - what does it mean? Where did it come from? The entry was added there yesterday, but I have been getting flooded for 3 days - just since I upgraded to 6.46.2 from 6.46.
 
pe1chl
Forum Guru
Posts: 10587
Joined: Mon Jun 08, 2015 12:09 pm

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 10:33 pm

What are your UPnP settings and does it list your QNAP in the stats of UPnP?
 
gutekpl
Member Candidate
Topic Author
Posts: 106
Joined: Wed Feb 20, 2019 6:31 pm

Re: My public IP is getting raped by port scanners - is that normal?

Wed Jan 22, 2020 11:13 pm

UPnP disabled since the beginning.
 
sid5632
Long time Member
Posts: 561
Joined: Fri Feb 17, 2017 6:05 pm

Re: My public IP is getting raped by port scanners - is that normal?

Thu Jan 23, 2020 12:29 am

>>> restart your router to get new IP
>> Did he say he was on a dynamic address?
>> No. So it's not the most sensible suggestion.
> Did he say he is on static? So you can take your comment and shove it
He didn't, but has now, so that makes you look like a complete jerk doesn't it? A rude, ignorant jerk, who makes rash assumptions about things.

And power cycling is not necessary to get new dynamic addresses anyway. But I suppose you can't be told anything. Your type never can.
 
gutekpl
Member Candidate
Topic Author
Posts: 106
Joined: Wed Feb 20, 2019 6:31 pm

Re: My public IP is getting raped by port scanners - is that normal?

Thu Jan 23, 2020 12:38 am

Came back home and studied Shodan a bit more.
If I understand correctly I am added there not as "host", but as comment to other host entry:
Bez tytułu.png
I checked Deluge running on my Raspberry Pi and indeed it used port 52676 during the current session.

So if my thinking is correct then some compromised system/machine extracted the DHT list from itself and I was listed there amongst other nodes.
 
martinclaro
Member Candidate
Posts: 102
Joined: Sat Sep 28, 2013 6:08 am
Location: Buenos Aires, Argentina

Re: My public IP is getting raped by port scanners - is that normal?

Thu Jan 23, 2020 3:11 am

Maybe you can add a tarpit rule before the drop rule to make them busier and see the results.

Tarpit TCP, Drop UDP.
 
pe1chl
Forum Guru
Posts: 10587
Joined: Mon Jun 08, 2015 12:09 pm

Re: My public IP is getting raped by port scanners - is that normal?

Thu Jan 23, 2020 5:40 pm

> UPnP disabled since the beginning.
You still need to investigate whether it can be possible that your devices have been reachable from the outside, e.g. by port forwarding.
This would have been much more likely with UPnP running but of course you can have manual port forwards as well.
 
mkx
Forum Guru
Posts: 13458
Joined: Thu Mar 03, 2016 10:23 pm

Re: My public IP is getting raped by port scanners - is that normal?

Thu Jan 23, 2020 7:53 pm

> I checked Deluge running on my Raspberry Pi and indeed it used port 52676 during the current session.
Guess what? Running a torrent client from behind the firewall is the same as announcing some public service. Even though some (if not all) torrent clients use a random port number (if not configured differently), they tend to run for days without changing the port number. And the basic assumption is that torrent clients behave in the P2P spirit (e.g. accepting incoming connections from other clients).
Having all the above in mind one should not be surprised if some strangers bang on the door ...

Anyway, the behaviour illustrated in OP is stray ... normal torrent clients don't try to aggressively connect, each time using different local port.
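
Added example (not part of any post in this thread): a small Python check for the distinction drawn in the post above, between one source probing many destination ports and sources that keep connecting to a single port from changing source ports. The log lines are constructed in the style of RouterOS firewall log entries with documentation address ranges; the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

FLOW = re.compile(r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)->"
                  r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)")

def _line(src, sport, dport):
    # Constructed sample entry, not taken from the thread.
    return (f"input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, "
            f"proto TCP (SYN), {src}:{sport}->203.0.113.10:{dport}, len 52")

SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", 40000 + i, 52676) for i in range(4)]
    + [_line("192.0.2.44", 51515, p) for p in (21, 22, 23, 80, 443, 8080)]
    + [_line("198.51.100.99", 33012, 52676)]
)

def parse(log_text):
    """Yield (src_ip, src_port, dst_port) for every line carrying a flow."""
    for line in log_text.splitlines():
        m = FLOW.search(line)
        if m:
            yield m["src"], int(m["sport"]), int(m["dport"])

def classify_sources(log_text, scan_ports=5):
    """Return {src_ip: (verdict, sorted dst ports, hit count)}."""
    ports, hits = defaultdict(set), defaultdict(int)
    for src, _sport, dport in parse(log_text):
        ports[src].add(dport)
        hits[src] += 1
    out = {}
    for src, seen in ports.items():
        if len(seen) >= scan_ports:
            verdict = "port-scan"      # one host probing many ports
        elif len(seen) == 1:
            verdict = "single-port"    # repeated connects to one service
        else:
            verdict = "few-ports"
        out[src] = (verdict, sorted(seen), hits[src])
    return out

def advertised_ports(log_text, min_sources=2):
    """Dst ports hit by several distinct sources: likely a published service."""
    by_port = defaultdict(set)
    for src, _sport, dport in parse(log_text):
        by_port[dport].add(src)
    return {p: len(s) for p, s in by_port.items() if len(s) >= min_sources}

if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, *info)
    print("advertised:", advertised_ports(SAMPLE_LOG))
```

A port that shows up in `advertised_ports` is worth comparing against the listening ports of hosts on the LAN, such as a torrent client's incoming port.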
 
gutekpl
Member Candidate
Topic Author
Posts: 106
Joined: Wed Feb 20, 2019 6:31 pm

Re: My public IP is getting raped by port scanners - is that normal?

Fri Jan 24, 2020 8:59 am

Stopping seeding of Linux ISOs makes the port scanning stop within 2 minutes. When I resume, it starts again. My guess is that one of the peers has some malicious software installed and it uses the seeders list as a target for attack.
 
bpwl
Forum Guru
Posts: 3145
Joined: Mon Apr 08, 2019 1:16 am

Re: My public IP is getting raped by port scanners - is that normal?

Fri Jan 24, 2020 10:43 am

Anything like "Stun, Turn, Ice" using software used on your side? Skype, Torrent, .... can all name your IP as connection point if used. Teamviewer, Logmein, GoToMyPc, JoinMe, ... used by anybody behind your firewall? Games that use "Turn" to interconnect? ....
 
pe1chl
Forum Guru
Posts: 10587
Joined: Mon Jun 08, 2015 12:09 pm

Re: My public IP is getting raped by port scanners - is that normal?

Fri Jan 24, 2020 10:52 am

> Stopping seeding of Linux ISOs makes the port scanning stop within 2 minutes. When I resume, it starts again. My guess is that one of the peers has some malicious software installed and it uses the seeders list as a target for attack.
Oh you are running BitTorrent? I missed that...
Of course when you run BitTorrent you need to add a forward for the port it uses, and without logging when you do not want to see that.
BitTorrent is a bi-directional protocol, it receives incoming connects from the other users in the peer-to-peer net.