Home Network hit by intense Port Scans

After installing Splunk on my brand new Intel NU and ingesting firewall logs, I wrote a couple of simple SPL searches to make sense of what’s hitting my router.

One of those searches breaks down the number of hits by country over a 24-hour period.

The stats vary from day to day and are usually boring, but one day I noticed that about 3/4 of the traffic originated seemingly from Russia, which naturally piqued my interest.

I say “seemingly from Russia” because I used the iplocation command, which maps IP addresses to countries using a static database. I also cross-checked the IP addresses against Talos and AbuseIPDB, which unfortunately gave me conflicting location information.

index=[name of index] RULEACTION=DENY
| iplocation SRC
| rename Country AS COUNTRY
| stats count by COUNTRY

Unsure as to when the surge in “Russian” IPs hitting my router started, I ran the timechart command to count the number of denied hits from “Russian” IPs in one-hour intervals over a period of one week.

index=[name of index] RULEACTION=DENY earliest=-1w
| iplocation SRC
| search Country="Russia"
| rename SRC AS SRC_IP
| timechart count(SRC_IP) AS "count" span=1h

According to the results, the increase in traffic from “Russia” started on the 18th of December 2020 and has stayed steady since.

However, if I look at this over a period of two weeks, we can see that the traffic started to gradually increase on the 14th of December and sharply increased on the 18th of December!

index=[name of index] RULEACTION=DENY earliest=-2w
| iplocation SRC
| search Country="Russia"
| rename SRC AS SRC_IP
| timechart count(SRC_IP) AS "count" span=1d
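To make the two searches above concrete outside Splunk, here is an added Python example (not the author's code or Splunk output) that does the same thing over constructed firewall log lines: it parses each line, geolocates the source with a constructed static CIDR table standing in for the iplocation database, produces the "count by country" breakdown and the per-hour or per-day timechart for one country, and then flags the day on which denied hits jump well above the preceding days' baseline. The log format, the GEO_TABLE contents (documentation ranges 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and the surge threshold are all assumptions for illustration; a real static GeoIP database can disagree with Talos or AbuseIPDB exactly as the post describes, so the country label should be treated as a hint rather than ground truth.

```python
"""Added example: the post's two SPL searches reproduced in plain Python over
constructed firewall log lines (not the author's data or Splunk output)."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed stand-in for iplocation's static GeoIP database (CIDR -> country).
# The ranges are RFC 5737 documentation networks; the country labels are invented.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "Russia"),
    (ipaddress.ip_network("198.51.100.0/24"), "Germany"),
    (ipaddress.ip_network("192.0.2.0/24"), "United States"),
]

# Assumed log format: "<date> <time> RULEACTION=<action> SRC=<ip> DST=<ip> DPT=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) RULEACTION=(?P<action>\w+) SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)$"
)


def iplocation(ip):
    """Static lookup, like Splunk's iplocation: first matching CIDR wins."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "Unknown"


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def count_by_country(events):
    """Equivalent of: RULEACTION=DENY | iplocation SRC | stats count by Country."""
    return Counter(iplocation(e["src"]) for e in events if e["action"] == "DENY")


def timechart(events, country, span="d"):
    """Equivalent of the timechart searches: denied hits from one country,
    bucketed per hour (span="h") or per day (span="d"), sorted by bucket."""
    fmt = "%Y-%m-%d %H:00" if span == "h" else "%Y-%m-%d"
    buckets = defaultdict(int)
    for e in events:
        if e["action"] == "DENY" and iplocation(e["src"]) == country:
            buckets[e["ts"].strftime(fmt)] += 1
    return dict(sorted(buckets.items()))


def surge_days(chart, baseline_days=3, factor=3.0):
    """Flag buckets whose count is at least `factor` times the mean of the
    preceding `baseline_days` buckets (assumed threshold, not from the post)."""
    keys = list(chart)
    flagged = []
    for i in range(baseline_days, len(keys)):
        base = [chart[k] for k in keys[i - baseline_days:i]]
        mean = sum(base) / len(base)
        if mean > 0 and chart[keys[i]] >= factor * mean:
            flagged.append(keys[i])
    return flagged


def build_sample_log():
    """Constructed sample: a slow ramp of 'Russian' hits, then a jump on
    2020-12-18, mirroring the shape the post describes."""
    per_day = {"2020-12-12": 1, "2020-12-13": 1, "2020-12-14": 1, "2020-12-15": 2,
               "2020-12-16": 2, "2020-12-17": 3, "2020-12-18": 9}
    lines = []
    for day, n in per_day.items():
        for i in range(n):
            lines.append(f"{day} {i:02d}:15:00 RULEACTION=DENY "
                         f"SRC=203.0.113.{10 + i} DST=192.0.2.1 DPT={22 + i}")
        # Background noise: one denied German hit and one allowed US hit per day.
        lines.append(f"{day} 12:00:00 RULEACTION=DENY SRC=198.51.100.7 DST=192.0.2.1 DPT=443")
        lines.append(f"{day} 13:00:00 RULEACTION=ALLOW SRC=192.0.2.50 DST=192.0.2.1 DPT=80")
    return lines


if __name__ == "__main__":
    events = [e for e in map(parse, build_sample_log()) if e]
    print("count by country:", dict(count_by_country(events)))
    daily = timechart(events, "Russia", span="d")
    print("daily Russia:", daily)
    print("surge days:", surge_days(daily))
```

The surge check is deliberately simple: it compares each day against the mean of the three days before it, which catches the sharp jump on the 18th but not the gradual climb from the 14th; a longer baseline or a trend test would be needed to surface the ramp the post noticed only when widening the window to two weeks.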

I’ve got no idea why my IP address has been port scanned so intensely for the past few days.

As the saying goes, it’s not what’s being detected by your security controls but what goes undetected that we should be worried about.