The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    New to Wireless-Router Log-Really Being Attacked?

    Discussion in 'Networking and Wireless' started by SunandFun, May 26, 2009.

  1. SunandFun

    SunandFun Notebook Enthusiast

    I'm new to wireless routing. I just got a new Belkin, set up as WPA2 security. Attached is a log I saved from last night. Is my router REALLY being attacked? I went into the logs and found all these attacks. I did notice that my antivirus protection was running a full scan on both LAN and WAN about this time.

    I searched the web and found something similar from another user of a Belkin router
    http://www.thedvdforums.com/forums/showthread.php?t=558512

    So is this really normal? I am new to this so I have no idea if this is normal or should I be concerned?

    Log
    Mon May 25 18:22:48 2009
    =>Found attack from 61.160.216.187.
    Source port is 6000 and destination port is 7212 which use the TCP protocol.
    Mon May 25 18:22:48 2009
    =>Found attack from 61.160.216.187.
    Source port is 6000 and destination port is 8000 which use the TCP protocol.
    Mon May 25 18:42:25 2009
    =>Found attack from 114.45.68.164.
    Source port is 3392 and destination port is 25 which use the TCP protocol.
    Mon May 25 18:42:55 2009
    =>Found attack from 218.22.25.10.
    Source port is 51253 and destination port is 22 which use the TCP protocol.
    Mon May 25 18:43:25 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 9090 which use the TCP protocol.
    Mon May 25 18:43:25 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 7212 which use the TCP protocol.
    Mon May 25 19:27:52 2009
    =>Found attack from 222.215.230.49.
    Source port is 12200 and destination port is 8000 which use the TCP protocol.
    Mon May 25 19:29:24 2009
    =>Found attack from 222.215.230.49.
    Source port is 12200 and destination port is 7212 which use the TCP protocol.
    Mon May 25 19:30:25 2009
    =>Found attack from 222.215.230.49.
    Source port is 12200 and destination port is 3128 which use the TCP protocol.
    Mon May 25 19:37:07 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 9090 which use the TCP protocol.
    Mon May 25 19:37:07 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 7212 which use the TCP protocol.
    Mon May 25 19:43:50 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 9090 which use the TCP protocol.
    Mon May 25 19:43:50 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 7212 which use the TCP protocol.
    Mon May 25 19:58:17 2009
    =>Found attack from 218.27.133.206.
    Source port is 6000 and destination port is 4899 which use the TCP protocol.
    Mon May 25 20:06:02 2009
    =>Found attack from 125.65.165.139.
    Source port is 12200 and destination port is 3128 which use the TCP protocol.
    Mon May 25 20:08:36 2009
    =>Found attack from 61.160.216.187.
    Source port is 6000 and destination port is 7212 which use the TCP protocol.
    Mon May 25 20:08:36 2009
    =>Found attack from 61.160.216.187.
    Source port is 6000 and destination port is 8000 which use the TCP protocol.
    Mon May 25 20:12:12 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 9090 which use the TCP protocol.
    Mon May 25 20:12:12 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 7212 which use the TCP protocol.
    Mon May 25 20:18:54 2009
    =>Found attack from 60.172.229.11.
    Source port is 6000 and destination port is 2967 which use the TCP protocol.
    Mon May 25 20:32:50 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 9090 which use the TCP protocol.
    Mon May 25 20:32:50 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 7212 which use the TCP protocol.
    Mon May 25 20:39:32 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 7212 which use the TCP protocol.
    Mon May 25 20:44:10 2009
    =>Found attack from 209.51.201.98.
    Source port is ICMP and destination port is ICMP which use the ICMP protocol.
    Mon May 25 21:07:25 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 7212 which use the TCP protocol.
    Mon May 25 21:14:07 2009
    =>Found attack from 221.195.73.68.
    Source port is 6000 and destination port is 7212 which use the TCP protocol.
    Mon May 25 21:14:07 2009
    =>Found attack from 221.195.73.68.
    Source port is 6000 and destination port is 8000 which use the TCP protocol.
    Mon May 25 21:14:37 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 7212 which use the TCP protocol.
    Mon May 25 21:26:30 2009
    =>Found attack from 119.161.130.75.
    Source port is 6000 and destination port is 2967 which use the TCP protocol.
    Mon May 25 21:32:10 2009
    =>Found attack from 64.80.103.235.
    Source port is 1847 and destination port is 5900 which use the TCP protocol.
    Mon May 25 21:35:46 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 9090 which use the TCP protocol.
    Mon May 25 21:35:46 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 7212 which use the TCP protocol.
    Mon May 25 21:42:59 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 9090 which use the TCP protocol.
    Mon May 25 21:54:21 2009
    =>Found attack from 61.160.216.187.
    Source port is 6000 and destination port is 7212 which use the TCP protocol.
    Mon May 25 21:54:21 2009
    =>Found attack from 61.160.216.187.
    Source port is 6000 and destination port is 8000 which use the TCP protocol.
    Mon May 25 21:56:55 2009
    =>Found attack from 221.192.199.36.
    Source port is 12200 and destination port is 7212 which use the TCP protocol.
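
A way to tally a log in this format by source address, as an added example (not part of the original post and not the router's own code). The sample input is four entries copied from the log above; the function names are illustrative.

```python
import re
from datetime import datetime

# Four entries copied from the log in the post above, used as sample input.
SAMPLE_LOG = """\
Mon May 25 18:22:48 2009
=>Found attack from 61.160.216.187.
Source port is 6000 and destination port is 7212 which use the TCP protocol.
Mon May 25 18:42:55 2009
=>Found attack from 218.22.25.10.
Source port is 51253 and destination port is 22 which use the TCP protocol.
Mon May 25 20:08:36 2009
=>Found attack from 61.160.216.187.
Source port is 6000 and destination port is 8000 which use the TCP protocol.
Mon May 25 20:44:10 2009
=>Found attack from 209.51.201.98.
Source port is ICMP and destination port is ICMP which use the ICMP protocol.
"""

ENTRY = re.compile(
    r"^\s*(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\s*\n"
    r"\s*=>Found attack from (?P<src>\d+(?:\.\d+){3})\.\s*\n"
    r"\s*Source port is (?P<sport>\w+) and destination port is (?P<dport>\w+)"
    r" which use the (?P<proto>\w+) protocol\.",
    re.MULTILINE,
)

def parse_log(text):
    """Return one dict per three-line entry; ports stay strings ("ICMP" occurs)."""
    entries = [m.groupdict() for m in ENTRY.finditer(text)]
    for e in entries:
        e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
    return entries

def summarize(entries):
    """Per source: hit count, distinct (proto, dest port) targets, first/last seen."""
    out = {}
    for e in entries:
        s = out.setdefault(e["src"], {"hits": 0, "targets": set(),
                                      "first": e["ts"], "last": e["ts"]})
        s["hits"] += 1
        s["targets"].add((e["proto"], e["dport"]))
        s["first"], s["last"] = min(s["first"], e["ts"]), max(s["last"], e["ts"])
    return out

if __name__ == "__main__":
    for src, s in summarize(parse_log(SAMPLE_LOG)).items():
        print(src, s["hits"], sorted(s["targets"]), s["last"] - s["first"])
```

Run over the full log, the same summary shows which sources return repeatedly and which destination ports each one tried.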
     
  2. aidil

    aidil Notebook Evangelist

    I'd say it's a jungle out there. So your router is only doing its job guarding your LAN from unknown internet traffic knocking on the other side of your fence. :D
     
  3. Bog

    Bog Losing it...

    Note that all these "attacks" are rarely from the same IP... it is likely just erratic internet traffic that just so happens to make a request (not necessarily a malicious attack) to connect with your router.
     
  4. SunandFun

    SunandFun Notebook Enthusiast

    Thanks for your replies. I have read that you should make sure that you have no open ports. What does that mean, and how do I know if I have any open ports that should be closed? I just let the router configure everything with the setup disc included, so I really didn't mess with any settings other than creating a password for the router and changing the setting to configure using n only instead of g and n.

    Can anyone tell me step by step how to see if I have any open ports (would this be for LAN and WAN)?

    I'm just nervous since this is my first wireless laptop and have always just used a LAN.
     
  5. Bog

    Bog Losing it...

    Ports are usually left open in order to let bound programs or services (for example, Remote Desktop or the Windows Terminal Server service) receive data from outside sources (this is called listening); malicious attacks known as port scans can take advantage of known port bindings for various Windows services.

    However, if it is just background internet traffic then it's harmless. I would leave the firewall configuration the way it is unless you know what you're doing; if you inadvertently close a port that is bound to some process or service, you may screw things up.
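
One way to see which ports a Windows machine is listening on, as an added example that is not part of the original thread: it parses the text printed by `netstat -an` and separates loopback-only listeners from those bound to a network address. The netstat sample is constructed, the function names are illustrative, and the PROBED set lists the destination TCP ports from the router log earlier in the thread.

```python
import ipaddress

# Destination TCP ports that appear in the router log earlier in this thread.
PROBED = {22, 25, 2967, 3128, 4899, 5900, 7212, 8000, 9090}

# Constructed sample in the layout printed by Windows `netstat -an`.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8000         0.0.0.0:0              LISTENING
  TCP    192.168.2.3:139        0.0.0.0:0              LISTENING
  TCP    192.168.2.3:49212      203.0.113.7:443        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
"""

def listeners(text):
    """Yield (bind_address, port) for every TCP socket in LISTENING state."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING":
            host, _, port = f[1].rpartition(":")
            yield ipaddress.ip_address(host.strip("[]")), int(port)

def review(text, probed=PROBED):
    """Split listeners into loopback-only and network-bound, flag probed ports."""
    report = {"loopback": [], "network": [], "probed_and_reachable": []}
    for addr, port in listeners(text):
        if addr.is_loopback:
            report["loopback"].append(port)  # only this machine can connect
            continue
        report["network"].append(port)       # other hosts can connect
        if port in probed:
            report["probed_and_reachable"].append(port)
    return report

if __name__ == "__main__":
    for kind, ports in review(SAMPLE_NETSTAT).items():
        print(f"{kind}: {ports}")
```

A listener bound to a non-loopback address accepts connections from other machines on the network; whether internet traffic can reach it depends on the router forwarding that port.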
     
  6. CyberVisions

    CyberVisions Martian Notebook Overlord

    You've likely answered your own question, but read further down to see where the IP addresses resolve to first.

    Some A/V and other security programs routinely check for potential security issues by actively scanning your system and router for ports that may be vulnerable. Seeing this type of activity in a log and thinking it may be an attack is a common mistake made by programmers who are publishing programs to online servers that are being protected by active scanning services. They'll notice the server log file as part of their routine and note the "attacks" in the log file. I've had "server attacks" reported by programmers doing work on client servers whose sites are being protected by active scanning services to maintain PCI Standard compliance. The service routinely probes the server's access ports looking for vulnerabilities, and reports any problems it finds.

    If you didn't have WPA2 enabled previously, it's likely this has always been there and you're just now seeing it being logged since you've enabled it.

    Checking the IP addresses involved, virtually all of the IP addresses resolve to APNIC.net, the Asian Registrar and Services company, which is probably your ISP, or the umbrella organization for your ISP or hosting services provider. The individual company the IPs resolve to is China Telecom. If that is a service you use then it's likely not a problem. If not, then I'd be suspicious.

    To check each IP source, go to this APNIC link:

    APNIC WHOIS SEARCH


    Do a copy and paste on the IP addresses and you'll see where they're coming from. Though there are different IP addresses, for the most part they resolve to China Telecom or a Beijing/other subsidiary.

    It is common for these types of services to run periodic security scans on customer routers if the customer has signed up for A/V protection and/or other security protection offered by their ISP, at least in this hemisphere of the planet. Only you can determine if it's the same where you are, but if you're using online security protection, then it's likely that's why you're seeing these scans. I'd be willing to guess you swapped the Belkin router for one that you were renting from your ISP and that's why you're just seeing it now.

    The time period involved is over 3 hours, almost 4, and that's long for any security scan, though it depends on the type of service you have. Some security service scans, as I said previously, are meant to be random and periodic to simulate real attacks. If China Telecom or one of its subsidiaries is your ISP, then you might check your ISP services to see if there is such a security scanning protection/prevention program in place as part of your Internet Service. If not, then I'd be asking pointed questions.