|
|
|
I have a NAS connected to my router, with 1 port forwarded to it (5xxxx). The NAS runs transmission-daemon for downloading torrents using the above mentioned port.
The last torrent downloaded was Ubuntu a few days ago, which has finished, been removed and is not seeding. There are no other torrents seeding or otherwise.
Basically I have noticed for the past 2 days the LAN1 port (my NAS) on the router and also the internet port have been flashing fast and constantly. If I disconnect the internet, the LAN port for NAS also stops flashing, as if it is communicating with the internet.
I checked the netgear router logs and sure enough it is filled with incoming rule matches every second for the last few days from a wide range of external IPs. This rule match is the port forward mentioned above.
I deleted the rule and immediately the LAN port stops flashing, but internet light is still flashing as before, even when I detach all devices and disable wireless.
Is this some sort of attack on the torrent port? Or would torrent clients still be trying to connect to my IP even days after removing?
Any advice would be appreciated.
|
|
|
|
Further to my original post, since removing the forward rule, the netgear is now logging the connections as DOS..
Wed, 2011-05-04 09:08:11 - UDP Packet - Source:175.136.126.203,31299 Destination:188.222.xxx.xxx,51413 - [DOS]
Wed, 2011-05-04 09:08:11 - UDP Packet - Source:125.74.86.176,21369 Destination:188.222.xxx.xxx,51413 - [DOS]
Wed, 2011-05-04 09:08:11 - UDP Packet - Source:88.111.108.37,24339 Destination:188.222.xxx.xxx,51413 - [DOS]
Wed, 2011-05-04 09:08:11 - UDP Packet - Source:151.27.51.213,7017 Destination:188.222.xxx.xxx,51413 - [DOS]
Wed, 2011-05-04 09:08:12 - UDP Packet - Source:89.126.34.122,37514 Destination:188.222.xxx.xxx,51413 - [DOS]
|
|
|
would torrent clients still be trying to connect to my IP even days after removing?
It's either that (which is quite likely), or the usual port-scanning bots that are out there. Wouldn't worry about it too much if that's the only service you have open.
Does your router's firewall log show vast numbers of blocked\dropped attempts from all sorts of ports? If it does, try rebooting the router, so that you get a different public IP, and see what happens then.
|
|
|
|
|
the netgear is now logging the connections as DOS..
Probably because of the high port number.
From that extract, it looks like you're getting many different IPs attempting to access that port, rather than each IP hitting a range of ports.
|
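The distinction drawn in the reply above (many different IPs hitting one port, versus one IP hitting a range of ports) can be checked directly from the router log. This is an added example, not part of the original thread: the sample lines are constructed in the thread's log format, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Line format taken from the Netgear log extract quoted in the thread.
# The destination may be partly redacted ("xxx"), so "x" is accepted there.
LINE_RE = re.compile(
    r"(?P<proto>\w+) Packet - Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\dx.]+),(?P<dport>\d+)"
)

# Constructed sample (documentation address ranges, not real hosts):
# five sources hitting the torrent port, plus one source walking low ports.
SAMPLE_LOG = """\
Wed, 2011-05-04 09:08:11 - UDP Packet - Source:198.51.100.11,31299 Destination:203.0.113.xxx,51413 - [DOS]
Wed, 2011-05-04 09:08:11 - UDP Packet - Source:198.51.100.12,21369 Destination:203.0.113.xxx,51413 - [DOS]
Wed, 2011-05-04 09:08:11 - UDP Packet - Source:198.51.100.13,24339 Destination:203.0.113.xxx,51413 - [DOS]
Wed, 2011-05-04 09:08:11 - UDP Packet - Source:198.51.100.14,7017 Destination:203.0.113.xxx,51413 - [DOS]
Wed, 2011-05-04 09:08:12 - UDP Packet - Source:198.51.100.15,37514 Destination:203.0.113.xxx,51413 - [DOS]
Wed, 2011-05-04 09:08:13 - UDP Packet - Source:192.0.2.50,40000 Destination:203.0.113.xxx,21 - [DOS]
Wed, 2011-05-04 09:08:13 - UDP Packet - Source:192.0.2.50,40001 Destination:203.0.113.xxx,22 - [DOS]
Wed, 2011-05-04 09:08:13 - UDP Packet - Source:192.0.2.50,40002 Destination:203.0.113.xxx,23 - [DOS]
Wed, 2011-05-04 09:08:14 - UDP Packet - Source:192.0.2.50,40003 Destination:203.0.113.xxx,80 - [DOS]
"""


def parse_log(log_text):
    """Return (source_ip, dest_port) for every line matching the format."""
    return [(m["src"], int(m["dport"])) for m in LINE_RE.finditer(log_text)]


def classify(events, threshold=3):
    """Separate fan-in to one port from single sources sweeping many ports.

    threshold is an assumed cut-off: the number of distinct sources (or
    ports) needed before a pattern is reported.
    """
    srcs_by_port = defaultdict(set)
    ports_by_src = defaultdict(set)
    for src, dport in events:
        srcs_by_port[dport].add(src)
        ports_by_src[src].add(dport)
    fan_in = {p: len(s) for p, s in srcs_by_port.items() if len(s) >= threshold}
    scanners = {s: len(p) for s, p in ports_by_src.items() if len(p) >= threshold}
    return {"fan_in_ports": fan_in, "scanning_sources": scanners}


if __name__ == "__main__":
    print(classify(parse_log(SAMPLE_LOG)))
```

Many distinct sources converging on the one previously forwarded port is the pattern the thread attributes to leftover torrent peers; a source listed under `scanning_sources` is the port-scan pattern instead.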
|
|
|
Logs are only showing connections on that specific port.
I do believe this sorta thing has happened before, last time it happened the router seemed to [censored] itself and refused wifi clients to connect etc. Rebooting it and getting a new WAN ip solved it before.
Obviously I would like to have a port forwarded for the purpose of torrents, but would rather not get DOSd in the process.
|
|
|
Obviously I would like to have a port forwarded for the purpose of torrents, but would rather not get DOSd in the process.
You (almost certainly) won't. Keep your forwarding rules as limited as you can and you'll be fine. The number of attempts you're seeing still generates a very limited volume of traffic.
The previous problem you mention may simply have been the router struggling to manage the vast number of connections and running out of processor\memory.
If that's freenas you're running, get it up to a recent version,
http://www.learnfreenas.com/blog/2010/11/10/freenas-...
Even that shouldn't be a problem really - you only have one high port open, and the vulnerability requires port 80.
I did have FTP enabled, and decided to disable it - the limited use I was making of FTP wasn't worth the huge number of attempted logins from others.
|
|
|
|
Cheers for the info.
I am actually running Ubuntu Server.
I was getting horrible internet speeds last night and was concerned this was causing it, perhaps it's just a coincidence. I will wait until my WAN ip changes then re-enable the port forward and see how it goes.
|
|
|
|
In that case, just keep it patched and only run the services on the server that you have to. (Generic advice, but surprisingly rarely followed)
Speeds? Might be that the router was suffering some brain-fade with the number of connections requested, more likely to be just congestion elsewhere though.
|
|
|
|
Cheers.
As a precaution I will also rotate the torrent port on NAS and router every few days.
|
|
|
|
Shouldn't really be necessary, I've run a similar setup for about a year with no unwanted side-effects.
Odds are that there's a rarely-updated tracker somewhere that's causing this.
|