198.144.159.110 scanning port, Scanning without target?
TSxxboxx
Aug 3 2021, 09:56 PM, updated 5y ago
This IP, 198.144.159.110, has been scanning ports on my router for a few days. The Skynet log shows this IP has been blocked a few thousand times, compared to the second highest, which is just a few hundred times. The IP is already in the FireHOL banned list as firehol_level3. Reverse lookup goes to Netminders Server Hosting (AS7040) in Canada. It is using ports 58863, 58808, 58845, 58871, and 58854 to probe. VirusTotal shows all security vendors list it as clean except for CINS Army.
I disconnected all LAN cables from the router, disabled Wi-Fi and cold booted the router. DDNS is not enabled. I waited 5 minutes after having internet before connecting a device back to check the log. Sure enough, in those 5 minutes there were multiple entries for this IP. So I guess it just does massive scanning on all IPs? I can't think of any other way it can target me. Unless my router keeps sending a beacon to it, which I highly doubt. I'm using the latest Asus wrt firmware and Skynet. Now it's been almost 5 hours and it has scanned almost 1000 times. Only 26 times did it scan the same port number twice.
neuromancerx
Aug 4 2021, 05:49 PM
I guess it's normal and we can't really control for Internet scanning/noise.
As long as you don't have any open ports you should be fine. If you have free time, try setting up a t-pot.
TSxxboxx
Aug 4 2021, 07:02 PM
QUOTE(neuromancerx @ Aug 4 2021, 05:49 PM)
I guess it's normal and we can't really control for Internet scanning/noise. As long as you don't have any open ports you should be fine. If you have free time, try setting up a t-pot.

It does make me feel uncomfortable, as if I'm being targeted. I also worry that that many nonstop scans will overwhelm the router. Yesterday, after the router cycled to another IP address, I was immediately hit by 89.248.165.90 nonstop at port 40003. Within a few minutes it had done almost 1000 probes. Is t-pot a honeypot? I roughly understand a honeypot is deliberately opening a port to attract malware or hackers, but I don't see what good doing that is for a normal user.
heLL_bOy
Aug 4 2021, 08:09 PM
After changing IP address, still getting non-stop port scanning?
I guess your device/machine probably has hidden malware.
xCryptik
Aug 4 2021, 09:03 PM
Are you a high-value target? Hehehe...
TSxxboxx
Aug 4 2021, 09:09 PM
QUOTE(heLL_bOy @ Aug 4 2021, 08:09 PM)
After changing IP address, still getting non-stop port scanning? I guess your device/machine probably has hidden malware.

No device is connected by LAN cable and Wi-Fi is disabled. No DDNS. On the latest Asus wrt firmware, and the only script installed is Skynet. Cold boot start and got a new IP. I don't think there is a virus or malware infecting the router, or else many others would also be having the same thing. But I can't think of any other way it can still find me again.
TSxxboxx
Aug 4 2021, 09:12 PM
QUOTE(xCryptik @ Aug 4 2021, 09:03 PM)
Are you a high-value target? Hehehe...

Surely not. This must be bot malware that is doing such an obvious probe. I just can't figure out how it can find me again.
failed.hashcheck
Aug 4 2021, 11:53 PM
It's normal. If you set up a server on a popular provider you can get scanned and brute-forced by hundreds of IPs, thousands of times each, every hour. Just close the firewall and rate limit failed attempts.
It's not that they are following your IP; you just happen to be inside their scanning IP range, which is the same no matter how you refresh your dynamic IP.
For you, getting thousands of rogue pings sounds alarming. But for the origin server, doing that to thousands of IPs over and over barely consumes any CPU cycles, and they can keep doing that indefinitely for almost free.
This post has been edited by failed.hashcheck: Aug 4 2021, 11:55 PM
TSxxboxx
Aug 5 2021, 08:16 AM
QUOTE(failed.hashcheck @ Aug 4 2021, 11:53 PM)
It's normal. If you set up a server on a popular provider you can get scanned and brute-forced by hundreds of IPs, thousands of times each, every hour. Just close the firewall and rate limit failed attempts. It's not that they are following your IP; you just happen to be inside their scanning IP range, which is the same no matter how you refresh your dynamic IP. For you, getting thousands of rogue pings sounds alarming. But for the origin server, doing that to thousands of IPs over and over barely consumes any CPU cycles, and they can keep doing that indefinitely for almost free.

Thanks for the reassurance. I guess sometimes a rogue botnet will go crazy scanning. Yesterday it finally stopped scanning.
soul78
Aug 5 2021, 08:24 AM
Your router should absorb most of these scans... and tempban them if the issue persists for a long time.
To be safe, do check your side of the OS to ensure there is no malware or virus that has infiltrated your system.
neuromancerx
Aug 7 2021, 08:11 PM
I can reassure you that this is normal. It's called Internet noise for a reason. What you should worry about is if asuswrt is showing or blocking lots of malicious connections from your INTERNAL clients; it's a sign of compromised hosts.
Enable all the options under Asus AI Protection.
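
The distinction drawn in this thread, as an added example that is not part of any post: the script below summarizes firewall block entries into inbound scanners (hits versus distinct destination ports, the pattern the thread starter counted by hand) and blocked connections from internal clients (the case flagged above as a sign of compromise). The log prefix, field order, LAN range, `SAMPLE_LOG` and `report()` are assumptions made for illustration; the sample lines are constructed and use documentation addresses.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the style of an iptables LOG line with a direction
# prefix. The prefix text and field order are assumptions; adapt LINE_RE.
SAMPLE_LOG = """\
Aug  3 21:40:01 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=58863 DPT=8081
Aug  3 21:40:09 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=58808 DPT=2323
Aug  3 21:40:15 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=58845 DPT=5555
Aug  3 21:40:31 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=58871 DPT=8081
Aug  3 21:41:02 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.20 PROTO=TCP SPT=40112 DPT=40003
Aug  3 21:42:10 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.77 PROTO=TCP SPT=49152 DPT=443
Aug  3 21:42:40 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.78 PROTO=TCP SPT=49153 DPT=443
"""

LINE_RE = re.compile(
    r"\[BLOCKED - (INBOUND|OUTBOUND)\].*?SRC=(\S+) DST=(\S+).*?DPT=(\d+)")


def report(log_text, lan="192.168.1.0/24"):
    """Summarize block entries: inbound scanners vs. blocked LAN clients."""
    lan_net = ip_network(lan)                    # assumed LAN range
    inbound = defaultdict(lambda: [0, set()])    # src -> [hits, dest ports]
    internal = defaultdict(lambda: [0, set()])   # LAN src -> [hits, dest IPs]
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                             # not a block entry
        direction, src, dst, dpt = m.groups()
        if direction == "INBOUND":
            inbound[src][0] += 1
            inbound[src][1].add(int(dpt))
        elif ip_address(src) in lan_net:         # blocked traffic leaving the LAN
            internal[src][0] += 1
            internal[src][1].add(dst)

    def rank(table):
        rows = [(ip, v[0], len(v[1])) for ip, v in table.items()]
        return sorted(rows, key=lambda row: -row[1])

    # scanners: (source, hits, distinct ports probed)
    # internal: (LAN client, hits, distinct destinations)
    return {"scanners": rank(inbound), "internal": rank(internal)}


if __name__ == "__main__":
    for section, rows in report(SAMPLE_LOG).items():
        print(section, rows)
```

A long `scanners` list with many distinct ports per source is the background noise described in the thread; any row under `internal` is the part worth investigating.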