
bitts (macrumors newbie, original poster)
Hi, GRC's Shields Up just showed me that port 443 was open on my Mac Air. I'm not running anything that would or should have it be open. Can someone walk me through the steps to close it?
When I ran the terminal command sudo lsof -i :443 to see what process was running on this port, it gave me a HUGE output, like this:


COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ngagentd 76 root 20u IPv4 0x58230338a7c01557 0t0 TCP 192.168.1.4:53520->104.17.108.108:https (ESTABLISHED)
syspolicy 147 root 21u IPv4 0x58230338a7bfce3f 0t0 TCP 192.168.1.4:53660->17.248.188.103:https (ESTABLISHED)
findmydev 239 root 8u IPv4 0x58230338a2906f7f 0t0 TCP 192.168.1.4:53650->17.248.174.6:https (ESTABLISHED)
BDCoreIss 294 root 12u IPv4 0x582303389ff34b2f 0t0 TCP 192.168.1.4:53579->227.211.149.34.bc.googleusercontent.com:https (ESTABLISHED)
StocksWid 59104 tibs 7u IPv4 0x582303389cb2328f 0t0 TCP 192.168.1.4:53457->media-router-apple71.prod.media.vip.gq1.yahoo.com:https (CLOSED)
StocksWid 59104 tibs 16u IPv4 0x58230338b37c0e3f 0t0 TCP 192.168.1.4:53458->a72-246-157-144.deploy.static.akamaitechnologies.com:https (CLOSED)
Microsoft 59915 tibs 66u IPv4 0x58230338b37b8b2f 0t0 TCP 192.168.1.4:52530->52.109.2.53:https (ESTABLISHED)
Microsoft 59915 tibs 67u IPv4 0x58230338b37b8b2f 0t0 TCP 192.168.1.4:52530->52.109.2.53:https (ESTABLISHED)
firefox 59942 tibs 26u IPv4 0x58230338b37c69a7 0t0 TCP 192.168.1.4:53496->104.16.248.249:https (ESTABLISHED)
firefox 59942 tibs 29u IPv4 0x582303389ff30417 0t0 TCP 192.168.1.4:53485->lax17s49-in-f5.1e100.net:https (ESTABLISHED)
firefox 59942 tibs 31u IPv4 0x58230338a2901417 0t0 TCP 192.168.1.4:53646->104.16.148.64:https (ESTABLISHED)
firefox 59942 tibs 58u IPv4 0x582303389cb26f7f 0t0 TCP 192.168.1.4:53474->ec2-44-224-160-20.us-west-2.compute.amazonaws.com:https (ESTABLISHED)
firefox 59942 tibs 67u IPv4 0x58230338a7bfc417 0t0 TCP 192.168.1.4:53562->123.208.120.34.bc.googleusercontent.com:https (ESTABLISHED)
firefox 59942 tibs 76u IPv4 0x58230338a2906557 0t0 TCP 192.168.1.4:53564->102.115.120.34.bc.googleusercontent.com:https (ESTABLISHED)
firefox 59942 tibs 80u IPv4 0x58230338a29046df 0t0 TCP 192.168.1.4:53565->76.237.120.34.bc.googleusercontent.com:https (ESTABLISHED)
firefox 59942 tibs 108u IPv4 0x58230338af0ace3f 0t0 TCP 192.168.1.4:53599->dd-in-f94.1e100.net:https (ESTABLISHED)
firefox 59942 tibs 126u IPv4 0x58230338b3574867 0t0 TCP 192.168.1.4:53605->151.101.65.69:https (ESTABLISHED)
firefox 59942 tibs 129u IPv4 0x58230338a5fe6867 0t0 TCP 192.168.1.4:53636->lax31s14-in-f3.1e100.net:https (ESTABLISHED)
firefox 59942 tibs 136u IPv4 0x58230338b37b8107 0t0 TCP 192.168.1.4:53628->lax31s01-in-f2.1e100.net:https (ESTABLISHED)
firefox 59942 tibs 147u IPv4 0x58230338af0ad867 0t0 TCP 192.168.1.4:53623->151.101.24.193:https (ESTABLISHED)
firefox 59942 tibs 148u IPv4 0x58230338a2901e3f 0t0 TCP 192.168.1.4:53648->104.16.148.64:https (ESTABLISHED)
firefox 59942 tibs 155u IPv4 0x58230338a29079a7 0t0 TCP 192.168.1.4:53651->ec2-54-205-69-200.compute-1.amazonaws.com:https (ESTABLISHED)
firefox 59942 tibs 157u IPv4 0x58230338b37b5867 0t0 TCP 192.168.1.4:53652->239.237.117.34.bc.googleusercontent.com:https (ESTABLISHED)
firefox 59942 tibs 159u IPv4 0x58230338af0b1557 0t0 TCP 192.168.1.4:53653->221.5.120.34.bc.googleusercontent.com:https (ESTABLISHED)
Microsoft 60252 tibs 15u IPv4 0x58230338a7bfd867 0t0 TCP 192.168.1.4:53661->13.69.116.104:https (ESTABLISHED)
Microsoft 60252 tibs 17u IPv4 0x58230338a7c029a7 0t0 TCP 192.168.1.4:53662->13.69.116.104:https (ESTABLISHED)
Microsoft 60252 tibs 18u IPv4 0x58230338a7bff6df 0t0 TCP 192.168.1.4:53667->13.69.116.104:https (ESTABLISHED)
Microsoft 60252 tibs 19u IPv4 0x582303389cb25b2f 0t0 TCP 192.168.1.4:53668->13.69.116.104:https (ESTABLISHED)
Microsoft 60252 tibs 22u IPv4 0x58230338a72acf7f 0t0 TCP 192.168.1.4:53669->13.69.116.104:https (ESTABLISHED)
tibs@MacBook-Air ~ %


I don't know if that was the right command to run, or if this helps at all, but if anyone can help me with this I'd greatly appreciate it. Please go easy on me, I'm kind of a newbie. :) Thanks.
 
Port 443 is a virtual port that computers use to divert network traffic. ... HTTPS is secure and is on port 443, while HTTP is unsecured and available on port 80. Information that travels on the port 443 is encrypted using Secure Sockets Layer (SSL) or its new version, Transport Layer Security (TLS) and hence safer.

 
OK,

Thank you so much for the reply. I've read different things. To my understanding, yes, 443 is for HTTPS, but unless I'm running a web server or have some other use for it being open, it should be closed, because it does in fact pose many security threats. This is what I have found to be true on many threads, including Shields Up. Shields Up just explains how to close it for Windows though, not Mac. So I'm looking for a solution to close it for a Mac.
 

Port 443

HTTPS (Hypertext Transfer Protocol Secure) is a secured HTTP version where all traffic is bound with strong encryption that passes through 443. This port is also connected with the TCP protocol and creates a secure connection between the web pages and the browser. HTTPS port 443 was officially published in RFC 1700 and solicited by "Kipp E.B. Hickman". The main difference between port 80 and port 443 is strong security. Port 443 allows data transmission over a secured network, while port 80 enables data transmission in plain text. Users will get an insecure warning if they try to access a non-HTTPS web page. Port 443 encrypts network data packets before data transmission takes place. The security over port 443 is used by the SSL protocol (Secure Sockets Layer).

Due to the much-needed awareness spread among internet users regarding the safety of the data they share with websites, over 95% of website accesses are done using a secure HTTPS connection over port 443, according to Google's research.
 
You're right that port 443 can and should be closed, and this will not interfere with traffic initiated by you that uses HTTPS. I'd look at your router as well as the firewall on the Mac, but I think you did that?
 
Yes, the firewall on my Mac is set to stealth mode, and what exactly would I look for in my router? I believe everything there is configured correctly. It seems I'm supposed to find out what process or application is utilizing 443 and close that, but when I ran the command to see what was on 443, the output above in my initial comment is what I got, which I don't really understand what to do with....
 
But thank you for confirming that it is in fact supposed to be closed :)
 
Every router brand/firmware version is different and has its own firewall settings. In addition to firewall (or "security"), look for 'remote admin' or something similar, which might be under administration or system. This option (if it's there) allows for remote administration of the router via HTTPS, so it would be a culprit. Screenshots, a list of what's there, or more info about the router might help us help you.
 
Hi, thanks for your reply. So I'm using a Netgear Nighthawk RAX30. I called Netgear support to ask how to close ports. He walked me through it and showed me to go to Web Services Management and uncheck "Always use HTTPS to access this router". However,

before I did that, we looked at my logs, and I had hundreds of [DoS attack:ACK_Scan] from source 52.96.188.178, port 443 DATE & TIME,
so he told me to reboot my router to factory settings and change all my passwords and Wi-Fi names, which I did. I then unchecked the port 443 box, checked back at the end of the day, and STILL I get this:
Monday, January 17, 2022 09:46:59
[DoS attack:ACK_Scan] from source: 52.96.190.210,port 443, Monday, January 17, 2022 09:35:41
[DoS attack:ACK_Scan] from source: 52.96.228.130,port 443, Monday, January 17, 2022 09:27:41
[DoS attack:ACK_Scan] from source: 52.96.165.66,port 443, Monday, January 17, 2022 09:07:26
[DoS attack:ACK_Scan] from source: 52.96.188.146,port 443, Monday, January 17, 2022 09:05:13
[DoS attack:ACK_Scan] from source: 52.96.165.82,port 443, Monday, January 17, 2022 09:04:52
[DoS attack:ACK_Scan] from source: 52.96.165.98,port 443, Monday, January 17, 2022 08:57:59
[DoS attack:ACK_Scan] from source: 52.96.166.226,port 443, Monday, January 17, 2022 08:45:13
[DoS attack:ACK_Scan] from source: 52.96.110.98,port 443, Monday, January 17, 2022 08:22:39
[DoS attack:ACK_Scan] from source: 52.96.42.66,port 443, Monday, January 17, 2022 08:05:45
[DoS attack:ACK_Scan] from source: 52.96.165.66,port 443, Monday, January 17, 2022 07:59:39
[DoS attack:ACK_Scan] from source: 52.96.110.2,port 443, Monday, January 17, 2022 07:51:59
[DoS attack:ACK_Scan] from source: 52.96.187.226,port 443, Monday, January 17, 2022 07:43:59
[DoS attack:ACK_Scan] from source: 52.96.110.2,port 443, Monday, January 17, 2022 07:25:10
[DoS attack:ACK_Scan] from source: 52.96.166.18,port 443, Monday, January 17, 2022 07:14:49
[DoS attack:ACK_Scan] from source: 52.96.104.242,port 443, Monday, January 17, 2022 07:04:31
[DoS attack:ACK_Scan] from source: 52.96.110.66,port 443, Monday, January 17, 2022 07:03:48
[DoS attack:ACK_Scan] from source: 52.96.42.82,port 443, Monday, January 17, 2022 06:54:27
[DoS attack:ACK_Scan] from source: 52.96.110.66,port 443, Monday, January 17, 2022 06:44:23
[DoS attack:ACK_Scan] from source: 52.96.104.194,port 443, Monday, January 17, 2022 06:24:27
[DoS attack:ACK_Scan] from source: 52.96.36.82,port 443, Monday, January 17, 2022 06:18:52
[DoS attack:ACK_Scan] from source: 52.96.42.82,port 443, Monday, January 17, 2022 06:15:00
[DoS attack:ACK_Scan] from source: 81.177.165.82,port 443, Monday, January 17, 2022 06:07:11
[DoS attack:ACK_Scan] from source: 52.96.166.194,port 443, Monday, January 17, 2022 06:04:42
[DoS attack:ACK_Scan] from source: 52.96.166.194,port 443, Monday, January 17, 2022 06:01:48
[DoS attack:ACK_Scan] from source: 52.96.110.50,port 443, Monday, January 17, 2022 06:00:50
[DoS attack:ACK_Scan] from source: 52.96.190.210,port 443, Monday, January 17, 2022 05:54:21
[DoS attack:ACK_Scan] from source: 52.96.110.66,port 443, Monday, January 17, 2022 05:51:06
[DoS attack:ACK_Scan] from source: 81.177.165.82,port 443, Monday, January 17, 2022 05:46:49
[DoS attack:ACK_Scan] from source: 52.96.166.130,port 443, Monday, January 17, 2022 05:44:00
[DoS attack:ACK_Scan] from source: 81.177.165.82,port 443, Monday, January 17, 2022 05:41:47
[DoS attack:ACK_Scan] from source: 52.96.110.18,port 443, Monday, January 17, 2022 05:41:04
[DoS attack:ACK_Scan] from source: 52.96.190.210,port 443, Monday, January 17, 2022 05:33:40
[DoS attack:ACK_Scan] from source: 52.96.190.210,port 443, Monday, January 17, 2022 05:31:07
[DoS attack:ACK_Scan] from source: 52.96.165.82,port 443, Monday, January 17, 2022 05:23:12
[DoS attack:ACK_Scan] from source: 52.96.188.162,port 443, Monday, January 17, 2022 05:13:12
[DoS attack:ACK_Scan] from source: 52.96.104.242,port 443, Monday, January 17, 2022 05:05:18
[DoS attack:ACK_Scan] from source: 52.96.228.130,port 443, Monday, January 17, 2022 04:55:18
[DoS attack:ACK_Scan] from source: 81.177.165.82,port 443, Monday, January 17, 2022 04:52:24
[DoS attack:ACK_Scan] from source: 52.96.190.210,port 443, Monday, January 17, 2022 04:45:29
[DoS attack:ACK_Scan] from source: 52.96.166.210,port 443, Monday, January 17, 2022 04:34:53
[DoS attack:ACK_Scan] from source: 52.96.166.210,port 443, Monday, January 17, 2022 04:30:52
[DoS attack:ACK_Scan] from source: 52.96.230.66,port 443, Monday, January 17, 2022 04:24:33
[DoS attack:ACK_Scan] from source: 52.96.166.146,port 443, Monday, January 17, 2022 04:14:25
[DoS attack:ACK_Scan] from source: 52.96.188.178,port 443, Monday, January 17, 2022 04:07:44
[DoS attack:ACK_Scan] from source: 52.96.190.210,port 443, Monday, January 17, 2022 04:04:11
[DoS attack:ACK_Scan] from source: 52.96.110.2,port 443, Monday, January 17, 2022 03:57:07
[DoS attack:ACK_Scan] from source: 52.96.42.82,port 443, Monday, January 17, 2022 03:53:39
[DoS attack:ACK_Scan] from source: 52.96.42.82,port 443, Monday, January 17, 2022 03:49:41
[DoS attack:ACK_Scan] from source: 52.96.70.130,port 443, Monday, January 17, 2022 03:44:58
[DoS attack:ACK_Scan] from source: 52.96.36.82,port 443, Monday, January 17, 2022 03:43:00
[DoS attack:ACK_Scan] from source: 52.96.110.50,port 443, Monday, January 17, 2022 03:32:24
[DoS attack:ACK_Scan] from source: 52.96.188.130,port 443, Monday, January 17, 2022 03:27:55
[DoS attack:ACK_Scan] from source: 52.96.42.66,port 443, Monday, January 17, 2022 03:21:49
[DoS attack:ACK_Scan] from source: 52.96.42.66,port 443, Monday, January 17, 2022 03:17:27
[DoS attack:ACK_Scan] from source: 52.96.59.226,port 443, Monday, January 17, 2022 03:07:45
[DoS attack:ACK_Scan] from source: 52.96.70.130,port 443, Monday, January 17, 2022 03:02:57
[DoS attack:ACK_Scan] from source: 52.96.187.226,port 443, Monday, January 17, 2022 03:02:28
[DoS attack:ACK_Scan] from source: 52.96.110.98,port 443, Monday, January 17, 2022 02:47:03
[DoS attack:ACK_Scan] from source: 52.96.110.98,port 443, Monday, January 17, 2022 02:46:12
[DoS attack:ACK_Scan] from source: 52.96.166.242,port 443, Monday, January 17, 2022 02:45:19
[DoS attack:ACK_Scan] from source: 52.96.165.66,port 443, Monday, January 17, 2022 02:33:15
[DoS attack:ACK_Scan] from source: 81.177.165.82,port 443, Monday, January 17, 2022 02:13:09
[DoS attack:ACK_Scan] from source: 52.96.110.114,port 443, Monday, January 17, 2022 02:08:10
[DoS attack:ACK_Scan] from source: 52.96.104.210,port 443, Monday, January 17, 2022 01:56:53
[DoS attack:ACK_Scan] from source: 52.96.165.82,port 443, Monday, January 17, 2022 01:44:23
[DoS attack:ACK_Scan] from source: 52.96.59.226,port 443, Monday, January 17, 2022 01:30:12
[DoS attack:ACK_Scan] from source: 52.96.110.34,port 443, Monday, January 17, 2022 01:25:18
[DoS attack:ACK_Scan] from source: 52.96.166.18,port 443, Monday, January 17, 2022 01:08:47
[DoS attack:ACK_Scan] from source: 52.96.188.162,port 443, Monday, January 17, 2022 00:59:06
[DoS attack:ACK_Scan] from source: 52.96.110.98,port 443, Monday, January 17, 2022 00:54:22
[DoS attack:ACK_Scan] from source: 52.96.166.178,port 443, Monday, January 17, 2022 00:44:50
[DoS attack:ACK_Scan] from source: 52.96.222.130,port 443, Monday, January 17, 2022 00:21:32
[DoS attack:ACK_Scan] from source: 52.96.110.34,port 443, Monday, January 17, 2022 00:15:30
[DoS attack:ACK_Scan] from source: 52.96.166.130,port 443, Monday, January 17, 2022 00:05:09
[DoS attack:ACK_Scan] from source: 52.96.166.162,port 443, Sunday, January 16, 2022 23:54:26
[DoS attack:ACK_Scan] from source: 45.158.12.60,port 80, Sunday, January 16, 2022 23:48:50
[DoS attack:ACK_Scan] from source: 52.96.165.66,port 443, Sunday, January 16, 2022 23:44:19
[DoS attack:ACK_Scan] from source: 52.96.228.130,port 443, Sunday, January 16, 2022 23:33:08
[DoS attack:ACK_Scan] from source: 52.96.59.226,port 443, Sunday, January 16, 2022 23:30:48
[DoS attack:ACK_Scan] from source: 13.109.221.131,port 443, Sunday, January 16, 2022 23:26:22
[admin login] from source 192.168.1.2, Sunday, January 16, 2022 23:22:58
[admin login] from source 192.168.1.2, Sunday, January 16, 2022 23:22:56
[DoS attack:ACK_Scan] from source: 52.96.165.114,port 443, Sunday, January 16, 2022 23:13:05
[DHCP IP: (192.168.1.5)] to MAC address e0:89:7e:5e:a4:a2, Sunday, January 16, 2022 23:08:43
[DoS attack:ACK_Scan] from source: 52.96.166.178,port 443, Sunday, January 16, 2022 23:02:28
[DoS attack:ACK_Scan] from source: 52.96.166.178,port 443, Sunday, January 16, 2022 23:00:43
[DoS attack:ACK_Scan] from source: 4.79.142.201,port 41220, Sunday, January 16, 2022 22:57:46
[DoS attack:ACK_Scan] from source: 13.109.221.131,port 443, Sunday, January 16, 2022 22:56:22
[DHCP IP: (192.168.1.2)] to MAC address 3c:22:fb:31:4c:98, Sunday, January 16, 2022 22:50:49
[DoS attack:ACK_Scan] from source: 52.96.42.82,port 443, Sunday, January 16, 2022 22:50:43
[DoS attack:ACK_Scan] from source: 192.168.1.2,port 60650,

I ran Shields Up and it says 443 is closed now, so I have no idea what's going on.
 

There are three parties involved in this discussion - your computer's network interface, your router, and the external server. Your opening post described an issue that only involves the first of the three; port 443 being open on your Mac Air. It seems likely that this is/was not the case. I don't know anything about GRC, but I'm guessing it found that port 443 was open on your router, not your Mac.

I have a feeling you just had the external interface of the router exposed for router administration on port 443. That's probably not a good idea. I don't really understand the purpose of the checkbox you unchecked "Always use HTTPS to access this router". I hope by unchecking it you aren't loosening up access (allowing unencrypted access) rather than turning it off.

The lsof command you used queries all usages of port 443 by your Mac, even if it's the external server's port number. Your computer contacts external servers on their port 443 all of the time. If you want to just see your own computer's process that's listening on port 443, then you would use the command like "lsof -i@192.168.1.4:443" (assuming your computer's network interface has IP address 192.168.1.4). In your listing, I didn't see that any process on your computer that was listening on port 443.

In your router logs, the 52.96.* addresses seem to be Microsoft addresses. I do see that you have some Microsoft process in your first listing that is also talking to a Microsoft address. So, I guess you are running some Microsoft software that is legitimately contacting Microsoft servers. For some reason, return packets from the Microsoft servers are now and again being flagged. I found this post

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/DoS-attack-ACK-Scan-from-source/td-p/1768924

which suggests that false positives are common for Netgear routers.
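To make the distinction in the reply above concrete, here is an added example (not code from any poster in this thread) that reads lsof output and separates sockets the Mac is actually listening on from connections it opened to remote port 443. It assumes lsof was run as "sudo lsof -nP -iTCP" so hosts and ports are numeric; the sample listing embedded in it is constructed in the thread's layout, and its "httpd" line is a hypothetical local listener added so the parser has something to find.

```python
"""Separate local listeners from outbound connections in lsof output.

Added example for this thread, not code from any poster. "sudo lsof -i :443"
matches a socket with 443 on EITHER end, so a browser's connections to remote
HTTPS servers are listed too. Only a line whose NAME ends in "(LISTEN)" is a
port open on the Mac itself. Usage:
    sudo lsof -nP -iTCP | python3 lsof_listeners.py
(-n/-P keep hosts and ports numeric, which this parser assumes).
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the thread's listing (numeric ports).
# The httpd line is hypothetical: it shows what a real local listener on 443
# would look like; the opening post's own listing contained no such line.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ngagentd     76 root   20u  IPv4 0x58230338a7c01557      0t0  TCP 192.168.1.4:53520->104.17.108.108:443 (ESTABLISHED)
firefox   59942 tibs   26u  IPv4 0x58230338b37c69a7      0t0  TCP 192.168.1.4:53496->104.16.248.249:443 (ESTABLISHED)
StocksWid 59104 tibs    7u  IPv4 0x582303389cb2328f      0t0  TCP 192.168.1.4:53457->198.51.100.7:443 (CLOSED)
httpd       910 root    4u  IPv6 0x58230338a2906f7f      0t0  TCP *:443 (LISTEN)
"""


@dataclass
class TcpSocket:
    command: str
    pid: int
    user: str
    local: str             # "192.168.1.4:53520" or "*:443"
    remote: Optional[str]  # None for a listening socket
    state: str             # LISTEN, ESTABLISHED, CLOSED, ...


# lsof NAME column: "<local>[-><remote>] (<STATE>)"
NAME_RE = re.compile(r"^(?P<local>\S+?)(?:->(?P<remote>\S+))?\s+\((?P<state>[A-Z_]+)\)$")


def parse_lsof(text: str) -> List[TcpSocket]:
    sockets: List[TcpSocket] = []
    for line in text.splitlines():
        cols = line.split(None, 8)  # NAME is the 9th column and contains a space
        if len(cols) < 9 or cols[0] == "COMMAND" or cols[7] != "TCP":
            continue
        m = NAME_RE.match(cols[8])
        if m is None:
            continue
        sockets.append(TcpSocket(cols[0], int(cols[1]), cols[2],
                                 m["local"], m["remote"], m["state"]))
    return sockets


def port_of(endpoint: str) -> Optional[int]:
    """Port of 'host:port'; None if lsof printed a name or '*' (run it with -P)."""
    tail = endpoint.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def listeners(sockets: List[TcpSocket], port: Optional[int] = None) -> List[TcpSocket]:
    """Sockets actually accepting inbound connections on this host."""
    return [s for s in sockets
            if s.state == "LISTEN" and (port is None or port_of(s.local) == port)]


def outbound(sockets: List[TcpSocket], remote_port: int) -> List[TcpSocket]:
    """Connections this host opened TO remote_port; they open nothing locally."""
    return [s for s in sockets
            if s.remote is not None and port_of(s.remote) == remote_port]


def report(text: str, port: int) -> str:
    socks = parse_lsof(text)
    lines = [f"{len(outbound(socks, port))} connection(s) to remote port {port} "
             f"(not a local open port)"]
    for s in listeners(socks, port):
        lines.append(f"LISTENING on {s.local}: {s.command} (pid {s.pid}, user {s.user})")
    if len(lines) == 1:
        lines.append(f"nothing is listening on local port {port}")
    return "\n".join(lines)


if __name__ == "__main__":
    text = SAMPLE_LSOF if sys.stdin.isatty() else sys.stdin.read()
    print(report(text, 443))
```

The shortest equivalent on the command line is "sudo lsof -nP -iTCP -sTCP:LISTEN", which prints only listening sockets. Run against the listing in the opening post, which has no "(LISTEN)" entry at all, the report comes back with "nothing is listening on local port 443", which is the point the reply above makes.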
 
Where did you find the logs? Not thinking it will help me, because I have an Apple AirPort Extreme. I've looked in /var/log and see nothing.
 
Hi there, I found the logs in my router, under "Advanced / Administration / Logs." I know you mentioned that the 52.96 addresses were mostly Microsoft, but 1. I don't have any Microsoft software running through my Mac or router, and 2. when I Google some of these IP addresses (which is what it said to do in that link you sent), for almost all of them the first thing that pops up is AbuseIPDB, and it says that the IP address has been reported and the confidence of abuse is 100%, that it is a datacenter/web hosting/transit, and goes on to list all the people that have reported it and what for. Mostly the same as myself: DoS ACK scan or port attacks. Also I have quite a lot of other IP addresses that aren't the 52.96... IPs, such as 193.203.230.223, which I have connecting to port 443 8 times, or rather doing a DoS attack:ACK_Scan. Now I am seeing my own devices on there, and to ports that aren't 443, such as DoS attack:ACK_Scan 192.168.1.2 to port 58313 or port 52669 etc. (192.168.1.2 is my Mac). I also see my iPhone and my bf's Mac being DoS attack:ACK_Scan to different ports. Any suggestions as to what to do?
 
I might add that my Mac has since started randomly turning off. Well, not off, but the screen goes black WHILST I'm in the middle of using it, not while it's been sitting a while, but I'll be in the middle of, say, typing or taking a screenshot and just black screen. Sometimes I'll just move my finger around the trackpad and it turns back on to where it left off; other times it starts back up at the login screen and I have to sign back in. It's quite odd.
 
Sorry, I replied to the wrong person in regards to your post about this. So ignore the part about where the logs are; the rest of what I said there was meant for you. Also, I posted that my Mac is now randomly shutting off for no reason, which just started happening.
 
I'm using a Netgear Nighthawk RAX30

There are three parties involved in this discussion - your computer's network interface, your router, and the external server.

There is another party involved: your internet modem. You have mentioned the Nighthawk router but haven't described your internet modem. If you can, enable stealth mode there.

(screenshot attached: Screen Shot 2022-02-04 at 2.03.51 PM.png)
 
Unfortunately I don't own a Netgear router, so I have no expertise with it. I don't know why it's reporting so many threats, but it all could be nothing, just mistakes by the router. If many Netgear users are seeing the same mistakes, then abuse reports will abound. This question is definitely something that should be taken to the Netgear forums.

I don't know how it is that you have no Microsoft software running when I see the following line in your opening post:

Microsoft 59915 tibs 67u IPv4 0x58230338b37b8b2f 0t0 TCP 192.168.1.4:52530->52.109.2.53:https (ESTABLISHED)

Perhaps you can open Activity Monitor and find something there that identifies itself as a Microsoft application. Or, if you repeat your original "sudo lsof -i:443" but instead use "sudo lsof -I:443 +c 0", then you will see the full command name rather than just the first nine characters (which happen to spell "Microsoft").

I seem to remember, when I looked at your IP addresses, that some of the ones I considered Microsoft addresses were "Azure" addresses. This is a legitimate cloud service offered by Microsoft and used by many software products. So maybe some of your non-Microsoft applications are using Azure.

I wish I could be of more help.
 
I appreciate all and any help you can give / are giving. When I tried that command it didn't quite work (see screenshot), and when I went to Activity Monitor and typed "microsoft" in the search bar there was nothing there. Blank. What I'm concerned about is these other IP addresses in addition to the many 52.96... ones, and the ones that are my Mac's IP, 192.168.1.2, port 50130 (for example). What does this mean? And is this the reason my Mac is starting to turn off on its own? I will definitely put a call in to Netgear and see if they can provide any answers. I wasn't aware there was a Netgear forum, and at the time of writing this I didn't really know it was a router issue. So I apologize for not posting in the proper place.
 

Attachments: five screenshots dated 2022-02-09 (not reproduced)
Why are you relying on your router to provide your defense? The first line of defense should always be your internet modem. Bad actors should be blocked at the modem and never allowed access to your local LAN. Configurability depends upon the modem vendor, but in the case of Comcast their advanced security handles pretty much everything. My Netgear router is the 2nd line of defense, pretty much never used for protection as the Comcast modem firewalls and defenses pretty much handle everything.

Different issue if you need to allow outside access to your lan.
 

I'm so sorry, I mistyped the command; the upper case "I" should have been lower case. I'll try to address the rest of your email when I get a work break.
 

No need to apologize, I just wish we could help more.

Forget about the Microsoft thing. I really don't know why I see Microsoft in one of your posts at the top. I do notice that the machine you were on when you ran that "lsof" command was at 192.168.1.4 rather than 192.168.1.2. Maybe you were on a different computer when you ran that. It's probably not important.

Maybe give this a read https://yoodley.com/what-is-dos-attack-ack-scan/. My quick read suggests that you probably don't have any problem.

Your computer shutting off is probably unrelated to incoming network traffic that your router is blocking. From what I can see you're only getting one packet every 5 to 10 minutes. I can't see how that can affect your computer at all.

This all seems like a trio of unrelated things:

1 - Some hardware problem is causing your computer to turn off.

2 - Your router is successfully blocking some bad traffic now and again - and worrying you since you see it in its logs.

3 - Some external advice site (GRC's Shields up) noticed that you had external administration of your router turned on. It warned you because it's not really a good idea to allow administration of your router from the internet.

Since your phone call with Netgear support might have addressed 3, and 2 is probably not really an issue, you might only be left with 1 to worry about.

I don't want to discount whatever @HDFan is saying about your modem. It's always good to have the external modem secure things more aggressively so that your router is only the second line of defense, rather than the first. I'll leave it to them to assist you in configuring your modem (if you feel it's worth that extra effort).
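As an added example that is not part of this thread, the following script applies the reasoning of the reply above to the router log quoted earlier: it parses the Netgear "[DoS attack:ACK_Scan]" lines, groups them by /16 prefix and by the source port the router prints, flags LAN addresses, and measures how far apart the packets arrive. The first sample is copied from the log excerpt above; the second, from the TEST-NET address 203.0.113.9, is constructed to show what a genuine ACK scan would look like by contrast. The "looks like reply traffic" rule is an assumption of this example, not a Netgear rule.

```python
"""Triage "[DoS attack:ACK_Scan]" entries from a Netgear router log.

Added example for this thread; not Netgear's tooling and not any poster's code.
It parses the log format quoted earlier and summarises source prefixes,
source ports and packet cadence, the evidence the reply above reasons from
(a stray packet every few minutes, mostly from one block, source port 443).
"""
import re
import statistics
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List, NamedTuple, Optional

# Lines copied from the router log excerpt quoted earlier in the thread
# (non-ACK_Scan entries kept on purpose to show they are skipped).
SAMPLE_LOG = """\
[DoS attack:ACK_Scan] from source: 52.96.190.210,port 443, Monday, January 17, 2022 09:35:41
[DoS attack:ACK_Scan] from source: 52.96.228.130,port 443, Monday, January 17, 2022 09:27:41
[DoS attack:ACK_Scan] from source: 52.96.165.66,port 443, Monday, January 17, 2022 09:07:26
[DoS attack:ACK_Scan] from source: 52.96.188.146,port 443, Monday, January 17, 2022 09:05:13
[DoS attack:ACK_Scan] from source: 52.96.165.82,port 443, Monday, January 17, 2022 09:04:52
[DoS attack:ACK_Scan] from source: 52.96.165.98,port 443, Monday, January 17, 2022 08:57:59
[DoS attack:ACK_Scan] from source: 81.177.165.82,port 443, Monday, January 17, 2022 06:07:11
[DoS attack:ACK_Scan] from source: 45.158.12.60,port 80, Sunday, January 16, 2022 23:48:50
[admin login] from source 192.168.1.2, Sunday, January 16, 2022 23:22:58
[DHCP IP: (192.168.1.5)] to MAC address e0:89:7e:5e:a4:a2, Sunday, January 16, 2022 23:08:43
[DoS attack:ACK_Scan] from source: 4.79.142.201,port 41220, Sunday, January 16, 2022 22:57:46
[DoS attack:ACK_Scan] from source: 192.168.1.2,port 60650,
"""

# Constructed contrast case (TEST-NET-3 address): one host walking ephemeral
# source ports within seconds, i.e. what an actual ACK scan would look like.
SCAN_LOG = """\
[DoS attack:ACK_Scan] from source: 203.0.113.9,port 51342, Monday, January 17, 2022 10:00:01
[DoS attack:ACK_Scan] from source: 203.0.113.9,port 51343, Monday, January 17, 2022 10:00:01
[DoS attack:ACK_Scan] from source: 203.0.113.9,port 51344, Monday, January 17, 2022 10:00:02
[DoS attack:ACK_Scan] from source: 203.0.113.9,port 51345, Monday, January 17, 2022 10:00:02
"""

LINE_RE = re.compile(
    r"^\[DoS attack:ACK_Scan\] from source: (?P<src>[\d.]+),port (?P<port>\d+),\s*(?P<ts>\S.*)?$"
)
TS_FORMAT = "%A, %B %d, %Y %H:%M:%S"  # "Monday, January 17, 2022 09:35:41"


class AckEvent(NamedTuple):
    src: str
    sport: int                # the SOURCE port Netgear prints, not a LAN port
    when: Optional[datetime]  # None when the router truncated the line


def parse_log(text: str) -> List[AckEvent]:
    events: List[AckEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # DHCP, admin-login and other entries are not ACK_Scan events
        ts = m["ts"]
        when = datetime.strptime(ts.strip(), TS_FORMAT) if ts else None
        events.append(AckEvent(m["src"], int(m["port"]), when))
    return events


def summarize(events: List[AckEvent]) -> Dict[str, Any]:
    """Group by /16 and source port, flag LAN addresses, measure packet spacing."""
    by_prefix = Counter(str(ip_network(f"{e.src}/16", strict=False)) for e in events)
    by_sport = Counter(e.sport for e in events)
    private = sorted({e.src for e in events if ip_address(e.src).is_private})
    stamped = sorted(e.when for e in events if e.when is not None)
    gaps = [(b - a).total_seconds() for a, b in zip(stamped, stamped[1:])]
    return {
        "events": len(events),
        "by_prefix": by_prefix,
        "by_source_port": by_sport,
        "private_sources": private,
        "min_gap_s": min(gaps) if gaps else None,
        "median_gap_s": statistics.median(gaps) if gaps else None,
    }


def looks_like_reply_traffic(summary: Dict[str, Any]) -> bool:
    """Heuristic, not proof: late ACKs from HTTPS servers the LAN already talks
    to arrive from source port 443, minutes apart. A real ACK scan (nmap -sA
    style) comes from ephemeral source ports in a burst lasting seconds."""
    total = summary["events"]
    if total == 0:
        return False
    share_443 = summary["by_source_port"].get(443, 0) / total
    median = summary["median_gap_s"]
    return share_443 >= 0.5 and (median is None or median >= 60)


if __name__ == "__main__":
    for label, text in (("thread log", SAMPLE_LOG), ("constructed scan", SCAN_LOG)):
        s = summarize(parse_log(text))
        print(f"{label}: {s['events']} events, prefixes {dict(s['by_prefix'])}, "
              f"source ports {dict(s['by_source_port'])}, LAN sources {s['private_sources']}, "
              f"median gap {s['median_gap_s']} s -> reply traffic? {looks_like_reply_traffic(s)}")
```

Two things the summary makes visible that are easy to miss when scrolling the raw log: the "port" in these entries is the sender's port, so "port 443" means the packet came from something's HTTPS service rather than being aimed at port 443 on the LAN, and the router applies the same label to its own LAN host (192.168.1.2), which is a good indication the classifier is a rough heuristic.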
 