Overclockers Australia Forums
17th November 2012, 6:57 PM   #1
Taco_k1ng Thread Starter
Member
Join Date: Sep 2012
Location: Gold Coast, Queensland
Posts: 36
I'm being hit with DoS scans / attacks like crazy

So my router log is showing all these scans and attacks from different IPs. I live pretty woop woop; no one would be in range of our wireless, and even so it's locked. I'm curious what these mean and why it is causing my net speed to slow right down to dial-up-like speeds and even quite frequently causing the net to drop out.

Here's what the logs look like:
(note: I recently restarted it, which wipes the logs, but we get 100s of these a day)

[DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:54:22
[DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:52:54
[Time synchronized with NTP server time-h.netgear.com] Saturday, November 17,2012 07:52:14
[DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:52:11
[DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:51:49
[DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:51:28
[Internet connected] IP address: 121.222.187.185 Saturday, November 17,2012 07:50:47
[DSL: Up] Saturday, November 17,2012 07:49:39
[DHCP IP: (192.168.0.5)] to MAC address 94:44:52:89:FF:89 Saturday, November 17,2012 07:49:12
[UPnP set event:AddPortMapping] from source 192.168.0.4 Saturday, November 17,2012 07:49:07
[DHCP IP: (192.168.0.4)] to MAC address 00:24:8D:21:AA:24 Saturday, November 17,2012 07:49:07
[admin login] from source 192.168.0.2 Saturday, November 17,2012 07:49:04
[DHCP IP: (192.168.0.3)] to MAC address 00:15:B7:1F:C1:F3 Saturday, November 17,2012 07:48:47
[DHCP IP: (192.168.0.2)] to MAC address 50:E5:49:54:5D:62 Saturday, November 17,2012 07:48:41
[Initialized, firmware version: V1.1.00.08_1.00.08 ] Saturday, November 17,2012 07:48:23

HELP PLEASE :S
__________________
Na Na Na Na Na Na BATMAN!

Rig: Intel 2500k @4.2 w/ Tower Heatsink, Gigabyte Z68XP-UD3, 4gb 1600mhz + 4gb 1333mhz RipJaws, Galaxy GTX 560 Ti OC, Agility 3 SSD, 1.5 TB green WD.

17th November 2012, 7:00 PM   #2
JoJoker
(Banned or Deleted)
Join Date: Apr 2010
Location: NOPE
Posts: 2,506

Let your ISP know you are being DDoSed. Do you have a static IP? If you don't, powercycle your modem and leave it off for a good 30 seconds. You should get a new IP and whoever is targeting you should lose you.

Then you can try and figure out who you pissed off.

17th November 2012, 7:06 PM   #3
kilebantick
Member
Join Date: Feb 2010
Location: Victoria, Maldon
Posts: 751

Whoever it is is located in Santa Clara, California.
I've a feeling it's a shell-based attack (think that's the name. Upload PHP shell, use it to Ssyn/UDP flood an address), as most of the servers I've come across in my shitty history of being DDoSED, come from around there.



Edit: Do you have McAfee installed?
NetRange: 161.69.0.0 - 161.69.255.255
CIDR: 161.69.0.0/16
OriginAS:
NetName: NETWORK-ASSOCIATES-INC
NetHandle: NET-161-69-0-0-1
Parent: NET-161-0-0-0-0
NetType: Direct Assignment
RegDate: 1992-06-15
Updated: 2010-04-21
Ref: http://whois.arin.net/rest/net/NET-161-69-0-0-1

OrgName: McAfee, Inc.
OrgId: MCAFE-2
Address: 3965 Freedom Circle
City: Santa Clara
StateProv: CA
PostalCode: 95054
Country: US
RegDate: 2006-07-05
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/MCAFE-2

OrgTechHandle: INO25-ARIN
OrgTechName: McAfee Network Operations
OrgTechPhone: +1-408-346-5200
OrgTechEmail: netadmin (at) mcafee.com
OrgTechRef: http://whois.arin.net/rest/poc/INO25-ARIN

OrgAbuseHandle: INO25-ARIN
OrgAbuseName: McAfee Network Operations
OrgAbusePhone: +1-408-346-5200
OrgAbuseEmail: netadmin (at) mcafee.com
OrgAbuseRef: http://whois.arin.net/rest/poc/INO25-ARIN
__________________
Succesfull trades: Here
$7088 Total trades
Quote:
Originally Posted by eyeLikeCarrots
I computer equipment-ed for several years before outsourcing it. Now I make network ping and enjoy long walks on the firewalling with correlate syslog. On weekend I make good proxy with happy.

17th November 2012, 7:09 PM   #4
Taco_k1ng Thread Starter
Member
Join Date: Sep 2012
Location: Gold Coast, Queensland
Posts: 36

I don't anymore on this PC; I used to a while ago. Not sure about the other computers in the house. So should I ring this number and report it, or?

17th November 2012, 7:10 PM   #5
HeXa
Member
Join Date: Jul 2001
Location: Canberra, ACT
Posts: 9,036

doubt it is a DoS... more likely a port scan

ignore and get on with your life
__________________
Quote:
Originally Posted by Bern View Post
I've just deleted 29 posts from this thread, and most of you are bloody lucky I've been at the pub for the last six hours, because if I was sober you'd all be fucking beninated to hell!!1!
[Edit: And furthermore, if I have to come back tomorrow and sort out more of this crap while I've got a hangover you'll all be really fucked.]

17th November 2012, 7:16 PM   #6
Taco_k1ng Thread Starter
Member
Join Date: Sep 2012
Location: Gold Coast, Queensland
Posts: 36

I would go on with my life, but I'm having major net issues, with my net dropping multiple times per day, like 10-20, with 100s of these logged, always around the time of the speeds being slowed down to dial-up or lower and it dropping out.

17th November 2012, 8:24 PM   #7
Dodge M4S
Member
Join Date: Jul 2006
Location: 6061
Posts: 3,048

Can't you block them?
__________________
Quote:
Originally Posted by no5isalive View Post
Btw what does the 'U' in OCAU stand for?

19th November 2012, 6:26 PM   #8
MR CHILLED
D'oh!
Join Date: Jan 2002
Location: Canadia
Posts: 98,878

Interesting! I've been having a couple of issues recently with slow cable connection, only fixable with a modem reboot....maybe this is the cause?
__________________
The Prime Minister of Australia: "no one can be the suppository of all wisdom''
abbott on the NBN: "We're not against using the internet, errr, for all these things, ah but do we really want to invest $50billion dollars of hard earned tax payers money on what is essentially a video entertainment system."
| Co2 is weightless apparently

19th November 2012, 7:16 PM   #9
disco frank
Member
Join Date: Mar 2008
Location: perth
Posts: 1,447

mmmmm
since seeing this i looked at my router and found

11/19/2012 17:58:12 **Smurf** 222.67.213.0, 12500->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 17:47:00 **Smurf** 212.98.184.255->> 10.1.1.7, Type:3, Code:3 (from LAN1 Outbound)
11/19/2012 17:36:41 **Smurf** 210.195.239.0, 14602->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 17:29:52 **Smurf** 213.87.132.255, 27294->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 17:18:30 **Smurf** 222.67.213.0, 12500->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 17:07:13 NTP Date/Time updated.
11/19/2012 17:00:25 **Smurf** 208.103.249.0, 6881->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 16:54:58 **Smurf** 222.67.213.0, 12500->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 16:42:40 **Smurf** 201.167.19.0, 20981->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 16:33:35 **Smurf** 210.195.239.0, 14602->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 16:15:29 **Smurf** 202.152.86.0, 2277->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 16:03:48 **Smurf** 210.195.239.0, 14602->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 15:54:44 **Smurf** 222.67.213.0, 12500->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 15:50:15 **Smurf** 213.138.80.0, 57175->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 15:50:05 sending ACK to 10.1.1.4



I have ZERO idea! Considering it's a wired network,
the only thing I know is that 10.1.1.7 is my NAS box!
__________________
yes this an overclockers forum
no my pc is not overclocked!

19th November 2012, 8:46 PM   #10
Wako
Member
Join Date: Jun 2006
Posts: 480
Your NAS may be running a torrent client listening on port 6881.
__________________
CHIPS

19th November 2012, 8:53 PM   #11
disco frank
Member
Join Date: Mar 2008
Location: perth
Posts: 1,447

Quote:
Originally Posted by Wako View Post
Your NAS may be running a torrent client listening on port 6881.

It does have a torrent client, which I don't use and have now disabled.

cheers!
disco frank is online now   Reply With Quote
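
A triage sketch for the two router logs posted above, added here as an example (not code from any poster or router vendor): it counts alert entries per source and tags each with a heuristic hint, so a burst from one server port or towards a torrent port stands out. The regexes are written against the lines shown in this thread; the hint names and port sets are assumptions.

```python
import re
from collections import Counter

# Sample lines copied from the two router logs posted in this thread.
SAMPLE = """\
[DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:54:22
[DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:52:54
[DSL: Up] Saturday, November 17,2012 07:49:39
11/19/2012 17:58:12 **Smurf** 222.67.213.0, 12500->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 17:36:41 **Smurf** 210.195.239.0, 14602->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 17:47:00 **Smurf** 212.98.184.255->> 10.1.1.7, Type:3, Code:3 (from LAN1 Outbound)
"""

# First log's entry: label plus source ip:port (no destination is logged).
NETGEAR = re.compile(
    r"^\[DoS attack: (?P<label>[^\]]+)\] from source: "
    r"(?P<src>[\d.]+):(?P<sport>\d+)")
# Second log's entry: label, source ip and port, destination ip and port.
OTHER = re.compile(
    r"\*\*(?P<label>\w+)\*\* (?P<src>[\d.]+), (?P<sport>\d+)->> "
    r"(?P<dst>[\d.]+), (?P<dport>\d+)")

SERVICE_PORTS = {80, 443}        # common server-side ports (assumption)
P2P_PORTS = range(6881, 6890)    # traditional BitTorrent listening ports

def hint(sport, dport):
    """Heuristic label; a triage aid, not proof of what the packet was."""
    if sport in SERVICE_PORTS:
        return "reply-from-service"   # looks like a server answering a LAN client
    if dport in P2P_PORTS:
        return "p2p-listener"         # peers reaching a torrent client
    return "unsolicited"

def parse(line):
    m = NETGEAR.search(line) or OTHER.search(line)
    if not m:
        return None                   # status lines, ICMP entries, etc.
    g = m.groupdict()
    sport = int(g["sport"])
    dport = int(g["dport"]) if g.get("dport") else None
    return (g["label"], g["src"], sport, dport, hint(sport, dport))

def triage(log_text):
    """Count alert entries per (label, src, sport, dport, hint)."""
    hits = (parse(line) for line in log_text.splitlines())
    return Counter(h for h in hits if h)

if __name__ == "__main__":
    for key, n in triage(SAMPLE).most_common():
        print(n, *key)
```
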

19th November 2012, 9:19 PM   #12
caspian
Member
Join Date: Mar 2002
Location: Melbourne
Posts: 6,779

Quote:
Originally Posted by MR CHILLED View Post
Interesting! I've been having a couple of issues recently with slow cable connection, only fixable with a modem reboot....maybe this is the cause?
possibly, but cable normally has fairly sticky IPs that only expire after quite a while. if all you're rebooting is the modem then it might be on the way out. check your WAN IP with whatismyip.com or ipchicken.com between reboots and see.
__________________
The stupid, it burns.

19th November 2012, 9:38 PM   #13
MR CHILLED
D'oh!
Join Date: Jan 2002
Location: Canadia
Posts: 98,878

Quote:
Originally Posted by caspian View Post
possibly, but cable normally has fairly sticky IPs that only expire after quite a while. if all you're rebooting is the modem then it might be on the way out. check your WAN IP with whatismyip.com or ipchicken.com between reboots and see.
Thanks, bit of a backstory with this. I'll pm you some details soon, if you have some time to assess. Curious to get your input on the situation.

20th November 2012, 12:23 AM   #14
samwise123
Member
Join Date: Aug 2006
Location: Brisbane, QLD
Posts: 407

Install pfSense on an old computer, configure it to block IPs that try to scan for open ports or whatever after 10 connections or so. Load some blacklists on there too.

20th November 2012, 12:25 AM   #15
flain
Member
Join Date: Oct 2005
Posts: 1,917

hmm no offence but this should not be a front page linked thread. "my firewall says i'm getting attacked" isn't OCAU front page caliber, i hope.

All times are GMT +10.