I'm being hit with DoS scans / attacks like crazy

Discussion in 'Networking, Telephony & Internet' started by Taco_k1ng, Nov 17, 2012.

  1. Taco_k1ng

    So my router log is showing all these scans and attacks from different IPs. I live pretty woop woop; no one would be in range of our wireless, and even so it's locked. I'm curious as to what these mean and why it is causing my net speed to slow right down to dial-up-like speeds and even quite frequently causing the net to drop out.

    Here's what the logs look like:
    (Note: I recently restarted it, which wipes the logs, but we get 100s of these a day.)

    [DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:54:22
    [DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:52:54
    [Time synchronized with NTP server time-h.netgear.com] Saturday, November 17,2012 07:52:14
    [DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:52:11
    [DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:51:49
    [DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:51:28
    [Internet connected] IP address: 121.222.187.185 Saturday, November 17,2012 07:50:47
    [DSL: Up] Saturday, November 17,2012 07:49:39
    [DHCP IP: (192.168.0.5)] to MAC address 94:44:52:89:FF:89 Saturday, November 17,2012 07:49:12
    [UPnP set event:AddPortMapping] from source 192.168.0.4 Saturday, November 17,2012 07:49:07
    [DHCP IP: (192.168.0.4)] to MAC address 00:24:8D:21:AA:24 Saturday, November 17,2012 07:49:07
    [admin login] from source 192.168.0.2 Saturday, November 17,2012 07:49:04
    [DHCP IP: (192.168.0.3)] to MAC address 00:15:B7:1F:C1:F3 Saturday, November 17,2012 07:48:47
    [DHCP IP: (192.168.0.2)] to MAC address 50:E5:49:54:5D:62 Saturday, November 17,2012 07:48:41
    [Initialized, firmware version: V1.1.00.08_1.00.08 ] Saturday, November 17,2012 07:48:23

    HELP PLEASE :S
     
  2. JoJoker

    Let your ISP know you are being DDoSed. Do you have a static IP? If you don't, powercycle your modem and leave it off for a good 30 seconds. You should get a new IP and whoever is targeting you should lose you.

    Then you can try and figure out who you pissed off.
     
  3. kilebantick

    Whoever it is is located in Santa Clara, California.
    I've a feeling it's a shell-based attack (think that's the name. Upload PHP shell, use it to SYN/UDP flood an address), as most of the servers I've come across in my shitty history of being DDoSed come from around there.

    Edit: Do you have McAfee installed?
    NetRange: 161.69.0.0 - 161.69.255.255
    CIDR: 161.69.0.0/16
    OriginAS:
    NetName: NETWORK-ASSOCIATES-INC
    NetHandle: NET-161-69-0-0-1
    Parent: NET-161-0-0-0-0
    NetType: Direct Assignment
    RegDate: 1992-06-15
    Updated: 2010-04-21
    Ref: http://whois.arin.net/rest/net/NET-161-69-0-0-1

    OrgName: McAfee, Inc.
    OrgId: MCAFE-2
    Address: 3965 Freedom Circle
    City: Santa Clara
    StateProv: CA
    PostalCode: 95054
    Country: US
    RegDate: 2006-07-05
    Updated: 2011-09-24
    Ref: http://whois.arin.net/rest/org/MCAFE-2

    OrgTechHandle: INO25-ARIN
    OrgTechName: McAfee Network Operations
    OrgTechPhone: +1-408-346-5200
    OrgTechEmail: netadmin (at) mcafee.com
    OrgTechRef: http://whois.arin.net/rest/poc/INO25-ARIN

    OrgAbuseHandle: INO25-ARIN
    OrgAbuseName: McAfee Network Operations
    OrgAbusePhone: +1-408-346-5200
    OrgAbuseEmail: netadmin (at) mcafee.com
    OrgAbuseRef: http://whois.arin.net/rest/poc/INO25-ARIN
     
  4. Taco_k1ng

    I don't anymore on this PC; I used to a while ago. Not sure about the other computers in the house. So should I ring this number and report it, or?
     
  5. HeXa

    doubt it is a DoS... more likely a port scan

    ignore and get on with your life
     
  6. Taco_k1ng

    I would go on with my life, but I'm having major net issues, with my net dropping multiple times per day, like 10-20, with 100s of these logged always around the time of the speeds being slowed down to dial-up or lower and it dropping out.
     
  7. Dodge M4S

    Can't you block them?
     
  8. MR CHILLED

    Interesting! I've been having a couple of issues recently with slow cable connection, only fixable with a modem reboot....maybe this is the cause?
     
  9. disco frank

    Mmmmm.
    Since seeing this I looked at my router and found:

    11/19/2012 17:58:12 **Smurf** 222.67.213.0, 12500->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
    11/19/2012 17:47:00 **Smurf** 212.98.184.255->> 10.1.1.7, Type:3, Code:3 (from LAN1 Outbound)
    11/19/2012 17:36:41 **Smurf** 210.195.239.0, 14602->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
    11/19/2012 17:29:52 **Smurf** 213.87.132.255, 27294->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
    11/19/2012 17:18:30 **Smurf** 222.67.213.0, 12500->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
    11/19/2012 17:07:13 NTP Date/Time updated.
    11/19/2012 17:00:25 **Smurf** 208.103.249.0, 6881->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
    11/19/2012 16:54:58 **Smurf** 222.67.213.0, 12500->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
    11/19/2012 16:42:40 **Smurf** 201.167.19.0, 20981->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
    11/19/2012 16:33:35 **Smurf** 210.195.239.0, 14602->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
    11/19/2012 16:15:29 **Smurf** 202.152.86.0, 2277->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
    11/19/2012 16:03:48 **Smurf** 210.195.239.0, 14602->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
    11/19/2012 15:54:44 **Smurf** 222.67.213.0, 12500->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
    11/19/2012 15:50:15 **Smurf** 213.138.80.0, 57175->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
    11/19/2012 15:50:05 sending ACK to 10.1.1.4



    I have ZERO idea, considering it's a wired network!
    The only thing I know is that 10.1.1.7 is my NAS box!
     
  10. Wako

    Your NAS may be running a torrent client listening on port 6881.
     
  11. disco frank


    It does have a torrent client, which I don't use and have now disabled.

    Cheers!
     
  12. caspian

    Possibly, but cable normally has fairly sticky IPs that only expire after quite a while. If all you're rebooting is the modem then it might be on the way out. Check your WAN IP with whatismyip.com or ipchicken.com between reboots and see.
     
  13. MR CHILLED

    Thanks, bit of a backstory with this. I'll PM you some details soon, if you have some time to assess. Curious to get your input on the situation.
     
  14. samwise123

    Install pfSense on an old computer, configure it to block IPs that try to scan for open ports or whatever after 10 connections or so. Load some blacklists on there too.
     
  15. flain

    Hmm, no offence, but this should not be a front-page-linked thread. "My firewall says I'm getting attacked" isn't OCAU front page caliber, I hope.
     
  16. PabloEscobar

    I'm curious as to why people think this will work. To use my favorite car analogy:

    Your local firewall is your front door, and the connection between your ISP and you is your driveway.

    You've got some guests coming over, and they want to drive down your driveway to park in your yard.

    If you've got 1000 bad people all driving up to knock on your front door, your actual guests are unable to get in.

    Stopping these bad people knocking on your door does not stop them driving up your driveway. As a result, your wanted guests are still unable to get in.

    If you want to stop this, you need to head out to the street or highway where all these bad cars are coming from (your ISP, or your ISP's transit provider).

    However, in this case, you aren't being attacked; default firewalls at the consumer level report almost anything as a DoS :). It's the illusion of protection that's important.
     
  17. eyeLikeCarrots

    That...

    I was going to post something like that without the driveway analogy this morning.

    A pfSense box isn't going to be much use unless it's on the outside of the modem and the firewall on the modem is turned off.

    Pablo is IMHO (without being there with tcpdump running) correct, you're not being attacked. What you are seeing is 'noise'...

    The internet is constantly awash with traffic scans. I've seen some analysis of how sharply this sort of thing drops during Chinese New Year.....
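
Added example, not part of any post in this thread: a short Python triage of the two router log formats quoted above, grouping alerts by source and attaching a heuristic hint to each group. The port-443 and port-6881 hints are assumptions of this example (the second follows the torrent-client suggestion made earlier in the thread); lines in any other shape, such as the ICMP `Type:3` entry, are only counted as skipped.

```python
import re
from collections import Counter

# Sample lines copied from the two router log formats quoted in this thread.
SAMPLE = """\
[DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:54:22
[DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:52:54
[Time synchronized with NTP server time-h.netgear.com] Saturday, November 17,2012 07:52:14
[DoS attack: ACK Scan] from source: 161.69.199.7:443 Saturday, November 17,2012 07:52:11
11/19/2012 17:58:12 **Smurf** 222.67.213.0, 12500->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 17:47:00 **Smurf** 212.98.184.255->> 10.1.1.7, Type:3, Code:3 (from LAN1 Outbound)
11/19/2012 17:36:41 **Smurf** 210.195.239.0, 14602->> 10.1.1.7, 6881 (from PPPoE1 Inbound)
11/19/2012 17:07:13 NTP Date/Time updated.
"""

# One pattern per format; both expose label/src/sport, the second also dst/dport.
PATTERNS = [
    re.compile(r"\[DoS attack: (?P<label>[^\]]+)\] from source: "
               r"(?P<src>[\d.]+):(?P<sport>\d+)"),
    re.compile(r"\*\*(?P<label>\w+)\*\* (?P<src>[\d.]+), (?P<sport>\d+)->> "
               r"(?P<dst>[\d.]+), (?P<dport>\d+) \(from \S+ Inbound\)"),
]

def hint(sport, dport):
    """Triage heuristics: assumptions of this example, not router behaviour."""
    if sport == 443:
        return "remote port 443: probably late replies from an HTTPS server"
    if dport == 6881:
        return "local port 6881: common BitTorrent port, check that LAN host"
    return "no hint: capture traffic before drawing conclusions"

def triage(text):
    """Return (Counter keyed by (label, src, sport, dst, dport, hint), skipped)."""
    events, skipped = Counter(), 0
    for line in text.splitlines():
        m = PATTERNS[0].search(line) or PATTERNS[1].search(line)
        if m is None:
            skipped += 1  # housekeeping lines and shapes this example ignores
            continue
        d = m.groupdict()
        sport = int(d["sport"])
        dport = int(d["dport"]) if d.get("dport") else None
        key = (d["label"], d["src"], sport, d.get("dst"), dport, hint(sport, dport))
        events[key] += 1
    return events, skipped

if __name__ == "__main__":
    events, skipped = triage(SAMPLE)
    for (label, src, sport, dst, dport, why), n in events.most_common():
        print(f"{n:3d}x {label:<8} {src}:{sport} -> {dst}:{dport}  [{why}]")
    print(f"{skipped} lines not parsed as alerts")
```

The router's label ("ACK Scan", "Smurf") is carried through unchanged; the grouping by remote port and local port is what points at a cause worth checking on the LAN side.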
     
  18. AMLagonda

    I hate to say this, but I am also getting a tonne of these lately:

    [DOS Attack] : 1 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.1.101]
    Tuesday, Nov 20,2012 07:27:34

    (Could it be Xbox Live? I have a good reason to think it's something new that's only just started for me about the time an Xbox was plugged in.)
     
    Last edited: Nov 20, 2012
  19. eyeLikeCarrots

    192.168.1.101 <-- a host on your local network....

    I think the best advice here would be to DDoS that IP in revenge.
     
  20. SpudBoy

    Except the driveway analogy doesn't exactly work in the way it is described (i.e. it does, UNTIL you filter out connections).

    If you drop the connections they are not "parked", they do not exist, they do not suck your bandwidths.

    The minute fraction of CPU time required to identify and squash the packet/filter future requests is not enough to degrade performance.

    That is, unless you are getting hit by a motherlode of a DDoS.
     
