topic Re: DDOS to my router in Tech Help - Software/Hardware etc

DDOS to my router

VileReynard — Tue, 31 Oct 2017 23:03:31 GMT

Why would someone attack my router continuously for the last several days (at least)?

[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:57
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:44
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:33
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:19
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:09
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:01:58
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:01:48
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:01:35
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:01:23
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:01:13
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:01:03
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:00:50
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:00:40
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:00:27
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:00:14

etc...

Re: DDOS to my router

7up — Tue, 31 Oct 2017 23:41:45 GMT

Who have you been upsetting now?

Re: DDOS to my router

Browni — Wed, 01 Nov 2017 00:37:14 GMT

Perhaps they know you?

Re: DDOS to my router

Oldjim — Wed, 01 Nov 2017 08:24:08 GMT

the anti fox hunting brigade

Re: DDOS to my router

jelv — Wed, 01 Nov 2017 09:17:47 GMT

I think you can report that by email to abuse@plus.net

Do you have the Plusnet firewall on?

Re: DDOS to my router

VileReynard — Wed, 01 Nov 2017 13:15:32 GMT

I don't have the Plusnet firewall switched on, I never had had.

A SYN attack uses random ports in an attempt to overload a connection.

My 65/18 connection was severely impacted at times.

I've just tried disconnecting the router for a few minutes and Plusnet have finally allocated me a new IP address.

So it is now "cured".

But if your IP address is x.x.89.61 then you may encounter problems.

Re: DDOS to my router

7up — Thu, 02 Nov 2017 12:20:44 GMT

@VileReynard wrote:

But if your IP address is x.x.89.61 then you may encounter problems.

So for your sins you've passed the buck to some other poor soul.

Re: DDOS to my router

VileReynard — Fri, 03 Nov 2017 07:18:57 GMT

And after a few hours delay it followed me to my IP address (146.198.x.x) - there doesn't appear to be much point in secrecy since every man and his dog has decided to practice SYN attacks on it.

I expect the entire Plusnet IP range is being attacked?

It's so pointless, especially when I have no port forwarding.

A whois gives

whois 146.198.x.x

...

NetRange:       146.198.0.0 - 146.198.255.255
CIDR:           146.198.0.0/16
NetName:        PLUSNET3
NetHandle:      NET-146-198-0-0-1
Parent:         NET146 (NET-146-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS6871
Organization:   INFONET Services Corporation (INFO)
RegDate:        1991-02-28
Updated:        2015-03-12
Ref:            https://whois.arin.net/rest/net/NET-146-198-0-0-1

OrgName:        INFONET Services Corporation
OrgId:          INFO
Address:        2160 East Grand Avenue
City:           El Segundo
StateProv:      CA
PostalCode:     90245-1022
Country:        US
RegDate:
Updated:        2017-01-28
Ref:            https://whois.arin.net/rest/org/INFO

...

Is this right?

Moderator's note by Mike (Mav): Full IP address edited in a public forum.

Re: DDOS to my router

7up — Thu, 02 Nov 2017 20:48:10 GMT

So get yourself a plusnet hubone. That has no visible logging so you won't be able to see the attacks to worry about them

EDIT: Actually it does log stuff.. sorry i only found that around 10 minutes later when trying to do something else in the admin pages.

Incidentally I have port 80 open and redirected to my desktop PC for the apache webserver. When i look in the database i can see loads of bots have been trying to exploit phpmyadmin setup script logs and various other things. People are out there scanning and attempting to attack all the time. In my case they make contact with the default host on my apache which has one web page and nothing else. My actual websites are all on virtual hosts and the admin site with phpmyadmin installed is on a virtual host only accessible to the local network.

I've accepted that they'll always be there trying.. it's just one of those things.

Re: DDOS to my router

Mustrum — Thu, 02 Nov 2017 20:44:13 GMT

I would be checking my PC's/Laptops with Malwarebytes ad all the antivirus software I could find, there is a good chance that something on one of your devices is call somewhere to start these DDOS attacks.

As for the IP address, it is well known that PN have used other BT division addresses when they expanded their network, and that many of the IP address checkers are out of date. It can cause access difficulty's with some sites, but these seem to be getting less troublesome.