Attacks from Plusnet address space

VileReynard
Seasoned Pro
Posts: 10,673
Thanks: 209
Fixes: 9
Registered: 01-09-2007

Attacks from Plusnet address space

My router log for the last 24 hours reads:
Quote
[DoS attack: STORM] attack packets in last 20 sec from ip [84.227.197.91], Saturday, Jan 05,2013 23:38:42
...
[DoS attack: STORM] attack packets in last 20 sec from ip [84.227.197.91], Saturday, Jan 05,2013 21:23:28
...
[DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.25], Saturday, Jan 05,2013 18:52:13
[DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.25], Saturday, Jan 05,2013 18:51:28
[DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.25], Saturday, Jan 05,2013 18:51:05
[DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.25], Saturday, Jan 05,2013 18:50:37
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [84.93.235.210], Saturday, Jan 05,2013 18:10:09
...
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [84.93.235.210], Saturday, Jan 05,2013 15:35:09
[DoS attack: ACK Scan] attack packets in last 20 sec from ip 84.93.225.58], Saturday, Jan 05,2013 15:34:27
...
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [84.93.225.59], Saturday, Jan 05,2013 11:44:49
...
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [84.93.235.210], Saturday, Jan 05,2013 00:01:06

I assume IP addresses 84.93.0.0 lie in the Plusnet region [Note my WAN address is 146.90.151.99]
Quote
jeremy@HECTOR:~$ traceroute 84.93.255.255
traceroute to 84.93.255.255 (84.93.255.255), 30 hops max, 60 byte packets
1  ROUTER (192.168.1.1)  1.845 ms  1.813 ms  1.793 ms
2  lo0-central10.ptw-ag03.plus.net (195.166.128.197)  37.421 ms  38.539 ms  38.524 ms
3  link11-central10.ptw-gw01.plus.net (84.93.248.84)  37.376 ms  37.875 ms  39.063 ms
4  xe-7-2-0.ptw-cr01.plus.net (212.159.1.20)  39.044 ms  39.937 ms  39.918 ms
5  ae1.pcl-cr01.plus.net (195.166.129.1)  39.895 ms  39.885 ms  40.449 ms
6  * * *
...
16  * * po2.pcl-gw01.plus.net (195.166.129.41)  96.530 ms

5 REPLIES
Estragon
Rising Star
Posts: 811
Thanks: 10
Registered: 07-02-2012

Re: Attacks from Plusnet address space

The whole of the 84.93.nnn.nnn range is Plusnet's.
However 84.227.197.91 returns
Quote
inetnum:        84.227.0.0 - 84.227.255.255
netname:        SUNRISE-ADSL
descr:          sunrise
descr:          TDC Switzerland AG
descr:          Ruemlang, Switzerland
country:        CH
remarks:        abuse -> abuse@sunrise.net
Community Veteran
Posts: 4,969
Thanks: 362
Fixes: 16
Registered: 10-06-2010

Re: Attacks from Plusnet address space

nslookup 84.93.225.58 = portal04.servers.plus.net
nslookup 84.93.225.59 = portal05.servers.plus.net
nslookup 84.93.235.210 = 84.93.235.210.broadband.plus.dyn.plus.net
So only 84.93.235.210 appears to be a Plusnet broadband customer.
The "attack" from portal04.servers.plus.net was probably just the portal being a bit slow, and then a whole bunch of packets suddenly arrive all at the same time.
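
One way to triage a router log like the one in the first post before running whois or nslookup on every address, as an added example that is not part of the thread: it groups entries by source and alert type and labels each source as LAN, ISP range, or external. It assumes the log format quoted above and takes 84.93.0.0/16 as Plusnet's from the reply above; the names `classify` and `summarise` are made up for this sketch.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: entries copied from the router log in the first post,
# including a "..." elision and the line whose opening bracket is missing.
SAMPLE_LOG = """\
[DoS attack: STORM] attack packets in last 20 sec from ip [84.227.197.91], Saturday, Jan 05,2013 23:38:42
[DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.25], Saturday, Jan 05,2013 18:52:13
[DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.25], Saturday, Jan 05,2013 18:51:28
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [84.93.235.210], Saturday, Jan 05,2013 18:10:09
...
[DoS attack: ACK Scan] attack packets in last 20 sec from ip 84.93.225.58], Saturday, Jan 05,2013 15:34:27
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [84.93.225.59], Saturday, Jan 05,2013 11:44:49
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [84.93.235.210], Saturday, Jan 05,2013 00:01:06
"""

LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\].*?from ip \[?(?P<ip>[0-9.]+)\]?, "
    r"\w+, (?P<ts>\w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)
# Assumption taken from the thread: all of 84.93.0.0/16 belongs to Plusnet.
ISP_NET = ipaddress.ip_network("84.93.0.0/16")

def classify(ip):
    """Bucket a source address: private LAN, the ISP's range, or external."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        return "lan"
    return "isp" if addr in ISP_NET else "external"

def summarise(log_text):
    """Return {(ip, kind): {origin, count, first, last}}, skipping unparsable lines."""
    out = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. the "..." elisions in the pasted log
        ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
        rec = out.setdefault((m["ip"], m["kind"]),
                             {"origin": classify(m["ip"]), "count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
    return out

if __name__ == "__main__":
    for (ip, kind), r in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{ip:15} {r['origin']:8} {kind:9} x{r['count']}  {r['first']} .. {r['last']}")
```

Sources labelled `isp` or `external` are the ones worth a reverse lookup or whois query; a `lan` source is a device on the local network, so the place to look is the router's own client list.
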
VileReynard
Seasoned Pro
Posts: 10,673
Thanks: 209
Fixes: 9
Registered: 01-09-2007

Re: Attacks from Plusnet address space

Estragon: The sun seems to have set on Sunrise.
Quote
jeremy@HECTOR:~$ ping 84.227.197.91
PING 84.227.197.91 (84.227.197.91) 56(84) bytes of data.
^C
--- 84.227.197.91 ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 12094ms

ejs: Thanks for that - I seem to get a small number of all three kinds of "attack" messages.

Estragon
Rising Star
Posts: 811
Thanks: 10
Registered: 07-02-2012

Re: Attacks from Plusnet address space

sunrise.net "Record expires on 01-01-2014".
If I ping you and your router isn't set to respond to pings, I'd get the same result as we get from sunrise.
VileReynard
Seasoned Pro
Posts: 10,673
Thanks: 209
Fixes: 9
Registered: 01-09-2007

Re: Attacks from Plusnet address space

Quite true!