
DOS attacks and IP Spoofs

StephenF
Grafter
Posts: 156
Thanks: 1
Registered: ‎02-10-2009

DOS attacks and IP Spoofs

Hey guys,
I'm not too savvy on hacking but I think people are trying to hack me. Multiple IP addresses have tried to hack me on my Netgear router log; it lists them as denial of service attacks and IP spoofs, whatever they are. The IP spoofs show 192.168.0.10 etc. trying to hack me, even though I only have 2 computers on 192.168.0.2 and .3, 0.1 being router access.
Should I be worried and what can I do?
Worth mentioning that on the DOS attacks, it was IPs starting with 254, 95, and 83, something like that. I don't have the exact IPs because I cleared the log so I could see if it happened again, as I have installed ESET Smart Security on my computer and laptop.
What are the ramifications of somebody hacking me? What can they actually achieve?
Cheers
13 REPLIES
Anonymous
Not applicable

Re: DOS attacks and IP Spoofs

For the 192.168.0.10 and similar that don't match your machines, do you have an unencrypted or WEP wireless connection? It could be your neighbours wirelessly connecting to your router.
For all the other addresses, have you tried switching on the PlusNet Broadband Firewall to the HIGH setting? This should block almost anything.
To do this, log into your PlusNet account, go to "My Account", then "Connection Settings", then "Broadband Firewall", and then choose your settings.
StephenF
Grafter
Posts: 156
Thanks: 1
Registered: ‎02-10-2009

Re: DOS attacks and IP Spoofs

Yup, I'm on WEP, didn't think any of the fuckers would try tbh, I'm in a really low key area lol
Will putting the Plusnet firewall on high mess up my games or out?
Anonymous
Not applicable

Re: DOS attacks and IP Spoofs

Are you able to increase your wireless encryption to WPA on all your hardware?
While I am not an expert on gaming, I think that by experimenting with the various options available in the "Broadband Firewall", you should be able to increase your protection without stopping your gaming.
Try starting on "LOW" and see how it goes, and keep increasing the levels (in ADVANCED) until something breaks, then take one step back. It costs nothing to try and is easy to do, so why not!
Anonymous
Not applicable

Re: DOS attacks and IP Spoofs

Just a couple of other ideas:
You should also ensure your router has NAT switched ON, which will help block anonymous connections.
If you have the router DMZ directed at a PC, then make sure that PC has a decent firewall that only allows connections that you are expecting!
StephenF
Grafter
Posts: 156
Thanks: 1
Registered: ‎02-10-2009

Re: DOS attacks and IP Spoofs

OK, I've put my Plusnet firewall to low, I have Smart Security on both computers, and I've changed my Netgear settings to WPA-PSK and have a wireless access station list set up so only MAC addresses I allow should be able to connect, right?
Hope that stops the beestards
Anonymous
Not applicable

Re: DOS attacks and IP Spoofs

Sounds good so far!
Let us know if this fixes the problem, and what level of Broadband Firewall you end up with for your gaming!
StephenF
Grafter
Posts: 156
Thanks: 1
Registered: ‎02-10-2009

Re: DOS attacks and IP Spoofs

[Admin login] from source 192.168.0.3, Wednesday, Nov 25,2009 00:32:26
[DOS Attack] : 2 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:35:10
[DOS Attack] : 2 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:33:01
[DOS Attack] : 2 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:31:57
[DOS Attack] : 2 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:30:52
[DOS Attack] : 2 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:29:49
[DOS Attack] : 2 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:28:44
[DOS Attack] : 2 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:27:41
[DOS Attack] : 2 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:26:37
[DOS Attack] : 3 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:25:32
[DOS Attack] : 2 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:24:36
[DOS Attack] : 1 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:24:08
-------------------------

This is today, after I've changed all my settings to WPA-PSK secure, MAC authorization only and Plusnet firewall on.
What the [Censored] can I do? Does this mean they are hacking me? Or does it just mean they tried?
The admin logon is me btw
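
Added example, not part of any post in this thread: a Python script that parses router log entries in the format pasted above, totals the [IP Spoof] reports per source address, and marks each source as a known host, an unknown address inside the LAN range, or external. The sample log is constructed from the posted format, and the LAN range and known-host list are assumptions taken from the addresses the poster mentions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the format of the router log posted above.
SAMPLE_LOG = """\
[Admin login] from source 192.168.0.3, Wednesday, Nov 25,2009 00:32:26
[DOS Attack] : 2 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:35:10
[DOS Attack] : 3 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.0.6]
Tuesday, Nov 24,2009 19:25:32
"""

# Assumptions: LAN range and known hosts as the poster describes them.
LAN = ipaddress.ip_network("192.168.0.0/24")
KNOWN_HOSTS = {"192.168.0.1", "192.168.0.2", "192.168.0.3"}
EVENT_RE = re.compile(r"\[DOS Attack\] : (\d+) \[IP Spoof\] packets detected.*source ip \[([\d.]+)\]")
STAMP_RE = re.compile(r"\w+, (\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$")

def classify_source(ip):
    """Known host, unknown address inside the LAN range, or external address."""
    if ip in KNOWN_HOSTS:
        return "known host"
    return "unknown LAN address" if ipaddress.ip_address(ip) in LAN else "external address"

def parse_spoof_events(log_text):
    """Yield (source_ip, packets, timestamp); the timestamp is on the line after the event."""
    pending = None  # event still waiting for its timestamp line
    for line in log_text.splitlines():
        event = EVENT_RE.search(line)
        stamp = STAMP_RE.match(line.strip())
        if event:
            pending = (event.group(2), int(event.group(1)))
        elif stamp and pending:
            yield (*pending, datetime.strptime(stamp.group(1), "%b %d,%Y %H:%M:%S"))
            pending = None

def summarise(log_text):
    """Per source IP: classification, event count, packet total, first and last seen."""
    out = {}
    for ip, packets, when in parse_spoof_events(log_text):
        s = out.setdefault(ip, {"kind": classify_source(ip), "events": 0, "packets": 0,
                                "first": when, "last": when})
        s["events"] += 1
        s["packets"] += packets
        s["first"], s["last"] = min(s["first"], when), max(s["last"], when)
    return out

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

A source that falls inside the LAN range but matches no known host can be compared against the router's list of attached devices.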
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: DOS attacks and IP Spoofs

You need do no more!
Each DNS "attack" is only 2 attempts - so it won't deny much service!
The source address is faked (as it says, it's spoofed) - so your system could not send a sensible response to the attacker (apart from the fact that your ip address exists).

"In The Beginning Was The Word, And The Word Was Aardvark."

Anonymous
Not applicable

Re: DOS attacks and IP Spoofs

What setting did you have the Plusnet Broadband Firewall set to?
Anonymous
Not applicable

Re: DOS attacks and IP Spoofs

Did you also check to ensure your router has NAT enabled?
StephenF
Grafter
Posts: 156
Thanks: 1
Registered: ‎02-10-2009

Re: DOS attacks and IP Spoofs

OK, I've just done a bit of research into what a DOS attack is etc. Obviously something is wrong and I'm not getting DOS attacked properly or I wouldn't be talking here right now.
But can anyone explain why this is happening? Is somebody actually trying to DOS me? Why is it showing IPs that don't exist on my network? And are they actually achieving the hack or just trying?
Plusnet firewall is on low and my router has NAT enabled, yeah.
I'm trying to keep my main ports available for hosting and downloading; if I use high firewall settings there's no way for me to open the ports I want to. Also, I have Windows 7 firewall up to date and ESET Smart Security firewall up to date and all running.
Thanks
Steve
Anonymous
Not applicable

Re: DOS attacks and IP Spoofs

I must admit that I can't quite see the point of a DOS attack with a spoofed Class-C IP address?
On my own system, my router gets probed regularly all day, every day, on various TCP port numbers. It is quite interesting to look up the host addresses to find out who's probing you, although I have never seen spoofed addresses like yours of type 192.168.?.?.
The number of probes can be reduced considerably by setting the PlusNet Broadband Firewall to the highest setting that you can get away with, as the higher the level that is set, the more ports are blocked.
This reduces attempted connections from the internet reaching your router.
Next, ideally you should use your router firewall to block as many unused TCP ports as possible, from reaching your local network.  In addition by having NAT enabled, this will effectively make your local machines become anonymous when viewed from the internet side of the router, and therefore makes it very difficult to initiate remote communications to your PCs.
Finally if you have properly configured firewalls on your PCs, then in the unlikely event that anything gets past the router, then hopefully you should get a warning of an unexpected event being blocked.

If it was me, I would first set the highest Plusnet Firewall setting that still allows you to play games.
Make sure the DMZ and any unnecessary port forwarding in your router is switched off.
I personally would switch off the DHCP server in the router, and set all my local PCs to static IP addresses, to reduce the chance of a casual wireless connection requesting a local network address.
I would also change those local static IP address numbers from 192.168.0.XXX to something more unusual, such as 192.168.7.XXX, and see if the spoofs are still 192.168.0.XXX or whether they become 192.168.7.XXX!
So you could have for example:
 Router address = 192.168.7.1
 PC address     = 192.168.7.10
 Laptop address = 192.168.7.20
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: DOS attacks and IP Spoofs

I wouldn't bother.

"In The Beginning Was The Word, And The Word Was Aardvark."