should this be concerning ? (router logfile)
21-09-2013 12:49 PM
been getting a lot of this in the last few days, I have been ip blocked from the broadbandbuyer website for apparently requesting too many url searches (I was browsing the store) and several websites have been acting up,
I went into the connection page of the router and dropped/connected to get a new wan ip and all seems to be working normally (the pages that refused to work before are now working again)
but I am wondering why my ip address was being targeted in such a fashion and should I be worried about that sort of thing ?
I realise I could just turn off spi logging but I turned it on because I was having problems getting things to load up
Quote
Sep 18 16:24:05 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 80.190.166.111 to 146.90.77.102
Sep 18 18:27:02 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 69.89.74.66 to 146.90.77.102
Sep 18 18:28:39 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 69.89.74.66 to 146.90.77.102
Sep 18 18:31:59 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 69.89.74.66 to 146.90.77.102
Sep 18 18:31:59 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 69.89.74.66 to 146.90.77.102
Sep 18 20:14:19 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 69.89.74.66 to 146.90.77.102
Sep 19 01:42:58 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 180.231.250.72 to 146.90.77.102
Sep 19 01:42:58 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 180.231.250.72 to 146.90.77.102
Sep 19 15:56:27 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.205 to 146.90.77.102
Sep 19 18:08:18 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 110.77.217.91 to 146.90.77.102
Sep 19 20:09:03 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 141.255.164.98 to 146.90.77.102
Sep 20 02:36:11 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 50.7.182.98 to 146.90.77.102
Sep 20 02:55:03 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 184.75.220.210 to 146.90.77.102
Sep 20 03:24:59 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 184.75.220.210 to 146.90.77.102
Sep 20 03:35:04 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 80.82.64.72 to 146.90.77.102
Sep 20 07:46:44 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.205 to 146.90.77.102
Sep 20 14:17:34 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 67.202.66.202 to 146.90.77.102
Sep 20 17:45:18 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 212.183.159.229 to 146.90.77.102
Sep 20 18:06:35 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.92.214.217 to 146.90.77.102
Sep 20 18:30:37 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.92.214.217 to 146.90.77.102
Sep 20 18:30:37 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.92.214.217 to 146.90.77.102
Sep 20 18:40:40 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.195.89.18 to 146.90.77.102
Sep 20 18:40:40 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 173.192.70.142 to 146.90.77.102
Sep 20 18:40:40 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 173.192.70.142 to 146.90.77.102
Sep 20 18:40:40 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 173.192.70.142 to 146.90.77.102
Sep 20 18:40:40 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 198.105.212.100 to 146.90.77.102
Sep 20 18:40:40 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 198.105.212.100 to 146.90.77.102
Sep 20 18:40:40 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 198.105.212.100 to 146.90.77.102
Sep 20 22:29:47 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.205 to 146.90.77.102
Sep 21 02:37:22 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_ewan_1] 213.157.218.54:0 to 146.90.77.102:0
Sep 21 04:55:39 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 161.69.13.6 to 146.90.77.102
Sep 21 07:01:42 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.92.214.217 to 146.90.77.102
Sep 21 09:57:45 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 50.57.189.103 to 146.90.77.102
Sep 21 11:55:48 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.158 to 146.90.77.102
Sep 21 11:55:48 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.158 to 146.90.77.102
Sep 21 12:33:46 timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.205 to 146.90.77.102
just because you're paranoid doesn't mean they aren't out to get you
Message 1 of 5
(2,186 Views)
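An added example, not part of the original post: a small Python tally of SPI entries in the format quoted above, counting drops per day, per source and per protocol, and listing seconds in which more than one source was logged. The hostname, addresses and sample lines are constructed (documentation address ranges), and the regular expression assumes the field layout seen in the excerpt.

```python
import re
from collections import Counter, defaultdict

# Entry format as shown in the post. "packer" is the router's own spelling on
# ICMP lines; the TCP line uses "packet" and carries ":port" suffixes.
ENTRY = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ \S+ kernel: "
    r"HackAttack: \[SPI:(?P<reason>[^\]]+)\] (?P<proto>\w+) pack(?:er|et) "
    r"from \[(?P<iface>[^\]]+)\] (?P<src>[\d.]+)(?::\d+)? "
    r"to (?P<dst>[\d.]+)(?::\d+)?$"
)

PREFIX = "router user.info kernel: HackAttack: [SPI:Illegal connection state attack]"
# Constructed sample (documentation address ranges), not the poster's log.
SAMPLE = "\n".join([
    f"Sep 18 18:27:02 {PREFIX} ICMP packer from [ppp_ewan_1] 192.0.2.10 to 203.0.113.5",
    f"Sep 18 18:28:39 {PREFIX} ICMP packer from [ppp_ewan_1] 192.0.2.10 to 203.0.113.5",
    f"Sep 20 18:40:40 {PREFIX} ICMP packer from [ppp_ewan_1] 198.51.100.7 to 203.0.113.5",
    f"Sep 20 18:40:40 {PREFIX} ICMP packer from [ppp_ewan_1] 198.51.100.7 to 203.0.113.5",
    f"Sep 20 18:40:40 {PREFIX} ICMP packer from [ppp_ewan_1] 192.0.2.44 to 203.0.113.5",
    f"Sep 21 02:37:22 {PREFIX} TCP packet from [ppp_ewan_1] 198.51.100.9:0 to 203.0.113.5:0",
    "Sep 21 02:40:00 router user.info kernel: unrelated message",
])

def summarise(text):
    """Tally SPI drop entries per day, source and protocol; list same-second bursts."""
    per_day, per_src, per_proto = Counter(), Counter(), Counter()
    by_second = defaultdict(set)
    skipped = 0
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY.match(line)
        if m is None:
            skipped += 1                      # not an SPI entry in this format
            continue
        day = " ".join(m["day"].split())      # syslog pads single-digit days
        per_day[day] += 1
        per_src[m["src"]] += 1
        per_proto[m["proto"]] += 1
        by_second[f"{day} {m['time']}"].add(m["src"])
    # Seconds in which more than one distinct source was logged
    bursts = {ts: sorted(s) for ts, s in by_second.items() if len(s) > 1}
    return {"per_day": dict(per_day), "per_src": dict(per_src),
            "per_proto": dict(per_proto), "bursts": bursts, "skipped": skipped}

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

The per-day totals are the figure to compare against a known quiet-day baseline for the same router.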
Re: should this be concerning ? (router logfile)
23-09-2013 11:36 AM
Message 2 of 5
(607 Views)
Re: should this be concerning ? (router logfile)
23-09-2013 12:47 PM
yeah I spoke too soon, I started getting the same traffic registered within the day but having checked by disconnecting (physically) everything from the router soft dropping to get a new WANIP on 2 separate machines (with different software running) I noticed that one of the addresses that's apparently attempting to initiate syn flood is fairly consistently traffic that's bouncing off the euro peer in the Netherlands (if it's not originating behind it)
as for av scanning I do run a full scan every few days and have on-access scanner running 24/7 on all the PCs anyway, on top of that I regularly use Trend Micro's HouseCall scanner as well (because it's free and a good double check system) in case McAfee misses anything.
I probably should have mentioned that seeing them means the firewall stopped the traffic, but the deliberate persistent number of tries to initiate a syn flood against dynamic ip addresses is concerning particularly when taken into consideration with how sluggish the entire online experience has become over recent weeks at certain times of the day
just because you're paranoid doesn't mean they aren't out to get you
Message 3 of 5
(607 Views)
Re: should this be concerning ? (router logfile)
23-09-2013 6:54 PM
Does the log really have "ICMP packer" rather than "ICMP packet"?
Message 4 of 5
(607 Views)
Re: should this be concerning ? (router logfile)
23-09-2013 7:12 PM
yes which indicates that it's a payload packet (not normal size) containing an executable most likely to trigger a denial of service attack,
if it's designed to overload my ip then that's not as bad as the thought it could be a bounce packet designed to auto forward and trigger the attack somewhere else effectively masking it as originating from me....
and the reason it being an attack aimed at me not being so bad is I would notice my connection not working and thus get a new ip (dynamic links and all that) but if it's trying to bounce off me all I might notice would be a slightly higher latency if I was gaming but otherwise be oblivious to the problem until some plod kicked my door in......
normal snoop entries like that occur maybe 10 times a day normally from random ip addresses but the last two weekends the rate has been getting higher and higher, this weekend I changed gateway 3 times and on both sat + sun I saw the log file overwriting itself several times (it has a stat counter for number of times overwritten)
but the wider implications of this are that it could be the root cause of the massive latency spikes being experienced during peak times and where some people don't have a hardware firewall protecting their connection all they're seeing is massive throughput loss without understanding why and believing it to be a capacity issue, the downside of my device is it doesn't describe what port or protocol is being targeted, just the delivery method as being standard ping ......
just because you're paranoid doesn't mean they aren't out to get you
Message 5 of 5
(607 Views)