
should this be concerning ? (router logfile)

nanotm
Pro
Posts: 5,682
Thanks: 111
Fixes: 1
Registered: 11-02-2013

been getting a lot of this in the last few days, I have been ip blocked from the broadbandbuyer website for apparently requesting too many url searches (I was browsing the store) and several websites have been acting up,
Quote
Sep 18 16:24:05  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 80.190.166.111 to 146.90.77.102
  Sep 18 18:27:02  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 69.89.74.66 to 146.90.77.102
  Sep 18 18:28:39  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 69.89.74.66 to 146.90.77.102
  Sep 18 18:31:59  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 69.89.74.66 to 146.90.77.102
  Sep 18 18:31:59  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 69.89.74.66 to 146.90.77.102
  Sep 18 20:14:19  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 69.89.74.66 to 146.90.77.102
  Sep 19 01:42:58  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 180.231.250.72 to 146.90.77.102
  Sep 19 01:42:58  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 180.231.250.72 to 146.90.77.102
  Sep 19 15:56:27  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.205 to 146.90.77.102
  Sep 19 18:08:18  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 110.77.217.91 to 146.90.77.102
  Sep 19 20:09:03  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 141.255.164.98 to 146.90.77.102
  Sep 20 02:36:11  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 50.7.182.98 to 146.90.77.102
  Sep 20 02:55:03  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 184.75.220.210 to 146.90.77.102
  Sep 20 03:24:59  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 184.75.220.210 to 146.90.77.102
  Sep 20 03:35:04  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 80.82.64.72 to 146.90.77.102
  Sep 20 07:46:44  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.205 to 146.90.77.102
  Sep 20 14:17:34  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 67.202.66.202 to 146.90.77.102
  Sep 20 17:45:18  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 212.183.159.229 to 146.90.77.102
  Sep 20 18:06:35  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.92.214.217 to 146.90.77.102
  Sep 20 18:30:37  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.92.214.217 to 146.90.77.102
  Sep 20 18:30:37  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.92.214.217 to 146.90.77.102
  Sep 20 18:40:40  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.195.89.18 to 146.90.77.102
  Sep 20 18:40:40  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 173.192.70.142 to 146.90.77.102
  Sep 20 18:40:40  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 173.192.70.142 to 146.90.77.102
  Sep 20 18:40:40  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 173.192.70.142 to 146.90.77.102
  Sep 20 18:40:40  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 198.105.212.100 to 146.90.77.102
  Sep 20 18:40:40  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 198.105.212.100 to 146.90.77.102
  Sep 20 18:40:40  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 198.105.212.100 to 146.90.77.102
  Sep 20 22:29:47  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.205 to 146.90.77.102
  Sep 21 02:37:22  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_ewan_1] 213.157.218.54:0 to 146.90.77.102:0
  Sep 21 04:55:39  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 161.69.13.6 to 146.90.77.102
  Sep 21 07:01:42  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.92.214.217 to 146.90.77.102
  Sep 21 09:57:45  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 50.57.189.103 to 146.90.77.102
  Sep 21 11:55:48  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.158 to 146.90.77.102
  Sep 21 11:55:48  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.158 to 146.90.77.102
  Sep 21 12:33:46  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.205 to 146.90.77.102

I went into the connection page of the router and dropped/connected to get a new wan ip and all seems to be working normally (the pages that refused to work before are now working again)
but I am wondering why my ip address was being targeted in such a fashion and should I be worried about that sort of thing ?
I realise I could just turn off spi logging but I turned it on because I was having problems getting things to load up
just because you're paranoid doesn't mean they aren't out to get you
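The log format quoted in the post above can be triaged with a short parser; this is an added example, not part of the original thread or the router's software. It tallies events per day, source and protocol and lists same-second bursts; the function names and the `burst_min` threshold are assumptions, and the sample lines are copied from the post.

```python
import re
from collections import Counter

# Pattern for the router's SPI log line format quoted in the post above.
# The firmware's own spelling "packer" is accepted alongside "packet".
LINE_RE = re.compile(
    r"^\s*(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\S+\s+\S+\s+kernel:\s+HackAttack:\s+\[(?P<rule>[^\]]+)\]\s+"
    r"(?P<proto>\w+)\s+pack(?:et|er)\s+from\s+\[(?P<iface>[^\]]+)\]\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+to\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Sample lines copied from the log in the post (a subset, not the full log).
SAMPLE_LOG = """
Sep 20 18:30:37  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.92.214.217 to 146.90.77.102
Sep 20 18:40:40  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.195.89.18 to 146.90.77.102
Sep 20 18:40:40  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 173.192.70.142 to 146.90.77.102
Sep 20 18:40:40  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 173.192.70.142 to 146.90.77.102
Sep 20 18:40:40  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 198.105.212.100 to 146.90.77.102
Sep 20 22:29:47  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 85.12.5.205 to 146.90.77.102
Sep 21 02:37:22  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] TCP packet from [ppp_ewan_1] 213.157.218.54:0 to 146.90.77.102:0
Sep 21 04:55:39  timsplace user.info kernel: HackAttack: [SPI:Illegal connection state attack] ICMP packer from [ppp_ewan_1] 161.69.13.6 to 146.90.77.102
"""

def parse_line(line):
    """Return the fields of one SPI log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(text, burst_min=3):
    """Tally events per day, source and protocol; list same-second bursts (assumed threshold)."""
    per_day, per_src, per_proto = Counter(), Counter(), Counter()
    per_second, unparsed = {}, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:          # count lines in other formats instead of dropping them silently
            unparsed += 1
            continue
        day = f"{ev['mon']} {int(ev['day']):02d}"
        per_day[day] += 1
        per_src[ev["src"]] += 1
        per_proto[ev["proto"]] += 1
        per_second.setdefault(f"{day} {ev['time']}", []).append(ev["src"])
    bursts = {k: sorted(set(v)) for k, v in per_second.items() if len(v) >= burst_min}
    return {"per_day": per_day, "per_src": per_src, "per_proto": per_proto,
            "bursts": bursts, "unparsed": unparsed}
```

Run over a full log, a rising `per_day` count or one address dominating `per_src` stands out far more quickly than it does when reading the raw lines.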
4 REPLIES
Plusnet Help Team
Posts: 13,017
Thanks: 145
Fixes: 48
Registered: 27-04-2007

Re: should this be concerning ? (router logfile)

Glad to hear that's stopped at least, I'd scan your machine if you haven't done so already just to be on the safe side.
 Adam Walker
 Plusnet Help Team
nanotm
Pro
Posts: 5,682
Thanks: 111
Fixes: 1
Registered: 11-02-2013

Re: should this be concerning ? (router logfile)

yeah I spoke too soon, I started getting the same traffic registered within the day but having checked by disconnecting (physically) everything from the router soft dropping to get a new WANIP on 2 separate machines (with different software running) I noticed that one of the addresses that's apparently attempting to initiate syn flood is fairly consistently traffic that's bouncing off the euro peer in the Netherlands (if it's not originating behind it)
as for av scanning I do run a full scan every few days and have onaccess scanner running 24/7 on all the PCs anyway, on top of that I regularly use Trend Micro's housecall scanner as well (because it's free and a good double check system) in case McAfee misses anything.

I probably should have mentioned that seeing them means the firewall stopped the traffic, but the deliberate persistent number of tries to initiate a syn flood against dynamic ip addresses is concerning particularly when taken into consideration with how sluggish the entire online experience has become over recent weeks at certain times of the day
Community Veteran
Posts: 5,061
Thanks: 426
Fixes: 16
Registered: 10-06-2010

Re: should this be concerning ? (router logfile)

Does the log really have "ICMP packer" rather than "ICMP packet"?
nanotm
Pro
Posts: 5,682
Thanks: 111
Fixes: 1
Registered: 11-02-2013

Re: should this be concerning ? (router logfile)

yes which indicates that it's a payload packet (not normal size) containing an executable most likely to trigger a denial of service attack,
if it's designed to overload my ip then that's not as bad as the thought it could be a bounce packet designed to auto forward and trigger the attack somewhere else effectively masking it as originating from me....
and the reason it being an attack aimed at me not being so bad is I would notice my connection not working and thus get a new ip (dynamic links and all that) but if it's trying to bounce off me all I might notice would be a slightly higher latency if I was gaming but otherwise be oblivious to the problem until some plod kicked my door in......
normal snoop entries like that occur maybe 10 times a day normally from random ip addresses but the last two weekends the rate has been getting higher and higher, this weekend I changed gateway 3 times and on both sat + sun I saw the log file overwriting itself several times (it has a stat counter for number of times overwritten)

but the wider implications of this are that it could be the root cause of the massive latency spikes being experienced during peak times and where some people don't have a hardware firewall protecting their connection all they're seeing is massive throughput loss without understanding why and believing it to be a capacity issue, the downside of my device is it doesn't describe what port or protocol is being targeted, just the delivery method as being standard ping ......