DOS attack from 84.11*.*.*

N/A


My Netgear router is reporting DOS attacks from 84.114/114/113.*.8 on a daily basis and has done since day one on Plusnet. Logs look like:
Fri, 2004-12-10 18:06:55 - TCP Packet - Source:84.112.44.93,1825 Destination:84.92.51.1x,6129 - [DOS]
Fri, 2004-12-10 18:51:03 - TCP Packet - Source:84.115.69.233,3984 Destination:84.92.51.1x,5000 - [DOS]
Fri, 2004-12-10 18:51:06 - TCP Packet - Source:84.115.69.233,3976 Destination:84.92.51.1x,5554 - [DOS]
Fri, 2004-12-10 18:51:06 - TCP Packet - Source:84.115.69.233,3977 Destination:84.92.51.1x,1433 - [DOS]
Fri, 2004-12-10 18:57:04 - TCP Packet - Source:84.113.195.146,4051 Destination:84.92.51.1x,3127 - [DOS]
Tue, 2004-12-07 11:10:23 - TCP Packet - Source:84.113.193.106,4484 Destination:84.92.51.1x,,6129 - [DOS]
Tue, 2004-12-07 11:10:29 - TCP Packet - Source:84.113.193.106,4514 Destination:84.92.51.1x,139 - [DOS]
Tue, 2004-12-07 20:33:29 - TCP Packet - Source:84.114.147.38,3801 Destination:84.92.51.1x,6129 - [DOS]
Tue, 2004-12-07 20:33:33 - TCP Packet - Source:84.114.147.38,3802 Destination:84.92.51.1x,139 - [DOS]
Tue, 2004-12-07 20:57:22 - TCP Packet - Source:84.114.154.161,1744 Destination:84.92.51.1x,3127 - [DOS]
Tue, 2004-12-07 20:57:26 - TCP Packet - Source:84.114.154.161,1770 Destination:84.92.51.1x,6129 - [DOS]
Tue, 2004-12-07 20:57:29 - TCP Packet - Source:84.114.154.161,1773 Destination:84.92.51.1x,139 - [DOS]


Whilst I am not aware that this is not causing any specific issue, I do wonder what the source is likely to be.

Anyone else get this?

James
6 REPLIES
the_norris
Grafter
Posts: 463
Registered: 02-08-2007

DOS attack from 84.11*.*.*

Looks to me like someone out there has a trojan virus.

See http://www.sans.org/resources/idfaq/oddports.php for some port info.

Phil
N/A

DOS attack from 84.11*.*.*

Email the full log to abuse@plus.net and hope to get a response, however last time I brought this up they didn't seem to care, so good luck.
Community Veteran
Posts: 14,469
Registered: 30-07-2007

DOS attack from 84.11*.*.*

If that log represents the frequency they are occurring just ignore it (they are not DoS attacks anyway, the router is being overoptimistic in its reporting). A DoS attack would produce 100s/1000s of entries in a very short time (seconds/minutes) and you would not be able to use your internet connection. What you are seeing is normal 'internet noise' from port scans, probes and infected systems that everyone is getting and is what your firewall is there to protect against.

Abuse would just ignore this - in any case, it's coming from outside plusnet's network so there is zero abuse can do about it anyway.
N/A

DOS attack from 84.11*.*.*

I only posted extracts but you're right, it is a regular occurrence rather than an intense attack. The only reason I asked the qn was that just about every occurrence has been from the same address range starting 84.11* and I wondered if it was just this account that was getting these.

James
N/A

DOS attack from 84.11*.*.*

Whois the IP range, find out which ISP it belongs to and then email logs to abuse@THATISP, see if they can do anything about it.

Buz
N/A

DoS attack

I too have been getting the NetGear warnings from my router, from the same IP grouping.
Using a WhoIs site (http://www.altaser.com/whois.php) I got back the following listing:

% This is the RIPE Whois query server #1.

% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 84.112.0.0 - 84.119.255.255
org: ORG-CBG1-RIPE
netname: AT-TELEKABEL-20040407
descr: PROVIDER Local Registry
descr: Chello Broadband GmbH
country: AT
country: BE
country: FR
country: NL
country: NO
country: SE
admin-c: HTK1-RIPE
tech-c: HTK1-RIPE
notify: hostmaster@chello.at
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: CHELLO-MNT
mnt-routes: CHELLO-MNT
changed: hostmaster@ripe.net 20040407
source: RIPE

route: 84.112.0.0/14
descr: UPC Austria
origin: AS6830
mnt-by: CHELLO-MNT
changed: hostmaster@chello.at 20040525
source: RIPE

organisation: ORG-CBG1-RIPE
org-name: Chello Broadband GmbH
org-type: LIR
address: Erlachgasse 116
address: Vienna
address: 1100
address: Austria
phone: +43 1 96068 5000
fax-no: +43 1 96068 5666
e-mail: hostmaster@chello.at
admin-c: AK991-RIPE
admin-c: SB9000-RIPE
admin-c: HTK1-RIPE
admin-c: HMCB1-RIPE
admin-c: MS2509-RIPE
mnt-ref: CHELLO-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
changed: hostmaster@ripe.net 20040415
changed: bitbucket@ripe.net 20041007
changed: bitbucket@ripe.net 20041007
changed: bitbucket@ripe.net 20041007
source: RIPE

role: Hostmaster Telekabel Wien
address: UPC Telekabel Wien GmbH
address: Erlachgasse 116
address: A-1100 Vienna
address: Austria
phone: +43 1 96068 5000
fax-no: +43 1 96068 5666
e-mail: hostmaster@chello.at
trouble: help@chello.at
admin-c: AK991-RIPE
tech-c: SB666-RIPE
tech-c: AK991-RIPE
tech-c: MS2509-RIPE
nic-hdl: HTK1-RIPE
notify: hostmaster@chello.at
mnt-by: CHELLO-MNT
changed: hostmaster@chello.at 20040609
source: RIPE


So it might be worth sending them an email, or simply blocking their IP ranges.
I'm also getting hits from 84.99.*

As Peter Vaughan has said, I think the router is being a little sensitive as although this happens regularly, it is not an attack as this would try to flood the router. I am not sure why this is happening though and it would be nice to find out!

Piers McGinn.
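
A way to check the two points made in the replies (entries per minute versus a real flood, and how many sources fall in the whois range), as an added example that is not part of the original thread. The function names and the 100-entries-per-minute cut-off are assumptions; the log lines are copied from the first post.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, summarize_address_range

# Lines copied from the thread (destination masked as posted; note the stray ",,").
SAMPLE_LOG = """\
Fri, 2004-12-10 18:51:03 - TCP Packet - Source:84.115.69.233,3984 Destination:84.92.51.1x,5000 - [DOS]
Fri, 2004-12-10 18:51:06 - TCP Packet - Source:84.115.69.233,3976 Destination:84.92.51.1x,5554 - [DOS]
Fri, 2004-12-10 18:51:06 - TCP Packet - Source:84.115.69.233,3977 Destination:84.92.51.1x,1433 - [DOS]
Tue, 2004-12-07 11:10:23 - TCP Packet - Source:84.113.193.106,4484 Destination:84.92.51.1x,,6129 - [DOS]
"""

LINE_RE = re.compile(r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - \w+ Packet - "
                     r"Source:(?P<src>[\d.]+),\d+ Destination:[^,\s]+,+(?P<dport>\d+)")

# inetnum range from the RIPE whois output in the thread; it collapses to one CIDR block.
WHOIS_NET = next(summarize_address_range(ip_address("84.112.0.0"), ip_address("84.119.255.255")))

def parse(log):
    """Return (timestamp, source, destination port) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:  # skip anything that is not a packet entry
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, ip_address(m["src"]), int(m["dport"])))
    return sorted(events, key=lambda e: e[0])

def peak_rate(events, window=timedelta(seconds=60)):
    """Largest number of entries seen inside any sliding time window."""
    best = start = 0
    for end, (ts, _, _) in enumerate(events):
        while ts - events[start][0] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def summarize(log, flood_threshold=100):  # threshold is an assumed cut-off
    events = parse(log)
    peak = peak_rate(events)
    return {
        "entries": len(events),
        "peak_per_minute": peak,
        "looks_like_flood": peak >= flood_threshold,
        "from_whois_range": sum(src in WHOIS_NET for _, src, _ in events),
        "ports": Counter(dport for _, _, dport in events),
    }
```

Calling `summarize()` on a full exported router log gives the peak entries per minute and the per-port counts, which is the detail worth including in any abuse report.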