
Denial of Service Attack?

wandelaar
Grafter
Posts: 186
Registered: 17-08-2007

Denial of Service Attack?

I connect to the internet via ISDN using a Draytek Vigor 2600 router (with inbuilt firewall).

I have found today that the router syslog is showing the following:-

DoS ip option Block 192.168.1.10 -> 224.0.0.22 CD ra PR 2

On my network 192.168.1.10 is obviously me..

Am I correct in thinking that attempts are being made to use my machine for a DoS attack?

If so, any ideas?

I have up to date anti virus software (nothing found), and use Spybot regularly.

I have used various online sites to check the firewall and all have reported back that they cannot detect any ports etc. I also run with active scripting and Java disabled, as I found that active scripting could be used to open my CD-ROM etc. remotely. (http\\www.auditmypc.com)

Any info gratefully received.
9 REPLIES
Community Veteran
Posts: 3,181
Thanks: 19
Fixes: 2
Registered: 31-07-2007

Denial of Service Attack?

DNS reports it as IGMP.MCAST.NET

Found a few results via google, so you have some reading to find the problem.
Unvalued customer since 2001 funding cheap internet for others / DSL/Fibre house move 24 month regrade from 8th May 2017
N/A

Denial of Service Attack?

Some of the info I read suggests this is normal for a Windows XP boot.

The address 224.0.0.22 is a multicast address, and not normally addressable in normal IP space (baffled you huh?).

Messages are sent to this address when you wish to join a multicast group.

What your logs didn't show you, was the TTL setting inside the packet.

Quick explanation of TTL

TTL (Time To Live) is a setting in each internet packet that states the maximum number of hops (routers or machines the data passes through) before it is considered dead.

The basic idea is to stop data that can't reach its destination from going around and around and around, clogging up bandwidth. Without TTL, the data would simply float around the internet forever, without being stopped.

<end>

In the higher end of the IPv4 spectrum (lost ya again? OK, in a few higher end IP addresses), there are 2 extra classes: Experimental/future use, and Multicast.

Multicast can be on any and every machine/device. The idea being that you broadcast to a group of machines in a single set of data output.

This is used for broadcasting video over a single network, i.e. only 1 outgoing connection, but all terminals can receive the video feed.

When a system sends a packet to the address 224.0.0.22, the TTL setting is set to 1. This means that your router will not send the data anywhere, as it is set to go no more than 1 hop.

AKA, this packet is destined for nothing more than your own network.

It is 100% safe, and your router is reporting a false positive.

If you find the above too technical, try asking specific questions about the above, and I will clarify.
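The explanation above can be turned into a small triage rule for the router's syslog. The script below is an added example, not something posted in the thread or shipped with the Draytek firmware: it parses lines in the format shown in the original post, and treats a destination in 224.0.0.0/24 (the link-local multicast control block, which hosts send with TTL 1 and routers never forward) carrying IP protocol 2 (IGMP) as a benign membership report. It assumes that the "PR 2" field in the log is the IP protocol number; the extra sample lines after the first are constructed for the example.

```python
import ipaddress
import re

# Constructed sample log. The first line is the one quoted in the thread; the
# other two are made up here to exercise the other branches of the classifier.
SAMPLE_LOG = """\
DoS ip option Block 192.168.1.10 -> 224.0.0.22 CD ra PR 2
DoS ip option Block 192.168.1.10 -> 239.255.255.250 CD ra PR 2
DoS ip option Block 192.168.1.10 -> 66.197.138.235 CD ra PR 6
"""

# "DoS <rule> Block <src> -> <dst> <options...> PR <protocol>"
LINE_RE = re.compile(
    r"^DoS (?P<rule>.+?) Block (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"
    r"(?P<opts>.*?) PR (?P<proto>\d+)\s*$"
)

# 224.0.0.0/24 is the Local Network Control Block: sent with TTL 1 and never
# forwarded off the local link, so nothing in it can reach the internet.
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")
IGMP = 2  # IP protocol number for IGMP; assumed to be what "PR 2" means


def parse_line(line):
    """Parse one syslog line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["proto"] = int(entry["proto"])
    entry["opts"] = entry["opts"].split()  # e.g. ["CD", "ra"]
    return entry


def classify(entry):
    """Label a parsed entry by how much attention it deserves."""
    dst = ipaddress.ip_address(entry["dst"])
    if dst in LOCAL_CONTROL and entry["proto"] == IGMP:
        return "benign-local-igmp"  # host joining a multicast group, stays on the LAN
    if dst.is_multicast:
        return "multicast-other"  # e.g. 239.x.x.x admin-scoped; still not a DoS
    if not dst.is_private:
        return "outbound-public"  # traffic actually leaving the LAN: look at this
    return "other"


def triage(log_text):
    """Return (src, dst, proto, label) for every parseable line of the log."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        results.append((entry["src"], entry["dst"], entry["proto"], classify(entry)))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The point of the rule is that the destination address alone settles the first line: a 224.0.0.x/24 destination cannot leave the local segment whatever the router's DoS heuristic calls it, so the "outbound-public" label is the only one of the three worth chasing.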
wandelaar
Grafter
Posts: 186
Registered: 17-08-2007

Denial of Service Attack?

Many thanks for the info Philip.

Yes I am a little baffled, but at least the firewall is doing its job albeit a bit too well.
It would appear that I get two attempts to do the mcast link thing within about 2 seconds, each time I log onto XP.


Best Regards


Dave
N/A

Denial of Service Attack?

Get a port viewer to see what ports it's opening and where it's going. There's loads to choose from, or firewalls like Outpost will ask before letting it go out.

It may be nothing or something more serious.
wandelaar
Grafter
Posts: 186
Registered: 17-08-2007

Denial of Service Attack?

Thanks for the reply.

The iffy connection only occurs on a cold boot of the machine.

According to my syslog my port 1030 is connecting to 66.197.138.235 port 80?

My machine is also listening on port 139 but does nothing else?

Any ideas would be greatly appreciated.

Regards

Dave
wandelaar
Grafter
Posts: 186
Registered: 17-08-2007

Denial of Service Attack?

Aha!!

Just downloaded the latest update to spybot.

It found a load of extra stuff including smg.exe.

I had previously tried to delete smg.exe and smg.dll but they were 'in use'.

Spybot removed the registry entries and guess what?

'Cold boot' now does not connect to the internet and no 'DOS' warnings!!

Now going to attempt to delete smg.* again..

Fingers crossed etc..

Regards

Dave
wandelaar
Grafter
Posts: 186
Registered: 17-08-2007

Denial of Service Attack?

Update!!

Managed to delete the smg directory and all appears well!!

Hope this helps someone else as well..

Regards

Dave
N/A

Denial of Service Attack?

Is your system still listening on port 139?

Port 139 is identd, and is used to verify which user of the computer system is connecting to a site.

In Windows, it serves no purpose (in all modern use too), as a reply can be faked.

It is used in *nix to see which user is connecting though.

The most common system to use it is IRC servers.

Many trojans use IRC servers as their method of phoning home these days. So port 139 is a sign that there may be a trojan.
plusnetsux
Grafter
Posts: 122
Registered: 05-08-2007

Denial of Service Attack?

Port 139 is NetBIOS, used for Windows file and printer sharing. Identd runs on port 113.
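The "port viewer" suggestion earlier in the thread and the port 139/113 correction above come down to the same check: list what the machine is listening on, and list what is connected outward and to where. The script below is an added example, not posted by anyone in the thread; it parses `netstat -ano` style output and a PID-to-image mapping of the kind `tasklist` gives. The netstat snapshot, the PIDs and the image names are constructed for the example (the public address and port numbers mirror the ones Dave quoted, but the process names are invented placeholders, not a claim about what was running on his machine).

```python
import ipaddress

# Constructed `netstat -ano` output in the Windows XP layout. Not captured from
# the thread; the PIDs are invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1030      66.197.138.235:80      ESTABLISHED     1512
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image name map for the same snapshot (what `tasklist` shows).
# "unknown.exe" is a placeholder name, not a real process from the thread.
SAMPLE_TASKS = {4: "System", 900: "svchost.exe", 1512: "unknown.exe"}

# Well-known ports relevant to this thread. Note identd is 113, not 139.
WELL_KNOWN = {
    113: "ident (identd)",
    135: "MS RPC endpoint mapper",
    137: "NetBIOS name service",
    139: "NetBIOS session service (Windows file and printer sharing)",
    445: "SMB over TCP",
}


def parse_netstat(text):
    """Turn netstat -ano output into a list of socket records."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # blank line or column header
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:  # UDP rows have no State column
            proto, local, foreign, pid = parts
            state = ""
        local_ip, local_port = local.rsplit(":", 1)
        foreign_ip, foreign_port = foreign.rsplit(":", 1)
        entries.append({
            "proto": proto,
            "local_ip": local_ip,
            "local_port": int(local_port),
            "foreign_ip": foreign_ip,
            "foreign_port": foreign_port,
            "state": state,
            "pid": int(pid),
        })
    return entries


def listening_ports(entries):
    """Map every listening TCP port and bound UDP port to a service description."""
    found = {}
    for e in entries:
        if e["proto"] == "TCP" and e["state"] != "LISTENING":
            continue
        found[e["local_port"]] = WELL_KNOWN.get(e["local_port"], "unknown service")
    return found


def outbound_to_public(entries, tasks):
    """Return (pid, image, remote) for established TCP connections to non-private hosts."""
    flagged = []
    for e in entries:
        if e["proto"] != "TCP" or e["state"] != "ESTABLISHED":
            continue
        remote = ipaddress.ip_address(e["foreign_ip"])
        if remote.is_private or remote.is_loopback:
            continue  # LAN or local traffic; not "phoning home"
        image = tasks.get(e["pid"], "?")
        flagged.append((e["pid"], image, f"{e['foreign_ip']}:{e['foreign_port']}"))
    return flagged


if __name__ == "__main__":
    records = parse_netstat(SAMPLE_NETSTAT)
    for port, desc in sorted(listening_ports(records).items()):
        print(f"listening {port:5d}  {desc}")
    for pid, image, remote in outbound_to_public(records, SAMPLE_TASKS):
        print(f"outbound  pid {pid} ({image}) -> {remote}")
```

Run against a real snapshot, the listening list shows 139 and 445 as ordinary Windows file-sharing listeners (owned by PID 4, System, on XP), while anything in the outbound list that appears on a cold boot and maps to an image you do not recognise is the connection to chase down.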