Genuine DOS attacks, or Trigger-Happy Router?

N/A

Genuine DOS attacks, or Trigger-Happy Router?

Yesterday & today I've had what my router logged as DOS attacks from four Plusnet networked PCs. I received 55 TCP packets over 4 hours, which probably isn't very many, I suppose, but they were all aimed at ports 1025, 139, 5000, 1025 & other favourites. I've sent two e-mails with log excerpts to the hard-pressed people at abuse@plus.net.

I'm not too concerned, as my router is doing its job, & is stealthed. However, I know that it's generally accepted that someone determined & knowledgeable enough can get past a router & software firewall.

Do others think that these are likely to have been deliberate DOS attacks, or do trojan-infected PCs churn out TCP data? I would just love to post my logs here (!), but I know that that's not really the done thing.

(BTW, I looked carefully at the Sasser Worm & port scan posts, but they don't really cover what I'm thinking about - I'll keep an eye out for the Plusnet development that was mooted by D.Tomlinson on that Sasser Worm thread, altho' I've already seen a post from someone who was directed to a 'Poss Worm alert' page, so Plusnet are obviously trying to be pro-active.)
30 REPLIES
N/A

Genuine DOS attacks, or Trigger-Happy Router?

Sorry - forgot to add that I'm quite sure that they were deliberate attacks, because they were aimed at my router IP address, rather than my static IP address. However, I stand to be corrected.
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Genuine DOS attacks, or Trigger-Happy Router?

55 port scans in 4 hours = normal network noise, and indicates your firewall is doing its job.

Even though your firewall may have reported these as DoS attacks, they are not at the rates you are seeing them. I suspect it's just a standard firewall log message being used rather than a specific identification of a DoS attack.

This amount of 'noise' is really not worth bothering abuse with, as there are no real grounds for them to act. You have to be in the hundreds or thousands of port scans before it is worth their time to investigate.

Ignore it unless you see an effect on your ADSL throughput, i.e. it affects your normal browsing activities.
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Genuine DOS attacks, or Trigger-Happy Router?

Quote
Sorry - forgot to add that I'm quite sure that they were deliberate attacks, because they were aimed at my router IP address, rather than my static IP address. However, I stand to be corrected.


Is your router IP address really different to your PlusNet assigned IP address? Normally they are one and the same. Please clarify what you mean by the above, quoting examples of what the two are (i.e. add xxx to some numbers to remain anonymous, but leave enough for us to determine the difference between them).
N/A

Genuine DOS attacks, or Trigger-Happy Router?

Netgear DG834's tend to wrongly indicate DoS attacks for a number of normal "port scans".
As said, 55 instances in 4 hours is not a great deal and will make practically no difference to your connection speed.

I have been emailing people who appear in my firewall log, to help reduce the pressure on PlusNet abuse, only getting a less than 10% reply. 95% of those appearing in my log have no webpage. Two, which have commercial-looking sites, have not responded to emails sent directly to postmaster and the address appearing on the webpage. Obviously, they do no business off those websites.
Community Veteran
Posts: 3,181
Thanks: 19
Fixes: 2
Registered: 31-07-2007

Genuine DOS attacks, or Trigger-Happy Router?

If you ever get a true DDoS attack you will know it. I've had 2 in the last 6 years of IRC, down to an idiot on IRC. Think more along the lines of thousands of probes that last as long as the abuser has bots that have a connection active, or the idiot gets bored and hits someone else.
Unvalued customer since 2001 funding cheap internet for others / DSL/Fibre house move 24 month regrade from 8th May 2017
N/A

Genuine DOS attacks, or Trigger-Happy Router?

Yeah, if it was a DoS attack it would be a few hundred a second... and your line wouldn't last 4 hours :p
N/A

Genuine DOS attacks, or Trigger-Happy Router?

Thanks to all for the clarification, including to petervaughan for the context in which it might be worth reporting intrusions.

Having said that, I'm still wondering whether there's deliberate targeting of my router. petervaughan wrote:
Quote
Is your router IP address really different to your PlusNet assigned IP address? Normally they are one and the same. Please clarify what you mean by the above, quoting examples of what the two are


I think that my router IP address is 192.xxx.x.x whereas my static IP address is 80.229.x.x. I thought that I used to get intrusions aimed at the ports of the latter, but I'm certainly getting them coming at my 192 address.

What cqg4uzg says about the Netgear does strike a chord, as when I had only my ZA firewall, I never had anything which was reg'd as a DOS attack.

I probably need to read up a bit more about normal network noise. I'll do a google, and check some of the PN tutorial pages.
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Genuine DOS attacks, or Trigger-Happy Router?

The 80.229.x.x will be your internet (i.e. PlusNet) side of your router and the 192.168.x.x will be your local network side of your router.

Anyone from the internet who wanted to connect to your router would use the 80.229.x.x address, anyone from your internal network who wanted to connect to your router would use 192.168.x.x (like you do when you set it up). So an internet scan would have 80.229.x.x as the destination port and something else as the source. An internal scan will have 192.168.x.x as the destination port and some other IP as the source. In both cases the source port may be spoofed.

It is not possible for people on the internet to try to connect to your 192.168.x.x IP address so if you are seeing any firewall logs with that address in the destination port, then they are coming from your internal network and not from the internet.

It is not possible to use 192.168.X.X addresses to route packets over the internet as it is classed as a private non-routing address. i.e. I could not try to connect to 192.168.X.X because no router on the internet would know where that is.

So to try and clear up any confusion, can you post some lines from your firewall log, suitably anonymised, so we can explain exactly what you are getting.
N/A

Genuine DOS attacks, or Trigger-Happy Router?

Thanks for the clear explanation. It's always good to learn.

I attach an excerpt from my router log below (suitably anonymised):

Quote
Sun, 2004-06-06 17:30:08 - TCP Packet - Source:80.229.23.xxx,4122 Destination:192.168.x.x,139 - [DOS]
Sun, 2004-06-06 17:48:17 - TCP Packet - Source:80.229.23.xxx,1702 Destination:192.168.x.x,1433 - [DOS]
Sun, 2004-06-06 17:48:17 - TCP Packet - Source:80.229.23.xxx,1703 Destination:192.168.x.x,5000 - [DOS]
Sun, 2004-06-06 17:48:20 - TCP Packet - Source:80.229.23.xxx,1699 Destination:192.168.x.x,6129 - [DOS]
Sun, 2004-06-06 17:48:20 - TCP Packet - Source:80.229.23.xxx,1701 Destination:192.168.x.x,139 - [DOS]
Sun, 2004-06-06 17:48:20 - TCP Packet - Source:80.229.23.xxx,1702 Destination:192.168.x.x,1433 - [DOS]
Sun, 2004-06-06 17:48:20 - TCP Packet - Source:80.229.23.xxx,1703 Destination:192.168.x.x,5000 - [DOS]
Sun, 2004-06-06 17:48:25 - TCP Packet - Source:80.229.23.xxx,1690 Destination:192.168.x.x,1025 - [DOS]
Sun, 2004-06-06 17:48:25 - TCP Packet - Source:80.229.23.xxx,1687 Destination:192.168.x.x,2745 - [DOS]
Sun, 2004-06-06 18:33:35 - TCP Packet - Source:80.229.163.xx,3410 Destination:192.168.x.x,1433 - [DOS]
Sun, 2004-06-06 18:33:35 - TCP Packet - Source:80.229.163.xx,3411 Destination:192.168.x.x,5000 - [DOS]
Sun, 2004-06-06 18:33:35 - TCP Packet - Source:80.229.163.xx,3412 Destination:192.168.x.x,80 - [DOS]
Sun, 2004-06-06 18:33:37 - TCP Packet - Source:80.229.163.xx,3403 Destination:192.168.x.x,3127 - [DOS]
Sun, 2004-06-06 18:33:37 - TCP Packet - Source:80.229.163.xx,3407 Destination:192.168.x.x,6129 - [DOS]
Sun, 2004-06-06 18:33:37 - TCP Packet - Source:80.229.163.xx,3408 Destination:192.168.x.x,139 - [DOS]
Sun, 2004-06-06 18:33:37 - TCP Packet - Source:80.229.163.xx,3410 Destination:192.168.x.x,1433 - [DOS]
Sun, 2004-06-06 18:33:37 - TCP Packet - Source:80.229.163.xx,3411 Destination:192.168.x.x,5000 - [DOS]
Sun, 2004-06-06 18:33:37 - TCP Packet - Source:80.229.163.xx,3412 Destination:192.168.x.x,80 - [DOS]
Sun, 2004-06-06 18:33:43 - TCP Packet - Source:80.229.163.xx,3403 Destination:192.168.x.x,3127 - [DOS]
Sun, 2004-06-06 18:33:43 - TCP Packet - Source:80.229.163.xx,3398 Destination:192.168.x.x,1025 - [DOS]
Sun, 2004-06-06 18:33:43 - TCP Packet - Source:80.229.163.xx,3396 Destination:192.168.x.x,2745 - [DOS]
Sun, 2004-06-06 19:36:02 - TCP Packet - Source:80.229.50.xxx,4615 Destination:192.168.x.x,6129 - [DOS]
Sun, 2004-06-06 19:36:02 - TCP Packet - Source:80.229.50.xxx,4617 Destination:192.168.x.x,139 - [DOS]
Sun, 2004-06-06 19:36:02 - TCP Packet - Source:80.229.50.xxx,4618 Destination:192.168.x.x,1433 - [DOS]
Sun, 2004-06-06 19:36:02 - TCP Packet - Source:80.229.50.xxx,4624 Destination:192.168.x.x,5000 - [DOS]
Sun, 2004-06-06 19:36:02 - TCP Packet - Source:80.229.50.xxx,4637 Destination:192.168.x.x,80 - [DOS]
Sun, 2004-06-06 19:36:05 - TCP Packet - Source:80.229.50.xxx,4611 Destination:192.168.x.x,3127 - [DOS]
Sun, 2004-06-06 19:36:05 - TCP Packet - Source:80.229.50.xxx,4615 Destination:192.168.x.x,6129 - [DOS]
Sun, 2004-06-06 19:36:05 - TCP Packet - Source:80.229.50.xxx,4617 Destination:192.168.x.x,139 - [DOS]
Sun, 2004-06-06 19:36:05 - TCP Packet - Source:80.229.50.xxx,4618 Destination:192.168.x.x,1433 - [DOS]
Sun, 2004-06-06 19:36:05 - TCP Packet - Source:80.229.50.xxx,4624 Destination:192.168.x.x,5000 - [DOS]
Sun, 2004-06-06 19:36:05 - TCP Packet - Source:80.229.50.xxx,4637 Destination:192.168.x.x,80 - [DOS]
Sun, 2004-06-06 19:36:11 - TCP Packet - Source:80.229.50.xxx,4595 Destination:192.168.x.x,135 - [DOS]
Sun, 2004-06-06 19:36:11 - TCP Packet - Source:80.229.50.xxx,4590 Destination:192.168.x.x,2745 - [DOS]
Sun, 2004-06-06 19:36:11 - TCP Packet - Source:80.229.50.xxx,4637 Destination:192.168.x.x,80 - [DOS]
Sun, 2004-06-06 19:36:11 - TCP Packet - Source:80.229.50.xxx,4624 Destination:192.168.x.x,5000 - [DOS]
Sun, 2004-06-06 19:36:11 - TCP Packet - Source:80.229.50.xxx,4618 Destination:192.168.x.x,1433 - [DOS]
Sun, 2004-06-06 20:12:56 - TCP Packet - Source:80.229.166.xx,4303 Destination:192.168.x.x,1433 - [DOS]
Sun, 2004-06-06 20:12:56 - TCP Packet - Source:80.229.166.xx,4305 Destination:192.168.x.x,5000 - [DOS]
Sun, 2004-06-06 20:12:56 - TCP Packet - Source:80.229.166.xx,4306 Destination:192.168.x.x,80 - [DOS]
Sun, 2004-06-06 20:12:59 - TCP Packet - Source:80.229.166.xx,4299 Destination:192.168.x.x,3127 - [DOS]
Sun, 2004-06-06 20:12:59 - TCP Packet - Source:80.229.166.xx,4300 Destination:192.168.x.x,6129 - [DOS]
Sun, 2004-06-06 20:12:59 - TCP Packet - Source:80.229.166.xx,4302 Destination:192.168.x.x,139 - [DOS]
Sun, 2004-06-06 20:12:59 - TCP Packet - Source:80.229.166.xx,4303 Destination:192.168.x.x,1433 - [DOS]
Sun, 2004-06-06 20:12:59 - TCP Packet - Source:80.229.166.xx,4306 Destination:192.168.x.x,80 - [DOS]


Hope that this helps.
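The two points made above (petervaughan's: an RFC 1918 destination such as 192.168.x.x cannot have been reached from the internet, and adp's further down: a real flood is hundreds of packets per second per source, not a handful over hours) can both be checked mechanically against a DG834-style log. The following is an added example, not code from any poster or from Netgear; the log lines it contains are constructed in the same format as the excerpt above, using documentation addresses (203.0.113.x, 198.51.100.x) rather than the real sources, and the 100 packets/second dividing line is an assumed threshold chosen to match the "hundreds a second" rule of thumb.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed threshold: one source sending >= 100 packets in a single second is treated
# as flood rate; anything slower is counted as ordinary scan noise.
FLOOD_PPS = 100

# RFC 1918 ranges are not routable across the internet, so a packet with one of these
# as its destination can only have originated on the LAN side of the router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the DG834 log format quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<proto>\w+) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) Destination:(?P<dst>[\d.]+),(?P<dport>\d+) - "
    r"\[(?P<tag>\w+)\]$"
)

# Constructed sample in the DG834 format; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sun, 2004-06-06 17:48:17 - TCP Packet - Source:203.0.113.23,1702 Destination:192.168.0.2,1433 - [DOS]
Sun, 2004-06-06 17:48:17 - TCP Packet - Source:203.0.113.23,1703 Destination:192.168.0.2,5000 - [DOS]
Sun, 2004-06-06 17:48:20 - TCP Packet - Source:203.0.113.23,1699 Destination:192.168.0.2,6129 - [DOS]
Sun, 2004-06-06 17:48:20 - TCP Packet - Source:203.0.113.23,1701 Destination:192.168.0.2,139 - [DOS]
Sun, 2004-06-06 17:48:25 - TCP Packet - Source:203.0.113.23,1690 Destination:192.168.0.2,1025 - [DOS]
Sun, 2004-06-06 18:33:35 - TCP Packet - Source:203.0.113.163,3410 Destination:192.168.0.2,1433 - [DOS]
Sun, 2004-06-06 18:33:35 - TCP Packet - Source:203.0.113.163,3412 Destination:192.168.0.2,80 - [DOS]
Sun, 2004-06-06 18:33:37 - TCP Packet - Source:203.0.113.163,3403 Destination:192.168.0.2,3127 - [DOS]
"""


def build_flood_sample(n=300):
    """Constructed contrast case: n probes from one source inside the same second."""
    return "\n".join(
        f"Sun, 2004-06-06 20:00:00 - TCP Packet - Source:198.51.100.7,{40000 + i} "
        f"Destination:192.168.0.2,80 - [DOS]"
        for i in range(n)
    )


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a, %Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_rfc1918(ip):
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def analyse(log_text, flood_pps=FLOOD_PPS):
    """Summarise a log per source: packet count, peak packets/second, ports probed,
    whether every destination was a private address, and a noise-vs-flood verdict."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_src[rec["src"]].append(rec)

    report = {}
    for src, recs in per_src.items():
        per_second = defaultdict(int)
        for r in recs:
            per_second[r["ts"]] += 1          # timestamps have one-second resolution
        peak = max(per_second.values())
        report[src] = {
            "packets": len(recs),
            "peak_pps": peak,
            "ports": sorted({r["dport"] for r in recs}),
            # A private destination means the packet was seen on the LAN side, so the
            # entry is not evidence of an internet-side attack on its own.
            "private_destination": all(is_rfc1918(r["dst"]) for r in recs),
            "verdict": "flood rate" if peak >= flood_pps else "scan noise",
        }
    return report


if __name__ == "__main__":
    for src, summary in analyse(SAMPLE_LOG + build_flood_sample()).items():
        print(src, summary)
```

The per-source verdict is deliberately based on the peak rate within one second rather than the total count, because a slow sweep across a dozen ports over an hour and a genuine flood can both produce large totals in a long enough log; only the second measure saturates a line. The `private_destination` flag reproduces the check petervaughan describes: if it is true for internet-side log entries, the router's logging or forwarding configuration needs looking at before the entries are treated as evidence of anything.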
Community Veteran
Posts: 3,181
Thanks: 19
Fixes: 2
Registered: 31-07-2007

Genuine DOS attacks, or Trigger-Happy Router?

That's just someone with a virus/trojan that's trying to spread. If a true attack, it would be hundreds of probes from each IP every second, so filling your inbound traffic completely, leaving you with no usable connection.
Unvalued customer since 2001 funding cheap internet for others / DSL/Fibre house move 24 month regrade from 8th May 2017
N/A

Genuine DOS attacks, or Trigger-Happy Router?

Thanks, adp 450. So if I understand this correctly, then, the four different PCs in my router log have been infected, the 2nd-4th probably in tandem from the 1st, & all of them are then spraying out packets of data to various IP addresses in the PN network. What intrigues is that they seem to do this in relay, or perhaps that's how this particular virus has been set up, I suppose.

I'm off to google Net virus behaviour...
N/A

Genuine DOS attacks, or Trigger-Happy Router?

Quote
What intrigues is that they seem to do this in relay


Pure coincidence I think.

However, you should not be getting anything reaching your 192.168.x.x internal network to trigger a report. The scans should all show up as going to your 80.229.x.x.
I would say there is something wrong.

Do you have any firewall bypass rules set up? Have you changed any configs from the default settings to host games, set up a DMZ or anything similar?
N/A

Genuine DOS attacks, or Trigger-Happy Router?

Yep - after setting up my router, I went to the Shields Up site & discovered that ports 1024-1030, 1720 & 5000 showed as closed, not stealthed.

Someone in the PN forums suggested a workaround, which involved my forwarding all incoming data to a non-existent PC on my LAN. That worked very well. Memory tells me that it's only been recently that I've been getting intrusions logged as going to my LAN, though (I don't have a Syslog server address to save logs to, so I can't check). I don't have a DMZ, as I don't play any games.

(BTW, I've just found that the DG 834 router settings show that it does log DOS attacks & port scans together)
N/A

Genuine DOS attacks, or Trigger-Happy Router?

Ahhh, a few possible problems

Firstly, the DG834 in default settings should show all ports as being stealthed by default. Well, mine and at least two others I know of do.
I would certainly look at the results again, making sure nothing on your machine is opening the ports (Messenger, chat programmes, servers, malware, viruses). Have you got UPnP enabled? Unless you are using Messenger, disable it.

Now a possible problem: have you got the router set as DHCP server, and the "black hole IP" set as fixed? If so, it is possible that at some time the router could assign the "black hole IP" as your PC's gateway and then you are open to the net with absolutely no protection. You are in effect setting up a DMZ, but without quarantining the IP.
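The risk described in the last two posts, forwarding all inbound traffic to a "non-existent" LAN address that the router's DHCP server could later hand to a real machine, is a configuration check rather than a traffic question. The following is an added example, not code from any poster or from Netgear: it takes the LAN subnet, the DHCP pool bounds, the router's own address, any known leases and the forwarding target, and reports whether the target could collide with a real host. The function and parameter names are hypothetical, and the addresses in the sample call are constructed.

```python
import ipaddress


def check_blackhole_target(lan_subnet, dhcp_start, dhcp_end, gateway, target, leases=()):
    """Return a list of findings about a 'black hole' forwarding target.

    An empty list means the target is inside the LAN subnet, outside the DHCP pool,
    is not the router itself, and does not currently match a known lease.
    """
    net = ipaddress.ip_network(lan_subnet, strict=False)
    tgt = ipaddress.ip_address(target)
    pool_lo, pool_hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    gw = ipaddress.ip_address(gateway)
    findings = []

    if tgt not in net:
        findings.append("target is outside the LAN subnet, so the router cannot forward to it")
    if tgt in (net.network_address, net.broadcast_address):
        findings.append("target is the network or broadcast address")
    if tgt == gw:
        # Forwarding everything to the router itself would expose its own services.
        findings.append("target is the router's own address")
    if pool_lo <= tgt <= pool_hi:
        # This is the case the thread warns about: the DHCP server may later lease the
        # address to a real PC, which then receives all forwarded inbound traffic.
        findings.append("target lies inside the DHCP pool and may be leased to a real PC")
    if tgt in {ipaddress.ip_address(l) for l in leases}:
        findings.append("target currently matches an active lease")
    return findings


def suggest_blackhole_target(lan_subnet, dhcp_start, dhcp_end, gateway, leases=()):
    """Pick the lowest usable address in the subnet that is outside the DHCP pool,
    is not the router, and has no lease; return None if the pool covers everything."""
    net = ipaddress.ip_network(lan_subnet, strict=False)
    for candidate in net.hosts():
        if not check_blackhole_target(lan_subnet, dhcp_start, dhcp_end, gateway,
                                      str(candidate), leases):
            return str(candidate)
    return None


if __name__ == "__main__":
    # Constructed configuration: a /24 LAN whose DHCP pool spans the whole range.
    bad = check_blackhole_target("192.168.0.0/24", "192.168.0.2", "192.168.0.254",
                                 "192.168.0.1", "192.168.0.250", leases=["192.168.0.3"])
    print("full pool:", bad)
    # Same LAN with the pool shrunk so that .101 onwards is free for static use.
    good = check_blackhole_target("192.168.0.0/24", "192.168.0.2", "192.168.0.100",
                                  "192.168.0.1", "192.168.0.250")
    print("shrunk pool:", good)
    print("suggested:", suggest_blackhole_target("192.168.0.0/24", "192.168.0.2",
                                                 "192.168.0.100", "192.168.0.1"))
```

The practical fix the check points at is the same one a DMZ would need: shrink the DHCP pool so the forwarding target can never be leased, or reserve the address explicitly, rather than relying on the pool happening not to reach it.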