
DDOS to my router

FIXED
VileReynard
Seasoned Pro
Posts: 10,824
Thanks: 249
Fixes: 10
Registered: 01-09-2007

DDOS to my router

Why would someone attack my router continuously for the last several days (at least)?

[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:57
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:44
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:33
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:19
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:09
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:01:58
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:01:48
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:01:35
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:01:23
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:01:13
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:01:03
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:00:50
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:00:40
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:00:27
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:00:14

etc...

9 REPLIES
Community Veteran
Posts: 14,345
Thanks: 685
Fixes: 10
Registered: 01-08-2007

Re: DDOS to my router

Who have you been upsetting now?

I need a new signature... i'm bored of the old one!
Browni
Aspiring Hero
Posts: 2,178
Thanks: 746
Fixes: 45
Registered: 02-03-2016

Re: DDOS to my router

Perhaps they know you?
I must have been really bad in a previous life as this was my 3rd ISP in a row that used lithium.
Now you're stuck with me because my new ISP doesn't run a forum
Community Veteran
Posts: 38,460
Thanks: 1,027
Fixes: 62
Registered: 15-06-2007

Re: DDOS to my router

the anti fox hunting brigade

Community Veteran
Posts: 26,678
Thanks: 900
Fixes: 10
Registered: 10-04-2007

Re: DDOS to my router

I think you can report that by email to abuse@plus.net

Do you have the Plusnet firewall on?

jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
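
To back up a report to the ISP's abuse address as suggested above, the router log can be condensed into attack episodes. This is an added example, not part of any post in the thread; the five 23:02 entries are copied from the opening post, while the last two sample lines and the 5-minute gap threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# First five lines are copied from the opening post; the last two are constructed.
SAMPLE_LOG = """\
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:57
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:44
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:33
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:19
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 23:02:09
[admin login] from source 192.168.0.2, Tuesday, Oct 31,2017 22:10:00
[DoS attack: TCP SYN Flood] multi-source syn flood attack in last 20 sec , Tuesday, Oct 31,2017 21:15:30
"""

# "[DoS attack: <kind>] <message> , <weekday>, <Mon DD,YYYY HH:MM:SS>"
ENTRY = re.compile(
    r"^\[DoS attack: (?P<kind>[^\]]+)\].*?,\s*\w+,\s*"
    r"(?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})\s*$"
)

def parse(log_text):
    """Return (timestamp, kind) tuples sorted oldest first; non-DoS lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
            events.append((ts, m["kind"]))
    return sorted(events)

def episodes(events, max_gap=timedelta(minutes=5)):
    """Group alerts of one kind into episodes; a gap above max_gap starts a new one."""
    out = []
    for ts, kind in events:
        if out and out[-1]["kind"] == kind and ts - out[-1]["end"] <= max_gap:
            out[-1]["end"] = ts
            out[-1]["count"] += 1
        else:
            out.append({"kind": kind, "start": ts, "end": ts, "count": 1})
    return out

def report(log_text):
    """One summary line per episode, suitable for pasting into an abuse report."""
    return [
        f"{e['kind']}: {e['count']} alerts, {e['start']:%Y-%m-%d %H:%M:%S} to {e['end']:%H:%M:%S}"
        for e in episodes(parse(log_text))
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Timestamps are in the router's local time, so a report should state the time zone alongside the summary.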
VileReynard
Seasoned Pro
Posts: 10,824
Thanks: 249
Fixes: 10
Registered: 01-09-2007

Re: DDOS to my router

Fix

I don't have the Plusnet firewall switched on, I never have had.

A SYN attack uses random ports in an attempt to overload a connection.

My 65/18 connection was severely impacted at times.

I've just tried disconnecting the router for a few minutes and Plusnet have finally allocated me a new IP address.

So it is now "cured".

But if your IP address is x.x.89.61 then you may encounter problems.

Community Veteran
Posts: 14,345
Thanks: 685
Fixes: 10
Registered: 01-08-2007

Re: DDOS to my router


VileReynard wrote:

But if your IP address is x.x.89.61 then you may encounter problems.


So for your sins you've passed the buck to some other poor soul.

I need a new signature... i'm bored of the old one!
VileReynard
Seasoned Pro
Posts: 10,824
Thanks: 249
Fixes: 10
Registered: 01-09-2007

Re: DDOS to my router

And after a few hours delay it followed me to my IP address (146.198.x.x) - there doesn't appear to be much point in secrecy since every man and his dog has decided to practice SYN attacks on it.

I expect the entire Plusnet IP range is being attacked?

It's so pointless, especially when I have no port forwarding.

A whois gives

whois 146.198.x.x

...

NetRange:       146.198.0.0 - 146.198.255.255
CIDR:           146.198.0.0/16
NetName:        PLUSNET3
NetHandle:      NET-146-198-0-0-1
Parent:         NET146 (NET-146-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS6871
Organization:   INFONET Services Corporation (INFO)
RegDate:        1991-02-28
Updated:        2015-03-12
Ref:            https://whois.arin.net/rest/net/NET-146-198-0-0-1

OrgName:        INFONET Services Corporation
OrgId:          INFO
Address:        2160 East Grand Avenue
City:           El Segundo
StateProv:      CA
PostalCode:     90245-1022
Country:        US
RegDate:        
Updated:        2017-01-28
Ref:            https://whois.arin.net/rest/org/INFO

...

Is this right?

Moderator's note by Mike (Mav): Full IP address edited in a public forum.

Community Veteran
Posts: 14,345
Thanks: 685
Fixes: 10
Registered: 01-08-2007

Re: DDOS to my router

So get yourself a plusnet hubone. That has no visible logging so you won't be able to see the attacks to worry about them.

EDIT: Actually it does log stuff.. sorry, I only found that around 10 minutes later when trying to do something else in the admin pages.

Incidentally I have port 80 open and redirected to my desktop PC for the Apache webserver. When I look in the database I can see loads of bots have been trying to exploit phpmyadmin setup script logs and various other things. People are out there scanning and attempting to attack all the time. In my case they make contact with the default host on my Apache which has one web page and nothing else. My actual websites are all on virtual hosts and the admin site with phpmyadmin installed is on a virtual host only accessible to the local network.

I've accepted that they'll always be there trying.. it's just one of those things.

I need a new signature... i'm bored of the old one!
Community Veteran
Posts: 1,442
Thanks: 229
Fixes: 31
Registered: 13-08-2015

Re: DDOS to my router

I would be checking my PCs/laptops with Malwarebytes and all the antivirus software I could find, there is a good chance that something on one of your devices is calling somewhere to start these DDOS attacks.

As for the IP address, it is well known that PN have used other BT division addresses when they expanded their network, and that many of the IP address checkers are out of date. It can cause access difficulties with some sites, but these seem to be getting less troublesome.