DOS Attack

Alright something weird has been going on in the past few days, I've been a victim of DoS attacks.

Here is a log from my router:

[DOS Attack] : 1 [Teardrop] packets detected in last 20 seconds, source ip [88.115.245.32]
Thursday, Apr 28,2011 08:17:23
[DOS Attack] : 1 [ACK Scan] packets detected in last 20 seconds, source ip [92.123.154.223]
Thursday, Apr 28,2011 00:14:47
[DOS Attack] : 1 [FIN Scan] packets detected in last 20 seconds, source ip [92.123.154.223]
Tuesday, Apr 26,2011 23:39:05
[DOS Attack] : 1 [ACK Scan] packets detected in last 20 seconds, source ip [92.123.154.119]
Tuesday, Apr 26,2011 23:35:55
[Admin login] from source 192.168.0.2, Tuesday, Apr 26,2011 23:33:10

Anyone know why this is happening and what might be doing this?

I've considered emailing my ISP and changing my IP address. The only forum I visit is this one so not sure why this is happening to me!
 
Doubt it's a DOS attack targeted at you, router DOS detection is fairly strict and easily tripped, it's probably just some random bot scanning PCs for open ports and other weaknesses or the person who had that IP last was connected to a lot of torrents and they are still clearing connections, etc.
 

Right that makes sense. I am constantly downloading torrents so that is probably it. Just thought it was weird when I checked my router log :p

Any tips to prevent this? I only have the standard Windows firewall.
 
If it's Netgear then the router's blocking legit traffic. Been a decade and they still can't fix their crap timings. Steam > server browser > refresh (all filters off) and they think you're being dosed. Linksys are guilty of this too, but less so and their routers tend to accept Tomato which never had this problem.

Then again, no correctly configured firewall would unless it was deliberate but I see no logical reason for a consumer router to be so paranoid when anyone that needed that level of protection at home wouldn't have bought a Netgear over something like a Cisco/SonicWall to begin with :-/
 
Unless you notice a performance drop on your connection then I would just ignore it. I once had my old Netgear router set to log all incoming traffic and it is surprising just how many random port scans and what not happen every single day. As mentioned torrents can often cause DoS attack like traffic to show up in logs because when you close a torrent client the people you were connected to and downloading/uploading from may still think you are running the client and will spam upload/download requests for sections of the torrent.

It is nothing unusual and not much can be done about it so just ignore it unless it is having a negative impact.
 
Alright can anyone give me advice on what to do? It's really annoying now. I'm being disconnected every hour, can barely download anything and browse sites. I've emailed my ISP and they have changed my IP address. Is there anything else I can do? I'm using Windows Firewall and Microsoft Security Essentials. My brother uses a laptop, could that have anything to do with it?




[Admin login] from source 192.168.0.2, Monday, May 02,2011 18:34:30
[DOS Attack] : 103 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:34:12
[DOS Attack] : 3 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:32:40
[DOS Attack] : 5 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:31:57
[DOS Attack] : 154 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:31:33
[DOS Attack] : 3 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:31:09
[DOS Attack] : 4 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:30:22
[DOS Attack] : 45 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:30:01
[DOS Attack] : 4 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:29:39
[DOS Attack] : 3 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:27:22
[DOS Attack] : 53 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:27:01
[DOS Attack] : 10 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:26:37
[DOS Attack] : 10 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:25:49
[DOS Attack] : 63 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:25:28
[DOS Attack] : 32 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:25:06
[DOS Attack] : 27 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:22:05
[Admin login] from source 192.168.0.2, Monday, May 02,2011 18:20:52
[DOS Attack] : 1 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:20:35
 
Well from the looks of it, it is something on your PC doing it. It says the admin logged in from 192.168.0.2 and if you are that admin then you are the one spamming all those packets as that is the IP on the source of those packets.

Main causes of problems like this can be torrents with too many connections, or when playing online games that use a server browser that opens up tons of connections (like TF2). I know my old netgear router would constantly slow to a crawl and have tons of issues when there are too many connections.
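
The check described in the post above (is the reported source a LAN host, and is it the same host that logged in as admin?) can be run over the whole router log. This is an added example, not part of the original thread; the function name `triage` and the report fields are assumptions, and the sample lines are copied from the logs posted here.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the router logs posted in this thread (a subset).
SAMPLE_LOG = """\
[DOS Attack] : 1 [Teardrop] packets detected in last 20 seconds, source ip [88.115.245.32]
Thursday, Apr 28,2011 08:17:23
[DOS Attack] : 1 [ACK Scan] packets detected in last 20 seconds, source ip [92.123.154.223]
Thursday, Apr 28,2011 00:14:47
[Admin login] from source 192.168.0.2, Monday, May 02,2011 18:34:30
[DOS Attack] : 103 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:34:12
[DOS Attack] : 154 [STORM] packets detected in last 20 seconds, source ip [192.168.0.2]
Monday, May 02,2011 18:31:33
"""

ALERT_RE = re.compile(
    r"\[DOS Attack\] : (\d+) \[([^\]]+)\] packets detected in last "
    r"(\d+) seconds, source ip \[([^\]]+)\]"
)
LOGIN_RE = re.compile(r"\[Admin login\] from source (\S+?),")


def triage(log_text):
    """Summarise alerts per (source, type) and tag each source as LAN or WAN."""
    admins = set(LOGIN_RE.findall(log_text))
    summary = defaultdict(lambda: {"alerts": 0, "packets": 0, "peak": 0})
    for count, kind, _window, src in ALERT_RE.findall(log_text):
        entry = summary[(src, kind)]
        entry["alerts"] += 1
        entry["packets"] += int(count)
        entry["peak"] = max(entry["peak"], int(count))
    report = []
    for (src, kind), stats in summary.items():
        origin = "LAN" if ipaddress.ip_address(src).is_private else "WAN"
        report.append({"source": src, "type": kind, "origin": origin,
                       "admin_host": src in admins, **stats})
    # Internal sources first, then by packet volume.
    return sorted(report, key=lambda r: (r["origin"] != "LAN", -r["packets"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A LAN source that is also the admin host points at a machine inside the network rather than an outside party, which is the conclusion the post reaches from the 192.168.0.2 entries.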
 
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Ross>netstat -n

Active Connections

Proto Local Address Foreign Address State
TCP 127.0.0.1:49844 127.0.0.1:80 SYN_SENT
TCP 127.0.0.1:56682 127.0.0.1:56683 ESTABLISHED
TCP 127.0.0.1:56683 127.0.0.1:56682 ESTABLISHED
TCP 127.0.0.1:56684 127.0.0.1:56685 ESTABLISHED
TCP 127.0.0.1:56685 127.0.0.1:56684 ESTABLISHED
TCP 192.168.0.2:49450 75.176.53.121:63691 ESTABLISHED
TCP 192.168.0.2:49527 116.15.26.188:55887 ESTABLISHED
TCP 192.168.0.2:49577 142.167.166.92:54126 TIME_WAIT
TCP 192.168.0.2:49639 95.211.88.54:80 TIME_WAIT
TCP 192.168.0.2:49658 209.85.143.104:80 ESTABLISHED
TCP 192.168.0.2:49667 193.107.16.156:2710 TIME_WAIT
TCP 192.168.0.2:49669 209.85.143.104:80 ESTABLISHED
TCP 192.168.0.2:49686 94.228.210.86:6969 TIME_WAIT
TCP 192.168.0.2:49694 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49695 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49696 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49698 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49700 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49708 69.237.48.255:23116 ESTABLISHED
TCP 192.168.0.2:49720 93.184.221.133:80 LAST_ACK
TCP 192.168.0.2:49721 93.184.221.133:80 LAST_ACK
TCP 192.168.0.2:49722 93.184.221.133:80 LAST_ACK
TCP 192.168.0.2:49723 93.184.221.133:80 LAST_ACK
TCP 192.168.0.2:49724 93.184.221.133:80 LAST_ACK
TCP 192.168.0.2:49734 193.107.209.242:2710 TIME_WAIT
TCP 192.168.0.2:49739 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49740 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49746 95.211.88.49:80 TIME_WAIT
TCP 192.168.0.2:49776 72.19.49.245:23315 ESTABLISHED
TCP 192.168.0.2:49777 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49778 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49779 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49780 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49781 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49782 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49783 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49784 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49786 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49788 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49789 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49793 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49794 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49795 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49797 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49801 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49812 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49813 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49815 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49816 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49818 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49819 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49821 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49828 94.228.210.47:6969 SYN_SENT
TCP 192.168.0.2:49829 80.236.122.63:33609 SYN_SENT
TCP 192.168.0.2:49830 209.85.143.101:80 ESTABLISHED
TCP 192.168.0.2:49832 208.73.210.29:6997 SYN_SENT
TCP 192.168.0.2:49833 93.103.129.64:61099 SYN_SENT
TCP 192.168.0.2:49834 117.194.196.220:59351 LAST_ACK
TCP 192.168.0.2:49837 89.107.187.165:6969 SYN_SENT
TCP 192.168.0.2:49838 66.29.81.115:80 SYN_SENT
TCP 192.168.0.2:49839 178.21.22.110:2710 SYN_SENT
TCP 192.168.0.2:49840 218.145.160.136:8080 SYN_SENT
TCP 192.168.0.2:49841 69.43.160.175:6969 SYN_SENT
TCP 192.168.0.2:64749 207.46.124.202:80 ESTABLISHED
TCP 192.168.0.2:65125 24.56.200.140:49694 FIN_WAIT_1
TCP 192.168.0.2:65126 184.79.233.190:48732 ESTABLISHED
TCP [2001:0:4137:9e76:24aa:48c:a1e1:cae0]:49703 [2001:0:4137:9e76:308a:1f7
a:e7c7:3773]:49694 ESTABLISHED
TCP [2001:0:4137:9e76:24aa:48c:a1e1:cae0]:49836 [2001:0:5ef5:79fd:2493:35f
a:2a41:3716]:47758 ESTABLISHED
TCP [2001:0:4137:9e76:24aa:48c:a1e1:cae0]:49842 [2001:0:4137:9e76:1035:16a
7:a17b:adec]:58513 SYN_SENT
TCP [2001:0:4137:9e76:24aa:48c:a1e1:cae0]:49843 [2002:7680:507::7680:507]:
46250 SYN_SENT

I've barely been able to do anything today, the internet speed drops every 2-3 minutes. I have to click "refresh" in the wireless network tray to make the internet do anything. I've restarted the router several times. I have no idea what could be causing this, it's extremely frustrating. Hope someone can help
 
Can you close your browser (ensure it is shut with CTRL ALT DEL-Processes), wait 3 mins and then do that procedure again. You have a LOT of web sessions open there (Mostly OCUK ;P)
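
To see which destinations account for the sessions in a `netstat -n` listing like the one posted above, the rows can be grouped by remote endpoint and state. This is an added example, not part of the original thread; the function names are assumptions, and the sample rows (including one IPv6 row wrapped by the console) are copied from the posted output.

```python
from collections import Counter

# Rows copied from the netstat -n output posted in this thread (a subset).
SAMPLE_NETSTAT = """\
Proto Local Address Foreign Address State
TCP 127.0.0.1:56682 127.0.0.1:56683 ESTABLISHED
TCP 192.168.0.2:49450 75.176.53.121:63691 ESTABLISHED
TCP 192.168.0.2:49694 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49695 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49696 91.151.218.11:80 TIME_WAIT
TCP 192.168.0.2:49720 93.184.221.133:80 LAST_ACK
TCP 192.168.0.2:49828 94.228.210.47:6969 SYN_SENT
TCP [2001:0:4137:9e76:24aa:48c:a1e1:cae0]:49843 [2002:7680:507::7680:507]:
46250 SYN_SENT
"""


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Return (local, foreign, state) rows, rejoining console-wrapped lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("TCP "):
            rows.append(line)
        elif rows and len(rows[-1].split()) < 4:
            rows[-1] += line  # continuation of a row wrapped at 80 columns
    return [tuple(r.split()[1:4]) for r in rows if len(r.split()) == 4]


def summarise(text):
    """Count sessions per state and per remote endpoint, ignoring loopback."""
    states, remotes = Counter(), Counter()
    for _local, foreign, state in parse_netstat(text):
        host, port = split_endpoint(foreign)
        if host.startswith("127.") or host == "::1":
            continue  # loopback pairs never cross the router
        states[state] += 1
        remotes[(host, port)] += 1
    return states, remotes


if __name__ == "__main__":
    print(*summarise(SAMPLE_NETSTAT), sep="\n")
```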
 
Alright I'll do that now then. I've scanned my computer with a few spyware/virus/malware programs and I've not got any viruses.
 
C:\Users\Ross>netstat -n

Active Connections

Proto Local Address Foreign Address State
TCP 192.168.0.2:50272 192.168.0.1:5000 TIME_WAIT

I download torrents a lot and I've never had this problem before, I haven't changed any settings on utorrent or my router so I can't understand why my internet is messing up like this :(

Any idea what could be wrong mate?
 
Netstat looks fine!
Only one connection open and that looks like it's to your router.

Does your net drop out even without torrenting?
 
Yeah it did a few times about an hour ago. I click a webpage, part of it loads, then it stops. I then click the little refresh icon when I click the wireless tray icon and the rest of the web page loads. Then it just hangs there and I have to wait a minute for the internet to come back or restart my router. When I have utorrent open my torrent speeds go up and down a lot (from 550kb to 30kb)
 
I would suggest turning off the firewall services on your router. I take it that it's a Netgear router? If so the firewalls are shockingly bad for blocking legit data. It is worth a try just to see if this is causing issues.
 
How do I do that? I've gone into firewall rules on my Netgear router and there's nothing there. Is there anything else I need to do mate?
 
Hmm I've never had that problem, only time I've had this is when I've been playing a game and it's got attacked >.<
 
Hm it doesn't seem to have any configurable firewall settings. In this case I would suggest contacting your ADSL provider and explain the speed issues that you are having. From what you have said it seems like you are clean of any viruses and the netstat output shows no connections being made during idle time. I think these "DOS" reports from your router are just false positives and somewhat of a coincidence.

Definitely get on to your ISP mate.
 