DOS attacks. help please

Ok a bit worried at the moment...

I have been having a few problems with my internet connection dropping out. Have been looking at my log files in my wireless router.

to give you a taste

Wed, 2008-02-13 23:15:41 - TCP Packet - Source:71.181.171.152,50603 Destination:my ip,37729 - [DOS]
Wed, 2008-02-13 23:15:41 - TCP Packet - Source:71.181.171.152,50608 Destination:my ip,37729 - [DOS]
Wed, 2008-02-13 23:15:41 - TCP Packet - Source:71.181.171.152,50609 Destination:my ip,37729 - [DOS]
Wed, 2008-02-13 23:15:41 - TCP Packet - Source:71.181.171.152,50604 Destination:my ip,37729 - [DOS]
Wed, 2008-02-13 23:15:41 - TCP Packet - Source:71.181.171.152,50607 Destination:my ip,37729 - [DOS]
Wed, 2008-02-13 23:15:41 - TCP Packet - Source:189.131.229.182,1629 Destination:my ip,37729 - [DOS]
Wed, 2008-02-13 23:15:47 - TCP Packet - Source:71.181.171.152,50606 Destination:my ip,37729 - [DOS]
Wed, 2008-02-13 23:15:47 - TCP Packet - Source:71.181.171.152,50607 Destination:my ip,37729 - [DOS]
Wed, 2008-02-13 23:15:47 - TCP Packet - Source:71.181.171.152,50602 Destination:my ip,37729 - [DOS]
Wed, 2008-02-13 23:15:47 - TCP Packet - Source:71.181.171.152,50603 Destination:my ip,37729 - [DOS]

me thinks this is not good.

But what can I do about it, call sky??

EDIT: there are NO P2P users on my network and no BitTorrent. I currently have two laptops web browsing, that is it.
 
Are you sure you haven't had any torrents running previously in the day/week? Sometimes even after you close a torrent client the connections can still continue for a long time, and this is often what routers confuse as a DOS attack.

If you are sure it has nothing to do with torrents, you can try getting a new IP if you have a dynamic IP address. I'm not sure how Sky does this if that's your ISP, but with a lot of ISPs you can simply turn your modem off for 10-15 min, then turn it on again and hope you've been assigned a new IP.
 
No torrenting in the last months, have done a fresh install about 4 weeks ago so the software isn't even on my computer. My girlfriend doesn't even know what P2P is and I have a rule of absolutely no crap on my Vista desktop PC, which is only 4 weeks old.

By the looks of my logs, I have been given about 6 different IPs in the last 24hrs.
 
Wed, 2008-02-13 22:47:34 - UDP Packet - Source:24.83.111.222,60011 Destination*****,15041 - [DOS]
Wed, 2008-02-13 22:47:34 - UDP Packet - Source:85.179.192.103,34915 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:47:41 - UDP Packet - Source:80.197.250.187,35798 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:48:23 - UDP Packet - Source:77.250.48.179,60000 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:48:52 - UDP Packet - Source:88.172.111.119,32781 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:48:54 - UDP Packet - Source:81.35.35.53,49152 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:48:59 - UDP Packet - Source:85.14.81.69,27292 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:49:12 - TCP Packet - Source:69.112.124.141,45687 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:49:15 - TCP Packet - Source:90.200.60.252,3250 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:49:15 - TCP Packet - Source:69.112.124.141,45687 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:49:53 - UDP Packet - Source:82.69.117.120,10208 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:49:55 - UDP Packet - Source:82.49.28.86,38604 Destination:*****,15041 - [DOS]

sample from earlier. i had a different IP then, different attacking IP and different port
 
Don't worry about it, the internet is full of thousands of infected machines constantly scanning provider ranges and trying to connect on specific port numbers, the only way to get rid of them is to unplug your internet connection.
So long as you have a firewall/router and you're using NAT (almost definitely) you won't have any problems.
 
If it were a DOS attack, you'd get a few thousand packets per second, not 10 over a few seconds/minutes :) I wouldn't worry.
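
The rate argument in the reply above can be checked directly against the router log. This is an added example, not part of any post in the thread: it parses the log format quoted here and reports packets per second, distinct sources and destination ports. The sample lines are constructed with documentation-range addresses, and the `FLOOD_PPS` threshold is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Router log format as quoted in this thread. The colon after "Destination"
# is optional because one pasted line lacks it.
LINE = re.compile(
    r"^\w{3}, (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - (TCP|UDP) Packet - "
    r"Source:([\d.]+),(\d+) Destination:?([^,]*),(\d+) - \[DOS\]$"
)

FLOOD_PPS = 1000  # assumed threshold, loosely "a few thousand packets per second"

# Constructed sample: documentation-range sources, masked destination.
SAMPLE = """\
Wed, 2008-02-13 22:47:34 - UDP Packet - Source:192.0.2.10,60011 Destination*****,15041 - [DOS]
Wed, 2008-02-13 22:47:34 - UDP Packet - Source:198.51.100.7,34915 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:47:41 - UDP Packet - Source:203.0.113.5,35798 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:48:23 - TCP Packet - Source:192.0.2.44,45687 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:48:26 - TCP Packet - Source:192.0.2.44,45687 Destination:*****,15041 - [DOS]
Wed, 2008-02-13 22:49:55 - UDP Packet - Source:198.51.100.90,38604 Destination:*****,15041 - [DOS]
"""


def summarize(text):
    """Return rate and spread figures for the [DOS] lines in a router log."""
    rows = [m.groups() for m in (LINE.match(l.strip()) for l in text.splitlines()) if m]
    if not rows:
        return None
    times = [datetime.strptime(r[0], "%Y-%m-%d %H:%M:%S") for r in rows]
    span = (max(times) - min(times)).total_seconds()
    return {
        "packets": len(rows),
        "span_s": span,
        "avg_pps": len(rows) / max(span, 1.0),      # guard against a zero-length window
        "peak_pps": max(Counter(times).values()),   # busiest single second
        "sources": len({r[2] for r in rows}),
        "dst_ports": sorted({int(r[5]) for r in rows}),
    }


def looks_like_flood(summary, threshold=FLOOD_PPS):
    """True only when the busiest second reaches the assumed flood threshold."""
    return summary is not None and summary["peak_pps"] >= threshold


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s, "flood:", looks_like_flood(s))
```

Many sources hitting a single destination port at a fraction of a packet per second is the pattern the replies attribute to background noise or stale peer connections, not a flood.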
 
It's just one of the many port scanners that are out there.

If you look it's almost a different port every time.

As said above, only way to stop these is not to use the internet. Just make sure you set yourself up properly and don't worry too much :)
 
I would be more concerned if the log was empty. The ports are randomised above the standard range. It does look like a P2P tracker though, your client isn't on port 15041 is it?
 
I don't have any P2P clients installed, at all.

I don't seem to be getting as many at the moment anymore. I have been having to restart my router a lot at the moment, also it is running a bit slow.

But if it's random port scans I'm not too worried.
 
There is a chance that your IP is still active on the tracker, these random incoming connections are simply clients trying to connect.
 
What make is your router, and what type of connection do you have?

I've found Linksys routers never quit..
 
Netgear, the one that came with Sky. Would like to use my Belkin one, as I think it's better, but I believe this is next to impossible... maybe not impossible, I just don't know how.
 