Omega Owners Forum
Chat Area => General Discussion Area => Topic started by: Gaffers on 22 February 2010, 20:44:56
-
Hi gents, one for the IT experts. Log from the router:
INF 2010-02-22T18:40:53Z fw,fwmon src=58.185.12.116 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
INF 2010-02-22T18:40:53Z fw,fwmon src=66.216.1.98 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=1 ICMP Dest Unreachable, session terminated
INF 2010-02-22T18:40:53Z fw,fwmon src=86.16.47.137 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=1 ICMP Dest Unreachable, session terminated
INF 2010-02-22T18:40:53Z Previous log entry repeated 1 times
INF 2010-02-22T18:40:54Z fw,fwmon src=66.216.1.98 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=1 ICMP Dest Unreachable, session terminated
INF 2010-02-22T18:40:54Z fw,fwmon src=98.212.30.30 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=13 ICMP Dest Unreachable, session terminated
INF 2010-02-22T18:40:55Z fw,fwmon src=86.151.251.247 dst=86.155.207.183 ipprot=6 sport=49799 dport=80 Unknown inbound session stopped
INF 2010-02-22T18:40:57Z fw,fwmon src=58.185.12.116 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
INF 2010-02-22T18:40:58Z fw,fwmon src=66.216.1.98 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=1 ICMP Dest Unreachable, session terminated
Reset the IP address earlier as I found the c#@t culprit using torrents and explained what was happening and why the connection was dropping. Was a port scan looking for an open port to his computer but now it seems to be looking for some unexplained IP address... Hence why I think it may be DoS.
The connection is awful and it keeps forcing the modem to reboot and dropping the connection. Any ideas?
-
does your firewall have a command respond to ping?
and is it turned off?
failing that respond with a ping attack back ;D
-
does your firewall have a command respond to ping?
and is it turned off?
failing that respond with a ping attack back ;D
Nope, I think that in modern routers they only accept pings from inside the network, not from exterior by default... this 'session' hit may be a way around it. If it is a DoS it is having the desired effect :'(
Misuse of IT is illegal plomein :D :D :D :y
-
does your firewall have a command respond to ping?
and is it turned off?
failing that respond with a ping attack back ;D
A Pingon attack? I love star trek :y
-
does your firewall have a command respond to ping?
and is it turned off?
failing that respond with a ping attack back ;D
A Pingon attack? I love star trek :y
I now have images of Steve in a Spock costume saying "eh eh eh, live long and rather prosper you git!" ;D ;D ;D
-
I checked from
http://ws.arin.net/whois/
very different places..
and if you don't own a server for a bank or a web service provider attacks are meaningless.. :-/
imho it may be a virus in those places which gets your ip from the places you visit.. :-/
-
I checked from
http://ws.arin.net/whois/
very different places..
and if you don't own a server for a bank or a web service provider attacks are meaningless.. :-/
imho it may be a virus in those places which gets your ip from the places you visit.. :-/
I'm thinking that too but there are 20+ computers on this net... can't be arsed to go through each one and find out who's been downloading dodgy porn :(
-
I checked from
http://ws.arin.net/whois/
very different places..
and if you don't own a server for a bank or a web service provider attacks are meaningless.. :-/
imho it may be a virus in those places which gets your ip from the places you visit.. :-/
I'm thinking that too but there are 20+ computers on this net... can't be arsed to go through each one and find out who's been downloading dodgy porn :(
;D don't search for another reason :y
-
actually if one of the pcs got worm or virus it may be bombarding your local net :-/
try a net sniffer :y
-
does your firewall have a command respond to ping?
and is it turned off?
failing that respond with a ping attack back ;D
A Pingon attack? I love star trek :y
I now have images of Steve in a Spock costume saying "eh eh eh, live long and rather prosper you git!" ;D ;D ;D
;D ;D ;D ;D ;D ;D ;D ;D
Did you have to put that image in my head :o :o ;D ;D
-
actually if one of the pcs got worm or virus it may be bombarding your local net :-/
try a net sniffer :y
Fishnet or hairnet ? ;D ;D ;D ;D ;D ;D ;) :y
-
actually if one of the pcs got worm or virus it may be bombarding your local net :-/
try a net sniffer :y
Fishnet or hairnet ? ;D ;D ;D ;D ;D ;D ;) :y
erm.. not sure, which ;D ;D :y :y
-
Hmmm, wise to have ICMP type 3 open (o/g. i/c as well if you have services behind it).
The logs in question don't look too bad - I wouldn't be overly concerned, and doubt they are cause of your issue. If I posted my f/w logs, you'd have a heart attack ;).
Also, looks suspiciously like a crappy netgear?
-
Hmmm, wise to have ICMP type 3 open (o/g. i/c as well if you have services behind it).
The logs in question don't look too bad - I wouldn't be overly concerned, and doubt they are cause of your issue. If I posted my f/w logs, you'd have a heart attack ;).
Also, looks suspiciously like a crappy netgear?
Might be, it's a BT Business Hub (not my choice)
The crappy thing keeps falling over especially when more than say a dozen are connected to any one of the 3 WLANs it manages. Firmware then?
Getting mighty peeved, it took an hour to reboot yesterday evening and as the only one on the course who has any experience in IT (which is ironic due to the nature of the course) I get all the responsibility of getting it sorted :-/
-
Incoming ICMP type 3s might indicate that a machine on the network is poking around trying to find open ports perhaps?
Maybe you've got a machine that's infected and generating enough outgoing sessions that the router's NAT table is filling up?
Can you look at the NAT entries on the router?
Failing that, put a machine running wireshark or similar on the same segment as the router and watch what's coming and going?
Kevin
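Added example, not part of the original thread: a small Python tally of the router log from the first post, grouping inbound ICMP type 3 messages by sender and code as a first step in checking the suggestion above. The code names come from RFC 792 and RFC 1812; the function names and the assumed log layout (inferred from the nine posted lines) are additions here.

```python
import re
from collections import Counter

# ICMP type 3 (Destination Unreachable) codes from RFC 792 / RFC 1812.
CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
         3: "port unreachable", 13: "administratively prohibited"}

# Log lines copied from the first post of the thread.
SAMPLE = """\
INF 2010-02-22T18:40:53Z fw,fwmon src=58.185.12.116 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
INF 2010-02-22T18:40:53Z fw,fwmon src=66.216.1.98 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=1 ICMP Dest Unreachable, session terminated
INF 2010-02-22T18:40:53Z fw,fwmon src=86.16.47.137 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=1 ICMP Dest Unreachable, session terminated
INF 2010-02-22T18:40:53Z Previous log entry repeated 1 times
INF 2010-02-22T18:40:54Z fw,fwmon src=66.216.1.98 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=1 ICMP Dest Unreachable, session terminated
INF 2010-02-22T18:40:54Z fw,fwmon src=98.212.30.30 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=13 ICMP Dest Unreachable, session terminated
INF 2010-02-22T18:40:55Z fw,fwmon src=86.151.251.247 dst=86.155.207.183 ipprot=6 sport=49799 dport=80 Unknown inbound session stopped
INF 2010-02-22T18:40:57Z fw,fwmon src=58.185.12.116 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
INF 2010-02-22T18:40:58Z fw,fwmon src=66.216.1.98 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=1 ICMP Dest Unreachable, session terminated
"""

KV = re.compile(r"(\w+)=(\S+)")
REPEAT = re.compile(r"Previous log entry repeated (\d+) times")

def summarize(log_text):
    """Count inbound ICMP type 3 messages per (source, code)."""
    counts, last = Counter(), None
    for line in log_text.splitlines():
        rep = REPEAT.search(line)
        if rep:  # router collapsed duplicates of the preceding entry
            if last:
                counts[last] += int(rep.group(1))
            continue
        f = dict(KV.findall(line))
        last = None  # a repeat marker after a non-ICMP line is not counted
        if f.get("ipprot") == "1" and f.get("icmp_type") == "3" and "icmp_code" in f:
            last = (f.get("src", "?"), int(f["icmp_code"]))
            counts[last] += 1
    return counts

def report(counts):
    """One line per (source, code), most frequent first."""
    return [f"{n:3d}  {src:<15} code {code}: {CODES.get(code, 'other')}"
            for (src, code), n in counts.most_common()]

if __name__ == "__main__":
    c = summarize(SAMPLE)
    print("\n".join(report(c)))
    print("distinct remote senders:", len({src for src, _ in c}))
```

Several unrelated senders each returning host, port or administratively-prohibited unreachables to the WAN address is consistent with those being replies to traffic that left the network, which is why the next step is the NAT table or a capture on the LAN side.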
-
Incoming ICMP type 3s might indicate that a machine on the network is poking around trying to find open ports perhaps?
Maybe you've got a machine that's infected and generating enough outgoing sessions that the router's NAT table is filling up?
Can you look at the NAT entries on the router?
Failing that, put a machine running wireshark or similar on the same segment as the router and watch what's coming and going?
Kevin
This is where my train of thought lies but being fairly inexperienced in this I am not sure. I have downloaded and tried wireshark, nice tool! I shall run it again tonight when the internet is having difficulty. I have no control over the other computers and I don't have access to them all.
The weird thing is that when there is an outage I still get Skype access (although v poor) and I sometimes get access to OOF yet nothing else...
-
Bear in mind that if the router is also a switch you won't see all the traffic on a single port as the switch will learn what machines are on what segments and route the traffic accordingly. In fact you'll see very little other than broadcast traffic. I find the best thing to do is to get an old hub (not a switch) and place it between the router and the rest of the network, WLAN routers, etc. By connecting a machine to that hub and running wireshark you will see everything that goes out or in.
The fact that some connections work normally does make me wonder if it's a logical problem within the router (i.e. NAT table full, not accepting new connections) rather than the link being maxed out.
You can also try running wireshark on your local machine and see what the symptoms are when you are getting poor connections. Are you getting "unreachable" responses, are packets getting dropped or is throughput just slow, etc?
I find wireshark is a good educational tool. You can read books about how networks work but there's nothing like seeing it in real time. :y
Kevin
-
Ok interesting findings.
Just spent 15 mins trying to get online and couldn't, every time I tried to get onto a website it failed even though I was connected. Looking through the wireshark logs it seems the router is performing a "Source Quench (flow Control)" on the requests from my computer (don't know about the others as I am not seeing all their data).
And then as if by magic the ping gets through and it all starts working. There is obviously something going on with the router, I think a call to customer services Mumbai is on the cards :y
-
Sounds like a resources issue in the router. Maybe it's out of NAT table entries or a misbehaving host on the network has flooded it with cr@p and filled its buffers.
Either that or it's leaked all its memory and needs a reboot. ::)
Kevin
-
Sounds like a resources issue in the router. Maybe it's out of NAT table entries or a misbehaving host on the network has flooded it with cr@p and filled its buffers.
Either that or it's leaked all its memory and needs a reboot. ::)
Kevin
It reboots regularly, automatically or manually I don't know as I am not guarding over it. When it does reboot it takes as long as an hour to sort itself out....
-
It reboots regularly, automatically or manually I don't know as I am not guarding over it. When it does reboot it takes as long as an hour to sort itself out....
:o
-
It reboots regularly, automatically or manually I don't know as I am not guarding over it. When it does reboot it takes as long as an hour to sort itself out....
:o
Sounds like there is an internal setup issue or time for a new modem/router.
-
Right, thanks to KW I think I found the issue or at least a workaround.
Looks like the DHCP or the NAT memory is fubarred like Kevin said. I manually entered my TCP/IP details and boom! Everything worked! To check it wasn't a fluke I went to another computer that wasn't working and did the same thing, with positive result!
Cheers to all that contributed :y
-
Good result. :y