Topic: DoS Attack? (Read 1962 times)

Gaffers · « **on:** 22 February 2010, 20:44:56 »

Hi gents, one for the IT experts. Log from the router:

INF    2010-02-22T18:40:53Z    fw,fwmon    src=58.185.12.116 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
INF    2010-02-22T18:40:53Z    fw,fwmon    src=66.216.1.98 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=1 ICMP Dest Unreachable, session terminated
INF    2010-02-22T18:40:53Z    fw,fwmon    src=86.16.47.137 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=1 ICMP Dest Unreachable, session terminated
INF    2010-02-22T18:40:53Z    Previous log entry repeated 1 times
INF    2010-02-22T18:40:54Z    fw,fwmon    src=66.216.1.98 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=1 ICMP Dest Unreachable, session terminated
INF    2010-02-22T18:40:54Z    fw,fwmon    src=98.212.30.30 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=13 ICMP Dest Unreachable, session terminated
INF    2010-02-22T18:40:55Z    fw,fwmon    src=86.151.251.247 dst=86.155.207.183 ipprot=6 sport=49799 dport=80 Unknown inbound session stopped
INF    2010-02-22T18:40:57Z    fw,fwmon    src=58.185.12.116 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
INF    2010-02-22T18:40:58Z    fw,fwmon    src=66.216.1.98 dst=86.155.207.183 ipprot=1 icmp_type=3 icmp_code=1 ICMP Dest Unreachable, session terminated

reset the ip address earlier as I found the ~~c#@t~~ culprit using torrents and explained what was happening and why the connection was dropping. Was a port scan looking for an open port to his computer but now it seems to be looking for some unexplained ip address... Hence why I think it ay be DoS.

The connection is awful and it keeps forcing the modem to reboot and dropping the connection. Any ideas?

Plomien · « **Reply #1 on:** 22 February 2010, 20:50:48 »

does your firewall have a command respond to ping?
and is it turned off?
failing that respond with a ping attack back

Gaffers · « **Reply #2 on:** 22 February 2010, 20:52:47 »

Quote

does your firewall have a command respond to ping?
and is it turned off?
failing that respond with a ping attack back

Nope I think that in modern routers they only accept pings from inside the network not from exterior by default....this 'session' hit maybe a way around it. If it is a DoS it is having the desired effect

Misuse of IT is illegal plomein

STMO999 · « **Reply #3 on:** 22 February 2010, 20:55:45 »

Quote

does your firewall have a command respond to ping?
and is it turned off?
failing that respond with a ping attack back

A Pingon attack? I love star trek

Gaffers · « **Reply #4 on:** 22 February 2010, 20:58:37 »

Quote

Quote
does your firewall have a command respond to ping?
and is it turned off?
failing that respond with a ping attack back

A Pingon attack? I love star trek

I now have images of Steve in a Spok costume saying "eh eh eh, live long and rather prosper you git!"

cem_devecioglu · « **Reply #5 on:** 22 February 2010, 20:59:44 »

I checked from
http://ws.arin.net/whois/

very different places..

and if you dont own a server for a bank or a web service provider attacks are meaningless.. :-/

imho it may be a virus in those places which gets your ip from the places you visit.. :-/

Gaffers · « **Reply #6 on:** 22 February 2010, 21:02:09 »

Quote

I checked from
http://ws.arin.net/whois/

very different places..

and if you dont own a server for a bank or a web service provider attacks are meaningless.. :-/

imho it may be a virus in those places which gets your ip from the places you visit.. :-/

Im thinking that too but there are 20+ computers on this net...cant be arsed to go through each one and find out who's been downloading dodgy porn

cem_devecioglu · « **Reply #7 on:** 22 February 2010, 21:11:54 »

Quote

Quote
I checked from
http://ws.arin.net/whois/

very different places..

and if you dont own a server for a bank or a web service provider attacks are meaningless.. :-/

imho it may be a virus in those places which gets your ip from the places you visit.. :-/

Im thinking that too but there are 20+ computers on this net...cant be arsed to go through each one and find out who's been downloading dodgy porn

dont search for another reason

cem_devecioglu · « **Reply #8 on:** 22 February 2010, 21:13:33 »

actually if one of the pcs got worm or virus it may be bombarding your local net :-/

try a net sniffer

Lazydocker · « **Reply #9 on:** 22 February 2010, 21:30:36 »

Quote

Quote
Quote
does your firewall have a command respond to ping?
and is it turned off?
failing that respond with a ping attack back

A Pingon attack? I love star trek

I now have images of Steve in a Spok costume saying "eh eh eh, live long and rather prosper you git!"

Did you have to put that image in my head

PhilRich · « **Reply #10 on:** 22 February 2010, 21:37:31 »

Quote

actually if one of the pcs got worm or virus it may be bombarding your local net :-/

try a net sniffer

Fishnet or hairnet ?

cem_devecioglu · « **Reply #11 on:** 22 February 2010, 21:40:07 »

Quote

Quote
actually if one of the pcs got worm or virus it may be bombarding your local net :-/

try a net sniffer

Fishnet or hairnet ?

erm.. not sure, which

TheBoy · « **Reply #12 on:** 23 February 2010, 18:59:41 »

Hmmm, wise to have ICMP type 3 open (o/g. i/c as well if you have services behind it).

The logs in question dont look too bad - I wouldn't be overly concerend, and doubt they are cause of your issue. If I posted my f/w logs, you'd have a heart attack

.

Also, looks suspiciously like a crappy netgear?

Gaffers · « **Reply #13 on:** 23 February 2010, 22:27:24 »

Quote

Hmmm, wise to have ICMP type 3 open (o/g. i/c as well if you have services behind it).

The logs in question dont look too bad - I wouldn't be overly concerend, and doubt they are cause of your issue. If I posted my f/w logs, you'd have a heart attack .

Also, looks suspiciously like a crappy netgear?

Might be, its a BT Business Hub (not my choice)

The crappy thing keeps falling over especially when more than say a dozen are connected to anyone of the 3 WLANs it manages. Firmware then?

Getting mighty peeved, it took an hour to reboot yesterday evening and as the only one on the course who has any experience in IT (which is ironic due to the nature of the course) I get all the responsability of getting it sorted :-/

Kevin Wood · « **Reply #14 on:** 24 February 2010, 10:08:35 »

Incoming ICMP type 3s might indicate that a machine on the network is poking around trying to find open ports perhaps?

Maybe you've got a machine that's infected and generating enough outgoing sessions that the router's NAT table is filling up?

Can you look at the NAT entries on the router?

Failing that, put a machine running wireshark or similar on the same segment as the router and watch what's coming and going?

Kevin

News:

Author Topic: DoS Attack? (Read 1962 times)

Gaffers

DoS Attack?

Plomien

Re: DoS Attack?

Gaffers

Re: DoS Attack?

STMO999

Re: DoS Attack?

Gaffers

Re: DoS Attack?

cem_devecioglu

Re: DoS Attack?

Gaffers

Re: DoS Attack?

cem_devecioglu

Re: DoS Attack?

cem_devecioglu

Re: DoS Attack?

Lazydocker

Re: DoS Attack?

PhilRich

Re: DoS Attack?

cem_devecioglu

Re: DoS Attack?

TheBoy

Re: DoS Attack?

Gaffers

Re: DoS Attack?

Kevin Wood

Re: DoS Attack?