DOS Attack?

Started by zappaDPJ, Sep 04, 2009, 12:05:12


zappaDPJ

My router informs me I'm receiving daily DOS attacks.

[DOS Attack] : 3 [FIN Scan] packets detected in last 20 seconds, source ip [209.85.227.99]
Wednesday, Sep 02,2009 00:54:04
[DOS Attack] : 1 [ACK Scan] packets detected in last 20 seconds, source ip [207.241.148.80]
Wednesday, Sep 02,2009 00:51:04

Most (but not all) of the IPs resolve to Google. Can anyone shed any light on what might be going on?
zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Rik

You need So, Zap. Hopefully he'll be along shortly. Were you on a website that uses Google Analytics at the time, do you know?
Rik
--------------------

zappaDPJ

That I'm not 100% sure about but at the time of the two log entries listed above I was watching something on BBC iPlayer.
zap
--------------------

Rik

They may well do. Visit the IDNet site and see if you get the alert there.
Rik
--------------------

somanyholes

Hi

The two IPs mentioned above belong to different locations / networks:

209.85.227.99 is wy-in-f99.google.com.
207.241.148.80 is gcny.about.com.

I wouldn't say these are DoS attacks at all. The log from this one is quite unclear tbh.

If this were a DoS attack, the chances are that you would be seeing more than one or two packets. DoS attacks generally involve large amounts of traffic / connections.
It also lists it as a scan, but doesn't list port numbers, which is a bit of a pain.

Could do with more data than is contained in the logs tbh; some routers provide more info than others. If you provide a larger amount of data it might make things a bit clearer, but we are still going to be limited ... This is probably your router reporting things incorrectly tbh. It doesn't seem to know if it's a scan (as in something trying to map your network) or a denial of service (DoS), which would try to deny you service. Does your router support syslog to an internal host?

I should add that the chances of this actually being a DoS attack, from the data provided, are pretty much 0.

Rik

Rik
--------------------

somanyholes

Also, if you're not sure whether you have been visiting the locations in the logs (i.e. browsing to them), turn off all boxes bar one on your network. Install this http://networkminer.sourceforge.net/ and start sniffing your data. You will then be able to compare the data from your router logs to the data in the capture file the sniffer will provide. You could also play with something like Wireshark; however, NetworkMiner is generally easier to use, more fun, and much easier on the eye of someone not particularly familiar with TCP/IP.

The screenie on the page above gives a good idea of what it's capable of.
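As an added illustration of the two points above (a handful of packets per 20-second window is nowhere near flood volume, and the router's entries only mean something once you can line them up against what the PC was actually talking to), the Python below is example code written for this thread; it is not from the thread, from Netgear or from NetworkMiner. It parses entries in the format zap quoted, turns the count-per-window figures into a packet rate per source, and then checks each source against the set of remote addresses a capture on the single remaining PC showed it connecting to. The two entries from the thread are reused, but the 198.51.100.7 entries, the captured-peer set and the 25 packets-per-second flood threshold are all constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: the two entries quoted in the thread plus two invented
# high-volume entries from a documentation-range address (198.51.100.7).
SAMPLE_LOG = """\
[DOS Attack] : 3 [FIN Scan] packets detected in last 20 seconds, source ip [209.85.227.99]
Wednesday, Sep 02,2009 00:54:04
[DOS Attack] : 1 [ACK Scan] packets detected in last 20 seconds, source ip [207.241.148.80]
Wednesday, Sep 02,2009 00:51:04
[DOS Attack] : 540 [SYN Flood] packets detected in last 20 seconds, source ip [198.51.100.7]
Wednesday, Sep 02,2009 01:10:04
[DOS Attack] : 610 [SYN Flood] packets detected in last 20 seconds, source ip [198.51.100.7]
Wednesday, Sep 02,2009 01:10:24
"""

# Constructed stand-in for what a sniffer capture (NetworkMiner / Wireshark) on the
# one remaining PC would list: remote addresses the PC itself opened connections to.
CAPTURED_PEER_IPS = {"209.85.227.99"}

# One log entry is a pair of lines: the event line, then a timestamp line.
EVENT_RE = re.compile(
    r"\[DOS Attack\] : (?P<count>\d+) \[(?P<kind>[^\]]+)\] packets detected "
    r"in last (?P<window>\d+) seconds, source ip \[(?P<ip>[\d.]+)\]"
)
TIMESTAMP_FMT = "%A, %b %d,%Y %H:%M:%S"  # matches "Wednesday, Sep 02,2009 00:54:04"


@dataclass
class Event:
    when: datetime
    ip: str
    kind: str
    packets: int
    window_s: int

    @property
    def pps(self) -> float:
        """Packets per second over the router's reporting window."""
        return self.packets / self.window_s


def parse_router_log(text: str) -> list:
    """Parse event/timestamp line pairs; anything that does not match is skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events, i = [], 0
    while i < len(lines):
        m = EVENT_RE.search(lines[i])
        if m and i + 1 < len(lines):
            try:
                when = datetime.strptime(lines[i + 1], TIMESTAMP_FMT)
            except ValueError:  # event line without a usable timestamp after it
                i += 1
                continue
            events.append(Event(when, m["ip"], m["kind"], int(m["count"]), int(m["window"])))
            i += 2
        else:
            i += 1
    return events


def summarize(events: list) -> dict:
    """Aggregate per source IP: event count, total packets, peak rate, scan kinds seen."""
    per_ip = defaultdict(lambda: {"events": 0, "packets": 0, "peak_pps": 0.0, "kinds": set()})
    for e in events:
        s = per_ip[e.ip]
        s["events"] += 1
        s["packets"] += e.packets
        s["peak_pps"] = max(s["peak_pps"], e.pps)
        s["kinds"].add(e.kind)
    return dict(per_ip)


def classify(summary: dict, captured_peer_ips: set, flood_pps: float = 25.0) -> dict:
    """Verdict per source: 'flood' if the peak rate is flood-like (threshold is an
    arbitrary assumption), 'stray-from-visited-host' if low-volume and the capture
    shows the PC talked to that host anyway, otherwise 'inconclusive'."""
    verdicts = {}
    for ip, s in summary.items():
        if s["peak_pps"] >= flood_pps:
            verdicts[ip] = "flood"
        elif ip in captured_peer_ips:
            verdicts[ip] = "stray-from-visited-host"
        else:
            verdicts[ip] = "inconclusive"
    return verdicts


if __name__ == "__main__":
    summary = summarize(parse_router_log(SAMPLE_LOG))
    for ip, verdict in classify(summary, CAPTURED_PEER_IPS).items():
        s = summary[ip]
        print(f"{ip:16} {s['packets']:5d} pkts over {s['events']} entries, "
              f"peak {s['peak_pps']:.2f} pps, {sorted(s['kinds'])} -> {verdict}")
```

Run against the sample, the two thread entries come out at 0.15 and 0.05 packets per second, which is why a verdict of "not a DoS" follows from the numbers alone, while only the constructed 198.51.100.7 entries cross the flood threshold. The "inconclusive" bucket is the case So describes: low volume, no port numbers, and no capture evidence either way, so the right move is more data (syslog to an internal host, or a capture on the one PC left on) rather than a conclusion.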

zappaDPJ

Thanks So  :karmic:

You've confirmed my gut feeling. I thought it unlikely Google or about.com would be doing anything untoward. It's just odd that the IPs always fall within their range. The only other information that I can give at this time is that these log entries don't appear to correlate with my activity on the PC. The last entry recorded happened this morning while I was out and the PC was sitting at the desktop with no browser or application open.

I'm not sure if my router (which is a Netgear DG834Gv5) supports syslog but I will look into it.

Thanks again  :thumb:

PS Just read your last post, I'll try that out. Your advice is much appreciated :)
zap
--------------------

esh

The last time I saw something vaguely close to a DoS attack was when NTL cable's network decided to repeatedly broadcast ARPs for everyone every few seconds. It peaked out at 15 ARPs per second, which was silly, but certainly manageable.

I have noticed here we get brute force attacks from *.internetserviceteam.com for *hours* on end, usually port 22 (ssh), but it then moves on to SQL and HTTP administration ports. These are usually 3-4 hour stints. Apparently it's a known bot domain though.
CompuServe 28.8k/33.6k 1994-1998, BT 56k 1998-2001, NTL Cable 512k 2001-2004, 2x F2S 1M 2004-2008, IDNet 8M 2008 - LLU 11M 2011