DoS attack security logs

Started by mankatron2009, Feb 22, 2010, 12:30:06


mankatron2009

Hi all,

Since logging online this morning, my router has gone bonkers sending an almost constant flood of emails alerting me to DoS attacks. I get these alerts infrequently but I've had 50+ email alerts in under an hour, from a number of different IP addresses.

For instance:

TCP Packet - Source:69.48.39.178,63517 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:69.114.51.117,43547 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:213.89.194.28,40744 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:71.10.224.82,52147 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:82.171.56.210,18899 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:72.231.166.180,35945 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:70.69.57.0,60406 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:82.139.115.10,3675 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:68.198.155.96,54232 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:69.48.39.178,63517 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:85.24.222.173,40728 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:24.131.215.182,63179 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:212.117.169.36,33942 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:66.90.77.250,48801 Destination:**.**.***.***,50889 - [DOS]
TCP Packet - Source:24.6.141.24,35535 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:85.24.222.173,40728 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:24.131.215.182,63179 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:71.10.224.82,52147 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:98.151.246.202,54897 Destination:**.**.***.***,50846 - [DOS]

I've run the Norton online scan a couple of times and it shows everything as safe.

Any help greatly appreciated, thanks :)
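
An added example, not part of the original post: a small Python parser for alert lines in the format quoted above, tallying the flagged packets by destination port and source so the spread of a burst is easy to see. The sample lines are constructed (documentation-range addresses), and the function names are this example's own.

```python
import re
from collections import Counter

# Alert format as quoted in the post; the destination may be masked with '*'.
LINE_RE = re.compile(
    r"^(?P<proto>\w+) Packet - Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.*]+),(?P<dport>\d+) - \[(?P<tag>[^\]]+)\]$"
)

# Constructed sample (documentation-range addresses), not real alert data.
SAMPLE = """\
TCP Packet - Source:192.0.2.10,63517 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:198.51.100.7,43547 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:203.0.113.44,40744 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:192.0.2.10,63517 Destination:**.**.***.***,34382 - [DOS]
TCP Packet - Source:198.51.100.99,48801 Destination:**.**.***.***,50889 - [DOS]
(truncated alert line)
"""

def parse_alerts(text):
    """Return (records, unparsed_lines) for a block of router alert text."""
    records, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # kept, so malformed lines are not lost
            continue
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records, unparsed

def summarise(records):
    """Count flagged packets per destination port and per source."""
    # The same (source, source port, destination port) seen twice is one
    # flow logged again, not an additional source.
    flows = Counter((r["src"], r["sport"], r["dport"]) for r in records)
    return {
        "total": len(records),
        "unique_sources": len({r["src"] for r in records}),
        "dest_ports": Counter(r["dport"] for r in records).most_common(),
        "repeated_flows": sorted(f for f, n in flows.items() if n > 1),
    }

if __name__ == "__main__":
    records, unparsed = parse_alerts(SAMPLE)
    print(summarise(records), unparsed)
```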

Rik

Your router firewall is just doing its job, there's nothing to worry about (though I'd turn off the email alerts ;)).
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

mankatron2009

I thought as much, cheers. The sheer volume of 'em made me a bit paranoid!


Rik

It happens from time to time. Is your router 'stealthed', i.e. set not to respond to ICMP traffic? That helps in time.
Rik

mankatron2009

No, I don't think it is - I had a look for the setting and couldn't find it, though I may be looking for the wrong thing. I'm on a DG834G.

Rik

It's so long since I looked at a Netgear that I can't remember whether it has the option and, if it does, where it is. Sorry. :(
Rik

Gary

My DGND3300 has a setting to not respond to ICMP traffic, but my firewall on this router has some more advanced features. I'll have a quick look in my router and find out where it is so mankatron2009 can see if he has the same section.
Damned, if you do damned if you don't

JB

I run a Linux server so that I can access my home system when abroad. The number of (apparently) automated failed attempts to get into the system (as shown in the auth log) is incredible.
JB

'Keyboard not detected ~ Press F1 to continue'

Rik

Quote from: Gary on Feb 22, 2010, 13:01:55
My DGND3300 has a setting to not respond to ICMP traffic, but my Firewall on this router has some more advanced features. I'll have a quick look in my router and find out where it is so mankatron2009 can see if he has the same section

Thanks, Gary.
Rik

Gary

The DG834 has inbuilt firewall rules to not respond, Rik. I have Denial-of-service (DoS) attack prevention as well, but the DG834G is set to not respond and is fully stealthed from what I can tell. Shields Up should show that it does not respond as well. I had a similar router many years ago and it was fully stealthed when tested.
Damned, if you do damned if you don't


mankatron2009

Thanks all.

Whilst I'm here, can I just mention how much I love IDNet as an ISP? After bad experiences with Nildram and a horrific nightmare with O2 - who still persist in giving me a headache six months since I left - I have had no issues with IDNet at all and am lucky to get such good speeds out here in the sticks.

Three cheers for IDNet!  :thumb:

Baz

I have a GD834PN and had the same paranoia  ;D ;D  With help from Rik I found the setting you are looking for, maybe: it is in the 'Advanced' section, then 'WAN Set up', and in there is a tick box for 'Respond To Ping On Internet Port'. Is that the one, Rik? Mine is unticked.

HTH
