Standard User Discord
(member) Thu 14-Feb-13 20:43:23

Router DOS attacks

Should I be concerned?
Sample of DoS attacks in router log.

Don't remember seeing any in the past.

[DoS Attack: ACK Scan] from source: 188.121.36.176, port 80, Friday, February 08, 2013 18:59:27
[DoS Attack: ACK Scan] from source: 84.93.229.131, port 11000, Thursday, February 07, 2013 20:32:55
[DoS Attack: ACK Scan] from source: 84.93.229.133, port 11000, Monday, February 11, 2013 20:50:42
[DoS Attack: ACK Scan] from source: 84.93.229.135, port 11000, Saturday, February 09, 2013 10:10:57
[DoS Attack: ACK Scan] from source: 84.93.229.135, port 11000, Thursday, February 07, 2013 20:49:59
[DoS Attack: ACK Scan] from source: 84.93.229.135, port 11000, Thursday, February 14, 2013 19:04:48
[DoS Attack: ACK Scan] from source: 84.93.229.135, port 11000, Tuesday, February 12, 2013 10:06:14
[DoS Attack: ACK Scan] from source: 84.93.229.135, port 11000, Tuesday, February 12, 2013 12:24:04
[DoS Attack: ACK Scan] from source: 84.93.229.227, port 11000, Sunday, February 10, 2013 17:07:40
[DoS Attack: ACK Scan] from source: 84.93.229.227, port 11000, Sunday, February 10, 2013 21:03:51
[DoS Attack: ACK Scan] from source: 84.93.229.227, port 11000, Thursday, February 14, 2013 19:04:48
[DoS Attack: ACK Scan] from source: 84.93.229.227, port 11000, Tuesday, February 12, 2013 10:50:23
[DoS Attack: ACK Scan] from source: 84.93.229.227, port 11000, Tuesday, February 12, 2013 21:04:39
[DoS Attack: ACK Scan] from source: 84.93.229.229, port 11000, Tuesday, February 12, 2013 11:03:31
[DoS Attack: ACK Scan] from source: 84.93.229.67, port 11000, Monday, February 11, 2013 20:50:41
[DoS Attack: ACK Scan] from source: 84.93.229.67, port 11000, Saturday, February 09, 2013 09:59:45
[DoS Attack: ACK Scan] from source: 84.93.229.67, port 11000, Thursday, February 07, 2013 22:39:18
[DoS Attack: ACK Scan] from source: 84.93.229.67, port 11000, Tuesday, February 12, 2013 09:42:30
[DoS Attack: ACK Scan] from source: 84.93.229.67, port 11000, Tuesday, February 12, 2013 11:24:03
[DoS Attack: ACK Scan] from source: 87.248.210.254, port 80, Sunday, February 10, 2013 10:12:01
[DoS Attack: ACK Scan] from source: 92.122.123.199, port 1935, Sunday, February 10, 2013 10:25:34
[DoS Attack: ACK Scan] from source: 92.122.123.199, port 80, Monday, February 11, 2013 07:52:07
[DoS Attack: ACK Scan] from source: 94.236.85.114, port 80, Sunday, February 10, 2013 13:07:55
[DoS Attack: RST Scan] from source: 188.121.36.177, port 80, Saturday, February 09, 2013 07:55:21
Standard User XRaySpeX
(eat-sleep-adslguide) Thu 14-Feb-13 20:59:46

Re: Router DOS attacks
[re: Discord]

Are you with Plusnet? Most of those come from them. Maybe they are trying to admin a PN router when you are not using one.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
Standard User Discord
(member) Thu 14-Feb-13 22:34:54

Re: Router DOS attacks
[re: XRaySpeX]

Hmm, not sure I understand that. But yes, I'm with Plusnet. Looking at other IPs, some seem to come from Ask Toolbar (I don't have one - perhaps my daughter's laptop?) and Go Daddy Netherlands - which I think is a web hosting company.

So they are perhaps not malicious. Just surprised me.

Reason I looked was I noticed that while playing World of Tanks recently I would get disconnected fairly frequently, but perhaps these 'attacks' are not the reason.

Thanks

Moderator billford
(moderator) Thu 14-Feb-13 22:48:17

Re: Router DOS attacks
[re: Discord]

The port numbers might mean something.

Port 80 is usually an http request, but not always.

Port 1935 seems to be Flash-related.

Port 11000 is mainly gaming, but a couple of doubtful entries.

Almost certainly nothing to worry about, it's when they turn up in hundreds every second that some concern is indicated :P

Bill
bill@thinkbroadband.com | Planes and Boats and ... | BQMs: IPv4 IPv6
The author of the above post is a thinkbroadband moderator but it does not constitute an official statement on behalf of thinkbroadband.
Standard User Discord
(member) Thu 14-Feb-13 23:33:00

Re: Router DOS attacks
[re: billford]

ok, cheers. I'll keep an eye on it.
Standard User XRaySpeX
(eat-sleep-adslguide) Thu 14-Feb-13 23:46:36

Re: Router DOS attacks
[re: Discord]

I mean that some ISPs administer or configure their own routers from afar, but if you happened not to be using their router at the time of such attempts then they would not be recognised by the "foreign" router and might be interpreted as a DoS attack.

I don't know if PN does such things but, you must admit, it's rather a coincidence that you are with PN and most of those attempts were from a PN IP.

One other possibility is: could those 84.93.229.n IPs have been your own IP at that time? Then it's somehow something to do with your own network. Have a check the next time it happens.
Standard User camieabz
(sensei) Fri 15-Feb-13 10:39:06

Re: Router DOS attacks
[re: Discord]

I would sort by date and time for future analysis. It helps to ascertain the frequency of the log entries.

Run a DOS box, and try: netstat- ano

See if you can see port 11000 in the listings. If so, is there a PID assigned to the port number? If so, go into the task manager and see if the PID matches anything you're running, and is it above board.

Also see:

http://www.speedguide.net/port.php?port=11000

If you can't ID the 11000 usage, I would install Wireshark and see what shows up for the port 11000 stuff.

It might very well be legit. Or it might not. :)

~ Camieabz ~

All Connection Data ~ Some plusnet links

mod'er·a'tion n.
Synonyms: temperance, restraint, modesty.
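
Added example, not part of any post in this thread: a small Python parser for the log format Discord posted, which sorts entries by time as camieabz suggests and reports the busiest single second, the rate billford gives as the point of concern. The field layout in the regular expression is inferred from the posted lines, and grouping sources by /24 prefix is an assumption made here for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the router log posted at the top of this thread.
SAMPLE_LOG = """\
[DoS Attack: ACK Scan] from source: 188.121.36.176, port 80, Friday, February 08, 2013 18:59:27
[DoS Attack: ACK Scan] from source: 84.93.229.135, port 11000, Thursday, February 14, 2013 19:04:48
[DoS Attack: ACK Scan] from source: 84.93.229.227, port 11000, Thursday, February 14, 2013 19:04:48
[DoS Attack: ACK Scan] from source: 84.93.229.67, port 11000, Thursday, February 07, 2013 22:39:18
[DoS Attack: ACK Scan] from source: 92.122.123.199, port 1935, Sunday, February 10, 2013 10:25:34
[DoS Attack: RST Scan] from source: 188.121.36.177, port 80, Saturday, February 09, 2013 07:55:21
"""

# Field layout assumed from the posted lines: [DoS Attack: KIND] from source: IP, port N, DATE TIME
LINE_RE = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>\d{1,3}(?:\.\d{1,3}){3}), "
    r"port (?P<port>\d+), (?P<when>\w+, \w+ \d{2}, \d{4} \d{2}:\d{2}:\d{2})"
)

def parse_log(text):
    """Return (timestamp, kind, source, port) tuples sorted by time; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(m["when"], "%A, %B %d, %Y %H:%M:%S")
        events.append((when, m["kind"], m["src"], int(m["port"])))
    return sorted(events)

def summarise(events):
    """Count entries per (/24 prefix, port) and find the busiest single second."""
    by_net_port = Counter(
        (src.rsplit(".", 1)[0] + ".0/24", port) for _, _, src, port in events
    )
    per_second = Counter(when for when, *_ in events)
    peak = max(per_second.values(), default=0)
    return by_net_port, peak

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for when, kind, src, port in events:
        print(when.isoformat(sep=" "), kind, src, port)
    counts, peak = summarise(events)
    for (net, port), n in counts.most_common():
        print(f"{n:3d}  {net}  port {port}")
    print("peak entries in one second:", peak)
```

Paste the full router log into `SAMPLE_LOG` (or read it from a file) to see the whole week in order; the weekday and month names are parsed with the English locale.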
Moderator billford
(moderator) Fri 15-Feb-13 10:43:40

Re: Router DOS attacks
[re: camieabz]

In reply to a post by camieabz:
Also see:

http://www.speedguide.net/port.php?port=11000
* cough *

Third link in post :P

Bill
Standard User camieabz
(sensei) Fri 15-Feb-13 11:30:13

Re: Router DOS attacks
[re: billford]

You should see someone about that cough Bill. ;)

~ Camieabz ~
Standard User XRaySpeX
(eat-sleep-adslguide) Fri 15-Feb-13 11:51:05

Re: Router DOS attacks
[re: camieabz]

Punctuation:
In reply to a post by camieabz:
netstat -ano