I hope this is the right place for this.
Recently, we received an e-mail from plusnet stating that our connection had made over 40 thousand failed DNS requests to "an internal dell system". They have asked us to find the source of the connection attempts and stop it. They haven't replied to my e-mail asking for help on finding the source, so I'm coming here.
That isn't the only problem. Recently the connection has been cutting out with windows troubleshooting reporting a DNS Lookup failure. When this happens, the router configuration page refuses to load, it wont even respond to the reboot command which is set to a physical button on the router, and needs to be manually power cycled.
Tonight I decided to keep an eye on the router logs and when this happend again, I got this:
"<12>Jun 9 22:43:38 kernel: mroute: pending queue full, dropping entries."
repeated several times. A further 21 of those messages then got suppressed.
The router then stopped updating the log and locked up again. This router runs the tomato firmware, by the way. I don't know if this is relevant but throughout the day I also got "kernel: DROP IN=ppp0" followed by a whole bunch of info I don't know how to interpret.
Also, we're usually on the Google DNS, and had only switched to the default plusnet one recently, which is when we got the e-mail. While on the Google DNS, we randomly got a captcha when trying to use google services, I believe it said something about unusual activity or connections, I don't recall... I didn't think much of it as I was not aware of any unusual activity until now.
After the lock-up tonight I temporarily replaced the router with an older Belkin one.
Very quickly it's firewall log filled up with:
"Thu 2016-06-09 23:25:59 UDP flood From 126.96.36.199 port:5412 To xxx.xxx.xxx.xxx port:5082 droped"
(Our IP removed) for about a minute. Every instance tried a different port to connect with, such as 2000, 1111, 5099, 5085, to list a few random ones. Additionally, our (dynamic) IP address often shows as being in the wrong country (no VPN), but I don't know if that's related to whatever is going on.
Sorry for the text wall, but I'm a bit stuck with trying to figure the weirdness out. I'd rather get it sorted before plusnet get cross, but I don't know where to begin.