Following the advice from someone in the ISP section, I thought I would start a thread here.
For the past few months, my dynamically assigned IP address has been the target for numerous DoS attacks and I would like some advice on finding out the cause of them please. The vast majority of the attacks originate in Turkey (Turk Telekom) but I have noticed a couple from the USA today. There's also one or two from Malaysia from time to time. All the ones from Turkey target TCP port 23 and the ones from America today were targeted at TCP port 22. Also, the ones from the States trace back to Lafayette Consolidated Government. WTF is that all about???
Here's a sample from my router logs:
Mon, 2009-12-07 03:06:16 - TCP Packet - Source:85.110.102.206,4564 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:06:17 - TCP Packet - Source:85.96.200.106,2401 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:06:17 - TCP Packet - Source:88.242.4.159,4150 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:06:17 - TCP Packet - Source:88.227.108.21,2402 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:06:17 - TCP Packet - Source:81.213.174.206,3990 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:06:17 - TCP Packet - Source:81.214.24.155,4997 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:06:17 - TCP Packet - Source:88.242.181.71,3692 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:06:17 - TCP Packet - Source:78.185.62.95,4730 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:06:17 - TCP Packet - Source:81.214.121.76,2982 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:06:17 - TCP Packet - Source:81.213.167.174,2976 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:06:17 - TCP Packet - Source:88.254.98.242,3932 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:06:17 - TCP Packet - Source:60.52.68.20,2834 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:06:17 - TCP Packet - Source:88.252.65.112,4292 Destination:X.X.X.X,23 - [DOS]
Mon, 2009-12-07 03:40:35 - TCP Packet - Source:69.1.176.194,43513 Destination:X.X.X.X,22 - [DOS]
Mon, 2009-12-07 03:40:36 - TCP Packet - Source:69.1.176.2,43513 Destination:X.X.X.X,22 - [DOS]
Mon, 2009-12-07 03:40:36 - TCP Packet - Source:69.1.176.132,43513 Destination:X.X.X.X,22 - [DOS]
I've replaced my IP address for obvious reasons. At the time of the attacks, my computer was off and I was tucked up in bed. The attacks will sometimes happen when the computer is off so I think it's unlikely that the traffic is somehow being triggered from my computer. Also, i've checked my firewall logs and none of the IP addresses are present.
When using Google, Project Honeypot and IP check tools, the majority of the Turkish based IP addresses are identified as mail servers and/or dictionary attackers.
I've raised the point to my ISP but they were not helpful at all. It seems my internet safety and privacy is not their concern. I've also reported the attacks to the source ISP a number of times but they have failed to acknowledge the emails or take any action.
I'm just at a loss of what's causing this. Every now and again, I refresh my IP address and within a few days, there's some fresh attacks in my router logs. I suspect that the attackers may be scanning ranges belonging to my ISP (Madasafish) but if that was the case, surely it is in the interests of my ISP to investigate and take action?? It would be interesting to hear from other MAAF customers to see if they have been experiencing the same problems.
My router is set to not respond to WAN ping requests, has decent WPA2 encryption and all devices that connect to my router are filtered by MAC address so I feel my network is safe...i'm just confused as to what is causing the attacks.
Any help of advice would be gratefully accepted.
Many thanks



Pages in this thread:
Print Thread
deleted