DNS Related issues?

Hi
I hope this is the right place for this.
Recently, we received an e-mail from plusnet stating that our connection had made over 40 thousand failed DNS requests to "an internal dell system". They have asked us to find the source of the connection attempts and stop it. They haven't replied to my e-mail asking for help on finding the source, so I'm coming here.

That isn't the only problem. Recently the connection has been cutting out with windows troubleshooting reporting a DNS Lookup failure. When this happens, the router configuration page refuses to load, it wont even respond to the reboot command which is set to a physical button on the router, and needs to be manually power cycled.

Tonight I decided to keep an eye on the router logs and when this happend again, I got this:

"<12>Jun 9 22:43:38 kernel: mroute: pending queue full, dropping entries."

repeated several times. A further 21 of those messages then got suppressed.
The router then stopped updating the log and locked up again. This router runs the tomato firmware, by the way. I don't know if this is relevant but throughout the day I also got "kernel: DROP IN=ppp0" followed by a whole bunch of info I don't know how to interpret.

Also, we're usually on the Google DNS, and had only switched to the default plusnet one recently, which is when we got the e-mail. While on the Google DNS, we randomly got a captcha when trying to use google services, I believe it said something about unusual activity or connections, I don't recall... I didn't think much of it as I was not aware of any unusual activity until now.

After the lock-up tonight I temporarily replaced the router with an older Belkin one.
Very quickly it's firewall log filled up with:

"Thu 2016-06-09 23:25:59 UDP flood From 188.214.128.22 port:5412 To xxx.xxx.xxx.xxx port:5082 droped"

(Our IP removed) for about a minute. Every instance tried a different port to connect with, such as 2000, 1111, 5099, 5085, to list a few random ones. Additionally, our (dynamic) IP address often shows as being in the wrong country (no VPN), but I don't know if that's related to whatever is going on.

Sorry for the text wall, but I'm a bit stuck with trying to figure the weirdness out. I'd rather get it sorted before plusnet get cross, but I don't know where to begin.
Thanks!

It may not be relevant, but are the machines connecting to your router running WindowsXXX, and are there any Dell machines?

It is likely to be malware on one of the machines, I would personally run the following tools on every system

1) Malware bytes full scan (Threat scan)
2) Avira antivirus full scan

If that does not detect anything I would be surprised.

I'm afraid I've already run avast and malware bytes scans on all the computers on the network, and there aren't any dell systems on it. It seems what the "internal dell system" line means is that the failed dns requests were for a server on dell.com that exists but has no browser view-able page. All computers are connected to the router either through secured wireless or wired on a switch. I blocked the dell address they mentioned, but haven't seen it appear in the firewall log.

A who.is check shows the 188.214.128.22 IP address originates in Lithuania. A Google search of the IP address also found it on a SIP attack (a type of flood attack against internet VoIP phones and clients) IP block list.

Have you tried the following?

Power down the Belkin router (I'm assuming this uses standard unmodified firmware) for 5 to 10 minutes to close all connections and increase the chance of being assigned a new IP address. In this time also disconnect all computers / systems from the router.

Power up the router and allow it to connect to Plusnet. Allow the router to run for about 5 min before choosing one of the computers to connect to the router and to the internet. Check the router logs and see if there is any suspicious behavior and if there is did it occur before or after the computer was connected to the router.

If there is no suspicious behavior in the log then disconnect the computer you just used and try connecting another computer to the router. Hopefully this will allow you to find which computer is requesting / starting the suspicious traffic. From your description in the original post I suspect that the router is crashing periodically due to excessive traffic. The DROP IN=ppp0 error means that you have been disconnected from the Plusnet gateway hence no internet connectivity which will then mean that Windows will not be able to resolve DNS requests leading to the DNS errors.

A very useful program for monitoring outgoing internet connections from Windows systems can be found here:

https://technet.microsoft.com/en-us/sysinternals/tcp...

You will need to run it in administrator mode (right click on icon and select "run as administrator").

As for your Plusnet IP address not originating in the UK I believe this is because of Plusnet have purchased blocks of IP addresses from other ISP's and then have been slow updating the country location with the various IP databases. This can lead to problems when trying to use a UK credit card as a fraud alert can be generated (many internet credit card transactions will check the location of the card against the location of the IP address and expect them to match). I believe there have been messages about this in the Plusnet forums in the past but I am not sure if this is still an on going issue.

Hope this helps.

I saw this sort of thing the other day on an Asus router.

The time server settings were corrupted. The time server attempts to connect to a list of severs and fails.

Time servers also cause issues with the router firmware.

It can't do any harm to flash the firmware and check your time settings.