Experiencing DDoS Attacks


Uke™
08-04-2007, 00:52
My router has been very unreliable recently, locking up and rebooting randomly, so I enabled verbose logging. I was shocked to find my log filling up at an alarming rate, almost one page every 5 seconds, with entries like this:


Apr/07/2007 23:14:09
Drop TCP packet from WAN src:87.230.183.150:4671 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:14:08
Drop TCP packet from WAN src:87.88.213.104:3910 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:14:06
Drop TCP packet from WAN src:86.218.150.90:57840 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:14:04
Drop UDP packet from WAN src:74.120.44.217:62037 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:14:03
Drop TCP packet from WAN src:86.218.150.90:57840 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:14:03
Drop UDP packet from WAN src:77.49.30.178:40938 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:14:03
Drop TCP packet from WAN src:74.100.194.213:16881 dst:<IP removed>:61749 Rule: Default deny
Apr/07/2007 23:13:42
Drop TCP packet from WAN src:62.209.238.122:1976 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:41
Drop UDP packet from WAN src:24.155.108.147:61651 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:13:40
Drop TCP packet from WAN src:24.239.234.128:33609 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:39
Drop TCP packet from WAN src:62.209.238.122:1976 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:34
Drop UDP packet from WAN src:76.24.22.199:37994 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:13:34
Drop TCP packet from WAN src:24.137.118.232:41035 dst:<IP removed>:61629 Rule: Default deny
Apr/07/2007 23:13:33
Drop TCP packet from WAN src:142.68.185.164:3925 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:32
Drop TCP packet from WAN src:207.46.216.62:80 dst:<IP removed>:60019 Rule: Default deny
Apr/07/2007 23:13:31
Drop TCP packet from WAN src:82.34.48.9:4027 dst:<IP removed>:61658 Rule: Default deny
Apr/07/2007 23:13:30
Drop TCP packet from WAN src:24.160.130.214:49824 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:13:30
Drop TCP packet from WAN src:81.153.37.43:1771 dst:<IP removed>:60031 Rule: Default deny
Apr/07/2007 23:13:29
Drop TCP packet from WAN src:24.190.41.96:40825 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:28
Drop UDP packet from WAN src:24.160.130.214:27679 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:13:27
Drop TCP packet from WAN src:195.226.235.229:1985 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:25
Drop UDP packet from WAN src:86.153.82.10:59487 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:13:25
Drop UDP packet from WAN src:24.160.130.214:27679 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:13:24
Drop TCP packet from WAN src:24.160.130.214:49824 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:13:23
Drop TCP packet from WAN src:24.190.41.96:40825 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:23
Drop UDP packet from WAN src:81.233.92.60:59214 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:13:23
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60014 Rule: Default deny
Apr/07/2007 23:13:22
Drop TCP packet from WAN src:64.233.183.103:80 dst:<IP removed>:60008 Rule: Default deny
Apr/07/2007 23:13:22
Drop TCP packet from WAN src:82.79.160.201:1179 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:21
Drop UDP packet from WAN src:24.160.130.214:27679 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:13:21
Drop TCP packet from WAN src:195.226.235.229:1985 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:21
Drop TCP packet from WAN src:24.160.130.214:49824 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:13:20
Drop TCP packet from WAN src:24.190.41.96:40825 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:20
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60016 Rule: Default deny
Apr/07/2007 23:13:20
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60009 Rule: Default deny
Apr/07/2007 23:13:20
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60012 Rule: Default deny
Apr/07/2007 23:13:20
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60010 Rule: Default deny
Apr/07/2007 23:13:20
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60011 Rule: Default deny
Apr/07/2007 23:13:20
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60015 Rule: Default deny
Apr/07/2007 23:13:20
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60013 Rule: Default deny
Apr/07/2007 23:13:20
Drop TCP packet from WAN src:66.249.93.147:80 dst:<IP removed>:60007 Rule: Default deny
Apr/07/2007 23:13:19
Drop TCP packet from WAN src:195.226.235.229:1985 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:19
Drop TCP packet from WAN src:82.79.160.201:1179 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:18
Drop UDP packet from WAN src:24.160.130.214:27679 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:13:16
Drop TCP packet from WAN src:212.96.178.60:61341 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:15
Drop UDP packet from WAN src:82.75.152.5:54447 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:13:15
Drop UDP packet from WAN src:89.98.46.48:6882 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:13:14
Drop TCP packet from WAN src:82.79.160.201:1153 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:13
Drop TCP packet from WAN src:212.96.178.60:61341 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:13:00
Drop TCP packet from WAN src:207.46.216.62:80 dst:<IP removed>:60019 Rule: Default deny
Apr/07/2007 23:12:57
Drop TCP packet from WAN src:217.255.95.89:1140 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:55
Drop UDP packet from WAN src:218.164.95.2:31789 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:12:54
Drop TCP packet from WAN src:217.255.95.89:1140 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:52
Drop TCP packet from WAN src:88.72.235.76:12906 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:51
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60014 Rule: Default deny
Apr/07/2007 23:12:51
Drop UDP packet from WAN src:68.111.44.182:42642 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:12:50
Drop TCP packet from WAN src:64.233.183.103:80 dst:<IP removed>:60008 Rule: Default deny
Apr/07/2007 23:12:48
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60016 Rule: Default deny
Apr/07/2007 23:12:48
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60012 Rule: Default deny
Apr/07/2007 23:12:48
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60009 Rule: Default deny
Apr/07/2007 23:12:48
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60010 Rule: Default deny
Apr/07/2007 23:12:48
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60011 Rule: Default deny
Apr/07/2007 23:12:48
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60015 Rule: Default deny
Apr/07/2007 23:12:48
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60013 Rule: Default deny
Apr/07/2007 23:12:48
Drop TCP packet from WAN src:66.249.93.147:80 dst:<IP removed>:60007 Rule: Default deny
Apr/07/2007 23:12:47
Drop UDP packet from WAN src:89.209.81.89:17810 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:12:47
Drop TCP packet from WAN src:88.72.235.76:12906 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:46
Drop UDP packet from WAN src:70.128.183.135:13502 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:12:45
Drop TCP packet from WAN src:68.194.111.169:49723 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:45
Drop TCP packet from WAN src:88.72.235.76:12906 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:39
Drop TCP packet from WAN src:68.194.111.169:49723 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:36
Drop TCP packet from WAN src:68.194.111.169:49723 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:36
Drop UDP packet from WAN src:219.95.193.176:53726 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:12:34
Drop UDP packet from WAN src:24.160.130.214:27679 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:12:33
Drop TCP packet from WAN src:24.160.130.214:49782 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:12:32
Drop TCP packet from WAN src:88.72.235.76:12880 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:30
Drop UDP packet from WAN src:24.160.130.214:27679 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:12:30
Drop TCP packet from WAN src:207.46.216.62:80 dst:<IP removed>:60019 Rule: Default deny
Apr/07/2007 23:12:30
Drop TCP packet from WAN src:213.220.205.66:1352 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:27
Drop UDP packet from WAN src:24.160.130.214:27679 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:12:27
Drop TCP packet from WAN src:24.160.130.214:49782 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:12:26
Drop TCP packet from WAN src:88.72.235.76:12880 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:24
Drop TCP packet from WAN src:82.79.160.201:1153 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:24
Drop TCP packet from WAN src:88.72.235.76:12880 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:24
Drop UDP packet from WAN src:24.160.130.214:27679 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:12:24
Drop TCP packet from WAN src:24.160.130.214:49782 dst:<IP removed>:18294 Rule: Default deny
Apr/07/2007 23:12:22
Drop TCP packet from WAN src:87.223.165.110:1497 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:21
Drop TCP packet from WAN src:82.79.160.201:1153 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:21
Drop TCP packet from WAN src:86.218.150.90:57191 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:20
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60014 Rule: Default deny
Apr/07/2007 23:12:20
Drop TCP packet from WAN src:64.233.183.103:80 dst:<IP removed>:60008 Rule: Default deny
Apr/07/2007 23:12:19
Drop TCP packet from WAN src:195.226.235.229:1950 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:18
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60016 Rule: Default deny
Apr/07/2007 23:12:18
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60009 Rule: Default deny
Apr/07/2007 23:12:18
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60012 Rule: Default deny
Apr/07/2007 23:12:18
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60010 Rule: Default deny
Apr/07/2007 23:12:18
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60011 Rule: Default deny
Apr/07/2007 23:12:18
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60015 Rule: Default deny
Apr/07/2007 23:12:18
Drop TCP packet from WAN src:64.233.183.99:80 dst:<IP removed>:60013 Rule: Default deny
Apr/07/2007 23:12:18
Drop TCP packet from WAN src:66.249.93.147:80 dst:<IP removed>:60007 Rule: Default deny
Apr/07/2007 23:12:15
Drop TCP packet from WAN src:82.79.160.201:1134 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:13
Drop TCP packet from WAN src:195.226.235.229:1950 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:11
Drop TCP packet from WAN src:88.72.235.76:12845 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:10
Drop UDP packet from WAN src:81.15.156.35:31560 dst:<IP removed>:61548 Rule: Default deny
Apr/07/2007 23:12:10
Drop TCP packet from WAN src:195.226.235.229:1950 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:08
Drop TCP packet from WAN src:142.68.185.164:3815 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:05
Drop TCP packet from WAN src:88.72.235.76:12845 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:05
Drop TCP packet from WAN src:142.68.185.164:3815 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:04
Drop TCP packet from WAN src:74.100.194.213:16881 dst:<IP removed>:61749 Rule: Default deny
Apr/07/2007 23:12:04
Drop TCP packet from WAN src:212.96.178.60:63043 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:12:03
Drop TCP packet from WAN src:88.72.235.76:12845 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:11:58
Drop TCP packet from WAN src:207.46.216.62:80 dst:<IP removed>:60019 Rule: Default deny
Apr/07/2007 23:11:55
Drop TCP packet from WAN src:212.96.178.60:63043 dst:<IP removed>:51219 Rule: Default deny
Apr/07/2007 23:11:55
Drop TCP packet from WAN src:82.207.0.125:1051 dst:<IP removed>:51219 Rule: Default deny


Mod edit (Gavin): IPs removed for your own security.

I am sure that this is the problem, and I am sure it is indeed a DDoS attack as many of the IPs involved appear to be common household connections (hostnames point to Comcast, AOL, Sky etc.).

I would like to know what action I am able to take from this point onwards, taking into consideration a few facts:


I used to run a home server, these issues have made it inaccessible.
These issues are almost halving my connection speeds.
These issues may be shortening the life of my modem or router hardware.


Is there anything I can do to prevent this from happening again, and am I entitled to anything because of these attacks?

Horace
08-04-2007, 01:06
You need to remove your ip from that post, in fact forcing an ip change would probably be a good idea all round since you've probably inherited an ip of someone running a server, possibly even a malicious one considering the frequency of the connections.

Uke™
08-04-2007, 01:15
I done fixed my post ;)

---------- Post added at 01:11 ---------- Previous post was at 01:09 ----------

I used to have a ddns @ yserv.no-ip.org, but I refreshed my IP yesterday, and I haven't updated it...

---------- Post added at 01:15 ---------- Previous post was at 01:11 ----------

I've examined the packet statistics further and it seems that over half of the incoming packets are dropped by the router's firewall, so my connection must be taking quite a hit.

MovedGoalPosts
08-04-2007, 01:38
Which router are you using? Have you got anything running on your home network that could now be attracting attention, or was getting attention. TBH there are so many idiots out there on the net forever scanning in the hope they can get a hit using zombie PCs you'll never get hits and that's why you rely on your router's firewall being up to the job.

Uke™
08-04-2007, 03:05
Which router are you using? Have you got anything running on your home network that could now be attracting attention, or was getting attention. TBH there are so many idiots out there on the net forever scanning in the hope they can get a hit using zombie PCs you'll never get hits and that's why you rely on your router's firewall being up to the job.
It's a D-Link DI-624, I have no server applications running on my network at all.

Rik
08-04-2007, 09:10
Have you been using BitTorrent in the past, or indeed have it on when you are getting those firewall logs?

zing_deleted
08-04-2007, 09:13
If your firewall is blocking it, what's the problem? I take it of course you have run ad sweeps and virus scans in case you're sending out an invite to zombies.

Toto
08-04-2007, 10:00
D-Link routers are notorious for reporting DDoS attacks when they are unable to determine what the traffic actually is. I'd not worry about it, the router is doing the blocking. Even if it wasn't you'd not notice the activity if your system is secure and not listening on any unusual ports.

Uke™
09-04-2007, 18:03
I have scanned using NOD32 for viruses and adware, comes up clean.

Although the router is blocking the attacks, it 'crashes' (all the lights come on and it drops the connection) at semi-regular intervals.

---------- Post added at 18:03 ---------- Previous post was at 17:59 ----------

Also, I find this quite strange, as I ran a web server hosting negligible content on the connection at my other house, and this has never seen such activity, except when my poorly configured mail server was being used to relay spam messages without my knowledge.

Toto
09-04-2007, 18:10
Also, I find this quite strange, as I ran a web server hosting negligible content on the connection at my other house, and this has never seen such activity, except when my poorly configured mail server was being used to relay spam messages without my knowledge.

Ahh, has your IP address changed since you sorted out your poorly configured mail server?

If not, it is possible these are bots trying to see if it's still online.

Can you configure your router firewall not to record the DDoS hits? They would still be blocked, but the recording mechanism could be causing the lockups.

Paul
09-04-2007, 18:17
Do you use torrents at all? You can end up getting a lot of apparently random connection attempts similar to that if you do.
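
Added example, not part of the original thread: a Python triage of drop logs in the two-line format posted at the top, separating many-source fan-in to one port (the pattern the torrent questions point at) from port-80 replies to ephemeral ports. The sample entries, documentation-range addresses, the fan_in threshold and the label names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

def _entry(ts, proto, src, dport):
    return (f"Apr/07/2007 {ts}\nDrop {proto} packet from WAN src:{src} "
            f"dst:<IP removed>:{dport} Rule: Default deny\n")

# Constructed sample; addresses are documentation ranges, not from the thread.
SAMPLE_LOG = "".join(_entry(*e) for e in [
    ("23:14:09", "TCP", "192.0.2.10:4671", 51219),
    ("23:14:08", "TCP", "192.0.2.11:3910", 51219),
    ("23:14:06", "TCP", "198.51.100.7:57840", 51219),
    ("23:14:04", "UDP", "198.51.100.8:62037", 61548),
    ("23:14:03", "TCP", "198.51.100.7:57840", 51219),  # retry, same source
    ("23:14:02", "TCP", "203.0.113.99:80", 60014),
    ("23:14:02", "TCP", "203.0.113.99:80", 60016),
    ("23:13:59", "UDP", "192.0.2.55:40938", 61548),
])

EVENT = re.compile(r"Drop (TCP|UDP) packet from WAN src:([\d.]+):(\d+) "
                   r"dst:(?:<[^>]*>|[\d.]+):(\d+) Rule:")

def parse_log(text):
    """Pair each timestamp line with the event line that follows it."""
    events, stamp = [], None
    for line in text.splitlines():
        line = line.strip()
        try:
            stamp = datetime.strptime(line, "%b/%d/%Y %H:%M:%S")
            continue
        except ValueError:
            pass
        m = EVENT.match(line)
        if m and stamp is not None:
            proto, src, sport, dport = m.groups()
            events.append((stamp, proto, src, int(sport), int(dport)))
            stamp = None  # an event without its own timestamp is skipped
    return events

def triage(events, fan_in=3):
    """Label each (protocol, destination port) group. Heuristics only:
    stale-reply: every packet has source port 80/443 (a web server answering
                 a connection the router's NAT table no longer tracks)
    fan-in:      at least fan_in distinct sources target the one port
                 (peers retrying a previously advertised listening port)
    other:       neither pattern"""
    groups = defaultdict(list)
    for _ts, proto, src, sport, dport in events:
        groups[(proto, dport)].append((src, sport))
    report = {}
    for key, pkts in groups.items():
        sources = {src for src, _ in pkts}
        web_only = all(sport in (80, 443) for _, sport in pkts)
        label = ("stale-reply" if web_only else
                 "fan-in" if len(sources) >= fan_in else "other")
        report[key] = {"packets": len(pkts), "sources": len(sources),
                       "label": label}
    return report

def drop_rate(events):
    """Average drops per second across the captured window."""
    stamps = [e[0] for e in events]
    span = (max(stamps) - min(stamps)).total_seconds()
    return len(events) / span if span else float(len(events))

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(sorted(triage(parsed).items()), f"{drop_rate(parsed):.2f} drops/s")
```

A port labelled fan-in with only a packet or two per source, at a rate under one drop per second, is background noise the default-deny rule already handles; a sustained rate orders of magnitude higher is what would warrant contacting the ISP.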

ryd
09-04-2007, 20:42
Hi, I don't know much about routers but I seem to be having the same problems as you. It started this morning. I also have the same router as you and I'm on the 4mb Virgin broadband. Does anybody know some sort of solution?
Thanks

Toto
09-04-2007, 21:05
OK, I'm sure this was a problem with the D-Link firmware, so I did a bit of checking.

3 D-Link & Stratum 1 NTP

In the late summer of 2005 Poul-Henning Kamp discovered that a very high proportion of the traffic to gps.dix.dk (the stratum 1 NTP server he operated in Denmark) consisted of obsolete NTP version 1 requests. All of the machines who should have been "chiming" against his system were using the current, NTP version 4, request packets, so the specious traffic was easy to quantify. He concluded that he was suffering a DDoS attack from zombie-infested computers and asked for help in tracking down the "botnet" he thought was responsible.

He collected the traffic in tcpdump format over a number of days and made it available for analysis to the present author. On a typical day, 1 Nov 2005, 3.19 million NTPv1 packets arrived (37 per second) from 276256 unique IP addresses. Collating these IP addresses by AS (ISP) made it clear that if the source of the traffic, which uses UDP for transport, was spoofed, then the perpetrator had made an excellent job of mimicking the actual usage of IP addresses. It was far more likely that the source addresses were valid. After identifying a source IP address in the UK and contacting the user, it was possible -- having eliminated a number of other possibilities -- to identify that the traffic had been sent by a "DI-624" wireless router manufactured by D-Link.

An identical DI-624 was purchased, which arrived with v2.42 firmware dated 31 Mar 2004. In its default state (with no NTP server specified by the user), the device used a preset list of 63 NTP servers (including gps.dix.dk). Every 2.2 seconds the device made a DNS request to resolve a name selected from this list (in an unpredictable order, often resolving the same host several times in a row), and every 30 seconds it issued an NTPv1 request packet. Although initially the NTP requests were to the most recently resolved server, later requests could immediately precede the re-resolving of the relevant hostname. Hence the device was issuing many pointless DNS requests, ignoring the DNS conventions on the validity of cached results, and -- by sending out two NTP requests a minute -- ignoring the NTP conventions as well.

It will be noted that there is some discrepancy between the average arrival rate of NTPv1 packets at gps.dix.dk (averaging one per 2 hours per source) and the rate at which they are being sent (about once every 30 minutes to any particular NTP server). This can be partly explained by the use of dynamic IP addresses, but may well be because other D-Link products (several models were found to be using stratum 1 NTP servers) retry slightly less often.

Of the 63 NTP servers in the v2.42 firmware list, 52 remain (April 2006) in the isc.org canonical list of stratum 1 servers [10]. Of these, 24 are "Open Access" and do not require users to notify the owners of usage; 6 are "Open Access" but require notification; 5 are "Restricted Access" but don't require notification; 15 are "Restricted Access" and require notification; and the last 2 are "Closed Access". Although "Open Access" servers "may be used without restrictions by any client in any location", they are also documented to have particular "Service Areas", showing which particular countries or networks they are "intended to serve". More importantly, the standard "Rules of Engagement" (http://ntp.isc.org/bin/view/Servers/RulesOfEngagement) require clients that access stratum 1 servers to be in synchronisation subnets of two or more systems and to themselves be providing service to more than 100 other clients. Quite clearly, the D-Link DI-624 falls well outside all of these criteria.

The latest version of the firmware available for UK devices (in April 2006) is v2.59b3 (dated 30 Nov 2005). The server list is markedly changed from v2.42 (but identical to the list in v2.53 -- 20 Apr 2005), with 31 entries removed (including gps.dix.dk) and 36 added to give a total of 68, all bar one of which is on the current canonical list. However, although 30 are now classed as "Open Access" the other systems still have restrictions and the two "Closed Access" systems remain. Also, although the server list has changed, the dynamic behaviour -- synchronising the time every 30 seconds -- is unaltered.

http://www.cl.cam.ac.uk/~rnc1/risingtide.html

I'm not sure if that helps, but this does appear to be a problem peculiar to the D-Link routers.

Uke™
10-04-2007, 02:37
I use torrents sometimes, but this only appears to start at about 1am in the morning, when I'm not running any.

I have my NTP set to ntp1.dlink.com, so that shouldn't be causing any bother.

The mail server was on a totally different connection, which no longer receives any unwanted traffic.

As for disabling the logs, the logs were disabled until very recently, and the router still locked up.