Cable Forum - Networking - DOS ATTACK,should I be worried (https://www.cableforum.uk/board/showthread.php?t=33657002)

budwieser 21-10-2009 19:42

Re: DOS ATTACK,should I be worried
 
Quote:

Originally Posted by pabscars (Post 34894600)
Hi Ladies and Gents, I've just nipped home at lunchtime to see if I'd had a reply from some of the guys on the vm newsgroups, and while I was mooching I had a quick look at the router logs.

It showed a dos attack on port 80 at the weekend, whilst I wasn't using the internet I might add.

Should I be concerned? :shocked:

Any advice for a relative novice?

Head over to www.grc.com and use the free software there. :)

pabscars 22-10-2009 07:56

Re: DOS ATTACK,should I be worried
 
Quote:

Originally Posted by budwieser (Post 34894891)
Head over to www.grc.com and use the free software there. :)

Thanks again guys, I had a quick look last night, and I could only see the one mention of a dos attack, and it mentioned ACK attack, whatever that is.

I think it did show the IP address of where the attack came from, so I will nip home at lunch and copy and paste on here for you to peruse.

Wayfair 22-10-2009 09:03

Re: DOS ATTACK,should I be worried
 
On the grc.com site pabscars, use the Shields UP thing in the Hot Spots section, proceed / then common ports, what that will do is test your firewall / router settings for you.

pabscars 22-10-2009 09:12

Re: DOS ATTACK,should I be worried
 
Quote:

Originally Posted by Wayfair (Post 34895159)
On the grc.com site pabscars, use the Shields UP thing in the Hot Spots section, proceed / then common ports, what that will do is test your firewall / router settings for you.


Cool, I wasn't sure what it was all about.

mucho gratsi :D

webcrawler2050 22-10-2009 10:38

Re: DOS ATTACK,should I be worried
 
Quote:

Originally Posted by pabscars (Post 34895132)
Thanks again guys, I had a quick look last night, and I could only see the one mention of a dos attack, and it mentioned ACK attack, whatever that is.

I think it did show the IP address of where the attack came from, so I will nip home at lunch and copy and paste on here for you to peruse.

Let us know, then we can trace the owner of the IP and report it.

pabscars 22-10-2009 10:44

Re: DOS ATTACK,should I be worried
 
Quote:

Originally Posted by webcrawler2050 (Post 34895209)
Let us know, then we can trace the owner of the IP and report it.

Does that mean I can then send the boys round ;)

webcrawler2050 22-10-2009 11:03

Re: DOS ATTACK,should I be worried
 
Quote:

Originally Posted by pabscars (Post 34895214)
Does that mean I can then send the boys round ;)

Yeah :)

pabscars 22-10-2009 12:42

Re: DOS ATTACK,should I be worried
 
Quote:

Originally Posted by webcrawler2050 (Post 34895209)
Let us know, then we can trace the owner of the IP and report it.

As requested guys

[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:38:24
[DoS Attack: ACK Scan] from source: 213.199.149.148, port 80, Wednesday, October 21,2009 01:18:40

I don't know if you can glean any info from this, and I didn't want to post any more info from the logs as it contained MAC addresses.

webcrawler2050 22-10-2009 12:48

Re: DOS ATTACK,should I be worried
 
213.199.144.0

Code:

netname: MSFT-IDC
org: ORG-MA42-RIPE
descr: Microsoft London Internet Data Center
descr: Distribution of Microsoft content
descr: London
country: GB
admin-c: CXN-RIPE
tech-c: CXN-RIPE
status: ASSIGNED PA
mnt-by: MICROSOFT-MAINT
mnt-domains: MICROSOFT-MAINT
source: RIPE # Filtered

organisation: ORG-MA42-RIPE
org-name: Microsoft Limited
org-type: LIR
address: Microsoft
Allie Settlemyre
One Microsoft Way
WA 98052 Redmond
UNITED STATES
phone: +1 (425) 705 0516
fax-no: +1 425 936 7329
e-mail:
admin-c: AS9763-RIPE
admin-c: BR329-ARIN
admin-c: EN603-RIPE
mnt-ref: MICROSOFT-MAINT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

person: Christian Nielsen
address: One Microsoft Way
address: Redmond, WA 98052
address: US
phone: +1 (425) 706 1083
nic-hdl: CXN-RIPE
source: RIPE # Filtered

% Information related to '213.199.144.0/20AS8068'

route: 213.199.144.0/20
descr: Microsoft European IDCs
origin: AS8068
mnt-by: MICROSOFT-MAINT
source: RIPE # Filtered

AS NUMBER: AS8068 = MICROSOFTEU Microsoft European Data Center

Ripe: http://www.db.ripe.net/whois?object_...rchtext=AS8068

http://www.microsoft.com/emea/pressc...PR_240909.mspx

More info:

IP address country: United Kingdom
IP address state: London, City of
IP address city: London
IP address latitude: 51.5000
IP address longitude: -0.1167
ISP of this IP: Microsoft
Organization: Microsoft London Internet Data Center
Local time in United Kingdom: 2009-10-22 12:51

Very likely to be MSN / Windows updates - I think - I do believe they have transit in Telehouse


121.14.229.199


Code:

netname: HENGXIN-COMPANY
descr: Shantou Hengxin Techonlogy Co.,Ltd
country: CN
admin-c: ST-AP
tech-c: IC83-AP
mnt-by: MAINT-CHINANET-GD
changed: 20090122
status: Allocated non-portable
source: APNIC

AS NUMBER: AS4134 role: Asia Pacific Network Information Centre
address: APNIC, see http://www.apnic.net


RIPE: http://www.db.ripe.net/whois?form_ty..._search=Search

CONTACT: helpdesk@apnic.net

Should help

danielf 22-10-2009 12:50

Re: DOS ATTACK,should I be worried
 
I believe the 213.199 range belongs to Microsoft?

webcrawler2050 22-10-2009 12:54

Re: DOS ATTACK,should I be worried
 
Quote:

Originally Posted by danielf (Post 34895295)
I believe the 213.199 range belongs to Microsoft?

Yup look above

pabscars 22-10-2009 13:02

Re: DOS ATTACK,should I be worried
 
Quote:

Originally Posted by webcrawler2050 (Post 34895294)
213.199.144.0


Sorry to be a numb nuts but this doesn't mean much to me, are you saying you don't think it's anything malicious?

webcrawler2050 22-10-2009 13:05

Re: DOS ATTACK,should I be worried
 
I'm saying the first one could be MSN / Windows updates etc.

I think the second one could be anything, a very possible DDOS attack.

danielf 22-10-2009 13:05

Re: DOS ATTACK,should I be worried
 
Quote:

Originally Posted by pabscars (Post 34895311)
Sorry to be a numb nuts but this doesn't mean much to me, are you saying you don't think it's anything malicious?

It looks like the 'DOS attack' you experienced originated from Microsoft, which would suggest it was not a DOS attack, but you received a number of hits for some other reason.

What is the reason you suspected a DOS attack?

pabscars 22-10-2009 13:10

Re: DOS ATTACK,should I be worried
 
Quote:

Originally Posted by danielf (Post 34895315)
It looks like the 'DOS attack' you experienced originated from Microsoft, which would suggest it was not a DOS attack, but you received a number of hits for some other reason.

What is the reason you suspected a DOS attack?

Purely because it says so in the router logs
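
Added example, not part of the thread: a Python sketch that parses the two router log entries pabscars posted and checks each source address against the route prefix shown in the whois output. The verdict names, and the rule that ACK packets from source port 80 or 443 are usually late replies from a web server, are assumptions of this example rather than anything the router reports.

```python
import ipaddress
import re

# The two log entries posted in the thread.
LOG = """\
[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:38:24
[DoS Attack: ACK Scan] from source: 213.199.149.148, port 80, Wednesday, October 21,2009 01:18:40
"""

# Route prefix and description taken from the whois output quoted in the thread.
KNOWN_ROUTES = {ipaddress.ip_network("213.199.144.0/20"): "Microsoft European IDCs (AS8068)"}

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ENTRY = re.compile(
    rf"^\[(?P<event>[^\]]+)\] from (?:source: )?(?P<src>{IP})"
    rf"(?::(?P<sport_a>\d+)|, port (?P<sport_b>\d+))"
    rf"(?: to (?P<dst>{IP}):(?P<dport>\d+))?,"
)

def parse(line):
    """Split one log entry into event, source, source port and optional destination."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    return {
        "event": m["event"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport_a"] or m["sport_b"]),
        "dst": m["dst"],
        "dport": int(m["dport"]) if m["dport"] else None,
    }

def triage(entry):
    """Return (verdict, owner); verdicts are this example's heuristics (assumptions)."""
    owner = next((d for net, d in KNOWN_ROUTES.items() if entry["src"] in net), None)
    if entry["dst"] is not None:
        verdict = "forwarded-inbound"     # packet reached a LAN host: review port forwarding
    elif "ACK" in entry["event"] and entry["sport"] in (80, 443):
        verdict = "likely-reply-traffic"  # ACKs from a web port usually answer LAN requests
    else:
        verdict = "unclassified"
    return verdict, owner

if __name__ == "__main__":
    for line in LOG.splitlines():
        print(triage(parse(line)), "<-", line)
```
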


All times are GMT +1.