Re: DOS ATTACK,should I be worried
Quote:
Sorry if I'm asking a silly question, but what should I say to them? "Oi you, you been dossing me you swines, quit it or I'll send the boys round, iiiiiiiiiiiiiiiiiiiite" :D
Re: DOS ATTACK,should I be worried
Quote:
"This IP has been DDOS'ing me - can you advise etc"
Re: DOS ATTACK,should I be worried
Quote:
Thanks again, much appreciated :)
Re: DOS ATTACK,should I be worried
Please tell me that we didn't just inform the OP that they should be emailing APNIC or even Microsoft to complain about an ACK based DDOS attack?
Re: DOS ATTACK,should I be worried
I'll go on to explain shall I?
The 'Dos Attack' is originating from a MS IP address, so there's no point in complaining to APNIC about it. The one that's listed as LAN access is the only one that APNIC might be interested in, but I doubt it. Microsoft won't be able to do anything about the ACK attack, nor should they even try, I suspect.
This particular attack is caused by a malicious host (somewhere) on the Internet sending a SYN packet to Microsoft's servers with a spoofed originating IP address (that of the OP). The TCP/IP specification then requires Microsoft's servers to send an 'ACK' in response; this is what the OP is seeing in that one, single, lonesome firewall log entry that we're seeing.
The other entry, the one with the Chinese IP address, is the one that I'd be worried about. A lot more worried than I would be about the Microsoft one. Even then though I think I'd be tempted to ignore it; if the firewall's blocking port 80 then that connection attempt will have failed. So, again, no need to worry.
My advice: find a friend that knows something about network security, give them your IP address, and ask them to run a couple of manual scans for you - they should be able to tell you in a few minutes whether you've got anything you need to worry about. I'd offer to do it for you, but you don't know me from Adam and I don't trust me so I don't see why you should :D
The main things to ensure are:
1. You have an external firewall (preferably on your router) that is set to block all incoming traffic, reject anonymous Internet requests (ping, etc), and to perform SPI.
2. The web interface for your router is NOT exposed to the Internet.
3. The management console on the router is protected by a STRONG password.
4. That you have properly secured any wireless technologies that you might have employed on the inside of your LAN.
Re: DOS ATTACK,should I be worried
Quote:
However, APNIC - will be able to provide "more" information on this IP - could be a simple issue - either way, as the issuer of the IP - like RIPE - so they may provide some information or point the OP in the right place.
Re: DOS ATTACK,should I be worried
But APNIC issued the remote access IP, not the one that the OP thinks is behind his DDOS attack.....
There's no point asking APNIC to look at a DDOS attack, and then giving them either an IP address they didn't issue or a firewall log for a remote access attempt.....
Re: DOS ATTACK,should I be worried
This IP address:
Code:
[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:38:24
This IP address:
Code:
[DoS Attack: ACK Scan] from source: 213.199.149.148, port 80, Wednesday, October 21,2009 01:18:40
If you want to complain to someone, or get more information from someone about the origins of the IP address that's involved with the 'attack' you need to either talk to Microsoft (who will not be interested as there's nothing they can do) or RIPE (who will tell you that it's an IP address issued to Microsoft, and that there's nothing they can do).
Personally, I think that the first IP address is more likely to be the 'suspect' one and that it's far more likely that any 'attack' will have come from there. The second one is more likely a background Internet request that's gotten picked up by an overly sensitive firewall.
You really can spend your entire life trying to chase these things down and get bloody nowhere.
Re: DOS ATTACK,should I be worried
Hey guys, I didn't want to cause anyone any hassle, just an opinion whether it was a concern or not.
The first IP posted was listed lots of times in the logs if that makes any difference. I didn't really mean to post that one, just the one mentioning the DoS attack. I rightly or wrongly assumed that was the one to be concerned about.
Re: DOS ATTACK,should I be worried
Not causing any hassle, just don't like to see people left with any confusion.
In my professional opinion......there is little/nothing to be gained from chasing down the DOS attack (or the remote access line, although that's the one I'd be more concerned about of the two). You will gain most value from your time by investing it in ensuring that your external network defences are as robustly configured as they can be, and then ensuring that the security providing/enhancing features of any software installed on the inside of your LAN are configured and maintained correctly. If the 'DOS' attack persists, and your connection is severely degraded as a result, THEN it might be worth taking the matter further.
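An added example, not part of any post in this thread: a small Python parser for the two router log entry shapes quoted above, tallying entries per source so a one-off entry can be told apart from a source that keeps recurring. The `203.0.113.7` lines and the unparseable line in `SAMPLE` are constructed, and the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Covers the two entry shapes quoted in the thread:
#   [LAN access from remote] from SRC:PORT to DST:PORT, <timestamp>
#   [DoS Attack: ACK Scan] from source: SRC, port N, <timestamp>
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ENTRY = re.compile(
    r"\[(?P<event>[^\]]+)\]\s+from\s+(?:source:\s*)?(?P<src>" + IP + r")(?::\d+)?"
    r"(?:\s+to\s+(?P<dst>" + IP + r":\d+))?(?:,\s*port\s+\d+)?"
    r",\s*(?P<when>\w+,\s*\w+\s+\d{1,2},\s*\d{4}\s+\d{2}:\d{2}:\d{2})"
)

def parse(line):
    """Return event, source, LAN target and timestamp, or None if unparseable."""
    m = ENTRY.search(line)
    if m is None:
        return None
    stamp = re.sub(r",\s*", ", ", m["when"])  # "21,2009" -> "21, 2009"
    when = datetime.strptime(stamp, "%A, %B %d, %Y %H:%M:%S")
    return {"event": m["event"], "src": m["src"], "dst": m["dst"], "when": when}

def summarise(lines):
    """Tally entries per source: count, event types, LAN targets, first/last seen."""
    out = {}
    for e in filter(None, map(parse, lines)):
        s = out.setdefault(e["src"], {"count": 0, "events": Counter(),
                                      "targets": set(), "first": e["when"], "last": e["when"]})
        s["count"] += 1
        s["events"][e["event"]] += 1
        if e["dst"]:
            s["targets"].add(e["dst"])  # LAN host:port named in the entry
        s["first"], s["last"] = min(s["first"], e["when"]), max(s["last"], e["when"])
    return out

def persistent(summary, threshold=3):
    """Sources seen at least `threshold` times (the threshold is an assumption)."""
    return sorted(src for src, s in summary.items() if s["count"] >= threshold)

SAMPLE = [  # first two lines are quoted in the thread; the rest are constructed
    "[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:38:24",
    "[DoS Attack: ACK Scan] from source: 213.199.149.148, port 80, Wednesday, October 21,2009 01:18:40",
    "[LAN access from remote] from 203.0.113.7:6000 to 192.168.1.5:80, Wednesday, October 21,2009 05:01:10",
    "[LAN access from remote] from 203.0.113.7:6000 to 192.168.1.5:80, Wednesday, October 21,2009 05:01:40",
    "[LAN access from remote] from 203.0.113.7:6000 to 192.168.1.5:80, Wednesday, October 21,2009 05:02:15",
    "router rebooted",
]
```

Any LAN target that shows up in the summary is worth comparing against the router's port-forwarding and remote-management settings, in line with the checklist earlier in the thread.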
Re: DOS ATTACK,should I be worried
Quote:
Current security comes via VM, as in the one that comes on the installation disc when you first enroll, and seems to be doing a good enough job so far. On the router, SPI is enabled at present but has in the past been disabled. On my LAN side I've assigned fixed IPs to the MAC address of each appliance I want to connect to, so I can turn off broadcast SSID. It may sound like I have a clue what I'm doing but I don't really. Thanks for bottoming this one out.
All Posts and Content are © Cable Forum