DOS ATTACK,should I be worried
 

Hi Ladies and Gents, Ive just nipped home at lunchtime to see if I'd had a reply from some of the guys on the vm newsgroups, and while I was mooching I had a quick look at the router logs.

It showed a dos attack on port 80 at the weekend, whilst I wasnt using the internet I might add.

Should I be concerned.:shocked:

any advice for a relative novice.

Re: DOS ATTACK,should I be worried
 

If the port's closed on your router (ie. rejecting inbound traffic on that port, or better still dropping inbound traffic on that port), and if your router is sufficiently robust to handle that amount of traffic directed at a single port, then I wouldn't worry about it at all.

Re: DOS ATTACK,should I be worried
 

Chances are it may be open due to the port forwarding/triggering ive done for the xbox and ps3, the router is the one supplied by vm "netgear WNR2000" I think.

I also have spi turned on

Re: DOS ATTACK,should I be worried
 

I agree with Rob M. This stuff happens and this at least proves that your router is doing it's job properly.

I'd check your router settings and see if there is any facility for 'remote management' or words to that effect. If it has that function make sure it's switched off.

Re: DOS ATTACK,should I be worried
 

They shouldn't open port 80 inbound unless you're running a web server of some sort on them.

Re: DOS ATTACK,should I be worried
 

Thanks for that, :tu:I will check when I get home later on, I do recall seeing something for remote management but Im not sure what its set too.

---------- Post added at 14:06 ---------- Previous post was at 14:03 ----------

No, No web server ( whatever they are ), are dos attack like one off attacks, or can they happen over prolonged periods.:confused:

Re: DOS ATTACK,should I be worried
 

it's very likely a port scanner of some description. Port 80 should be closed and your routers firewall should of kicked in anywho.

DDOS attacks can last for days an be every 10 seconds, if the "hacker / software" knows what they are doing. Seems like the attack wen't ment for a webserver as is was taketing port 80 httpd. Nothing to worry about.

Re: DOS ATTACK,should I be worried
 

Port scan seems a likely option. A serious DDOS attack involves packet volumes in excess of 100/second and can get up to the thousands if a botnet attack is occurring.

Probably just someone casually probing.

Re: DOS ATTACK,should I be worried
 

Port scan is very very likely.

Re: DOS ATTACK,should I be worried
 

You'll normally find that port scanners scan a range of ports, not the same port multiple times. A DOS is normally caused my sending massive amounts of traffic to a single socket, which is what the OP seems to be describing. If they were seeing a port scanner I'd expect to see them complaining of lots of ports being scanned not just port 80.

Re: DOS ATTACK,should I be worried
 

It could be both to be fair.

Re: DOS ATTACK,should I be worried
 

Thank you all for your responses, its all a bit alien to me I,m afraid, I will have another mooch tonight and see if there is any more evidence.

Just one more question if I may,

Would these attacked influence my connectivity in anyway, because up until Thursday of last week, my connection had been very stable all week, yet since then its been all over the place.

Ive been having issues with slow speeds for some time, but like I say it had been rock steady for a week and now its back (worse than before) to being pants, so just wondered if there may be a connection?

Re: DOS ATTACK,should I be worried
 

If the connection to your router is being flooded with packets, and if your router is attempting to process them all (instead of just dropping them without trying to do anything with them), then yes it could affect your connection speed.

Re: DOS ATTACK,should I be worried
 

Going back to your router logs for a moment, you say they show attacks to port 80. Do they also indicate the attacking IP address?

It would be useful to know if all the hits originate from one IP or if they are coming from a range. If they are from different addresses a couple of examples would be interesting.

Re: DOS ATTACK,should I be worried
 

It's likely it's coming from a "budget" rented server or some script.

if you can paste a bulk of your logs. The able here, will be able to see instantly.

And yes, if your router is under heavy DDOS then yes, speed will be effected

Re: DOS ATTACK,should I be worried
 

Head over to www.grc.com and use the free software there. :)

Re: DOS ATTACK,should I be worried
 

Thanks again guys, I had a quick look last night, and I could only see the one mention of a dos attack, and it mentioned ACK attack whatever that is.

I think it did show the ip address of where the attack came from, so I will nip home at lunch and copy and paste on here for you to peruse.

Re: DOS ATTACK,should I be worried
 

On the grc.com site pabscars, use the Shields UP thing in the Hot Spots section, proceed / then common ports, what that will do is test your firewall / router settings for you.

Re: DOS ATTACK,should I be worried
 

Cool, I wasnt sure what it was all about,

mucho gratsi :D

Re: DOS ATTACK,should I be worried
 

Let us know, then we can trace the owner of the IP and report it.

Re: DOS ATTACK,should I be worried
 

Does that mean I can then send the boys round ;)

Re: DOS ATTACK,should I be worried
 

Yeah :)

Re: DOS ATTACK,should I be worried
 

As requested guys

[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:38:24
[DoS Attack: ACK Scan] from source: 213.199.149.148, port 80, Wednesday, October 21,2009 01:18:40

I dont know if you can glean any info from this, and I didnt want to post any more info from the logs as it contained mac address's.

Re: DOS ATTACK,should I be worried
 

213.199.144.0

AS NUMBER: AS8068 = MICROSOFTEU Microsoft European Data Center

Ripe: http://www.db.ripe.net/whois?object_...rchtext=AS8068

http://www.microsoft.com/emea/pressc...PR_240909.mspx

More info:

IP address country: ip address flag United Kingdom
IP address state: London, City of
IP address city: London
IP address latitude: 51.5000
IP address longitude: -0.1167
ISP of this IP [?]: Microsoft
Organization: Microsoft London Internet Data Center
Local time in United Kingdom: 2009-10-22 12:51

Very likely to be MSN / Windows updates - I think - I do believe they have transit in Telehouse


121.14.229.199

AS NUMBER: AS4134 role: Asia Pacific Network Information Centre
address: APNIC, see http://www.apnic.net


RIPE: http://www.db.ripe.net/whois?form_ty..._search=Search

CONTACT: helpdesk@apnic.net

Should help

Re: DOS ATTACK,should I be worried
 

I believe the 213.199 range belongs to Microsoft?

Re: DOS ATTACK,should I be worried
 

Yup look above

Re: DOS ATTACK,should I be worried
 

Sorry to be a numb nuts but this doesn't mean much to me, are you saying you don't think its anything malicious.

Re: DOS ATTACK,should I be worried
 

Im saying the first one could be MSN / Windows updates etc.

I think the second one, could be anything a very possible DDOS attack..

Re: DOS ATTACK,should I be worried
 

It looks like the 'DOS attack' you experienced originated from Microsoft, which would suggest it was not a DOS attack, but you received a number of hits for some other reason.

What is the reason you suspected a DOS attack?

Re: DOS ATTACK,should I be worried
 

Purely because it says so in the router logs

Re: DOS ATTACK,should I be worried
 

Hmmm - first one might not be a DDOS - 2nd one might be - send their helpdesk an email.

Re: DOS ATTACK,should I be worried
 

Do you mean this one, helpdesk@apnic.net

sorry if i,m asking a silly question but what should I say to them.

"Oi you, you been dossing me you swines, quit it or I'll send the boys round, iiiiiiiiiiiiiiiiiiiite":D

Re: DOS ATTACK,should I be worried
 

Yes this one. Something on the lines of

"This IP has DDOS'ing me - can you advsie etc"

Re: DOS ATTACK,should I be worried
 

Done, I will let you know if they respond.

thanks again much appreciated :)

Re: DOS ATTACK,should I be worried
 

Let me know how you get on

Re: DOS ATTACK,should I be worried
 

Please tell me that we didn't just inform the OP that they should be emailing APNIC or even Microsoft to complain about an ACK based DDOS attack?

Re: DOS ATTACK,should I be worried
 

Yes :erm:

Re: DOS ATTACK,should I be worried
 

I'll go on to explain shall I?

The 'Dos Attack' is originating from a MS IP address, so there's no point in complaining to APNIC about it. The one that's listed as LAN access is the only one that APNIC might be interested in, but I doubt it.

Microsoft won't be able to do anything about the ACK attack, nor sould they even try I suspect. This particular attack is caused by a malicious host (somewhere) on the Internet sending a SYN packet to Microsoft's servers with a spoofed originating IP address (that of the OP). The TCP/IP specification then requires Microsoft's servers to send an 'ACK' in response, this is what the OP is seeing in that one, single, lonesome, firewall log entry that we're seeing.

The other entry, the one with the Chines IP address, is the one that I'd be worried about. A lot more worried than I would be about the Microsoft one. Even then though I think I'd be tempted to ignore it, if the firewall's blocking port 80 then that connection attempt will have failed. So, again, no need to worry.

My advice, find a friend that knows something about network security, give them your IP address, and ask them to run a couple of manual scans for you - they should be able to tell you in a few minutes whether you've got anything you need to worry about. I'd offer to do it for you, but you don't know me from Adam and I don't trust me so I don't see why you should :D

The main things to ensure are:

1. You have an external firewall (preferably on your router) that is set to block all incoming traffic, reject anonymous Internet requests (ping, etc), and to perform SPI.

2. The web interface for your router is NOT exposed to the Internet.

3. The management console on the router is protected by a STRONG password.

4. That you have properly secured any wireless technologies that you might have employed on the inside of your LAN.

Re: DOS ATTACK,should I be worried
 

Not MS noo, no chance. Could be a variety of things.

However, APNIC - will be able to provide "more" information on this IP - could be a simple issue - either way, as the issuer of the IP - like RIPE - so they may provide some information or point the OP in the right place.

Re: DOS ATTACK,should I be worried
 

But APNIC issued the remote access IP, not the one that the OP thinks is behind his DDOS attack.....

There's no point asking APNIC to look at a DDOS attack, and then giving them either an IP address they didn't issue or a firewall log for a remote access attempt.....

Re: DOS ATTACK,should I be worried
 

Yes but they issued the ip so will have contact details for the owner. Which seems to point to "GSTA.COM" and or "Shantou Hengxin Techonlogy Co.,Ltd"

Re: DOS ATTACK,should I be worried
 

This IP address:

Not listed as a suspected DDOS attack, but maintained by APNIC.

This IP address:

Listed as a suspected DOS attack, NOT maintained by APNIC.

If you want to complain to someone, or get more information from someone about the origins of the IP address that's involved with the 'attack' you need to either talk to Microsoft (who will not be interested as there's nothing they can do) or RIPE (who will tell you that it's an IP address issued to Microsoft, and that there's nothing they can do).

Personally, I think that the first IP address is more likely to be the 'suspect' one and that it's far more likely that any 'attack' will have come from there. The second one is more likely a backrground Internet request that's gottent picked up by an overly sensitive firewall.

You really can spend your entire life trying to chase these things down and get bloody nowhere.

---------- Post added at 15:08 ---------- Previous post was at 15:07 ----------

Yes, but the OP wants to talk to them about a DOS ATTACK, and the IP listed as being responsible for the DOS ATTACK isn't one of theirs, it's one of RIPE's and is assigned to Microsoft.

Re: DOS ATTACK,should I be worried
 

Hay guys, I didn't want to cause anyone any hassle, just an opinion whether it was a concern or not.

The first IP posted was listed lots of times in the logs if that makes any difference, I didnt really mean to post that one, just the one mentioning the dos attack.

I rightly or wrongly assumed that was the one to be concerned about.

Re: DOS ATTACK,should I be worried
 

Not causing any hassle, just don't like to see people left with any confusion.

In my professional opinion......there is little/nothing to be gained from chasing down the DOS attack (or the remote access line, although that's the one I'd be more concerned about of the two).

You will gain most value from your time by investing it in ensuring that your external network defences are as robustly configured as they can be, and then ensuring that the security providing/enhancing features of any software installed on the inside of your LAN are configured and maintained correctly.

If the 'DOS' attack persists, and your connection is severely degraded as a result, THEN it might be worth taking the matter further.

Re: DOS ATTACK,should I be worried
 

Ok Cheers Rob, I was never that interested in tracking down where it originated from but given the help from you guys on CF I thought maybe you were curious.

Current security comes via VM, as in the one that comes on the installation disc when you first enroll, and seems to be doing a good enough job so far.

On the router, SPI is enabled at present but has in the past been disabled, on my LAN side Ive assigned fixed IP's to the MAC address of each appliance I want to connect to, so I can turn off broadcast SSID.

It may sound like I have a clue what I,m doing but I dont really,

thanks for bottoming this one out

Re: DOS ATTACK,should I be worried
 

Indeed I would agree with Rob, making sure you are "safe" etc is paramount. However, sending an email that takes 2 / 3 minutes won't hurt either. I've seen this hundreds and thousands of times and it can help, others aswell.

Re: DOS ATTACK,should I be worried
 

What model of router do you have?

Re: DOS ATTACK,should I be worried
 

Hi Rob apologies for the very late reply, but the router is the one supplied by VM its a Netgear WNR2000 if memory serves, and I,m starting to think mine has a fault as last night just while having a dabble on the ps3 it twice completely rebooted on its own (twice within 10 mins), causing me to be kicked from a game and loose all points which miffed me a little.

Any ideas why it would just suddenly do this, its happened lots of times come to think of it, and I know there is newer firmware available, which ive downloaded to the laptop.

But as yet I,ve been reluctant at changing it due my inexperience and how long it took to set it all up on statics etc.

any advice