DOS ATTACK,should I be worried
21-10-2009, 19:42
|
#16
|
cf.mega poster
Join Date: Jan 2004
Location: Cambridgeshire
Age: 63
Posts: 4,232
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by pabscars
Hi Ladies and Gents, I've just nipped home at lunchtime to see if I'd had a reply from some of the guys on the vm newsgroups, and while I was mooching I had a quick look at the router logs.
It showed a dos attack on port 80 at the weekend, whilst I wasn't using the internet I might add.
Should I be concerned?
Any advice for a relative novice?
|
Head over to www.grc.com and use the free software there.
|
|
|
22-10-2009, 07:56
|
#17
|
Inactive
Join Date: Oct 2008
Location: warrington
Age: 53
Services: TiVo, 75 Smeg Broadband
Posts: 2,199
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by budwieser
Head over to www.grc.com and use the free software there. 
|
Thanks again guys, I had a quick look last night, and I could only see the one mention of a dos attack, and it mentioned ACK attack whatever that is.
I think it did show the ip address of where the attack came from, so I will nip home at lunch and copy and paste on here for you to peruse.
|
|
|
22-10-2009, 09:03
|
#18
|
Inactive
Join Date: Nov 2008
Services: Virgin tinterweb, Tivo with an extra large package 'oh yes' and a speaky thing...
Posts: 923
|
Re: DOS ATTACK,should I be worried
On the grc.com site pabscars, use the Shields UP thing in the Hot Spots section, proceed / then common ports, what that will do is test your firewall / router settings for you.
|
|
|
22-10-2009, 09:12
|
#19
|
Inactive
Join Date: Oct 2008
Location: warrington
Age: 53
Services: TiVo, 75 Smeg Broadband
Posts: 2,199
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by Wayfair
On the grc.com site pabscars, use the Shields UP thing in the Hot Spots section, proceed / then common ports, what that will do is test your firewall / router settings for you.
|
Cool, I wasn't sure what it was all about,
mucho gratsi
|
|
|
22-10-2009, 10:38
|
#20
|
Inactive
Join Date: Feb 2008
Location: Swindon
Services: TiVo
110MB BB
Phone Line
Posts: 3,087
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by pabscars
Thanks again guys, I had a quick look last night, and I could only see the one mention of a dos attack, and it mentioned ACK attack whatever that is.
I think it did show the ip address of where the attack came from, so I will nip home at lunch and copy and paste on here for you to peruse.
|
Let us know, then we can trace the owner of the IP and report it.
|
|
|
22-10-2009, 10:44
|
#21
|
Inactive
Join Date: Oct 2008
Location: warrington
Age: 53
Services: TiVo, 75 Smeg Broadband
Posts: 2,199
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by webcrawler2050
Let us know, then we can trace the owner of the IP and report it.
|
Does that mean I can then send the boys round?
|
|
|
22-10-2009, 11:03
|
#22
|
Inactive
Join Date: Feb 2008
Location: Swindon
Services: TiVo
110MB BB
Phone Line
Posts: 3,087
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by pabscars
Does that mean I can then send the boys round?
|
Yeah
|
|
|
22-10-2009, 12:42
|
#23
|
Inactive
Join Date: Oct 2008
Location: warrington
Age: 53
Services: TiVo, 75 Smeg Broadband
Posts: 2,199
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by webcrawler2050
Let us know, then we can trace the owner of the IP and report it.
|
As requested guys
[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:38:24
[DoS Attack: ACK Scan] from source: 213.199.149.148, port 80, Wednesday, October 21,2009 01:18:40
I don't know if you can glean any info from this, and I didn't want to post any more info from the logs as it contained MAC addresses.
|
|
|
22-10-2009, 12:48
|
#24
|
Inactive
Join Date: Feb 2008
Location: Swindon
Services: TiVo
110MB BB
Phone Line
Posts: 3,087
|
Re: DOS ATTACK,should I be worried
213.199.144.0
Code:
netname: MSFT-IDC
org: ORG-MA42-RIPE
descr: Microsoft London Internet Data Center
descr: Distribution of Microsoft content
descr: London
country: GB
admin-c: CXN-RIPE
tech-c: CXN-RIPE
status: ASSIGNED PA
mnt-by: MICROSOFT-MAINT
mnt-domains: MICROSOFT-MAINT
source: RIPE # Filtered
organisation: ORG-MA42-RIPE
org-name: Microsoft Limited
org-type: LIR
address: Microsoft
Allie Settlemyre
One Microsoft Way
WA 98052 Redmond
UNITED STATES
phone: +1 (425) 705 0516
fax-no: +1 425 936 7329
e-mail:
admin-c: AS9763-RIPE
admin-c: BR329-ARIN
admin-c: EN603-RIPE
mnt-ref: MICROSOFT-MAINT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
person: Christian Nielsen
address: One Microsoft Way
address: Redmond, WA 98052
address: US
phone: +1 (425) 706 1083
nic-hdl: CXN-RIPE
source: RIPE # Filtered
% Information related to '213.199.144.0/20AS8068'
route: 213.199.144.0/20
descr: Microsoft European IDCs
origin: AS8068
mnt-by: MICROSOFT-MAINT
source: RIPE # Filtered
AS NUMBER: AS8068 = MICROSOFTEU Microsoft European Data Center
Ripe: http://www.db.ripe.net/whois?object_...rchtext=AS8068
http://www.microsoft.com/emea/pressc...PR_240909.mspx
More info:
IP address country: United Kingdom
IP address state: London, City of
IP address city: London
IP address latitude: 51.5000
IP address longitude: -0.1167
ISP of this IP [?]: Microsoft
Organization: Microsoft London Internet Data Center
Local time in United Kingdom: 2009-10-22 12:51
Very likely to be MSN / Windows updates - I think - I do believe they have transit in Telehouse
121.14.229.199
Code:
netname: HENGXIN-COMPANY
descr: Shantou Hengxin Techonlogy Co.,Ltd
country: CN
admin-c: ST-AP
tech-c: IC83-AP
mnt-by: MAINT-CHINANET-GD
changed: 20090122
status: Allocated non-portable
source: APNIC
AS NUMBER: AS4134 role: Asia Pacific Network Information Centre
address: APNIC, see http://www.apnic.net
RIPE: http://www.db.ripe.net/whois?form_ty..._search=Search
CONTACT: helpdesk@apnic.net
Should help
|
|
|
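An added example (not part of any post in this thread): a small parser for the two router log lines posted above that checks each source address against the route object from the whois output. The triage rules are assumptions made for illustration: a logged destination on the LAN is read as traffic the router let through, and an ACK from port 80 or 443 of a known content network as a late web-server reply.

```python
import ipaddress
import re
from datetime import datetime

# The two entries as posted in the thread.
LOG = """\
[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:38:24
[DoS Attack: ACK Scan] from source: 213.199.149.148, port 80, Wednesday, October 21,2009 01:18:40
"""
# Route object quoted in the whois output in the thread.
KNOWN_ROUTES = {"213.199.144.0/20": "AS8068 Microsoft European IDCs"}

LINE = re.compile(
    r"^\[(?P<event>[^\]]+)\] from (?:source: )?(?P<src>\d+(?:\.\d+){3})"
    r"(?::(?P<sport1>\d+)|, port (?P<sport2>\d+))"
    r"(?: to (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+))?"
    r", \w+, (?P<ts>\w+ \d+,\s*\d{4} \d\d:\d\d:\d\d)$"
)

def parse(log):
    """Return one dict per recognised log line; unknown formats are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        stamp = re.sub(r",\s*", ", ", m["ts"])  # "October 21,2009" -> "October 21, 2009"
        events.append({
            "event": m["event"], "src": m["src"],
            "sport": int(m["sport1"] or m["sport2"]),
            "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None,
            "time": datetime.strptime(stamp, "%B %d, %Y %H:%M:%S"),
        })
    return events

def owner(ip):
    """Name of the known route containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for cidr, name in KNOWN_ROUTES.items()
                 if addr in ipaddress.ip_network(cidr)), None)

def triage(e):
    """Illustrative rules only (assumptions, see the lead-in)."""
    if e["dst"] and ipaddress.ip_address(e["dst"]).is_private:
        return "remote host reached a LAN address: review port forwarding/UPnP"
    if e["sport"] in (80, 443) and owner(e["src"]):
        return "likely late web-server reply, not an attack"
    return "unexplained: look up the source and watch for repeats"
```

Calling `[triage(e) for e in parse(LOG)]` flags the first entry for a port-forwarding review and marks the second as probable reply traffic.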
22-10-2009, 12:50
|
#25
|
cf.mega poser
Join Date: Jun 2003
Posts: 16,687
|
Re: DOS ATTACK,should I be worried
I believe the 213.199 range belongs to Microsoft?
__________________
Remember kids: We are blessed with a listening, caring government.
|
|
|
22-10-2009, 12:54
|
#26
|
Inactive
Join Date: Feb 2008
Location: Swindon
Services: TiVo
110MB BB
Phone Line
Posts: 3,087
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by danielf
I believe the 213.199 range belongs to Microsoft?
|
Yup look above
|
|
|
22-10-2009, 13:02
|
#27
|
Inactive
Join Date: Oct 2008
Location: warrington
Age: 53
Services: TiVo, 75 Smeg Broadband
Posts: 2,199
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by webcrawler2050
213.199.144.0
Very likely to be MSN / Windows updates - I think - I do believe they have transit in Telehouse
121.14.229.199
Should help
|
Sorry to be a numb nuts but this doesn't mean much to me, are you saying you don't think it's anything malicious?
|
|
|
22-10-2009, 13:05
|
#28
|
Inactive
Join Date: Feb 2008
Location: Swindon
Services: TiVo
110MB BB
Phone Line
Posts: 3,087
|
Re: DOS ATTACK,should I be worried
I'm saying the first one could be MSN / Windows updates etc.
I think the second one could be anything, a very possible DDOS attack.
|
|
|
22-10-2009, 13:05
|
#29
|
cf.mega poser
Join Date: Jun 2003
Posts: 16,687
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by pabscars
Sorry to be a numb nuts but this doesn't mean much to me, are you saying you don't think it's anything malicious?
|
It looks like the 'DOS attack' you experienced originated from Microsoft, which would suggest it was not a DOS attack, but you received a number of hits for some other reason.
What is the reason you suspected a DOS attack?
__________________
Remember kids: We are blessed with a listening, caring government.
|
|
|
22-10-2009, 13:10
|
#30
|
Inactive
Join Date: Oct 2008
Location: warrington
Age: 53
Services: TiVo, 75 Smeg Broadband
Posts: 2,199
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by danielf
It looks like the 'DOS attack' you experienced originated from Microsoft, which would suggest it was not a DOS attack, but you received a number of hits for some other reason.
What is the reason you suspected a DOS attack?
|
Purely because it says so in the router logs
|
|
|
All times are GMT +1.