Bugger me, I've just been DoS'd


scarby
18-04-2008, 20:00
Howdo.

Yesterday, I logged into our wireless router to set up port mapping, as I was setting up a Torrent client. Setup went well, super fast downloading as well.

I went into the router again today, as I was experiencing really slow download speeds, and I found this in the router logs....

[Admin login] from source 192.168.1.136, Friday, Apr 18,2008 19:37:09
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:10:43
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:09:56
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:09:16
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:08:36
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:07:39
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:05:57
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:04:35
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:03:04
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:02:20
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:01:40
[Service blocked: ICMP_echo_req] from source 82.39.221.206, Friday, Apr 18,2008 18:55:15
[Service blocked: ICMP_echo_req] from source 72.85.194.100, Friday, Apr 18,2008 18:54:38
[Service blocked: ICMP_echo_req] from source 79.178.11.193, Friday, Apr 18,2008 18:25:04
[DOS attack: Smurf] attack packets in last 20 sec from ip [68.145.106.255], Friday, Apr 18,2008 17:49:47
[DOS attack: Smurf] attack packets in last 20 sec from ip [68.145.106.255], Friday, Apr 18,2008 17:34:44
[Service blocked: ICMP_echo_req] from source 218.36.213.70, Friday, Apr 18,2008 16:58:05
[Service blocked: ICMP_echo_req] from source 82.41.210.201, Friday, Apr 18,2008 16:13:25
[Service blocked: ICMP_echo_req] from source 82.39.221.206, Friday, Apr 18,2008 15:15:27
[Admin login] from source 192.168.1.136, Friday, Apr 18,2008 14:56:38
[DOS attack: Smurf] attack packets in last 20 sec from ip [86.162.198.255], Friday, Apr 18,2008 14:45:41
[Service blocked: ICMP_echo_req] from source 79.119.174.144, Friday, Apr 18,2008 14:41:35
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [84.53.177.65], Friday, Apr 18,2008 14:16:36
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [207.138.234.50], Friday, Apr 18,2008 14:16:28
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [200.165.54.11], Friday, Apr 18,2008 14:16:19
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [84.53.177.66], Friday, Apr 18,2008 14:15:59
[Service blocked: ICMP_echo_req] from source 82.40.132.174, Friday, Apr 18,2008 14:06:34
[UPnP set event: Public_UPNP_C3] from source 192.168.1.4, Friday, Apr 18,2008 13:36:23
[DHCP IP: (192.168.1.4)] to MAC address 00:19:D1:FD:50:26, Friday, Apr 18,2008 13:33:22
[Service blocked: ICMP_echo_req] from source 82.39.221.206, Friday, Apr 18,2008 13:24:15
[DOS attack: Smurf] attack packets in last 20 sec from ip [68.145.106.255], Friday, Apr 18,2008 13:06:05
[Service blocked: ICMP_echo_req] from source 82.157.208.47, Friday, Apr 18,2008 12:48:06
[Service blocked: ICMP_echo_req] from source 200.201.197.82, Friday, Apr 18,2008 12:20:38
[Service blocked: ICMP_echo_req] from source 82.40.132.174, Friday, Apr 18,2008 12:09:51
[Service blocked: ICMP_echo_req] from source 82.39.221.206, Friday, Apr 18,2008 11:40:30
[Service blocked: ICMP_echo_req] from source 82.41.210.201, Friday, Apr 18,2008 10:55:21
[Service blocked: ICMP_echo_req] from source 82.36.131.145, Friday, Apr 18,2008 10:54:44
[Service blocked: ICMP_echo_req] from source 64.168.238.230, Friday, Apr 18,2008 10:48:53
[Service blocked: ICMP_echo_req] from source 82.40.132.174, Friday, Apr 18,2008 10:19:02
[DOS attack: Smurf] attack packets in last 20 sec from ip [92.233.237.255], Friday, Apr 18,2008 09:54:51
[Service blocked: ICMP_echo_req] from source 82.41.210.201, Friday, Apr 18,2008 09:44:49
[Service blocked: ICMP_echo_req] from source 61.18.56.182, Friday, Apr 18,2008 09:43:05
[Service blocked: ICMP_echo_req] from source 84.113.17.23, Friday, Apr 18,2008 09:19:15
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [81.79.108.91], Friday, Apr 18,2008 09:05:11
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [147.102.102.211], Friday, Apr 18,2008 09:04:29
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [151.50.164.127], Friday, Apr 18,2008 09:03:46
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [190.46.113.114], Friday, Apr 18,2008 08:58:19
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [92.112.218.82], Friday, Apr 18,2008 08:56:52
[Service blocked: ICMP_echo_req] from source 82.41.210.201, Friday, Apr 18,2008 08:20:55
[Service blocked: ICMP_echo_req] from source 222.87.233.111, Friday, Apr 18,2008 05:45:29
[Service blocked: ICMP_echo_req] from source 82.41.210.201, Friday, Apr 18,2008 04:50:39
[Service blocked: ICMP_echo_req] from source 77.203.192.79, Friday, Apr 18,2008 04:32:46
[Service blocked: ICMP_echo_req] from source 61.20.144.238, Friday, Apr 18,2008 03:58:18
[Service blocked: ICMP_echo_req] from source 92.242.216.170, Friday, Apr 18,2008 03:57:49
[Service blocked: ICMP_echo_req] from source 62.5.192.27, Friday, Apr 18,2008 03:42:21
[Service blocked: ICMP_echo_req] from source 67.45.83.153, Friday, Apr 18,2008 01:36:15
[Service blocked: ICMP_echo_req] from source 221.141.171.126, Friday, Apr 18,2008 01:23:19
[Service blocked: ICMP_echo_req] from source 82.41.210.201, Friday, Apr 18,2008 01:10:35
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is dro Friday, Apr 18,2008 01:08:36
[Service blocked: ICMP_echo_req] from source 122.31.53.72, Friday, Apr 18,2008 00:26:17
[Service blocked: ICMP_echo_req] from source 61.109.172.199, Thursday, Apr 17,2008 23:52:55
[Service blocked: ICMP_echo_req] from source 199.203.54.49, Thursday, Apr 17,2008 23:52:23
[Service blocked: ICMP_echo_req] from source 82.41.210.201, Thursday, Apr 17,2008 23:23:40
[Service blocked: ICMP_echo_req] from source 75.145.141.170, Thursday, Apr 17,2008 22:46:29

Bad news eh?

The website I would steer to for knowledge on how to remedy this situation is currently offline, so, I'm asking some of you computer buffs to shed some light on this.

I'm running AVG Free, Comodo Pro Firewall, and Spybot S&D, if that's any use.

I "think" it may be to do with me setting up Port Mapping, that's the only reason I can think of, as this sort of thing has never happened before.

Jabberwocky
18-04-2008, 20:08
I'm sorry if this is off topic a bit, but is that what they used to call a nuke? You used to go into chatrooms and be nuked?
I remember quite a few people mentioning things like that.

scarby
18-04-2008, 20:23
I'm sorry if this is off topic a bit, but is that what they used to call a nuke? You used to go into chatrooms and be nuked?
I remember quite a few people mentioning things like that.

I've not heard that term before, Jabs.
I don't even venture into any chatrooms either... I just don't understand. I was getting speeds of between 100kb/s and 200kb/s earlier, then I was getting 30 ish, then hardly any at all. I've blocked all IP addresses through the "Block Services" function in the router, so I'll see what happens.

adaline
18-04-2008, 20:45
I think it was called a nuke, back in the day one would nuke someone's mailbox by sending huge quantities of emails on to that address (aka mail bomb?)

scarby
18-04-2008, 21:11
I deleted the Port Forwarding bit that I originally setup, but still getting "new" attacks every so often. :huh:

Carl_Malibu
18-04-2008, 21:15
Report it to your ISP. Have you scanned your OS for viruses extensively? Nothing that might be tempting hackers to have a go at you? No rootkits or trojans installed?

scarby
18-04-2008, 21:20
Report it to your ISP. Have you scanned your OS for viruses extensively? Nothing that might be tempting hackers to have a go at you? No rootkits or trojans installed?

Double checked everything, and found nothing at all.
I'm gonna search for any way to resolve this, if I don't, then I shall report this to my ISP tomorrow.

Carl_Malibu
18-04-2008, 21:20
In fact, after some further thinking, possibly another thing to do is use www.samspade.org to find out which ISP they're using and contact /their/ ISP with your logs and report that they're DoSing you; with luck they'll be out of an internet connection. Probably just some script kiddies testing the latest release of "omg hack ppls computorz!" tbh.

Oh, and get some better antivirus. Go get a 30 day trial of NOD32 or Kaspersky. AVG Free is not reliable.

scarby
18-04-2008, 21:31
In fact, after some further thinking, possibly another thing to do is use www.samspade.org to find out which ISP they're using and contact /their/ ISP with your logs and report that they're DoSing you; with luck they'll be out of an internet connection. Probably just some script kiddies testing the latest release of "omg hack ppls computorz!" tbh.

Oh, and get some better antivirus. Go get a 30 day trial of NOD32 or Kaspersky. AVG Free is not reliable.

I've been using AVG Free for the past 4 years and not had any problems.
I did get Kaspersky a while ago, after experiencing a slight hiccup, although that showed nothing, so I reverted back to AVG Free.

The hiccup in question turned out to be a false alarm, just my computer overloaded with resource hogging software. I shall try the samspade thing, see if that works. :)

punk
18-04-2008, 21:41
Unless you've only posted snippets of the log, there is no cohesive pattern to suggest an attack; the majority of the log is made up of ping requests and comes from numerous IP addresses.

The number of IP addresses is telling. If it was a bot attack they would have just flooded you with traffic, the log would have filled with multiple hits from multiple sources in minutes (rather than a day) and you'd have lost internet connectivity. Contrary to popular belief, you can't use spoofed IP addresses to receive a return packet on a different subnet unless it's a man in the middle attack (ie: it's not useful for hacking someone, only for denial-of-service). Again, if it was a DoS attack you'd be looking at hundreds of hits in the space of seconds/minutes, so you can rule that out too.

I'd suggest it's just the volume of bit torrent traffic that's confused/panicked your router's firewall.
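An added example (not from anyone in this thread) that applies punk's test to entries in the router's own log format: parse each line, find the most entries any single source produced inside one sliding five-minute window, and check whether the "attacker" address is even a public host. The log excerpt is copied from the post above; the five-minute window and the function names are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# A few lines copied from the router log posted above, in the router's own format.
LOG = """\
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:10:43
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:09:56
[DOS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.5], Friday, Apr 18,2008 19:09:16
[Service blocked: ICMP_echo_req] from source 82.39.221.206, Friday, Apr 18,2008 18:55:15
[DOS attack: Smurf] attack packets in last 20 sec from ip [68.145.106.255], Friday, Apr 18,2008 17:49:47
[Service blocked: ICMP_echo_req] from source 82.39.221.206, Friday, Apr 18,2008 15:15:27
"""

EVENT_RE = re.compile(r"^\[([^\]]+)\]")                      # "[DOS attack: Smurf]"
IP_RE = re.compile(r"from (?:ip \[|source )(\d+(?:\.\d+){3})")  # both "from ip [x]" and "from source x"
TS_RE = re.compile(r", (\w{3} \d{1,2},\d{4} \d\d:\d\d:\d\d)$")  # "Apr 18,2008 19:10:43"

def parse_log(text):
    """Turn each log line into (event, source_ip, timestamp); lines with a truncated timestamp are skipped."""
    records = []
    for line in text.splitlines():
        ev, ip, ts = EVENT_RE.search(line), IP_RE.search(line), TS_RE.search(line)
        if ev and ts:
            stamp = datetime.strptime(ts.group(1), "%b %d,%Y %H:%M:%S")
            records.append((ev.group(1), ip.group(1) if ip else None, stamp))
    return records

def peak_per_source(records, window=timedelta(minutes=5)):
    """Most entries any single source produced inside one sliding window: a flood gives a large number, scattered pings give 1 or 2."""
    by_ip = defaultdict(list)
    for _, ip, stamp in records:
        if ip:
            by_ip[ip].append(stamp)
    peaks = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo = peak = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:   # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        peaks[ip] = peak
    return peaks

def describe_source(ip):
    """Sanity check before reporting anyone: a LAN or .255 address is a local client or a broadcast address, not an internet host."""
    if ip_address(ip).is_private:
        return "LAN address"
    if ip.endswith(".255"):
        return "broadcast-style address"
    return "public host"
```

On the full log above the same functions give peaks of 1 or 2 for every public source, which is the "no cohesive pattern" punk describes.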

scarby
18-04-2008, 21:52
No, that was all the log I got.
Maybe it could be the torrent program, although nothing is downloading at the moment. I just downloaded something via Opera (an 18MB file) and average speed was roughly 32kb/s, compared to my usual 200+ KB/s. :(

punk
18-04-2008, 21:56
No, that was all the log I got.
Maybe it could be the torrent program, although nothing is downloading at the moment. I just downloaded something via Opera (an 18MB file) and average speed was roughly 32kb/s, compared to my usual 200+ KB/s. :(

Is anything uploading? Torrent clients have a nasty habit of consuming all your upload if you don't limit them (which in turn can affect your download speed).

Carl_Malibu
18-04-2008, 21:58
The IP spoofing would suggest that it's a genuine DoS attack. I've been getting really slow internet on Virgin today due to a really slow server on the route that they send my internet out. Possibly related? If you're running XP Service Pack 2 go to www.lvllord.de and download the TCP/IP patcher, that may help too.

scarby
18-04-2008, 22:02
Is anything uploading? Torrent clients have a nasty habit of consuming all your upload if you don't limit them (which in turn can affect your download speed).

Well, it was uploading when I was downloading the stuff. Nothing's uploading now, though.

Carl: I'm on Virgin too, coincidence?

Carl_Malibu
18-04-2008, 22:11
Go into command prompt (go Start - Run - cmd.exe) and type "tracert google.com" and see what sort of ping you get on the servers. Anything more than 100ms is pretty bad.

scarby
18-04-2008, 22:22
The first few were well below 100ms, although the rest were far more than 100ms :confused:

Trying to upload a screenshot, taking its time as you'll guess......

scarby
18-04-2008, 22:39
http://i273.photobucket.com/albums/jj213/scarby1983/untitled.jpg

Here it is...............

Carl_Malibu
18-04-2008, 22:48
Well, your slow download speeds are almost definitely due to that. Damn Virgin. This isn't the first time!

scarby
18-04-2008, 22:53
Well, your slow download speeds are almost definitely due to that. Damn Virgin. This isn't the first time!

So nothing to worry about on the DoS side then?

BluePolo
18-04-2008, 23:17
I think you are worrying over nothing. The spoof IP addresses will be due to nothing more sinister than people using peer guardian to hide their address.

fnkysknky
18-04-2008, 23:49
Looks like hop 6 is overwhelmed, massive jumps in latency from then on. Probably due to Virgin being oversubscribed; it's been a while since I was on there though, so I can't confirm.
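An added example, not from the thread, of the check Carl and fnkysknky describe: parse Windows tracert output, take the best of the three probes for each hop, and report the first hop above 100 ms together with whether every later answering hop stays slow. The trace below is constructed to match the thread's description (slow from hop 6 onwards) using example addresses; it is not scarby's screenshot, and the 100 ms limit is Carl's rule of thumb.

```python
import re

# Constructed Windows tracert output shaped like the thread's description (hop 6 onwards slow).
# Addresses are documentation/example values, not the poster's real route.
SAMPLE = """\
Tracing route to google.com [198.51.100.99]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    10 ms     9 ms    11 ms  10.20.30.1
  3    12 ms    11 ms    12 ms  10.20.31.1
  4    14 ms    13 ms    14 ms  10.21.0.1
  5    15 ms    16 ms    14 ms  10.21.0.2
  6   180 ms   210 ms   195 ms  peer.example.invalid [203.0.113.9]
  7   185 ms   220 ms     *     203.0.113.10
  8   190 ms   205 ms   199 ms  198.51.100.99

Trace complete.
"""

# hop number, three probes ("<1 ms", "12 ms" or "*"), then the host/address column
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(\S.*)$")

def parse_tracert(text):
    """Return (hop, best_rtt_ms or None, target) for every hop line; None means no probe answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [int(x) for x in re.findall(r"<?(\d+) ms", m.group(2))]
        hops.append((int(m.group(1)), min(rtts) if rtts else None, m.group(3).strip()))
    return hops

def first_slow_hop(hops, limit_ms=100):
    """First hop whose best-of-three RTT exceeds limit_ms: (hop, best, previous hop's best, later hops all slow?).
    Best-of-three ignores one-off jitter; the last flag separates real congestion from a router
    that merely answers ICMP slowly while forwarding traffic fine (then later hops recover)."""
    prev = 0
    for i, (hop, best, _) in enumerate(hops):
        if best is None:
            continue  # nothing answered at this hop, so it cannot be judged
        if best > limit_ms:
            later = [b for _, b, _ in hops[i + 1:] if b is not None]
            return hop, best, prev, all(b > limit_ms for b in later)
        prev = best
    return None
```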

Mr Gav
19-04-2008, 03:34
Another thing to bear in mind when using torrent clients is your privacy.
This will block out the sources that can often slow your speeds.
Peerguardian2 (updated daily, and it's free)
http://phoenixlabs.org/pg2/

keepgreen2k
20-04-2008, 14:23
http://www.pentics.net/denial-of-service/white-papers/smurf.cgi