Help - DOS attack

**therox** · 28-10-2011, 10:50 AM

I've got a netgear DG834 router with a SmoothWall box behind it managing a VPN.

I keep getting attacked by what the Netgear router thinks is a DOS attack. The biggest attacks occur in the mornings which result in disconnection from the internet. I've got 8 static IP addresses and as you can see from the log, all 8 are being tested using different ports.

There's more than one attacker;

The IP address of one attacker is in spamhaus blacklist for spam and seems to originate from France. When I try the IP in a web browser using HTTPS, I get a Microsoft Exchange 2003 webmail login page. If I try the IP in Remote Desktop, I get a Windows Server 2003 login screen.

Another IP address originates from England and is listed in an offensive database for "Unserviced Port Request or part of a DDOS attack".

I replaced the router with another netgear DG834 but it also disconnects from the internet during the attack. I also tried replacing it with a Draytek 2820n but this router completely crashes during the attack.

Please can anyone suggest anything?

**therox** · 28-10-2011, 10:53 AM

I've edited out the first part of my IP address for security reasons. I can post more logs if requested

Sat, 2011-10-22 14:43:57 - TCP Packet - Source:68.171.16.17,1411 Destination:00.00.00.235,5903 - [DOS]
Sat, 2011-10-22 14:43:58 - TCP Packet - Source:68.171.16.17,1443 Destination:00.00.00.235,5907 - [DOS]
Sat, 2011-10-22 14:43:58 - TCP Packet - Source:68.171.16.17,1463 Destination:00.00.00.235,5910 - [DOS]
Sat, 2011-10-22 14:43:58 - TCP Packet - Source:68.171.16.17,1457 Destination:00.00.00.235,5909 - [DOS]
Sat, 2011-10-22 14:43:58 - TCP Packet - Source:68.171.16.17,1517 Destination:00.00.00.236,5906 - [DOS]
Sat, 2011-10-22 14:43:58 - TCP Packet - Source:68.171.16.17,1525 Destination:00.00.00.236,5907 - [DOS]
Sat, 2011-10-22 14:43:58 - TCP Packet - Source:68.171.16.17,1554 Destination:00.00.00.236,5910 - [DOS]
Sat, 2011-10-22 14:43:58 - TCP Packet - Source:68.171.16.17,1563 Destination:00.00.00.237,5900 - [DOS]
Sat, 2011-10-22 14:43:58 - TCP Packet - Source:68.171.16.17,1603 Destination:00.00.00.237,5905 - [DOS]
Sat, 2011-10-22 14:43:58 - TCP Packet - Source:68.171.16.17,1636 Destination:00.00.00.237,5909 - [DOS]
Sat, 2011-10-22 14:43:58 - TCP Packet - Source:68.171.16.17,1655 Destination:00.00.00.238,5901 - [DOS]
Sat, 2011-10-22 14:43:59 - TCP Packet - Source:68.171.16.17,1700 Destination:00.00.00.238,5906 - [DOS]
Sat, 2011-10-22 14:43:59 - TCP Packet - Source:68.171.16.17,1737 Destination:00.00.00.239,5900 - [DOS]
Sat, 2011-10-22 14:43:59 - TCP Packet - Source:68.171.16.17,1745 Destination:00.00.00.239,5901 - [DOS]
Sat, 2011-10-22 14:43:59 - TCP Packet - Source:68.171.16.17,1759 Destination:00.00.00.239,5903 - [DOS]
Sat, 2011-10-22 14:43:59 - TCP Packet - Source:68.171.16.17,1784 Destination:00.00.00.239,5906 - [DOS]
Sat, 2011-10-22 14:49:31 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,135 - [DOS]
Sat, 2011-10-22 14:49:31 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,445 - [DOS]
Sat, 2011-10-22 14:49:31 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,445 - [DOS]
Sat, 2011-10-22 14:49:31 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,1433 - [DOS]
Sat, 2011-10-22 14:49:31 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,1433 - [DOS]
Sat, 2011-10-22 15:45:50 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,445 - [DOS]
Sat, 2011-10-22 15:45:50 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,1433 - [DOS]
Sat, 2011-10-22 15:45:50 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,135 - [DOS]
Sat, 2011-10-22 15:45:50 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,445 - [DOS]
Sat, 2011-10-22 15:45:50 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,1433 - [DOS]
Sat, 2011-10-22 21:49:41 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,135 - [DOS]
Sat, 2011-10-22 21:49:41 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,445 - [DOS]
Sat, 2011-10-22 21:49:41 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,1433 - [DOS]
Sat, 2011-10-22 21:49:41 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,445 - [DOS]
Sat, 2011-10-22 21:49:41 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,1433 - [DOS]
Sun, 2011-10-23 01:40:32 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,445 - [DOS]
Sun, 2011-10-23 01:40:32 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,135 - [DOS]
Sun, 2011-10-23 01:40:32 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,445 - [DOS]
Sun, 2011-10-23 01:40:32 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,1433 - [DOS]
Sun, 2011-10-23 01:40:32 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,1433 - [DOS]
Sun, 2011-10-23 02:48:49 - TCP Packet - Source:72.71.49.20,37694 Destination:00.00.00.238,22 - [DOS]
Sun, 2011-10-23 02:48:49 - TCP Packet - Source:72.71.49.20,37695 Destination:00.00.00.239,22 - [DOS]
Sun, 2011-10-23 04:10:13 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,445 - [DOS]
Sun, 2011-10-23 04:10:13 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,135 - [DOS]
Sun, 2011-10-23 04:10:13 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,445 - [DOS]
Sun, 2011-10-23 04:10:13 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,1433 - [DOS]
Sun, 2011-10-23 04:10:13 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,1433 - [DOS]
Sun, 2011-10-23 08:00:45 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,135 - [DOS]
Sun, 2011-10-23 08:00:45 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,445 - [DOS]
Sun, 2011-10-23 08:00:45 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,1433 - [DOS]
Sun, 2011-10-23 08:00:45 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,445 - [DOS]
Sun, 2011-10-23 08:00:45 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,1433 - [DOS]
Sun, 2011-10-23 11:56:00 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,135 - [DOS]
Sun, 2011-10-23 11:56:00 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,445 - [DOS]
Sun, 2011-10-23 11:56:00 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,445 - [DOS]
Sun, 2011-10-23 11:56:00 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,1433 - [DOS]
Sun, 2011-10-23 11:56:00 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,1433 - [DOS]
Sun, 2011-10-23 13:52:38 - TCP Packet - Source:94.169.235.159 Destination:00.00.00.233 - [PORT SCAN]
Sun, 2011-10-23 15:33:49 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,135 - [DOS]
Sun, 2011-10-23 15:33:49 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,445 - [DOS]
Sun, 2011-10-23 15:33:49 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,445 - [DOS]
Sun, 2011-10-23 15:33:49 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,1433 - [DOS]
Sun, 2011-10-23 15:33:49 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,1433 - [DOS]
Sun, 2011-10-23 19:18:23 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,445 - [DOS]
Sun, 2011-10-23 19:18:23 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,1433 - [DOS]
Sun, 2011-10-23 19:18:23 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,135 - [DOS]
Sun, 2011-10-23 19:18:23 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,445 - [DOS]
Sun, 2011-10-23 19:18:23 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,1433 - [DOS]
Mon, 2011-10-24 02:25:54 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,135 - [DOS]
Mon, 2011-10-24 02:25:54 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,445 - [DOS]
Mon, 2011-10-24 02:25:54 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,1433 - [DOS]
Mon, 2011-10-24 02:25:54 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,1433 - [DOS]
Mon, 2011-10-24 02:25:54 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,445 - [DOS]
Mon, 2011-10-24 03:02:07 - TCP Packet - Source:221.215.106.147,17347 Destination:00.00.00.239,4899 - [DOS]
Mon, 2011-10-24 04:51:11 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,135 - [DOS]
Mon, 2011-10-24 04:51:11 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,445 - [DOS]
Mon, 2011-10-24 04:51:11 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,445 - [DOS]
Mon, 2011-10-24 04:51:11 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,1433 - [DOS]
Mon, 2011-10-24 04:51:11 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,1433 - [DOS]
Mon, 2011-10-24 05:51:08 - TCP Packet - Source:62.193.228.154,59503 Destination:00.00.00.232,5910 - [DOS]
Mon, 2011-10-24 05:51:08 - TCP Packet - Source:62.193.228.154,59507 Destination:00.00.00.233,5900 - [DOS]
Mon, 2011-10-24 05:51:08 - TCP Packet - Source:62.193.228.154,59509 Destination:00.00.00.233,5901 - [DOS]
Mon, 2011-10-24 05:51:08 - TCP Packet - Source:62.193.228.154,59515 Destination:00.00.00.233,5903 - [DOS]
Mon, 2011-10-24 05:51:08 - TCP Packet - Source:62.193.228.154,59520 Destination:00.00.00.233,5904 - [DOS]
Mon, 2011-10-24 05:51:08 - TCP Packet - Source:62.193.228.154,59525 Destination:00.00.00.233,5906 - [DOS]
Mon, 2011-10-24 05:51:08 - TCP Packet - Source:62.193.228.154,59543 Destination:00.00.00.234,5901 - [DOS]
Mon, 2011-10-24 05:51:08 - TCP Packet - Source:62.193.228.154,59561 Destination:00.00.00.234,5907 - [DOS]
Mon, 2011-10-24 05:51:08 - TCP Packet - Source:62.193.228.154,59581 Destination:00.00.00.235,5903 - [DOS]
Mon, 2011-10-24 05:51:09 - TCP Packet - Source:62.193.228.154,59599 Destination:00.00.00.235,5909 - [DOS]
Mon, 2011-10-24 05:51:09 - TCP Packet - Source:62.193.228.154,59621 Destination:00.00.00.236,5905 - [DOS]
Mon, 2011-10-24 05:51:09 - TCP Packet - Source:62.193.228.154,59639 Destination:00.00.00.237,5900 - [DOS]
Mon, 2011-10-24 05:51:09 - TCP Packet - Source:62.193.228.154,59659 Destination:00.00.00.237,5907 - [DOS]
Mon, 2011-10-24 05:51:09 - TCP Packet - Source:62.193.228.154,59677 Destination:00.00.00.238,5902 - [DOS]
Mon, 2011-10-24 05:51:09 - TCP Packet - Source:62.193.228.154,59695 Destination:00.00.00.238,5908 - [DOS]
Mon, 2011-10-24 05:51:09 - TCP Packet - Source:62.193.228.154,59717 Destination:00.00.00.239,5904 - [DOS]
Mon, 2011-10-24 05:51:09 - TCP Packet - Source:62.193.228.154,59735 Destination:00.00.00.239,5910 - [DOS]
Mon, 2011-10-24 05:51:11 - TCP Packet - Source:62.193.228.154,59501 Destination:00.00.00.232,5909 - [DOS]
Mon, 2011-10-24 05:51:11 - TCP Packet - Source:62.193.228.154,59503 Destination:00.00.00.232,5910 - [DOS]
Mon, 2011-10-24 05:51:11 - TCP Packet - Source:62.193.228.154,59507 Destination:00.00.00.233,5900 - [DOS]
Mon, 2011-10-24 05:51:11 - TCP Packet - Source:62.193.228.154,59509 Destination:00.00.00.233,5901 - [DOS]
Mon, 2011-10-24 05:51:11 - TCP Packet - Source:62.193.228.154,59515 Destination:00.00.00.233,5903 - [DOS]
Mon, 2011-10-24 05:51:11 - TCP Packet - Source:62.193.228.154,59521 Destination:00.00.00.233,5905 - [DOS]
Mon, 2011-10-24 05:51:11 - TCP Packet - Source:62.193.228.154,59539 Destination:00.00.00.234,5900 - [DOS]
Mon, 2011-10-24 05:51:11 - TCP Packet - Source:62.193.228.154,59561 Destination:00.00.00.234,5907 - [DOS]
Mon, 2011-10-24 05:51:11 - TCP Packet - Source:62.193.228.154,59586 Destination:00.00.00.235,5904 - [DOS]
Mon, 2011-10-24 05:51:12 - TCP Packet - Source:62.193.228.154,59599 Destination:00.00.00.235,5909 - [DOS]
Mon, 2011-10-24 05:51:12 - TCP Packet - Source:62.193.228.154,59621 Destination:00.00.00.236,5905 - [DOS]
Mon, 2011-10-24 05:51:12 - TCP Packet - Source:62.193.228.154,59639 Destination:00.00.00.237,5900 - [DOS]
Mon, 2011-10-24 05:51:12 - TCP Packet - Source:62.193.228.154,59659 Destination:00.00.00.237,5907 - [DOS]
Mon, 2011-10-24 05:51:12 - TCP Packet - Source:62.193.228.154,59677 Destination:00.00.00.238,5902 - [DOS]
Mon, 2011-10-24 05:51:12 - TCP Packet - Source:62.193.228.154,59695 Destination:00.00.00.238,5908 - [DOS]
Mon, 2011-10-24 05:51:12 - TCP Packet - Source:62.193.228.154,59717 Destination:00.00.00.239,5904 - [DOS]
Mon, 2011-10-24 05:51:12 - TCP Packet - Source:62.193.228.154,59731 Destination:00.00.00.239,5909 - [DOS]
Mon, 2011-10-24 06:10:32 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,445 - [DOS]
Mon, 2011-10-24 06:10:32 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.235,1433 - [DOS]
Mon, 2011-10-24 06:10:32 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,135 - [DOS]
Mon, 2011-10-24 06:10:32 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,445 - [DOS]
Mon, 2011-10-24 06:10:32 - TCP Packet - Source:213.246.181.180,6000 Destination:00.00.00.234,1433 - [DOS]
Mon, 2011-10-24 06:58:43 - LCP down.
Mon, 2011-10-24 06:58:50 - Initialize LCP.
Mon, 2011-10-24 06:58:51 - LCP is allowed to come up.
Mon, 2011-10-24 06:59:51 - Initialize LCP.
Mon, 2011-10-24 06:59:51 - LCP is allowed to come up.
Mon, 2011-10-24 07:00:52 - Initialize LCP.
Mon, 2011-10-24 07:00:52 - LCP is allowed to come up.
Mon, 2011-10-24 07:01:53 - Initialize LCP.
Mon, 2011-10-24 07:01:53 - LCP is allowed to come up.
Mon, 2011-10-24 07:02:53 - Initialize LCP.
Mon, 2011-10-24 07:02:53 - LCP is allowed to come up.
Mon, 2011-10-24 07:03:54 - Initialize LCP.
Mon, 2011-10-24 07:03:54 - LCP is allowed to come up.
Mon, 2011-10-24 07:04:55 - Initialize LCP.
Mon, 2011-10-24 07:04:55 - LCP is allowed to come up.
Mon, 2011-10-24 07:05:55 - Initialize LCP.
Mon, 2011-10-24 07:05:55 - LCP is allowed to come up.
Mon, 2011-10-24 07:06:56 - Initialize LCP.
Mon, 2011-10-24 07:06:56 - LCP is allowed to come up.
Mon, 2011-10-24 07:07:57 - Initialize LCP.
Mon, 2011-10-24 07:07:57 - LCP is allowed to come up.
Mon, 2011-10-24 07:34:41 - Administrator login successful - IP:00.00.00.233
Mon, 2011-10-24 07:34:59 - Initialize LCP.
Mon, 2011-10-24 07:34:59 - LCP is allowed to come up.

**kalniel** · 28-10-2011, 10:55 AM

What did your ISP say?

**shaithis** · 28-10-2011, 10:56 AM

Did you configure the "DoS defense Setup" section of the Draytek?

**Jay** · 28-10-2011, 11:17 AM

turn off your router for 24 hours. They will then stop. Also make sure you don't allow ping replys so they can't tell if you are up or down.

If you torrent i would stop doing that for a while as well as I think thye just look for IPs and hit them.

**peterb** · 28-10-2011, 12:05 PM

213.246.181.180 is a secure VOIP server in the UK

62.193.228.154 is based in France

I haven't decoded the rest. Port 6000 is generally used for X-windows.

These occurrences though are typical of opportunist ip probes, tresting for exploitable vulnerabilities. If you are behind a NAT firewall, and you haven't opened any ports for port forwarding, then, unless you are being particularly targeted, it is nothing to worry about.

If you are using a router (like the Drayteks) with DoS detection/protection enabled, then you will get these reports. If you have protection enabled, it can also affect services like Skype.

But tbh, it is probably just internet business as usual.

**smargh** · 28-10-2011, 05:04 PM

Disable DoS detection. It only serves to be annoying & sometimes scaremongering - this kind of thing is a normal part of background radiation on the internets.

**therox** · 28-10-2011, 07:27 PM

Originally Posted by kalniel

What did your ISP say?

I'm waiting for a response and will let you know

Originally Posted by shaithis

Did you configure the "DoS defense Setup" section of the Draytek?

I cant remember if I did or not. I've already reset its settings and set it up for another broadband line so I cant check.

Originally Posted by Jay

turn off your router for 24 hours. They will then stop. Also make sure you don't allow ping replys so they can't tell if you are up or down.

If you torrent i would stop doing that for a while as well as I think thye just look for IPs and hit them.

I cant switch it off for that long, it for a business and they'd go nuts.

Originally Posted by smargh

Disable DoS detection. It only serves to be annoying & sometimes scaremongering - this kind of thing is a normal part of background radiation on the internets.

I thought about disabling DoS detection earlier actually and I'll try that next. There's another firewall behind the router anyway which should be more stable against attacks.

I fully understand that attacks are normal, thats not the problem. The problem is that the attacks are so severe that the router disconnects itself from the internet. This happens at least 3 times a week and I've tried it with 3 different routers. If it was my router at home I'd be ok with it but its for a business and the staff are going nuts at me.

**kalniel** · 28-10-2011, 07:33 PM

It's for an internet critical business and they're using a netgear home router? If ISP gives you the all clear maybe get some more serious hardware.

**therox** · 28-10-2011, 07:43 PM

Yes I bought the Draytek router which is for small and medium enterprises and the reviews I read were very good but it performed worse than the Netgear during the attack.

**gss03** · 28-10-2011, 08:11 PM

In what way did the Draytek perform worse?

I've used drayteks for years now (Vigor 2600, 2800, 2700, 2820) and never and issues with any of them.

**therox** · 28-10-2011, 08:20 PM

As I said in my original post, the Draytek 2820n completely crashes during the attack. I have to unplug the power and plug in back in. I've tried it with the latest firmware as well.

The netgear doesn't crash, it just disconnects itself so I have to login and click 'connect'. Under normal circumstances it connects automatically but after the attack its affected in some way.

**mycarsavw** · 31-10-2011, 12:01 PM

Which version of Smoothwall are you running?

If it's Express, install this mod

[3.0] Active IP Block MOD V1.0

Block for 6mo after 3 'attacks'.

Check the autoblock IPs regularly.

Thread: Help - DOS attack

LinkBack

Thread Tools

Help - DOS attack

Re: Help - DOS attack

Re: Help - DOS attack

Re: Help - DOS attack

Re: Help - DOS attack

Re: Help - DOS attack

Re: Help - DOS attack

Re: Help - DOS attack

Re: Help - DOS attack

Re: Help - DOS attack

Re: Help - DOS attack

Re: Help - DOS attack

Re: Help - DOS attack

Thread Information

Users Browsing this Thread

Similar Threads

My router is getting hammered with DOS attacks

Slow Internet, Logs say DOS attacks, or am I just getting throttled?

One man DoS/ bandwidth vampire attack?

Attack site safeguard from google???

Agility, Strength, Defense and Attack Power

Posting Permissions