The last few days our network has been running extremely erratically, and our internet connection likes to shut off and renew itself every couple of minutes sometimes. In the router logs I get a lot of these:
[DoS Attack: ACK Scan] from source: 142.167.111.23, port 10793, Thursday, October 08,2009 17:45:30
[DoS Attack: RST Scan] from source: 68.103.148.45, port 25521, Thursday, October 08,2009 17:44:57
[DoS Attack: ACK Scan] from source: 142.167.111.23, port 10793, Thursday, October 08,2009 17:44:27
[DoS Attack: RST Scan] from source: 98.234.120.105, port 28726, Thursday, October 08,2009 17:44:25
...and so on.
Sometimes, I get repeated attacks on port 6112, which coincidentally is the port WC3 runs on (I play a lot of DotA). Other times it's random ports.
But a lot of times those random port scans are from the IPs of hosts in DotA games. Sometimes they're from all over the world. There are strange patterns, but often there's no pattern at all. When I forward that port, I get this during a DotA game:
[LAN access from remote] from 69.226.234.181:51007 to 192.168.1.14:6113, Thursday, October 08,2009 17:31:27
[LAN access from remote] from 99.20.133.39:29145 to 192.168.1.14:6113, Thursday, October 08,2009 17:31:24
[LAN access from remote] from 174.6.36.52:60535 to 192.168.1.14:6113, Thursday, October 08,2009 17:31:18
[LAN access from remote] from 207.224.238.66:63818 to 192.168.1.14:6113, Thursday, October 08,2009 17:31:14
[LAN access from remote] from 75.154.229.126:1676 to 192.168.1.14:6113, Thursday, October 08,2009 17:31:06
...which also leads to my router freaking out and renewing my IP. So playing DotA is out of the question. I don't get behavior like this during other games, but modern DotA hosting involves some rather shady software which does weird things to connections so I'm willing to believe the game is at fault.
I'm left to assume that these are causing our router to slow down, because whenever these scans happen most frequently is when our IP address likes to renew itself (and kick everyone off the internet for about a minute). I might be wrong.
I can't figure out if they're routine internet activity or malicious attacks. I also don't know if they're being coordinated (in which case it's either zombie machines or IP spoofing) or if the patterns I see are coincidence.
The Internet tells me that these port scans aren't effective on modern routers, but they like to occur on a port I have forwarded to my PC (6112 and 6113) which is properly firewalled. But I do know that our internet connection has been all but unusable for the last few days, with websites taking longer to load now than they did eight years ago on a 56k modem. Sometimes it's just fine for a stretch of 15 to 20 minutes. Other times it's worse than a dialup connection.
When I plug my PC right into the modem these issues stop, but that doesn't do much good for my roommates, who are all on wireless.
What the hell is going on here? Is it a coordinated DoS attack against me, personally? Is it an incidental attack caused by the outbreak of some kind of worm? Or is routine internet traffic causing my router to, for some reason, flip its shit? Or is this kind of activity not the sort of thing that could possibly cause this, implying some other reason for my connection being so shitty this last week?
Edit: It's a Netgear WPN824v3, if that helps. I've used the WPN824v2 for the last two years so I'm very familiar with the router, although the admin page moves a lot slower than I'm used to and has since we installed it. It takes forever to update anything.
Edit2: the plot thickens. Every time it tries to reconnect to the internet it does this:
[Internet connected] IP address: xx.xxx.xxx.xx, Thursday, October 08,2009 18:25:44
[Internet connected] IP address: 192.168.100.2, Thursday, October 08,2009 18:25:12
192.168.100.2 is never a valid IP address; it tries this one every time before snagging a valid one from Comcast about 30 seconds later. Because of the timeframe I suspect that this invalid IP has something to do with losing internet connectivity for a short time.
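
One way to check whether the scan entries actually cluster around the reconnects, as an added example that is not part of the original post: it parses the router log lines quoted in the post and counts scan entries per source and in the window before each [Internet connected] entry. The function names and the 5-minute default window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Lines copied from the post above; the masked WAN address is kept as posted.
SAMPLE_LOG = """\
[DoS Attack: ACK Scan] from source: 142.167.111.23, port 10793, Thursday, October 08,2009 17:45:30
[DoS Attack: RST Scan] from source: 68.103.148.45, port 25521, Thursday, October 08,2009 17:44:57
[DoS Attack: ACK Scan] from source: 142.167.111.23, port 10793, Thursday, October 08,2009 17:44:27
[DoS Attack: RST Scan] from source: 98.234.120.105, port 28726, Thursday, October 08,2009 17:44:25
[LAN access from remote] from 69.226.234.181:51007 to 192.168.1.14:6113, Thursday, October 08,2009 17:31:27
[Internet connected] IP address: xx.xxx.xxx.xx, Thursday, October 08,2009 18:25:44
[Internet connected] IP address: 192.168.100.2, Thursday, October 08,2009 18:25:12
"""

LINE_RE = re.compile(r"^\[(?P<event>[^\]]+)\]\s*(?P<detail>.*?),\s*\w+day, "
                     r"(?P<ts>\w+ \d{2},\d{4} \d{2}:\d{2}:\d{2})\s*$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse(log):
    """Return (timestamp, event, first IP in the entry or None), oldest first."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ip = IP_RE.search(m["detail"])
        ts = datetime.strptime(m["ts"], "%B %d,%Y %H:%M:%S")
        rows.append((ts, m["event"], ip.group() if ip else None))
    return sorted(rows, key=lambda r: r[0])

def scans_per_source(rows):
    """Count 'DoS Attack' entries per source address."""
    return Counter(ip for _, ev, ip in rows if ev.startswith("DoS Attack"))

def scans_before_reconnects(rows, window_s=300):
    """For each 'Internet connected' entry, count scan entries in the prior window."""
    scans = [ts for ts, ev, _ in rows if ev.startswith("DoS Attack")]
    out = {}
    for ts, ev, _ in rows:
        if ev == "Internet connected":
            start = ts - timedelta(seconds=window_s)
            out[ts] = sum(start <= s <= ts for s in scans)
    return out

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(scans_per_source(rows).most_common())
    print(scans_before_reconnects(rows))
```

Run over a full export of the router log, a count near zero before most reconnects would mean the scan entries and the drops are not moving together.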