Solved

DoS attack from within a Home Network

Posted on 2004-04-21
10
826 Views
Last Modified: 2006-11-17
We have had a home network behind a NetGear router into a Cable Modem for about 2 years without incident.  Last week the network appearred to go down.  Reset router and "down" again in about 10 minutes.  Replaced router with 2 others - same problem.  Replaced Cable modem - same problem.  Noticed some machines generating a large number (>50,000) packets when "nothing" running (no IE, Outlook, etc).  When these machines are taken off network, other machines access the internet normally.  Do I have a DoS virus on these machines?  BTW, when I attach one offending machine directly to cable modem, all is well - no excessive packets, etc.
0
Comment
Question by:harlanh
10 Comments
 
LVL 1

Expert Comment

by:ma14dmin
ID: 10879828
If connecting the offending computers to the cable modem stops the packet storm then I wouldnt have thought you have a problem with a virus. It sounds like the problem is between the router and the computers on the network, and my guess is its a routing problem. Check there are no loop-backs in the network. Also are you using any VPN protocols and when the computer is connected directly to the cable modem can it access the internet. Failing this my guess is that two (or more) of your internal computers are communicating about something, if you disconnect all but one of the offending machines what happens?
0
 
LVL 3

Expert Comment

by:shaggyb
ID: 10882559
could be a bunch of broadcast packets....somthing like netbios.............



my recomendation is to get a packet sniffer and see whats going on..... recomend iris


http://www.firewall.cx/downloads/packet-sniff/iris%20v3.7.zip


check that...should have a 30 day trial on it.....

you will be able to see if those packets are port 137 (netbios)
0
 
LVL 12

Expert Comment

by:aindelicato
ID: 10882797
Harlahn,

At a command prompt, run ARP -A ... this displays the ARP table of exsiting connections, are there any MAC addresses that are duplicated ?  If so, your Network card may be bad, if you have a spare network card, try that in the offending PC.

Reset your IP addresses and startup the offending machine in SafeMode w/ Network Support (assuming it's XP)

See if it causes the collisions and kills the LAN.


Also, is there a switch or hub between the machines and the router? or do the machines plug into the router?

If there is a switch or hub, it could be a faulty port.

0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 23

Expert Comment

by:Tim Holman
ID: 10883498
To doubly make sure the virus has gone:

Run another Virus scan (this one's online)

http://housecall.trendmicro.com/

Plus try STINGER from NAI -

http://vil.nai.com/vil/stinger/

..then install and run HiJackThis -

http://www.spychecker.com/program/hijackthis.html

Also post up netstat -an to see if your PCs generating a lot of connections it shouldn't.

Otherwise, probably normal behaviour and your connection's just 'slow'... ?
0
 

Author Comment

by:harlanh
ID: 10887440
Thank you all for your hints and guidance.  A virus scan of the worst and most critical machine revealed 7 infections which have been quarantined.  For other offending machines, we have cleared each HD and restored the OS.  I suppose this is one advantage to having documents centrally located and running client machines with a standard set of software (office, IE, etc).

Unfortunately, I am not on the home site and am doing most of this second hand.  I will attempt to discover what 7 viruses were found and seek your opinion as to which might have caused this behavior.
0
 
LVL 1

Expert Comment

by:bluedragon99
ID: 10894300
Probably ICMP traffic (virus looking for another host).
0
 

Expert Comment

by:SUKHOI_Flanker
ID: 10900836
if your have SQL server installed on a machine and it is visible from the external network (internet), it would have caught the virus slammer, so search for a removal of this worm and then install a patch for it

if it is not the case, install a sniffer on a machine wich is sending the large amount of data, and copy/paste here some sample lignes of the capture.
0
 
LVL 4

Accepted Solution

by:
kruptos earned 500 total points
ID: 10902801
I have had a similer experiance in my company network a few months back.

What we discovered is that a virus got into our network and infected a PC that did not seem to have virus protection.. This virus then started pinging random ip addresses, even ones that were not even inside our subnet and dident exist. What happend is that the DSL router we had would drop every 15 minutes or so because it was trying to keep up with the processing of the packets...basicly it overflowed the buffer in the router memory...


I would recommend getting ethereal and sniffing to see if there is similar activity going on....you may also be able to console into your router and view the NAT tables translations and current activity..this may give you your answer.

Hope this helps!!!
0
 

Expert Comment

by:SUKHOI_Flanker
ID: 10903340
generally the random IP requests are caused by slammer virus, wich infect SQL server and sends paquets to random IP adresses on port 1433 (ms-sql) (about 200 paquets per second), it's the behavior of that worm to propagate, so if u have sql server , install the service pack 3a and also apply the latest patch for it,

your network will be safe
0
 
LVL 4

Expert Comment

by:kruptos
ID: 10903611
now im starting to remember more... it wasent slammer but ot was trying to scan for hosts with ports 135-139 netbiod ports.... cant remember whick virus it was..but i do remember that..
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Event 4625 - Account Name: _ 3 47
Review of a VPN cert policy 4 43
exchange, activesync 2 46
Schannel error 70 on Exchange CAS and Mailbox servers 4 30
In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question