
Solved

I think my network is under attack, help!

Posted on 2006-06-17
Last Modified: 2012-05-05
Here is my primary question: What is most likely behind my loss of internet service?

Secondary question: the router log obviously shows some shady activity going on. BUT -- is this a result of using the torrent p2p (Azureus) software? It connects to many different people to upload/download files... does my router mistake those p2p connections as port sniffers / "TCP SYN" ???

===================================
My network and internet have been working fine now for some time. However... I recently became interested in "torrents" and made one change to my router's settings to allow my torrent p2p software to correctly work. That change was to my port forwarding rules... I set the router to forward all port-49201 requests to my desktop computer (named BluePC for reference) to ensure everything works fine. I reset the router to its factory default settings before making this change due to some issues that arose... but I have made sure everything is set the way it should be.

Since making those changes, my network loses internet connectivity roughly about once or twice a day... usually at night. My cable modem's lights are always showing just fine, everything is OK... however, when I try to access my router settings from my desktop BluePC during this loss of internet, I am unable to connect. It will not load the router admin page at all. I have not determined whether or not other computers on the network can connect to the router admin page during these downtime periods... however, I do know that they CANNOT access the internet.

To fix the problem, I simply unplug the router for a moment and plug it back in. Once it loads up, everything is back to normal. I hope this is enough background info. If not, please let me know.

Also, a few of my router settings --  
--the firewall that "blocks ICMP commands" is *disabled*
--virtual DMZ is *disabled*
--no ports are forwarded aside from 49201
--BluePC's local network IP is 192.168.2.187

=======================================================================

***DEVICE LOG***
---note that all of those MANY "login failed" msgs are not caused by me... I am not that stupid lol :)
---also note that it is hard for me to use my router admin web page because it logs me out every so often, almost like the session gets killed... it never used to do that.

2006/06/16 20:00:40 192.168.2.187 login failed
2006/06/16 20:00:40 192.168.2.187 login failed
2006/06/16 20:02:08 ** TCP SYN Flooding ** <IP/TCP> 58.99.96.23:4720 ->> 192.168.2.187:49201
2006/06/16 20:04:12 ** TCP SYN Flooding ** <IP/TCP> 61.173.123.47:3417 ->> 192.168.2.187:49201
2006/06/16 20:05:21 192.168.2.187 login failed
2006/06/16 20:05:21 192.168.2.187 login failed
2006/06/16 20:05:21 192.168.2.187 login failed
2006/06/16 20:06:02 ** TCP SYN Flooding ** <IP/TCP> 222.67.207.249:2493 ->> 192.168.2.187:49201
2006/06/16 20:10:21 192.168.2.187 login failed
2006/06/16 20:10:21 192.168.2.187 login failed
2006/06/16 20:10:21 192.168.2.187 login failed
2006/06/16 20:10:30 ** TCP SYN Flooding ** <IP/TCP> 222.90.215.243:4093 ->> 192.168.2.187:49201
2006/06/16 20:12:15 ** TCP SYN Flooding ** <IP/TCP> 221.202.105.30:4943 ->> 192.168.2.187:49201
2006/06/16 20:13:42 192.168.2.187 login failed
2006/06/16 20:13:42 192.168.2.187 login failed
2006/06/16 20:13:43 192.168.2.187 login failed
2006/06/16 20:13:43 ** TCP SYN Flooding ** <IP/TCP> 221.202.105.30:3212 ->> 192.168.2.187:49201
2006/06/16 20:18:42 192.168.2.187 login failed
2006/06/16 20:18:42 192.168.2.187 login failed
2006/06/16 20:18:42 192.168.2.187 login failed
2006/06/16 20:23:42 192.168.2.187 login failed
2006/06/16 20:23:42 192.168.2.187 login failed
2006/06/16 20:23:42 192.168.2.187 login failed
2006/06/16 20:28:42 192.168.2.187 login failed
2006/06/16 20:28:42 192.168.2.187 login failed
2006/06/16 20:28:42 192.168.2.187 login failed
2006/06/16 20:33:42 192.168.2.187 login failed
2006/06/16 20:33:42 192.168.2.187 login failed
2006/06/16 20:33:42 192.168.2.187 login failed
2006/06/16 20:38:42 192.168.2.187 login failed
2006/06/16 20:38:42 192.168.2.187 login failed
2006/06/16 20:38:42 192.168.2.187 login failed
2006/06/16 20:43:42 192.168.2.187 login failed
2006/06/16 20:43:42 192.168.2.187 login failed
2006/06/16 20:43:42 192.168.2.187 login failed
2006/06/16 20:48:42 192.168.2.187 login failed
2006/06/16 20:48:42 192.168.2.187 login failed
2006/06/16 20:48:43 192.168.2.187 login failed
2006/06/16 20:50:53 System time synchronized with 207.46.232.189
2006/06/16 20:50:56 System time synchronized with 207.46.232.189
2006/06/16 20:51:00 192.168.2.187 login failed
2006/06/16 20:51:00 192.168.2.187 login failed
2006/06/16 20:51:00 192.168.2.187 login failed
2006/06/16 20:52:01 192.168.2.187 login failed
2006/06/16 20:52:40 192.168.2.187 login failed
2006/06/16 20:52:40 192.168.2.187 login failed
2006/06/16 20:52:40 192.168.2.187 login failed
2006/06/16 20:54:03 192.168.2.187 login failed
2006/06/16 20:54:03 192.168.2.187 login failed
2006/06/16 20:54:03 192.168.2.187 login failed
2006/06/16 20:56:54 192.168.2.187 login failed
2006/06/16 20:56:55 192.168.2.187 login failed
2006/06/16 20:56:55 192.168.2.187 login failed
2006/06/16 20:57:57 192.168.2.187 login failed
2006/06/16 20:58:00 192.168.2.187 login failed
2006/06/16 20:58:00 192.168.2.187 login failed
2006/06/16 20:58:00 192.168.2.187 login failed
2006/06/16 20:58:01 192.168.2.187 login failed
2006/06/16 20:58:01 192.168.2.187 login failed
2006/06/16 20:58:01 192.168.2.187 login failed
2006/06/16 21:02:04 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:02:06 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:02:21 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:02:46 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:03:00 192.168.2.187 login failed
2006/06/16 21:03:00 192.168.2.187 login failed
2006/06/16 21:03:00 192.168.2.187 login failed
2006/06/16 21:03:29 ** Port Scan ** Port scanning from 58.33.185.3 detected
2006/06/16 21:03:51 ** Port Scan ** Port scanning from 83.149.104.33 detected
2006/06/16 21:04:13 ** Port Scan ** Port scanning from 64.92.165.133 detected
2006/06/16 21:04:24 ** Port Scan ** Port scanning from 218.40.140.19 detected
2006/06/16 21:04:36 ** Port Scan ** Port scanning from 219.207.114.160 detected
2006/06/16 21:05:25 ** Port Scan ** Port scanning from 219.144.110.130 detected
2006/06/16 21:06:23 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 21:06:44 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 21:06:50 ** Port Scan ** Port scanning from 70.174.110.251 detected
2006/06/16 21:07:00 ** Port Scan ** Port scanning from 83.23.99.71 detected
2006/06/16 21:07:34 ** Port Scan ** Port scanning from 60.20.50.241 detected
2006/06/16 21:08:00 192.168.2.187 login failed
2006/06/16 21:08:00 192.168.2.187 login failed
2006/06/16 21:08:00 192.168.2.187 login failed
2006/06/16 21:08:05 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:09:08 ** Port Scan ** Port scanning from 70.178.54.231 detected
2006/06/16 21:09:47 ** Port Scan ** Port scanning from 58.9.38.32 detected
2006/06/16 21:10:26 ** Port Scan ** Port scanning from 219.75.6.199 detected
2006/06/16 21:10:50 ** TCP SYN Flooding ** <IP/TCP> 219.144.216.245:4940 ->> 192.168.2.187:49201
2006/06/16 21:11:55 ** Port Scan ** Port scanning from 82.32.46.141 detected
2006/06/16 21:13:00 192.168.2.187 login failed
2006/06/16 21:13:00 192.168.2.187 login failed
2006/06/16 21:13:00 192.168.2.187 login failed
2006/06/16 21:15:48 ** Port Scan ** Port scanning from 218.44.249.116 detected
2006/06/16 21:16:08 ** TCP SYN Flooding ** <IP/TCP> 61.48.9.4:1298 ->> 192.168.2.187:49201
2006/06/16 21:16:21 ** Port Scan ** Port scanning from 218.19.155.39 detected
2006/06/16 21:17:07 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:17:14 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:17:18 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:17:29 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:17:42 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 21:17:59 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:18:00 192.168.2.187 login failed
2006/06/16 21:18:00 192.168.2.187 login failed
2006/06/16 21:18:00 192.168.2.187 login failed
2006/06/16 21:19:21 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:19:32 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:20:02 ** Port Scan ** Port scanning from 206.54.148.19 detected
2006/06/16 21:20:34 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:20:41 ** Port Scan ** Port scanning from 64.34.176.85 detected
2006/06/16 21:20:47 ** Port Scan ** Port scanning from 64.34.176.85 detected
2006/06/16 21:20:51 ** Port Scan ** Port scanning from 64.34.176.85 detected
2006/06/16 21:20:53 ** Port Scan ** Port scanning from 64.34.176.85 detected
2006/06/16 21:21:06 ** Port Scan ** Port scanning from 64.34.176.85 detected
2006/06/16 21:21:14 ** Port Scan ** Port scanning from 58.99.96.23 detected
2006/06/16 21:21:21 ** Port Scan ** Port scanning from 216.135.39.227 detected
2006/06/16 21:21:56 ** Port Scan ** Port scanning from 58.9.38.32 detected
2006/06/16 21:22:07 ** TCP SYN Flooding ** <IP/TCP> 218.18.74.238:3177 ->> 192.168.2.187:49201
2006/06/16 21:22:21 ** Port Scan ** Port scanning from 58.9.38.32 detected
2006/06/16 21:22:25 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:22:41 ** Port Scan ** Port scanning from 87.116.138.202 detected
2006/06/16 21:23:00 192.168.2.187 login failed
2006/06/16 21:23:00 192.168.2.187 login failed
2006/06/16 21:23:00 192.168.2.187 login failed
2006/06/16 21:24:11 ** Port Scan ** Port scanning from 58.9.38.32 detected
2006/06/16 21:28:00 192.168.2.187 login failed
2006/06/16 21:28:00 192.168.2.187 login failed
2006/06/16 21:28:00 192.168.2.187 login failed
2006/06/16 21:28:07 192.168.2.187 login failed
2006/06/16 21:28:07 192.168.2.187 login failed
2006/06/16 21:28:07 192.168.2.187 login failed
2006/06/16 21:30:22 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 21:31:38 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:32:14 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:32:24 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:32:47 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:33:07 192.168.2.187 login failed
2006/06/16 21:33:07 192.168.2.187 login failed
2006/06/16 21:33:07 192.168.2.187 login failed
2006/06/16 21:33:12 ** Port Scan ** Port scanning from 209.62.180.80 detected
2006/06/16 21:33:16 ** Port Scan ** Port scanning from 88.154.158.41 detected
2006/06/16 21:33:36 ** Port Scan ** Port scanning from 66.150.208.55 detected
2006/06/16 21:33:46 ** Port Scan ** Port scanning from 204.176.49.2 detected
2006/06/16 21:34:19 ** TCP SYN Flooding ** <IP/TCP> 221.198.184.86:1556 ->> 192.168.2.187:49201
2006/06/16 21:34:24 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:34:37 ** Port Scan ** Port scanning from 221.186.251.85 detected
2006/06/16 21:34:38 ** Port Scan ** Port scanning from 221.186.251.85 detected
2006/06/16 21:34:39 ** Port Scan ** Port scanning from 221.186.251.85 detected
2006/06/16 21:34:50 ** Port Scan ** Port scanning from 221.186.251.85 detected
2006/06/16 21:36:38 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:38:06 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:38:07 192.168.2.187 login failed
2006/06/16 21:38:07 192.168.2.187 login failed
2006/06/16 21:38:07 192.168.2.187 login failed
2006/06/16 21:43:07 192.168.2.187 login failed
2006/06/16 21:43:07 192.168.2.187 login failed
2006/06/16 21:43:07 192.168.2.187 login failed
2006/06/16 21:43:55 ** Port Scan ** Port scanning from 168.159.186.100 detected
2006/06/16 21:45:20 ** Port Scan ** Port scanning from 66.94.233.46 detected
2006/06/16 21:45:37 ** Port Scan ** Port scanning from 66.94.233.46 detected
2006/06/16 21:45:53 ** Port Scan ** Port scanning from 172.212.188.162 detected
2006/06/16 21:46:35 192.168.2.187 login failed
2006/06/16 21:46:35 192.168.2.187 login failed
2006/06/16 21:46:35 192.168.2.187 login failed
2006/06/16 21:47:28 ** Port Scan ** Port scanning from 221.186.251.85 detected
2006/06/16 21:48:14 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:51:35 192.168.2.187 login failed
2006/06/16 21:51:35 192.168.2.187 login failed
2006/06/16 21:51:35 192.168.2.187 login failed
2006/06/16 21:51:51 ** Port Scan ** Port scanning from 216.35.123.100 detected
2006/06/16 21:53:47 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:54:19 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:54:52 ** Port Scan ** Port scanning from 75.13.50.233 detected
2006/06/16 21:55:41 192.168.2.187 login failed
2006/06/16 21:55:41 192.168.2.187 login failed
2006/06/16 21:55:41 192.168.2.187 login failed
2006/06/16 21:56:18 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:56:27 ** Port Scan ** Port scanning from 82.39.86.101 detected
2006/06/16 21:56:41 ** Port Scan ** Port scanning from 58.33.185.3 detected
2006/06/16 21:57:46 ** Port Scan ** Port scanning from 12.129.217.201 detected
2006/06/16 21:58:03 ** Port Scan ** Port scanning from 60.210.198.177 detected
2006/06/16 21:58:12 ** Port Scan ** Port scanning from 60.240.135.183 detected
2006/06/16 21:58:48 ** Port Scan ** Port scanning from 60.20.50.241 detected
2006/06/16 21:59:56 ** Port Scan ** Port scanning from 193.92.70.103 detected
2006/06/16 22:00:41 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 22:00:41 192.168.2.187 login failed
2006/06/16 22:00:41 192.168.2.187 login failed
2006/06/16 22:00:41 192.168.2.187 login failed
2006/06/16 22:00:50 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:00:52 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:01:25 ** Port Scan ** Port scanning from 84.167.17.63 detected
2006/06/16 22:05:41 192.168.2.187 login failed
2006/06/16 22:05:41 192.168.2.187 login failed
2006/06/16 22:05:41 192.168.2.187 login failed
2006/06/16 22:10:41 192.168.2.187 login failed
2006/06/16 22:10:41 192.168.2.187 login failed
2006/06/16 22:10:41 192.168.2.187 login failed
2006/06/16 22:10:48 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:11:57 ** Port Scan ** Port scanning from 68.112.27.140 detected
2006/06/16 22:13:34 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:14:30 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:14:50 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:15:41 192.168.2.187 login failed
2006/06/16 22:15:41 192.168.2.187 login failed
2006/06/16 22:15:41 192.168.2.187 login failed
2006/06/16 22:16:45 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 22:17:17 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:17:26 ** Port Scan ** Port scanning from 71.107.7.140 detected
2006/06/16 22:17:37 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:17:53 ** Port Scan ** Port scanning from 137.224.223.97 detected
2006/06/16 22:18:02 ** Port Scan ** Port scanning from 219.91.13.249 detected
2006/06/16 22:18:04 ** Port Scan ** Port scanning from 87.110.22.191 detected
2006/06/16 22:18:09 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 22:18:51 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:19:13 ** Port Scan ** Port scanning from 65.34.242.205 detected
2006/06/16 22:20:04 ** Port Scan ** Port scanning from 68.212.242.120 detected
Question by:runelynx
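Before deciding whether the log shows an attack or just the torrent client's peers, it helps to run the three checks a defender would want over the router's own entries: where the "TCP SYN Flooding" alerts are aimed, whether the addresses flagged as port scanners overlap with the peers that connected to the forwarded port, and whether the "login failed" entries from BluePC arrive in same-second bursts at a fixed interval (a timer on that machine rather than a person). The Python script below is an added example and is not part of the question or any answer; the log lines it embeds are a subset copied from the device log above, while the function names and the thresholds in looks_automated (a 300-second period, 5-second tolerance, two repeats) are my own choices.

```python
import re
from collections import Counter
from datetime import datetime

# A subset of the device log posted in the question (copied, not constructed);
# the analysis below is an added example, not part of the original post.
SAMPLE_LOG = """\
2006/06/16 20:02:08 ** TCP SYN Flooding ** <IP/TCP> 58.99.96.23:4720 ->> 192.168.2.187:49201
2006/06/16 20:05:21 192.168.2.187 login failed
2006/06/16 20:05:21 192.168.2.187 login failed
2006/06/16 20:05:21 192.168.2.187 login failed
2006/06/16 20:10:21 192.168.2.187 login failed
2006/06/16 20:10:21 192.168.2.187 login failed
2006/06/16 20:10:21 192.168.2.187 login failed
2006/06/16 20:50:53 System time synchronized with 207.46.232.189
2006/06/16 21:02:04 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:02:06 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:03:29 ** Port Scan ** Port scanning from 58.33.185.3 detected
2006/06/16 21:10:50 ** TCP SYN Flooding ** <IP/TCP> 219.144.216.245:4940 ->> 192.168.2.187:49201
2006/06/16 21:13:00 192.168.2.187 login failed
2006/06/16 21:13:00 192.168.2.187 login failed
2006/06/16 21:13:00 192.168.2.187 login failed
2006/06/16 21:18:00 192.168.2.187 login failed
2006/06/16 21:18:00 192.168.2.187 login failed
2006/06/16 21:18:00 192.168.2.187 login failed
2006/06/16 21:21:14 ** Port Scan ** Port scanning from 58.99.96.23 detected
"""

TS_FMT = "%Y/%m/%d %H:%M:%S"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {  # kind -> (regex, names of the capture groups after the timestamp); "other" is tried last
    "login_failed": (re.compile(r"^(\S+ \S+) " + IP + r" login failed$"), ("src",)),
    "syn_flood": (re.compile(r"^(\S+ \S+) \*\* TCP SYN Flooding \*\* <IP/TCP> "
                             + IP + r":(\d+) ->> " + IP + r":(\d+)$"), ("src", "sport", "dst", "dport")),
    "port_scan": (re.compile(r"^(\S+ \S+) \*\* Port Scan \*\* Port scanning from "
                             + IP + r" detected$"), ("src",)),
    "other": (re.compile(r"^(\S+ \S+) (.*)$"), ("text",)),
}

def parse_log(text):
    """Turn raw router log lines into event dicts (timestamp, kind, fields); ports become ints."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        for kind, (rx, fields) in PATTERNS.items():
            if m := rx.match(line):
                ev = {"ts": datetime.strptime(m[1], TS_FMT), "kind": kind}
                ev.update(zip(fields, m.groups()[1:]))
                for port in ("sport", "dport"):
                    if port in ev:
                        ev[port] = int(ev[port])
                events.append(ev)
                break
    return events

def syn_flood_targets(events):
    """(dst, dport) hit by each SYN-flood alert; if every one is the forwarded P2P port,
    the router is counting inbound peer connection attempts, not a separate attack."""
    return Counter((e["dst"], e["dport"]) for e in events if e["kind"] == "syn_flood")

def port_scan_sources(events):
    """How often each remote address trips the port-scan heuristic."""
    return Counter(e["src"] for e in events if e["kind"] == "port_scan")

def peers_also_flagged_as_scanners(events):
    """Addresses seen both as peers on the forwarded port and as 'scanners': one population behind both alerts."""
    peers = {e["src"] for e in events if e["kind"] == "syn_flood"}
    scanners = {e["src"] for e in events if e["kind"] == "port_scan"}
    return sorted(peers & scanners)

def login_failure_bursts(events, host):
    """Group 'login failed' entries from host that share the same second into (timestamp, count) bursts."""
    bursts = []
    for e in events:
        if e["kind"] != "login_failed" or e["src"] != host:
            continue
        if bursts and bursts[-1][0] == e["ts"]:
            bursts[-1][1] += 1
        else:
            bursts.append([e["ts"], 1])
    return [(ts, n) for ts, n in bursts]

def burst_intervals(bursts):
    """Seconds between consecutive bursts."""
    return [int((b[0] - a[0]).total_seconds()) for a, b in zip(bursts, bursts[1:])]

def looks_automated(bursts, period=300, tolerance=5, min_repeats=2):
    """Several failures in one second, repeating at a fixed period, is what a timer-driven
    process on the host produces, not a person retyping a password. Thresholds are my own."""
    hits = sum(1 for i in burst_intervals(bursts) if abs(i - period) <= tolerance)
    return hits >= min_repeats

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("SYN-flood targets:", dict(syn_flood_targets(ev)), "| scan sources:", dict(port_scan_sources(ev)))
    print("peers also flagged as scanners:", peers_also_flagged_as_scanners(ev))
    b = login_failure_bursts(ev, "192.168.2.187")
    print("login bursts:", [(t.strftime("%H:%M:%S"), n) for t, n in b], burst_intervals(b), looks_automated(b))
```

Run as-is it summarises the embedded subset; paste the full log into parse_log to check the whole evening. On the subset, every SYN-flood entry targets 192.168.2.187:49201 (the forwarded torrent port) and 58.99.96.23 shows up first as a peer and later as a "scanner", both consistent with the P2P explanation for those two alert types. The failed logins are a different matter: they come in groups of three exactly 300 seconds apart, which is the signature of something on BluePC retrying a credential on a timer, and that is the process worth finding in Task Manager or the host firewall log.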
LVL 40

Assisted Solution

by:Fatal_Exception
Fatal_Exception earned 400 total points
ID: 16926430
Well, from a security standpoint,  torrent p2p is inherently dangerous, and I would not allow it on my LAN...  exactly for the reasons outlined in your log..

Try turning off the port forwarding, and see if your connection is normalized..  If not, then you might find yourself already compromised by a hack from opening up these ports to the bit torrent population..  :(
LVL 14

Assisted Solution

by:ECNSSMT
ECNSSMT earned 800 total points
ID: 16926773
something is definitely trying to authenticate to the router from your PC.  While I haven't heard of attacks directed at SOHO routers; it is in the realm of possibilities.  I can only speculate on whether the attack is an automated attack originating from the PC or internet; there is something definite, your PC has been compromised.  The degree and tenacity is dependent on the author of this malware.  You may want to see if there are any not-so-familiar executables running on your task manager (make sure you show all users).  Run an antivirus program in the hopes that the malware could be detected there.

http://housecall.trendmicro.com/ as a free online; there are others out there, but this is the only one I remember the URL to.

Or if it gets desperate enough; you may want to download a free copy of Zonealarm just so that you can identify what is going out of your PC and attacking your router.  Windows XP has a built-in firewall that will do the same; there was no mention what OS you were using.

http://www.zonelabs.com/store/content/company/products/znalm/freeDownload2.jsp;jsessionid=EURNXzQlkorL1p7sTKI4JEYrnZiYXlBMnXVa4A2Q0FVZ7ckd3mK6!-324110231!-1062696904!7551!7552!NONE

Hope it helps....

Regards,
LVL 77

Accepted Solution

by:Rob Williams
Rob Williams earned 800 total points
ID: 16926859
>>"the firewall that "blocks ICMP commands" is *disabled*"
Make sure you enable blocking of ICMP requests from the Internet/WAN.
Most port scanners won't detect that you even exist if you do not respond to Pings (ICMP requests). This is likely why you are being hit so much and your router may be locking up due to DOS (Denial of Service) attacks.
At least worth a shot.
You should not need this for your P2P application.
LVL 77

Expert Comment

by:Rob Williams
ID: 16933519
Thanks runelynx.
--Rob

ps- Though blocking ICMP requests should reduce the chance of DOS attacks, as Fatal Exception stated earlier, be aware p2p applications are a huge risk, and should never be allowed on a business network, or any critical system.
LVL 40

Expert Comment

by:Fatal_Exception
ID: 16948071
Ditto!  

FE