Solved

I think my network is under attack, help!

Posted on 2006-06-17
Last Modified: 2012-05-05
Here is my primary question: What is most likely behind my loss of internet service?

Secondary question: the router log obviously shows some shady activity going on. BUT -- is this a result of using the torrent p2p (Azureus) software? It connects to many different people to upload/download files... does my router mistake those p2p connections for port sniffers / "TCP SYN"?

===================================
My network and internet have been working fine now for some time. However... I recently became interested in "torrents" and made one change to my router's settings to allow my torrent p2p software to correctly work. That change was to my port forwarding rules... I set the router to forward all port-49201 requests to my desktop computer (named BluePC for reference) to ensure everything works fine. I reset the router to its factory default settings before making this change due to some issues that arose... but I have made sure everything is set the way it should be.

Since making those changes, my network loses internet connectivity roughly once or twice a day... usually at night. My cable modem's lights always show just fine, everything is OK... however, when I try to access my router settings from my desktop BluePC during this loss of internet, I am unable to connect. It will not load the router admin page at all. I have not determined whether or not other computers on the network can connect to the router admin page during these downtime periods... however, I do know that they CANNOT access the internet.

To fix the problem, I simply unplug the router for a moment and plug it back in. Once it loads up, everything is back to normal. I hope this is enough background info. If not, please let me know.

Also, a few of my router settings --  
--the firewall that "blocks ICMP commands" is *disabled*
--virtual DMZ is *disabled*
--no ports are forwarded aside from 49201
--BluePC's local network IP is 192.168.2.187

=======================================================================

***DEVICE LOG***
---note that all of those MANY "login failed" msgs are not caused by me... I am not that stupid lol :)
---also note that it is hard for me to use my router admin web page because it logs me out every so often, almost like the session gets killed... it never used to do that.

2006/06/16 20:00:40 192.168.2.187 login failed
2006/06/16 20:00:40 192.168.2.187 login failed
2006/06/16 20:02:08 ** TCP SYN Flooding ** <IP/TCP> 58.99.96.23:4720 ->> 192.168.2.187:49201
2006/06/16 20:04:12 ** TCP SYN Flooding ** <IP/TCP> 61.173.123.47:3417 ->> 192.168.2.187:49201
2006/06/16 20:05:21 192.168.2.187 login failed
2006/06/16 20:05:21 192.168.2.187 login failed
2006/06/16 20:05:21 192.168.2.187 login failed
2006/06/16 20:06:02 ** TCP SYN Flooding ** <IP/TCP> 222.67.207.249:2493 ->> 192.168.2.187:49201
2006/06/16 20:10:21 192.168.2.187 login failed
2006/06/16 20:10:21 192.168.2.187 login failed
2006/06/16 20:10:21 192.168.2.187 login failed
2006/06/16 20:10:30 ** TCP SYN Flooding ** <IP/TCP> 222.90.215.243:4093 ->> 192.168.2.187:49201
2006/06/16 20:12:15 ** TCP SYN Flooding ** <IP/TCP> 221.202.105.30:4943 ->> 192.168.2.187:49201
2006/06/16 20:13:42 192.168.2.187 login failed
2006/06/16 20:13:42 192.168.2.187 login failed
2006/06/16 20:13:43 192.168.2.187 login failed
2006/06/16 20:13:43 ** TCP SYN Flooding ** <IP/TCP> 221.202.105.30:3212 ->> 192.168.2.187:49201
2006/06/16 20:18:42 192.168.2.187 login failed
2006/06/16 20:18:42 192.168.2.187 login failed
2006/06/16 20:18:42 192.168.2.187 login failed
2006/06/16 20:23:42 192.168.2.187 login failed
2006/06/16 20:23:42 192.168.2.187 login failed
2006/06/16 20:23:42 192.168.2.187 login failed
2006/06/16 20:28:42 192.168.2.187 login failed
2006/06/16 20:28:42 192.168.2.187 login failed
2006/06/16 20:28:42 192.168.2.187 login failed
2006/06/16 20:33:42 192.168.2.187 login failed
2006/06/16 20:33:42 192.168.2.187 login failed
2006/06/16 20:33:42 192.168.2.187 login failed
2006/06/16 20:38:42 192.168.2.187 login failed
2006/06/16 20:38:42 192.168.2.187 login failed
2006/06/16 20:38:42 192.168.2.187 login failed
2006/06/16 20:43:42 192.168.2.187 login failed
2006/06/16 20:43:42 192.168.2.187 login failed
2006/06/16 20:43:42 192.168.2.187 login failed
2006/06/16 20:48:42 192.168.2.187 login failed
2006/06/16 20:48:42 192.168.2.187 login failed
2006/06/16 20:48:43 192.168.2.187 login failed
2006/06/16 20:50:53 System time synchronized with 207.46.232.189
2006/06/16 20:50:56 System time synchronized with 207.46.232.189
2006/06/16 20:51:00 192.168.2.187 login failed
2006/06/16 20:51:00 192.168.2.187 login failed
2006/06/16 20:51:00 192.168.2.187 login failed
2006/06/16 20:52:01 192.168.2.187 login failed
2006/06/16 20:52:40 192.168.2.187 login failed
2006/06/16 20:52:40 192.168.2.187 login failed
2006/06/16 20:52:40 192.168.2.187 login failed
2006/06/16 20:54:03 192.168.2.187 login failed
2006/06/16 20:54:03 192.168.2.187 login failed
2006/06/16 20:54:03 192.168.2.187 login failed
2006/06/16 20:56:54 192.168.2.187 login failed
2006/06/16 20:56:55 192.168.2.187 login failed
2006/06/16 20:56:55 192.168.2.187 login failed
2006/06/16 20:57:57 192.168.2.187 login failed
2006/06/16 20:58:00 192.168.2.187 login failed
2006/06/16 20:58:00 192.168.2.187 login failed
2006/06/16 20:58:00 192.168.2.187 login failed
2006/06/16 20:58:01 192.168.2.187 login failed
2006/06/16 20:58:01 192.168.2.187 login failed
2006/06/16 20:58:01 192.168.2.187 login failed
2006/06/16 21:02:04 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:02:06 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:02:21 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:02:46 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:03:00 192.168.2.187 login failed
2006/06/16 21:03:00 192.168.2.187 login failed
2006/06/16 21:03:00 192.168.2.187 login failed
2006/06/16 21:03:29 ** Port Scan ** Port scanning from 58.33.185.3 detected
2006/06/16 21:03:51 ** Port Scan ** Port scanning from 83.149.104.33 detected
2006/06/16 21:04:13 ** Port Scan ** Port scanning from 64.92.165.133 detected
2006/06/16 21:04:24 ** Port Scan ** Port scanning from 218.40.140.19 detected
2006/06/16 21:04:36 ** Port Scan ** Port scanning from 219.207.114.160 detected
2006/06/16 21:05:25 ** Port Scan ** Port scanning from 219.144.110.130 detected
2006/06/16 21:06:23 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 21:06:44 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 21:06:50 ** Port Scan ** Port scanning from 70.174.110.251 detected
2006/06/16 21:07:00 ** Port Scan ** Port scanning from 83.23.99.71 detected
2006/06/16 21:07:34 ** Port Scan ** Port scanning from 60.20.50.241 detected
2006/06/16 21:08:00 192.168.2.187 login failed
2006/06/16 21:08:00 192.168.2.187 login failed
2006/06/16 21:08:00 192.168.2.187 login failed
2006/06/16 21:08:05 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:09:08 ** Port Scan ** Port scanning from 70.178.54.231 detected
2006/06/16 21:09:47 ** Port Scan ** Port scanning from 58.9.38.32 detected
2006/06/16 21:10:26 ** Port Scan ** Port scanning from 219.75.6.199 detected
2006/06/16 21:10:50 ** TCP SYN Flooding ** <IP/TCP> 219.144.216.245:4940 ->> 192.168.2.187:49201
2006/06/16 21:11:55 ** Port Scan ** Port scanning from 82.32.46.141 detected
2006/06/16 21:13:00 192.168.2.187 login failed
2006/06/16 21:13:00 192.168.2.187 login failed
2006/06/16 21:13:00 192.168.2.187 login failed
2006/06/16 21:15:48 ** Port Scan ** Port scanning from 218.44.249.116 detected
2006/06/16 21:16:08 ** TCP SYN Flooding ** <IP/TCP> 61.48.9.4:1298 ->> 192.168.2.187:49201
2006/06/16 21:16:21 ** Port Scan ** Port scanning from 218.19.155.39 detected
2006/06/16 21:17:07 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:17:14 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:17:18 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:17:29 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:17:42 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 21:17:59 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:18:00 192.168.2.187 login failed
2006/06/16 21:18:00 192.168.2.187 login failed
2006/06/16 21:18:00 192.168.2.187 login failed
2006/06/16 21:19:21 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:19:32 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:20:02 ** Port Scan ** Port scanning from 206.54.148.19 detected
2006/06/16 21:20:34 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:20:41 ** Port Scan ** Port scanning from 64.34.176.85 detected
2006/06/16 21:20:47 ** Port Scan ** Port scanning from 64.34.176.85 detected
2006/06/16 21:20:51 ** Port Scan ** Port scanning from 64.34.176.85 detected
2006/06/16 21:20:53 ** Port Scan ** Port scanning from 64.34.176.85 detected
2006/06/16 21:21:06 ** Port Scan ** Port scanning from 64.34.176.85 detected
2006/06/16 21:21:14 ** Port Scan ** Port scanning from 58.99.96.23 detected
2006/06/16 21:21:21 ** Port Scan ** Port scanning from 216.135.39.227 detected
2006/06/16 21:21:56 ** Port Scan ** Port scanning from 58.9.38.32 detected
2006/06/16 21:22:07 ** TCP SYN Flooding ** <IP/TCP> 218.18.74.238:3177 ->> 192.168.2.187:49201
2006/06/16 21:22:21 ** Port Scan ** Port scanning from 58.9.38.32 detected
2006/06/16 21:22:25 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:22:41 ** Port Scan ** Port scanning from 87.116.138.202 detected
2006/06/16 21:23:00 192.168.2.187 login failed
2006/06/16 21:23:00 192.168.2.187 login failed
2006/06/16 21:23:00 192.168.2.187 login failed
2006/06/16 21:24:11 ** Port Scan ** Port scanning from 58.9.38.32 detected
2006/06/16 21:28:00 192.168.2.187 login failed
2006/06/16 21:28:00 192.168.2.187 login failed
2006/06/16 21:28:00 192.168.2.187 login failed
2006/06/16 21:28:07 192.168.2.187 login failed
2006/06/16 21:28:07 192.168.2.187 login failed
2006/06/16 21:28:07 192.168.2.187 login failed
2006/06/16 21:30:22 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 21:31:38 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:32:14 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:32:24 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:32:47 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:33:07 192.168.2.187 login failed
2006/06/16 21:33:07 192.168.2.187 login failed
2006/06/16 21:33:07 192.168.2.187 login failed
2006/06/16 21:33:12 ** Port Scan ** Port scanning from 209.62.180.80 detected
2006/06/16 21:33:16 ** Port Scan ** Port scanning from 88.154.158.41 detected
2006/06/16 21:33:36 ** Port Scan ** Port scanning from 66.150.208.55 detected
2006/06/16 21:33:46 ** Port Scan ** Port scanning from 204.176.49.2 detected
2006/06/16 21:34:19 ** TCP SYN Flooding ** <IP/TCP> 221.198.184.86:1556 ->> 192.168.2.187:49201
2006/06/16 21:34:24 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:34:37 ** Port Scan ** Port scanning from 221.186.251.85 detected
2006/06/16 21:34:38 ** Port Scan ** Port scanning from 221.186.251.85 detected
2006/06/16 21:34:39 ** Port Scan ** Port scanning from 221.186.251.85 detected
2006/06/16 21:34:50 ** Port Scan ** Port scanning from 221.186.251.85 detected
2006/06/16 21:36:38 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:38:06 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:38:07 192.168.2.187 login failed
2006/06/16 21:38:07 192.168.2.187 login failed
2006/06/16 21:38:07 192.168.2.187 login failed
2006/06/16 21:43:07 192.168.2.187 login failed
2006/06/16 21:43:07 192.168.2.187 login failed
2006/06/16 21:43:07 192.168.2.187 login failed
2006/06/16 21:43:55 ** Port Scan ** Port scanning from 168.159.186.100 detected
2006/06/16 21:45:20 ** Port Scan ** Port scanning from 66.94.233.46 detected
2006/06/16 21:45:37 ** Port Scan ** Port scanning from 66.94.233.46 detected
2006/06/16 21:45:53 ** Port Scan ** Port scanning from 172.212.188.162 detected
2006/06/16 21:46:35 192.168.2.187 login failed
2006/06/16 21:46:35 192.168.2.187 login failed
2006/06/16 21:46:35 192.168.2.187 login failed
2006/06/16 21:47:28 ** Port Scan ** Port scanning from 221.186.251.85 detected
2006/06/16 21:48:14 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:51:35 192.168.2.187 login failed
2006/06/16 21:51:35 192.168.2.187 login failed
2006/06/16 21:51:35 192.168.2.187 login failed
2006/06/16 21:51:51 ** Port Scan ** Port scanning from 216.35.123.100 detected
2006/06/16 21:53:47 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:54:19 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:54:52 ** Port Scan ** Port scanning from 75.13.50.233 detected
2006/06/16 21:55:41 192.168.2.187 login failed
2006/06/16 21:55:41 192.168.2.187 login failed
2006/06/16 21:55:41 192.168.2.187 login failed
2006/06/16 21:56:18 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:56:27 ** Port Scan ** Port scanning from 82.39.86.101 detected
2006/06/16 21:56:41 ** Port Scan ** Port scanning from 58.33.185.3 detected
2006/06/16 21:57:46 ** Port Scan ** Port scanning from 12.129.217.201 detected
2006/06/16 21:58:03 ** Port Scan ** Port scanning from 60.210.198.177 detected
2006/06/16 21:58:12 ** Port Scan ** Port scanning from 60.240.135.183 detected
2006/06/16 21:58:48 ** Port Scan ** Port scanning from 60.20.50.241 detected
2006/06/16 21:59:56 ** Port Scan ** Port scanning from 193.92.70.103 detected
2006/06/16 22:00:41 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 22:00:41 192.168.2.187 login failed
2006/06/16 22:00:41 192.168.2.187 login failed
2006/06/16 22:00:41 192.168.2.187 login failed
2006/06/16 22:00:50 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:00:52 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:01:25 ** Port Scan ** Port scanning from 84.167.17.63 detected
2006/06/16 22:05:41 192.168.2.187 login failed
2006/06/16 22:05:41 192.168.2.187 login failed
2006/06/16 22:05:41 192.168.2.187 login failed
2006/06/16 22:10:41 192.168.2.187 login failed
2006/06/16 22:10:41 192.168.2.187 login failed
2006/06/16 22:10:41 192.168.2.187 login failed
2006/06/16 22:10:48 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:11:57 ** Port Scan ** Port scanning from 68.112.27.140 detected
2006/06/16 22:13:34 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:14:30 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:14:50 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:15:41 192.168.2.187 login failed
2006/06/16 22:15:41 192.168.2.187 login failed
2006/06/16 22:15:41 192.168.2.187 login failed
2006/06/16 22:16:45 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 22:17:17 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:17:26 ** Port Scan ** Port scanning from 71.107.7.140 detected
2006/06/16 22:17:37 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:17:53 ** Port Scan ** Port scanning from 137.224.223.97 detected
2006/06/16 22:18:02 ** Port Scan ** Port scanning from 219.91.13.249 detected
2006/06/16 22:18:04 ** Port Scan ** Port scanning from 87.110.22.191 detected
2006/06/16 22:18:09 ** Port Scan ** Port scanning from 82.227.168.65 detected
2006/06/16 22:18:51 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 22:19:13 ** Port Scan ** Port scanning from 65.34.242.205 detected
2006/06/16 22:20:04 ** Port Scan ** Port scanning from 68.212.242.120 detected
Question by: runelynx
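As an added example (not part of the original question or of any reply below), here is a small Python script that parses a subset of the router log above and pulls out the three things worth checking before calling this an attack: whether every "TCP SYN Flooding" entry lands on the forwarded port 49201, whether the addresses flagged for port scanning overlap with the addresses that connected to 49201, and how regularly the "login failed" lines from 192.168.2.187 recur. The log lines are copied from the post; the regular expressions and the 2-second burst window are my own assumptions about this router's log format.

```python
import re
from collections import Counter
from datetime import datetime

# A subset of the router log from the question (copied, not constructed), with
# one "System time synchronized" line kept to show how unclassified lines are handled.
LOG = """\
2006/06/16 20:02:08 ** TCP SYN Flooding ** <IP/TCP> 58.99.96.23:4720 ->> 192.168.2.187:49201
2006/06/16 20:18:42 192.168.2.187 login failed
2006/06/16 20:18:42 192.168.2.187 login failed
2006/06/16 20:18:42 192.168.2.187 login failed
2006/06/16 20:23:42 192.168.2.187 login failed
2006/06/16 20:23:42 192.168.2.187 login failed
2006/06/16 20:23:42 192.168.2.187 login failed
2006/06/16 20:28:42 192.168.2.187 login failed
2006/06/16 20:28:42 192.168.2.187 login failed
2006/06/16 20:28:42 192.168.2.187 login failed
2006/06/16 20:50:53 System time synchronized with 207.46.232.189
2006/06/16 21:02:04 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:02:06 ** Port Scan ** Port scanning from 83.149.104.37 detected
2006/06/16 21:03:29 ** Port Scan ** Port scanning from 58.33.185.3 detected
2006/06/16 21:10:50 ** TCP SYN Flooding ** <IP/TCP> 219.144.216.245:4940 ->> 192.168.2.187:49201
2006/06/16 21:16:08 ** TCP SYN Flooding ** <IP/TCP> 61.48.9.4:1298 ->> 192.168.2.187:49201
2006/06/16 21:21:14 ** Port Scan ** Port scanning from 58.99.96.23 detected
2006/06/16 21:22:07 ** TCP SYN Flooding ** <IP/TCP> 218.18.74.238:3177 ->> 192.168.2.187:49201
2006/06/16 21:33:07 192.168.2.187 login failed
2006/06/16 21:33:07 192.168.2.187 login failed
2006/06/16 21:33:07 192.168.2.187 login failed
"""

# The patterns are an assumption about this router's format, derived from the lines above.
TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
PATTERNS = {
    "login_failed": re.compile(TS + rf" (?P<src>{IP}) login failed$"),
    "syn_flood": re.compile(TS + rf" \*\* TCP SYN Flooding \*\* <IP/TCP> "
                            rf"(?P<src>{IP}):(?P<sport>\d+) ->> (?P<dst>{IP}):(?P<dport>\d+)$"),
    "port_scan": re.compile(TS + rf" \*\* Port Scan \*\* Port scanning from (?P<src>{IP}) detected$"),
}


def parse_log(text):
    """Turn each log line into a dict with a datetime 'ts' and an event 'kind'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                ev = dict(m.groupdict(), kind=kind)
                break
        else:
            m = re.match(TS, line)          # keep unknown lines that still carry a timestamp
            if not m:
                continue
            ev = {"ts": m.group("ts"), "kind": "other", "raw": line}
        ev["ts"] = datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S")
        for key in ("sport", "dport"):
            if key in ev:
                ev[key] = int(ev[key])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])   # stable sort keeps same-second order


def syn_flood_targets(events):
    """(destination, port) pairs the router flagged as SYN-flooded. If every
    entry lands on the one forwarded port, the alerts are inbound connections
    to the service that the port-forward rule deliberately exposed."""
    return Counter((e["dst"], e["dport"]) for e in events if e["kind"] == "syn_flood")


def scanners(events):
    """Port-scan alerts per source address."""
    return Counter(e["src"] for e in events if e["kind"] == "port_scan")


def syn_sources_also_scanning(events):
    """Addresses that both connected to the forwarded port and tripped the
    scan detector: evidence that one population of hosts causes both alerts."""
    syn = {e["src"] for e in events if e["kind"] == "syn_flood"}
    return syn & set(scanners(events))


def login_failure_bursts(events, gap_seconds=2):
    """Group 'login failed' lines from the same source that arrive within
    gap_seconds of the burst's first line. Returns (first_ts, src, count)."""
    bursts = []
    for e in (e for e in events if e["kind"] == "login_failed"):
        last = bursts[-1] if bursts else None
        if last and last[1] == e["src"] and (e["ts"] - last[0]).total_seconds() <= gap_seconds:
            last[2] += 1
        else:
            bursts.append([e["ts"], e["src"], 1])
    return [tuple(b) for b in bursts]


def burst_period_seconds(events):
    """Most common spacing between consecutive login-failure bursts. A fixed
    period is the fingerprint of a scheduled client, not of someone typing."""
    starts = [b[0] for b in login_failure_bursts(events)]
    gaps = Counter(int((b - a).total_seconds()) for a, b in zip(starts, starts[1:]))
    return gaps.most_common(1)[0][0] if gaps else None


if __name__ == "__main__":
    ev = parse_log(LOG)
    print("SYN-flood targets:", dict(syn_flood_targets(ev)))
    print("scan alerts per source:", dict(scanners(ev)))
    print("SYN sources also flagged as scanners:", syn_sources_also_scanning(ev))
    for ts, src, n in login_failure_bursts(ev):
        print(f"{ts:%H:%M:%S}  {src}  x{n}")
    print("login-failure burst period (s):", burst_period_seconds(ev))
```

On the copied lines, every SYN-flood alert targets 192.168.2.187:49201, the port the question says was forwarded; 58.99.96.23 appears both as a SYN-flood source at 20:02:08 and as a port scanner at 21:21:14; and the login failures arrive from BluePC in groups of three spaced exactly 300 seconds apart, which is what a scheduled program on that machine looks like rather than a person retrying a password. Running the same script over the full log above gives the same pattern.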
5 Comments
Assisted Solution by: Fatal_Exception (earned 100 total points)
Well, from a security standpoint, torrent p2p is inherently dangerous, and I would not allow it on my LAN... exactly for the reasons outlined in your log.

Try turning off the port forwarding, and see if your connection is normalized. If not, then you might find yourself already compromised by a hack from opening up these ports to the BitTorrent population. :(
Assisted Solution by: ECNSSMT (earned 200 total points)
Something is definitely trying to authenticate to the router from your PC. While I haven't heard of attacks directed at SOHO routers, it is in the realm of possibilities. I can only speculate on whether the attack is an automated attack originating from the PC or from the internet; one thing is definite: your PC has been compromised. The degree and tenacity depend on the author of this malware. You may want to see if there are any not-so-familiar executables running in your Task Manager (make sure you show processes from all users). Run an antivirus program in the hope that the malware can be detected there.

http://housecall.trendmicro.com/ is a free online one; there are others out there, but this is the only one whose URL I remember.

Or if it gets desperate enough, you may want to download a free copy of ZoneAlarm just so that you can identify what is going out of your PC and attacking your router. Windows XP has a built-in firewall that will do the same; there was no mention of what OS you were using.

http://www.zonelabs.com/store/content/company/products/znalm/freeDownload2.jsp;jsessionid=EURNXzQlkorL1p7sTKI4JEYrnZiYXlBMnXVa4A2Q0FVZ7ckd3mK6!-324110231!-1062696904!7551!7552!NONE

Hope it helps....

Regards,
Accepted Solution by: Rob Williams (earned 200 total points)
>>"the firewall that "blocks ICMP commands" is *disabled*"
Make sure you enable blocking of ICMP requests from the Internet/WAN.
Most port scanners won't detect that you even exist if you do not respond to pings (ICMP requests). This is likely why you are being hit so much, and your router may be locking up due to DoS (Denial of Service) attacks.
At least worth a shot.
You should not need this for your P2P application.
Expert Comment by: Rob Williams
Thanks runelynx.
--Rob

PS: Though blocking ICMP requests should reduce the chance of DoS attacks, as Fatal_Exception stated earlier, be aware that p2p applications are a huge risk and should never be allowed on a business network, or on any critical system.
Expert Comment by: Fatal_Exception
Ditto!  

FE