Attack? Scans from unknown IP on router

We have several 'attack events' coming in from IP addresses we are not familiar with and wanted to know what the protocol is. It doesn't look like these attacks are happening on more than one occasion.

#/IP address/Events

4/ webdefence-pool-02.cluster-h.webs
Larry Kiterling asked:
John Gates, CISSP, Security Professional, commented:
You are seeing the typical bots; the second one is from RIPE (Amsterdam).

Use to do a WHOIS on any IP to find the block owner.

The first IP is APNIC (Asia).

So it looks like it could be a test for a future DDOS attack.  Is this a home or company?

You can check the ports here: 

This will give you an idea.  Ports that low to me are what's making me think it was testing.  Low ports are not used for much these days, but the system still has to take time to process (and log) them.  That is the nature of the DDOS attack: to waste processor time on your routing devices to slow your network down or stop it completely.  If you are a business, I have some additional suggestions for you regarding your upstream provider (ISP); they can help you mitigate a DDOS attack by implementing ingress filtering.  Their infrastructure can handle much more than yours and will lessen or eliminate the disruption.  If you are a home user, I would not stress much about it.

Hope this helps!

Larry Kiterling (Author) commented:
Damn John, killin' it! Thanks and have a great weekend my friend.
btan, Exec Consultant, commented:
Likely these IPs are compromised or taken over by some sort of bot master to direct and launch "attacks" on their target. Taking the snapshot of a single IP from each range, you can see that at least three of them fall into SPAM or Block blacklists (look out for the "cross" in each). Better to check the specific log in your FW and IPS to see if there are any signature or exploit attempts.

For the protocol, it should be based on the port, though the source may not adhere to it. The common DDoS protocols using HTTP, SSDP, NTP to amplify the effects to bring the target down faster are gaining traction; see the US CERT advisory ( - check out the mitigation too, though you may not trace back to the origin source (can be proxy fronted by ISP).

For (Bangalore Broadband Network Pvt Ltd)
For (in France)
For (BHARTI Airtel Ltd.)
For (Websense Hosted R&D Ltd.)
For (Facebook, Inc.)
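The two answers above boil down to one triage step on the router log: group the 'attack events' by source IP, note which destination ports were hit, and treat a burst of low ports from one source as probing while a single hit is a one-off. The script below is an added example (not code from the original thread); the log line layout, the sample addresses and the port-to-service table are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample router log (not from the original post); the
# "src=... dport=... proto=..." layout is an assumed router format.
SAMPLE_LOG = """\
2015-03-06T02:11:09 attack event src=203.0.113.7 dport=23 proto=tcp
2015-03-06T02:11:10 attack event src=203.0.113.7 dport=22 proto=tcp
2015-03-06T02:11:12 attack event src=203.0.113.7 dport=21 proto=tcp
2015-03-06T02:11:13 attack event src=203.0.113.7 dport=25 proto=tcp
2015-03-06T05:40:01 attack event src=198.51.100.21 dport=1900 proto=udp
2015-03-06T05:40:01 attack event src=198.51.100.21 dport=123 proto=udp
2015-03-06T09:02:44 attack event src=192.0.2.55 dport=80 proto=tcp
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")

# Assumed port-to-service table: well-known low ports plus the NTP/SSDP
# services the thread names as DDoS amplification vectors.
PORT_SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
                 80: "http", 123: "ntp", 443: "https", 1900: "ssdp"}
AMPLIFICATION_PORTS = {123, 1900}

@dataclass
class SourceSummary:
    events: int = 0
    ports: set = field(default_factory=set)

def summarize(log_text):
    """Count events and collect distinct destination ports per source IP."""
    by_src = defaultdict(SourceSummary)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:                      # skip lines that are not attack events
            by_src[m["src"]].events += 1
            by_src[m["src"]].ports.add(int(m["dport"]))
    return by_src

def classify(summary):
    """Heuristic from the thread: several low ports from one source looks like probing."""
    if len([p for p in summary.ports if p < 1024]) >= 3:
        return "port-probe"
    if summary.ports & AMPLIFICATION_PORTS:
        return "amplification-service-probe"
    return "one-off"

def report(log_text):
    """Per-source verdicts: (event count, sorted ports, guessed services, verdict)."""
    return {src: (s.events, sorted(s.ports),
                  [PORT_SERVICES.get(p, "unknown") for p in sorted(s.ports)],
                  classify(s))
            for src, s in summarize(log_text).items()}
```

Sources flagged as port-probe are the ones worth a WHOIS lookup and a check against the firewall/IPS signature log; one-off hits can usually be left alone, as the accepted answer says.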
John Gates, CISSP, Security Professional, commented:
You're welcome!  Enjoy your weekend as well!
