We help IT Professionals succeed at work.

Can someone explain why is this happening? Am I getting hacked

A C
A C asked
on
418 Views
Last Modified: 2017-11-26
So this is my residential router is a netgear gateway C3700-100NAS with Spectrum Internet. Usually I have no problems. But every so often, intermittently and not very predictable, I would notice my Internet slow down to a crawl, and even pinging 8.8.8.8 or www.yahoo.com will time out or have insane times.

I checked my netgear gateway C3700-100NAS logs and saw this.... Apparently in the span of less than a minute or so there were hundreds of entries for Source of "140.3.230.0" and Target/Destination of "149.104.249.105". Neither of these IPs have anything to do with my residential IP address nor would/should any device on my network be sending nor receiving anything to or from any of these IP addresses.

Based on a simple lookup it appears that 149.104.249.105 is Location is Washington D.C. (Northwest Washington), District of Columbia US - ISP is Cogent Communications and that 140.3.230.0 is Location is Columbus, Ohio US - ISP is DoD Network Information Center.

Can anyone have any idea what is going on?

https://i.imgur.com/cf2t7BQ.jpg
wtf.jpg
Comment
Watch Question

Jason CarsonComputer Technician
Top Expert 2015

Commented:
According to those logs that is a 'denial of service' attack. The good news is you probably haven't been hacked, but whoever is doing it is flooding your router with so many packets that it denies you, or severely limits, your Internet access.

To give you an analogy, your Internet access could be thought of as a highway. And each packet is a car. The attacker is flooding the highway with packets and it brings traffic to a stall.

One way to get around it may be to simply reboot your modem so it receives a new IP.
A C

Author

Commented:
Okay thanks. But one of the problem is I'm with TWC /Spectrum and they statically assign public IP addresses so I'm stuck with the one I have gotten. The only time that I ever gotten a new IP was when my previous router died and when I got a replacement router I had to call them in with the MAC/ CM MAC info and that is after they registered the new Router on their end (also the same C3700 netgear model) I noticed when going to whatismyipaddress that I gotten a new public IP address. It doesn't happen all the time but when it does happen it slows me down to a crawl and usually a reboot stops it, but not because it changed to a different IP address (its static)

The other thing I thought was strange is that assuming the IP address are legit and not spoofed or anything, apparently based on whatever public records available it appears to be coming from a government network going to another government network

All of them are Source of "140.3.230.0" and Target/Destination of "149.104.249.105"


https://imgur.com/a/dAyuA
14032300.png
149104249105.png
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
A C

Author

Commented:
@MASQ, if the source and destination are both public IP addresses that related to mine and not  under my control (as indicated in the logs) how would I know which, if any, computer or device on my home ISP might have been inadvertently compromised? There doesn't seem to be a way for me to find out from these netgear logs.
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
The "Old-School" solution would be to shutdown your network connected devices, temporarily disable the WiFi in the router or wired connection to access points and then restart the router followed by a wired connection to the least likely machine to have an infection.  Check the Router logs through that machine and see if you've any change in behaviour.
Jason CarsonComputer Technician
Top Expert 2015

Commented:
You can download and install the free version of Malwarebytes. Then use it to scan your computers.
CERTIFIED EXPERT

Commented:
It might be time consuming but MASQ's advice is right on. Disconnect everything and see if the DDoS attacks (or whatever exactly the traffic is doing) stops. Then add each device back one at a time watching the logs. Also, scan all your devices using Malwarebytes, et. al. as mentioned already. Remember, malware can hide in even the most innocuous network connected devices! Good luck and let us know what you find, if anything.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Take your logs, email them to the abuse@cogent as reflected in the arin.net registration record for the 149.104.249.105
They will address the issue while suggestion provided is helpful, in the example it seems the originating system us broadcasting/multicasting to your providers class C segment 104.3.230.0/24

Your Netgear identifies the type of attack it sees, ..........
https://whois.arin.net/rest/net/NET-149-104-0-0-1/pft?s=149.104.249.105
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You could cite your issue to Spectrum. Unless you have a static IP address from them, they can get rid of your DHCP lease, which would at least help you get a new IP address. This requires your calling them.

Do you have anything on your network that you intended to be accessible from the outside? If so, you may want to take a look into that. Also check your router for anything strange, like maybe leaving remote administration on by mistake. At least review the things you have control over.

Note: This is not getting you out of following the advice MASQ provided, or looking into what arnold provided.
A C

Author

Commented:
I'm still getting hit and it appears that its getting stranger. See screenshot

The IP addresses don't even make sense now...

apparently SOURCE is 140.3.230.0 which says it is a DoD IP address that I can't ping when I try... and DESTINATION is going to 141.98.211.14, which isn't a valid IP address at all and has no information when I try to look up online. My actual ISP public IP is 76.x.x.x, with TWC, Spectrum etc. I don't have ANY devices on my network that would need or be communicating with either 140.3.230.0 or 141.98.211.14 and yet somehow in the span of less than a minute I could get hundreds of logged attempts of something from 140.3.230.0 trying to get to 141.98.211.14. It definitely slows my internet to a crawl when it happens, and I have no idea why it is even happening at all.

https://i.imgur.com/qMe6NHV.png
WTF9.png
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
As your rourer log indicate it is an attack.
The only way to prevent a nock at the for, is to report the potential intruder to those who provide access, their ISP.

Reach out to your ISP and see whether they can intervene or assist potentially it might be affecting other customers, if not potentially compromising some to ...  That they will be seeing complaints about attacks originating from their network.
CERTIFIED EXPERT
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION