Can someone explain why this is happening? Am I getting hacked?

So my residential router is a Netgear gateway C3700-100NAS with Spectrum Internet. Usually I have no problems. But every so often, intermittently and not very predictably, I notice my Internet slow down to a crawl, and even pinging 8.8.8.8 or www.yahoo.com times out or has insane times.

I checked my Netgear gateway C3700-100NAS logs and saw this.... Apparently, in the span of less than a minute or so, there were hundreds of entries with Source "140.3.230.0" and Target/Destination "149.104.249.105". Neither of these IPs has anything to do with my residential IP address, nor would/should any device on my network be sending or receiving anything to or from either of these IP addresses.

Based on a simple lookup, it appears that 149.104.249.105 is located in Washington D.C. (Northwest Washington), District of Columbia, US, ISP Cogent Communications, and that 140.3.230.0 is located in Columbus, Ohio, US, ISP DoD Network Information Center.

Does anyone have any idea what is going on?

https://i.imgur.com/cf2t7BQ.jpg
wtf.jpg
A C asked:
Jason Carson (Computer Technician) commented:
According to those logs, that is a 'denial of service' attack. The good news is you probably haven't been hacked, but whoever is doing it is flooding your router with so many packets that it denies you, or severely limits, your Internet access.

To give you an analogy, your Internet access could be thought of as a highway. And each packet is a car. The attacker is flooding the highway with packets and it brings traffic to a stall.

One way to get around it may be to simply reboot your modem so it receives a new IP.
A C (Author) commented:
Okay, thanks. But one of the problems is that I'm with TWC/Spectrum and they statically assign public IP addresses, so I'm stuck with the one I have got. The only time I ever got a new IP was when my previous router died; when I got a replacement router I had to call them with the MAC/CM MAC info, and after they registered the new router on their end (also the same C3700 Netgear model) I noticed when going to whatismyipaddress that I had got a new public IP address. It doesn't happen all the time, but when it does happen it slows me down to a crawl, and usually a reboot stops it, but not because it changed to a different IP address (it's static).

The other thing I thought was strange is that, assuming the IP addresses are legit and not spoofed or anything, apparently, based on whatever public records are available, it appears to be coming from a government network going to another government network.

All of them are Source of "140.3.230.0" and Target/Destination of "149.104.249.105"


https://imgur.com/a/dAyuA
14032300.png
149104249105.png
☠ MASQ ☠ commented:

A C (Author) commented:
@MASQ, if the source and destination are both public IP addresses that aren't related to mine and aren't under my control (as indicated in the logs), how would I know which, if any, computer or device on my home ISP connection might have been inadvertently compromised? There doesn't seem to be a way for me to find out from these Netgear logs.
☠ MASQ ☠ commented:
The "old-school" solution would be to shut down your network-connected devices, temporarily disable the Wi-Fi in the router or the wired connection to access points, and then restart the router, followed by a wired connection to the machine least likely to have an infection. Check the router logs through that machine and see if there is any change in behaviour.
Jason Carson (Computer Technician) commented:
You can download and install the free version of Malwarebytes. Then use it to scan your computers.
Matty-CT commented:
It might be time-consuming, but MASQ's advice is right on. Disconnect everything and see if the DDoS attacks (or whatever exactly the traffic is doing) stop. Then add each device back one at a time, watching the logs. Also, scan all your devices using Malwarebytes et al. as mentioned already. Remember, malware can hide in even the most innocuous network-connected devices! Good luck, and let us know what you find, if anything.
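A way to do the "watch the logs while adding devices back" step in code, added here as an example and not part of the thread or any Netgear tool: it parses gateway log lines into (source, target) pairs, finds pairs that produce a burst (by default 100 or more entries inside any 60-second window, which is the "hundreds of entries in under a minute" pattern the poster describes), and reports whether either end of the pair sits on the home LAN. The line layout, the 192.168.0.0/24 LAN and the log contents are assumptions constructed for the example; a real C3700 export will need the regex adjusted to its column layout.

```python
"""Find address pairs that flood a gateway log, and say whether a LAN device is involved."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout, modelled on the Source / Target columns the poster
# describes; it is NOT a verbatim Netgear C3700 export format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>.+?) Source (?P<src>[0-9.]+) Target (?P<dst>[0-9.]+)$"
)

# Assumed home LAN; adjust to the gateway's real subnet.
HOME_LAN = ipaddress.ip_network("192.168.0.0/24")


def build_sample_log():
    """Constructed sample: a 300-entry burst for one address pair inside
    one minute, a few unrelated entries spread over the hour, one junk line."""
    base = datetime(2018, 1, 15, 21, 14, 0)
    lines = []
    for i in range(300):                          # ~45 s of flood
        ts = base + timedelta(milliseconds=150 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} DoS attack Source 140.3.230.0 Target 149.104.249.105")
    for i in range(5):                            # benign background noise
        ts = base + timedelta(minutes=7 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} Blocked inbound Source 203.0.113.7 Target 192.168.0.12")
    lines.append("garbage line the gateway wrote while rebooting")
    return "\n".join(lines)


def parse_log(text):
    """Return (entries, unparsed_count); each entry carries a datetime 'ts'."""
    entries, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": m["event"], "src": m["src"], "dst": m["dst"],
        })
    return entries, unparsed


def burst_pairs(entries, window_s=60, threshold=100):
    """Sliding-window count per (src, dst): the peak number of entries that fall
    inside any window_s-second span. Pairs at or above threshold are returned."""
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    window = timedelta(seconds=window_s)
    bursts = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        peak = j = 0
        for i in range(len(stamps)):
            # j only moves forward: the window start only ever advances
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            bursts[pair] = peak
    return bursts


def local_endpoint(pair, lan=HOME_LAN):
    """Return whichever address of the pair is on the home LAN, or None when
    both are external and the log gives no LAN device to suspect."""
    for ip in pair:
        if ipaddress.ip_address(ip) in lan:
            return ip
    return None


if __name__ == "__main__":
    entries, bad = parse_log(build_sample_log())
    print(f"{len(entries)} entries parsed, {bad} skipped")
    for (src, dst), n in burst_pairs(entries).items():
        side = local_endpoint((src, dst)) or "none (both addresses external)"
        print(f"burst: {src} -> {dst}: {n} entries in 60 s; LAN device: {side}")
```

When one side of a burst pair is a LAN address, that is the machine to pull off the network first in MASQ's isolation procedure. When both sides are external, as in the poster's screenshots, the log entries themselves name no device behind the gateway, and the device-by-device test is what decides whether anything inside is involved.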
arnold commented:
Take your logs and email them to the abuse@ contact for Cogent as reflected in the arin.net registration record for 149.104.249.105.
They will address the issue. While the suggestion provided is helpful, in the example it seems the originating system is broadcasting/multicasting to your provider's class C segment 104.3.230.0/24.

Your Netgear identifies the type of attack it sees, ..........
https://whois.arin.net/rest/net/NET-149-104-0-0-1/pft?s=149.104.249.105
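A worked version of arnold's lookup step, added here as an example that is not from the thread: rather than the Whois-RWS page linked above, it queries the registry's RDAP service, which returns JSON, and pulls out the email of the entity carrying the abuse role, descending into nested entities because registries file contacts under the organisation. It also refuses to build a query for a malformed or non-routable address, since nothing can be reported for those. The `SAMPLE_RDAP` object is a constructed response shaped like RFC 9083 output with placeholder handles, names and addresses; the live `fetch_rdap` call is included for completeness but the parser runs offline.

```python
"""Look up the abuse contact for an IP address via RDAP (RFC 9083)."""
import ipaddress
import json
import urllib.request

RDAP_BASE = "https://rdap.arin.net/registry/ip/"   # ARIN's RDAP endpoint


def is_reportable(ip):
    """True when the address is well-formed and globally routable."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def rdap_url(ip):
    """RDAP query URL for an IP lookup; rejects addresses no registry allocates."""
    if not is_reportable(ip):
        raise ValueError(f"{ip} is malformed, private or reserved; nothing to report")
    return RDAP_BASE + str(ipaddress.ip_address(ip))


def fetch_rdap(ip, timeout=10):
    """Live lookup (not exercised offline). When another RIR holds the block the
    server answers with a redirect, which urllib follows."""
    req = urllib.request.Request(rdap_url(ip), headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def abuse_emails(rdap_obj):
    """Collect email addresses of every entity carrying the 'abuse' role,
    descending into nested entities."""
    found = []

    def walk(entities):
        for ent in entities or []:
            if "abuse" in ent.get("roles", []):
                # vcardArray is ["vcard", [[name, params, type, value], ...]]
                for prop in ent.get("vcardArray", ["vcard", []])[1]:
                    if prop[0] == "email":
                        found.append(prop[3])
            walk(ent.get("entities"))

    walk(rdap_obj.get("entities"))
    return found


# Constructed sample shaped like an RFC 9083 response. Handles, names and
# addresses are placeholders, not the real registration of any network.
SAMPLE_RDAP = {
    "objectClassName": "ip network",
    "handle": "NET-EXAMPLE-1",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "entities": [
        {
            "objectClassName": "entity",
            "handle": "ORG-EXAMPLE",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Transit Provider"],
                ["email", {}, "text", "noc@example.net"],
            ]],
            "entities": [
                {
                    "objectClassName": "entity",
                    "handle": "ABUSE-EXAMPLE",
                    "roles": ["abuse"],
                    "vcardArray": ["vcard", [
                        ["version", {}, "text", "4.0"],
                        ["fn", {}, "text", "Abuse Desk"],
                        ["email", {"type": "work"}, "text", "abuse@example.net"],
                    ]],
                }
            ],
        }
    ],
}


if __name__ == "__main__":
    print(rdap_url("149.104.249.105"))
    print("abuse contacts:", abuse_emails(SAMPLE_RDAP))
```

The registrant's NOC address is deliberately not returned: abuse desks are the contacts that act on flood reports, and a report should carry the log excerpt with timestamps and time zone, the two addresses, and the reporter's own public IP so the recipient can match it against their flow records.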
masnrock commented:
You could cite your issue to Spectrum. Unless you have a static IP address from them, they can get rid of your DHCP lease, which would at least help you get a new IP address. This requires your calling them.

Do you have anything on your network that you intended to be accessible from the outside? If so, you may want to take a look into that. Also check your router for anything strange, like maybe leaving remote administration on by mistake. At least review the things you have control over.

Note: This is not getting you out of following the advice MASQ provided, or looking into what arnold provided.
A C (Author) commented:
I'm still getting hit, and it appears that it's getting stranger. See screenshot.

The IP addresses don't even make sense now...

Apparently SOURCE is 140.3.230.0, which says it is a DoD IP address that I can't ping when I try, and DESTINATION is 141.98.211.14, which isn't a valid IP address at all and has no information when I look it up online. My actual ISP public IP is 76.x.x.x, with TWC, Spectrum, etc. I don't have ANY devices on my network that would need to be, or would be, communicating with either 140.3.230.0 or 141.98.211.14, and yet somehow in the span of less than a minute I can get hundreds of logged attempts of something from 140.3.230.0 trying to get to 141.98.211.14. It definitely slows my Internet to a crawl when it happens, and I have no idea why it is even happening at all.

https://i.imgur.com/qMe6NHV.png
WTF9.png
arnold commented:
As your router log indicates, it is an attack.
The only way to prevent a knock at the door is to report the potential intruder to those who provide their access, their ISP.

Reach out to your ISP and see whether they can intervene or assist; potentially it might be affecting other customers, if not compromising some too ... so they will be seeing complaints about attacks originating from their network.
serialband commented:
Netgear's logs seem inaccurate or oversensitive, especially on the lower-end stuff. They also seem to be easily flooded by packets and label almost everything DoS. I see stuff in the Netgear logs that claims to be DoS when it's normal traffic. Get a better device.

If you're not even clear on what they are, then don't report it. You'll only look like a fool to them if you don't give them enough detail or tell them the wrong thing. Those packets/attacks are happening on the Internet all the time. They could be legitimate, but you can't tell with those inaccurate Netgear logs. They could just be probes from an infected system, and there's not a thing you can do about them. Those probes will rotate to other IP addresses after a span. I used to see these types of logs on Linux systems all the time and just installed fail2ban to mitigate the attacks and reduce the log sizes for the users so they wouldn't have to do much. Unfortunately, these devices run on some sort of crippled Linux and you can't do as much on them.

In my relatively short experience in the cable modem realm, it seems that the cable company hubs pass too much junk traffic through the shared connections and you get hit as a side effect too. Cable modem equipment seems to also be subpar in handling traffic on a shared network. Ping times are much higher and packet loss is more prevalent. Their main saving grace is that they have faster speeds than DSL. DSL is slower, but the ping times are lower and the connections are more solid, most of the time.

I wish they'd just go to fiber and we'd have symmetric Gigabit connections. I've been on Internet2 since its inception and have seen the things we could accomplish with those speeds. Cable and DSL are throttling innovation with their monopolistic practices. It's a detriment to the overall economy. It's really very short-term thinking.