A C

Can someone explain why this is happening? Am I getting hacked?

So my residential router is a Netgear gateway C3700-100NAS with Spectrum Internet. Usually I have no problems. But every so often, intermittently and not very predictably, I notice my Internet slow down to a crawl, and even pinging 8.8.8.8 or www.yahoo.com will time out or have insane times.

I checked my Netgear gateway C3700-100NAS logs and saw this. Apparently in the span of less than a minute or so there were hundreds of entries with a Source of "140.3.230.0" and a Target/Destination of "149.104.249.105". Neither of these IPs has anything to do with my residential IP address, nor would/should any device on my network be sending or receiving anything to or from either of these IP addresses.

Based on a simple lookup, it appears that 149.104.249.105 is located in Washington D.C. (Northwest Washington), District of Columbia, US, with ISP Cogent Communications, and that 140.3.230.0 is located in Columbus, Ohio, US, with ISP DoD Network Information Center.

Does anyone have any idea what is going on?

https://i.imgur.com/cf2t7BQ.jpg
wtf.jpg
Tags: Routers, Networking, Netgear, Security

Jason Carson

According to those logs that is a 'denial of service' attack. The good news is you probably haven't been hacked, but whoever is doing it is flooding your router with so many packets that it denies you, or severely limits, your Internet access.

To give you an analogy, your Internet access could be thought of as a highway. And each packet is a car. The attacker is flooding the highway with packets and it brings traffic to a stall.

One way to get around it may be to simply reboot your modem so it receives a new IP.
A C

ASKER

Okay, thanks. But one of the problems is I'm with TWC/Spectrum and they statically assign public IP addresses, so I'm stuck with the one I have gotten. The only time that I ever got a new IP was when my previous router died; when I got a replacement router (also the same C3700 Netgear model) I had to call them with the MAC/CM MAC info, and after they registered the new router on their end I noticed when going to whatismyipaddress that I had gotten a new public IP address. It doesn't happen all the time, but when it does happen it slows me down to a crawl, and usually a reboot stops it, but not because it changed to a different IP address (it's static).

The other thing I thought was strange is that, assuming the IP addresses are legit and not spoofed or anything, based on whatever public records are available it appears to be coming from a government network and going to another government network.

All of them have a Source of "140.3.230.0" and a Target/Destination of "149.104.249.105".


https://imgur.com/a/dAyuA
14032300.png
149104249105.png
☠ MASQ ☠

A C

ASKER

@MASQ, if the source and destination are both public IP addresses that aren't related to mine and not under my control (as indicated in the logs), how would I know which, if any, computer or device on my home ISP might have been inadvertently compromised? There doesn't seem to be a way for me to find out from these Netgear logs.
☠ MASQ ☠

The "old-school" solution would be to shut down your network-connected devices, temporarily disable the WiFi in the router or the wired connection to access points, and then restart the router, followed by a wired connection to the machine least likely to have an infection. Check the router logs through that machine and see if you have any change in behaviour.
Jason Carson

You can download and install the free version of Malwarebytes. Then use it to scan your computers.
Matty-CT

It might be time-consuming, but MASQ's advice is right on. Disconnect everything and see if the DDoS attacks (or whatever exactly the traffic is doing) stop. Then add each device back one at a time, watching the logs. Also, scan all your devices using Malwarebytes et al., as mentioned already. Remember, malware can hide in even the most innocuous network-connected devices! Good luck, and let us know what you find, if anything.
arnold

Take your logs and email them to the abuse@cogent address reflected in the arin.net registration record for 149.104.249.105.
They will address the issue. While the suggestion provided is helpful, in the example it seems the originating system is broadcasting/multicasting to your provider's class C segment 104.3.230.0/24.

Your Netgear identifies the type of attack it sees, ..........
https://whois.arin.net/rest/net/NET-149-104-0-0-1/pft?s=149.104.249.105
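A small offline log-triage script, added here as an illustration (it is not part of any post in this thread, nor Netgear's or Spectrum's code): it parses constructed gateway log lines in a hypothetical "timestamp event src= dst=" layout (the real C3700 log layout is not reproduced), counts how many entries each source/destination pair produces inside any sliding 60-second window, and labels each address relative to a placeholder home network so that "hundreds of entries in under a minute between two addresses that are not mine" stands out from ordinary LAN traffic. Only the IP pair 140.3.230.0 -> 149.104.249.105 and 8.8.8.8 come from the thread; the timestamps, line format, LAN range (192.168.1.0/24) and public address (203.0.113.5, a documentation range) are constructed placeholders.

```python
"""Triage a burst of gateway log entries: who is talking to whom, how fast,
and whether either side is actually one of my own addresses."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical line layout (NOT the Netgear C3700's real log format):
#   2018-01-01 12:00:00 DoS-attack src=140.3.230.0 dst=149.104.249.105
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
)

# Constructed placeholders: the asker's real 76.x.x.x address and LAN
# range are not on the page. 203.0.113.0/24 is a documentation range.
MY_PUBLIC_IP = "203.0.113.5"
MY_LAN = "192.168.1.0/24"


def make_sample_log():
    """Constructed sample log: 150 flood entries for the pair from the thread
    spread over 45 seconds, plus three ordinary LAN-originated entries."""
    base = datetime(2018, 1, 1, 12, 0, 0)
    lines = []
    for i in range(150):
        ts = base + timedelta(milliseconds=300 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} DoS-attack "
                     f"src=140.3.230.0 dst=149.104.249.105")
    # 192.0.2.44 is a constructed address from the TEST-NET-1 range.
    for i, dst in enumerate(["8.8.8.8", "8.8.8.8", "192.0.2.44"]):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} allowed src=192.168.1.20 dst={dst}")
    return lines


def parse_line(line):
    """Return (timestamp, src, dst) for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            m.group("src"), m.group("dst"))


def burst_counts(lines, window=timedelta(seconds=60)):
    """For each (src, dst) pair, the largest number of entries that fall
    inside any window of the given length, found by sliding two indices
    over the sorted timestamps."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst = rec
            stamps[(src, dst)].append(ts)
    peaks = {}
    for pair, times in stamps.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[pair] = best
    return peaks


def classify(ip, my_public_ip=MY_PUBLIC_IP, my_lan=MY_LAN):
    """Where an address sits relative to this home network."""
    addr = ipaddress.ip_address(ip)
    if addr == ipaddress.ip_address(my_public_ip):
        return "my public IP"
    if addr in ipaddress.ip_network(my_lan):
        return "my LAN"
    if addr.is_private:
        return "private, not my LAN"
    return "external"


def suspicious_pairs(lines, threshold=100):
    """Pairs that exceed the per-minute threshold AND involve none of my
    addresses on either side: exactly the pattern the thread is asking about."""
    flagged = {}
    for (src, dst), peak in burst_counts(lines).items():
        sides = {classify(src), classify(dst)}
        if peak >= threshold and not (sides & {"my public IP", "my LAN"}):
            flagged[(src, dst)] = peak
    return flagged


if __name__ == "__main__":
    log = make_sample_log()
    for (src, dst), peak in burst_counts(log).items():
        print(f"{src:>16} ({classify(src)}) -> {dst:<16} ({classify(dst)}): "
              f"peak {peak} entries/min")
    print("flagged:", suspicious_pairs(log))
```

Pointing `make_sample_log()` at a real exported log means only adjusting `LINE_RE` to the gateway's actual layout; the sliding-window count and the "neither side is mine" test are what turn a wall of identical entries into the one line worth sending to the abuse contact.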
masnrock

You could report your issue to Spectrum. Unless you have a static IP address from them, they can clear your DHCP lease, which would at least help you get a new IP address. This requires calling them.

Do you have anything on your network that you intended to be accessible from the outside? If so, you may want to take a look into that. Also check your router for anything strange, like maybe leaving remote administration on by mistake. At least review the things you have control over.

Note: This is not getting you out of following the advice MASQ provided, or looking into what arnold provided.
A C

ASKER

I'm still getting hit, and it appears that it's getting stranger. See screenshot.

The IP addresses don't even make sense now...

Apparently the SOURCE is 140.3.230.0, which says it is a DoD IP address that I can't ping when I try, and the DESTINATION is 141.98.211.14, which isn't a valid IP address at all and has no information when I try to look it up online. My actual ISP public IP is 76.x.x.x, with TWC, Spectrum etc. I don't have ANY devices on my network that would need to be or would be communicating with either 140.3.230.0 or 141.98.211.14, and yet somehow in the span of less than a minute I can get hundreds of logged attempts of something from 140.3.230.0 trying to get to 141.98.211.14. It definitely slows my internet to a crawl when it happens, and I have no idea why it is even happening at all.

https://i.imgur.com/qMe6NHV.png
WTF9.png
arnold

As your router log indicates, it is an attack.
The only way to prevent a knock at the door is to report the potential intruder to those who provide their access, their ISP.

Reach out to your ISP and see whether they can intervene or assist; potentially it might be affecting other customers, if not potentially compromising some too... They will be seeing complaints about attacks originating from their network.
ASKER CERTIFIED SOLUTION
serialband
