DOS ATTACK,should I be worried
22-10-2009, 13:13
|
#31
|
Inactive
Join Date: Feb 2008
Location: Swindon
Services: TiVo
110MB BB
Phone Line
Posts: 3,087
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by pabscars
Purely because it says so in the router logs
|
Hmmm - first one might not be a DDOS - 2nd one might be - send their helpdesk an email.
|
|
|
22-10-2009, 13:33
|
#32
|
Inactive
Join Date: Oct 2008
Location: warrington
Age: 52
Services: TiVo, 75 Smeg Broadband
Posts: 2,199
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by webcrawler2050
Hmmm - first one might not be a DDOS - 2nd one might be - send their helpdesk an email.
|
Do you mean this one, helpdesk@apnic.net
Sorry if I'm asking a silly question but what should I say to them.
"Oi you, you been dossing me you swines, quit it or I'll send the boys round, iiiiiiiiiiiiiiiiiiiite"
|
|
|
22-10-2009, 13:34
|
#33
|
Inactive
Join Date: Feb 2008
Location: Swindon
Services: TiVo
110MB BB
Phone Line
Posts: 3,087
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by pabscars
Do you mean this one, helpdesk@apnic.net
Sorry if I'm asking a silly question but what should I say to them.
"Oi you, you been dossing me you swines, quit it or I'll send the boys round, iiiiiiiiiiiiiiiiiiiite"
|
Yes this one. Something on the lines of
"This IP has been DDOS'ing me - can you advise etc"
|
|
|
22-10-2009, 14:07
|
#34
|
Inactive
Join Date: Oct 2008
Location: warrington
Age: 52
Services: TiVo, 75 Smeg Broadband
Posts: 2,199
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by webcrawler2050
Yes this one. Something on the lines of
"This IP has been DDOS'ing me - can you advise etc"
|
Done, I will let you know if they respond.
thanks again much appreciated
|
|
|
22-10-2009, 14:09
|
#35
|
Inactive
Join Date: Feb 2008
Location: Swindon
Services: TiVo
110MB BB
Phone Line
Posts: 3,087
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by pabscars
Done, I will let you know if they respond.
thanks again much appreciated
|
Let me know how you get on
|
|
|
22-10-2009, 14:40
|
#36
|
Inactive
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,384
|
Re: DOS ATTACK,should I be worried
Please tell me that we didn't just inform the OP that they should be emailing APNIC or even Microsoft to complain about an ACK based DDOS attack?
|
|
|
22-10-2009, 14:48
|
#37
|
Inactive
Join Date: Oct 2008
Location: warrington
Age: 52
Services: TiVo, 75 Smeg Broadband
Posts: 2,199
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by Rob M
Please tell me that we didn't just inform the OP that they should be emailing APNIC or even Microsoft to complain about an ACK based DDOS attack?
|
Yes
|
|
|
22-10-2009, 14:51
|
#38
|
Inactive
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,384
|
Re: DOS ATTACK,should I be worried
I'll go on to explain shall I?
The 'Dos Attack' is originating from a MS IP address, so there's no point in complaining to APNIC about it. The one that's listed as LAN access is the only one that APNIC might be interested in, but I doubt it.
Microsoft won't be able to do anything about the ACK attack, nor should they even try I suspect. This particular attack is caused by a malicious host (somewhere) on the Internet sending a SYN packet to Microsoft's servers with a spoofed originating IP address (that of the OP). The TCP/IP specification then requires Microsoft's servers to send an 'ACK' in response; this is what the OP is seeing in that one, single, lonesome, firewall log entry that we're seeing.
The other entry, the one with the Chinese IP address, is the one that I'd be worried about. A lot more worried than I would be about the Microsoft one. Even then though I think I'd be tempted to ignore it; if the firewall's blocking port 80 then that connection attempt will have failed. So, again, no need to worry.
My advice: find a friend that knows something about network security, give them your IP address, and ask them to run a couple of manual scans for you - they should be able to tell you in a few minutes whether you've got anything you need to worry about. I'd offer to do it for you, but you don't know me from Adam and I don't trust me so I don't see why you should.
The main things to ensure are:
1. You have an external firewall (preferably on your router) that is set to block all incoming traffic, reject anonymous Internet requests (ping, etc), and to perform SPI.
2. The web interface for your router is NOT exposed to the Internet.
3. The management console on the router is protected by a STRONG password.
4. That you have properly secured any wireless technologies that you might have employed on the inside of your LAN.
|
|
|
22-10-2009, 14:51
|
#39
|
Inactive
Join Date: Feb 2008
Location: Swindon
Services: TiVo
110MB BB
Phone Line
Posts: 3,087
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by Rob M
Please tell me that we didn't just inform the OP that they should be emailing APNIC or even Microsoft to complain about an ACK based DDOS attack?
|
Not MS noo, no chance. Could be a variety of things.
However, APNIC - will be able to provide "more" information on this IP - could be a simple issue - either way, as the issuer of the IP - like RIPE - so they may provide some information or point the OP in the right place.
|
|
|
22-10-2009, 14:59
|
#40
|
Inactive
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,384
|
Re: DOS ATTACK,should I be worried
But APNIC issued the remote access IP, not the one that the OP thinks is behind his DDOS attack.....
There's no point asking APNIC to look at a DDOS attack, and then giving them either an IP address they didn't issue or a firewall log for a remote access attempt.....
|
|
|
22-10-2009, 15:02
|
#41
|
Inactive
Join Date: Feb 2008
Location: Swindon
Services: TiVo
110MB BB
Phone Line
Posts: 3,087
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by Rob M
But APNIC issued the remote access IP, not the one that the OP thinks is behind his DDOS attack.....
There's no point asking APNIC to look at a DDOS attack, and then giving them either an IP address they didn't issue or a firewall log for a remote access attempt.....
|
Yes but they issued the ip so will have contact details for the owner. Which seems to point to "GSTA.COM" and or "Shantou Hengxin Techonlogy Co.,Ltd"
|
|
|
22-10-2009, 15:08
|
#42
|
Inactive
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,384
|
Re: DOS ATTACK,should I be worried
This IP address:
Code:
[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:38:24
Not listed as a suspected DDOS attack, but maintained by APNIC.
This IP address:
Code:
[DoS Attack: ACK Scan] from source: 213.199.149.148, port 80, Wednesday, October 21,2009 01:18:40
Listed as a suspected DOS attack, NOT maintained by APNIC.
If you want to complain to someone, or get more information from someone about the origins of the IP address that's involved with the 'attack' you need to either talk to Microsoft (who will not be interested as there's nothing they can do) or RIPE (who will tell you that it's an IP address issued to Microsoft, and that there's nothing they can do).
Personally, I think that the first IP address is more likely to be the 'suspect' one and that it's far more likely that any 'attack' will have come from there. The second one is more likely a background Internet request that's gotten picked up by an overly sensitive firewall.
You really can spend your entire life trying to chase these things down and get bloody nowhere.
---------- Post added at 15:08 ---------- Previous post was at 15:07 ----------
Quote:
Originally Posted by webcrawler2050
Yes but they issued the ip so will have contact details for the owner. Which seems to point to "GSTA.COM" and or "Shantou Hengxin Techonlogy Co.,Ltd"
|
Yes, but the OP wants to talk to them about a DOS ATTACK, and the IP listed as being responsible for the DOS ATTACK isn't one of theirs, it's one of RIPE's and is assigned to Microsoft.
|
|
|
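Added example, not part of any post in the thread: a small Python parser for the two router log formats quoted above, which counts entries per source and event type and lists the LAN host and port named in each remote-access entry, so a single ACK entry can be told apart from a repeated inbound one. The regular expressions are written against the two quoted lines only; the repeated lines in the sample, the function names and the threshold are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the two formats quoted in the thread; the repeated
# lines and their timestamps are made up for illustration.
SAMPLE_LOG = """\
[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:38:24
[DoS Attack: ACK Scan] from source: 213.199.149.148, port 80, Wednesday, October 21,2009 01:18:40
[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:41:02
[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:52:47
"""

REMOTE = re.compile(r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
                    r"to (?P<dst>[\d.]+):(?P<dport>\d+),")
DOS = re.compile(r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+), "
                 r"port (?P<sport>\d+),")

def parse_line(line):
    """Return a dict describing one log entry, or None if unrecognised."""
    m = REMOTE.match(line)
    if m:
        return {"event": "remote_access", "src": m["src"],
                "target": f'{m["dst"]}:{m["dport"]}'}
    m = DOS.match(line)
    if m:
        return {"event": "dos:" + m["kind"], "src": m["src"],
                "src_port": int(m["sport"])}
    return None

def summarise(log_text, repeat_threshold=3):
    """Count entries per (source, event) and collect LAN targets per source."""
    counts, targets = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue  # skip formats this sketch does not know
        counts[(entry["src"], entry["event"])] += 1
        if entry["event"] == "remote_access":
            targets[entry["src"]].add(entry["target"])
    repeated = sorted(src for (src, _), n in counts.items() if n >= repeat_threshold)
    return counts, dict(targets), repeated

if __name__ == "__main__":
    counts, targets, repeated = summarise(SAMPLE_LOG)
    for (src, event), n in counts.most_common():
        print(f"{src:16} {event:20} x{n}")
    print("LAN targets named in remote-access entries:", targets)
    print("sources at or above threshold:", repeated)
```

A LAN target that shows up here is the host and port to check against the router's port-forwarding and remote-management settings.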
22-10-2009, 15:22
|
#43
|
Inactive
Join Date: Oct 2008
Location: warrington
Age: 52
Services: TiVo, 75 Smeg Broadband
Posts: 2,199
|
Re: DOS ATTACK,should I be worried
Hey guys, I didn't want to cause anyone any hassle, just an opinion whether it was a concern or not.
The first IP posted was listed lots of times in the logs if that makes any difference, I didn't really mean to post that one, just the one mentioning the dos attack.
I rightly or wrongly assumed that was the one to be concerned about.
|
|
|
22-10-2009, 15:28
|
#44
|
Inactive
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,384
|
Re: DOS ATTACK,should I be worried
Not causing any hassle, just don't like to see people left with any confusion.
In my professional opinion......there is little/nothing to be gained from chasing down the DOS attack (or the remote access line, although that's the one I'd be more concerned about of the two).
You will gain most value from your time by investing it in ensuring that your external network defences are as robustly configured as they can be, and then ensuring that the security providing/enhancing features of any software installed on the inside of your LAN are configured and maintained correctly.
If the 'DOS' attack persists, and your connection is severely degraded as a result, THEN it might be worth taking the matter further.
|
|
|
22-10-2009, 15:51
|
#45
|
Inactive
Join Date: Oct 2008
Location: warrington
Age: 52
Services: TiVo, 75 Smeg Broadband
Posts: 2,199
|
Re: DOS ATTACK,should I be worried
Quote:
Originally Posted by Rob M
Not causing any hassle, just don't like to see people left with any confusion.
In my professional opinion......there is little/nothing to be gained from chasing down the DOS attack (or the remote access line, although that's the one I'd be more concerned about of the two).
You will gain most value from your time by investing it in ensuring that your external network defences are as robustly configured as they can be, and then ensuring that the security providing/enhancing features of any software installed on the inside of your LAN are configured and maintained correctly.
If the 'DOS' attack persists, and your connection is severely degraded as a result, THEN it might be worth taking the matter further.
|
Ok Cheers Rob, I was never that interested in tracking down where it originated from but given the help from you guys on CF I thought maybe you were curious.
Current security comes via VM, as in the one that comes on the installation disc when you first enroll, and seems to be doing a good enough job so far.
On the router, SPI is enabled at present but has in the past been disabled, on my LAN side I've assigned fixed IPs to the MAC address of each appliance I want to connect to, so I can turn off broadcast SSID.
It may sound like I have a clue what I'm doing but I don't really,
thanks for bottoming this one out
|
|
|