DOS ATTACK,should I be worried
Old 22-10-2009, 13:13   #31
webcrawler2050
Inactive
 
Join Date: Feb 2008
Location: Swindon
Services: TiVo 110MB BB Phone Line
Posts: 3,087

Quote:
Originally Posted by pabscars View Post
Purely because it says so in the router logs
Hmmm - first one might not be a DDOS - 2nd one might be - send their helpdesk an email.
Old 22-10-2009, 13:33   #32
pabscars
Inactive
 
Join Date: Oct 2008
Location: warrington
Age: 52
Services: TiVo, 75 Smeg Broadband
Posts: 2,199

Quote:
Originally Posted by webcrawler2050 View Post
Hmmm - first one might not be a DDOS - 2nd one might be - send their helpdesk an email.
Do you mean this one, helpdesk@apnic.net?

Sorry if I'm asking a silly question, but what should I say to them?

"Oi you, you been dossing me you swines, quit it or I'll send the boys round, iiiiiiiiiiiiiiiiiiiite"
Old 22-10-2009, 13:34   #33
webcrawler2050

Quote:
Originally Posted by pabscars View Post
Do you mean this one, helpdesk@apnic.net?

Sorry if I'm asking a silly question, but what should I say to them?

"Oi you, you been dossing me you swines, quit it or I'll send the boys round, iiiiiiiiiiiiiiiiiiiite"
Yes, this one. Something on the lines of

"This IP has been DDOS'ing me - can you advise etc"
Old 22-10-2009, 14:07   #34
pabscars

Quote:
Originally Posted by webcrawler2050 View Post
Yes this one. Something on the lines of

"This IP has been DDOS'ing me - can you advise etc"
Done, I will let you know if they respond.

thanks again much appreciated
Old 22-10-2009, 14:09   #35
webcrawler2050

Quote:
Originally Posted by pabscars View Post
Done, I will let you know if they respond.

thanks again much appreciated
Let me know how you get on
Old 22-10-2009, 14:40   #36
Raistlin
Inactive
 
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,384

Please tell me that we didn't just inform the OP that they should be emailing APNIC or even Microsoft to complain about an ACK based DDOS attack?
Old 22-10-2009, 14:48   #37
pabscars

Quote:
Originally Posted by Rob M View Post
Please tell me that we didn't just inform the OP that they should be emailing APNIC or even Microsoft to complain about an ACK based DDOS attack?
Yes
Old 22-10-2009, 14:51   #38
Raistlin

I'll go on to explain shall I?

The 'Dos Attack' is originating from a MS IP address, so there's no point in complaining to APNIC about it. The one that's listed as LAN access is the only one that APNIC might be interested in, but I doubt it.

Microsoft won't be able to do anything about the ACK attack, nor should they even try I suspect. This particular attack is caused by a malicious host (somewhere) on the Internet sending a SYN packet to Microsoft's servers with a spoofed originating IP address (that of the OP). The TCP/IP specification then requires Microsoft's servers to send an 'ACK' in response, this is what the OP is seeing in that one, single, lonesome, firewall log entry that we're seeing.

The other entry, the one with the Chinese IP address, is the one that I'd be worried about. A lot more worried than I would be about the Microsoft one. Even then though I think I'd be tempted to ignore it, if the firewall's blocking port 80 then that connection attempt will have failed. So, again, no need to worry.

My advice, find a friend that knows something about network security, give them your IP address, and ask them to run a couple of manual scans for you - they should be able to tell you in a few minutes whether you've got anything you need to worry about. I'd offer to do it for you, but you don't know me from Adam and I don't trust me so I don't see why you should

The main things to ensure are:

1. You have an external firewall (preferably on your router) that is set to block all incoming traffic, reject anonymous Internet requests (ping, etc), and to perform SPI.

2. The web interface for your router is NOT exposed to the Internet.

3. The management console on the router is protected by a STRONG password.

4. That you have properly secured any wireless technologies that you might have employed on the inside of your LAN.
Old 22-10-2009, 14:51   #39
webcrawler2050

Quote:
Originally Posted by Rob M View Post
Please tell me that we didn't just inform the OP that they should be emailing APNIC or even Microsoft to complain about an ACK based DDOS attack?
Not MS noo, no chance. Could be a variety of things.

However, APNIC - will be able to provide "more" information on this IP - could be a simple issue - either way, as the issuer of the IP - like RIPE - so they may provide some information or point the OP in the right place.
Old 22-10-2009, 14:59   #40
Raistlin

But APNIC issued the remote access IP, not the one that the OP thinks is behind his DDOS attack.....

There's no point asking APNIC to look at a DDOS attack, and then giving them either an IP address they didn't issue or a firewall log for a remote access attempt.....
Old 22-10-2009, 15:02   #41
webcrawler2050

Quote:
Originally Posted by Rob M View Post
But APNIC issued the remote access IP, not the one that the OP thinks is behind his DDOS attack.....

There's no point asking APNIC to look at a DDOS attack, and then giving them either an IP address they didn't issue or a firewall log for a remote access attempt.....
Yes but they issued the ip so will have contact details for the owner. Which seems to point to "GSTA.COM" and or "Shantou Hengxin Techonlogy Co.,Ltd"
Old 22-10-2009, 15:08   #42
Raistlin

This IP address:

Code:
[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:38:24
Not listed as a suspected DDOS attack, but maintained by APNIC.

This IP address:

Code:
 [DoS Attack: ACK Scan] from source: 213.199.149.148, port 80, Wednesday, October 21,2009 01:18:40
Listed as a suspected DOS attack, NOT maintained by APNIC.

If you want to complain to someone, or get more information from someone about the origins of the IP address that's involved with the 'attack' you need to either talk to Microsoft (who will not be interested as there's nothing they can do) or RIPE (who will tell you that it's an IP address issued to Microsoft, and that there's nothing they can do).

Personally, I think that the first IP address is more likely to be the 'suspect' one and that it's far more likely that any 'attack' will have come from there. The second one is more likely a background Internet request that's gotten picked up by an overly sensitive firewall.

You really can spend your entire life trying to chase these things down and get bloody nowhere.

---------- Post added at 15:08 ---------- Previous post was at 15:07 ----------

Quote:
Originally Posted by webcrawler2050 View Post
Yes but they issued the ip so will have contact details for the owner. Which seems to point to "GSTA.COM" and or "Shantou Hengxin Techonlogy Co.,Ltd"
Yes, but the OP wants to talk to them about a DOS ATTACK, and the IP listed as being responsible for the DOS ATTACK isn't one of theirs, it's one of RIPE's and is assigned to Microsoft.
Old 22-10-2009, 15:22   #43
pabscars

Hey guys, I didn't want to cause anyone any hassle, just an opinion whether it was a concern or not.

The first IP posted was listed lots of times in the logs if that makes any difference, I didn't really mean to post that one, just the one mentioning the dos attack.

I rightly or wrongly assumed that was the one to be concerned about.
pabscars is offline   Reply With Quote
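
The two router log formats quoted in post #42, parsed and tallied per source so that a repeated entry stands out from a one-off, as an added example that is not part of the original thread. The line formats are taken from the two quoted entries; the repeated entries, the unrecognised line and the wording of the notes are constructed here, and the notes are heuristics that follow the reading given in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed sample: the two entries quoted in the thread, two made-up repeats
# of the first one, and one made-up line in neither format.
SAMPLE_LOG = """\
[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:38:24
 [DoS Attack: ACK Scan] from source: 213.199.149.148, port 80, Wednesday, October 21,2009 01:18:40
[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:41:02
[LAN access from remote] from 121.14.229.199:6000 to 192.168.1.5:80, Wednesday, October 21,2009 04:45:57
[Some other event] not in either format, Wednesday, October 21,2009 09:00:00
"""

PATTERNS = {
    "remote_access": re.compile(
        r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
        r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<ts>.+)$"),
    "dos": re.compile(
        r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+), "
        r"port (?P<sport>\d+), (?P<ts>.+)$"),
}
TS_FORMAT = "%A, %B %d,%Y %H:%M:%S"  # e.g. "Wednesday, October 21,2009 04:38:24"

def parse_line(line):
    """Return a dict for a recognised entry, or None for anything else."""
    for event, pattern in PATTERNS.items():
        m = pattern.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        try:
            ip_address(rec["src"])  # rejects malformed addresses such as 999.1.1.1
            rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
        except ValueError:
            return None
        rec["event"] = event
        return rec
    return None

def summarise(log_text):
    """Group entries by (event, source IP) with count, first/last seen and a note."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["event"], rec["src"])].append(rec)
    report = {}
    for (event, src), recs in groups.items():
        first = recs[0]
        if event == "dos" and first["sport"] in ("80", "443"):
            # Heuristic from the thread: packets *from* a web port look like replies.
            note = "source port is a web port: consistent with reply traffic from a web server"
        elif event == "remote_access":
            note = (f"inbound to {first['dst']}:{first['dport']}: "
                    "check that this port is not forwarded or exposed")
        else:
            note = "review manually"
        report[(event, src)] = {"count": len(recs), "note": note,
                                "first": min(r["ts"] for r in recs),
                                "last": max(r["ts"] for r in recs)}
    return report

if __name__ == "__main__":
    for (event, src), info in summarise(SAMPLE_LOG).items():
        print(f"{event:14} {src:16} x{info['count']}  {info['first']} .. {info['last']}")
        print(f"    {info['note']}")
```
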
Old 22-10-2009, 15:28   #44
Raistlin

Not causing any hassle, just don't like to see people left with any confusion.

In my professional opinion......there is little/nothing to be gained from chasing down the DOS attack (or the remote access line, although that's the one I'd be more concerned about of the two).

You will gain most value from your time by investing it in ensuring that your external network defences are as robustly configured as they can be, and then ensuring that the security providing/enhancing features of any software installed on the inside of your LAN are configured and maintained correctly.

If the 'DOS' attack persists, and your connection is severely degraded as a result, THEN it might be worth taking the matter further.
Old 22-10-2009, 15:51   #45
pabscars

Quote:
Originally Posted by Rob M View Post
Not causing any hassle, just don't like to see people left with any confusion.

In my professional opinion......there is little/nothing to be gained from chasing down the DOS attack (or the remote access line, although that's the one I'd be more concerned about of the two).

You will gain most value from your time by investing it in ensuring that your external network defences are as robustly configured as they can be, and then ensuring that the security providing/enhancing features of any software installed on the inside of your LAN are configured and maintained correctly.

If the 'DOS' attack persists, and your connection is severely degraded as a result, THEN it might be worth taking the matter further.
Ok Cheers Rob, I was never that interested in tracking down where it originated from but given the help from you guys on CF I thought maybe you were curious.

Current security comes via VM, as in the one that comes on the installation disc when you first enroll, and seems to be doing a good enough job so far.

On the router, SPI is enabled at present but has in the past been disabled, on my LAN side I've assigned fixed IPs to the MAC address of each appliance I want to connect to, so I can turn off broadcast SSID.

It may sound like I have a clue what I'm doing but I don't really,

thanks for bottoming this one out