DOS ATTACK,should I be worried

[pabscars]

Hi Ladies and Gents, Ive just nipped home at lunchtime to see if I'd had a reply from some of the guys on the vm newsgroups, and while I was mooching I had a quick look at the router logs.

It showed a dos attack on port 80 at the weekend, whilst I wasnt using the internet I might add.

Should I be concerned.

any advice for a relative novice.

[Raistlin]

If the port's closed on your router (ie. rejecting inbound traffic on that port, or better still dropping inbound traffic on that port), and if your router is sufficiently robust to handle that amount of traffic directed at a single port, then I wouldn't worry about it at all.

[pabscars]

Quote:

Originally Posted by Rob M

If the port's closed on your router (ie. rejecting inbound traffic on that port, or better still dropping inbound traffic on that port), and if your router is sufficiently robust to handle that amount of traffic directed at a single port, then I wouldn't worry about it at all.

Chances are it may be open due to the port forwarding/triggering ive done for the xbox and ps3, the router is the one supplied by vm "netgear WNR2000" I think.

I also have spi turned on

[Dai]

I agree with Rob M. This stuff happens and this at least proves that your router is doing it's job properly.

I'd check your router settings and see if there is any facility for 'remote management' or words to that effect. If it has that function make sure it's switched off.

[Raistlin]

They shouldn't open port 80 inbound unless you're running a web server of some sort on them.

[pabscars]

Quote:

Originally Posted by DaiNasty

I agree with Rob M. This stuff happens and this at least proves that your router is doing it's job properly.

I'd check your router settings and see if there is any facility for 'remote management' or words to that effect. If it has that function make sure it's switched off.

Thanks for that, I will check when I get home later on, I do recall seeing something for remote management but Im not sure what its set too.

---------- Post added at 14:06 ---------- Previous post was at 14:03 ----------

Quote:

Originally Posted by Rob M

They shouldn't open port 80 inbound unless you're running a web server of some sort on them.

No, No web server ( whatever they are ), are dos attack like one off attacks, or can they happen over prolonged periods.

[webcrawler2050]

Quote:

Originally Posted by pabscars

Thanks for that, I will check when I get home later on, I do recall seeing something for remote management but Im not sure what its set too.

---------- Post added at 14:06 ---------- Previous post was at 14:03 ----------



No, No web server ( whatever they are ), are dos attack like one off attacks, or can they happen over prolonged periods.

it's very likely a port scanner of some description. Port 80 should be closed and your routers firewall should of kicked in anywho.

DDOS attacks can last for days an be every 10 seconds, if the "hacker / software" knows what they are doing. Seems like the attack wen't ment for a webserver as is was taketing port 80 httpd. Nothing to worry about.

[Dai]

Port scan seems a likely option. A serious DDOS attack involves packet volumes in excess of 100/second and can get up to the thousands if a botnet attack is occurring.

Probably just someone casually probing.

[webcrawler2050]

Port scan is very very likely.

[Raistlin]

You'll normally find that port scanners scan a range of ports, not the same port multiple times. A DOS is normally caused my sending massive amounts of traffic to a single socket, which is what the OP seems to be describing. If they were seeing a port scanner I'd expect to see them complaining of lots of ports being scanned not just port 80.

[webcrawler2050]

Quote:

Originally Posted by Rob M

You'll normally find that port scanners scan a range of ports, not the same port multiple times. A DOS is normally caused my sending massive amounts of traffic to a single socket, which is what the OP seems to be describing. If they were seeing a port scanner I'd expect to see them complaining of lots of ports being scanned not just port 80.

It could be both to be fair.

[pabscars]

Thank you all for your responses, its all a bit alien to me I,m afraid, I will have another mooch tonight and see if there is any more evidence.

Just one more question if I may,

Would these attacked influence my connectivity in anyway, because up until Thursday of last week, my connection had been very stable all week, yet since then its been all over the place.

Ive been having issues with slow speeds for some time, but like I say it had been rock steady for a week and now its back (worse than before) to being pants, so just wondered if there may be a connection?

[Raistlin]

If the connection to your router is being flooded with packets, and if your router is attempting to process them all (instead of just dropping them without trying to do anything with them), then yes it could affect your connection speed.

[Dai]

Going back to your router logs for a moment, you say they show attacks to port 80. Do they also indicate the attacking IP address?

It would be useful to know if all the hits originate from one IP or if they are coming from a range. If they are from different addresses a couple of examples would be interesting.

[webcrawler2050]

Quote:

Originally Posted by DaiNasty

Going back to your router logs for a moment, you say they show attacks to port 80. Do they also indicate the attacking IP address?

It would be useful to know if all the hits originate from one IP or if they are coming from a range. If they are from different addresses a couple of examples would be interesting.

It's likely it's coming from a "budget" rented server or some script.

if you can paste a bulk of your logs. The able here, will be able to see instantly.

And yes, if your router is under heavy DDOS then yes, speed will be effected