A Broadband and ADSL forum. BroadbanterBanter
DOS attack logged by Netgear router DG836G

  #1  
Old November 22nd 11, 06:29 PM posted to uk.telecom.broadband
brightside S9
external usenet poster
 
Posts: 144
Default DOS attack logged by Netgear router DG836G

From 19/11/11 at 1610 GMT to 20/11/11 at 0250 GMT my router logged a denial of
service every **10** minutes, +/- 1 second.

*** During these 10 hrs no PC was powered on, but the router is
powered on 24/7 ***

Here is one log entry, all others are the same except date/time:-

UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx. xx,5060
[DOS] UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx.xx,5060 - [DOS]

The destination address is my dynamic IP address, which I have munged.

The logs stopped after the router logged the following:-
Sun, 2011-11-20 02:58:28 - LCP down.
Sun, 2011-11-20 02:58:31 - Initialize LCP.
Sun, 2011-11-20 02:58:31 - LCP is allowed to come up.
Sun, 2011-11-20 02:58:32 - CHAP authentication success
Sun, 2011-11-20 09:45:39 - Administrator login successful -
IP:192.168.0.2

The Sunday morning logon reveals that my dynamic IP address is no
longer that shown in the DOS logs.

Whatever was going on, my ISP has refused to knock off the approx 2.8GB
of data which has taken me over my usage as he says the data was voice
and video. I don't have any form of VoIP on my PCs.

The logged ports are, AFAICT, 5060 = name = sip, purpose = sip, and
5191 = name = aol-1, purpose = AmericaOnline1.

So it does look like an attempt to connect for voice (port 5060 =
sip) from an AOL user in Korea.

There are a few questions:

1. How does the Netgear DG836G decide to log a DOS?

2. How could someone using 'voice' manage to get connected to my
dynamic IP when I have, AFAICT, no voip on my PCs, nor in the Netgear
DG836 router?

3. Is there anything that can be done to kill such traffic getting to
my router, other than powering it off?

4. I don't believe I should bear the cost for this problem, whether it
was deliberate or accidental. 2.8GB in 10hr 40 min could have got
even more expensive if I hadn't got a dynamic IP and whatever caused
the router to do a "LCP down" at 02:58 on Sunday morning.
Are there any guidelines for what ISPs should do in this situation?

5. It seems to me that this sort of thing could happen any time and
get expensive. Is there an ISP who could spot this happening and kill
it? I will probably move if there is one.

--
brightside S9
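An added example bearing on questions 1 and 4 (my own code, not the poster's router firmware or any Netgear tool): it parses DG836G-style [DOS] entries, checks the 10-minute cadence, and bounds how many bytes the logged packets could carry over the 19/11 16:10 to 20/11 02:50 window. It assumes a timestamped line layout for the packet entries and takes the ISP's 2.8GB as 2.8e9 bytes; both are assumptions, and the router may well log one entry per burst rather than per packet, which the last figure makes visible.

```python
import re
from datetime import datetime

# Constructed sample lines (this example's own, not from the thread). The
# DG836G packet entries quoted above carry no timestamp, so the router's
# "Day, date time - " prefix seen on its LCP/CHAP lines is assumed here; the
# destination is left munged exactly as the poster gave it.
SAMPLE_LOG = """\
Sat, 2011-11-19 16:10:02 - [DOS] UDP Packet - Source:121.165.117.62,5191 Destination:109.176.xxx.xx,5060
Sat, 2011-11-19 16:20:01 - [DOS] UDP Packet - Source:121.165.117.62,5191 Destination:109.176.xxx.xx,5060
Sat, 2011-11-19 16:30:03 - [DOS] UDP Packet - Source:121.165.117.62,5191 Destination:109.176.xxx.xx,5060
Sat, 2011-11-19 16:40:02 - [DOS] UDP Packet - Source:121.165.117.62,5191 Destination:109.176.xxx.xx,5060
Sat, 2011-11-19 16:40:04 - Administrator login successful - IP:192.168.0.2
"""

LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - \[DOS\] UDP Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) Destination:(?P<dst>[\dx.]+),(?P<dport>\d+)"
)

# An IPv4 datagram cannot exceed 65,535 bytes including headers, so this is
# the most traffic one logged packet could possibly account for.
MAX_UDP_DATAGRAM = 65_535

def parse_dos_events(text):
    """Return the [DOS] UDP entries as dicts; other router lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return events

def intervals_seconds(events):
    """Gaps between consecutive events, to confirm (or refute) a fixed cadence."""
    times = sorted(e["time"] for e in events)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def expected_events(duration_seconds, period_seconds):
    """Events at a fixed period over a window: one at t=0 plus one per full period."""
    return duration_seconds // period_seconds + 1

def upper_bound_bytes(event_count, datagrams_per_event=1):
    """Worst case: every logged event is that many maximum-size datagrams."""
    return event_count * datagrams_per_event * MAX_UDP_DATAGRAM

def datagrams_per_event_needed(event_count, claimed_bytes):
    """Max-size datagrams each entry would have to stand for to reach the bill
    (ceiling division); a large answer means the entries summarise bursts, or
    the billed traffic is not what the router logged."""
    return -(-claimed_bytes // (event_count * MAX_UDP_DATAGRAM))

def volume_check(start, end, period_seconds, claimed_bytes):
    """Compare a billed volume against what the logged cadence could carry."""
    n = expected_events(int((end - start).total_seconds()), period_seconds)
    bound = upper_bound_bytes(n)
    return {
        "events": n,
        "upper_bound_bytes": bound,
        "claim_explained_by_log": claimed_bytes <= bound,
        "datagrams_per_event_needed": datagrams_per_event_needed(n, claimed_bytes),
    }

def thread_window_check():
    """The thread's numbers: 19/11/11 16:10 to 20/11/11 02:50 GMT, one entry
    per 600 s, 2.8GB taken as 2.8e9 bytes (an assumption about the unit)."""
    return volume_check(datetime(2011, 11, 19, 16, 10),
                        datetime(2011, 11, 20, 2, 50), 600, 2_800_000_000)
```

For the thread's window this gives 65 entries and a ceiling of about 4.26 MB if each entry were one maximum-size datagram, so each entry would have to stand for roughly 658 such datagrams to reach the bill; that gap is the question to put to the ISP, and the router log alone cannot settle it.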
  #2  
Old November 22nd 11, 06:56 PM posted to uk.telecom.broadband
The Natural Philosopher
external usenet poster
 
Posts: 2,728
Default DOS attack logged by Netgear router DG836G

brightside S9 wrote:
From 19/11/11 at 1610 GMT to 20/11/11 at 0250 GMT my router logged a denial of
service every **10** minutes, +/- 1 second.

*** During these 10 hrs no PC was powered on, but the router is
powered on 24/7 ***

Here is one log entry, all others are the same except date/time:-

UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx. xx,5060
[DOS] UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx.xx,5060 - [DOS]

The destination address is my dynamic IP address, which I have munged.

The logs stopped after the router logged the following:-
Sun, 2011-11-20 02:58:28 - LCP down.
Sun, 2011-11-20 02:58:31 - Initialize LCP.
Sun, 2011-11-20 02:58:31 - LCP is allowed to come up.
Sun, 2011-11-20 02:58:32 - CHAP authentication success
Sun, 2011-11-20 09:45:39 - Administrator login successful -
IP:192.168.0.2

The Sunday morning logon reveals that my dynamic IP address is no
longer that shown in the DOS logs.

Whatever was going on, my ISP has refused to knock off the approx 2.8GB
of data which has taken me over my usage as he says the data was voice
and video. I don't have any form of VoIP on my PCs.

The logged ports are, AFAICT, 5060 = name = sip, purpose = sip, and
5191 = name = aol-1, purpose = AmericaOnline1.


The source port is almost irrelevant, but it's a weird port to be getting
a DOS attack on.

So it does look like an attempt to connect for voice (port 5060 =
sip) from an AOL user in Korea.

No, it's from a user in Korea. Source ports are usually random.

IPv4 Address : 121.160.0.0 - 121.191.255.255 (/11)
Service Name : KORNET
Organization Name : Korea Telecom
Organization ID : ORG1600
Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
Zip Code : 463-711
Registration Date : 20061106


There are a few questions:

1. How does the Netgear DG836G decide to log a DOS?

I would GUESS when more than X packets in Y time hit a port that's not
in use or known to it.


2. How could someone using 'voice' manage to get connected to my
dynamic IP when I have, AFAICT, no voip on my PCs, nor in the Netgear
DG836 router?

They didn't get connected. They merely threw a load of UDP packets at you.

Why, lord alone knows. One suspects they were trying to phone someone
and had the wrong ip address.

Or it was just plain malice, or they were hoping for some kind of stress
based attack.

Or you have some malware on your PCs you don't know about..but in that
case you should have seen bursts of outbound traffic.


3. Is there anything that can be done to kill such traffic getting to
my router, other than powering it off?


Nothing at all.

Although if you are on a dynamic address, resynching to a different one
is a good idea.

4. I don't believe I should bear the cost for this problem, whether it
was deliberate or accidental. 2.8GB in 10hr 40 min could have got
even more expensive if I hadn't got a dynamic IP and whatever caused
the router to do a "LCP down" at 02:58 on Sunday morning.
Are there any guidelines for what ISPs should do in this situation?


Nope. They transferred the packets to you. You threw them away. It costs
them to do it. Who should pay? You? All their other customers?


5. It seems to me that this sort of thing could happen any time and
get expensive. Is there an ISP who could spot this happening and kill
it? I will probably move if there is one.


Pretty damned hard, frankly. You MIGHT set up your own NAT router online
somewhere on a virtual host and run your own firewall... but it's getting
VERY complicated.

The beauty of using VOIP packets is that most ISPs will give them top
priority. After all, the guy MIGHT have been phoning you.

What is more worthwhile and may yet happen is that ISPs will offer user
level firewalling at their site so you can at least block this crap at
'ISP central' rather than in your own home, so to speak, as they do with spam.


Tell you what though, look at this


#telnet 121.165.117.62
Trying 121.165.117.62...
Connected to 121.165.117.62.
Escape character is '^]'.
Fedora release 12 (Constantine)
Kernel 2.6.32.14-127.fc12.i686.PAE on an i686 (3)
login:

So, guys, this site has an open TELNET login on a box running Red Hat...

I leave the rest to you


  #3  
Old November 22nd 11, 07:19 PM posted to uk.telecom.broadband
Gordon Henderson
external usenet poster
 
Posts: 797
Default DOS attack logged by Netgear router DG836G

In article ,
brightside S9 wrote:
From 19/11/11 at 1610 GMT to 20/11/11 at 0250 GMT my router logged a denial of
service every **10** minutes, +/- 1 second.

*** During these 10 hrs no PC was powered on, but the router is
powered on 24/7 ***

Here is one log entry, all others are the same except date/time:-

UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx. xx,5060
[DOS] UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx.xx,5060 - [DOS]


It's probably a sipvicious attack. Google it.

However SV usually attacks faster than that - I've seen it max out at
about 300/sec.

But basically you're screwed over for the duration of the attack.

Whatever was going on, my ISP has refused to knock off the approx 2.8GB
of data which has taken me over my usage as he says the data was voice
and video. I don't have any form of VoIP on my PCs.


Yup. Most ISPs just don't give a ****. They don't care. I've had customer
sites that had to apply top-up payments to their ISPs just to keep their
services open until the attack subsides. 3 days is the longest I've seen.

However are you sure you don't run any SIP services?

Sipvicious checks beforehand and will only launch a full-on attack if it
thinks there is a SIP PBX of some sort behind the IP address.

3. Is there anything that can be done to kill such traffic getting to
my router, other than powering it off?


If it is SipVicious then you can sometimes crash it - you need to get
the SV source code (it's hosted on Google) and run the crash program
(you'll need a PC with Python); however, it doesn't always work.

4. I don't believe I should bear the cost for this problem, whether it
was deliberate or accidental. 2.8GB in 10hr 40 min could have got
even more expensive if I hadn't got a dynamic IP and whatever caused
the router to do a "LCP down" at 02:58 on Sunday morning.
Are there any guidelines for what ISPs should do in this situation?


No - and they don't care either. My experience is that knowing a techie
inside the ISP helped to get it blocked, or going with an ISP that
actually cares might help, but most don't and you'll find it almost
impossible to get past the customer support firewall.

5. It seems to me that this sort of thing could happen any time and
get expensive. Is there an ISP who could spot this happening and kill
it? I will probably move if there is one.


AAISP is probably the best there is, but they're reassuringly expensive.

Gordon
  #4  
Old November 22nd 11, 07:39 PM posted to uk.telecom.broadband
The Natural Philosopher
external usenet poster
 
Posts: 2,728
Default DOS attack logged by Netgear router DG836G

Gordon Henderson wrote:
In article ,
brightside S9 wrote:
From 19/11/11 at 1610 GMT to 20/11/11 at 0250 GMT my router logged a denial of
service every **10** minutes, +/- 1 second.

*** During these 10 hrs no PC was powered on, but the router is
powered on 24/7 ***

Here is one log entry, all others are the same except date/time:-

UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx. xx,5060
[DOS] UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx.xx,5060 - [DOS]


It's probably a sipvicious attack. Google it.

However SV usually attacks faster than that - I've seen it max out at
about 300/sec.

But basically you're screwed over for the duration of the attack.

Whatever was going on, my ISP has refused to knock off the approx 2.8GB
of data which has taken me over my usage as he says the data was voice
and video. I don't have any form of VoIP on my PCs.


Yup. Most ISPs just don't give a ****. They don't care. I've had customer
sites that had to apply top-up payments to their ISPs just to keep their
services open until the attack subsides. 3 days is the longest I've seen.

However are you sure you don't run any SIP services?

Sipvicious checks beforehand and will only launch a full-on attack if it
thinks there is a SIP PBX of some sort behind the IP address.

3. Is there anything that can be done to kill such traffic getting to
my router, other than powering it off?


If it is SipVicious then you can sometimes crash it - you need to get
the SV source code (it's hosted on Google) and run the crash program
(you'll need a PC with Python); however, it doesn't always work.

4. I don't believe I should bear the cost for this problem, whether it
was deliberate or accidental. 2.8GB in 10hr 40 min could have got
even more expensive if I hadn't got a dynamic IP and whatever caused
the router to do a "LCP down" at 02:58 on Sunday morning.
Are there any guidelines for what ISPs should do in this situation?


No - and they don't care either. My experience is that knowing a techie
inside the ISP helped to get it blocked, or going with an ISP that
actually cares might help, but most don't and you'll find it almost
impossible to get past the customer support firewall.

5. It seems to me that this sort of thing could happen any time and
get expensive. Is there an ISP who could spot this happening and kill
it? I will probably move if there is one.


AAISP is probably the best there is, but they're reassuringly expensive.

Gordon


I've scouted around the machine at the far end, and it appears to be a
brand new unfirewalled Linux installation.

It's got a bare web server, and telnet and ftp access.

Now if it's the same machine that was launching the DOS attacks it's wide
open itself, and may well have been rootkitted already.

Now your knowledge has added to the picture... SipVicious is indeed
something that may be on that box... it's available as a Linux tool.

So maybe it's some pimply Korean hacker who left a scanner running... on
his vulnerable Linux box :-)

Over to you to run a zillion name/password combos on the telnet port :-)





  #5  
Old November 22nd 11, 08:01 PM posted to uk.telecom.broadband
Andy Champ
external usenet poster
 
Posts: 187
Default DOS attack logged by Netgear router DG836G

On 22/11/2011 18:56, The Natural Philosopher wrote:

So, guys, this site has an open TELNET login on a box running Red Hat...

I leave the rest to you


That may well be how the malware got into his machine.

Andy
  #6  
Old November 22nd 11, 09:25 PM posted to uk.telecom.broadband
The Natural Philosopher
external usenet poster
 
Posts: 2,728
Default DOS attack logged by Netgear router DG836G

Andy Champ wrote:
On 22/11/2011 18:56, The Natural Philosopher wrote:

So, guys, this site has an open TELNET login on a box running Red Hat...

I leave the rest to you


That may well be how the malware got into his machine.

Andy

Well, port 25 was open, so 'root' now has a warning email.
  #7  
Old November 23rd 11, 01:29 AM posted to uk.telecom.broadband
Gordon Freeman
external usenet poster
 
Posts: 39
Default DOS attack logged by Netgear router DG836G

brightside S9 wrote:

From 19/11/11 at 1610 GMT to 20/11/11 at 0250 GMT my router logged a denial of
service every **10** minutes, +/- 1 second.

*** During these 10 hrs no PC was powered on, but the router is
powered on 24/7 ***


If you have limited bandwidth allowance then it's best to turn off the
router when you're not using your computer, then no data can be sent since
there will be no internet connection and no IP address assigned to your
account at those times. Turning off the router also saves electricity!

  #8  
Old November 23rd 11, 02:31 AM posted to uk.telecom.broadband
R. Mark Clayton
external usenet poster
 
Posts: 699
Default DOS attack logged by Netgear router DG836G

Oh dear a conspiracy theorist.

Firstly, something that comes in every 0.1s is probably a DOS attack, but every 10
minutes - hardly. NOR could this possibly account for 2.8Gb in 10 hours -
probably not even 2.8Mb.

What has probably happened:

A VoIP user in South Korea has registered his VoIP phone, and it would appear
likely from the same short IP address as you. The connection has been
broken, so every ten minutes or so his SIP server is trying to re-establish
the connection and [by chance] the 'poll' is coming to you rather than where he
was.

Try ringing it!

OTOH your PC probably has an unrelated 'bot

"brightside S9" wrote in message
...
From 19/11/11 at 1610 GMT to 20/11/11 at 0250 GMT my router logged a denial of
service every **10** minutes, +/- 1 second.

*** During these 10 hrs no PC was powered on, but the router is
powered on 24/7 ***

Here is one log entry, all others are the same except date/time:-

UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx. xx,5060
[DOS] UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx.xx,5060 - [DOS]

The destination address is my dynamic IP address, which I have munged.

The logs stopped after the router logged the following:-
Sun, 2011-11-20 02:58:28 - LCP down.
Sun, 2011-11-20 02:58:31 - Initialize LCP.
Sun, 2011-11-20 02:58:31 - LCP is allowed to come up.
Sun, 2011-11-20 02:58:32 - CHAP authentication success
Sun, 2011-11-20 09:45:39 - Administrator login successful -
IP:192.168.0.2

The Sunday morning logon reveals that my dynamic IP address is no
longer that shown in the DOS logs.

Whatever was going on, my ISP has refused to knock off the approx 2.8GB
of data which has taken me over my usage as he says the data was voice
and video. I don't have any form of VoIP on my PCs.

The logged ports are, AFAICT, 5060 = name = sip, purpose = sip, and
5191 = name = aol-1, purpose = AmericaOnline1.

So it does look like an attempt to connect for voice (port 5060 =
sip) from an AOL user in Korea.

There are a few questions:

1. How does the Netgear DG836G decide to log a DOS?

2. How could someone using 'voice' manage to get connected to my
dynamic IP when I have, AFAICT, no voip on my PCs, nor in the Netgear
DG836 router?

3. Is there anything that can be done to kill such traffic getting to
my router, other than powering it off?

4. I don't believe I should bear the cost for this problem, whether it
was deliberate or accidental. 2.8GB in 10hr 40 min could have got
even more expensive if I hadn't got a dynamic IP and whatever caused
the router to do a "LCP down" at 02:58 on Sunday morning.
Are there any guidelines for what ISPs should do in this situation?

5. It seems to me that this sort of thing could happen any time and
get expensive. Is there an ISP who could spot this happening and kill
it? I will probably move if there is one.

--
brightside S9



  #9  
Old November 23rd 11, 09:14 AM posted to uk.telecom.broadband
Soruk
external usenet poster
 
Posts: 223
Default DOS attack logged by Netgear router DG836G

On 2011-11-22, Gordon Henderson wrote:
In article ,
brightside S9 wrote:
From 19/11/11 at 1610 GMT to 20/11/11 at 0250 GMT my router logged a denial of
service every **10** minutes, +/- 1 second.

*** During these 10 hrs no PC was powered on, but the router is
powered on 24/7 ***

Here is one log entry, all others are the same except date/time:-

UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx. xx,5060
[DOS] UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx.xx,5060 - [DOS]


It's probably a sipvicious attack. Google it.

However SV usually attacks faster than that - I've seen it max out at
about 300/sec.

But basically you're screwed over for the duration of the attack.


When someone tries this against my little Geode VoIP server at home
(which needs to be net-visible to support remote extensions) I have
a script that watches the log so when any failed login attempt comes
in it's promptly firewalled (yes, this doesn't stop the attack but it
eases the CPU load so my tiny box can continue to work as it should),
and the automated attacks usually stop after that. If someone is being
persistent sending a single UDP packet of junk at that IP and port
tends to make SipVicious stop in its tracks. Any UDP flood tool will
have the desired effect, and it could be possible to modify it to
send a single packet instead of a short flood of them.

I would have my Asterisk box do that automagically, but unfortunately
it doesn't write the source port in its logs.

--
-- Michael "Soruk" McConnell Eridani Star System
MailStripper - http://www.MailStripper.eu/ - SMTP spam filter
Second Number - http://secondnumber.matrixnetwork.co.uk/
Matrix Dial: International Calls - http://www.matrixdial.co.uk/
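An added example of the log-watching approach Soruk describes, written for this page (not his script and not Asterisk code): it reads constructed Asterisk-style failed-registration lines, counts failures per source inside a sliding window, and returns the firewall rule to apply once a source crosses the threshold. It handles the case he raises where the log carries no source port (blocking is per source IP anyway, since source ports are ephemeral) and never blocks LAN addresses; the line format, threshold and window are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (this example's own, not Soruk's script). Asterisk
# chan_sip-style NOTICE lines: newer builds log the source as 'ip:port', the
# last two lines use the older port-less form Soruk describes. The external
# address is the one from the thread; the rest are RFC 5737 or LAN addresses.
SAMPLE_LOG = """\
[Nov 23 09:14:01] NOTICE[2201] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '121.165.117.62:5191' - Wrong password
[Nov 23 09:14:02] NOTICE[2201] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '121.165.117.62:5191' - No matching peer found
[Nov 23 09:14:02] NOTICE[2201] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '121.165.117.62:5191' - No matching peer found
[Nov 23 09:14:05] NOTICE[2201] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '192.168.0.2' - Wrong password
[Nov 23 09:20:00] NOTICE[2201] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.7' - Wrong password
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\].*Registration from .* failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?'"
)

def parse_failed_registration(line):
    """Return (timestamp, ip, port-or-None) for a failed SIP registration,
    else None. The port is optional because some Asterisk builds omit it."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less; fine for deltas
    return ts, m["ip"], (int(m["port"]) if m["port"] else None)

def block_rule(ip):
    """Per-source-IP rule: source ports are ephemeral, so a port-specific
    rule would be pointless even where the log does record one."""
    return f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP"

class FailedLoginWatcher:
    """Count failures per source inside a sliding window and emit one block
    rule the first time a source crosses the threshold; LAN sources are exempt."""

    def __init__(self, threshold=3, window=timedelta(minutes=10),
                 never_block=("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")):
        self.threshold = threshold
        self.window = window
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.hits = defaultdict(deque)
        self.blocked = set()

    def _exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def observe(self, ts, ip):
        if ip in self.blocked or self._exempt(ip):
            return None
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # forget hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)
            return block_rule(ip)
        return None

def process_log(text, watcher=None):
    """Feed log lines through the watcher; return the rules it would apply."""
    watcher = watcher or FailedLoginWatcher()
    rules = []
    for line in text.splitlines():
        parsed = parse_failed_registration(line)
        if parsed and (rule := watcher.observe(parsed[0], parsed[1])):
            rules.append(rule)
    return rules
```

The block returns rule strings rather than running them; wiring them into the live firewall is the part that needs care, including an expiry so that an address shared by many users is not blocked forever.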
  #10  
Old November 23rd 11, 10:04 AM posted to uk.telecom.broadband
brightside S9
external usenet poster
 
Posts: 144
Default DOS attack logged by Netgear router DG836G

On Wed, 23 Nov 2011 02:31:56 -0000, "R. Mark Clayton"
wrote:

Oh dear a conspiracy theorist.


What conspiracy am I theorising?

Firstly, something that comes in every 0.1s is probably a DOS attack, but every 10
minutes - hardly. NOR could this possibly account for 2.8Gb in 10 hours -
probably not even 2.8Mb.


I don't know how the router decides to log a 'DOS' attack, I did ask.
The only information I have is the router log, the IP addresses and
the data amount from my ISP. So I have the numbers you don't.



What has probably happened:

A VoIP user in South Korea has registered his VoIP phone, and it would appear
likely from the same short IP address as you. The connection has been
broken, so every ten minutes or so his SIP server is trying to re-establish
the connection and [by chance] the 'poll' is coming to you rather than where he
was.

Try ringing it!


With what? I did say I have no VoIP stuff on my PC and wouldn't know
how to set it up or use it, so what am I supposed to ring?


OTOH your PC probably has an unrelated 'bot


Well I did say my PCs were turned off during the time the router was
logging. You obviously haven't read (or understood, more likely) the
original post.

Not a helpful top posted reply.

--
brightside S9