Velocity Reviews - Computer Hardware Reviews

Dos attack - help

 
 
SiD
Guest
Posts: n/a
 
      10-03-2005
I look after a few Win XP Pro computers on a small office network.
These are connected to a 4-port ADSL Netgear router, which is the
gateway for internet services. My concern is that all this weekend
I've been receiving security alert emails from the router -

UDP Packet - Source:218.98.124.239,0 Destination:81.76.247.220,1026 - [DOS]

(Occasionally the source IP changes but not that often)

The destination IP address is the router's and the source, well,
I don't know. I've been getting this email every 5 mins all weekend and
it's still coming through.

I know I could just stop email alerts in the router's config - but this
is not going to stop the port scan on the router.

ANY clue what to do here, and should I be worried?

Thanks
 
 
 
 
 
why?
Guest
Posts: n/a
 
      10-03-2005

On Mon, 03 Oct 2005 08:48:07 +0100, SiD wrote:

>I look after a few Win XP pro computers on a small office network,
>These are connected to a 4 port Adsl Netgear router, which is the
>gateway for internet services. My concern is that all this weekend
>I've been receiving Security alert emails from the router -


You want to get these alerts all the time? There is usually a setting
you can change to avoid that.

>UDP Packet - Source:218.98.124.239,0 Destination:81.76.247.220,1026 - [DOS]
>
>(Occasionally the source ip changes but not that often)
>
>The destination IP address is the routers and the source,well


No, lots of people know the address of your router.

>i don't know. I've been getting this email every 5 mins all weekend and


A DoS attack is usually faster than that, checking the timing of the
alert / email if the connection is really getting hit hard and causing a
loss of service then start reporting the problem to your ISP, they could
maybe help direct you where to report to the originating ISP.

Try www.dnsstuff.com you can enter the source IP and lookup information
on it.

>its still coming through.


As long as you have the alerts configured to send email, that seems
fairly normal and shows you the system is working as it's meant to be.
That's always a good thing.

>I know i could just stop email alerts in the routers config - but this
>is not going to stop the port scan on the router


Correct.

>ANY clue what to do here and should i be worried.


Unless the router firewall isn't doing its job, no.

You do have a software firewall on the LAN, if the router is detecting
and stopping the problem, good. If the software firewall is detecting
anything then perhaps you need to work on your security.

>Thanks


Me
 
 
 
 
 
SiD
Guest
Posts: n/a
 
      10-03-2005
why? wrote:
> On Mon, 03 Oct 2005 08:48:07 +0100, SiD wrote:
>
>> I look after a few Win XP pro computers on a small office network,
>> These are connected to a 4 port Adsl Netgear router, which is the
>> gateway for internet services. My concern is that all this weekend
>> I've been receiving Security alert emails from the router -

>
> You want to get these alerts all the time? There is usually a setting
> you can change to avoid that.
>
>> UDP Packet - Source:218.98.124.239,0 Destination:81.76.247.220,1026 - [DOS]
>>
>> (Occasionally the source ip changes but not that often)
>>
>> The destination IP address is the routers and the source,well

>
> No lots of people know the address of your router
>
>> i don't know. I've been getting this email every 5 mins all weekend and

>
> A DoS attack is usually faster then that, checking the timing of the
> alert / email if the connection is really getting hit hard and causing a
> loss of service then start reporting the problem to your ISP, they could
> maybe help direct you where to report to the originating ISP.
>
> Try www.dnsstuff.com you can enter the source IP and lookup information
> on it.
>
>> its still coming through.

>
> Along as your have the alerts configured to send email , that seems
> fairly normal and shows you the system as working as it's meant to be.
> That's always a good thing.
>
>> I know i could just stop email alerts in the routers config - but this
>> is not going to stop the port scan on the router

>
> Correct.
>
>> ANY clue what to do here and should i be worried.

>
> Unless the router firewall isn't doing it's job, no.
>
> You do have a software firewall on the LAN, if the router is detecting
> and stopping the problem , good. If the software firewall is detecting
> anything then perhaps you need to work on your security.
>
>> Thanks

>
> Me



Thanks for the info, will have a close look later.
PS: that's not my real router's address.

 
 
Captain America
Guest
Posts: n/a
 
      10-03-2005

"SiD" <(E-Mail Removed)> wrote in message
news:dhqnn7$5v4$(E-Mail Removed)...
>I look after a few Win XP pro computers on a small office network,
> These are connected to a 4 port Adsl Netgear router, which is the gateway
> for internet services. My concern is that all this weekend
> I've been receiving Security alert emails from the router -
>
> UDP Packet - Source:218.98.124.239,0 Destination:81.76.247.220,1026 -
> [DOS]
>
> (Occasionally the source ip changes but not that often)
>
> The destination IP address is the routers and the source,well
> i don't know. I've been getting this email every 5 mins all weekend and
> its still coming through.
>
> I know i could just stop email alerts in the routers config - but this
> is not going to stop the port scan on the router
>
> ANY clue what to do here and should i be worried.
>
> Thanks





WHOIS Record For
218.98.124.239
Record Type: IP Address


OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 218.0.0.0 - 218.255.255.255
CIDR: 218.0.0.0/8
NetName: APNIC4
NetHandle: NET-218-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 2000-12-07
Updated: 2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: (E-Mail Removed)

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 218.98.96.0 - 218.98.127.255
netname: BEELINK
descr: Shandong Beelink Information Technology Co., Ltd.
country: CN
admin-c: KC224-AP
tech-c: KC224-AP
mnt-by: MAINT-CNNIC-AP
changed: (E-Mail Removed) 20020418
status: ALLOCATED PORTABLE
source: APNIC
person: Kele Cao
address: No.12 North Baotuquan Street. Jinan Shandong,China
country: CN
phone: +86-0531-83192780
fax-no: +86-0531-86097472
e-mail: (E-Mail Removed)
nic-hdl: KC224-AP
mnt-by: MAINT-NEW
changed: (E-Mail Removed) 20010726
source: APNIC




 
 
Whiskers
Guest
Posts: n/a
 
      10-03-2005
On 2005-10-03, SiD <(E-Mail Removed)> wrote:

snip

> ANY clue what to do here and should i be worried.
>
> Thanks


I don't think this is a 'denial of service attack'. The source IP you
mention resolves to a Chinese ISP; I have noticed that frequent illicit
attempts to establish connection seem to come from Chinese IP numbers.
They are a nuisance but I haven't found them to be a real problem. They
seem to be looking for machines running Windows with 'open ports' or
unprotected 'server' programs, presumably so that the machine can be
exploited in some way. The 'probes' may come from machines that have
already been compromised.

The destination IP you mention resolves to a UK ISP as part of a block used
to allocate 'dynamic IPs' to dial-up customers. Port 1026 is apparently one
of the likely weak spots in a Windows system
<https://www.grc.com/port_1026.htm>.

If this was really a DoS attack you probably wouldn't be getting frequent
e-mails from your system - or anything else.

--
-- ^^^^^^^^^^
-- Whiskers
-- ~~~~~~~~~~
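
An added example, not part of any post in this thread: the timing check suggested in the replies above, applied to alert lines in the format the router e-mails. The timestamp prefix, the 60-alerts-per-minute cut-off and the sample addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Alert body as quoted in the thread; the leading timestamp is an assumption
# (for example, taken from each alert e-mail's Date header).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proto>\w+) Packet - Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) - \[(?P<tag>\w+)\]$"
)
# Assumed cut-off between background probing and a flood; tune per link.
FLOOD_ALERTS_PER_MIN = 60.0

def parse_alerts(lines):
    """Return (timestamp, source IP, destination port); skip non-matching lines."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            alerts.append((ts, m["src"], int(m["dport"])))
    return alerts

def summarize(alerts):
    """Per (source, destination port): alert count, alerts per minute, verdict."""
    groups = defaultdict(list)
    for ts, src, dport in alerts:
        groups[(src, dport)].append(ts)
    report = {}
    for key, stamps in groups.items():
        # Floor the span at one minute so a lone alert still yields a finite rate.
        span_min = max((max(stamps) - min(stamps)).total_seconds(), 60.0) / 60.0
        rate = len(stamps) / span_min
        verdict = "flood-like" if rate >= FLOOD_ALERTS_PER_MIN else "low-rate probe"
        report[key] = {"count": len(stamps), "per_min": round(rate, 2), "verdict": verdict}
    return report

# Constructed sample using RFC 5737 documentation addresses, not real log data.
SAMPLE = [
    "2005-10-01 09:00:00 UDP Packet - Source:192.0.2.10,0 Destination:203.0.113.5,1026 - [DOS]",
    "2005-10-01 09:05:00 UDP Packet - Source:192.0.2.10,0 Destination:203.0.113.5,1026 - [DOS]",
    "2005-10-01 09:10:00 UDP Packet - Source:192.0.2.10,0 Destination:203.0.113.5,1026 - [DOS]",
    "2005-10-01 09:10:30 UDP Packet - Source:198.51.100.7,0 Destination:203.0.113.5,1026 - [DOS]",
    "garbled line that the parser skips",
]

if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE)))
```

One alert every five minutes from a single source comes out at 0.3 alerts per minute, well under the assumed flood cut-off.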
 