Dos attack - help

Discussion in 'Computer Support' started by SiD, Oct 3, 2005.

  1. SiD

    SiD Guest

    I look after a few Win XP pro computers on a small office network,
    These are connected to a 4 port Adsl Netgear router, which is the
    gateway for internet services. My concern is that all this weekend
    I've been receiving Security alert emails from the router -

    UDP Packet - Source:218.98.124.239,0 Destination:81.76.247.220,1026 - [DOS]

    (Occasionally the source ip changes but not that often)

    The destination IP address is the router's and the source, well,
    I don't know. I've been getting this email every 5 mins all weekend and
    it's still coming through.

    I know I could just stop email alerts in the router's config - but this
    is not going to stop the port scan on the router.

    ANY clue what to do here, and should I be worried?

    Thanks
    SiD, Oct 3, 2005
    #1

  2. SiD

    why? Guest

    On Mon, 03 Oct 2005 08:48:07 +0100, SiD wrote:

    >I look after a few Win XP pro computers on a small office network,
    >These are connected to a 4 port Adsl Netgear router, which is the
    >gateway for internet services. My concern is that all this weekend
    >I've been receiving Security alert emails from the router -


    You want to get these alerts all the time? There is usually a setting
    you can change to avoid that.

    >UDP Packet - Source:218.98.124.239,0 Destination:81.76.247.220,1026 - [DOS]
    >
    >(Occasionally the source ip changes but not that often)
    >
    >The destination IP address is the router's and the source, well,

    No, lots of people know the address of your router :)

    >I don't know. I've been getting this email every 5 mins all weekend and

    A DoS attack is usually faster than that. Check the timing of the
    alert / email; if the connection is really getting hit hard and causing a
    loss of service, then start reporting the problem to your ISP. They could
    maybe help direct you where to report to the originating ISP.

    Try www.dnsstuff.com; you can enter the source IP and look up information
    on it.

    >it's still coming through.

    As long as you have the alerts configured to send email, that seems
    fairly normal and shows you the system is working as it's meant to.
    That's always a good thing.

    >I know I could just stop email alerts in the router's config - but this
    >is not going to stop the port scan on the router.

    Correct.

    >ANY clue what to do here, and should I be worried?

    Unless the router firewall isn't doing its job, no.

    You do have a software firewall on the LAN; if the router is detecting
    and stopping the problem, good. If the software firewall is detecting
    anything, then perhaps you need to work on your security.

    >Thanks


    Me
    why?, Oct 3, 2005
    #2

  3. SiD

    SiD Guest

    why? wrote:
    > On Mon, 03 Oct 2005 08:48:07 +0100, SiD wrote:
    >
    >> I look after a few Win XP pro computers on a small office network,
    >> These are connected to a 4 port Adsl Netgear router, which is the
    >> gateway for internet services. My concern is that all this weekend
    >> I've been receiving Security alert emails from the router -

    >
    > You want to get these alerts all the time? There is usually a setting
    > you can change to avoid that.
    >
    >> UDP Packet - Source:218.98.124.239,0 Destination:81.76.247.220,1026 - [DOS]
    >>
    >> (Occasionally the source ip changes but not that often)
    >>
    >> The destination IP address is the router's and the source, well,

    >
    > No, lots of people know the address of your router :)
    >
    >> I don't know. I've been getting this email every 5 mins all weekend and

    >
    > A DoS attack is usually faster than that. Check the timing of the
    > alert / email; if the connection is really getting hit hard and causing a
    > loss of service, then start reporting the problem to your ISP. They could
    > maybe help direct you where to report to the originating ISP.
    >
    > Try www.dnsstuff.com; you can enter the source IP and look up information
    > on it.
    >
    >> it's still coming through.

    >
    > As long as you have the alerts configured to send email, that seems
    > fairly normal and shows you the system is working as it's meant to.
    > That's always a good thing.
    >
    >> I know I could just stop email alerts in the router's config - but this
    >> is not going to stop the port scan on the router.

    >
    > Correct.
    >
    >> ANY clue what to do here, and should I be worried?

    >
    > Unless the router firewall isn't doing its job, no.
    >
    > You do have a software firewall on the LAN; if the router is detecting
    > and stopping the problem, good. If the software firewall is detecting
    > anything, then perhaps you need to work on your security.
    >
    >> Thanks

    >
    > Me



    Thanks for the info, will have a close look later.
    PS: that's not my real router's address.
    SiD, Oct 3, 2005
    #3
  4. "SiD" <> wrote in message
    news:dhqnn7$5v4$...
    >I look after a few Win XP pro computers on a small office network,
    > These are connected to a 4 port Adsl Netgear router, which is the gateway
    > for internet services. My concern is that all this weekend
    > I've been receiving Security alert emails from the router -
    >
    > UDP Packet - Source:218.98.124.239,0 Destination:81.76.247.220,1026 -
    > [DOS]
    >
    > (Occasionally the source ip changes but not that often)
    >
    > The destination IP address is the router's and the source, well,
    > I don't know. I've been getting this email every 5 mins all weekend and
    > it's still coming through.
    >
    > I know I could just stop email alerts in the router's config - but this
    > is not going to stop the port scan on the router.
    >
    > ANY clue what to do here, and should I be worried?
    >
    > Thanks





    WHOIS Record For
    218.98.124.239
    Record Type: IP Address


    OrgName: Asia Pacific Network Information Centre
    OrgID: APNIC
    Address: PO Box 2131
    City: Milton
    StateProv: QLD
    PostalCode: 4064
    Country: AU

    ReferralServer: whois://whois.apnic.net

    NetRange: 218.0.0.0 - 218.255.255.255
    CIDR: 218.0.0.0/8
    NetName: APNIC4
    NetHandle: NET-218-0-0-0-1
    Parent:
    NetType: Allocated to APNIC
    NameServer: NS1.APNIC.NET
    NameServer: NS3.APNIC.NET
    NameServer: NS4.APNIC.NET
    NameServer: NS-SEC.RIPE.NET
    NameServer: TINNIE.ARIN.NET
    Comment: This IP address range is not registered in the ARIN database.
    Comment: For details, refer to the APNIC Whois Database via
    Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
    Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
    Comment: for the Asia Pacific region. APNIC does not operate networks
    Comment: using this IP address range and is not able to investigate
    Comment: spam or abuse reports relating to these addresses. For more
    Comment: help, refer to http://www.apnic.net/info/faq/abuse
    Comment:
    RegDate: 2000-12-07
    Updated: 2005-05-20

    OrgTechHandle: AWC12-ARIN
    OrgTechName: APNIC Whois Contact
    OrgTechPhone: +61 7 3858 3100
    OrgTechEmail:

    % [whois.apnic.net node-2]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
    inetnum: 218.98.96.0 - 218.98.127.255
    netname: BEELINK
    descr: Shandong Beelink Information Technology Co., Ltd.
    country: CN
    admin-c: KC224-AP
    tech-c: KC224-AP
    mnt-by: MAINT-CNNIC-AP
    changed: 20020418
    status: ALLOCATED PORTABLE
    source: APNIC
    person: Kele Cao
    address: No.12 North Baotuquan Street. Jinan Shandong,China
    country: CN
    phone: +86-0531-83192780
    fax-no: +86-0531-86097472
    e-mail:
    nic-hdl: KC224-AP
    mnt-by: MAINT-NEW
    changed: 20010726
    source: APNIC
    Captain America, Oct 3, 2005
    #4
  5. SiD

    Whiskers Guest

    On 2005-10-03, SiD <> wrote:

    snip

    > ANY clue what to do here, and should I be worried?
    >
    > Thanks


    I don't think this is a 'denial of service attack'. The source IP you
    mention resolves to a Chinese ISP; I have noticed that frequent illicit
    attempts to establish connection seem to come from Chinese IP numbers.
    They are a nuisance but I haven't found them to be a real problem. They
    seem to be looking for machines running Windows with 'open ports' or
    unprotected 'server' programs, presumably so that the machine can be
    exploited in some way. The 'probes' may come from machines that have
    already been compromised.

    The destination IP you mention resolves to a UK ISP as part of a block used
    to allocate 'dynamic IPs' to dial-up customers. Port 1026 is apparently one
    of the likely weak spots in a Windows system
    <https://www.grc.com/port_1026.htm>.

    If this was really a DoS attack you probably wouldn't be getting frequent
    e-mails from your system - or anything else.

    --
    -- ^^^^^^^^^^
    -- Whiskers
    -- ~~~~~~~~~~
    Whiskers, Oct 3, 2005
    #5
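
The timing check suggested in this thread, as an added example that is not part of any post: it parses alert lines in the format SiD quoted and reports the alert rate per source and destination port. The leading timestamp (the time each alert e-mail arrived), the second source address and the 60-per-minute threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Router alert line as quoted in the thread. The leading timestamp is an
# assumption: the time each alert e-mail arrived, prepended by the admin.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>UDP|TCP) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) - \[(?P<tag>\w+)\]$"
)

# Constructed sample: one alert every 5 minutes from the thread's source, plus
# one from a constructed second source (203.0.113.7, a documentation address).
SAMPLE = "\n".join(
    [f"2005-10-01 09:{m:02d}:00 UDP Packet - Source:218.98.124.239,0 "
     "Destination:81.76.247.220,1026 - [DOS]" for m in range(0, 25, 5)]
    + ["2005-10-01 09:12:30 UDP Packet - Source:203.0.113.7,0 "
       "Destination:81.76.247.220,1026 - [DOS]", "unrelated log line"]
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["ts"] = datetime.strptime(a["ts"], "%Y-%m-%d %H:%M:%S")
            a["dport"] = int(a["dport"])
            alerts.append(a)
    return alerts


def summarise(alerts, flood_per_min=60.0):
    """Alert rate per (source, protocol, port); the threshold is assumed."""
    # Routers may batch alert e-mails, so this is a lower bound on packet rate.
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["proto"], a["dport"])].append(a["ts"])
    report = {}
    for key, stamps in groups.items():
        # Use at least a one-minute window so a single alert is not a "burst".
        span_min = max((max(stamps) - min(stamps)).total_seconds() / 60, 1.0)
        rate = round(len(stamps) / span_min, 2)
        verdict = "flood-like" if rate >= flood_per_min else "background probing"
        report[key] = {"count": len(stamps), "per_min": rate, "verdict": verdict}
    return report
```

Calling `summarise(parse_alerts(SAMPLE))` returns one row per source, protocol and destination port, which also makes it easy to attach a per-source summary to a report for the ISP.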