Quote:
Originally Posted by Keith L
That's not a DOS! When you get 100 per second then that's a DOS and that will give you problems. One every few minutes is a standard probe, I get them all of the time, four or five a minute is normal and I just ignore them.
No, you have not published the external address of your router. 192.168.x.x is a standard internal NAT address, it's a protected class C address that the world and his uncle use as their router address. Mine is 192.168.0.1, be my guest and try to penetrate that.
Keith L
SecurityFocus
Without seeing the actual packets you are getting, it is not possible to say that this is relevant, but it could well be.
There are also a couple of viruses that create backdoors on port 1029. It is interesting that not one of the packets destined for port 50244 you have logged comes from the same IP address, so it is not likely a serious DOS, rather many machines that are infected with the same worm/virus, perhaps advertising as in the link above.
The machine 221.203.145.74 has sent you 3 packets in the trace all on different ports so that machine potentially is trying to probe your IP address.
However, as Keith points out, the numbers involved are low and your FW is doing its job, so you should not be overly concerned.
Just to cause a bit more grief, 192.168.x.y is actually a Class B address, not Class C; it may be subnetted as a Class C. However, classes of IP address are no longer relevant on the Internet.
The 192.168.0.0/16 address space is designated as not being routed on the Internet, which raises another interesting point from your FW log: the packet with the source address 10.197.198.7, as 10.0.0.0 is also a non-routed address space. Your ISP is not ideally configured if it has let this packet be delivered to you. I would certainly have a go at them about that, as they are not acting in a responsible manner! The machine that created the 10.197.198.7 packet is almost certainly on the same ISP as you, or indeed it is someone working for the ISP who is abusing their network.
I would strongly recommend checking your AV is up to date and functional.
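
The checks discussed in this thread (packet rate against the 100-per-second figure, one source touching several ports, and non-routed source addresses arriving from the ISP side) can be run over a firewall log as below. This is an added example, not part of the original posts; the three-field log format, the function names and every log line are constructed for illustration, with 172.16.0.0/12 added as the third RFC 1918 range.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log. Assumed format: "epoch_seconds src_ip dst_port"
SAMPLE_LOG = """\
1000 203.0.113.5 50244
1070 198.51.100.9 50244
1130 221.203.145.74 1029
1200 192.0.2.44 50244
1260 221.203.145.74 1030
1330 10.197.198.7 50244
1400 221.203.145.74 1031
"""

FLOOD_PPS = 100    # "100 per second" threshold quoted in the thread
PROBE_PORTS = 3    # distinct ports from one source before it counts as probing
# Address space that should never arrive as a source on the Internet-facing side
NON_ROUTED = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(log):
    """Yield (timestamp, source address, destination port) per log line."""
    for line in log.splitlines():
        if line.strip():
            ts, src, port = line.split()
            yield int(ts), ipaddress.ip_address(src), int(port)

def triage(log):
    """Summarise a WAN-side firewall log along the lines argued in the thread."""
    ports_by_src = defaultdict(set)    # source -> ports it touched
    srcs_by_port = defaultdict(set)    # port -> distinct sources seen
    per_second = defaultdict(int)      # timestamp -> packet count
    non_routed = set()
    for ts, src, port in parse(log):
        ports_by_src[src].add(port)
        srcs_by_port[port].add(src)
        per_second[ts] += 1
        if any(src in net for net in NON_ROUTED):
            non_routed.add(str(src))
    peak = max(per_second.values(), default=0)
    return {
        "peak_pps": peak,
        "flood": peak >= FLOOD_PPS,
        "probing_sources": sorted(str(s) for s, p in ports_by_src.items()
                                  if len(p) >= PROBE_PORTS),
        "non_routed_sources": sorted(non_routed),
        "sources_per_port": {p: len(s) for p, s in srcs_by_port.items()},
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Many distinct sources on one port with a low peak rate points to background scanning rather than a flood, while any entry under `non_routed_sources` is worth raising with the ISP.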