RE: Networking and DOS attacks
- From: "David Gillett" <gillettdavid@xxxxxxxx>
- Date: Tue, 2 May 2006 09:19:56 -0700
You haven't given us any clue as to whether these packets are
inbound (blocked and logged) or outbound (allowed and logged).
But since 81.79.70.215 is a UK DSL address, I'll assume that that
is you.

Since the traffic is UDP packets, there's no guarantee that the
source address is valid. But the consistent source port number of
the packets from 61.156.42.117 suggests that these packets come from
the same source, whereas those with different source addresses also
have different source ports -- stuff that spoofs the source address
usually doesn't randomize the source port.

So this looks very much like a distributed Denial of Service (DoS)
attack against one IP address. If this is a static address, then
you appear to have pissed somebody off; if this is a dynamic address,
then perhaps some user who it was previously allocated to made some
enemies who have no way of knowing that you are not he.

Most DoS attacks work by consuming some resource, making it unavailable
for legitimate use. A frequent target resource is bandwidth. By the
time these packets have made it down the wire to your firewall, they've
used all the bandwidth on your DSL connection that they can, and so the
damage is done. The only possibility of blocking the attack is from
within your ISP's network, before your DSL line is reached.

So you need to report this to your ISP and ask for their help. They
may or may not be willing to take any action.

David Gillett

-----Original Message-----
From: john@xxxxxxxxxxxxxxxxxxxxxxxxx
[mailto:john@xxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, May 02, 2006 4:48 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Networking and DOS attacks
I am very new to networking. I have a Netgear ADSL
modem/router with a firewall that is set to allow all
outgoing traffic and block all incoming and to send me a
security log each day. Please could someone tell me what
the log means (see below) and whether I should be concerned
or not, as since the DOS and UDP messages started appearing I
seem to get lots of disconnections from my ISP.

Cheers, John

Thu, 1970-01-01 01:00:16 - Initialize LCP.
Thu, 1970-01-01 01:00:16 - LCP is allowed to come up.
Thu, 1970-01-01 01:00:20 - CHAP authentication success
Thu, 1970-01-01 01:00:35 - Send out NTP request to time-g.netgear.com
Tue, 2006-05-02 08:57:03 - Receive NTP Reply from time-g.netgear.com
Tue, 2006-05-02 08:56:28 - Router start up
Tue, 2006-05-02 09:22:01 - UDP Packet - Source:199.2.51.139,50244 Destination:81.79.70.215,1029 - [DOS]
Tue, 2006-05-02 09:28:58 - UDP Packet - Source:222.208.168.130,49057 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:28:59 - UDP Packet - Source:150.64.232.13,30794 Destination:81.79.70.215,1026 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1032 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,4081 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,2 - [DOS]
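
Added example, not part of either message above: a Python sketch that parses the router's [DOS] entries from the quoted log and groups them by source address, so the pattern the reply points to (several packets from 61.156.42.117 sharing one source port, every other source seen once) can be read off directly. The function names are illustrative, and the parser assumes the Netgear line format exactly as it appears in this log.

```python
import re
from collections import defaultdict

# The seven "[DOS]" entries from the router log quoted above.
LOG = """\
Tue, 2006-05-02 09:22:01 - UDP Packet - Source:199.2.51.139,50244 Destination:81.79.70.215,1029 - [DOS]
Tue, 2006-05-02 09:28:58 - UDP Packet - Source:222.208.168.130,49057 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:28:59 - UDP Packet - Source:150.64.232.13,30794 Destination:81.79.70.215,1026 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1032 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,4081 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,2 - [DOS]
"""

ENTRY = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - UDP Packet - "
    r"Source:(?P<sip>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dip>[\d.]+),(?P<dport>\d+) - \[DOS\]"
)

def parse(text):
    """Return one dict per [DOS] UDP entry, even if mail wrapping split an entry."""
    flat = " ".join(text.split())  # collapse line breaks and runs of spaces
    return [m.groupdict() for m in ENTRY.finditer(flat)]

def summarize(entries):
    """Per source IP: packet count, source ports, destination ports, timestamps."""
    out = defaultdict(lambda: {"count": 0, "sports": set(), "dports": set(), "times": set()})
    for e in entries:
        s = out[e["sip"]]
        s["count"] += 1
        s["sports"].add(int(e["sport"]))
        s["dports"].add(int(e["dport"]))
        s["times"].add(e["ts"])
    return dict(out)

def fixed_port_sources(summary, min_packets=2):
    """Sources that sent several packets, all from the same source port."""
    return sorted(ip for ip, s in summary.items()
                  if s["count"] >= min_packets and len(s["sports"]) == 1)

def targets(entries):
    """Distinct destination addresses the logged packets were aimed at."""
    return {e["dip"] for e in entries}

if __name__ == "__main__":
    summary = summarize(parse(LOG))
    for ip, s in summary.items():
        print(ip, s["count"], sorted(s["sports"]), sorted(s["dports"]), sorted(s["times"]))
    print("single source port, several packets:", fixed_port_sources(summary))
```
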