DDoS attack

Earlier this week a DDoS attack hit my internet connection right after an argument with some people on which OS is better for servers. The attack lasted about 3 days before I could finally get the IP changed, as when our router was connected to the cable modem it would not respond at all and had 100% packet loss when pinged. After the IP change I noticed in the log files of some of the computers that the firewalls were logging strange activity, such as the computer constantly hitting the router on port 80, like below:

2006-07-07 20:31:08;;192.168.234.201:3102;192.168.234.1:80;TCP;Allowed

The first IP is the source followed by the port, then the destination and then the port, protocol and whether it was allowed or blocked. These kinds of logs are constant and that's a small snippet of what they look like. 192.168.234.1 is the router, 192.168.234.201 was me at that time. Notice how the outgoing port on my machine increased by one on every attempt? (More logs at the bottom of the post, scroll down to look at them.) Now we've tried just about everything except reformatting, which I will not be able to do without a lot of caffeine and a lot of take-out pizza, as all the computers' storage combined tops 2TB. Norton AntiVirus was installed on all the machines and has updated defs; it picked up nothing... not one trace of a virus.

Here's the information for all the computers:

My main computer has the following:
Windows XP SP1 (updating to SP2 only causes issues, it's not a fix)
Norton Antivirus 2004 with updated defs
Peer Guardian 2 (logs pretty much anything that touches my computer)
Zone Labs Security (recent version, cannot check at the current moment)

Parents' computer is running:
Windows XP SP2
Norton Anti Virus corporate edition
Peer Guardian 2
Zone Labs Security

And finally my brother has:
Windows XP SP1
Norton Anti Virus corporate edition
No firewall

Now for the logs. First is the snippet of my computer constantly hammering the router:

2006-07-07 20:31:08;;192.168.234.201:3102;192.168.234.1:80;TCP;Allowed

Next is the strange .255 address which does not exist on our network yet seems to be extremely popular, because all the computers connect to it:

2006-07-07 16:23:08;;192.168.234.202:138;192.168.234.255:138;UDP;Allowed

I have no clue what the following address means, but I find it odd that 'localhost' was in the source column:

2006-07-07 20:20:27;;127.0.0.1;192.168.234.201;ICMP;Allowed

Don't forget the fact that my computer is constantly connecting to itself...

2006-07-07 20:21:25;;192.168.234.201:24565;192.168.234.201:1900;UDP;Allowed

Picking up my brother's computer connecting to that .255 address:

2006-07-07 20:25:37;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed

I also get a lot of this in the logs:

2006-07-04 00:00:36;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed

Both IPs are external from the looks of it, but what's strange is why the hell am I picking this up? That is what is filling my logs up extremely fast, and it always changed ports after a while; we're talking over 500 lines of that in less than an hour.

Same thing again, different destination address:

2006-07-04 00:03:38;;169.254.220.220:137;169.254.255.255:137;UDP;Allowed

And again:

006-07-04 00:36:10;;169.254.220.220:138;169.254.255.255:138;UDP;Allowed

Here's another snippet of one of those machines hammering that .255:

2006-07-04 04:28:27;;192.168.15.1:3535;192.168.15.255:162;UDP;Allowed

^ That continues till port 60k....... I also see this sometimes:

2006-07-04 04:47:24;;127.0.0.1:4103;239.255.255.250:1900;UDP;Allowed

Anyway, the log file is 8MB in size and that's from about an hour of the computer being plugged into the connection. The other log files are smaller since it's actually calmed down to the point where the log file isn't scrolling so fast you cannot read the numbers. My other issue is these machines are doing the same thing to IPs outside of our network, such as:

2006-07-05 18:55:46;;192.168.234.201:3107;70.58.142.60:80;TCP;Allowed

That's just one example. Now I need some smart people to reply, as I am sick of people bashing me on other forums saying I know jack about networking yet not providing answers to the problem. If you know what it is, please tell me what it is, what causes it and how to fix it, as some of the machines have important data on them that we cannot afford to lose. I left out my other two computers as they run Linux and were not connected at the time of the attack. Hopefully there are network engineers that browse these forums, as even our ISP's technician was clueless (when he called it in to tell his supervisor about how big these log files were and the speed at which connections were flying in and out, the supervisor blamed it on a touchy firewall). My ISP is hopeless so I cannot count on them; it's always the customer's fault when something happens, or it's the equipment.

Classic responses include:
"Your LAN cables are corroded"
"Your computer does not have enough memory for your connection to work"
"Your router is not supported by our service"
"Linux is not a supported operating system and will not work with our internet" (because I run Debian and Fedora from time to time)

Anyway, that's to show you how stupid my ISP is. If you need to know any more information feel free to ask, as I am lost at the moment; usually there's an article on the internet discussing problems and how to fix those problems, but nobody seems to have had the problems I am having. Thanks

** Router model ** Broadband Router with 2 Phone Ports RT31P2. We use Vonage as well.
Re: DDoS attack

Some general info, which may give you an idea or two:

* Addresses in the range 169.254.0.1 through 169.254.255.254 aren't "outside" addresses; they are private IPs reserved for DHCP autoconfiguration. More on that here. The 169.254.220.220 address in your logs could very well be the autoconfig IP of the router.
* IP addresses with .255 as the final octet are "broadcast" addresses, meaning that packets with such an address are sent to, and received by, all machines on the local subnet.
* Ports 137 and 138 are NetBIOS ports; the traffic you see on those ports is NetBIOS broadcast traffic.
* Your logs are showing two different 192.168. subnets (192.168.234. and 192.168.15.). Any idea what that's all about?
* The 70.58.142.60 IP is assigned to Qwest Communications. Are you using any of their services?
* The 239.255.255.250 IP and port 1900 are used by UPnP devices such as some network printers. This traffic can be normal on Windows networks, but UPnP is also an avenue for external exploits. UPnP should be disabled on your network devices unless you know that you need it.
* The "127.0.0.1;192.168.234.201;ICMP;Allowed" entries: ICMP doesn't, AFAIK, use ports and sockets, hence the above message means that the local machine is sending an ICMP control message to its 192.168.234.201 network interface.

Most of the traffic you're seeing isn't necessarily indicative of anything malicious; do you know that you were not experiencing such traffic before the DoSing and change of IP? Norton is obviously not the definitive word in terms of whether or not you've truly been compromised. Have you run any other utilities to check for "unwanted guests"?
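The address and port rules in the reply above can be applied mechanically to the poster's log format (date time;;source[:port];destination[:port];protocol;action). The following classifier is an added example, not code from the thread or from any of the firewalls named in it; it labels every entry as loopback, link-local (APIPA), SSDP/UPnP, DHCP, NetBIOS, broadcast, LAN unicast or external, so that the external entries, the only ones worth investigating, can be pulled out of an 8MB log. The sample lines are the ones quoted in the thread; the .255 broadcast test assumes /24 subnets, as the reply does.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample in the thread's own format: date time;;src[:port];dst[:port];proto;action
SAMPLE_LOG = """\
2006-07-07 20:31:08;;192.168.234.201:3102;192.168.234.1:80;TCP;Allowed
2006-07-07 16:23:08;;192.168.234.202:138;192.168.234.255:138;UDP;Allowed
2006-07-07 20:20:27;;127.0.0.1;192.168.234.201;ICMP;Allowed
2006-07-04 00:00:36;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 04:47:24;;127.0.0.1:4103;239.255.255.250:1900;UDP;Allowed
2006-07-05 18:55:46;;192.168.234.201:3107;70.58.142.60:80;TCP;Allowed
"""

def split_endpoint(ep: str) -> Tuple[ipaddress.IPv4Address, Optional[int]]:
    host, _, port = ep.partition(":")  # ICMP entries carry no port
    return ipaddress.ip_address(host), (int(port) if port else None)

def classify(line: str) -> Dict[str, str]:
    """Parse one log line and label the kind of traffic it records."""
    ts, _, src, dst, proto, action = line.strip().split(";")
    s_ip, s_port = split_endpoint(src)
    d_ip, d_port = split_endpoint(dst)
    ports = {s_port, d_port}
    # Ordered from most specific to least specific rule.
    if d_ip == ipaddress.ip_address("239.255.255.250") and d_port == 1900:
        kind = "ssdp-upnp"          # UPnP discovery group; disable UPnP unless needed
    elif s_ip.is_loopback or d_ip.is_loopback:
        kind = "loopback"           # the host talking to its own interface
    elif s_ip.is_link_local or d_ip.is_link_local:
        kind = "apipa-link-local"   # 169.254/16, DHCP autoconfiguration addresses
    elif ports & {67, 68}:
        kind = "dhcp-bootp"         # lease traffic, normally sent to 255.255.255.255
    elif ports & {137, 138, 139}:
        kind = "netbios"            # NetBIOS name/datagram service chatter
    elif d_ip.is_multicast or \
            d_ip == ipaddress.ip_network(f"{d_ip}/24", strict=False).broadcast_address:
        kind = "broadcast"          # x.x.x.255 treated as broadcast, assuming /24 subnets
    elif d_ip.is_private:
        kind = "lan-unicast"        # RFC 1918 host-to-host, e.g. the router on port 80
    else:
        kind = "external"           # leaves the LAN: the class to look at first
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "action": action, "kind": kind}

def summarize(log: str) -> Dict[str, int]:
    # Entry count per traffic class over the whole log.
    return dict(Counter(classify(l)["kind"] for l in log.splitlines() if l.strip()))

def external_destinations(log: str) -> List[str]:
    # Distinct non-private destination hosts, sorted, for follow-up (whois, reputation).
    entries = [classify(l) for l in log.splitlines() if l.strip()]
    return sorted({e["dst"].partition(":")[0] for e in entries if e["kind"] == "external"})
```

Run summarize() over the real log first: if nearly everything falls into the broadcast, NetBIOS, APIPA and SSDP classes, the volume is LAN chatter, and external_destinations() gives the short list that actually needs attention.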
Re: DDoS attack

Your questions/comments are in italic below with mine in standard. Thank you for taking the time to post, since I've been going insane the past day or two because of this problem.

Quote:
Re: DDoS attack

Quote:

1. A few general things to do security-wise:
* Obviously, get all of your machines patched with the most current critical fixes from the Windows Update site. If your machines are compromised, getting them to current patch levels may close some of the loopholes through which the infection is operating.
* Disable non-critical (and known-to-be-exploited) services such as UPnP, SSDP Discovery, NetBIOS over TCP/IP, etc. A list of Windows services and their recommended settings is here. (Disabling services essentially closes their associated ports.)
* Restrict ports on a per-protocol or per-port basis on your router.

2. Free online virus/malware scanners: see this post

3. Free downloadable trojan/rootkit scanners:
BlackLight - https://europe.f-secure.com/blacklight/
RootKitRevealer - http://www.sysinternals.com/Utilitie...tRevealer.html

4. Antivirus/anti-malware utility linkage: http://www.daniweb.com/techtalkforums/thread27570.html

5. This is usually reserved for our malware forum, but since that may be what we're dealing with, please do the following on one of the possibly-infected computers:
* Download the free HijackThis utility. Once downloaded, follow these instructions to install and run the program:
* Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
* Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here. The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.
Re: DDoS attack

Well, it wasn't a virus, because I completely reformatted the partition on which Windows was installed and it is still occurring. RootkitRevealer, BlackLight and HijackThis revealed nothing. Gah, this is pissing me off so much, I just want to mow down that idiot that caused all this -_-
Re: DDoS attack

I'm a year late to chime in; however, if you are still monitoring this thread, what was your solution? I'm experiencing the same problem. So far, it appears that PeerGuardian is blocking the traffic. What's strange is that the traffic appears even when I do not have a live connection to the Internet (i.e. I boot up with the LAN cable unplugged). This indicates to me it's some kind of spyware/malware/virus queued up trying to transmit. I've run AVG Anti-Rootkit Free (it found nothing), I've run AVG Anti-Spyware (it found nothing), and AVG Anti-Virus (it found nothing). I did notice something curious in my Sygate firewall packet logs: 10.255.255.1 (remote) and the remote port of 67, 255.255.255.255 (local host) and the local port of 68 (the firewall blocked the traffic). I Googled for information on 67-68 and it's listed as Bootstrap Protocol Server and bootpc, 'bootp/dhcp client, bootstrap protocol client'. As you can probably tell from the 10.X.X.X address, I'm on a network that my condo community provides. Any suggestions, much appreciated.
©2003 - 2009 DaniWeb® LLC