Do these recent Netgear DoS attack messages concern you


Elechi Amadi

Aug 12, 2014, 5:58:42 AM
Do these recent Netgear DoS attack messages concern you
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [96.17.148.8], Monday, Aug 11,2014 05:28:45
[DoS attack: Smurf] attack packets in last 20 sec from ip [113.88.232.255], Sunday, Aug 10,2014 11:22:14

I am not in the habit of looking at my Netgear router log files
but I just happened to look and saw those two activities.

Does that mean the router protected me and they didn't get in?
How did they get past the firewall?

Elechi Amadi

Aug 12, 2014, 6:15:59 AM
On Tue, 12 Aug 2014 04:58:42 -0500, Elechi Amadi wrote:

> [DoS attack: FIN Scan] attack packets in last 20 sec from ip [96.17.148.8], Monday, Aug 11,2014 05:28:45
> [DoS attack: Smurf] attack packets in last 20 sec from ip [113.88.232.255], Sunday, Aug 10,2014 11:22:14

I also see very many of these types:
[LAN access from remote] from 209.170.124.118:3075 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:43:44
[LAN access from remote] from 108.45.144.8:3074 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:40:50
[LAN access from remote] from 99.36.167.174:3074 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:40:50

Is a LAN access an actual remote log in?
Or is it just an "attempt" that failed?

(There are dozens of these, from many IP addresses.)
209.170.124.118:3075
108.45.144.8:3074
99.36.167.174:3074
121.106.129.32:3074
178.84.70.34:3074
173.56.240.84:3074
97.117.184.95:3074
70.67.255.19:3074
76.114.14.244:3074
76.14.219.149:3074
68.224.145.151:3074
64.92.6.136:3074
69.62.177.107:3074
68.227.12.157:55042
108.0.102.210:3074
67.174.243.80:3074
24.5.215.179:3074
67.61.57.78:3074
76.164.101.12:3074
98.112.100.125:3074
209.170.124.118:3075
209.170.124.118:3075

Are these actual breaches of security?

Aleksandar Kuktin

Aug 12, 2014, 10:43:36 AM
On Tue, 12 Aug 2014 05:15:59 -0500, Elechi Amadi wrote:

> On Tue, 12 Aug 2014 04:58:42 -0500, Elechi Amadi wrote:
>
>> [DoS attack: FIN Scan] attack packets in last 20 sec from ip
>> [96.17.148.8], Monday, Aug 11,2014 05:28:45 [DoS attack: Smurf] attack
>> packets in last 20 sec from ip [113.88.232.255], Sunday, Aug 10,2014
>> 11:22:14
>
> I also see very many of these types:
> [LAN access from remote] from 209.170.124.118:3075 to 192.168.1.3:3074,
> Tuesday, Aug 12,2014 01:43:44 [LAN access from remote] from
> 108.45.144.8:3074 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:40:50
> [LAN access from remote] from 99.36.167.174:3074 to 192.168.1.3:3074,
> Tuesday, Aug 12,2014 01:40:50
>
> Is a LAN access an actual remote log in?
> Or is it just an "attempt" that failed?

You are confusing too many things.

To "log in", you must "log in" into something. While one could
conceivably log into a LAN, mass IT equipment does not normally have that
capability (as in, they would have nowhere to "log in" into a LAN).

"LAN access" means that someone is able to send packets into the LAN
(read: send them to hosts on the LAN) and receive packets from the LAN.

According to the logs you posted, on several/numerous occasions, your
router "patched" an outside host to a host on the inside. Whether this is
a problem or not depends on whether that particular host (192.168.1.3) is
supposed to be taking inbound connections. Is it?

> (There are dozens of these, from many IP addresses.)
>
> [snip]
>
> Are these actual breaches of security?

A breach means that an attacker managed to get past the perimeter. The
above logs show that a connection (presumably initiated from the outside)
was established on several/many occasions. Again, whether this is a
problem or not depends on whether this is supposed to happen. What is
192.168.1.3? Is it an XBox? Playstation? A PC running a torrent program?
A smartphone running the Skype app? One of those "plug servers", like a
Raspberry Pi or a Sheeva? Is it a media server? A file server? A web
server designed to take in traffic from the outside? There are many
options.

As for a little more color on what is happening, look at the ports they
are trying to connect to:

$ grep '[[:space:]]3074/' /etc/services
xbox            3074/tcp   # Xbox game port
xbox            3074/udp   # Xbox game port

Someone is (presumably) looking for XBoxen. Maybe they just want to play?
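
As an added example (not part of the thread), here is a small Python parser for the two Netgear log formats quoted above. It turns the "[DoS attack: ...]" and "[LAN access from remote]" lines into records and then answers the question this reply raises: which internal host and port the forwarded connections landed on, how many distinct outside addresses hit it, and what service that port normally carries. The sample lines are constructed from the entries posted above (one extra entry and its timestamp are made up, and one junk line is included to show unparseable lines are skipped). The port table is a stand-in for the /etc/services lookup shown in the reply, not a copy of it.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Regexes for the two Netgear message formats quoted in the thread.
DOS_RE = re.compile(
    r"^\[DoS attack: (?P<kind>[^\]]+)\] attack packets in last (?P<window>\d+) sec"
    r" from ip \[(?P<src>[\d.]+)\], (?P<when>.+)$"
)
LAN_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<when>.+)$"
)

# Constructed stand-in for /etc/services; only the entry the reply grepped.
KNOWN_PORTS = {3074: "xbox"}

# Constructed sample: the lines posted above, plus one made-up entry for
# 68.227.12.157 (its timestamp is invented) and one line the parser must skip.
SAMPLE_LOG = """\
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [96.17.148.8], Monday, Aug 11,2014 05:28:45
[DoS attack: Smurf] attack packets in last 20 sec from ip [113.88.232.255], Sunday, Aug 10,2014 11:22:14
[LAN access from remote] from 209.170.124.118:3075 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:43:44
[LAN access from remote] from 108.45.144.8:3074 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:40:50
[LAN access from remote] from 99.36.167.174:3074 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:40:50
[LAN access from remote] from 68.227.12.157:55042 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:39:10
[LAN access from remote] from 209.170.124.118:3075 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:38:02
some unrelated line the router also writes
"""


def parse_when(text):
    # Netgear writes e.g. "Monday, Aug 11,2014 05:28:45" (no space after the comma).
    return datetime.strptime(text, "%A, %b %d,%Y %H:%M:%S")


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = DOS_RE.match(line)
    if m:
        return {"type": "dos", "kind": m["kind"], "src": m["src"],
                "window_sec": int(m["window"]), "when": parse_when(m["when"])}
    m = LAN_RE.match(line)
    if m:
        return {"type": "lan_access", "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "when": parse_when(m["when"])}
    return None


def parse_log(text):
    events = []
    for line in text.splitlines():
        ev = parse_line(line.strip())
        if ev is not None:
            events.append(ev)
    return events


def service_name(port):
    return KNOWN_PORTS.get(port, "unknown")


def summarize_lan_access(events):
    """Group forwarded inbound connections by internal (host, port) so the
    reader can ask the question the reply poses: is that host supposed to be
    taking inbound connections on that port?"""
    by_target = defaultdict(lambda: {"sources": set(), "count": 0})
    for ev in events:
        if ev["type"] != "lan_access":
            continue
        key = (ev["dst"], ev["dport"])
        by_target[key]["sources"].add(ev["src"])
        by_target[key]["count"] += 1
    summary = []
    for (dst, dport), info in sorted(by_target.items()):
        summary.append({
            "dst": dst,
            "dport": dport,
            "service": service_name(dport),
            "connections": info["count"],
            "distinct_sources": len(info["sources"]),
            # True when every source is a public address, i.e. genuinely remote.
            "external_sources": all(
                not ipaddress.ip_address(s).is_private for s in info["sources"]),
        })
    return summary


def summarize_dos(events):
    """Count DoS-classified events per (scan type, source address)."""
    return Counter((ev["kind"], ev["src"]) for ev in events if ev["type"] == "dos")


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for t in summarize_lan_access(events):
        print(f"{t['dst']}:{t['dport']} ({t['service']}): {t['connections']} "
              f"connections from {t['distinct_sources']} distinct sources")
    for (kind, src), n in summarize_dos(events).items():
        print(f"DoS {kind} from {src}: {n}")
```

Run it against a saved copy of the router log instead of SAMPLE_LOG. The per-target summary is what you need to go through the router's configuration and check whether anything directs inbound traffic to that internal host and port; the parser itself only reports what the log says, it cannot tell you whether the forwarding was intended.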

Elechi Amadi

Aug 12, 2014, 3:08:16 PM
On Tue, 12 Aug 2014 14:43:36 +0000, Aleksandar Kuktin wrote:

> According to the logs you posted, on several/numerous occasions, your
> router "patched" an outside host to a host on the inside. Whether this is
> a problem or not depends on whether that particular host (192.168.1.3) is
> supposed to be taking inbound connections. Is it?

It's a Windows XP laptop. It's not "supposed" to be doing anything.
So, I'm not sure what the router "patched", but, whatever it did,
it shouldn't have done.

Is this a problem with Netgear? Should I have gotten a different
router that doesn't patch?

Elechi Amadi

Aug 12, 2014, 3:41:36 PM
On Tue, 12 Aug 2014 14:08:16 -0500, Elechi Amadi wrote:

> It's a Windows XP laptop.

Actually, I just looked and that IP address is no longer
on my system. So, I don't really know "what" it was.

Helmer Bengtsson

Aug 13, 2014, 2:00:11 PM
Elechi Amadi wrote, on Tue, 12 Aug 2014 14:41:36 -0500:

> Actually, I just looked and that IP address is no longer
> on my system. So, I don't really know "what" it was.

Seems to me your computer is unwittingly part of a botnet.
At this point, the only thing you *can* do is wipe out
the operating system.

And flash the router to make sure they're not infecting
your router firmware.