ADSL Tech Question

Guys,

I am getting the following in the logs of my Belkin 7630 ADSL modem /
router.

I help working out what could be causing it would be welcomed.

06.06.2005 17:37:43 **SYN Flood to Host** 192.168.1.241, 3708->>
195.8.181.180, 80 (from ATM1 Outbound)
06.06.2005 17:35:20 **SYN Flood to Host** 192.168.1.241, 3659->>
143.166.224.238, 80 (from ATM1 Outbound)
06.06.2005 16:37:12 **UDP Flood to Host** 192.168.1.40, 1811->>
86.126.28.229, 5736 (from ATM1 Outbound)
06.06.2005 16:25:43 **UDP Flood to Host** 192.168.1.40, 1811->>
81.231.90.64, 30556 (from ATM1 Outbound)
06.06.2005 15:57:11 **UDP Flood to Host** 192.168.1.40, 1811->> 81.99.55.26,
1961 (from ATM1 Outbound)
06.06.2005 15:54:05 **UDP Flood to Host** 192.168.1.40, 1811->>
84.13.210.56, 1412 (from ATM1 Outbound)
06.06.2005 15:38:48 **UDP Flood to Host** 192.168.1.40, 1811->>
84.13.210.56, 1412 (from ATM1 Outbound)


Many thanks,

SB

On Wed, 08 Jun 2005 17:54:07 GMT, "Sean Browne \(Cardiff IT Support
Ltd\)" <(E-Mail Removed)> wrote:

>06.06.2005 17:35:20 **SYN Flood to Host** 192.168.1.241, 3659->>
>143.166.224.238, 80 (from ATM1 Outbound)
>06.06.2005 16:37:12 **UDP Flood to Host** 192.168.1.40, 1811->>
>86.126.28.229, 5736 (from ATM1 Outbound)

you appear to have two PCs with viruses trying to flood outside web
servers with packets in some sort of DOS attack

AIUI the format of the above is

date, time, type of event, source ip, source port,->> destination IP,
destination port, physical connection attack was detected on
(broadband ATM link in this case)

Phil


--
Tiscali - dialup speeds at Broadband prices, see
http://bbs.adslguide.org.uk/postlist...&Board=tiscali

AOL - the unlimited ISP of choice for heavy downloaders.

Phil Thompson <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> you appear to have two PCs with viruses trying to flood outside web
> servers with packets in some sort of DOS attack

The 1.40 is Kazaa not a virus, the giveaway is port 1412, the others will
be people who have reconfigured the port that Kazaa runs on. Kazza is bad
anyway - incase you missed it there was an article on how the servers
keep logs of every search and download request.
If you check the install of Kazaa on the computer at 1.40, you will find
it configured to use port 1811.

The 1.241 doesn't appear to be a virus either - it appears to be an over
sensitive firewall. I bet someone was browsing the Aria website on a page
with a Dell advert (or followed a link to a Dell page) as those are the
two companies that the IPs resolve to.

So basically your firewall's IDS rules look a bit pants because they are
over-reacting. Kazaa and other peer2peer apps are knowing for opening
lots of connections at once, chances are the other two are due to pages
with a large number of images. Your computer sends out loads of requests
for images and it flags that.

--
Colin
*Drop DEAD from the email address to reply*

>> you appear to have two PCs with viruses trying to flood outside web
>> servers with packets in some sort of DOS attack
>
> The 1.40 is Kazaa not a virus, the giveaway is port 1412, the others will
> be people who have reconfigured the port that Kazaa runs on. Kazza is bad


Thanks Guys,

One of the PC's is running DC++ and the other .241 IP is - I think an
additional wireless access point. I will check later when i get to the
office.

An up to date AVG tells me there are no known viruses on my PC's.

Thanks again,
SB