DOS attack logged by Netgear router DG836G

brightside S9
11-22-2011, 05:29 PM
From 19/11/11 at 1610 gmt to 20/11/11 at 0250 gmt my router logged a denial of
service every **10** minutes, +/- 1 second.

*** During these 10 hrs no PC was powered on, but the router is
powered on 24/7 ***

Here is one log entry, all others are the same except date/time:-

UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx.xx,5060
[DOS] UDP Packet -
Source:121.165.117.62,5191
Destination:109.176.xxx.xx,5060 - [DOS]

The destination address is my dynamic IP address, which I have munged.

The logs stopped after the router logged the following:-
Sun, 2011-11-20 02:58:28 - LCP down.
Sun, 2011-11-20 02:58:31 - Initialize LCP.
Sun, 2011-11-20 02:58:31 - LCP is allowed to come up.
Sun, 2011-11-20 02:58:32 - CHAP authentication success
Sun, 2011-11-20 09:45:39 - Administrator login successful -
IP:192.168.0.2

The Sunday morning logon reveals that my dynamic IP address is no
longer that shown in the DOS logs.

Whatever was going on, my ISP has refused to knock off the approx. 2.8GB
of data which has taken me over my usage, as he says the data was voice
and video. I don't have any form of VoIP on my PCs.

The logged ports are, AFAICT, 5060 = name = sip, purpose = sip, and
5191 = name = aol-1, purpose = AmericaOnline1.

So it does look like an attempt to connect for voice (port 5060 =
sip) from an AOL user in Korea.

There are a few questions:

1. How does the Netgear DG836G decide to log a DOS?

2. How could someone using 'voice' manage to get connected to my
dynamic IP when I have, AFAICT, no voip on my PCs, nor in the Netgear
DG836 router?

3. Is there anything that can be done to kill such traffic getting to
my router, other than powering it off?

4. I don't believe I should bear the cost for this problem, whether it
was deliberate or accidental. 2.8GB in 10hr 40 min could have got
even more expensive if I hadn't got a dynamic IP and whatever caused
the router to do a "LCP down" at 02:58 on Sunday morning.
Are there any guidelines for what ISPs should do in this situation?

5. It seems to me that this sort of thing could happen any time and
get expensive. Is there an ISP who could spot this happening and kill
it? I will probably move if there is one.

--
brightside S9
 
The Natural Philosopher
11-22-2011, 05:56 PM
brightside S9 wrote:
> From 19/11/11 at 1610 gmt to 20/11/11 at 0250 gmt my router logged a denial of
> service every **10** minutes, +/- 1 second.
>
> *** During these 10 hrs no PC was powered on, but the router is
> powered on 24/7 ***
>
> Here is one log entry, all others are the same except date/time:-
>
> UDP Packet -
> Source:121.165.117.62,5191
> Destination:109.176.xxx.xx,5060
> [DOS] UDP Packet -
> Source:121.165.117.62,5191
> Destination:109.176.xxx.xx,5060 - [DOS]
>
> The destination address is my dynamic IP address, which I have munged.
>
> The logs stopped after the router logged the following:-
> Sun, 2011-11-20 02:58:28 - LCP down.
> Sun, 2011-11-20 02:58:31 - Initialize LCP.
> Sun, 2011-11-20 02:58:31 - LCP is allowed to come up.
> Sun, 2011-11-20 02:58:32 - CHAP authentication success
> Sun, 2011-11-20 09:45:39 - Administrator login successful -
> IP:192.168.0.2
>
> The Sunday morning logon reveals that my dynamic IP address is no
> longer that shown in the DOS logs.
>
> Whatever was going on, my ISP has refused to knock off the approx. 2.8GB
> of data which has taken me over my usage, as he says the data was voice
> and video. I don't have any form of VoIP on my PCs.
>
> The logged ports are, AFAICT, 5060 = name = sip, purpose = sip, and
> 5191 = name = aol-1, purpose = AmericaOnline1.
>


The source port is almost irrelevant, but it's a weird port to be getting
a DOS attack on.

> So it does look like an attempt to connect for voice ( port 5060 =
> sip) from an AOL user in Korea.
>

No, it's from a user in Korea. Source ports are usually random.

IPv4 Address : 121.160.0.0 - 121.191.255.255 (/11)
Service Name : KORNET
Organization Name : Korea Telecom
Organization ID : ORG1600
Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
Zip Code : 463-711
Registration Date : 20061106


> There are a few of questions:
>
> 1. How does the Netgear DG836G decide to log a DOS?
>

I would GUESS when more than X packets in Y time hit a port that's not
in use or known to it.


> 2. How could someone using 'voice' manage to get connected to my
> dynamic IP when I have, AFAICT, no voip on my PCs, nor in the Netgear
> DG836 router?
>

They didn't get connected. They merely threw a load of UDP packets at you.

Why, lord alone knows. One suspects they were trying to phone someone
and had the wrong ip address.

Or it was just plain malice, or they were hoping for some kind of stress
based attack.

Or you have some malware on your PCs you don't know about, but in that
case you should have seen bursts of outbound traffic.


> 3. Is there anything that can be done to kill such traffic getting to
> my router, other powering it off?
>


Nothing at all.

Although if you are on a dynamic address, resynching to a different one
is a good idea.

> 4. I don't believe I should bear the cost for this problem, whether it
> was deliberate or accidental. 2.8GB in 10hr 40 min could have got
> even more expensive if I hadn't got a dynamic IP and whatever caused
> the router to do a "LCP down" at 02:58 on Sunday morning.
> Are there any guidelines for what ISPs should do in this situation?
>


Nope. They transferred the packets to you. You threw them away. It costs
them to do it. Who should pay? You? all their other customers?


> 5. It seems to me that this sort of thing could happen any time and
> get expensive. Is there an ISP who could spot this happening and kill
> it, I will probably move if there is one?
>


Pretty damned hard frankly. You MIGHT set up your own NAT router online
somewhere on a virtual host and run your own firewall, but it's getting
VERY complicated.

The beauty of using VOIP packets is that most ISPs will give them top
priority. After all, the guy MIGHT have been phoning you.

What is more worthwhile and may yet happen is that ISPs will offer user
level firewalling at their site so you can at least block this crap at
'ISP central' rather than in your own home, so to speak. As they do with spam.


Tell you what though, look at this


#telnet 121.165.117.62
Trying 121.165.117.62...
Connected to 121.165.117.62.
Escape character is '^]'.
Fedora release 12 (Constantine)
Kernel 2.6.32.14-127.fc12.i686.PAE on an i686 (3)
login:

So, guys, this site has an open TELNET login on a box running Red Hat...

I leave the rest to you


 
Gordon Henderson
11-22-2011, 06:19 PM
brightside S9 wrote:
>From 19/11/11 at 1610 gmt to 20/11/11 at 0250 gmt my router logged a denial of
>service every **10** minutes, +/- 1 second.
>
>*** During these 10 hrs no PC was powered on, but the router is
>powered on 24/7 ***
>
>Here is one log entry, all others are the same except date/time:-
>
>UDP Packet -
>Source:121.165.117.62,5191
>Destination:109.176.xxx.xx,5060
>[DOS] UDP Packet -
>Source:121.165.117.62,5191
>Destination:109.176.xxx.xx,5060 - [DOS]


It's probably a sipvicious attack. Google it.

However SV usually attacks faster than that - I've seen it max out at
about 300/sec.

But basically you're screwed over for the duration of the attack.

>Whatever was going on, my ISP has refused to knock off the approx. 2.8GB
>of data which has taken me over my usage, as he says the data was voice
>and video. I don't have any form of VoIP on my PCs.


Yup. Most ISPs just don't give a shit. They don't care. I've had customer
sites that had to apply top-up payments to their ISPs just to keep their
services open until the attack subsides. 3 days is the longest I've seen.

However are you sure you don't run any SIP services?

Sipvicious checks beforehand and will only launch a full-on attack if it
thinks there is a SIP PBX of some sort behind the IP address.

>3. Is there anything that can be done to kill such traffic getting to
>my router, other powering it off?


If it is sipvicious then you can sometimes crash it - you need to get
the sv source code (it's hosted on google) and run the crash program
(you'll need a PC with python). However it doesn't always work.

>4. I don't believe I should bear the cost for this problem, whether it
>was deliberate or accidental. 2.8GB in 10hr 40 min could have got
>even more expensive if I hadn't got a dynamic IP and whatever caused
>the router to do a "LCP down" at 02:58 on Sunday morning.
>Are there any guidelines for what ISPs should do in this situation?


No - and they don't care either. My experience is that knowing a techie
inside the ISP helped to get it blocked, or going with an ISP that
actually cares might help, but most don't and you'll find it almost
impossible to get past the customer support firewall.

>5. It seems to me that this sort of thing could happen any time and
>get expensive. Is there an ISP who could spot this happening and kill
>it, I will probably move if there is one?


AAISP is probably the best there is, but they're reassuringly expensive.

Gordon
 
The Natural Philosopher
11-22-2011, 06:39 PM
Gordon Henderson wrote:
> It's probably a sipvicious attack. Google it.
>
> However SV usually attacks faster than that - I've seen it max out at
> about 300/sec.
>
> However are you sure you don't run any SIP services?
>
> Sipvicious checks beforehand and will only launch a full-on attack if it
> thinks there is a SIP PBX of some sort behind the IP address.
>
> If it is sipvicious then you can sometimes crash it - you need to get
> the sv source code (it's hosted on google) and run the crash program
> (you'll need a PC with python). However it doesn't always work.

I've scouted around the machine at the far end, and it appears to be a
brand new unfirewalled Linux installation.

It's got a bare web server, and telnet and ftp access.

Now if it's the same machine that was launching the DOS attacks it's wide
open itself, and may well have been rootkitted already.

Now your knowledge has added to the picture: sipvicious is indeed
something that may be on that box; it's available as a Linux tool.

So maybe it's some pimply Korean hacker who left a scanner running on
his vulnerable Linux box :-)

Over to you to run a zillion name/password combos on the telnet port :-)

Andy Champ
11-22-2011, 07:01 PM
On 22/11/2011 18:56, The Natural Philosopher wrote:
>
> so guys this site has an open TELNET login on a box running redhat...
>
> I leave the rest to you


That may well be how the malware got into his machine.

Andy
 
The Natural Philosopher
11-22-2011, 08:25 PM
Andy Champ wrote:
> On 22/11/2011 18:56, The Natural Philosopher wrote:
>>
>> so guys this site has an open TELNET login on a box running redhat...
>>
>> I leave the rest to you

>
> That may well be how the malware got into his machine.
>
> Andy

Well, port 25 was open, so 'root' now has a warning email.
 
Gordon Freeman
11-23-2011, 12:29 AM
brightside S9 wrote:

> From 19/11/11 at 1610 gmt to 20/11/11 at 0250 gmt my router denial of
> service every **10** minutes, +/- 1 second..
>
> *** During these 10 hrs no PC was powered on, but the router is
> powered on 24/7 ***


If you have limited bandwidth allowance then it's best to turn off the
router when you're not using your computer, then no data can be sent since
there will be no internet connection and no IP address assigned to your
account at those times. Turning off the router also saves electricity!

 
R. Mark Clayton
11-23-2011, 01:31 AM
Oh dear a conspiracy theorist.

Firstly, something that comes in every 0.1 s is probably a DOS attack, but every 10
minutes - hardly. Nor could this possibly account for 2.8GB in 10 hours -
probably not even 2.8MB.

What has probably happened.

A VoIP user in South Korea has registered his VoIP phone, and it would appear
likely from the same short IP address as you. The connection has been
broken, so every ten minutes or so his SIP server is trying to re-establish
the connection and [by chance] the 'poll' is coming to you rather than where he
was.

Try ringing it!

OTOH your PC probably has an unrelated 'bot
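Two of the arguments in this thread can be checked mechanically against the log itself: The Natural Philosopher's guess that the router flags "more than X packets in Y time", and R. Mark Clayton's point that one packet every ten minutes cannot add up to 2.8GB. The following is an added example, not the router's firmware logic and not code from any poster. It parses entries in the exact format quoted above, applies an assumed threshold of 10 packets within 60 seconds (the DG836G's real heuristic is not documented on this page), and puts an upper bound on the bytes the logged packets could have carried. The timestamps are constructed to match the OP's description of one entry every ten minutes; the destination is left munged as in the post. The byte bound only holds if the router logs every packet rather than one entry per burst, which is the thing to establish before arguing the bill with the ISP.

```python
"""Parse Netgear-style "[DOS]" log entries, test them against a simple
rate heuristic, and bound the traffic they could have carried.

Added example for this thread; not the router's firmware logic and not
code from any poster. The entry format is copied from the router log
quoted in the thread. Timestamps are constructed (one entry per 10 min).
PACKETS/WINDOW_SECONDS are an assumed threshold.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>UDP|TCP) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+)\s+"
    r"Destination:(?P<dst>[\w.]+),(?P<dport>\d+) - \[DOS\]$"
)
TS_FMT = "%a, %Y-%m-%d %H:%M:%S"        # same shape as the router's LCP lines
MAX_IPV4_DATAGRAM = 65535                # largest datagram one entry could be

# Assumed heuristic ("X packets in Y time"): 10 packets inside 60 seconds.
PACKETS, WINDOW_SECONDS = 10, 60


def make_sample(n=64, interval_s=600, start=datetime(2011, 11, 19, 16, 10)):
    """Constructed sample log: n entries, interval_s apart, router format.
    Source address/ports and the munged destination are as quoted in the post."""
    return "\n".join(
        f"{start + timedelta(seconds=interval_s * i):{TS_FMT}} - UDP Packet - "
        "Source:121.165.117.62,5191 Destination:109.176.xxx.xx,5060 - [DOS]"
        for i in range(n)
    )


def parse_log(text):
    """One dict per matching entry; other lines (LCP, admin login) are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e.pop("ts"), TS_FMT)
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events


def intervals(events):
    """Seconds between consecutive entries, in log order."""
    times = [e["time"] for e in events]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def flood_detected(events, packets=PACKETS, window_s=WINDOW_SECONDS):
    """True if any (source, destination port) pair logged at least `packets`
    entries inside a sliding window of `window_s` seconds."""
    per_flow = defaultdict(list)
    for e in events:
        per_flow[(e["src"], e["dport"])].append(e["time"])
    window = timedelta(seconds=window_s)
    for times in per_flow.values():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            if right - left + 1 >= packets:
                return True
    return False


def max_bytes(events, per_packet=MAX_IPV4_DATAGRAM):
    """Upper bound on bytes the logged packets could carry, assuming every
    packet produced an entry and each was the largest IPv4 datagram allowed."""
    return len(events) * per_packet


def summarize(text, claimed_bytes=2.8e9):
    """Headline numbers for a log: entry count, gap range, flood verdict,
    and whether the logged packets could cover the ISP's claimed volume."""
    events = parse_log(text)
    gaps = intervals(events)
    return {
        "entries": len(events),
        "min_gap_s": min(gaps) if gaps else None,
        "max_gap_s": max(gaps) if gaps else None,
        "flood": flood_detected(events),
        "max_bytes": max_bytes(events),
        "covers_claimed": max_bytes(events) >= claimed_bytes,
    }


if __name__ == "__main__":
    print(summarize(make_sample()))
```

On the constructed ten-minute sample the sliding window never holds more than one packet, so the assumed heuristic would not fire, and even granting every logged packet the full 65535-byte IPv4 maximum the 64 entries bound out at about 4MB, three orders of magnitude short of 2.8GB. A 300-per-second burst of the kind Gordon describes trips the same heuristic immediately.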
 
Soruk
11-23-2011, 08:14 AM
On 2011-11-22, Gordon Henderson wrote:
> It's probably a sipvicious attack. Google it.
>
> However SV usually attacks faster than that - I've seen it max out at
> about 300/sec.
>
> But basically you're screwed over for the duration of the attack.

When someone tries this against my little Geode VoIP server at home
(which needs to be net-visible to support remote extensions) I have
a script that watches the log so that when any failed login attempt comes
in it's promptly firewalled (yes, this doesn't stop the attack, but it
eases the CPU load so my tiny box can continue to work as it should),
and the automated attacks usually stop after that. If someone is being
persistent, sending a single UDP packet of junk at that IP and port
tends to make SipVicious stop in its tracks. Any UDP flood tool will
have the desired effect, and it could be possible to modify it to
send a single packet instead of a short flood of them.

I would have my Asterisk box do that automagically, but unfortunately
it doesn't write the source port in its logs.

--
-- Michael "Soruk" McConnell Eridani Star System
MailStripper - http://www.MailStripper.eu/ - SMTP spam filter
Second Number - http://secondnumber.matrixnetwork.co.uk/
Matrix Dial: International Calls - http://www.matrixdial.co.uk/
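Soruk's log-watching script is not posted, so here is an added example of the same idea, written for this thread and not taken from his system or from Asterisk: it parses chan_sip "Registration from ... failed for ..." NOTICE lines, counts failures per source address, skips an allow-list of your own remote extensions so a fat-fingered password does not lock out a legitimate phone, and emits iptables DROP rules. The log lines are constructed in the shape Asterisk 1.x chan_sip writes; because older builds omit the source port (the limitation he mentions), the port is optional in the parser and the block is by source address only, which is why a single junk UDP packet back at the scanner cannot be automated from these logs. The allow-list, threshold and SIP port are assumptions.

```python
"""Fail2ban-style watcher for SIP registration failures: parse Asterisk
chan_sip NOTICE lines, count failures per source address, and emit
iptables rules for the offenders.

Added example for this thread; not Soruk's script and not Asterisk code.
SAMPLE_LOG is constructed in the shape Asterisk 1.x chan_sip writes
(source port present in some builds, absent in others). ALLOW and the
threshold are assumed values.
"""
import re
import shlex
import subprocess
from collections import Counter

FAIL_RE = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?' - (?P<reason>.*)$"
)

# Constructed sample: three probes from one address (a scanner walking
# extension names), one mistyped password from a legitimate remote phone,
# and a successful registration line that must not match.
SAMPLE_LOG = """\
[Nov 23 08:14:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[Nov 23 08:14:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Nov 23 08:14:03] NOTICE[1234] chan_sip.c: Registration from '"admin" <sip:admin@203.0.113.5>' failed for '198.51.100.7:5060' - Username/auth name mismatch
[Nov 23 08:20:11] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '203.0.113.9' - Wrong password
[Nov 23 08:20:12] VERBOSE[1234] -- Registered SIP '200' at 203.0.113.9 port 5060
"""

# Addresses of your own remote extensions (assumed): never block these,
# even when a user mistypes a password.
ALLOW = {"203.0.113.9"}


def parse_failures(text):
    """Return (ip, port_or_None, reason) for each failed-registration line."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            port = int(m.group("port")) if m.group("port") else None
            out.append((m.group("ip"), port, m.group("reason")))
    return out


def offenders(failures, threshold=1, allow=frozenset()):
    """Source addresses with >= threshold failures, minus the allow-list.
    Soruk blocks on the first failure, hence threshold=1 by default."""
    counts = Counter(ip for ip, _port, _reason in failures if ip not in allow)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def iptables_rules(bad, port=5060):
    """Drop further SIP signalling from each offender. The match is by
    address only, because the source port is not always in the log."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
            for ip in sorted(bad)]


def apply_rules(rules, dry_run=True):
    """Run the rules (needs root); with dry_run they are only returned."""
    if not dry_run:
        for rule in rules:
            subprocess.run(shlex.split(rule), check=True)
    return rules


if __name__ == "__main__":
    bad = offenders(parse_failures(SAMPLE_LOG), allow=ALLOW)
    for rule in apply_rules(iptables_rules(bad)):
        print(rule)
```

Run it against a real log with `tail -F` feeding stdin and `dry_run=False` once the allow-list holds every address your own phones register from; inserting the rule at the head of INPUT (`-I`) matters, since an `-A` appended after an existing ACCEPT for 5060 would never be reached.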
 
brightside S9
11-23-2011, 09:04 AM
On Wed, 23 Nov 2011 02:31:56 -0000, "R. Mark Clayton" wrote:

>Oh dear a conspiracy theorist.


What conspiracy am I theorising?
>
>Firstly, something that comes in every 0.1 s is probably a DOS attack, but every 10
>minutes - hardly. Nor could this possibly account for 2.8GB in 10 hours -
>probably not even 2.8MB.


I don't know how the router decides to log a 'DOS' attack, I did ask.
The only information I have is the router log, the IP addresses and
the data amount from my ISP. So I have the numbers you don't.


>
>What has probably happened.
>
>A VoIP user in South Korea has registered his VoIP phone, and it would appear
>likely from the same short IP address as you. The connection has been
>broken, so every ten minutes or so his SIP server is trying to re-establish
>the connection and [by chance] the 'poll' is coming to you rather than where he
>was.
>
>Try ringing it!


With what? I did say I have no VoIP stuff on my PC and wouldn't know
how to set it up or use it, so what am I supposed to ring?


>OTOH your PC probably has an unrelated 'bot


Well, I did say my PCs were turned off during the time the router was
logging. You obviously haven't read (or understood, more likely) the
original post.

Not a helpful top posted reply.

--
brightside S9
 