Is my router under attack?

I'm an NTL cable modem customer have also posted the following on an NTL
discussion group:

I am using a Netgear WGR614 wireless router connected to a Motorola
Surfboard cable modem. I'm connected to the 1MB service.

During the last few days I have noticed that the Internet activity light is
flickering away even when none of the networked PCs are switched on. I have
also had to reset (power cycle) the router occasionally - something that has
not been necessary before.

The wireless section of the router is set to maximum security (128bit WEP,
Mac addresses of connected machines required, etc.) and no unwanted wireless
guests are showing up on the status and log resources.

Maybe an unconnected problem, but I'll mention it anyway - I have noticed
that visiting one particular site (one that I visit routinely as part of my
work) now seems to co-incide with Internet access dying, requiring a router
reset.

Is this all a bit mysterious?

Any insight into the above would be very welcome. I'm based in the Hemel
Hempstead (NTL Luton?) area.

Thanks in advance,

Ian

Ian Burley wrote:

> I'm an NTL cable modem customer have also posted the following on an NTL
> discussion group:
>
> I am using a Netgear WGR614 wireless router connected to a Motorola
> Surfboard cable modem. I'm connected to the 1MB service.
>
> During the last few days I have noticed that the Internet activity light
> is flickering away even when none of the networked PCs are switched on. I
> have also had to reset (power cycle) the router occasionally - something
> that has not been necessary before.
>
> The wireless section of the router is set to maximum security (128bit WEP,
> Mac addresses of connected machines required, etc.) and no unwanted
> wireless guests are showing up on the status and log resources.
>
> Maybe an unconnected problem, but I'll mention it anyway - I have noticed
> that visiting one particular site (one that I visit routinely as part of
> my work) now seems to co-incide with Internet access dying, requiring a
> router reset.
>
> Is this all a bit mysterious?

If your running Linux there is a good diagnostic program to exam the
traffic, sorry can't remember the name it was in last month's linuc format.

>
> Any insight into the above would be very welcome. I'm based in the Hemel
> Hempstead (NTL Luton?) area.
>
> Thanks in advance,
>
> Ian

--
Lioncom adsl 4 port router, Nildram adsl running on Redhat 7.3. You can see
and hear me and my pal Joe Longthorne on uktalent.org.

Ian Burley wrote:
> I'm an NTL cable modem customer have also posted the following on an NTL
> discussion group:
>
> I am using a Netgear WGR614 wireless router connected to a Motorola
> Surfboard cable modem. I'm connected to the 1MB service.
>
> During the last few days I have noticed that the Internet activity light is
> flickering away even when none of the networked PCs are switched on. I have
> also had to reset (power cycle) the router occasionally - something that has
> not been necessary before.
>
> The wireless section of the router is set to maximum security (128bit WEP,
> Mac addresses of connected machines required, etc.) and no unwanted wireless
> guests are showing up on the status and log resources.
>
> Maybe an unconnected problem, but I'll mention it anyway - I have noticed
> that visiting one particular site (one that I visit routinely as part of my
> work) now seems to co-incide with Internet access dying, requiring a router
> reset.
>
> Is this all a bit mysterious?
>
> Any insight into the above would be very welcome. I'm based in the Hemel
> Hempstead (NTL Luton?) area.
>
> Thanks in advance,
>
I would have thought it more likely to be some spyware or trojan on a PC.
Try running AdAware AND Spybot Search & Destroy and see if anything turns up.

This is an area where a good personal firewall is useful as you can spot
such problems immediately.

--
Julian Knight, http://www.knightnet.org.uk/
Sheffield, United Kingdom
Security, Directory, Messaging, Network & PC Consultant
Instant Messaging:Jabber=(E-Mail Removed), Yahoo!=knighjm

No, it's inbound packets from NTL. The activity is intense even when no
local network PCs are switched on.

Ian

"Julian Knight" <news003@[127.0.0.1]> wrote in message
news:Mrjtc.8768$(E-Mail Removed)...
> Ian Burley wrote:
> > I'm an NTL cable modem customer have also posted the following on an NTL
> > discussion group:
> >
> > I am using a Netgear WGR614 wireless router connected to a Motorola
> > Surfboard cable modem. I'm connected to the 1MB service.
> >
> > During the last few days I have noticed that the Internet activity light
is
> > flickering away even when none of the networked PCs are switched on. I
have
> > also had to reset (power cycle) the router occasionally - something that
has
> > not been necessary before.
> >
> > The wireless section of the router is set to maximum security (128bit
WEP,
> > Mac addresses of connected machines required, etc.) and no unwanted
wireless
> > guests are showing up on the status and log resources.
> >
> > Maybe an unconnected problem, but I'll mention it anyway - I have
noticed
> > that visiting one particular site (one that I visit routinely as part of
my
> > work) now seems to co-incide with Internet access dying, requiring a
router
> > reset.
> >
> > Is this all a bit mysterious?
> >
> > Any insight into the above would be very welcome. I'm based in the Hemel
> > Hempstead (NTL Luton?) area.
> >
> > Thanks in advance,
> >
> I would have thought it more likely to be some spyware or trojan on a PC.
> Try running AdAware AND Spybot Search & Destroy and see if anything turns
up.
>
> This is an area where a good personal firewall is useful as you can spot
> such problems immediately.
>
> --
> Julian Knight, http://www.knightnet.org.uk/
> Sheffield, United Kingdom
> Security, Directory, Messaging, Network & PC Consultant
> Instant Messaging:Jabber=(E-Mail Removed), Yahoo!=knighjm

We've analysed the packets and around half of them aren't admitted past the
router's firewall.

Ian

"Tiny Ramsden" <(E-Mail Removed)> wrote in message
news:40b5b3da$0$6333$(E-Mail Removed). ..
> Ian Burley wrote:
>
> > I'm an NTL cable modem customer have also posted the following on an NTL
> > discussion group:
> >
> > I am using a Netgear WGR614 wireless router connected to a Motorola
> > Surfboard cable modem. I'm connected to the 1MB service.
> >
> > During the last few days I have noticed that the Internet activity light
> > is flickering away even when none of the networked PCs are switched on.
I
> > have also had to reset (power cycle) the router occasionally - something
> > that has not been necessary before.
> >
> > The wireless section of the router is set to maximum security (128bit
WEP,
> > Mac addresses of connected machines required, etc.) and no unwanted
> > wireless guests are showing up on the status and log resources.
> >
> > Maybe an unconnected problem, but I'll mention it anyway - I have
noticed
> > that visiting one particular site (one that I visit routinely as part of
> > my work) now seems to co-incide with Internet access dying, requiring a
> > router reset.
> >
> > Is this all a bit mysterious?
>
> If your running Linux there is a good diagnostic program to exam the
> traffic, sorry can't remember the name it was in last month's linuc
format.
>
> >
> > Any insight into the above would be very welcome. I'm based in the Hemel
> > Hempstead (NTL Luton?) area.
> >
> > Thanks in advance,
> >
> > Ian
>
> --
> Lioncom adsl 4 port router, Nildram adsl running on Redhat 7.3. You can
see
> and hear me and my pal Joe Longthorne on uktalent.org.

Ian Burley wrote:
> No, it's inbound packets from NTL. The activity is intense even when no
> local network PCs are switched on.
>
Ah, OK. Then it is possible that something is probing your address though
it may well be a misconfigured piece of network infrastructure somewhere
rather than an attack. The only real way to tell is to accept some of the
packets and do an analysis with Ethereal or something similar.

--
Julian Knight, http://www.knightnet.org.uk/
Sheffield, United Kingdom
Security, Directory, Messaging, Network & PC Consultant
Instant Messaging:Jabber=(E-Mail Removed), Yahoo!=knighjm

On Thu, 27 May 2004 16:11:50 +0100, "Ian Burley"
<(E-Mail Removed)> wrote:

>No, it's inbound packets from NTL. The activity is intense even when no
>local network PCs are switched on.

its just the usual ARP traffic. Forget about it.

Theres always a certain amount of background low-level traffic imho.

For example: if you use a P2P network or a network game and shut down your
PC, for a few minutes afterwards your router might be getting some UDP
traffic of other peers trying to contact your software.
Think of all the people on the net, imagine how many of them might be doing
pings, running port scanners, analysing IP addresses bla bla bla whatever
people get up to.
Then theres your ISP: may be checking your IP is still alive and there is a
device connected?
I don't know if any IM services do this: after you sign out of their network
or don't sign out gracefully do they attempt to contact your IP?
Are there any other users who know your IP address who are attempting to
contact services you run?
Does your router run any Dynamic DNS updater services? Does it use RIP? BGP?
NNTP?

There are billions and billions of possibilities. Just add up the traffic
from those above or a different combination of others. You get the picture
of how much background activity goes on. I frequently see my router blinking
late at night when all the computers are dark and silent. You could always
configure a disconnect-if-idle timeout if you don't like it.


--
-Lawrence Stromski.
http://www.wc3.co.uk
http://www.helpforce.com
"Mark McIntyre" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Thu, 27 May 2004 16:11:50 +0100, "Ian Burley"
> <(E-Mail Removed)> wrote:
>
> >No, it's inbound packets from NTL. The activity is intense even when no
> >local network PCs are switched on.
>
> its just the usual ARP traffic. Forget about it.
>

I wouldn't worry about it. I use NTL broadband too and with a Limksys
Wireless Broadband Router and even if I power off all of my PCs the cable
modem still shows constant activity. Whatever it is, it's normal.

"Ian Burley" <(E-Mail Removed)> wrote in message
news:ZP6tc.104$qM2.38@newsfe4-gui...
....
> During the last few days I have noticed that the Internet activity light
is
> flickering away even when none of the networked PCs are switched on. I
have
> also had to reset (power cycle) the router occasionally - something that
has
> not been necessary before.
....