DOS attack logged by Netgear router DG836G

Discussion in 'Broadband' started by brightside S9, Nov 22, 2011.

  1. From 19/11/11 at 1610 gmt to 20/11/11 at 0250 gmt my router denial of
    service every **10** minutes, +/- 1 second..

    *** During these 10 hrs no PC was powered on, but the router is
    powered on 24/7 ***

    Here is one log entry, all others are the same except date/time:-

    UDP Packet -
    Source:121.165.117.62,5191
    Destination:109.176.xxx. xx,5060
    [DOS] UDP Packet -
    Source:121.165.117.62,5191
    Destination:109.176.xxx.xx,5060 - [DOS]

    The destination address is my dynamic IP address, which I have munged.

    The logs stopped after the router logged the following:-
    Sun, 2011-11-20 02:58:28 - LCP down.
    Sun, 2011-11-20 02:58:31 - Initialize LCP.
    Sun, 2011-11-20 02:58:31 - LCP is allowed to come up.
    Sun, 2011-11-20 02:58:32 - CHAP authentication success
    Sun, 2011-11-20 09:45:39 - Administrator login successful -
    IP:192.168.0.2

    The Sunday morning logon reveals that my dynamic IP address is no
    longer that shown in the DOS logs.

    Whatever was going on my ISP has refused to knock off the approx 2.8GB
    of data which has taken me over my usage as he says the data was voice
    and video. I dont have any form of voip on my PCs.

    The logged ports are AFAICT are 5060 = name = sip, purpose = sip, and
    5191= name = aol-1, purpose = AmericaOnline1.

    So it does look like an attempt to connect for voice ( port 5060 =
    sip) from an AOL user in Korea.

    There are a few of questions:

    1. How does the Netgear DG836G decide to log a DOS?

    2. How could someone using 'voice' manage to get connected to my
    dynamic IP when I have, AFAICT, no voip on my PCs, nor in the Netgear
    DG836 router?

    3. Is there anything that can be done to kill such traffic getting to
    my router, other powering it off?

    4. I don't believe I should bear the cost for this problem, whether it
    was deliberate or accidental. 2.8GB in 10hr 40 min could have got
    even more expensive if I hadn't got a dynamic IP and whatever caused
    the router to do a "LCP down" at 02:58 on Sunday morning.
    Are there any guidelines for what ISPs should do in this situation?

    5. It seems to me that this sort of thing could happen any time and
    get expensive. Is there an ISP who could spot this happening and kill
    it, I will probably move if there is one?
     
    brightside S9, Nov 22, 2011
    #1
    1. Advertisements

  2. The source port is almost irrelevant, but its a weird port to be getting
    a DOSattak on.
    No, its from a user in korea. Sorce ports are usually randowm

    IPv4 Address : 121.160.0.0 - 121.191.255.255 (/11)
    Service Name : KORNET
    Organization Name : Korea Telecom
    Organization ID : ORG1600
    Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
    Zip Code : 463-711
    Registration Date : 20061106

    I would GUESS when more than X packets in Y time hit a port that's not
    in use or known to it.

    They didn't get connected. They merely threw a load of UDP packets at you.

    Why, lord alone knows. One suspects they were trying to phone someone
    and had the wrong ip address.

    Or it was just plain malice, or they were hoping for some kind of stress
    based attack.

    Or you have some malware on your PCs you don't know about..but in that
    case you should have seen bursts of outbound traffic.

    Nothing at all.

    Although if you are on a dynamic address, resynching to a different one
    is a good idea.
    Nope. They transferred the packets to you. You threw them away. It costs
    them to do it. Who should pay? You? all their other customers?

    Pretty damned hard frankly. You MIGHT set up our won NAT router online
    somewhere on a virtual host and run your own firewall.. but its getting
    VERY complicated.

    The beauty of using VOIP packets is that most ISPs will give them top
    priority. After all, they guy MIGHT have been phoning you.

    What is more worthwhile and may yet happen is that ISPs will offer user
    level firewalling at their site so you can at least block this crap at
    'ISP central' rather than in our own home so to speak. As they do with spam.


    Tell you what though, look at this


    #telnet 121.165.117.62
    Trying 121.165.117.62...
    Connected to 121.165.117.62.
    Escape character is '^]'.
    Fedora release 12 (Constantine)
    Kernel 2.6.32.14-127.fc12.i686.PAE on an i686 (3)
    login:

    so guys this site has an open TELNET login on a box running redhat...

    I leave the rest to you
     
    The Natural Philosopher, Nov 22, 2011
    #2
    1. Advertisements

  3. It's probably a sipvicious attack. Google it.

    However SV usually attacks faster than that - I've seen it max out at
    about 300/sec.

    But basically you're screwed over for the duration of the attack.
    Yup. Most ISPs just don't give a shit. They don't care. I've had customer
    sites had to apply top-up payments to their ISPs just to keep their
    services open until the attack subsides. 3 days is the longest I've seen.

    However are you sure you don't run any SIP services?

    Sipvicious checks beforehand and will only launch a full-on attack if it
    thinks there is a SIP PBX of some sort behind the IP address.
    If it is sipvicious then you can sometimes crash it - you need to get
    the sv source code (it's hosted on google) and run teh crash program.
    (you'll need a PC with python) however it doesn't always work
    No - and they don't care either. My exprience is that knowing a techie
    inside the ISP helped to get it blocked, or going with an ISP that
    actually cares might help, but most don't and you'll find it almost
    impossible to get past the customer support firewall.
    AAISP is probably the best there is, but they're reassuringly expensive.

    Gordon
     
    Gordon Henderson, Nov 22, 2011
    #3
  4. I've scouted around the machine at the far end, and it appears to be a
    brand new unfirewalled Linux installation.

    Its got a bare web server, and telnet and ftp access.

    Now if its the same machine that was launching the DOS attacks its wide
    open itself, and may well have been rootkitted already.

    Now your knowledge has added to the picture..sipvicious is indeed
    something that may be on that box.. its available as a linux tool.

    So maybe its some pimply korean hacker who left a scanner running..on
    his vulnerable Linix box :)

    Over to you to run a zillion name/password combos on the telnet port :)
     
    The Natural Philosopher, Nov 22, 2011
    #4
  5. brightside S9

    Andy Champ Guest

    That may well be how the malware got into his machine.

    Andy
     
    Andy Champ, Nov 22, 2011
    #5
  6. well port 25 was open, so 'root' now has a warning email.
     
    The Natural Philosopher, Nov 22, 2011
    #6
  7. If you have limited bandwidth allowance then it's best to turn off the
    router when you're not using your computer, then no data can be sent since
    there will be no internet connection and no IP address assigned to your
    account at those times. Turning off the router also saves electricity!
     
    Gordon Freeman, Nov 23, 2011
    #7
  8. Oh dear a conspiracy theorist.

    Firstly some that comes in every 0.1S is probably a DOS attack, but every 10
    minutes - hardly. NOR could this possibly account for 2.8Gb in 10 hours -
    probably not even 2.8Mb.

    What has probably happened.

    A Voip user in South Korea has registered his Voip phone and it would appear
    likely from the same short IP address as you. The connection has been
    broken, so every ten minutes or so his SIP server is trying to re-establish
    the connect and [by chance] the 'poll' is coming to you rather than where he
    was.

    Try ringing it!

    OTOH your PC probably has an unrelated 'bot

     
    R. Mark Clayton, Nov 23, 2011
    #8
  9. brightside S9

    Soruk Guest

    When someone tries this against my little Geode VoIP server at home
    (which needs to be net-visible to support remote extensions) I have
    a script that watches the log so when any failed login attempt comes
    in it's promptly firewalled (yes, this doesn't stop the attack but it
    eases the CPU load so my tiny box can continue to work as it should),
    and the automated attacks usually stop after that. If someone is being
    persistent sending a single UDP packet of junk at that IP and port
    tends to make SipVicious stop in its tracks. Any UDP flood tool will
    have the desired effect, and it could be possible to modify it to
    send a single packet instead of a short flood of them.

    I would have my Asterisk box do that automagically but unfortunately
    it doesn't write the source port in its logs :(
     
    Soruk, Nov 23, 2011
    #9
  10. What conspiracy am I theorising?
    I don't know how the router decides to log a 'DOS' attack, I did ask.
    The only information I have is the router log, the IP addresses and
    the data amount from my ISP. So I have the numbers you don't.

    With what. I did say I have no voip stuff on my PC and wouldn't know
    how to set it up or use it, so what am I suypposed to ring?

    Well I did say my PCs were turned off during the time the router was
    logging. You obviously haven't read (or understood, more likely, the
    original post).

    Not a helpful top posted reply.


     
    brightside S9, Nov 23, 2011
    #10
  11.  
    Monsieur Merde, Nov 23, 2011
    #11
  12. Thanks for that, Ii understand a little better what was happening.
     
    brightside S9, Nov 23, 2011
    #12
  13. I have asked, the techie understood the problem, but couldn't give me
    an answer. It looks like pay out for more data, I've 3 weeks to go
    befor the end of my billing period!
    Yes. if it happens again I will contact them and ask how they would
    handle the situation.

    Thanks for the time and trouble to explain what might have been going
    on.
     
    brightside S9, Nov 23, 2011
    #13
  14. That is a sure way to stop it and I'll look at putting the router on a
    radio controlled mains switch, but it if I could make my router
    demand a new dynamic IP address, say every hour, that would also stop
    it gobbling up my allowance. I can do this manually from the router
    connection status panel, but some automatic timed disconnect /
    reconnect when the PCs are switched off would be a more suitable
    solution. Is that possible to do in the Netgear DG834G, or indeed in
    any router (at a suitable price for a home user)?

    This little episode gobbled up data at ~ 270MB / hour, (on a BB link
    with synch speed generally ~ 2400Kbps, and has never exceeded
    2600Kbps). I could live with that, hitting my usage for 1 hour and the
    hope that the new IP address didn't get picked up.
     
    brightside S9, Nov 23, 2011
    #14
  15. That you were suffering a DoS attack from South Korea.
    You might have Voip in your mobile. or run something temporarily.
    Yes the router is logging a short poll every ten minutes - perhaps 1Mb per
    hour at worst.

    The 2.8Gb will have some other cause perhaps a bot operating when your
    computer IS on.
     
    R. Mark Clayton, Nov 24, 2011
    #15
  16. Is your router in some hard to access location? With mine I simply flip
    the router off at the mains switch after I've turned the computer off.

    However I recall hearing of a smart mains switch or extension lead which
    will turn a whole set of appliances off when it detects that one master
    device has been turned off or put into standby mode.

    I'd be wary of telling the router to disconnect and reconnect too
    frequently though, the DSLAM is liable to think the router is having
    difficulty maintaining a connection and will lower your BRAS profile.
     
    Gordon Freeman, Nov 24, 2011
    #16
  17. A very old version of DeadRat at that...
     
    Mike Tomlinson, Nov 24, 2011
    #17
  18. yes.. its about 3 years behind the bleeding edge.

    Should work OK then :)
     
    The Natural Philosopher, Nov 24, 2011
    #18
  19. telnet to the router and at the shell prompt type:
    iptables -nvL DOS
    to see the firewall rules which determine what a DOS is.

    [ I'm not familiar with the 836G, this is from a DG834GT ]
     
    Andrew Benham, Nov 24, 2011
    #19
  20. brightside S9

    Andy Champ Guest

    I have one of these. The PC is the master, the screen, printer, etc are
    all slaves...
    .... except that the router isn't switched.

    Andy
     
    Andy Champ, Nov 24, 2011
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.