DoS investigation
February 26, 2006 4:17 AM Subscribe
My router logs show that I have been under what looks like a sustained low level DOS attack for quite a while now. An example entry is:
1 Blocked by DoS protection 10.69.0.1
I assume the IP is spoofed because it is a reserved IP and I am on a 192.168.*.* local network. What can I find out or determine about the attack? What tools and resources are available?
Generally, if you're under a DOS attack, you'll know it, because nothing will work right. A low-level DoS attack means nothing... it has to be high-level to be a DoS!
It's possible you're intercepting spoofed packets. It's also entirely possible that 10.69.0.1 is a router address in your provider's network. Routers don't have to have globally-routable addresses. The Net usually doesn't need to reach a router, it just has to reach YOU, so your ISP's routers can carry public IP traffic over private IP addresses.
By itself, the message you're repeating here isn't enough for an actual diagnosis. But chances are pretty good that it's some kind of signaling message coming from your provider's network... it's very possible that it's being improperly blocked by your firewall. (BlackIce Defender was particularly notable for false positives, as an example.)
If there's any more info, please feel free to post it. Otherwise... I wouldn't worry too much. I get, geeze, hundreds if not thousands of scans a day here, the vast majority of which are looking for ancient exploits that don't work anymore.
I turned off logging on my home firewall long ago, just from the sheer noise volume.
posted by Malor at 4:30 AM on February 26, 2006
It's possible you're intercepting spoofed packets. It's also entirely possible that 10.69.0.1 is a router address in your provider's network. Routers don't have to have globally-routable addresses. The Net usually doesn't need to reach a router, it just has to reach YOU, so your ISP's routers can carry public IP traffic over private IP addresses.
By itself, the message you're repeating here isn't enough for an actual diagnosis. But chances are pretty good that it's some kind of signaling message coming from your provider's network... it's very possible that it's being improperly blocked by your firewall. (BlackIce Defender was particularly notable for false positives, as an example.)
If there's any more info, please feel free to post it. Otherwise... I wouldn't worry too much. I get, geeze, hundreds if not thousands of scans a day here, the vast majority of which are looking for ancient exploits that don't work anymore.
I turned off logging on my home firewall long ago, just from the sheer noise volume.
posted by Malor at 4:30 AM on February 26, 2006
If you're on a cable modem, chances are you are being port scanned thousands of times a day. Not really a big deal, it happens.
posted by mathowie at 7:33 AM on February 26, 2006
posted by mathowie at 7:33 AM on February 26, 2006
Response by poster: It was the overzealous Belkin router firewall mentioned in the thread found by the wheaty agropyron.
posted by srboisvert at 7:44 AM on February 26, 2006
posted by srboisvert at 7:44 AM on February 26, 2006
There is an astounding amount of random traffic out there on the net. Some of it is attempts to get in, some of it is mistakes, some is curiosity, some is your own ISP poking around in the system for their own purposes. Some is the byproduct of bots and worms, some of it you'll never really know. If your IP address changes, you could be looking at leftover connection attempts from gamers or music services that had that number before you.
If you're interested there are resources available for looking into it, but how much of your life do you want to devote to it? So long as they don't get in you can just ignore it.
posted by Ken McE at 6:26 PM on February 26, 2006
If you're interested there are resources available for looking into it, but how much of your life do you want to devote to it? So long as they don't get in you can just ignore it.
posted by Ken McE at 6:26 PM on February 26, 2006
This thread is closed to new comments.
Assuming you're on a cable modem or DSL network, it's possible that your ISP uses 10.0.0.0 address space for something, and it's being routed by their routers. Try tracerouting to that IP and see if you get anywhere.
Upon googling your log message, I found this thread, which opines:
1) the 10.x.x.x range is apparently used by the cable companies to handle the routers between their "head end" routers and customers. The devices in these subnets apparently don't need published domain names. Security is improved, as each of these subnets becomes something of a private cell that people can't reach from outside it, and as you noted, it also lets the cable companies save routable IP addresses.
2) the volume of hits I'm seeing: 5 a second from one router, and a short 5-ping burst once a minute from another, are apparently normal router traffic (e.g., ARP broadcast, port scans, etc.).
3) the fact that the Belkin firewall sees this as an attack is apparently just the firewall being a bit overzealous in blocking outside traffic. I did some searching, and saw others complaining about earlier Belkin models doing the exact same thing - filling up the logs with normal WAN / ISP traffic when there was no problem.
So - conclusion seems to be that there is no problem from the outside. If I can live with the fact that my logs fill and flush any meaningful entry every few minutes (which means I couldn't trace a REAL attack unless I happened to catch it when it happened and save the log really quickly), then everything is working just fine.
posted by agropyron at 4:28 AM on February 26, 2006