Tech Support Guy > Networking
UDP Flood attack

01993james (THREAD STARTER) - Junior Member with 7 posts. Join Date: Mar 2010. Experience: Advanced
31-Mar-2010, 11:59 AM #1
I've recently switched from a BT Home Hub (which broke [stopped giving out more than 1 bar of signal]) back to our old Belkin router (model #F5D7632-4).

I can access the internet for about 5 minutes before I lose it and get "could not connect" type messages from my browser. After investigating further I noticed something interesting in the router's security log: a UDP flood. I'll put the log below:

Code:
03/31/2010  17:29:33 **UDP Flood to Host** 192.168.2.2, 56853->> 158.43.240.4, 53 (from ATM1 Outbound)
03/31/2010  17:29:32 **UDP Flood to Host** 192.168.2.2, 56853->> 194.72.0.98, 53 (from ATM1 Outbound)
03/31/2010  17:29:31 **UDP Flood to Host** 192.168.2.2, 56853->> 8.8.8.8, 53 (from ATM1 Outbound)
03/31/2010  17:29:22 **SYN Flood to Host** 192.168.2.2, 50549->> 72.21.81.133, 80 (from ATM1 Outbound)
03/31/2010  17:29:05 192.168.2.2 login success
03/31/2010  17:29:00 NTP Date/Time updated.   
08/01/2003  00:00:16 If(ATM1) PPP connection ok !
08/01/2003  00:00:15 ATM1 get IP:86.146.56.136
08/01/2003  00:00:13 ATM1 start PPP           
08/01/2003  00:00:13 ADSL Media Up !          
08/01/2003  00:00:01 sending ACK to 192.168.2.2
There's also a SYN flood just before the others.

Anyone have a clue about why this might be happening? Am I on the receiving end of someone just having fun giving me a DDoS attack, or have I got a dodgy configuration somewhere? I've scanned my computer with AVG to no avail.

Oh, also, I can still access the internet wirelessly, even when the internet is unavailable on the wired computer.

EDIT: here's a pingtest result. Yes, that is 96% packet loss.

EDIT2: latest security log:
Code:
03/31/2010  19:11:51 **SYN Flood to Host** 192.168.2.2, 51439->> 72.21.81.133, 80 (from ATM1 Outbound)
03/31/2010  19:10:02 **UDP Flood to Host** 192.168.2.2, 8080->> 213.229.66.233, 8080 (from ATM1 Outbound)
03/31/2010  19:06:31 sending ACK to 192.168.2.4
03/31/2010  19:06:31 sending OFFER to 192.168.2.4
03/31/2010  18:51:32 sending ACK to 192.168.2.3
03/31/2010  18:48:36 **UDP Flood to Host** 192.168.2.2, 59068->> 158.43.240.4, 53 (from ATM1 Outbound)
03/31/2010  18:48:35 **UDP Flood to Host** 192.168.2.2, 63235->> 194.72.0.98, 53 (from ATM1 Outbound)
03/31/2010  18:48:34 **UDP Flood to Host** 192.168.2.2, 58891->> 8.8.8.8, 53 (from ATM1 Outbound)
03/31/2010  18:01:53 sending ACK to 192.168.2.5
03/31/2010  17:54:14 192.168.2.2 login success 
03/31/2010  17:54:10 sending ACK to 192.168.2.5
03/31/2010  17:53:32 **SYN Flood to Host** 192.168.2.2, 51078->> 72.21.81.133, 80 (from ATM1 Outbound)
03/31/2010  17:53:29 sending ACK to 192.168.2.3
03/31/2010  17:52:54 NTP Date/Time updated.    
08/01/2003  00:00:20 If(ATM1) PPP connection ok !
08/01/2003  00:00:19 ATM1 get IP:86.128.35.104 
08/01/2003  00:00:14 ATM1 start PPP            
08/01/2003  00:00:14 ADSL Media Up !           
08/01/2003  00:00:03 sending ACK to 192.168.2.2

Last edited by 01993james; 31-Mar-2010 at 01:15 PM..
zx10guy - Trusted Advisor with 4,095 posts. Join Date: Mar 2008
31-Mar-2010, 12:30 PM #2
Are you running any peer to peer software?
01993james (THREAD STARTER)
31-Mar-2010, 01:09 PM #3
No. I saw a thread saying that p2p might be the problem, but I haven't run utorrent in AGES; plus, the security log says ports 80 and 53, which aren't p2p ports.
zx10guy
31-Mar-2010, 01:13 PM #4
Well, you have something screwy going on with whatever PC is sitting on 192.168.2.2, because the traffic is originating from that box going outbound. The only time I've seen this type of behavior is if there is some sort of peer to peer software running on that box or the box has been compromised in some fashion. Since you said you haven't run utorrent in ages, this would indicate to me that at some time you had it running on this computer.
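The security-log lines in post #1 are short enough to read by hand, but the point zx10guy makes in post #4 (for an Outbound entry, the LAN address on the left of "->>" is the host that sent the flagged traffic) is easier to check mechanically across a longer log. Below is an added Python example, not code from the original thread or from Belkin: it parses the "**... Flood to Host**" lines in the format shown in the post, groups them by LAN source host, protocol and destination port, and lists the distinct destinations and client source ports per destination port. The regular expression is an assumption about the format, derived only from the lines posted; the sample log is copied from the first log in post #1, and every other kind of log line is skipped.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the first security log in post #1
# (Belkin F5D7632-4 format). Entries dated before "NTP Date/Time updated."
# carry the router's default boot date rather than the real date.
SAMPLE_LOG = """\
03/31/2010  17:29:33 **UDP Flood to Host** 192.168.2.2, 56853->> 158.43.240.4, 53 (from ATM1 Outbound)
03/31/2010  17:29:32 **UDP Flood to Host** 192.168.2.2, 56853->> 194.72.0.98, 53 (from ATM1 Outbound)
03/31/2010  17:29:31 **UDP Flood to Host** 192.168.2.2, 56853->> 8.8.8.8, 53 (from ATM1 Outbound)
03/31/2010  17:29:22 **SYN Flood to Host** 192.168.2.2, 50549->> 72.21.81.133, 80 (from ATM1 Outbound)
03/31/2010  17:29:05 192.168.2.2 login success
03/31/2010  17:29:00 NTP Date/Time updated.
08/01/2003  00:00:16 If(ATM1) PPP connection ok !
08/01/2003  00:00:01 sending ACK to 192.168.2.2
"""

# Assumed line shape, inferred from the posted lines (other firmware may differ):
#   <date>  <time> **<UDP|SYN> Flood to Host** <src>, <sport>->> <dst>, <dport> (from <iface> <Inbound|Outbound>)
FLOOD_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\*\*(?P<kind>UDP|SYN) Flood to Host\*\*\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<sport>\d+)->>\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<dport>\d+)\s+"
    r"\(from (?P<iface>\S+) (?P<direction>Inbound|Outbound)\)$"
)

PROTO = {"UDP": "udp", "SYN": "tcp"}  # a SYN flood alert concerns TCP


def parse_flood_events(log_text):
    """Return one dict per flood alert line; every other log line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = FLOOD_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["proto"] = PROTO[ev["kind"]]
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def alerts_by_lan_host(events):
    """Outbound alerts grouped as LAN source host -> (proto, dport) -> count.

    For Outbound entries the address left of '->>' is the LAN host that sent
    the packets, so the keys name the machines worth inspecting."""
    summary = defaultdict(Counter)
    for ev in events:
        if ev["direction"] == "Outbound":
            summary[ev["src"]][(ev["proto"], ev["dport"])] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def destinations(events, dport):
    """Distinct remote hosts flagged for a given destination port."""
    return {ev["dst"] for ev in events if ev["dport"] == dport}


def source_ports(events, dport):
    """Distinct client source ports used toward a destination port.

    One source port reused against several destinations is what a single
    client socket retrying looks like; many different source ports means a
    separate socket per attempt, so the two patterns are worth telling apart."""
    return {ev["sport"] for ev in events if ev["dport"] == dport}


if __name__ == "__main__":
    evs = parse_flood_events(SAMPLE_LOG)
    for host, counts in alerts_by_lan_host(evs).items():
        for (proto, port), n in sorted(counts.items()):
            print(f"{host}: {n} {proto}/{port} alert(s) to {sorted(destinations(evs, port))}, "
                  f"from source port(s) {sorted(source_ports(evs, port))}")
```

Run against the posted log this reports a single LAN host, 192.168.2.2, with three udp/53 alerts to three different resolvers from one source port and one tcp/80 alert; pasting in the longer second log from the edit to post #1 works the same way, since the alert lines there have the same shape.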
01993james (THREAD STARTER)
31-Mar-2010, 01:19 PM #5
IP 192.168.2.2 is the computer which I can't access the internet on.
And yes, to confirm, I have run utorrent before.

Should I try running a few antivirus scans with stuff like MBAM and Kaspersky?
zx10guy
31-Mar-2010, 01:21 PM #6
Yes. You can try that. But personally, when a box gets compromised, it's a total rebuild for me. Meaning, the entire box is going to get wiped and reloaded.
Saga Lout - Senior Member with 3,791 posts. Join Date: Sep 2004. Location: Newport Pagnell, England. Experience: Intermediate
31-Mar-2010, 01:25 PM #7
Oh dear - your location could have something to do with it. Without giving out any personal information, roughly how far within that fifty miles of an MK server are you? Ten miles or so to the south and you might have been affected by the damage caused to some cabling yesterday. In the MK area itself, it could just be the cheapskate aluminium cables they used when putting in the infrastructure.

01993james (THREAD STARTER)
31-Mar-2010, 01:27 PM #8
Sigh, but it's only like 1-2 months old. I might try a system restore to the earliest time I have.

When you say compromised, do you mean virus or what? because if it is a virus, then I'm sure it can be removed. :S
01993james (THREAD STARTER)
31-Mar-2010, 01:31 PM #9
@saga lout

I am about 30 miles west by south west, which is not far north west of oxford.

still a chance? I'm not sure it would cause a problem like this though :S
Saga Lout
31-Mar-2010, 01:44 PM #10
Quote: Originally Posted by 01993james
@saga lout

I am about 30 miles west by south west, which is not far north west of oxford.

still a chance? I'm not sure it would cause a problem like this though :S

Probably not then - that problem was to the South by the A5 road. Reading the thread through again, your problem is internal. Are there three machines in the Network?

zx10guy
31-Mar-2010, 01:57 PM #11
Quote: Originally Posted by 01993james
Sigh, but its only like 1-2 months old. I might try a system restore to the earliest time I have.

When you say compromised, do you mean virus or what? because if it is a virus, then I'm sure it can be removed. :S
A system restore might help. Something is going on where there is something running on your box sending out this traffic in enough quantity where your router is flagging it as a UDP flood. This behavior is unusual in any normal circumstance even if there is some sort of OS issue. Hence why I feel the box has some sort of malware issue with it.

In regards to running anti-virus/anti-malware tools, it may remove the offending code and then again it may not. Too many people put too much emphasis on these things. The tools are only as good as their signature files and modeling engines. If there is some new virus out in the wild which no one has been able to detect yet, guess what....

That's why I say to be sure, you need to do a complete wipe and reload. This is also why I run utilities like Deep Freeze and do periodic images of my laptop which I use to touch the internet. If anything goes wrong, all I have to do is re-image the hard drive. I also don't keep any data on the hard drive. All data is saved off on thumb drives, external hard drives, or my central file server.

And I doubt this is a hardware issue.
01993james (THREAD STARTER)
31-Mar-2010, 02:02 PM #12
Quote: Originally Posted by Saga Lout
Probably not then - that problem was to the South by the A5 road. Reading the thread through again, your problem is internal. Are there three machines in the Network?

192.168.2.2 - Nero
192.168.2.3 - foo
192.168.2.4 - lappie
192.168.2.5 - iPod-touch

those are clients listed by my router. Nero is the "infected" one, foo is downstairs as a desktop, and lappie is guess what - a laptop.
01993james (THREAD STARTER)
31-Mar-2010, 02:19 PM #13
Quote: Originally Posted by zx10guy (post #11 above, quoted in full)
Ok, well I'm running MBAM now. I'll see what crops up.

I image my computer, but due to the fact that I only have a 500GB external drive, I can only store 1 image, and I choose to keep it updated in case of a hdd failure or something like that.

Also: I want a file server! I've thought of getting windows home server a few times before :3
Tags
ddos, flood, router, syn, upd
