
UDP Flood attack

Discussion in 'Networking' started by 01993james, Mar 31, 2010.

Thread Status:
Not open for further replies.
  1. 01993james

    01993james Thread Starter

    Joined:
    Mar 31, 2010
    Messages:
    7
    I've recently switched from a BT homehub (which broke [stopped giving out more than 1 bar of signal]) back to our old Belkin router (model #F5D7632-4).

    I can access the internet for about 5 minutes before I lose it and get "could not connect" type messages from my browser. After investigating further I noticed something interesting in the router's security log: a UDP flood. I'll put the log below:

    Code:
    03/31/2010  17:29:33 **UDP Flood to Host** 192.168.2.2, 56853->> 158.43.240.4, 53 (from ATM1 Outbound)
    03/31/2010  17:29:32 **UDP Flood to Host** 192.168.2.2, 56853->> 194.72.0.98, 53 (from ATM1 Outbound)
    03/31/2010  17:29:31 **UDP Flood to Host** 192.168.2.2, 56853->> 8.8.8.8, 53 (from ATM1 Outbound)
    03/31/2010  17:29:22 **SYN Flood to Host** 192.168.2.2, 50549->> 72.21.81.133, 80 (from ATM1 Outbound)
    03/31/2010  17:29:05 192.168.2.2 login success
    03/31/2010  17:29:00 NTP Date/Time updated.   
    08/01/2003  00:00:16 If(ATM1) PPP connection ok !
    08/01/2003  00:00:15 ATM1 get IP:86.146.56.136
    08/01/2003  00:00:13 ATM1 start PPP           
    08/01/2003  00:00:13 ADSL Media Up !          
    08/01/2003  00:00:01 sending ACK to 192.168.2.2
    There's also a SYN flood just before the others.

    Anyone have a clue about why this might be happening? Am I on the receiving end of someone just having fun giving me a DDOS attack, or have I got a dodgy configuration somewhere? I've scanned my computer with AVG to no avail.

    Oh, also, I can still access the internet wirelessly, even when the internet is unavailable on the wired computer.

    EDIT: here's a pingtest result. Yes, that is 96% packet loss.

    EDIT2: latest security log:
    Code:
    03/31/2010  19:11:51 **SYN Flood to Host** 192.168.2.2, 51439->> 72.21.81.133, 80 (from ATM1 Outbound)
    03/31/2010  19:10:02 **UDP Flood to Host** 192.168.2.2, 8080->> 213.229.66.233, 8080 (from ATM1 Outbound)
    03/31/2010  19:06:31 sending ACK to 192.168.2.4
    03/31/2010  19:06:31 sending OFFER to 192.168.2.4
    03/31/2010  18:51:32 sending ACK to 192.168.2.3
    03/31/2010  18:48:36 **UDP Flood to Host** 192.168.2.2, 59068->> 158.43.240.4, 53 (from ATM1 Outbound)
    03/31/2010  18:48:35 **UDP Flood to Host** 192.168.2.2, 63235->> 194.72.0.98, 53 (from ATM1 Outbound)
    03/31/2010  18:48:34 **UDP Flood to Host** 192.168.2.2, 58891->> 8.8.8.8, 53 (from ATM1 Outbound)
    03/31/2010  18:01:53 sending ACK to 192.168.2.5
    03/31/2010  17:54:14 192.168.2.2 login success 
    03/31/2010  17:54:10 sending ACK to 192.168.2.5
    03/31/2010  17:53:32 **SYN Flood to Host** 192.168.2.2, 51078->> 72.21.81.133, 80 (from ATM1 Outbound)
    03/31/2010  17:53:29 sending ACK to 192.168.2.3
    03/31/2010  17:52:54 NTP Date/Time updated.    
    08/01/2003  00:00:20 If(ATM1) PPP connection ok !
    08/01/2003  00:00:19 ATM1 get IP:86.128.35.104 
    08/01/2003  00:00:14 ATM1 start PPP            
    08/01/2003  00:00:14 ADSL Media Up !           
    08/01/2003  00:00:03 sending ACK to 192.168.2.2
     
  2. zx10guy

    zx10guy Trusted Advisor

    Joined:
    Mar 30, 2008
    Messages:
    4,371
    Are you running any peer to peer software?
     
  3. 01993james

    01993james Thread Starter

    Joined:
    Mar 31, 2010
    Messages:
    7
    No, I saw a thread saying that p2p might be the problem, but I haven't run utorrent in AGES, plus, in the security log it says ports 80 and 53, which aren't p2p ports.
     
  4. zx10guy

    zx10guy Trusted Advisor

    Joined:
    Mar 30, 2008
    Messages:
    4,371
    Well, you have something screwy going on with whatever PC is sitting on 192.168.2.2, because the traffic is originating from that box going outbound. The only time I've seen this type of behavior is if there is some sort of peer to peer software running on that box or the box has been compromised in some fashion. Since you said you haven't run utorrent in ages, this would indicate to me that at some time you had it running on this computer.
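To check the point zx10guy is making from the log itself (every alert names 192.168.2.2 as the source and says "Outbound"), here is a small Python parser added to this thread as an illustration; it was not posted by anyone in the thread and is not part of the Belkin firmware. It reads the security-log lines quoted above, ignores the DHCP/NTP/login noise, and summarizes the flood alerts per LAN host, destination port and destination. The regular expression is fitted to the exact wording of the lines in this thread (an assumption for other firmware versions), and the sample input is those same quoted lines rather than a live capture.

```python
import re
from collections import Counter, defaultdict

# Sample input: the flood and non-flood lines quoted from the Belkin router's
# security log earlier in this thread (both dumps), not a live capture.
SAMPLE_LOG = """\
03/31/2010  17:29:33 **UDP Flood to Host** 192.168.2.2, 56853->> 158.43.240.4, 53 (from ATM1 Outbound)
03/31/2010  17:29:32 **UDP Flood to Host** 192.168.2.2, 56853->> 194.72.0.98, 53 (from ATM1 Outbound)
03/31/2010  17:29:31 **UDP Flood to Host** 192.168.2.2, 56853->> 8.8.8.8, 53 (from ATM1 Outbound)
03/31/2010  17:29:22 **SYN Flood to Host** 192.168.2.2, 50549->> 72.21.81.133, 80 (from ATM1 Outbound)
03/31/2010  17:29:05 192.168.2.2 login success
03/31/2010  17:29:00 NTP Date/Time updated.
03/31/2010  19:11:51 **SYN Flood to Host** 192.168.2.2, 51439->> 72.21.81.133, 80 (from ATM1 Outbound)
03/31/2010  19:10:02 **UDP Flood to Host** 192.168.2.2, 8080->> 213.229.66.233, 8080 (from ATM1 Outbound)
03/31/2010  19:06:31 sending ACK to 192.168.2.4
03/31/2010  18:48:36 **UDP Flood to Host** 192.168.2.2, 59068->> 158.43.240.4, 53 (from ATM1 Outbound)
03/31/2010  18:48:35 **UDP Flood to Host** 192.168.2.2, 63235->> 194.72.0.98, 53 (from ATM1 Outbound)
03/31/2010  18:48:34 **UDP Flood to Host** 192.168.2.2, 58891->> 8.8.8.8, 53 (from ATM1 Outbound)
03/31/2010  17:53:32 **SYN Flood to Host** 192.168.2.2, 51078->> 72.21.81.133, 80 (from ATM1 Outbound)
"""

# Pattern fitted to the "**UDP/SYN Flood to Host**" lines quoted in the thread;
# other firmware versions may word the line differently (assumption).
FLOOD_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\*\*(?P<kind>UDP|SYN) Flood to Host\*\*\s+"
    r"(?P<src>\d+(?:\.\d+){3}),\s*(?P<sport>\d+)->>\s*"
    r"(?P<dst>\d+(?:\.\d+){3}),\s*(?P<dport>\d+)\s+"
    r"\(from (?P<iface>\S+) (?P<direction>\w+)\)$"
)

# Service names for the destination ports that appear in the thread's log.
PORT_NAMES = {53: "dns", 80: "http", 8080: "http-alt"}


def parse_flood_events(text):
    """Return one dict per flood alert; lines that are not flood alerts are skipped."""
    events = []
    for raw in text.splitlines():
        m = FLOOD_RE.match(raw.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def summarize_by_source(events):
    """Group alerts by the LAN host the router names as the source."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev["src"], {
            "events": 0, "outbound": 0,
            "kinds": Counter(), "dports": Counter(),
            "destinations": defaultdict(set),
        })
        s["events"] += 1
        if ev["direction"] == "Outbound":
            s["outbound"] += 1
        s["kinds"][ev["kind"]] += 1
        s["dports"][ev["dport"]] += 1
        s["destinations"][ev["dport"]].add(ev["dst"])
    return summary


def shared_socket_bursts(events):
    """Alerts that reuse one (src, sport) pair against several destinations.

    A single source port walking several servers within seconds is what one
    process looks like when it tries each configured DNS resolver in turn,
    which separates 'one stuck client' from many independent flows.
    """
    by_socket = defaultdict(set)
    for ev in events:
        by_socket[(ev["src"], ev["sport"])].add(ev["dst"])
    return {sock: dsts for sock, dsts in by_socket.items() if len(dsts) > 1}


def format_report(summary):
    """Human-readable per-host summary, one block per LAN source."""
    lines = []
    for host, s in summary.items():
        lines.append(f"{host}: {s['events']} alerts, {s['outbound']} outbound, "
                     f"kinds={dict(s['kinds'])}")
        for port, n in sorted(s["dports"].items()):
            dsts = ", ".join(sorted(s["destinations"][port]))
            lines.append(f"  port {port} ({PORT_NAMES.get(port, '?')}): {n} alerts -> {dsts}")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_flood_events(SAMPLE_LOG)
    print(format_report(summarize_by_source(evs)))
    print("shared-socket bursts:", shared_socket_bursts(evs))
```

Run against the quoted log, the report shows a single LAN source, all ten alerts outbound, six of them DNS queries to the three resolvers (8.8.8.8 and the two BT ones), three SYNs to one HTTP host and one UDP burst to port 8080. The first dump is also notable because the three DNS alerts share source port 56853 and are one second apart, which is one resolver socket trying each configured DNS server in turn rather than unrelated traffic; that, plus the 96% packet loss, is consistent with something on the PC retrying hard, not with an inbound attack, which is why the next step in the thread is to look at the PC rather than the router.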
     
  5. 01993james

    01993james Thread Starter

    Joined:
    Mar 31, 2010
    Messages:
    7
    IP 192.168.2.2 is the computer which I can't access the internet on.
    And yes, to confirm, I have run utorrent before.

    Should I try running a few antivirus scans with stuff like MBAM and Kaspersky?
     
  6. zx10guy

    zx10guy Trusted Advisor

    Joined:
    Mar 30, 2008
    Messages:
    4,371
    Yes. You can try that. But personally, when a box gets compromised, it's a total rebuild for me. Meaning, the entire box is going to get wiped and reloaded.
     
  7. Saga Lout

    Saga Lout

    Joined:
    Sep 15, 2004
    Messages:
    3,791
    Oh dear - your location could have something to do with it. Without giving out any personal information, roughly how far within that fifty miles of an MK server are you? Ten miles or so to the south and you might have been affected by the damage caused to some cabling yesterday. In the MK area itself, it could just be the cheapskate aluminium cables they used when putting in the infrastructure.

     
  8. 01993james

    01993james Thread Starter

    Joined:
    Mar 31, 2010
    Messages:
    7
    Sigh, but it's only like 1-2 months old. I might try a system restore to the earliest time I have.

    When you say compromised, do you mean a virus or what? Because if it is a virus, then I'm sure it can be removed. :S
     
  9. 01993james

    01993james Thread Starter

    Joined:
    Mar 31, 2010
    Messages:
    7
    @saga lout

    I am about 30 miles west by south west, which is not far north-west of Oxford.

    Still a chance? I'm not sure it would cause a problem like this though :S
     
  10. Saga Lout

    Saga Lout

    Joined:
    Sep 15, 2004
    Messages:
    3,791

    Probably not then - that problem was to the South by the A5 road. Reading the thread through again, your problem is internal. Are there three machines in the Network?

     
  11. zx10guy

    zx10guy Trusted Advisor

    Joined:
    Mar 30, 2008
    Messages:
    4,371
    A system restore might help. Something is going on where there is something running on your box sending out this traffic in enough quantity where your router is flagging it as a UDP flood. This behavior is unusual in any normal circumstance even if there is some sort of OS issue. Hence why I feel the box has some sort of malware issue with it.

    In regards to running anti-virus/anti-malware tools, it may remove the offending code and then again it may not. Too many people put too much emphasis on these things. The tools are only as good as their signature files and modeling engines. If there is some new virus out in the wild which no one has been able to detect yet, guess what....

    That's why I say to be sure, you need to do a complete wipe and reload. This is also why I run utilities like Deep Freeze and do periodic images of my laptop which I use to touch the internet. If anything goes wrong, all I have to do is re-image the hard drive. I also don't keep any data on the hard drive. All data is saved off on thumb drives, external hard drives, or my central file server.

    And I doubt this is a hardware issue.
     
  12. 01993james

    01993james Thread Starter

    Joined:
    Mar 31, 2010
    Messages:
    7
    192.168.2.2 - Nero
    192.168.2.3 - foo
    192.168.2.4 - lappie
    192.168.2.5 - iPod-touch

    those are clients listed by my router. Nero is the "infected" one, foo is downstairs as a desktop, and lappie is guess what - a laptop.
     
  13. 01993james

    01993james Thread Starter

    Joined:
    Mar 31, 2010
    Messages:
    7
    Ok, well I'm running MBAM now. I'll see what crops up.

    I image my computer, but due to the fact that I only have a 500GB external drive, I can only store 1 image, and I choose to keep it updated in case of a hdd failure or something like that.

    Also: I want a file server! I've thought of getting windows home server a few times before :3
     

Short URL to this thread: https://techguy.org/913839