andyosira
2008-11-19, 19:22
Hi
Just a quickie - I am a newbie to this forum so apologies if I am posting my question in the wrong place. I have checked the suggested threads to add to but none of them are this basic!
I am getting masses of smurfing (ICMP), SYN flood and IP spoofing attacks as shown in the intrusion detector logs of the wireless router, and my cable ISP (Virgin Media in the UK) is having a hard time helping me. Even their high-up IT security analysts make sucking noises like posh plumbers giving out quotes for work on your bathroom. I have come to the conclusion they have no idea for a fix. The original IP they had me on has been binned, I am assured, but now the prob is getting worse -
Their supplied cable modem (Motorola SB5200i) is coaxed to their roadside junction box, and an ethernet cable connects this modem to my Buffalo AirStation wireless router WAN port. The Buffalo alleges it has a firewall, the two WinXP SP3 laptops are firewalled, use Spybot, McAfee etc., and have had all trojans etc. removed recently - the iPhone I can't tell, and the Apple Mac I also use is in stealth mode setting with its ipfw firewall, no UDP traffic even ....
here's the weird bit -
Even when the UBRs hand me a brand new IP address (and I have had to moan for a week now to get them to do that), within seconds of the cable modem being turned on I get IP spoofing attacks from 10.88.0.1 and then usually the SYN flood, followed by the smurf attacks, followed by the occasional NMAP port scanning etc.... see below, pls comment, and if I am in the wrong place please accept my apologies and let me know where I should be posting this.
Oh yeah - the symptoms are typical - can't log on, slow internet, wireless router too busy handing out ACKs to the SYN flood to concentrate on giving me service!! - the WinXP lappies can be the worst to hook up to the network and thus the internet, hanging for a while with the error 'acquiring network address' (my assumption is they are just not being assigned IP addresses by the Buffalo wireless router?)
These logs represent a small snapshot - in one 72 hr period I got over 10500 IP spoof attacks, and all the SYN floods and smurfing were from totally random IPs (hundreds).
Thanks,
AndyO
Attack type             Source IP         Destination IP    Start                 End                   Count
SMURF attack            82.44.241.42      82.44.75.97       2008/11/19 17:19:47   2008/11/19 17:19:47   1
TCP SYN FLOOD attack    172.21.231.24     82.44.75.97       2008/11/19 17:04:26   2008/11/19 17:04:26   1
TCP SYN FLOOD attack    172.21.83.12      82.44.75.97       2008/11/19 16:34:28   2008/11/19 16:34:28   1
SMURF attack            89.136.20.64      82.44.75.97       2008/11/19 16:20:56   2008/11/19 16:20:58   2
TCP SYN FLOOD attack    172.21.21.34      82.44.75.97       2008/11/19 16:19:29   2008/11/19 16:19:29   1
TCP SYN FLOOD attack    172.21.34.1       82.44.75.97       2008/11/19 16:04:28   2008/11/19 16:04:28   1
SMURF attack            88.158.221.80     82.44.75.97       2008/11/19 15:56:04   2008/11/19 15:56:07   2
SMURF attack            66.160.215.201    82.44.75.97       2008/11/19 15:51:38   2008/11/19 15:51:40   2
TCP SYN FLOOD attack    172.21.105.2      82.44.75.97       2008/11/19 15:49:28   2008/11/19 15:49:28   1
TCP SYN FLOOD attack    172.21.235.7      82.44.75.97       2008/11/19 15:34:29   2008/11/19 15:34:29   1
TCP SYN FLOOD attack    172.21.235.4      82.44.75.97       2008/11/19 15:19:30   2008/11/19 15:19:30   1
TCP SYN FLOOD attack    172.21.22.6       82.44.75.97       2008/11/19 15:04:29   2008/11/19 16:49:27   2
TCP SYN FLOOD attack    64.233.183.111    82.44.75.97       2008/11/19 14:58:39   2008/11/19 14:58:39   1
TCP SYN FLOOD attack    172.21.237.9      82.44.75.97       2008/11/19 14:49:33   2008/11/19 14:49:33   1
TCP SYN FLOOD attack    172.21.22.5       82.44.75.97       2008/11/19 14:34:29   2008/11/19 14:34:29   1
TCP SYN FLOOD attack    123.129.255.227   82.44.75.97       2008/11/19 14:15:09   2008/11/19 15:19:30   2
TCP SYN FLOOD attack    125.76.244.59     82.44.75.97       2008/11/19 14:13:10   2008/11/19 15:17:31   2
TCP SYN FLOOD attack    172.21.34.6       82.44.75.97       2008/11/19 14:04:29   2008/11/19 14:04:29   1
TCP SYN FLOOD attack    172.21.21.32      82.44.75.97       2008/11/19 13:49:30   2008/11/19 13:49:30   1
TCP SYN FLOOD attack    172.21.237.10     82.44.75.97       2008/11/19 13:34:31   2008/11/19 13:34:31   1
TCP SYN FLOOD attack    172.21.21.31      82.44.75.97       2008/11/19 13:19:30   2008/11/19 17:19:29   3
NMAP port scan          207.123.61.126    82.44.75.97       2008/11/19 13:10:42   2008/11/19 13:11:10   2
TCP SYN FLOOD attack    172.21.233.4      82.44.75.97       2008/11/19 13:04:29   2008/11/19 13:04:29   1
TCP SYN FLOOD attack    172.21.231.25     82.44.75.97       2008/11/19 12:49:31   2008/11/19 12:49:31   1
TCP SYN FLOOD attack    172.21.137.5      82.44.75.97       2008/11/19 12:45:00   2008/11/19 12:45:00   1
TCP SYN FLOOD attack    172.21.237.7      82.44.75.97       2008/11/19 12:31:47   2008/11/19 14:19:29   2
SMURF attack            218.48.9.23       82.44.75.97       2008/11/19 12:17:27   2008/11/19 12:17:30   2
NMAP port scan          87.248.114.173    82.44.75.97       2008/11/19 12:06:16   2008/11/19 12:10:01   6
TCP SYN FLOOD attack    87.248.114.173    82.44.75.97       2008/11/19 12:00:38   2008/11/19 14:52:59   30
IP SPOOFING attack      10.88.0.1         255.255.255.255   2008/11/19 11:45:13   2008/11/19 17:25:39   1586
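A defender's way to triage a log like this, as an added example that is not from the post or from the router vendor: it parses the router's three-line entries and flags alarms whose source is in RFC 1918 space (not routable from the public internet, so it must originate on the ISP side of the cable modem) or whose destination is the 255.255.255.255 limited broadcast address; reading the 10.88.0.1 entry as DHCP-style broadcast traffic is an assumption, and all function names are the example's own.

```python
import ipaddress
from datetime import datetime

# Constructed sample: three entries copied in the router's own three-line format.
SAMPLE_LOG = """\
TCP SYN FLOOD attack
172.21.231.24 82.44.75.97 2008/11/19 17:04:26 - 2008/11/19 17:04:26
1
SMURF attack
89.136.20.64 82.44.75.97 2008/11/19 16:20:56 - 2008/11/19 16:20:58
2
IP SPOOFING attack
10.88.0.1 255.255.255.255 2008/11/19 11:45:13 - 2008/11/19 17:25:39
1586
"""
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
TIME_FMT = "%Y/%m/%d %H:%M:%S"

def parse_log(text):
    """Each alarm is three lines: type / 'src dst start - end' / hit count."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    for i in range(0, len(lines) - 2, 3):
        src, dst, d1, t1, _, d2, t2 = lines[i + 1].split()
        events.append({"type": lines[i], "count": int(lines[i + 2]),
                       "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                       "start": datetime.strptime(f"{d1} {t1}", TIME_FMT),
                       "end": datetime.strptime(f"{d2} {t2}", TIME_FMT)})
    return events

def flags(ev):
    """Reasons an alarm is unlikely to be an attack arriving from the public internet:
    RFC 1918 sources (10/8, 172.16/12) are not routed across the internet, so they
    originate on the ISP side of the cable modem; a 255.255.255.255 destination is
    limited broadcast, as used by DHCP discovery (an interpretation, not from the post)."""
    out = []
    if ev["src"].is_private:
        out.append("private-source")
    if ev["dst"] == LIMITED_BROADCAST:
        out.append("broadcast-destination")
    return out

def rate_per_hour(ev):
    """Hits per hour over the alarm window (minimum 1 s so single hits don't divide by 0)."""
    seconds = max((ev["end"] - ev["start"]).total_seconds(), 1.0)
    return ev["count"] * 3600 / seconds
```

Run over the full table, the 1586-hit spoofing alarm works out to under 300 hits per hour, a steady trickle rather than a flood, and every SYN flood source in 172.21.x.x carries the private-source flag.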