Old 08-23-2012, 05:22 PM   #1
Choofers
Belkin router showing UDP Flood, loop, TCP FIN Scans

I've done a bit of research on my own about this; apparently this is a form of DDoS attack. I've tried putting up a firewall and tweaking some settings on the router, but to no avail. I thought it was just my computer having the issue, but my brother's iPad is also showing up in the security logs.

Code:
08/23/2012 15:10:25	**UDP Flood to Host** 68.149.137.211, 36020->> 192.168.2.60, 26827 (from WAN Inbound)
08/23/2012 14:35:34	**UDP Loop** 109.200.206.189, 58473->> 68.224.31.31, 19 (from WAN Inbound)
08/23/2012 11:13:06	**TCP FIN Scan** 192.168.2.2, 56433->> 24.234.21.98, 80 (from WAN Outbound)
08/23/2012 11:13:06	**TCP FIN Scan** 192.168.2.2, 56399->> 24.234.21.82, 80 (from WAN Outbound)
08/23/2012 11:05:58	**TCP FIN Scan** 192.168.2.2, 56193->> 74.125.239.9, 80 (from WAN Outbound)
08/23/2012 11:05:58	**TCP FIN Scan** 192.168.2.2, 56090->> 50.16.242.182, 80 (from WAN Outbound)
08/23/2012 11:05:58	**TCP FIN Scan** 192.168.2.2, 56093->> 204.11.109.63, 80 (from WAN Outbound)
08/23/2012 11:05:58	**TCP FIN Scan** 192.168.2.2, 56107->> 74.125.239.4, 80 (from WAN Outbound)
08/23/2012 11:05:58	**TCP FIN Scan** 192.168.2.2, 56088->> 72.21.81.253, 80 (from WAN Outbound)
08/23/2012 10:56:02	**TCP FIN Scan** 192.168.2.2, 55859->> 184.169.77.33, 80 (from WAN Outbound)
08/23/2012 10:56:02	**TCP FIN Scan** 192.168.2.2, 55871->> 205.251.203.119, 80 (from WAN Outbound)
08/23/2012 10:56:02	**TCP FIN Scan** 192.168.2.2, 55875->> 205.251.203.154, 80 (from WAN Outbound)
08/23/2012 10:56:02	**TCP FIN Scan** 192.168.2.2, 55880->> 91.201.200.10, 80 (from WAN Outbound)
08/23/2012 10:55:14	**TCP FIN Scan** 192.168.2.2, 55834->> 23.21.166.65, 80 (from WAN Outbound)
08/23/2012 10:55:14	**TCP FIN Scan** 192.168.2.2, 55835->> 50.19.90.148, 80 (from WAN Outbound)
08/23/2012 10:55:14	**TCP FIN Scan** 192.168.2.2, 55841->> 205.251.203.144, 80 (from WAN Outbound)
08/23/2012 10:55:14	**TCP FIN Scan** 192.168.2.2, 55843->> 205.251.203.37, 80 (from WAN Outbound)
08/23/2012 10:55:14	**TCP FIN Scan** 192.168.2.2, 55845->> 2.17.159.144, 80 (from WAN Outbound)
08/23/2012 10:46:32	**TCP SYN,FIN Scan** 192.168.2.2, 55633->> 78.141.179.13, 12350 (from WAN Outbound)
08/23/2012 10:40:56	**TCP SYN,FIN Scan** 192.168.2.2, 55633->> 78.141.179.13, 12350 (from WAN Outbound)
Could this be malware related? Should I get a new router? Should I do a clean install on my computer?
Old 08-23-2012, 07:10 PM   #2
PsYcHoZeRoSk8eR
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

Based on the little information that you have given, it could be the result of a DDoS Trojan. I'd honestly need to see more logs and know more about your current network topology. Is there any chance that you could run a packet capture while this is going on? It would provide a lot more information, specifically after disconnecting and then reconnecting to your network. Also, is there any way that you could turn up the logging? From what you've posted there is barely enough for very detailed analysis.

Also, is this activity currently ongoing, or does it occur at seemingly random times? If it's consistently ongoing, then there is most certainly a problem. This might sound stupid, but have you tried turning everything (entire network) off for a little while to see if the problem persists? Not something that I would normally prescribe, but in a small enough home network it might be useful to see where/when this activity is occurring. I would also run a rootkit/malware scanner to see if that pulls anything on your device.

TL;DR
-If you can, I'd like to get more logs, and preferably a pcap of that activity.
-Possibly related to malware, without more information I can't claim one way or another
-Getting a new router seems like a stretch at this point, but it might not be a bad idea to flash it later if the problem persists
-As of right now, I see no reason to do a clean install. Realistically, there is a chance that it would fix the problem, however without knowing what went wrong you could easily fall victim to the same problem in the future. I'd suggest holding off until you get some more information.
Old 08-23-2012, 07:11 PM   #3
prefx
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

Def looks like a DDoS from the range differences; also, since those appear to be incoming and not outgoing, it looks like you're being specifically targeted rather than being an outputter into a botnet as most trojans or malware do. If you'd like, I'll look into getting you the info you need to set up mitigatory nodes. Also, I do know what I'm talking about as I used to be community manager over the rank #2 Maplestory private server. If you're interested please PM me as I don't wanna be too public with the availability of my Anti-DDoS tech.

Those are also some curiously weak ass incoming pings, I've dealt with upwards of 30,000 per second.
Old 08-23-2012, 07:44 PM   #4
Choofers
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

Quote:
Originally Posted by PsYcHoZeRoSk8eR
Based on the little information that you have given, it could be the result of a DDoS Trojan. I'd honestly need to see more logs and know more about your current network topology. Is there any chance that you could run a packet capture while this is going on? It would provide a lot more information, specifically after disconnecting and then reconnecting to your network. Also, is there any way that you could turn up the logging? From what you've posted there is barely enough for very detailed analysis.
All the home network is, is a wireless router hooked up directly to the modem. It's password protected.

I actually have Wireshark downloaded for packet capturing, but I haven't used it. Lemme boot that up and get it working.

Unfortunately, there's no way to increase logging. I saved the log to a text file, this is what it contains (not much else than what I already posted). It only shows the most recent stuff it seems.
Code:
08/23/2012  17:27:23 sending OFFER to 192.168.2.3
08/23/2012  17:25:53 sending ACK to 192.168.2.60
08/23/2012  17:25:52 sending ACK to 192.168.2.18
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56675->> 208.81.191.110, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56523->> 208.81.191.113, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56645->> 64.212.100.99, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56673->> 64.212.100.102, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56669->> 68.142.93.133, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56686->> 208.81.191.111, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56657->> 173.194.69.102, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56661->> 93.184.220.39, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56247->> 31.13.77.58, 443 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56277->> 31.13.77.42, 443 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56624->> 208.81.191.110, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56594->> 173.194.69.95, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56583->> 173.194.69.139, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56588->> 81.31.99.13, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56596->> 192.221.106.126, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56226->> 69.171.247.37, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56600->> 204.9.163.163, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56562->> 96.30.8.143, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56603->> 199.93.52.126, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56607->> 204.160.107.126, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56617->> 93.184.220.79, 80 (from WAN Outbound)
08/23/2012  17:01:43 **TCP FIN Scan** 192.168.2.60, 56569->> 93.184.221.133, 80 (from WAN Outbound)
08/23/2012  17:01:43 **TCP FIN Scan** 192.168.2.60, 56573->> 69.63.189.70, 80 (from WAN Outbound)
08/23/2012  17:01:43 **TCP FIN Scan** 192.168.2.60, 56586->> 207.171.163.162, 80 (from WAN Outbound)
08/23/2012  16:55:37 DHCP Client: [WAN]Receive Ack from 172.19.41.16,Lease time=86400
08/23/2012  16:55:37 DHCP Client: [WAN]Domain name = lv.cox.net
08/23/2012  16:55:37 DHCP Client: [WAN]Send Request, Request IP=68.224.31.31
08/23/2012  16:55:37 DHCP Client: [WAN]Receive Offer from 172.19.41.16
08/23/2012  16:55:37 DHCP Client: [WAN]Domain name = lv.cox.net
08/23/2012  16:55:36 DHCP Client: [WAN]Send Discover
08/23/2012  16:55:34 DHCP Client: [WAN]Send Release
08/23/2012  16:53:53 **TCP FIN Scan** 192.168.2.60, 55956->> 173.194.69.18, 80 (from WAN Outbound)
08/23/2012  16:53:53 **TCP FIN Scan** 192.168.2.60, 55963->> 173.194.69.138, 80 (from WAN Outbound)
08/23/2012  16:53:53 **TCP FIN Scan** 192.168.2.60, 55965->> 173.194.69.100, 80 (from WAN Outbound)
08/23/2012  16:52:08 192.168.2.60 login success
08/23/2012  16:52:03 User from 192.168.2.60 timed out
08/23/2012  16:51:54 sending ACK to 192.168.2.60
08/23/2012  16:25:15 192.168.2.60 login success
08/23/2012  16:19:33 sending ACK to 192.168.2.2
08/23/2012  16:17:48 NTP Date/Time updated.
08/23/2012  16:17:25 sending ACK to 192.168.2.60
08/23/2012  16:17:23 DHCP Client: [WAN]Receive Ack from 172.19.41.16,Lease time=86400
08/23/2012  16:17:23 DHCP Client: [WAN]Domain name = lv.cox.net
08/23/2012  16:17:23 DHCP Client: [WAN]Send Request, Request IP=68.224.31.31
08/23/2012  16:17:23 DHCP Client: [WAN]Receive Offer from 172.19.41.16
08/23/2012  16:17:23 DHCP Client: [WAN]Domain name = lv.cox.net
08/23/2012  16:17:23 DHCP Client: [WAN]Send Discover
08/23/2012  16:17:21 DHCP Client: [WAN]Send Discover
08/23/2012  16:17:19 DHCP Client: [WAN]Send Discover
08/23/2012  16:17:17 DHCP Client: [WAN]Send Discover
Quote:
Also, is this activity currently ongoing, or does it occur at seemingly random times? If it's consistently ongoing, then there is most certainly a problem. This might sound stupid, but have you tried turning everything (entire network) off for a little while to see if the problem persists? Not something that I would normally prescribe, but in a small enough home network it might be useful to see where/when this activity is occurring. I would also run a rootkit/malware scanner to see if that pulls anything on your device.
It happens at seemingly random times; the last time it occurred was at 17:02:04. I'll keep checking for when it starts again. I've tried powering down both the router and modem, which didn't do anything.


@prefx: Alright, I'll send you a pm in a bit.
Old 08-23-2012, 07:47 PM   #5
Choofers
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

Ok, I have Wireshark up and running. What specifically am I looking for?
Old 08-23-2012, 08:13 PM   #6
Choofers
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

TCP FIN scan just popped up again on my router security log, now I'm getting packets that look like:

19544 954.368086000 192.168.2.60 64.212.100.116 TCP 54 60687 > https [FIN, ACK] Seq=292 Ack=184 Win=65516 Len=0
Old 08-23-2012, 09:47 PM   #7
PsYcHoZeRoSk8eR
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

Currently at work, I'll have a look when I get home in the morning.

As for what I'm looking for, just grab everything; I'll cut it down as needed on my end. Just grab about a minute or so whenever it's going on, and, if possible, have a capture going when it starts to see if there is anything there. I realize that if this is seemingly random, this probably won't happen, but this is ideally what I'm looking for.

Also, based on the new information from the thread, it's looking less like an infection/malware, but I won't rule it out yet.
Old 08-23-2012, 11:22 PM   #8
ELRayford
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

Just Googled a few things and it doesn't seem to be much of a problem.

Outbounds are associated with your browsing. You should also verify which internal IP address is your computer and which is the iPad (192.168.2.2 and .2.60).

The inbounds could be that someone on the outside is probing your system, usually hackers scanning all IP addresses for a vulnerable machine. If your router and firewall are set up ok, you can ignore it, as they probably got no reply from your system.

Give this post a read.

http://www.oliv3r.net/forums/showthr...285#post295285

If you run any peer-to-peer apps this could be the issue as well. That 50,000+ port range is normally used by torrent clients. Are you losing connection or bandwidth?

I would update the firmware on your router, update Windows, verify the firewall is working and then run a Malwarebytes full scan to be safe.
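As an added example (not from anyone in this thread), a small parser for the Belkin log format posted above that applies the triage in this post: outbound FIN entries to ports 80/443 are a LAN host closing ordinary HTTP(S) connections, inbound entries are unsolicited WAN traffic to check against the firewall, and anything else is flagged for a closer look at which LAN host produced it. The sample lines are copied from the logs posted earlier in the thread; the class labels are my own.

```python
import re
from collections import Counter

# Belkin security-log format as posted in this thread (DHCP/NTP/login lines do not match):
#   MM/DD/YYYY HH:MM:SS **<Event>** <src>, <sport>->> <dst>, <dport> (from WAN <Inbound|Outbound>)
LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\*\*(?P<event>[^*]+)\*\*\s+(?P<src>[\d.]+),\s*(?P<sport>\d+)->>\s*"
    r"(?P<dst>[\d.]+),\s*(?P<dport>\d+)\s+\(from WAN (?P<direction>Inbound|Outbound)\)"
)
WEB_PORTS = {80, 443}  # HTTP/HTTPS destination ports that ordinary browsing produces

def parse_line(line):
    """Return a dict for a security-event line, or None for any other log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e

def triage(e):
    """Classify one event the way this post reasons (class names are my own)."""
    if e["direction"] == "Outbound" and "FIN" in e["event"] and e["dport"] in WEB_PORTS:
        # LAN host (src) closing an HTTP(S) connection to a web server (dst);
        # the 5xxxx value is the host's ephemeral source port. Browsing noise.
        return "browsing-teardown"
    if e["direction"] == "Inbound":
        # Unsolicited WAN traffic: a probe. Fine if the firewall dropped it.
        return "external-probe"
    # e.g. outbound SYN,FIN to a non-web port: find the LAN host/app behind it.
    return "review"

def summarize(lines):
    """Event counts per class, plus which LAN hosts generate outbound events."""
    events = [e for e in map(parse_line, lines) if e]
    by_class = Counter(triage(e) for e in events)
    lan_hosts = Counter(e["src"] for e in events if e["direction"] == "Outbound")
    return by_class, lan_hosts

# Sample input: lines copied from the router logs posted earlier in this thread.
SAMPLE = [
    "08/23/2012 15:10:25 **UDP Flood to Host** 68.149.137.211, 36020->> 192.168.2.60, 26827 (from WAN Inbound)",
    "08/23/2012 14:35:34 **UDP Loop** 109.200.206.189, 58473->> 68.224.31.31, 19 (from WAN Inbound)",
    "08/23/2012 11:13:06 **TCP FIN Scan** 192.168.2.2, 56433->> 24.234.21.98, 80 (from WAN Outbound)",
    "08/23/2012 10:46:32 **TCP SYN,FIN Scan** 192.168.2.2, 55633->> 78.141.179.13, 12350 (from WAN Outbound)",
    "08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56247->> 31.13.77.58, 443 (from WAN Outbound)",
    "08/23/2012 16:55:37 DHCP Client: [WAN]Receive Ack from 172.19.41.16,Lease time=86400",
]

if __name__ == "__main__":
    classes, hosts = summarize(SAMPLE)
    for label, n in sorted(classes.items()):
        print(f"{label:18} {n}")
    print("outbound events per LAN host:", dict(hosts))
```

Feeding the full saved log through summarize() shows at a glance whether the outbound events all come from one LAN host and whether anything falls outside the browsing-teardown bucket.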
Old 08-24-2012, 12:09 AM   #9
Choofers
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

So I had my mom bring over a router that I bought about a year ago, a Netgear N300. Set that up, and my issues went away. However, I will still be monitoring logs and packet capturing for the next day or so.
Old 08-24-2012, 01:35 PM   #10
ELRayford
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

Quote:
Originally Posted by Choofers
So I had my mom bring over a router that I bought about a year ago, a Netgear N300. Set that up, and my issues went away. However, I will still be monitoring logs and packet capturing for the next day or so.
The Netgear has the suspected ports closed on it, or it doesn't flag those connections as FIN/loop/floods.
Old 08-24-2012, 07:27 PM   #11
Calcium Deposit
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

Cool, I can see all the websites Choofers has visited (those outgoing addresses which are seemingly random are websites; you might want to edit those out if there's anything "sensitive").

You can tell they're websites because they are all HTTP (port 80).

amazon's storage thingy
meebo
facebook
Old 08-24-2012, 07:39 PM   #12
Choofers
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

Amazon is from clicking on a link from Skype. Meebo is the chatbar on Gaia Online. Facebook is Facebook.
Old 08-24-2012, 07:46 PM   #13
Calcium Deposit
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

I would honestly say that nothing is amiss, unless a specific log entry that hasn't caught my eye yet is concerning you.

Unless of course your network speed was affected, but nothing in the logs posted would indicate why it would be.


If it makes you feel safer, I'm CompTIA A+ certified.

Last edited by Calcium Deposit; 08-24-2012 at 07:52 PM..
All times are GMT -5. The time now is 09:33 PM.