08-23-2012, 05:22 PM | #1
FFR Player
Join Date: Dec 2008
Age: 33
Posts: 6,205
Belkin router showing UDP Flood, loop, TCP FIN Scans
I've done a bit of research on my own about this, apparently this is a form of DDoS attack. I've tried putting up a firewall, tweaking some settings on the router, but to no avail. I thought it was just my computer having the issue, but my brother's iPad is also showing up in the security logs.
Code:
08/23/2012 15:10:25 **UDP Flood to Host** 68.149.137.211, 36020->> 192.168.2.60, 26827 (from WAN Inbound)
08/23/2012 14:35:34 **UDP Loop** 109.200.206.189, 58473->> 68.224.31.31, 19 (from WAN Inbound)
08/23/2012 11:13:06 **TCP FIN Scan** 192.168.2.2, 56433->> 24.234.21.98, 80 (from WAN Outbound)
08/23/2012 11:13:06 **TCP FIN Scan** 192.168.2.2, 56399->> 24.234.21.82, 80 (from WAN Outbound)
08/23/2012 11:05:58 **TCP FIN Scan** 192.168.2.2, 56193->> 74.125.239.9, 80 (from WAN Outbound)
08/23/2012 11:05:58 **TCP FIN Scan** 192.168.2.2, 56090->> 50.16.242.182, 80 (from WAN Outbound)
08/23/2012 11:05:58 **TCP FIN Scan** 192.168.2.2, 56093->> 204.11.109.63, 80 (from WAN Outbound)
08/23/2012 11:05:58 **TCP FIN Scan** 192.168.2.2, 56107->> 74.125.239.4, 80 (from WAN Outbound)
08/23/2012 11:05:58 **TCP FIN Scan** 192.168.2.2, 56088->> 72.21.81.253, 80 (from WAN Outbound)
08/23/2012 10:56:02 **TCP FIN Scan** 192.168.2.2, 55859->> 184.169.77.33, 80 (from WAN Outbound)
08/23/2012 10:56:02 **TCP FIN Scan** 192.168.2.2, 55871->> 205.251.203.119, 80 (from WAN Outbound)
08/23/2012 10:56:02 **TCP FIN Scan** 192.168.2.2, 55875->> 205.251.203.154, 80 (from WAN Outbound)
08/23/2012 10:56:02 **TCP FIN Scan** 192.168.2.2, 55880->> 91.201.200.10, 80 (from WAN Outbound)
08/23/2012 10:55:14 **TCP FIN Scan** 192.168.2.2, 55834->> 23.21.166.65, 80 (from WAN Outbound)
08/23/2012 10:55:14 **TCP FIN Scan** 192.168.2.2, 55835->> 50.19.90.148, 80 (from WAN Outbound)
08/23/2012 10:55:14 **TCP FIN Scan** 192.168.2.2, 55841->> 205.251.203.144, 80 (from WAN Outbound)
08/23/2012 10:55:14 **TCP FIN Scan** 192.168.2.2, 55843->> 205.251.203.37, 80 (from WAN Outbound)
08/23/2012 10:55:14 **TCP FIN Scan** 192.168.2.2, 55845->> 2.17.159.144, 80 (from WAN Outbound)
08/23/2012 10:46:32 **TCP SYN,FIN Scan** 192.168.2.2, 55633->> 78.141.179.13, 12350 (from WAN Outbound)
08/23/2012 10:40:56 **TCP SYN,FIN Scan** 192.168.2.2, 55633->> 78.141.179.13, 12350 (from WAN Outbound)
08-23-2012, 07:10 PM | #2
Network Security Analyst
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans
Based on the little information that you have given, it could be the result of a DDoS Trojan. I'd honestly need to see more logs and know more about your current network topology. Is there any chance that you could run a packet capture while this is going on? It would provide a lot more information, specifically after disconnecting and then reconnecting to your network. Also, is there any way that you could turn up the logging? From what you've posted, there is barely enough for very detailed analysis.
Also, is this activity currently ongoing, or does it occur at seemingly random times? If it's consistently ongoing, then there is most certainly a problem. This might sound stupid, but have you tried turning everything (entire network) off for a little while to see if the problem persists? Not something that I would normally prescribe, but in a small enough home network it might be useful to see where/when this activity is occurring. I would also run a rootkit/malware scanner to see if that pulls anything on your device.
TL;DR
- If you can, I'd like to get more logs, and preferably a pcap of that activity.
- Possibly related to malware; without more information I can't claim one way or another.
- Getting a new router seems like a stretch at this point, but it might not be a bad idea to flash it later if the problem persists.
- As of right now, I see no reason to do a clean install. Realistically, there is a chance that it would fix the problem; however, without knowing what went wrong you could easily fall victim to the same problem in the future. I'd suggest holding off until you get some more information.
08-23-2012, 07:11 PM | #3
FFR Player
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans
Def looks like a DDoS from the range differences; as well, since those appear to be incoming and not outgoing, it looks like you're being specifically targeted rather than being an outputter into a botnet as most trojans or malware do. If you'd like, I'll look into getting you the info you need to set up mitigatory nodes. Also, I do know what I'm talking about, as I used to be community manager over the rank #2 Maplestory private server. If you're interested please PM me, as I don't wanna be too public with the availability of my Anti-DDoS tech.
Those are also some curiously weak ass incoming pings; I've dealt with upwards of 30,000 per second.
08-23-2012, 07:44 PM | #4
FFR Player
Join Date: Dec 2008
Age: 33
Posts: 6,205
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans
I actually have wireshark downloaded for packet capturing, but I haven't used it. Lemme boot that up and get it working. Unfortunately, there's no way to increase logging. I saved the log to a text file, this is what it contains (not much else than what I already posted). It only shows the most recent stuff it seems.
Code:
08/23/2012 17:27:23 sending OFFER to 192.168.2.3
08/23/2012 17:25:53 sending ACK to 192.168.2.60
08/23/2012 17:25:52 sending ACK to 192.168.2.18
08/23/2012 17:02:04 **TCP FIN Scan** 192.168.2.60, 56675->> 208.81.191.110, 80 (from WAN Outbound)
08/23/2012 17:02:04 **TCP FIN Scan** 192.168.2.60, 56523->> 208.81.191.113, 80 (from WAN Outbound)
08/23/2012 17:02:04 **TCP FIN Scan** 192.168.2.60, 56645->> 64.212.100.99, 80 (from WAN Outbound)
08/23/2012 17:02:04 **TCP FIN Scan** 192.168.2.60, 56673->> 64.212.100.102, 80 (from WAN Outbound)
08/23/2012 17:02:04 **TCP FIN Scan** 192.168.2.60, 56669->> 68.142.93.133, 80 (from WAN Outbound)
08/23/2012 17:02:04 **TCP FIN Scan** 192.168.2.60, 56686->> 208.81.191.111, 80 (from WAN Outbound)
08/23/2012 17:02:04 **TCP FIN Scan** 192.168.2.60, 56657->> 173.194.69.102, 80 (from WAN Outbound)
08/23/2012 17:02:04 **TCP FIN Scan** 192.168.2.60, 56661->> 93.184.220.39, 80 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56247->> 31.13.77.58, 443 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56277->> 31.13.77.42, 443 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56624->> 208.81.191.110, 80 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56594->> 173.194.69.95, 80 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56583->> 173.194.69.139, 80 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56588->> 81.31.99.13, 80 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56596->> 192.221.106.126, 80 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56226->> 69.171.247.37, 80 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56600->> 204.9.163.163, 80 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56562->> 96.30.8.143, 80 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56603->> 199.93.52.126, 80 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56607->> 204.160.107.126, 80 (from WAN Outbound)
08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56617->> 93.184.220.79, 80 (from WAN Outbound)
08/23/2012 17:01:43 **TCP FIN Scan** 192.168.2.60, 56569->> 93.184.221.133, 80 (from WAN Outbound)
08/23/2012 17:01:43 **TCP FIN Scan** 192.168.2.60, 56573->> 69.63.189.70, 80 (from WAN Outbound)
08/23/2012 17:01:43 **TCP FIN Scan** 192.168.2.60, 56586->> 207.171.163.162, 80 (from WAN Outbound)
08/23/2012 16:55:37 DHCP Client: [WAN]Receive Ack from 172.19.41.16,Lease time=86400
08/23/2012 16:55:37 DHCP Client: [WAN]Domain name = lv.cox.net
08/23/2012 16:55:37 DHCP Client: [WAN]Send Request, Request IP=68.224.31.31
08/23/2012 16:55:37 DHCP Client: [WAN]Receive Offer from 172.19.41.16
08/23/2012 16:55:37 DHCP Client: [WAN]Domain name = lv.cox.net
08/23/2012 16:55:36 DHCP Client: [WAN]Send Discover
08/23/2012 16:55:34 DHCP Client: [WAN]Send Release
08/23/2012 16:53:53 **TCP FIN Scan** 192.168.2.60, 55956->> 173.194.69.18, 80 (from WAN Outbound)
08/23/2012 16:53:53 **TCP FIN Scan** 192.168.2.60, 55963->> 173.194.69.138, 80 (from WAN Outbound)
08/23/2012 16:53:53 **TCP FIN Scan** 192.168.2.60, 55965->> 173.194.69.100, 80 (from WAN Outbound)
08/23/2012 16:52:08 192.168.2.60 login success
08/23/2012 16:52:03 User from 192.168.2.60 timed out
08/23/2012 16:51:54 sending ACK to 192.168.2.60
08/23/2012 16:25:15 192.168.2.60 login success
08/23/2012 16:19:33 sending ACK to 192.168.2.2
08/23/2012 16:17:48 NTP Date/Time updated.
08/23/2012 16:17:25 sending ACK to 192.168.2.60
08/23/2012 16:17:23 DHCP Client: [WAN]Receive Ack from 172.19.41.16,Lease time=86400
08/23/2012 16:17:23 DHCP Client: [WAN]Domain name = lv.cox.net
08/23/2012 16:17:23 DHCP Client: [WAN]Send Request, Request IP=68.224.31.31
08/23/2012 16:17:23 DHCP Client: [WAN]Receive Offer from 172.19.41.16
08/23/2012 16:17:23 DHCP Client: [WAN]Domain name = lv.cox.net
08/23/2012 16:17:23 DHCP Client: [WAN]Send Discover
08/23/2012 16:17:21 DHCP Client: [WAN]Send Discover
08/23/2012 16:17:19 DHCP Client: [WAN]Send Discover
08/23/2012 16:17:17 DHCP Client: [WAN]Send Discover
@prefx: Alright, I'll send you a pm in a bit.
08-23-2012, 07:47 PM | #5
FFR Player
Join Date: Dec 2008
Age: 33
Posts: 6,205
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans
Ok, I have wireshark up and running. What specifically am I looking for?
08-23-2012, 08:13 PM | #6
FFR Player
Join Date: Dec 2008
Age: 33
Posts: 6,205
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans
TCP FIN scan just popped up again on my router security log, now I'm getting packets that look like:
19544 954.368086000 192.168.2.60 64.212.100.116 TCP 54 60687 > https [FIN, ACK] Seq=292 Ack=184 Win=65516 Len=0
08-23-2012, 09:47 PM | #7
Network Security Analyst
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans
Currently at work, I'll have a look when I get home in the morning.
As for what I'm looking for, just grab everything; I'll cut it down as needed on my end. Just grab about a minute or so whenever it's going on, and if possible have a capture going when it starts to see if there is anything there. I realize that if this is seemingly random, this probably won't happen, but this is ideally what I'm looking for. Also, based on the new information from the thread, it's looking less like an infection/malware, but I won't rule it out yet.
08-23-2012, 11:22 PM | #8
Custom User Title
Join Date: May 2004
Age: 39
Posts: 1,546
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans
Just Googled a few things and it doesn't seem to be much of a problem.
Outbounds are associated with your browsing. You should also verify which internal IP address is your computer and which is the iPad (192.168.2.2 and .2.60).
The inbounds could be that someone on the outside is probing your system, usually hackers scanning all IP addresses for a vulnerable machine. If your router and firewall are set up OK, you can ignore it, as they probably got no reply from your system. Give this post a read: http://www.oliv3r.net/forums/showthr...285#post295285
If you run any peer to peer apps this could be the issue as well. That 50,000+ port range is normally used by torrent clients. Are you losing connection or bandwidth?
I would update the firmware on your router, update Windows, verify the firewall is working and then run a Malwarebytes full scan to be safe.
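As an added example (not code from anyone in this thread), here is a small Python parser for the Belkin log lines posted above that applies the rule of thumb from this post: outbound hits to 80/443 from a LAN address are the browser closing connections, inbound hits are unsolicited WAN traffic the router drops, and anything else outbound deserves a look at which process owns it. The category names and the regex are my own; the sample lines are copied from the log above.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Belkin alert shape from the thread: 08/23/2012 11:13:06 **TCP FIN Scan** 192.168.2.2, 56433->> 24.234.21.98, 80 (from WAN Outbound)
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \*\*(?P<event>[^*]+)\*\* "
    r"(?P<src>[\d.]+), (?P<sport>\d+)->> (?P<dst>[\d.]+), (?P<dport>\d+) "
    r"\(from WAN (?P<dir>Inbound|Outbound)\)$"
)
WEB_PORTS = {80, 443}  # HTTP/HTTPS: outbound FINs here are browser sessions closing

def parse_alert(line):
    """Parse one alert line; returns None for DHCP/NTP/login lines, which are not alerts."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e

def triage(e):
    """Rule of thumb from the thread (category names are mine):
    inbound = unsolicited WAN traffic, dropped unless a port is forwarded;
    outbound to 80/443 from a LAN address = browsing; other outbound = find the owning process."""
    if e["dir"] == "Inbound":
        return "inbound-probe"
    if e["dport"] in WEB_PORTS and ip_address(e["src"]).is_private:
        return "browsing"
    return "outbound-other"

def summarize(lines):
    """Count alerts per (local host, category); local host is src for outbound, dst for inbound."""
    counts = Counter()
    for line in lines:
        e = parse_alert(line)
        if e is not None:
            host = e["src"] if e["dir"] == "Outbound" else e["dst"]
            counts[(host, triage(e))] += 1
    return counts

# Sample input: lines copied from the router log posted above, plus one DHCP line as noise.
SAMPLE = [
    "08/23/2012 15:10:25 **UDP Flood to Host** 68.149.137.211, 36020->> 192.168.2.60, 26827 (from WAN Inbound)",
    "08/23/2012 11:13:06 **TCP FIN Scan** 192.168.2.2, 56433->> 24.234.21.98, 80 (from WAN Outbound)",
    "08/23/2012 17:01:44 **TCP FIN Scan** 192.168.2.60, 56247->> 31.13.77.58, 443 (from WAN Outbound)",
    "08/23/2012 10:46:32 **TCP SYN,FIN Scan** 192.168.2.2, 55633->> 78.141.179.13, 12350 (from WAN Outbound)",
    "08/23/2012 16:55:37 DHCP Client: [WAN]Send Discover",
]
```

Feed `summarize()` the saved log text file line by line and the per-host counts show at a glance which internal address generated the web-port FINs and whether anything outbound went to a non-web port.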
08-24-2012, 12:09 AM | #9
FFR Player
Join Date: Dec 2008
Age: 33
Posts: 6,205
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans
So I had my mom bring over a router that I bought about a year ago, a Netgear N300. Set that up, and my issues went away. However, I will still be monitoring logs and packet capturing for the next day or so.
08-24-2012, 01:35 PM | #10
Custom User Title
Join Date: May 2004
Age: 39
Posts: 1,546
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans
The Netgear has the suspected ports closed on it, or it doesn't flag those connections as FIN/loop/floods.
08-24-2012, 07:27 PM | #11
I am the liquor
Join Date: May 2007
Location: Where ever evil lurks
Age: 34
Posts: 706
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans
Cool, I can see all the websites choofers has visited (those outgoing addresses which are seemingly random are websites; might want to edit those out if there's anything "sensitive").
You can tell they're websites because they are all HTTP (port 80):
- Amazon's storage thingy
- Meebo
08-24-2012, 07:39 PM | #12
FFR Player
Join Date: Dec 2008
Age: 33
Posts: 6,205
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans
Amazon is from clicking on a link from skype. Meebo is the chatbar on gaiaonline. Facebook is facebook.
08-24-2012, 07:46 PM | #13
I am the liquor
Join Date: May 2007
Location: Where ever evil lurks
Age: 34
Posts: 706
Re: Belkin router showing UDP Flood, loop, TCP FIN Scans
I would honestly say that nothing is amiss, unless a specific log entry that hasn't caught my eye yet is concerning you.
Unless of course your network speed was affected, but nothing in the logs posted would indicate why it would be. If it makes you feel safer, I'm CompTIA A+ certified.
Last edited by Calcium Deposit; 08-24-2012 at 07:52 PM.