
Attempted hacking????

Immortality

Can't live without smoky bacon!
Staff member
Joined
Apr 15, 2006
Messages
22,641
Reaction score
20,545
Points
113
Location
Sth Auck, NZ
Members Ride
HSV VS Senator, VX Calais II L67
Hi guys,

Over the weekend there was some sort of DDoS which greatly slowed down the internet speed over the Telecom Xtra service.

I checked my router and the security log showed the following (small sample):

09/08/2014 09:05:08 **TCP FIN Scan** 107.6.106.180, 80->> 192.168.2.3, 59373 (from ATM1 Inbound)
09/08/2014 04:17:20 **SYN Flood to Host** 115.230.125.143, 10000->> 125.239.92.13, 1199 (from ATM1 Inbound)
09/07/2014 22:57:28 **Smurf** 213.110.194.255, 52297->> 192.168.2.3, 41396 (from ATM1 Inbound)

Doing a quick search, I'm led to believe this could possibly be some sort of attempted hack?

In particular I noticed a lot of the **Smurf** entries, but all with different IP addresses. Using the IP Whois website, these seem to track back to the Russian Federation...


Can any of the Network guys assist?

I'm using an older Belkin router with the firewall and ping blocking features on if that makes any difference.
 

Tsunamix

Active Member
Joined
Nov 17, 2008
Messages
666
Reaction score
32
Points
28
Members Ride
VT 2
107.6.106.180, 80
This is the port scan originator and it's coming from their web browser on port 80, ex USA. Didn't have a torrent downloader running, did you?
192.168.2.3, 59373
This is you and from the small sample it kind of looks like they were scanning all your ports looking for open connections.
125.239.92.13
This address is a socket on a Telstra NZ server.
115.230.125.143
This is an unlisted Chinese IP. The SYN flood is where there is a flood of SYN-ACK (Synchronize-Acknowledge) requests being sent to the Telstra server, and that info is broadcast to all domains attached to the Telstra network so they can ignore packets sent from that IP.
213.110.194.255
This is a computer named smurf in Russia.

It's most likely a combined DDoS / flood attack on Telstra as a cover for a port scan attack on Telstra's network. Most likely the Yank IP is a bot.

It was all probably bounced by your firewall, but then I'm assuming you have no unsecured ports.
 

Immortality

Can't live without smoky bacon!
Staff member
Joined
Apr 15, 2006
Messages
22,641
Reaction score
20,545
Points
113
Location
Sth Auck, NZ
Members Ride
HSV VS Senator, VX Calais II L67
Yeah, that is what I had sort of worked out. My router kept crashing/rebooting and I thought it might have had something to do with a DDoS that was affecting all of the Spark (Telecom NZ) internet services.

125.239.92.13 is my router WAN IP. As far as I'm aware I don't have any unsecured ports.

I did have a torrent downloader running but shut it down early that day when the DDoS was active.

These are from earlier today:

09/08/2014 13:59:55 **UDP Loop** 93.180.5.26, 46253->> 125.239.92.13, 19 (from ATM1 Inbound)
09/08/2014 11:13:44 **UDP Loop** 179.43.148.165, 36528->> 125.239.92.13, 19 (from ATM1 Inbound)
09/08/2014 09:45:29 **UDP Loop** 89.46.101.232, 42512->> 125.239.92.13, 19 (from ATM1 Inbound)

Today I did have a torrent downloader running.
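As an added example (not code from the thread or from Belkin), here is a small Python parser for the security-log format quoted above, together with the kind of summary a defender would actually want from it: hits per event type, how many distinct sources were involved, which ports were aimed at, and whether the destination was the router's WAN address (125.239.92.13) or a machine behind it (192.168.2.3). The sample input is the six lines from the two posts above plus one constructed junk line. Assumptions: the log date is month/day/year, the `**` around the event name is only the forum's bold markup, and a source address ending in `.255` is the broadcast-style traffic that the router's Smurf rule reacts to.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# One Belkin-style security-log line. The ** around the event name are the
# forum's bold markup, so the pattern accepts them as optional. Assumption:
# the date is month/day/year (the thread's entries run 09/07 -> 09/08).
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?:\*\*)?(?P<event>[A-Za-z ]+?)(?:\*\*)? "
    r"(?P<src>\d+\.\d+\.\d+\.\d+), (?P<sport>\d+)->> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+), (?P<dport>\d+) "
    r"\(from (?P<iface>[^)]+)\)$"
)

# Constructed sample: the six lines quoted in the thread plus one junk line,
# to show that unparseable lines are skipped rather than aborting the summary.
SAMPLE_LOG = """\
09/08/2014 09:05:08 **TCP FIN Scan** 107.6.106.180, 80->> 192.168.2.3, 59373 (from ATM1 Inbound)
09/08/2014 04:17:20 **SYN Flood to Host** 115.230.125.143, 10000->> 125.239.92.13, 1199 (from ATM1 Inbound)
09/07/2014 22:57:28 **Smurf** 213.110.194.255, 52297->> 192.168.2.3, 41396 (from ATM1 Inbound)
09/08/2014 13:59:55 **UDP Loop** 93.180.5.26, 46253->> 125.239.92.13, 19 (from ATM1 Inbound)
09/08/2014 11:13:44 **UDP Loop** 179.43.148.165, 36528->> 125.239.92.13, 19 (from ATM1 Inbound)
09/08/2014 09:45:29 **UDP Loop** 89.46.101.232, 42512->> 125.239.92.13, 19 (from ATM1 Inbound)
this line is not a log entry
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    dst = ipaddress.ip_address(d["dst"])
    return {
        "ts": datetime.strptime(f"{d['date']} {d['time']}", "%m/%d/%Y %H:%M:%S"),
        "event": d["event"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "iface": d["iface"],
        # An RFC 1918 destination is a machine behind the router (here
        # 192.168.2.3); anything else is the router's own WAN address.
        "target": "lan-host" if dst.is_private else "router-wan",
    }


def parse_log(text):
    """Parse every line of a log dump, silently dropping lines that don't match."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Per event type: hit count, distinct sources, destination ports and targets."""
    per_type = defaultdict(lambda: {"count": 0, "sources": set(),
                                    "dports": set(), "targets": set()})
    for e in events:
        s = per_type[e["event"]]
        s["count"] += 1
        s["sources"].add(e["src"])
        s["dports"].add(e["dport"])
        s["targets"].add(e["target"])
    return {k: {"count": v["count"], "distinct_sources": len(v["sources"]),
                "dports": sorted(v["dports"]), "targets": sorted(v["targets"])}
            for k, v in per_type.items()}


def notes(events):
    """Defender-side observations for the event types seen in the thread."""
    out = []
    summary = summarize(events)
    if 19 in summary.get("UDP Loop", {}).get("dports", []):
        out.append("UDP Loop probes hit port 19 (chargen): confirm echo/chargen "
                   "are not answered on the WAN side")
    # Assumption: a source ending in .255 is a /24 broadcast address, which is
    # the shape of traffic the router's Smurf rule is reacting to.
    for src in sorted({e["src"] for e in events
                       if e["event"] == "Smurf" and e["src"].endswith(".255")}):
        out.append(f"Smurf source {src} looks like a broadcast address, i.e. "
                   f"reflected/spoofed traffic rather than a host worth tracing")
    for host in sorted({e["dst"] for e in events if e["target"] == "lan-host"}):
        out.append(f"events were logged against LAN host {host}: check for port "
                   f"forwards or UPnP mappings pointing at it")
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for event, s in summarize(evs).items():
        print(f"{event:18} x{s['count']}  sources={s['distinct_sources']}  "
              f"dports={s['dports']}  targets={s['targets']}")
    for n in notes(evs):
        print("-", n)
```

Run it on a pasted log dump and the per-type summary makes the thread's point visible at a glance: three UDP Loop hits from three different sources all aimed at port 19 on the WAN address is background scanning noise, whereas anything logged against a LAN host is the line worth checking against the router's port-forward and UPnP tables.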
 

HyperThinker

New Member
Joined
Jan 14, 2011
Messages
10
Reaction score
0
Points
0
Location
Melbourne
Members Ride
VT Berlina
If you listen to ANYONE'S router you will find anywhere between 100-1000 such or similar attempts a day.

If you worried about all of them it would be a full-time job. I don't think there's any point concerning yourself with these.
 

Immortality

Can't live without smoky bacon!
Staff member
Joined
Apr 15, 2006
Messages
22,641
Reaction score
20,545
Points
113
Location
Sth Auck, NZ
Members Ride
HSV VS Senator, VX Calais II L67
Yeah, not overly worried.

You know when something serious is going on because things just get slow.

Around Boxing Day internet speeds were very poor. It was reported a few days later that a sustained DoS attack was happening against the NZ TAB.
 

PaRaDoX

Because Racecouch...
Joined
Apr 16, 2005
Messages
3,286
Reaction score
34
Points
48
Location
Melbourne, Victoria
Members Ride
none
> Yeah, not overly worried.
>
> You know when something serious is going on because things just get slow.
>
> Around Boxing Day internet speeds were very poor. It was reported a few days later that a sustained DoS attack was happening against the NZ TAB.


If you have any device that can monitor traffic and display logs you'll discover a disgusting number of access attempts, mostly originating from Russia & China.

On one of our public IPs we observe on average 10 attempted RDP connections per minute attempting to brute force, using common username/password combinations such as admin / admin, test / test. I have personally seen attacks be successful due to terrible account naming.

As long as you have no port forwards you have nothing to worry about as far as random brute force attacks go. Also disable ICMP responses if your router supports it. TBH you should be more worried about cryptolockers, as they make it right past 90% of AVs atm and vary every single time; by the time a pattern is created it's morphed again, as antiviruses are reactive, not proactive.

I work in this space; I spend my days locking down networks and protecting against this crap.
 

commodore665

expat Saffa
Joined
Dec 30, 2011
Messages
2,845
Reaction score
2,270
Points
113
Age
54
Location
New Zealand via Cape Town
Members Ride
2005 SV6 & Alfa Romeo 156 V6
I'm with Clear.net, who is owned by Vodafone, and had no problems at all; mind you, I have a good anti-virus system as it is.
 

Immortality

Can't live without smoky bacon!
Staff member
Joined
Apr 15, 2006
Messages
22,641
Reaction score
20,545
Points
113
Location
Sth Auck, NZ
Members Ride
HSV VS Senator, VX Calais II L67
I'm with Spark, that should say it all.

I've not had any issues as far as I know in terms of viruses. Just slow speeds. Most periods of extremely low speeds seem to correspond with known DDoS attacks, so although the average user may not be involved, the whole local area can get real slow due to all the traffic associated with the DDoS attack.
 

shadetreemechanic

Active Member
Joined
Jan 2, 2011
Messages
254
Reaction score
107
Points
43
Location
perth
Members Ride
VR v6
They're all stock-standard port scans. Every ADSL router out there will log these at some point throughout the day/week... basically it's originating from hacked computers trying to look for open services on your end to probe if they're vulnerable.

This kind of thing does slow down your router and can act like a DoS, and your router can crash like you said. BTW, if you're torrenting at the same time it can be worse, especially if you increased the number of active connections each torrent has, since that uses up router memory, leaving it with fewer resources.

Best you can do is to make sure your PC or router is patched with the latest security updates, and when it happens reset your router so it will grab another IP address (unless you somehow have a statically assigned IP).

Edit: some routers are better than others with this sort of thing, better firewall, better router CPU/RAM etc. Also the IP range your ISP uses might be more targeted than usual.
 