Advice on router security alert?

Hi,

I'm based in the UK running Windows XP. My netgear router has sent me
the following "security alert" email:

UDP Packet - Source:67.159.44.180,4237 Destination:83.245.16.37,1025 -
[DOS]UDP Packet - Source:67.159.44.106,4237 Destination:
83.245.16.37,1025 - [DOS]UDP Packet - Source:67.159.44.180,4237
Destination:83.245.16.37,1025 - [DOS]UDP Packet - Source:
67.159.44.106,4237 Destination:83.245.16.37,1025 - [DOS]UDP Packet -
Source:67.159.44.180,4237 Destination:83.245.16.37,1025 - [DOS]UDP
Packet - Source:67.159.44.106,4237 Destination:83.245.16.37,1025 -
[DOS]UDP Packet - Source:212.58.227.104,21922 Destination:
83.245.16.37,6970 - [DOS]


I've looked up the IP addresses and found the following:

===============================
Search ARIN WHOIS for: 67.159.44.106

OrgName:    FDC Servers.net, LLC
OrgID:      FDCSE
Address:    141 West Jackson Blvd, Suite 1135
City:       Chicago
StateProv:  IL
PostalCode: 60604
Country:    US

======================================
Search ARIN WHOIS for: 212.58.227.104

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:
PostalCode: 1001EB
Country:    NL
====================================

So what does this mean??
Re: Advice on router security alert?
martin_pentreath@hotmail.com wrote:

It means that a host at BBC, a host presumably owned by a Mr. McElvana,
and a third host sent a couple UDP packets to your netgear router (to
ports that seem to be closed). And that your netgear router thinks that
it might be a Denial-of-Service attack, for whatever reason.

With the given information that's all we can say.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Advice on router security alert?
On Fri, 7 Dec 2007, in the Usenet newsgroup comp.security.firewalls, in article
martin_pentreath@hotmail.com wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen.  Find a real news server.


Missing timestamps, so it's hard to say.  However the list was produced
in this post, it makes it hard to read, but that's OK because there is
virtually nothing interesting. There are six repeats of a UDP packet
from some unidentified servers that may be in Chicago, destined for an
ephemeral port often used by windoze for messaging. The fact that the
first six alternate between two source addresses but use the same source
port is interesting.  UDP itself is stateless, so the source address
could easily be spoofed (normal in messenger spam).   The seventh packet
is from a different host - perhaps rmclip4.rbsov.bbc.co.uk as the lookup
implies. Pretty useless information, don't you think?


I've no idea what "tool" you attempted to use, but it's nearly
worthless. It appears to be querying the ARIN whois server, which is
a _step_ in the right direction, but there is no followup to the leads.
"FDC Servers.net" has a referral server, but it returns nothing useful.
Likewise, a hostname lookup shows rather clueless results.

   67.159.44.179   alwayz.wazted.com.ar
   67.159.44.180   is.lost.in.the.kingdom-of-anime.org
   67.159.44.181   will.tradesex.net

Looking up other hosts (67.159.44.105 through 67.159.44.107, and
67.159.44.170) returns only the in-addr.arpa name which implies that
fdcservers.net doesn't want you to know the actual name, or that they
are too st00pid to be running a computer - your call.

Doing a search for the name 'fdcservers.net' in the Usenet newsgroups
news.admin.net-abuse.*  turns up lots of hits in 2003-2005, but not
much of interest to me.  You _are_ using a search engine to post - did
you try using it for its intended purpose of searching the web?


Totally useless tool.  See http://www.iana.org/assignments/ipv4-address-space
for hints.  There are five "Regional Internet Registries" - AFRINIC which
handles Africa, APNIC which handles Asia and the Pacific, LACNIC which
handles Central and South America, RIPE for Europe, and ARIN for North
America and crumbs. Asking the wrong server will result in a hint (as
here) to ask the right one.  Here, the range 212.0.0.0 - 213.255.255.255
is delegated to RIPE (although there are some residual AFRINIC
registrations from when RIPE was still doing registry for Africa).

        Old guy
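The second reply above works out by eye what the router's run-together alert text actually contains: six repeats to one destination port from two source addresses that share a single source port, plus one unrelated packet to another port. The following Python script is an added example, not code from either poster or from Netgear, that does the same triage mechanically: it flattens the wrapped email body, parses each "Packet - Source:... Destination:... - [TAG]" entry, groups entries by destination port, and flags the "several sources, one source port" pattern the reply calls out as consistent with spoofing. The entry layout it assumes is exactly the one quoted in the original post (the allowance for a TCP protocol word and other bracketed tags is an assumption); the sample input is the alert text from the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# The alert body as quoted in the original post, including the line
# wrapping that the newsgroup added when the email was pasted in.
ALERT_TEXT = """UDP Packet - Source:67.159.44.180,4237 Destination:83.245.16.37,1025 -
[DOS]UDP Packet - Source:67.159.44.106,4237 Destination:
83.245.16.37,1025 - [DOS]UDP Packet - Source:67.159.44.180,4237
Destination:83.245.16.37,1025 - [DOS]UDP Packet - Source:
67.159.44.106,4237 Destination:83.245.16.37,1025 - [DOS]UDP Packet -
Source:67.159.44.180,4237 Destination:83.245.16.37,1025 - [DOS]UDP
Packet - Source:67.159.44.106,4237 Destination:83.245.16.37,1025 -
[DOS]UDP Packet - Source:212.58.227.104,21922 Destination:
83.245.16.37,6970 - [DOS]"""

# One alert entry. The "\s*" after each colon absorbs the wrap points the
# post shows ("Source:\n67..." and "Destination:\n83..."). Accepting TCP and
# any upper-case tag besides DOS is an assumption beyond the quoted sample.
ENTRY_RE = re.compile(
    r"(?P<proto>UDP|TCP) Packet - "
    r"Source:\s*(?P<src>\d+\.\d+\.\d+\.\d+),(?P<sport>\d+) "
    r"Destination:\s*(?P<dst>\d+\.\d+\.\d+\.\d+),(?P<dport>\d+) "
    r"- \[(?P<tag>[A-Z]+)\]"
)


@dataclass(frozen=True)
class Entry:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    tag: str


def parse_alert(text: str) -> list[Entry]:
    """Collapse all whitespace (undoing the mail wrapping) and pull out every entry."""
    flat = re.sub(r"\s+", " ", text)
    return [
        Entry(m["proto"], m["src"], int(m["sport"]),
              m["dst"], int(m["dport"]), m["tag"])
        for m in ENTRY_RE.finditer(flat)
    ]


def summarize(entries: list[Entry]) -> dict[int, dict]:
    """Group by destination port and describe who sent what to it."""
    by_dport: dict[int, list[Entry]] = defaultdict(list)
    for e in entries:
        by_dport[e.dport].append(e)

    report = {}
    for dport, group in sorted(by_dport.items()):
        sources = sorted({e.src for e in group})
        source_ports = sorted({e.sport for e in group})
        report[dport] = {
            "count": len(group),
            "sources": sources,
            "source_ports": source_ports,
            # Several distinct source addresses all claiming the same source
            # port is the oddity the reply points at. UDP is stateless, so
            # this is consistent with spoofed sources; it is not proof.
            "shared_source_port": len(sources) > 1 and len(source_ports) == 1,
        }
    return report


if __name__ == "__main__":
    entries = parse_alert(ALERT_TEXT)
    print(f"{len(entries)} entries parsed")
    for dport, info in summarize(entries).items():
        flag = " (one source port across several sources)" if info["shared_source_port"] else ""
        print(f"dst port {dport}: {info['count']} packet(s) from "
              f"{', '.join(info['sources'])} sport {info['source_ports']}{flag}")
```

Run against the quoted alert this reports six packets to port 1025 from the two 67.159.44.x addresses, all with source port 4237, and one packet to port 6970 from 212.58.227.104. Nothing here says whether anything was actually under attack; as the reply notes, with no timestamps and this little traffic, a per-port count and the source pattern are about all that can be extracted from the router's message.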
