Do these recent Netgear DoS attack messages concern you

Do these recent Netgear DoS attack messages concern you?

[DoS attack: FIN Scan] attack packets in last 20 sec from ip [96.17.148.8], Monday, Aug 11,2014 05:28:45
[DoS attack: Smurf] attack packets in last 20 sec from ip [113.88.232.255], Sunday, Aug 10,2014 11:22:14

I am not in the habit of looking at my Netgear router log files but I just happened to look and saw those two activities.

Does that mean the router protected me and they didn't get in? How did they get past the firewall?

Reply to
Elechi Amadi

I also see very many of these types:

[LAN access from remote] from 209.170.124.118:3075 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:43:44
[LAN access from remote] from 108.45.144.8:3074 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:40:50
[LAN access from remote] from 99.36.167.174:3074 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:40:50

Is a LAN access an actual remote log in? Or is it just an "attempt" that failed?

(There are dozens of these, from many IP addresses.)


Are these actual breaches of security?

Reply to
Elechi Amadi

You are confusing too many things.

To "log in", you must "log in" into something. While one could conceivably log into a LAN, mass IT equipment does not normally have that capability (as in, they would have nowhere to "log in" into a LAN).

"LAN access" means that someone is able to send packets into the LAN (read: send them to hosts on the LAN) and receive packets from the LAN.

According to the logs you posted, on several/numerous occasions, your router "patched" an outside host to a host on the inside. Whether this is a problem or not depends on whether that particular host (192.168.1.3) is supposed to be taking inbound connections. Is it?

A breach means that an attacker managed to get past the perimeter. The above logs show that a connection (presumably initiated from the outside) was established on several/many occasions. Again, whether this is a problem or not depends on whether this is supposed to happen. What is 192.168.1.3? Is it an XBox? Playstation? A PC running a torrent program? A smartphone running the Skype app? One of those "plug servers", like a Raspberry Pi or a Sheeva? Is it a media server? A file server? A web server designed to take in traffic from the outside? There are many options.

As for a little more color on what is happening, look at the ports they are trying to connect to:

$ grep '[[:space:]]3074/' /etc/services
xbox 3074/tcp # Xbox game port
xbox 3074/udp # Xbox game port

Someone is (presumably) looking for XBoxen. Maybe they just want to play?

Reply to
Aleksandar Kuktin
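
An added example, not part of the original thread and not Netgear's own tooling: the reply above reads each "LAN access from remote" line as the router passing an outside host through to an inside host, and asks whether that inside host and port are supposed to accept inbound traffic. This Python script groups the log lines quoted in the thread by inside host and port and marks any pair that is not on an allow-list; `summarize` and `expected_forwards` are hypothetical names chosen for this example.

```python
import re
from collections import defaultdict

# Sample lines copied from the router log quoted in this thread.
SAMPLE_LOG = """\
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [96.17.148.8], Monday, Aug 11,2014 05:28:45
[DoS attack: Smurf] attack packets in last 20 sec from ip [113.88.232.255], Sunday, Aug 10,2014 11:22:14
[LAN access from remote] from 209.170.124.118:3075 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:43:44
[LAN access from remote] from 108.45.144.8:3074 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:40:50
[LAN access from remote] from 99.36.167.174:3074 to 192.168.1.3:3074, Tuesday, Aug 12,2014 01:40:50
"""

LAN_RE = re.compile(
    r"^\[LAN access from remote\] from (\d+(?:\.\d+){3}):(\d+) "
    r"to (\d+(?:\.\d+){3}):(\d+),")
DOS_RE = re.compile(
    r"^\[DoS attack: ([^\]]+)\] .*? from ip \[(\d+(?:\.\d+){3})\]")


def summarize(log_text, expected_forwards=frozenset()):
    """Group log entries so each inbound forward can be reviewed.

    expected_forwards is a hypothetical allow-list of (lan_ip, port)
    pairs the owner knowingly exposes, e.g. a console's game port.
    """
    forwards = defaultdict(set)   # (lan_ip, lan_port) -> remote source IPs
    dos = defaultdict(set)        # attack label -> source IPs
    unparsed = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if m := LAN_RE.match(line):
            forwards[(m[3], int(m[4]))].add(m[1])
        elif m := DOS_RE.match(line):
            dos[m[1]].add(m[2])
        else:
            unparsed.append(line)  # keep unknown formats visible
    unexpected = sorted(k for k in forwards if k not in expected_forwards)
    return {"forwards": dict(forwards), "dos": dict(dos),
            "unexpected": unexpected, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (ip, port), sources in report["forwards"].items():
        flag = "REVIEW" if (ip, port) in report["unexpected"] else "expected"
        print(f"{ip}:{port} reached by {len(sources)} remote hosts [{flag}]")
    for label, sources in report["dos"].items():
        print(f"DoS entry: {label} from {sorted(sources)}")
```

Passing `{("192.168.1.3", 3074)}` as `expected_forwards` clears the flag for a host that is known to be a console; with an empty allow-list every forwarded pair is listed for review.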

It's a Windows XP laptop. It's not "supposed" to be doing anything. So, I'm not sure what the router "patched", but, whatever it did, it shouldn't have done.

Is this a problem with Netgear? Should I have gotten a different router that doesn't patch?

Reply to
Elechi Amadi

Actually, I just looked and that IP address is no longer on my system. So, I don't really know "what" it was.

Reply to
Elechi Amadi

Elechi Amadi wrote, on Tue, 12 Aug 2014 14:41:36 -0500:

Seems to me your computer is unwittingly part of a botnet. At this point, the only thing you *can* do is wipe out the operating system.

And flash the router to make sure they're not infecting your router firmware.

Reply to
Helmer Bengtsson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.