Security Basics
Networking and DOS attacks May 02 2006 11:47AM
john johnmachell wanadoo co uk (3 replies)
RE: Networking and DOS attacks May 02 2006 04:19PM
David Gillett (gillettdavid fhda edu) (1 replies)
You haven't given us any clue as to whether these packets are
inbound (blocked and logged) or outbound (allowed and logged).
But since 81.79.70.215 is a UK DSL address, I'll assume that that
is you.
Since the traffic is UDP packets, there's no guarantee that the
source address is valid. But the consistent source port number of
the packets from 61.156.42.117 suggests that these packets come from
the same source, whereas those with different source addresses also
have different source ports -- stuff that spoofs the source address
usually doesn't randomize the source port.
So this looks very much like a distributed Denial of Service (DoS)
attack against one IP address. If this is a static address, then
you appear to have pissed somebody off; if this is a dynamic address,
then perhaps some user who it was previously allocated to made some
enemies who have no way of knowing that you are not he.

Most DoS attacks work by consuming some resource, making it unavailable
for legitimate use. A frequent target resource is bandwidth. By the
time these packets have made it down the wire to your firewall, they've
used all the bandwidth on your DSL connection that they can, and so the
damage is done. The only possibility of blocking the attack is from
within your ISP's network, before your DSL line is reached.

So you need to report this to your ISP and ask for their help. They
may or may not be willing to take any action.

David Gillett

> -----Original Message-----
> From: john (at) johnmachell.wanadoo.co (dot) uk [email concealed]
> [mailto:john (at) johnmachell.wanadoo.co (dot) uk [email concealed]]
> Sent: Tuesday, May 02, 2006 4:48 AM
> To: security-basics (at) securityfocus (dot) com [email concealed]
> Subject: Networking and DOS attacks
>
> I am very new to networking. I have a Netgear ADSL
> modem/router with a firewall that is set to allow all
> outgoing traffic and block all incoming and to send me a
> security log each day. Please could someone tell me what
> the log means (see below) and whether I should be concerned
> or not as, since the DOS and UDP messages started appearing I
> seem to get lots of disconnections from my ISP. Cheers, John
>
> Thu, 1970-01-01 01:00:16 - Initialize LCP.
> Thu, 1970-01-01 01:00:16 - LCP is allowed to come up.
> Thu, 1970-01-01 01:00:20 - CHAP authentication success
> Thu, 1970-01-01 01:00:35 - Send out NTP request to time-g.netgear.com
> Tue, 2006-05-02 08:57:03 - Receive NTP Reply from time-g.netgear.com
> Tue, 2006-05-02 08:56:28 - Router start up
> Tue, 2006-05-02 09:22:01 - UDP Packet - Source:199.2.51.139,50244 Destination:81.79.70.215,1029 - [DOS]
> Tue, 2006-05-02 09:28:58 - UDP Packet - Source:222.208.168.130,49057 Destination:81.79.70.215,1033 - [DOS]
> Tue, 2006-05-02 09:28:59 - UDP Packet - Source:150.64.232.13,30794 Destination:81.79.70.215,1026 - [DOS]
> Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1032 - [DOS]
> Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1033 - [DOS]
> Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,4081 - [DOS]
> Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,2 - [DOS]
>

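The reply above reads the log by grouping entries per source: one address repeating with an unchanging source port, other addresses each with their own port, and a single destination address. The following is an added example, not part of the thread, that performs that grouping on the [DOS] entries from the quoted log; the function names are illustrative.

```python
import re
from collections import defaultdict

# The seven [DOS] entries from the router log quoted in the thread, one per line.
SAMPLE_LOG = """\
Tue, 2006-05-02 09:22:01 - UDP Packet - Source:199.2.51.139,50244 Destination:81.79.70.215,1029 - [DOS]
Tue, 2006-05-02 09:28:58 - UDP Packet - Source:222.208.168.130,49057 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:28:59 - UDP Packet - Source:150.64.232.13,30794 Destination:81.79.70.215,1026 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1032 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,1033 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,4081 - [DOS]
Tue, 2006-05-02 09:52:41 - UDP Packet - Source:61.156.42.117,38734 Destination:81.79.70.215,2 - [DOS]
"""

ENTRY = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - UDP Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) - \[DOS\]"
)

def parse(log_text):
    """Yield (time, src_ip, src_port, dst_ip, dst_port) for each [DOS] UDP entry."""
    # Drop mail-quote markers and collapse whitespace, so entries that a mail
    # client re-wrapped across several "> " lines still match.
    flat = " ".join(re.sub(r"(?m)^[> ]+", "", log_text).split())
    for m in ENTRY.finditer(flat):
        yield m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def summarize(log_text):
    """Group entries by source IP; also return the set of destination IPs."""
    stats = defaultdict(lambda: {"packets": 0, "sports": set(), "dports": set(), "times": set()})
    targets = set()
    for ts, src, sport, dst, dport in parse(log_text):
        s = stats[src]
        s["packets"] += 1
        s["sports"].add(sport)
        s["dports"].add(dport)
        s["times"].add(ts)
        targets.add(dst)
    return dict(stats), targets

def fixed_port_repeaters(stats, min_packets=2):
    """Sources seen several times with one unchanging source port."""
    return sorted(ip for ip, s in stats.items()
                  if s["packets"] >= min_packets and len(s["sports"]) == 1)

if __name__ == "__main__":
    stats, targets = summarize(SAMPLE_LOG)
    print("destination addresses:", sorted(targets))
    for ip, s in stats.items():
        print(ip, s["packets"], "pkts, src ports", sorted(s["sports"]), "dst ports", sorted(s["dports"]))
    print("fixed source port repeaters:", fixed_port_repeaters(stats))
```

A fixed source port across repeats is only a hint, for the reason the reply gives: UDP source addresses carry no guarantee of validity.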
RE: Networking and DOS attacks May 04 2006 02:37AM
Jim Serino (jim serino mindspring com)
Re: Networking and DOS attacks May 02 2006 04:13PM
Hunter Barrington (godsrock37 gmail com)
Re: Networking and DOS attacks May 02 2006 03:02PM
Harrison Holland (harrisonholland gmail com)







 

Copyright 2009, SecurityFocus