My router sends me the log whenever it fills up. Normally that takes some weeks. Starting some time around noon I started getting the logs every 20 mins, meaning a lot of log entries were being made, so I investigated. It looks like this (my IP changed to *s):
Quote
Apr/16/2009 21:53:35
Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:27
Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:27
Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:27
Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:21
Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:15
...
...
Should I care? I am virus free.
Does this shed any light?
Port 11 (http://www.auditmypc.com/port/udp-port-11.asp)
Your router is denying so this is good. Thoughts anyone?
Hopefully it's just a random attack that your router is dealing with i.e. it's quietly dropping the packets. As far as any attacker is concerned your IP address doesn't exist so it should stop in a while. Why your IP address is being hit is probably just random bad luck.
I would turn logging of that rule off and forget about it. It's all incoming, not outgoing, so it's not a virus or trojan etc.
Quote from: smilodon;272951Hopefully it's just a random attack that your router is dealing with i.e. it's quietly dropping the packets. As far as any attacker is concerned your IP address doesn't exist so it should stop in a while. Why your IP address is being hit is probably just random bad luck.
I would turn logging of that rule off and forget about it. It's all incoming, not outgoing, so it's not a virus or trojan etc.
I just checked my log this morning and the hammering stopped sometime this morning. So it lasted a good 20 hours. I tried a whois lookup on the IP but got nothing. Yeah, I had also disabled ping responses so I should appear quite non-existent, at least I hope.
Report it to the ISP (tele2):
http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=130.227.247.97&do_search=Search
Quote from: BlueBall;272974Report it to the ISP (tele2):
http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=130.227.247.97&do_search=Search
Done. Cheers BB :)
And the hammering is back... waiting for Tele2 :g:
Quote from: Jabbs;272947Does this shed any light?
Port 11 (http://www.auditmypc.com/port/udp-port-11.asp)
Your router is denying so this is good. Thoughts anyone?
ICMP doesn't use ports, so that's not really valid as the logs are claiming this is ICMP traffic. The :11 *could* mean the type of ICMP signal it is, but as type 11 is TTL exceeded I can't think why you'd be getting it unless you sent any data out to a nonexistent IP first (and generally you'd want to let stuff like TTL Exceeded back in anyway). Someone could be spoofing your IP as a source and trying to reach a nonexistent IP, but what would be the point?
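To make the point above concrete, here is an added example (not code from this thread or from D-Link) that parses log lines in the format the router printed, reads the number after the source IP as the ICMP type and the number after the destination as the ICMP code (an assumption about the D-Link DI-624+ format, following the interpretation above), and flags a source that hammers the WAN side with many drops inside a short window. The sample log is constructed from the entries quoted earlier in the thread plus one made-up TCP drop from 192.0.2.10 (a documentation address) so that an unrelated, low-rate source is shown not being flagged. The burst threshold and window are arbitrary choices for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the ICMP entries mirror the ones quoted in the thread,
# the final TCP entry is made up so a non-bursting source appears too.
SAMPLE_LOG = """
Apr/16/2009 21:53:35
Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:27
Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:27
Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:27
Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:21
Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:15
Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:40:02
Drop TCP packet from WAN src:192.0.2.10:4455 dst:*.*.*.*:445 Rule: Default deny
"""

# ICMP type numbers from RFC 792; only the common ones are named here.
ICMP_TYPES = {
    0: "echo-reply",
    3: "destination-unreachable",
    5: "redirect",
    8: "echo-request",
    11: "time-exceeded",
}

# One "Drop ..." line. For ICMP the two trailing numbers are assumed to be
# type and code; for TCP/UDP they are the source and destination ports.
DROP_RE = re.compile(
    r"^Drop (?P<proto>\w+) packet from (?P<iface>\w+) "
    r"src:(?P<src>[^:]+):(?P<sfield>\d+) dst:(?P<dst>[^:]+):(?P<dfield>\d+) "
    r"Rule: (?P<rule>.+)$"
)


def parse_log(text):
    """Turn the two-line (timestamp, message) records into a list of dicts."""
    records = []
    ts = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        try:
            ts = datetime.strptime(line, "%b/%d/%Y %H:%M:%S")
            continue
        except ValueError:
            pass
        m = DROP_RE.match(line)
        if m is None or ts is None:
            continue  # unknown line shape or message without a timestamp
        rec = m.groupdict()
        rec["ts"] = ts
        rec["sfield"] = int(rec["sfield"])
        rec["dfield"] = int(rec["dfield"])
        records.append(rec)
    return records


def describe(rec):
    """Human-readable label: ICMP type/code, or destination port for TCP/UDP."""
    if rec["proto"] == "ICMP":
        name = ICMP_TYPES.get(rec["sfield"], "unknown")
        return f"ICMP type {rec['sfield']} ({name}) code {rec['dfield']}"
    return f"{rec['proto']} dport {rec['dfield']}"


def summarize(records):
    """Count drops per (source IP, description) pair."""
    return Counter((r["src"], describe(r)) for r in records)


def find_bursts(records, window=timedelta(seconds=60), threshold=5):
    """Return {src: max drops seen inside any `window`} for sources at or
    above `threshold`, using a sliding window over sorted timestamps."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r["ts"])
    bursts = {}
    for src, stamps in by_src.items():
        stamps.sort()
        best, lo = 0, 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, what), n in summarize(recs).most_common():
        print(f"{n:4d}  {src:16s} {what}")
    print("bursting sources:", find_bursts(recs))
```

Run against a real export, the summary shows at a glance whether the noise is one source repeating one ICMP type (as in this thread) or a spread of ports, and the burst check gives a number to quote when reporting the source to its ISP. The type/code reading is only as good as the assumption about the D-Link format; if the firmware logs something else in those slots, the labels will be wrong while the per-source counts stay valid.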
Quote from: Carr0t;273022ICMP doesn't use ports, so that's not really valid as the logs are claiming this is ICMP traffic. The :11 *could* mean the type of ICMP signal it is, but as type 11 is TTL exceeded I can't think why you'd be getting it unless you sent any data out to a nonexistent IP first (and generally you'd want to let stuff like TTL Exceeded back in anyway). Someone could be spoofing your IP as a source and trying to reach a nonexistent IP, but what would be the point?
The only scenario I can think up, to match that, would be from the fact that my WAN IP differs from the IP given to my router. I know that I am part of a LAN tied to this building complex. I don't know the TTL of the IPs here and I have no idea how long I have had this IP. That said - what app would hammer away for days? :g:
Argh :frusty:.
I keep mailing them, and tried calling them (the ISP of this guy) but they just say:
"we have many such cases. We will deal with them. We don't have time to get back to you. You just wait and see if something gets better, possibly because we have done something"
This morning the dude started again. Caused my router to restart twice now.
Idea - could this be a spotify issue? I know spot shares song data p2p-style to reduce bandwidth load?
Alternatively - can I force a new IP from my ISP? Somehow circumvent the TTL and then get a new one... or will I end up with the same one being leased to me? :g:
Can I see somewhere what my TTL is? The ISP is a small one that makes a living from delivering to building complexes - so not a nation-wide big one... To clarify: I am part of a LAN of a kind, I think, assigned to this building.
If it's causing your router to reset then try turning logging off for that protocol as it may be filling the log up which is causing the issue.
tbh, I don't have logging on for blocked requests at all on any firewalls as there is so much white noise out there now it's not worth it. I only want to know about possible protocol attacks that occur so have logging set accordingly. Sure makes my life easier as I'm not being inundated with superfluous emails every few seconds!
Quote from: Gandalf;275703If it's causing your router to reset then try turning logging off for that protocol as it may be filling the log up which is causing the issue.
tbh, I don't have logging on for blocked requests at all on any firewalls as there is so much white noise out there now it's not worth it. I only want to know about possible protocol attacks that occur so have logging set accordingly. Sure makes my life easier as I'm not being inundated with superfluous emails every few seconds!
Thanks.
Well, just if you happen to have a qualified guess: It is a low spec router (D-link DI-624+). I have the following log options
System activity
Debug info
Attacks
Dropped packets
Notice
NO mention of what they include anywhere. I have all on, except debug info. I guess what you are referring to could be system activity? :g:
Should I care about dropped packets? And notice?
Turn off dropped packets. That should be the one.
Notification is usually things such as dsl connection info, clock updates, etc.
Quote from: Gandalf;275706Turn off dropped packets. That should be the one.
Notification is usually things such as dsl connection info, clock updates, etc.
Done. Cheers again mate.
Just a quick point. TTL is not the time to live of your IP address. That is the DHCP lease time. TTL is the maximum number of routers (i.e. different networks) your data can pass through between source (you) and destination. So a TTL of 1 means it will get to your home router and stop. A TTL of 2 means it'll probably stop somewhere close in your ISPs network etc etc.