My router is getting hammered. Should I care?

Started by delanvital, April 16, 2009, 10:10:17 PM


delanvital

My router sends me the log whenever it fills up. Normally that takes some weeks. Starting some time around noon I started getting the logs every 20 mins, meaning a lot of log was being made, so I investigated. It looks like this (my IP changed to *s):

Quote:
Apr/16/2009 21:53:35
 Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:27
 Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:27
 Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:27
 Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:21
 Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:15
...
...

Should I care? I am virus free.

Jabbs

Does this shed any light?

Port 11

Your router is denying so this is good.  Thoughts anyone?
Start Folding and get yourself one of those nice new badge thingies, it's a good cause.  Check out the stats

jabbs@deadmen.co.uk

smilodon

Hopefully it's just a random attack that your router is dealing with i.e. it's quietly dropping the packets. As far as any attacker is concerned your IP address doesn't exist so it should stop in a while. Why your IP address is being hit is probably just random bad luck.

I would turn logging of that rule off and forget about it. It's all incoming, not outgoing, so it's not a virus or trojan etc.
smilodon
Whatever's gone wrong it's not my fault.

delanvital

Quote from: smilodon;272951
Hopefully it's just a random attack that your router is dealing with i.e. it's quietly dropping the packets. As far as any attacker is concerned your IP address doesn't exist so it should stop in a while. Why your IP address is being hit is probably just random bad luck.

I would turn logging of that rule off and forget about it. It's all incoming, not outgoing, so it's not a virus or trojan etc.

I just checked my log this morning and the hammering has stopped sometime around this morning. So it lasted a good 20 hours. I tried a whois lookup on the IP but got nothing. Yeah, I had also disabled ping responses so I should appear quite non-existent, at least I hope.

delanvital

And the hammering is back... waiting for Tele2 :g:

Carr0t

Quote from: Jabbs;272947
Does this shed any light?

Port 11

Your router is denying so this is good.  Thoughts anyone?

ICMP doesn't use ports, so that's not really valid as the logs are claiming this is ICMP traffic. The :11 *could* mean the type of ICMP signal it is, but as type 11 is TTL exceeded I can't think why you'd be getting it unless you sent any data out to a nonexistent IP first (and generally you'd want to let stuff like TTL Exceeded back in anyways). Someone could be spoofing your IP as a source and trying to reach a nonexistent IP, but what would be the point?

Wash: This is going to get pretty interesting.
Mal: Define interesting...
Wash: Oh god, oh god, we're all going to die?
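An added example, not code from any poster or from D-Link, that parses dropped-packet lines in the format delanvital quoted and applies Carr0t's reading of the ":11" field as the ICMP type, then counts drops per source and per second so a sustained burst from one host stands out from background noise. The sample lines are constructed, the TCP entry with the documentation address 192.0.2.10 is invented for contrast, and treating ":N" on ICMP lines as the ICMP type is an assumption, not a documented log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of IANA ICMP type numbers; 11 is Time Exceeded (a TTL ran out in transit)
ICMP_TYPES = {0: "Echo Reply", 8: "Echo Request", 11: "Time Exceeded"}
TS_RE = re.compile(r"^(\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s*$")
DROP_RE = re.compile(r"^\s*Drop (\w+) packet from WAN src:(\S+):(\d+) "
                     r"dst:(\S+):(\d+) Rule: (.+?)\s*$")
# Constructed sample in the DI-624+ format quoted in the thread (192.0.2.10 is a documentation address)
SAMPLE_LOG = """\
Apr/16/2009 21:53:27
 Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:53:27
 Drop ICMP packet from WAN src:130.227.247.97:11 dst:*.*.*.*:0 Rule: Default deny
Apr/16/2009 21:50:02
 Drop TCP packet from WAN src:192.0.2.10:4433 dst:*.*.*.*:22 Rule: Default deny
...
"""

def parse_log(text):
    """One dict per dropped packet; a timestamp line is paired with the entry below it."""
    entries, ts = [], None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b/%d/%Y %H:%M:%S")
            continue
        m = DROP_RE.match(line)
        if not m or ts is None:
            continue  # skips the "..." truncation marker and any stray text
        proto, src, src_n, dst, dst_n, rule = m.groups()
        e = {"ts": ts, "proto": proto, "src": src, "dst": dst, "rule": rule,
             "icmp_type": None, "icmp_name": None, "dst_port": None}
        if proto == "ICMP":
            # ICMP has no ports; assume, as Carr0t suggested, that ':N' is the ICMP type
            e["icmp_type"] = int(src_n)
            e["icmp_name"] = ICMP_TYPES.get(e["icmp_type"], "unknown")
        else:
            e["dst_port"] = int(dst_n)
        entries.append(e)
        ts = None
    return entries

def summarize(entries):
    buckets = defaultdict(lambda: defaultdict(int))  # src -> second -> drops in that second
    for e in entries:
        buckets[e["src"]][e["ts"]] += 1
    return {src: {"count": sum(b.values()), "peak_per_second": max(b.values())}
            for src, b in buckets.items()}
```

A single source with a high count and a high per-second peak over many hours is the pattern the thread describes; a handful of Time Exceeded replies spread over a day would be normal background.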

delanvital

Quote from: Carr0t;273022
ICMP doesn't use ports, so that's not really valid as the logs are claiming this is ICMP traffic. The :11 *could* mean the type of ICMP signal it is, but as type 11 is TTL exceeded I can't think why you'd be getting it unless you sent any data out to a nonexistent IP first (and generally you'd want to let stuff like TTL Exceeded back in anyways). Someone could be spoofing your IP as a source and trying to reach a nonexistent IP, but what would be the point?

The only scenario I can think up, to match that, would be from the fact that my WAN IP differs from the IP given to my router. I know that I am part of a LAN tied to this building complex. I don't know the TTL of the IPs here and I have no idea how long I have had this IP. That said - what app would hammer away for days? :g:

delanvital

Argh :frusty:.

I keep mailing them, and tried calling them (the ISP of this guy) but they just say:

"we have many such cases. We will deal with them. We don't have time to get back to you. You just wait and see if something gets better, possibly because we have done something"

This morning the dude started again. Caused my router to restart twice now.

Idea - could this be a Spotify issue? I know Spotify shares song data p2p-style to reduce bandwidth load?

Alternatively - can I force a new IP from my ISP? Somehow circumvent the TTL and then get a new one... or will I end up with the same one being leased to me? :g: Can I see somewhere what my TTL is? The ISP is a small one that makes a living from delivering to building complexes - so not a nation-wide big one... to clarify: I am part of a LAN of a kind, I think, assigned to this building.

Gandalf

If it's causing your router to reset then try turning logging off for that protocol as it may be filling the log up which is causing the issue.

tbh, I don't have logging on for blocked requests at all on any firewalls as there is so much white noise out there now it's not worth it. I only want to know about possible protocol attacks that occur so have logging set accordingly. Sure makes my life easier as I'm not being inundated with superfluous emails every few seconds!
*G*

Cake: Four large eggs. One cup semi-sweet chocolate chips. Three/four cups butter or margarine. One and two third cups granulated sugar. Two cups all purpose flour. Fish shaped ethyl benzene. Twelve medium geosynthetic membranes. Three tablespoons rhubarb, on fire.

delanvital

Quote from: Gandalf;275703
If it's causing your router to reset then try turning logging off for that protocol as it may be filling the log up which is causing the issue.

tbh, I don't have logging on for blocked requests at all on any firewalls as there is so much white noise out there now it's not worth it. I only want to know about possible protocol attacks that occur so have logging set accordingly. Sure makes my life easier as I'm not being inundated with superfluous emails every few seconds!

Thanks.

Well, just if you happen to have a qualified guess: it is a low spec router (D-Link DI-624+). I have the following log options:

System activity
Debug info
Attacks
Dropped packets
Notice

NO mention of what they include anywhere. I have all on, except debug info. I guess what you are referring to could be system activity? :g: Should I care about dropped packets? And notice?

Gandalf

Turn off dropped packets. That should be the one.

Notification is usually things such as dsl connection info, clock updates, etc.
*G*


delanvital

Quote from: Gandalf;275706
Turn off dropped packets. That should be the one.

Notification is usually things such as dsl connection info, clock updates, etc.

Done. Cheers again mate.

Carr0t

Just a quick point. TTL is not the time to live of your IP address. That is the DHCP lease time. TTL is the maximum number of routers (i.e. different networks) your data can pass through between source (you) and destination. So a TTL of 1 means it will get to your home router and stop. A TTL of 2 means it'll probably stop somewhere close in your ISP's network etc etc.