PC Pals Forum
Technical Help & Discussion => Self Building, Upgrading & General Hardware Help => Topic started by: Baz on January 02, 2010, 20:08
-
Have been getting a lot of logs about DOS attacks from the router. I have been well informed by Rik that it's OK and the router is doing its job, but it seems strange to me as I never used to get any, honest. After I get the reports sent by email I try to look in the router settings and it won't log in.
The only thing I can think of is it's something to do with my son playing online on his PS3, but he has done this for ages and we never got any bother. Why and how are these getting in to the router?
Any ideas?
-
I would never dispute the word of the all-knowing one on routers and ADSL, Baz. ;) I do believe the router firewall is just doing its job, but I guess there comes a point where one has to ask if it's being asked to work too hard for any reason. Can you post some of the logs, without revealing any personal info, so that we can have a look for you?
-
Don't get me wrong Simon, there's no way too that I would or am disputing what I've been told, hope Rik or you don't think I am, just trying to find out why it's happening all of a sudden.
Latest logs from yesterday. I have some from 28 Dec, others I have deleted.
Sat, 2010-01-02 22:00:44 - UDP Packet - Source:174.27.18.1,3074 Destination:************* - [DOS]
Sat, 2010-01-02 22:05:44 - Administrator login successful - IP:*************
Sat, 2010-01-02 22:05:44 - UDP Packet - Source:86.162.95.144,3074 Destination:************* - [DOS]
Sat, 2010-01-02 22:10:44 - Administrator login successful - IP:*************
Sat, 2010-01-02 22:10:44 - UDP Packet - Source:77.229.97.224,3074 Destination:************* - [DOS]
Sat, 2010-01-02 22:15:44 - UDP Packet - Source:82.237.102.228,3074 Destination:*************- [DOS]
Sat, 2010-01-02 22:20:44 - UDP Packet - Source:207.134.184.29,3074 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:44 - UDP Packet - Source:88.17.189.60,3074 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - UDP Packet - Source:98.192.207.244,3074 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - UDP Packet - Source:75.159.216.203,3078 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - UDP Packet - Source:84.123.179.199,13101 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - UDP Packet - Source:82.13.160.190,19103 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - UDP Packet - Source:174.117.235.109,61537 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - UDP Packet - Source:87.220.30.133,3074 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - UDP Packet - Source:173.55.164.67,3074 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - UDP Packet - Source:81.100.83.233,55013 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - UDP Packet - Source:90.23.73.156,3081 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - Send E-mail Success!
Sun, 2010-01-03 01:40:48 - Send out NTP request to 158.43.192.66
Sun, 2010-01-03 01:40:48 - Receive NTP Reply from 158.43.192.66
-
Someone has probably visited a site where the IP address has been picked up, Baz. As we have static IPs, once they become known, we get attacks. The router log just shows the firewall at work.
-
or has someone just started using torrents?
-
Torrents as in what, Sam? Don't know enough about them :dunno:
-
Someone has probably visited a site where the IP address has been picked up, Baz. As we have static IPs, once they become known, we get attacks. The router log just shows the firewall at work.
Do you get the same IP address every time? If you reboot will you get a different one?
-
With IDNet, you keep the same IP address, Baz.
-
thanks Simon
-
Torrents as in what, Sam? Don't know enough about them :dunno:
says it all, just wondered if you or anyone else in your house was using them - could cause increased traffic like that.
-
Also, P2P applications like Limewire can cause it. :)
-
says it all, just wondered if you or anyone else in your house was using them - could cause increased traffic like that.
Well like I say Sam, as in what? I really don't know anything about torrents, that's why I asked, then I could ask the rest of the family if they have used them.
-
I think Sam was saying that if you don't know anything about torrents, it's unlikely that you would be using them, Baz, but basically, torrents are just another way to engage in file sharing on the internet, a bit like traditional P2P such as LimeWire, only with torrents, the files are 'split', and you are downloading from (and uploading to) many multiples of users at any one time, which, technically, makes the downloading faster. There are various BitTorrent 'clients' (programs), and possibly the most common is 'uTorrent', so if anyone has that on their PC, it's likely that they are engaging in torrent activity.
Despite most torrent activity being illegal, it could be argued that it's safer than traditional P2P, as you have more control over what files are being shared from your computer - usually, you are simultaneously uploading a copy of the file you are downloading at the time.
-
It would be useful to know what the destination port number was (not the IP address) if it's shown. In your source information it's shown after the comma in the source IP address info. As already said, doesn't look like anything to worry about, probably just someone thinks you're running a website (port 80) that they want to hinder access to (very sad!).
You could always do a port scan and check that you have no ports open, there are plenty of sites on the web you can use to do that.
Edit: If you are worried that someone may be getting in (unlikely) you can always use something like: http://www.snort.org/ on your PC('s).
-
The destination port number you ask about is the same in all the logs. Do you mean it's the one after the comma too in the destination address? Is it OK to post it here?
-
I don't think disclosing a port number would compromise your security, Baz. :)
-
It should just be a port number Baz, eg 80, but don't post the IP address, ie the 91.XXX.XXX.XXX.
-
the number was 3074
-
Think you'll find that's Xbox LIVE, Baz.
http://support.microsoft.com/kb/908874
-
yep does look like xbox live.
-
Is that strange, as we don't have an Xbox, or is something just looking?
-
Probably just probing, Baz.
-
Yep, just something looking. Kinda curious that the router picks that up as a DOS attack though .... that suggests it's happening rather frequently. Still, it looks innocent enough!
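-
Added example, not part of the original thread: a small Python script that tallies the [DOS] entries of a router log in the format posted above by source port and source address, which is the triage the replies do by eye when they pick out port 3074. The sample lines are constructed (documentation-range addresses, destination masked as in the posts), and the port label is taken from the Microsoft KB article linked in the thread.

```python
import re
from collections import Counter

# Constructed sample in the thread's log format; not the poster's real entries.
SAMPLE_LOG = """\
Sat, 2010-01-02 22:00:44 - UDP Packet - Source:192.0.2.10,3074 Destination:************* - [DOS]
Sat, 2010-01-02 22:05:44 - Administrator login successful - IP:*************
Sat, 2010-01-02 22:05:44 - UDP Packet - Source:198.51.100.7,3074 Destination:*************- [DOS]
Sat, 2010-01-02 22:25:45 - UDP Packet - Source:203.0.113.5,3078 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - UDP Packet - Source:203.0.113.9,3074 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - UDP Packet - Source:192.0.2.10,3074 Destination:************* - [DOS]
Sat, 2010-01-02 22:25:45 - Send E-mail Success!
"""

# Label from the thread: 3074 is the port the replies identify as Xbox LIVE.
KNOWN_PORTS = {3074: "Xbox LIVE"}

# Tolerates both "Destination:xxx - [DOS]" and "Destination:xxx- [DOS]",
# since the posted log contains both spacings.
ENTRY = re.compile(
    r"^\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} - "
    r"(?P<proto>\w+) Packet - "
    r"Source:(?P<ip>[\d.]+),(?P<port>\d+) "
    r"Destination:(?P<dst>\S+?)\s*- \[(?P<tag>\w+)\]$"
)

def summarize(log_text):
    """Tally [DOS]-tagged packet entries by source port and source address."""
    ports, sources, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m["tag"] != "DOS":
            skipped += 1  # logins, NTP and e-mail notices are not packet entries
            continue
        ports[int(m["port"])] += 1
        sources[m["ip"]] += 1
    return {
        "total": sum(ports.values()),
        "by_port": dict(ports),
        "distinct_sources": len(sources),
        "repeat_sources": sorted(ip for ip, n in sources.items() if n > 1),
        "skipped": skipped,
    }

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for port, count in sorted(result["by_port"].items(), key=lambda kv: -kv[1]):
        print(f"source port {port:>5} ({KNOWN_PORTS.get(port, 'unlabelled')}): {count}")
    print(f"{result['total']} entries from {result['distinct_sources']} addresses")
```

Many different addresses each appearing once or twice on the same port, as in the posted log, is a different picture from one address sending thousands of packets.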