Hammered by DoS attacks.



DeeK
10-04-2013, 08:00 AM
Hey guys,

I've been absolutely hammered by DoS attacks (RST Scan, IMAP Scan, FIN Scan, and ACK Scan have been the most common ones I've seen) over the past 3 weeks and I don't know what's left to do. HALP!

Almost daily I'm getting 99.99% packet loss courtesy of these attacks. They are flooding in at about 10 per second. And they are leaving between 10-1000 viruses, trojans, worms, etc on my computer each time, which I have to use about 12 different programs just to detect and remove them all.

I was on a static IP, but since these attacks I've swapped over to dynamic, and I refresh my IP consistently, but they still keep coming. So I assume it's not the fact they have my static IP address.

So next I figured it was something on my computers allowing them to keep targeting, but I've done fresh reformats twice. But of course they still keep coming, so I assume it's not something on my computers.

I've talked with shaw and they say nothing can be done on their end.

I've limited my internet use to try to narrow down which program/programs are the culprit of these attacks, but there is seeming to be no correlation.

As far as my home network goes, I'm not sure how I can make my simple home network more secure. I have a Netgear WNDR3700 router, with 2 computers directly wired, and on wireless 2 phones and a tablet; however, my wi-fi has been completely disabled since this started happening. Both computers are running firewalls, anti-virus, anti-spyware, and anti-malware programs.

Any ideas?

toor
10-04-2013, 08:11 AM
To narrow it down, I'd unplug router and modem, boot a laptop from a live CD (Knoppix, BackTrack, PC-BSD...) and plug it directly into the modem. When your modem syncs back up with Shaw, you should have a new IP and no attacks coming in. Add each piece of the puzzle until it starts back up.

It's possible that your router is infected with some naughty firmware or something simpler like DNS redirection. Is your Shaw modem something dumb like the SB5100, or does it have a built-in router?

If the attacks are still coming with the new IP/bootcd/no router setup, perhaps you're not the only/intended target? Do you have any packet captures of these attacks? Are the logfiles perhaps just showing you dropped traffic and this "DoS attack" is not really the cause of your slowdowns? Do you have a managed switch with mirror port or a dumb hub that you could use to monitor traffic?

Edit: DoS attacks don't just "leave" viruses and trojans on computers. You have bigger issues...

taemo
10-04-2013, 08:23 AM
Have you checked the 2 computers to see if they are infected?

Even if you say that they have a firewall, AV and anti-malware installed, they might have been compromised.
Leave those 2 PCs idle, check the system manager and see if there's any process that is using a high amount of CPU or memory.

Mibz
10-04-2013, 08:24 AM
This sounds more like random, sweeping probes than a targeted attack. Are you ACTUALLY losing connectivity/service from this or does your router just have a log full of "DoS attack: RST scan, dropped traffic"?

If the latter, your router is doing its job and you're experiencing exactly what everybody else on the internet does.

EDIT: Did you edit in that 2nd paragraph or did I just manage to miss it after a couple reads, haha?

toor
10-04-2013, 08:36 AM
Ten probes per second is a little beyond normal background scan noise but shouldn't really cripple the connection or router. It's possible that everything is infected and by "formatting" he's just playing whack-a-mole, or not actually erasing the drive, just "reinstalling", or putting WinXPsp0 back on everything one at a time...

[embedded YouTube video]

bart
10-04-2013, 09:06 AM
That router is a good one, nice and fast; it has built-in port scanning protection and a bunch of other stuff. Is that all on? I would just change your IP then, format and reinstall everything on your computers before you start with your new IP...

Seth1968
10-04-2013, 09:22 AM
Originally posted by toor
It's possible that your router is infected with some naughty firmware or something simpler like DNS redirection.

This.

Hard reset the router by holding in the reset button for 30 seconds while the router is on. The reset is a tiny button on the bottom or back of the router. It will restore the router to factory condition, but it will not restore the firmware. That's ok though, as most (if not all) router infections aren't from the firmware.

DeeK
10-04-2013, 09:24 AM
Originally posted by toor
To narrow it down, I'd unplug router and modem, boot a laptop from a live CD (Knoppix, BackTrack, PC-BSD...) and plug it directly into the modem. When your modem syncs back up with Shaw, you should have a new IP and no attacks coming in. Add each piece of the puzzle until it starts back up.

It's possible that your router is infected with some naughty firmware or something simpler like DNS redirection. Is your Shaw modem something dumb like the SB5100, or does it have a built-in router?

If the attacks are still coming with the new IP/bootcd/no router setup, perhaps you're not the only/intended target? Do you have any packet captures of these attacks? Are the logfiles perhaps just showing you dropped traffic and this "DoS attack" is not really the cause of your slowdowns? Do you have a managed switch with mirror port or a dumb hub that you could use to monitor traffic?

Edit: DoS attacks don't just "leave" viruses and trojans on computers. You have bigger issues...
I don't own a laptop, but I did just that with a clean formatted PC, plugging it directly into the Shaw modem itself. The modem is one of those newer DOCSIS 3.0 ones with the built-in router, on which I have the wifi router itself disabled. So it should be just a straightforward basic modem, as I use the Netgear router. I saw no obvious problems, but of course, with the Shaw modem itself I didn't have much available to monitor exactly what was going on, as I usually use my router to see what is going on. Do you have a recommendation for a network traffic monitoring program?

I noticed the attacks as soon as I plugged my router in, so I thought that my router was to blame, I flashed the firmware and re-installed it just to be safe.

I have no packet captures, and the router log files are just stating that I have DoS attacks, which normally I wouldn't question because, as Mibz pointed out, that's pretty much normal internet traffic nowadays. It's the intensity of DoS attacks in the router logs, spiking upwards of 10 per second, that is causing me worry, along with the extreme packet loss that coincides with the exact time the brunt of the DoS attacks are happening. And sorry, I don't have a switch or dumb hub; it's just a basic home network setup.

The fact that after the DoS attacks have been extreme I'm left with all that extra garbage leads me to believe that they are using the DoS attacks just to gain access. I'm not even sure if that makes sense.




Originally posted by taemo
Have you checked the 2 computers to see if they are infected?

Even if you say that they have a firewall, AV and anti-malware installed, they might have been compromised.
Leave those 2 PCs idle, check the system manager and see if there's any process that is using a high amount of CPU or memory.

So next I figured it was something on my computers allowing them to keep targeting, but I've done fresh reformats twice. But of course they still keep coming, so I assume it's not something on my computers.




Originally posted by Mibz
This sounds more like random, sweeping probes than a targeted attack. Are you ACTUALLY losing connectivity/service from this or does your router just have a log full of "DoS attack: RST scan, dropped traffic"?

If the latter, your router is doing its job and you're experiencing exactly what everybody else on the internet does.

My router has always had DoS attack logs, which is perfectly normal, but as of the past few weeks, the intensity of them has increased to where it's rendering my internet connection unusable. And as I mentioned before I'm being left with viruses/trojans/etc which leads me to believe that the DoS attacks are just an entry point.





Originally posted by toor
Ten probes per second is a little beyond normal background scan noise but shouldn't really cripple the connection or router. It's possible that everything is infected and by "formatting" he's just playing whack-a-mole, or not actually erasing the drive, just "reinstalling", or putting WinXPsp0 back on everything one at a time...

Well the drive is being fully erased, I can assure you of that. And then I'm installing programs one at a time, and checking for attacks.

DeeK
10-04-2013, 09:27 AM
Originally posted by bart
That router is a good one, nice and fast; it has built-in port scanning protection and a bunch of other stuff. Is that all on? I would just change your IP then, format and reinstall everything on your computers before you start with your new IP...

Yep, everything is on, and the IP address has been changed every few hours. I've been anal about this since this stuff started happening. On a new IP, with a freshly formatted computer, I'm still getting attacks.


Originally posted by Seth1968


This.

Hard reset the router by holding in the reset button for 30 seconds while the router is on. The reset is a tiny button on the bottom or back of the router. It will restore the router to factory condition, but it will not restore the firmware. That's ok though, as most (if not all) router infections aren't from the firmware.

I've flashed the firmware and re-installed it.

Seth1968
10-04-2013, 09:30 AM
Originally posted by DeeK


Yep, everything is on, and the IP address has been changed every few hours. I've been anal about this since this stuff started happening. On a new IP, with a freshly formatted computer, I'm still getting attacks.



I've flashed the firmware and re-installed it.

I may be wrong on this, but I don't think flashing the firmware will alter the DNS settings, and if the router is infected, it's likely through the DNS.

BTW- When you say you formatted the computer, what exact method did you use?

DeeK
10-04-2013, 09:33 AM
One thing that I failed to mention earlier, prior to the flashing of the firmware. I noticed that port 443 had been forwarded on 192.168.1.22 with the label "Dism". I don't even have a device on .22. Yet the log keeps showing this being accessed even with my wifi completely disabled.

I've since changed the login/password for the router just to cover the bases.

DeeK
10-04-2013, 09:37 AM
Originally posted by Seth1968


I may be wrong on this, but I don't think flashing the firmware will alter the DNS settings, and if the router is infected, it's likely through the DNS.

BTW- When you say you formatted the computer, what exact method did you use?

Using an old DOS boot disk:
"C:\>Format c:"

Just to be safe I delete the partition as well, and then recreate it.

Then re-install windows.

Seth1968
10-04-2013, 09:43 AM
Good call on deleting the partition.

You said that it was putting infections on the computer.

How did you determine there were infections on the computer?

DeeK
10-04-2013, 09:49 AM
Originally posted by Seth1968
Good call on deleting the partition.

You said that it was putting infections on the computer.

How did you determine there were infections on the computer?

Using the Windows Resource Manager I noted some unknown processes, followed by scans using a bunch of different programs, like AVG, Anti-Malware, Kaspersky & Kaspersky TDSSKiller for the rootkits. They all detect something different. I'm also noting a ton of harmful registry keys being created on my system by using CCleaner.

And of course I'm running each item through google doing a bit of research on it to see if it's a false positive before I completely remove it.

Seth1968
10-04-2013, 09:57 AM
Originally posted by DeeK


Using the Windows Resource Manager I noted some unknown processes, followed by scans using a bunch of different programs, like AVG, Anti-Malware, Kaspersky & Kaspersky TDSSKiller for the rootkits. They all detect something different. I'm also noting a ton of harmful registry keys being created on my system by using CCleaner.

That's what I was getting at. None of that means the computer is necessarily infected. I suspect that you're confusing real infections with false positives, and benign leftovers.

In addition, the registry keys that registry "cleaners" find are not infections. Those are general orphaned keys that cause no harm, and despite what you may have read, have little impact on system performance.

Unless there is a specific need to do so, no reputable computer tech (including myself lol) would recommend using a registry cleaner. They are basically snake oil programs that can (and often) cause damage.

toor
10-04-2013, 09:59 AM
https://www.wireshark.org/download.html for monitoring network traffic, but be aware that even on a "fresh" connection there will be plenty of noise. Not just random background scans but ARP, NetBIOS trash, DNS, Windows Updates, etc so don't get too excited unless you actually see something relevant.

Anyway it sounds like you may have some kind of infestation. The unfamiliar port 443 forward (possibly for "Deployment Image Servicing and Management") on the router is troublesome. Flashing the firmware and restoring to factory defaults should suffice. Of course, the firmware could be intercepted on an infected machine/router or modified on the fly by the existing firmware, but that's a pretty advanced level of paranoia, heh. I'm not familiar with the Shaw modem/router combo so not sure of the chances that it's infected, but I do know it can be put into "bridge" mode so you don't have a double-router/NAT situation.

toor
10-04-2013, 10:01 AM
So we've basically narrowed it down to something between "false positive" and "the NSA is in your house", nnnnnice! :D

Seth1968
10-04-2013, 10:05 AM
Originally posted by toor
So we've basically narrowed it down to something between "false positive" and "the NSA is in your house", nnnnnice! :D

Or a BIOS infection. lol

DeeK
10-04-2013, 10:06 AM
Originally posted by Seth1968


That's what I was getting at. None of that means the computer is necessarily infected. I suspect that you're confusing real infections with false positives, and benign leftovers.

In addition, the registry keys that registry "cleaners" find are not infections. Those are general orphaned keys that cause no harm, and despite what you may have read, have little impact on system performance.

Unless there is a specific need to do so, no reputable computer tech (including myself lol) would recommend using a registry cleaner. They are basically snake oil programs that can (and often) cause damage.

I agree that most of this stuff is potentially false positives, but not all of it.

And yes normally I would agree with you that the registry cleaners clean out tons of crap that causes no harm. However in this case, I can clean my computer so that nothing is left in the cleaner repeatedly, and then with no changes done by me to the software on my system, and after a series of these attacks suddenly hundreds of new keys are being created.

And yes, being a computer tech myself (but not a network tech by any means) I hate to use registry cleaners, but when I'm trying to narrow down a problem I'll use any technique to see potential harmful information, then decide whether or not it is actually harmful or not.

DeeK
10-04-2013, 10:07 AM
Originally posted by toor
So we've basically narrowed it down to something between "false positive" and "the NSA is in your house", nnnnnice! :D

Yep, I'm at a complete loss, I've never seen anything quite like this. I'm about to side with your YouTube suggestion.

toor
10-04-2013, 10:08 AM
I am so aroused right now...

DeeK
10-04-2013, 10:08 AM
Originally posted by Seth1968


Or a BIOS infection. lol

One step ahead of you, flashed the bios too :rofl:

toor
10-04-2013, 10:10 AM
Originally posted by DeeK
One step ahead of you, flashed the bios too :rofl:

Where did you get them? Verify the hashes with the manufacturer? Where did you get the flashing utility? TRUST NO ONE!

Seriously though, post some logs/screenshots/error messages so we have something to go on.

DeeK
10-04-2013, 10:13 AM
Originally posted by toor


Where did you get them? Verify the hashes with the manufacturer? Where did you get the flashing utility? TRUST NO ONE!

Seriously though, post some logs/screenshots/error messages so we have something to go on.

I got them directly from the manufacturer's website.

And I'll post them when I get them. It's been quiet so far (a little too quiet....) I'm just going over everything I've covered so far, hoping that if I put my head together with other techs, we might have figured out something that I missed, or haven't done.

toor
10-04-2013, 10:15 AM
Originally posted by DeeK
I got them directly from the manufacturer's website.

Downloaded through your infected router onto your infected computer? :P

Seth1968
10-04-2013, 10:16 AM
Originally posted by DeeK


One step ahead of you, flashed the bios too :rofl:

Damn. Then maybe it is the NSA?

So, it's concluded it's not a bios infection, and you've formatted the drive. That doesn't leave anything other than the router.

Seth1968
10-04-2013, 10:18 AM
Originally posted by toor


Downloaded through your infected router onto your infected computer? :P

Or infected torrent install media?

DeeK
10-04-2013, 10:20 AM
Originally posted by toor


Downloaded through your infected router onto your infected computer? :P

YES!

But after I flashed the router and formatted the computer. lol. I don't have any other way to do it.

Risk level: Challenge accepted


Originally posted by Seth1968


Damn. Then maybe it is the NSA?

So, it's concluded it's not a bios infection, and you've formatted the drive. That doesn't leave anything other than the router.

Well, if we can't narrow this down, I'll kick the router over to DD-WRT and try entirely new firmware? I guess that's an option. And failing that, I'll buy a new router.

Seth1968
10-04-2013, 10:26 AM
So you're sure the install disk is "clean"?

I just asked in case you got it from a Torrent that may be infected.

DeeK
10-04-2013, 10:28 AM
Originally posted by Seth1968
So you're sure the install disk is "clean"?

I just asked in case you got it from a Torrent that may be infected.

The windows install disk? yes, it's a genuine microsoft windows 7 OEM disk.

And for the record, I rarely use torrent sites and when I do everything is thoroughly scanned. Usually just to download the latest episode of a show that I've missed cause I'm too ghetto for PVR. :(

Also FYI, at first I thought I was just being overly paranoid and anal. But after your suggestions guys, I'm almost literally ROFL.

DeeK
10-04-2013, 10:42 AM
Oooo... Still quiet by comparison, but just now:

[DoS Attack: RST Scan] from source: 5.109.74.191, port 62685, Friday, October 04,2013 08:34:28
[DoS Attack: RST Scan] from source: 5.109.74.191, port 62683, Friday, October 04,2013 08:34:28
[DoS Attack: RST Scan] from source: 5.109.74.191, port 62685, Friday, October 04,2013 08:34:09
[DoS Attack: RST Scan] from source: 5.109.74.191, port 62683, Friday, October 04,2013 08:34:09

Seth1968
10-04-2013, 10:49 AM
Originally posted by DeeK

Also FYI, at first I thought I was just being overly paranoid and anal. But after your suggestions guys, I'm almost literally ROFL.

Damn straight. Ya' gotta cover every possibility no matter how slim, although the chances of an infection being in an operating system torrent are slim to none.

Seth1968
10-04-2013, 10:52 AM
5.109.74.191 WTH?

I'm thinking the source is extraterrestrial.

DeeK
10-04-2013, 10:58 AM
5.109.74.19 = Saudi Arabia, so yes, Extraterrestrial.

I normally get a DoS attack here or there with a random IP, but 4 in a row from the same one is in line with what I've been dealing with, even though this was quiet and small by comparison.

These DoS attacks have bounced off 152 countries and counting so far. ALWAYS off the big telecom hub or largest university of the country.

Seth1968
10-04-2013, 11:14 AM
Originally posted by DeeK
5.109.74.19 = Saudi Arabia, so yes, Extraterrestrial.


North Saudi Arabia

Omg IT IS the NSA :rofl:

DeeK
10-04-2013, 11:21 AM
Originally posted by Seth1968


North Saudi Arabia

Omg IT IS the NSA :rofl:

Oh fiddlesticks. :rofl:

Should I be concerned about unmanned drones? I don't know if my network can block a drone attack.

toor
10-04-2013, 11:44 AM
Those aren't DoS attacks, just routine portscan. If you're not brown and bearded, you probably have nothing to worry about, maybe.

e31
10-04-2013, 03:09 PM
If you are "formatting" and "deleting partitions" using an old dos boot disk, you're likely not performing the task completely.

Your hard drive's MBR could also be compromised, leaving the infected sectors untouched by anything you could possibly have performed until now.

DeeK
10-05-2013, 03:16 AM
Originally posted by e31
If you are "formatting" and "deleting partitions" using an old dos boot disk, you're likely not performing the task completely.

Your hard drive's MBR could also be compromised, leaving the infected sectors untouched by anything you could possibly have performed until now.

In this case I disagree; good old DOS did a far more thorough job than Windows format ever does, especially with the multiple partitions that Windows now runs.

codetrap
10-05-2013, 09:08 AM
Just out of curiosity, where are you testing for your packet loss? From the PC to the gateway (router)? Or the PC to somewhere in the internet like 8.8.8.8.

Also, limit your variables. Turn off everything else except the one PC. Use a cable, not wireless.

As far as the internet scans go? That happens. Lots. I finally turned off the logging for that crap because it was just filling up all the time. My SFTP server gets attacked by scripts probably 5 times a day.. which is why I have scripts that auto-ban them immediately. Means nothing... just noise.

DeeK
10-06-2013, 07:29 PM
Originally posted by codetrap
Just out of curiosity, where are you testing for your packet loss? From the PC to the gateway (router)? Or the PC to somewhere in the internet like 8.8.8.8.

Also, limit your variables. Turn off everything else except the one PC. Use a cable, not wireless.

As far as the internet scans go? That happens. Lots. I finally turned off the logging for that crap because it was just filling up all the time. My SFTP server gets attacked by scripts probably 5 times a day.. which is why I have scripts that auto-ban them immediately. Means nothing... just noise.

So for everyone that didn't read the first post (not just codetrap) although thanks for the help.

To reiterate:
The packet loss is coming from any and all servers I connect myself to, therefore it is my network being prevented from working properly.

I have just a single computer connected via wired connection, with a fresh install.

Yes, I know that DoS scans are a normal part of being connected to the internet, and my problem is that my network shuts down when I get a ridiculous number of them every second. Also, the same location sending multiple DoS attacks to my network in a short time frame is also suspicious, as it is no longer just a port scan, but repeated access attempts.

Again, Thanks.

On a side note, now that I am back in town (I was gone for the weekend) I have narrowed it down to likely a hacked Skype account (as Skype is easy to hack, and my girlfriend's Skype passwords and MSN passwords have been changed by someone else) that left something in my network that allows them to trace somehow. I don't know how, considering the router has been flashed, the BIOS has been flashed and the hard drives have been reformatted, so I'm at a loss there.

DeeK
10-09-2013, 08:45 PM
Router logs from this morning, this is a fair amount compared to the norm:

[DoS Attack: RST Scan] from source: 85.164.108.237, port 26063, Wednesday, October 09,2013 11:13:20
[LAN access from remote] from 178.78.100.92:54764 to 192.168.1.7:45622, Wednesday, October 09,2013 10:49:14
[DHCP IP: 192.168.1.2] to MAC address 20:64:32:c4:76:70, Wednesday, October 09,2013 10:48:51
[WLAN access rejected: incorrect security] from MAC address 20:64:32:c4:76:70, Wednesday, October 09,2013 10:46:28
[LAN access from remote] from 178.78.100.92:54764 to 192.168.1.7:45622, Wednesday, October 09,2013 10:38:46
[DoS Attack: RST Scan] from source: 85.164.108.237, port 17017, Wednesday, October 09,2013 10:30:34
[LAN access from remote] from 178.78.100.92:54764 to 192.168.1.7:45622, Wednesday, October 09,2013 10:28:26
[DoS Attack: RST Scan] from source: 27.32.234.172, port 57929, Wednesday, October 09,2013 10:28:12
[DoS Attack: RST Scan] from source: 50.159.69.38, port 58468, Wednesday, October 09,2013 10:24:00
[DoS Attack: RST Scan] from source: 85.164.108.237, port 15230, Wednesday, October 09,2013 10:22:31
[LAN access from remote] from 178.78.100.92:54764 to 192.168.1.7:45622, Wednesday, October 09,2013 10:17:54
[LAN access from remote] from 72.188.207.225:36487 to 192.168.1.7:45622, Wednesday, October 09,2013 10:15:39
[DoS Attack: RST Scan] from source: 178.140.155.175, port 16060, Wednesday, October 09,2013 10:14:01
[DoS Attack: RST Scan] from source: 186.205.196.75, port 53048, Wednesday, October 09,2013 10:13:54
[DoS Attack: RST Scan] from source: 182.185.230.157, port 24076, Wednesday, October 09,2013 10:10:15
[LAN access from remote] from 178.78.100.92:54764 to 192.168.1.7:45622, Wednesday, October 09,2013 10:07:30
[DoS Attack: RST Scan] from source: 186.205.196.75, port 52151, Wednesday, October 09,2013 10:07:02
[DoS Attack: RST Scan] from source: 190.190.53.184, port 62044, Wednesday, October 09,2013 10:06:41
[DoS Attack: RST Scan] from source: 79.166.97.8, port 49325, Wednesday, October 09,2013 10:06:22
[DoS Attack: RST Scan] from source: 88.89.178.174, port 17015, Wednesday, October 09,2013 10:06:20
[DoS Attack: RST Scan] from source: 182.185.230.157, port 23480, Wednesday, October 09,2013 10:05:28
[DoS Attack: RST Scan] from source: 139.194.215.146, port 62743, Wednesday, October 09,2013 10:04:59
[DoS Attack: RST Scan] from source: 182.185.230.157, port 23194, Wednesday, October 09,2013 10:03:44
[DoS Attack: RST Scan] from source: 190.190.53.184, port 61798, Wednesday, October 09,2013 10:02:09
[DoS Attack: RST Scan] from source: 190.190.53.184, port 61652, Wednesday, October 09,2013 10:00:25
[DoS Attack: RST Scan] from source: 85.164.108.237, port 10260, Wednesday, October 09,2013 09:59:48
[DoS Attack: RST Scan] from source: 86.130.214.134, port 44996, Wednesday, October 09,2013 09:59:21
[DoS Attack: RST Scan] from source: 83.109.89.152, port 10883, Wednesday, October 09,2013 09:58:44
[DoS Attack: RST Scan] from source: 86.130.214.134, port 44764, Wednesday, October 09,2013 09:58:43
[DoS Attack: RST Scan] from source: 83.109.89.152, port 10883, Wednesday, October 09,2013 09:58:41
[DoS Attack: RST Scan] from source: 88.89.178.174, port 15114, Wednesday, October 09,2013 09:55:57
[DoS Attack: RST Scan] from source: 75.182.91.118, port 51897, Wednesday, October 09,2013 09:55:38
[DoS Attack: RST Scan] from source: 85.164.108.237, port 29257, Wednesday, October 09,2013 09:55:09
[LAN access from remote] from 178.78.100.92:54764 to 192.168.1.7:45622, Wednesday, October 09,2013 09:55:07
[DoS Attack: RST Scan] from source: 88.88.236.162, port 17628, Wednesday, October 09,2013 09:54:01
[DoS Attack: RST Scan] from source: 91.74.119.150, port 51532, Wednesday, October 09,2013 09:53:49
[DoS Attack: RST Scan] from source: 85.164.108.237, port 28948, Wednesday, October 09,2013 09:53:31
[DoS Attack: RST Scan] from source: 178.140.155.175, port 11348, Wednesday, October 09,2013 09:52:26
[DoS Attack: RST Scan] from source: 46.109.19.51, port 59231, Wednesday, October 09,2013 09:52:08
[DoS Attack: RST Scan] from source: 31.25.18.180, port 45849, Wednesday, October 09,2013 09:51:48
[DoS Attack: RST Scan] from source: 88.89.178.174, port 14574, Wednesday, October 09,2013 09:51:12
[DoS Attack: RST Scan] from source: 75.182.91.118, port 50968, Wednesday, October 09,2013 09:50:53
[DoS Attack: RST Scan] from source: 79.166.97.8, port 63966, Wednesday, October 09,2013 09:50:30
[DoS Attack: RST Scan] from source: 81.218.179.9, port 30095, Wednesday, October 09,2013 09:50:22
[DoS Attack: RST Scan] from source: 195.240.199.39, port 24744, Wednesday, October 09,2013 09:49:41
[DoS Attack: RST Scan] from source: 84.215.20.133, port 12542, Wednesday, October 09,2013 09:49:20
[DoS Attack: RST Scan] from source: 123.200.2.34, port 51503, Wednesday, October 09,2013 09:49:18
[DoS Attack: RST Scan] from source: 75.182.91.118, port 50619, Wednesday, October 09,2013 09:49:07
[DHCP IP: 192.168.1.2] to MAC address 20:64:32:c4:76:70, Wednesday, October 09,2013 09:48:29
[DoS Attack: RST Scan] from source: 83.87.255.46, port 51312, Wednesday, October 09,2013 09:47:34
[DoS Attack: RST Scan] from source: 91.74.119.150, port 50692, Wednesday, October 09,2013 09:46:41
[WLAN access rejected: incorrect security] from MAC address 20:64:32:c4:76:70, Wednesday, October 09,2013 09:46:28
[DoS Attack: RST Scan] from source: 88.88.236.162, port 15787, Wednesday, October 09,2013 09:46:19
[DHCP IP: 192.168.1.100] to MAC address 48:5b:39:23:b1:a3, Wednesday, October 09,2013 09:45:59
[DoS Attack: RST Scan] from source: 81.218.179.9, port 28667, Wednesday, October 09,2013 09:45:40
[DoS Attack: RST Scan] from source: 79.166.97.8, port 63497, Wednesday, October 09,2013 09:45:08
[DoS Attack: RST Scan] from source: 91.74.119.150, port 50497, Wednesday, October 09,2013 09:45:01
[LAN access from remote] from 178.78.100.92:54764 to 192.168.1.7:45622, Wednesday, October 09,2013 09:44:31
[DoS Attack: RST Scan] from source: 81.218.179.9, port 28123, Wednesday, October 09,2013 09:44:14
[DoS Attack: RST Scan] from source: 79.166.97.8, port 63317, Wednesday, October 09,2013 09:43:18
[DoS Attack: RST Scan] from source: 88.89.178.174, port 12939, Wednesday, October 09,2013 09:42:04
[DoS Attack: RST Scan] from source: 83.87.255.46, port 50745, Wednesday, October 09,2013 09:41:09
[DoS Attack: RST Scan] from source: 46.109.19.51, port 58243, Wednesday, October 09,2013 09:40:08
[DoS Attack: RST Scan] from source: 83.87.255.46, port 50599, Wednesday, October 09,2013 09:39:29
[DoS Attack: RST Scan] from source: 85.164.108.237, port 25883, Wednesday, October 09,2013 09:39:09
[DoS Attack: RST Scan] from source: 85.245.176.157, port 10628, Wednesday, October 09,2013 09:38:50
[DoS Attack: RST Scan] from source: 86.130.214.134, port 42379, Wednesday, October 09,2013 09:38:24
[DoS Attack: RST Scan] from source: 178.140.155.175, port 28281, Wednesday, October 09,2013 09:38:10
[DoS Attack: RST Scan] from source: 82.169.103.238, port 15854, Wednesday, October 09,2013 09:37:28
[DoS Attack: RST Scan] from source: 80.213.127.158, port 22067, Wednesday, October 09,2013 09:36:47
[DHCP IP: 192.168.1.2] to MAC address 20:64:32:c4:76:70, Wednesday, October 09,2013 09:36:26
[DoS Attack: RST Scan] from source: 81.218.179.9, port 24693, Wednesday, October 09,2013 09:36:12
[DoS Attack: RST Scan] from source: 195.240.199.39, port 21909, Wednesday, October 09,2013 09:36:05
[DoS Attack: RST Scan] from source: 180.181.122.63, port 63576, Wednesday, October 09,2013 09:35:30
[DoS Attack: RST Scan] from source: 86.130.214.134, port 41883, Wednesday, October 09,2013 09:34:25
[LAN access from remote] from 178.78.100.92:54764 to 192.168.1.7:45622, Wednesday, October 09,2013 09:34:14
[DoS Attack: RST Scan] from source: 195.240.199.39, port 21447, Wednesday, October 09,2013 09:33:48
[DoS Attack: RST Scan] from source: 86.130.214.134, port 41563, Wednesday, October 09,2013 09:33:39
[DoS Attack: RST Scan] from source: 178.140.155.175, port 27196, Wednesday, October 09,2013 09:33:10
[DoS Attack: RST Scan] from source: 85.164.108.237, port 24623, Wednesday, October 09,2013 09:32:27
[DoS Attack: RST Scan] from source: 85.165.53.49, port 18754, Wednesday, October 09,2013 09:32:18
[DoS Attack: RST Scan] from source: 85.245.176.157, port 29255, Wednesday, October 09,2013 09:32:10
[DoS Attack: RST Scan] from source: 178.140.155.175, port 26793, Wednesday, October 09,2013 09:31:18
[DoS Attack: RST Scan] from source: 31.25.18.180, port 52732, Wednesday, October 09,2013 09:31:12
[DoS Attack: RST Scan] from source: 82.169.103.238, port 14073, Wednesday, October 09,2013 09:30:37
[DoS Attack: RST Scan] from source: 80.213.127.158, port 21571, Wednesday, October 09,2013 09:30:02
[DoS Attack: RST Scan] from source: 85.164.108.237, port 24098, Wednesday, October 09,2013 09:29:31
[DoS Attack: RST Scan] from source: 213.114.121.174, port 22278, Wednesday, October 09,2013 09:29:16
[DoS Attack: RST Scan] from source: 31.25.18.180, port 58867, Wednesday, October 09,2013 09:29:05

toor
10-09-2013, 08:51 PM
Is there anything at 192.168.1.7 and does it have something listening on port 45622? Have you disabled UPnP on the router and changed the admin password?

DeeK
10-10-2013, 12:55 AM
Originally posted by toor
Is there anything at 192.168.1.7 and does it have something listening on port 45622? Have you disabled UPnP on the router and changed the admin password?

There was nothing on 192.168.1.7; I changed the router password the day before. I've since changed it again. There was also something accessing 192.168.1.2. I have wifi off, and only one computer is wired (192.168.1.100). How can something be accessing my router that is NOT wired directly to my router if my wifi is disabled?!

Mind Blown. :dunno:

I've also disabled UPnP temporarily.

I'm used to getting 50+ DoS Attack scans per day, that's not a big deal, but 50 per hour is really stepping it up and this wasn't even a severe attack, my network didn't even hiccup compared to the ones that have been shutting down my network entirely.
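The router log pasted above has a fixed line shape, so the questions toor asked (is anything at 192.168.1.7, why is a MAC getting a lease with wifi off, which sources repeat rather than probe once) can be answered mechanically. The script below is an added example and not anything posted in the thread: it parses lines in that Netgear format, counts scan entries per source, flags a source that repeats within an hour (one probe each from many IPs is noise; repeats from one IP are not), lists "LAN access from remote" entries whose destination is not a known host, and cross-references WLAN rejections against DHCP leases. The known-host set (only the wired PC at 192.168.1.100), the one-hour window and the repeat threshold are assumptions, and the sample lines are a constructed subset in the router's own format.

```python
"""Triage of Netgear-style router log lines in the format pasted in this thread:
scan noise per source, bursts from one source, inbound forwards to hosts that
should not exist, and a MAC rejected by the WLAN that still gets a DHCP lease."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ten lines in the router's own format.
SAMPLE_LOG = """\
[DoS Attack: RST Scan] from source: 85.164.108.237, port 26063, Wednesday, October 09,2013 11:13:20
[LAN access from remote] from 178.78.100.92:54764 to 192.168.1.7:45622, Wednesday, October 09,2013 10:49:14
[DHCP IP: 192.168.1.2] to MAC address 20:64:32:c4:76:70, Wednesday, October 09,2013 10:48:51
[WLAN access rejected: incorrect security] from MAC address 20:64:32:c4:76:70, Wednesday, October 09,2013 10:46:28
[LAN access from remote] from 178.78.100.92:54764 to 192.168.1.7:45622, Wednesday, October 09,2013 10:38:46
[DoS Attack: RST Scan] from source: 85.164.108.237, port 17017, Wednesday, October 09,2013 10:30:34
[DoS Attack: RST Scan] from source: 27.32.234.172, port 57929, Wednesday, October 09,2013 10:28:12
[DoS Attack: RST Scan] from source: 85.164.108.237, port 15230, Wednesday, October 09,2013 10:22:31
[LAN access from remote] from 72.188.207.225:36487 to 192.168.1.7:45622, Wednesday, October 09,2013 10:15:39
[DHCP IP: 192.168.1.100] to MAC address 48:5b:39:23:b1:a3, Wednesday, October 09,2013 09:45:59
"""

# Assumption: the only host that is supposed to be on the LAN is the wired PC.
KNOWN_HOSTS = {"192.168.1.100"}

LINE_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\] (?P<body>.*), "
    r"(?P<ts>[A-Za-z]+, [A-Za-z]+ \d{2},\d{4} \d{2}:\d{2}:\d{2})$")
TS_FMT = "%A, %B %d,%Y %H:%M:%S"          # the router writes "October 09,2013"
SCAN_RE = re.compile(r"from source: (?P<src>[\d.]+), port (?P<sport>\d+)")
INBOUND_RE = re.compile(r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)")
MAC_RE = re.compile(r"MAC address (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})")
DHCP_RE = re.compile(r"^DHCP IP: (?P<ip>[\d.]+)$")


def parse_log(text):
    """Parse log lines into dicts (event, body, ts), oldest first.
    Lines that do not match the expected shape are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"event": m.group("event"), "body": m.group("body"),
                           "ts": datetime.strptime(m.group("ts"), TS_FMT)})
    return sorted(events, key=lambda e: e["ts"])


def scan_times(events):
    """Source IP -> sorted timestamps of '[DoS Attack: ...]' entries."""
    per_src = defaultdict(list)
    for e in events:
        m = SCAN_RE.search(e["body"]) if e["event"].startswith("DoS Attack") else None
        if m:
            per_src[m.group("src")].append(e["ts"])
    return {src: sorted(ts) for src, ts in per_src.items()}


def burst_sources(events, window=timedelta(hours=1), threshold=3):
    """Sources with at least `threshold` scan entries inside any sliding `window`.
    Single probes from many addresses are background noise; repeats are not."""
    flagged = set()
    for src, times in scan_times(events).items():
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1                      # slide the window start forward
            if hi - lo + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def unexpected_inbound(events, known_hosts=KNOWN_HOSTS):
    """'LAN access from remote' entries whose destination is not a known host.
    These are forwards the router let in; with UPnP enabled a LAN device can
    create such a mapping without the owner noticing, so each one needs an owner."""
    hits = []
    for e in events:
        if e["event"] == "LAN access from remote":
            m = INBOUND_RE.search(e["body"])
            if m and m.group("dst") not in known_hosts:
                hits.append((e["ts"], m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


def dhcp_leases(events):
    """MAC -> set of LAN IPs the router's DHCP server handed out."""
    leases = defaultdict(set)
    for e in events:
        ip, mac = DHCP_RE.match(e["event"]), MAC_RE.search(e["body"])
        if ip and mac:
            leases[mac.group("mac")].add(ip.group("ip"))
    return dict(leases)


def wlan_reject_then_lease(events):
    """MACs rejected by the WLAN that nonetheless obtained a DHCP lease:
    a radio believed to be off is evidently still talking to clients."""
    rejected = set()
    for e in events:
        mac = MAC_RE.search(e["body"]) if e["event"].startswith("WLAN access rejected") else None
        if mac:
            rejected.add(mac.group("mac"))
    return rejected & set(dhcp_leases(events))
```

Run it over the full dump with `parse_log(open("router.log").read())`; the interesting output is not the scan counter but the inbound list and the WLAN/DHCP intersection.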

googe
10-10-2013, 01:27 PM
Originally posted by DeeK

I've been absolutely hammered by DoS attacks (RST Scan, IMAP Scan, FIN Scan, and ACK Scan have been the most common ones I've seen) over the past 3 weeks and I don't know what's left to do. HALP!

Almost daily I'm getting 99.99% packet loss courtesy of these attacks. They are flooding in at about 10 per second. And they are leaving between 10-1000 viruses, trojans, worms, etc on my computer each time, which I have to use about 12 different programs just to detect and remove them all.


Nothing about this makes sense. You're completely fine. If it's an external DoS attack that is bad enough to disrupt your traffic, you can't do anything. It has nothing to do with any kind of infection inside your network. A scan can't leave any viruses. And there is nothing "easy to hack" about Skype, other than that stealing someone's password makes anything easy to "hack". It's not an issue with Skype itself.

It's probably not even an attack, but a P2P application with too many peers and a shitty router that can't handle the connections.

Edit: It's entirely possible that there is some other, unrelated infection, but it doesn't make sense that the scans themselves are leaving malware.

DeeK
10-10-2013, 07:19 PM
Exactly my point, none of this makes any sense! :banghead:

I will be changing the router within a few months. This WNDR3700 was great at the time, but I'm starting to dislike it more and more. And the new policies and customer service that Netgear has added over the past couple of years have pushed me away from ever buying a Netgear product again.