
I'm wondering if these attacks are something to worry about, or just my router being a router.

[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:12:13
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:11:51
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:11:29
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:11:05
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:10:32
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:09:57
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:09:15
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:08:46
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:07:31
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:06:52
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:06:23
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:05:42
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:04:43
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:04:02
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:03:38
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:02:55
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:02:24
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:01:10
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:00:47
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:00:20
[Time synchronized with NTP server] Friday, May 06,2016 19:39:13
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 19:39:28
[DoS attack: STORM] attack packets in last 20 sec from ip [24.150.13.71], Friday, May 06,2016 18:29:19
[DoS attack: STORM] attack packets in last 20 sec from ip [24.150.13.71], Friday, May 06,2016 18:28:59

Generally I don't give it too much thought, but this has also been a bit shifty.

[Time synchronized with NTP server] Friday, May 06,2016 05:49:10
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 05:49:10
[Time synchronized with NTP server] Friday, May 06,2016 05:34:01
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 05:34:01
[Time synchronized with NTP server] Friday, May 06,2016 05:18:51
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 05:18:51
[Time synchronized with NTP server] Friday, May 06,2016 05:03:43
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 05:03:43
[Time synchronized with NTP server] Friday, May 06,2016 04:48:41
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 04:48:41
[Time synchronized with NTP server] Friday, May 06,2016 04:33:37
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 04:33:37
[Time synchronized with NTP server] Friday, May 06,2016 04:18:36
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 04:18:36
[Time synchronized with NTP server] Friday, May 06,2016 04:03:35
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 04:03:36
[Time synchronized with NTP server] Friday, May 06,2016 03:48:34
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 03:48:34
[Time synchronized with NTP server] Friday, May 06,2016 03:33:34
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 03:33:34
[Time synchronized with NTP server] Friday, May 06,2016 03:18:31
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 03:18:31
[Time synchronized with NTP server] Friday, May 06,2016 03:03:28
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 03:03:28
[Time synchronized with NTP server] Friday, May 06,2016 02:48:25
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 02:48:26
[Time synchronized with NTP server] Friday, May 06,2016 02:33:24
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 02:33:24
[Time synchronized with NTP server] Friday, May 06,2016 02:18:23
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 02:18:24
[Time synchronized with NTP server] Friday, May 06,2016 02:03:23
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 02:03:23
[Time synchronized with NTP server] Friday, May 06,2016 01:48:21
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 01:48:22
[Time synchronized with NTP server] Friday, May 06,2016 01:33:20
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 01:33:20
[Time synchronized with NTP server] Friday, May 06,2016 01:18:18
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 01:18:19
[Time synchronized with NTP server] Friday, May 06,2016 01:03:17

I did turn off the auto clock from my laptop, I'm the only user on this network. The whole thing just seems a bit bizarre. Any insight would be greatly appreciated.

Policks
    Where are you located? The IP 60.221.254.230 resolves to a China location. Depending on your location this would generally be assumed as a legitimate attack. If possible, can you renew your IP from your Service provider? It might be worth asking your ISP to also look into it for you. They should see the same traffic as you coming into your router. – Jeff Meigs May 07 '16 at 16:48
  • 1
    Lots of reasons for an attack. Without knowing the attacker it would be too hard to determine. Turn off your router, wait a few minutes and plug it back in. If your Service Provider is using DHCP, it should renew your IP address and unless some sort of dynamic DNS agent is involved it would be too hard to determine your new address. – Jeff Meigs May 07 '16 at 18:03
  • 1
    Generally I would say that the traffic is just bugged or something of that nature and is not a legit attack. But since the IP is originating from China my thoughts quickly turn to malicious intent, for the sole reason that you do not need any connection from China. – Jeff Meigs May 07 '16 at 18:06
  • @JeffMeigs you have the better part of an answer in your comments. It may be impossible to answer the question with certainty and giving next steps may be the best thing possible. – Neil Smithline May 07 '16 at 22:34
  • Why are you querying a time server every 15 minutes? ACK storm has nothing to do with NTP... ACK=TCP, NTP=UDP – dfc May 08 '16 at 05:15
  • Thanks so much for responding. I got in touch with my ISP and they were useless, passed me off to Netgear who was also useless. I restarted my router but it's all the same. I have a tech savvy ex in town, is there any way to protect/investigate this further? Not sure if worth noting; currently seeing an unidentified device with no ip address under attached devices. I only see its MAC address. Wifi is pw protected. – Policks May 09 '16 at 08:27

1 Answer


The "[DoS attack: STORM] attack packets in last 20 sec from ip [24.150.13.71]" is from your ISP (Cogeco Cable, Burlington, Ontario, Canada (CA)). The "[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230]" is a scan or "footprinting" from China. As far as the NTP goes, you might need to look up the IP of the NTP server to ensure it is a valid one. I used http://www.speedguide.net to resolve the IP and geo-locate. There are some vulnerabilities in some of the implementations of NTP, but I wouldn't jump to that because your system may be set to update every 15 min and I am unable to verify the NTP IP as it was not provided. If you would like to learn more about the IP traffic on your system, may I suggest a packet sniffer like Wireshark. It will give you more detail on the traffic to and from your system. All said and done, it looks like you got port scanned from China. The ISP is China Unicom Shanxi, City: Taiyuan, Region: Shanxi, Country: China. That happens all of the time.

Boink
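As an added illustration (not part of the question or of Boink's answer): a small Python parser for the Netgear-style log lines quoted above that counts events per source and measures the spacing between them, so the roughly 15-minute NTP/reconnect cadence and the burst-like ACK Scan entries separate out. The sample lines are copied from the question's own log excerpt; the `periodic_keys` helper and its 900-second default are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Sample lines taken from the log excerpt in the question (constructed subset).
SAMPLE_LOG = """\
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:12:13
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [60.221.254.230], Friday, May 06,2016 21:11:51
[DoS attack: STORM] attack packets in last 20 sec from ip [24.150.13.71], Friday, May 06,2016 18:29:19
[Time synchronized with NTP server] Friday, May 06,2016 05:49:10
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 05:49:10
[Time synchronized with NTP server] Friday, May 06,2016 05:34:01
[Internet connected] IP address: xx.xx.xx.x, Friday, May 06,2016 05:34:01
[Time synchronized with NTP server] Friday, May 06,2016 05:18:51
"""

LINE_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\]"                 # bracketed event name
    r"(?:.*?from ip \[(?P<src>[\d.]+)\])?"    # source IP, present only on DoS lines
    r".*?(?P<ts>\w+, \w+ \d{2},\d{4} \d{2}:\d{2}:\d{2})$"  # trailing timestamp
)

def parse_line(line):
    """Return (event, source_ip_or_None, datetime) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%A, %B %d,%Y %H:%M:%S")
    return m["event"], m["src"], ts

def summarize(text):
    """Group entries by (event, source) and compute count and median gap in seconds."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            event, src, ts = rec
            buckets[(event, src)].append(ts)
    out = {}
    for key, stamps in buckets.items():
        stamps.sort()  # the router lists newest first; order them chronologically
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        out[key] = {"count": len(stamps), "median_gap_s": median(gaps) if gaps else None}
    return out

def periodic_keys(summary, period_s=900, tol_s=60):
    """Keys whose median spacing is within tol_s of period_s (assumed 15-minute cadence)."""
    return sorted((k for k, v in summary.items()
                   if v["median_gap_s"] is not None
                   and abs(v["median_gap_s"] - period_s) <= tol_s), key=str)
```

Run `summarize(SAMPLE_LOG)` over a full export to see which sources repeat, how tightly, and which entries are clock-driven rather than traffic-driven.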