
I seem to have a serious problem of being attacked and after looking up the attack source, 99% come from China, then Korea, Hong Kong etc. Here is a fraction of the report from my Router, which is a Cisco WRVS4400N router.

1   2014-01-06 14:53:32 CHAT GoogleTalk login attempt -2    173.194.73.125
2   2014-01-06 14:52:44 Possible DoS HGOD SynKiller Flooding    59.53.68.179
3   2014-01-06 14:45:17 CHAT GoogleTalk login attempt -2    74.125.137.125
4   2014-01-06 14:37:02 CHAT GoogleTalk login attempt -2    74.125.139.125
5   2014-01-06 14:36:31 Possible DoS HGOD SynKiller Flooding    202.109.143.95
6   2014-01-06 14:36:31 Possible DoS HGOD SynKiller Flooding    202.109.143.95
7   2014-01-06 13:49:46 CHAT QQ&TM Login attempt via TCP -1 74.125.134.138
8   2014-01-06 13:48:29 Possible DoS HGOD SynKiller Flooding    61.147.113.83
9   2014-01-06 13:09:48 Possible DoS HGOD SynKiller Flooding    184.164.71.144
10  2014-01-06 12:55:32 OVER_PING_LENGTH    192.168.17.100
11  2014-01-06 12:55:32 OVER_PING_LENGTH    192.168.17.100
12  2014-01-06 12:55:31 OVER_PING_LENGTH    192.168.17.100
13  2014-01-06 12:55:31 OVER_PING_LENGTH    192.168.17.100
14  2014-01-06 12:55:30 OVER_PING_LENGTH    192.168.17.100
15  2014-01-06 12:55:30 OVER_PING_LENGTH    192.168.17.100
16  2014-01-06 12:55:29 OVER_PING_LENGTH    192.168.17.100

And this is the graphic of when the attacks take place and how much data is transferred from my PC out there

[image: graph of attack times and data transferred from the PC]

Can anyone help me understand if blocking the ping response can alleviate this problem. It appears to me that they are breaking through everything I have set up in the router to prevent these hackers from accessing my PCs.

Or if anyone has alternative advice, it is welcome.

DK

DeKoss
  • The warnings about abnormal `ping` length are coming from your internal network. Your logs don't show any relationship between any ping problem and China, Korea or Hong Kong. Could you please include the logs which correspond with the title of this question? – dan Jan 06 '14 at 22:08
  • Is it safe to assume that '192.168.17.100' is really in the local network? Wouldn't DDoS attacks that are coming from a WAN source and employ local address spoofing put this address in the logs? I don't know whether the vulnerability described [here](http://tools.ietf.org/html/rfc2827) is already a thing of the past or not. – Kitet Feb 16 '14 at 18:06

3 Answers


Even if you could, disabling ping requests would do nothing; really, ping is just for testing purposes.

Apparently you're being somehow DDoS'd... I would suggest reading here.

The only 100% effective recommendation is for you (if you don't have a static IP) to reset your router and check whether the IP changed (it should if you have a dynamic IP). If it did, you're safe, unless the attackers have other ways to get your IP. If it didn't change, or you have a static IP, you should call your ISP and request that they change your IP address because you're being DDoS'd.

Edit: In answer to your comment on @Ajaxasaur's answer (I can't comment :/), you could install a firewall on your computer like COMODO Firewall (I believe it's free) and check all connections made from your computer, inbound and outbound.

SomeNickName

According to the Cisco documentation for your router, enable "Block WAN Request" in your basic firewall settings.

Blocking ping will not solve (all) your issues. What you want to ensure is that you don't have any externally facing services on your network. From what you posted, this is what you should also be looking at:

4 2014-01-06 14:37:02 CHAT GoogleTalk login attempt -2 74.125.139.125
5 2014-01-06 14:36:31 Possible DoS HGOD SynKiller Flooding 202.109.143.95
6 2014-01-06 14:36:31 Possible DoS HGOD SynKiller Flooding 202.109.143.95
7 2014-01-06 13:49:46 CHAT QQ&TM Login attempt via TCP -1 74.125.134.138
8 2014-01-06 13:48:29 Possible DoS HGOD SynKiller Flooding 61.147.113.83

Lines 5,6, and 8 show that you are being DoS'd via a SYN flood which would lead me to believe you may have a service running.

Lines 4 and 7 suggest a chat server is running or you're just being flooded with various attacks for no reason.

In addition to making sure you have no front-facing services, you may want to make sure that this is all inbound traffic and not outbound from your potentially infected machine.

Ajaxasaur
  • How can I attempt to discover the type of service which may be running, or the inbound versus outbound traffic? Is there any way to track that down? A few tips would be very helpful... – DeKoss Jan 06 '14 at 21:01
  • You can see what services you're running using this online tool: https://www.grc.com/x/ne.dll?bh0bkyd2 From there you'll see what ports you have open and possibly accepting incoming connections. The comment about internal vs. external connections is that I cannot be sure the log you posted is for incoming connections. You'll have to verify that yourself. – Ajaxasaur Jan 06 '14 at 21:13
  • Went to do a test of grc.com and it would appear that I did set everything correctly. They were not able to get past my router at all. Maybe that IPS report is not telling me that I have been broken into. It is probably saying that someone tried, but was not successful. If so, then great. – DeKoss Jan 08 '14 at 01:35

You have given us log extracts showing some unwelcome attention from the internet, and you ask how to block pings, but the pings are not coming from the internet: they're coming from a private network (192.168.x.x), which your router should be ignoring if it comes from outside.

symcbean
  • I do not understand this line "2014-01-06 12:55:32 OVER_PING_LENGTH 192.168.17.100". It is my Vonage adapter. What does that mean? Is someone using my phone to ping my PC? Please help me grasp this??? – DeKoss Jan 07 '14 at 19:29
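The split that dan and symcbean point out (the OVER_PING_LENGTH entries come from a private address, the SYN-flood and chat-login entries from public ones) can be made mechanically rather than by eye. The script below is an added example, not code from the original thread or from Cisco: it parses the WRVS4400N log layout quoted in the question (the sixteen sample lines are copied from the question and embedded as constructed input), marks each source address as private (RFC 1918, loopback, link-local) or public using Python's `ipaddress` module, and tallies events per side. The regular expression and the helper names (`parse_line`, `origin`, `triage`, `wan_sources`) are assumptions about the log format based only on the lines shown.

```python
"""Triage of a Cisco WRVS4400N IPS log extract (added example, not from the thread).

Each line in the router log quoted in the question has the layout
    <n> <date> <time> <event name> <source address>
The script separates entries whose source is a private address (inside the
LAN) from entries whose source is a public address (the internet), so that an
internal ping-length warning is not counted as an attack from abroad.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample input: the sixteen log lines quoted in the question.
SAMPLE_LOG = """\
1   2014-01-06 14:53:32 CHAT GoogleTalk login attempt -2    173.194.73.125
2   2014-01-06 14:52:44 Possible DoS HGOD SynKiller Flooding    59.53.68.179
3   2014-01-06 14:45:17 CHAT GoogleTalk login attempt -2    74.125.137.125
4   2014-01-06 14:37:02 CHAT GoogleTalk login attempt -2    74.125.139.125
5   2014-01-06 14:36:31 Possible DoS HGOD SynKiller Flooding    202.109.143.95
6   2014-01-06 14:36:31 Possible DoS HGOD SynKiller Flooding    202.109.143.95
7   2014-01-06 13:49:46 CHAT QQ&TM Login attempt via TCP -1 74.125.134.138
8   2014-01-06 13:48:29 Possible DoS HGOD SynKiller Flooding    61.147.113.83
9   2014-01-06 13:09:48 Possible DoS HGOD SynKiller Flooding    184.164.71.144
10  2014-01-06 12:55:32 OVER_PING_LENGTH    192.168.17.100
11  2014-01-06 12:55:32 OVER_PING_LENGTH    192.168.17.100
12  2014-01-06 12:55:31 OVER_PING_LENGTH    192.168.17.100
13  2014-01-06 12:55:31 OVER_PING_LENGTH    192.168.17.100
14  2014-01-06 12:55:30 OVER_PING_LENGTH    192.168.17.100
15  2014-01-06 12:55:30 OVER_PING_LENGTH    192.168.17.100
16  2014-01-06 12:55:29 OVER_PING_LENGTH    192.168.17.100
"""

# Assumed log layout: index, date, time, free-text event name, IPv4 source.
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>.+?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_line(line):
    """Return a dict for one log entry, or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:  # e.g. 999.1.1.1 slips through the loose regex
        return None
    return {"timestamp": f"{m['date']} {m['time']}", "event": m["event"], "src": src}


def origin(addr):
    """'lan' for RFC 1918 / loopback / link-local sources, otherwise 'wan'."""
    return "lan" if addr.is_private else "wan"


def triage(log_text):
    """Parse the log and count event names separately for LAN and WAN sources."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    counts = defaultdict(Counter)
    for e in entries:
        counts[origin(e["src"])][e["event"]] += 1
    return entries, counts


def wan_sources(entries, keyword):
    """Public source addresses of entries whose event name contains keyword."""
    return {
        str(e["src"])
        for e in entries
        if keyword in e["event"] and origin(e["src"]) == "wan"
    }


if __name__ == "__main__":
    entries, counts = triage(SAMPLE_LOG)
    for side in ("lan", "wan"):
        print(f"{side.upper()} sources:")
        for event, n in counts[side].most_common():
            print(f"  {n:3d}  {event}")
    print("SYN-flood sources to consider blocking:", sorted(wan_sources(entries, "DoS")))
```

Run against the quoted extract, the LAN side contains only the seven OVER_PING_LENGTH entries from 192.168.17.100, and every "Possible DoS" and chat-login entry sits on the WAN side; the `wan_sources` set is the list of public addresses a firewall rule would act on, while the LAN entry is something to look at on the device itself (the Vonage adapter mentioned in the comment), not at the router's WAN interface.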