
I first noticed this yesterday in my logs - while I was configuring the router settings, so I don't know how long it's been going on. What should I do? I reconfigured my router with more secure settings, changed my password and it's still happening. So now I'm directly connected.

I was asleep at this time. The "authentication success" bit worries me; my logs are full of ACK flood attacks and packet scans.

Mar 15 15:37:34 Port Scan Attack Detect (ip=31.13.74.1) Packet Dropped
Mar 15 15:37:34 Per-source ACK Flood Attack Detect (ip=184.84.243.224) Packet Dropped
Mar 15 15:35:34 Whole System ACK Flood Attack from WAN Rule:Default deny
Mar 15 15:34:34 Per-source ACK Flood Attack Detect (ip=31.13.74.1) Packet Dropped
Mar 15 15:34:34 Whole System ACK Flood Attack from WAN Rule:Default deny
Mar 15 15:33:34 Per-source ACK Flood Attack Detect (ip=69.16.175.10) Packet Dropped
Mar 15 15:32:54 DHCP lease IP 192.x.x.x to John 0c-xx-xx-xx-xx-xx
Mar 15 15:32:53 Authentication Success 0c-xx-xx-xx-xx-xx
Mar 15 15:32:53 Authenticating...... 0c-8b-xx-xx-xx-xx
Mar 15 13:12:13 DHCP lease IP 192.x.x.x to NP-13C254012390 cc-6d-xx-xx-xx-xx
Mar 15 12:36:13 DHCP request success 192.x.x.x

I'd really appreciate any help.

Calisto
  • Have you tried blocking the IP address? – Marc Woodyard Mar 15 '15 at 21:39
  • Note that most of these "attacks" are simply minor occurrences presented in the most alarming language possible. – Mark Mar 16 '15 at 05:05
  • Ok, is it a minor occurrence that it's happening every day? As soon as I logged on today it started. They're also using UDP and ICMP flood attacks now as well. I don't know about blocking the IP, the IPs are almost always different. – Calisto Mar 17 '15 at 16:42

1 Answer


The Internet is a wild place; there are tons (as in, hundreds of thousands or even millions) of script-kiddie bots constantly scanning every single IP address looking for open ports they can connect to or unsecured servers they can exploit. This is most likely the kind of activity that you're seeing.

Fortunately, the vast majority of consumer routers can easily defend themselves against this stuff because they ship with a firewall that, by default, will block all incoming connections and only allow outgoing connections. It looks like yours does too, based on the WAN Rule:Default deny which shows up in the snippet you posted.

So basically, there's probably not much you can or need to do about it. But in general, to keep your router secure you should:

  • Verify that your router does not have any incoming ports open (which you can do using the GRC ShieldsUP! website "All Service Ports" scan)
  • Keep your router's firmware up to date by checking the manufacturer's website for updates
  • Make sure you change the default administration interface password to something more secure
  • If it's a wireless router, make sure the wireless is secured with WPA2-PSK and a strong key; also make sure WPS is disabled
  • If there is an option to enable remote administration, disable it.

As for the "Authentication Success" messages in your log, could it just be you logging in to the administrative interface to check the log?

tlng05
  • Thanks. I changed the settings like you recommended, that Shields Up site is great. Ever since I changed the settings, the attacker has been using different methods of attacking my router. Not only is he using 'ACK' flood attacks, but UDP, and ICMP flood attacks as well now. My wireless connection even went out for a few minutes during the attacks, though I'm unsure if the attacks were the direct cause of it. – Calisto Mar 17 '15 at 04:52
  • I might have to contact my ISP.. – Calisto Mar 17 '15 at 04:59
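
One way to apply the answer's reading of this log, as an added example that is not part of the original question or answer: it counts the packets the firewall already dropped separately from the "Authentication Success" lines, and lists any login whose MAC address is not on a list of your own devices. The log lines, IP addresses and MAC addresses are constructed in the format quoted in the question, and `triage` and `known_macs` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the question (IPs are from
# documentation ranges, MACs are made up; the page's own values are redacted).
SAMPLE_LOG = """\
Mar 15 15:37:34 Port Scan Attack Detect (ip=203.0.113.7) Packet Dropped
Mar 15 15:37:34 Per-source ACK Flood Attack Detect (ip=198.51.100.24) Packet Dropped
Mar 15 15:35:34 Whole System ACK Flood Attack from WAN Rule:Default deny
Mar 15 15:34:34 Per-source ACK Flood Attack Detect (ip=203.0.113.7) Packet Dropped
Mar 15 15:32:54 DHCP lease IP 192.168.1.20 to John 0c-8b-00-00-00-01
Mar 15 15:32:53 Authentication Success 0c-8b-00-00-00-01
Mar 15 15:32:53 Authenticating...... 0c-8b-00-00-00-01
Mar 15 03:10:02 Authentication Success 02-00-00-00-00-99
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<msg>.*)$")
DROPPED = re.compile(r"\(ip=(?P<ip>[\d.]+)\) Packet Dropped$")
AUTH_OK = re.compile(r"^Authentication Success (?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})$", re.I)
DHCP = re.compile(r"^DHCP lease IP (?P<ip>\S+) to (?P<host>\S+) (?P<mac>\S+)$")

def triage(log_text, known_macs):
    """Separate firewall noise (dropped WAN packets) from successful logins."""
    known = {m.lower() for m in known_macs}
    dropped = Counter()   # source IP -> packets the firewall already blocked
    hosts = {}            # MAC -> hostname seen in a DHCP lease line
    logins = []           # (timestamp, MAC) for each Authentication Success
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if (d := DROPPED.search(msg)):
            dropped[d["ip"]] += 1
        elif (a := AUTH_OK.match(msg)):
            logins.append((m["ts"], a["mac"].lower()))
        elif (lease := DHCP.match(msg)):
            hosts[lease["mac"].lower()] = lease["host"]
    unknown = [(ts, mac, hosts.get(mac, "?")) for ts, mac in logins if mac not in known]
    return {"dropped": dict(dropped), "logins": logins, "unknown_logins": unknown}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, known_macs={"0c-8b-00-00-00-01"})
    print("blocked at the WAN:", report["dropped"])
    print("logins from unlisted devices:", report["unknown_logins"])
```

Entries under `dropped` are traffic the default-deny rule already rejected; the entries worth following up are the ones in `unknown_logins`.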