DDOS attack on my network?

2

For the past 4 weeks, I have noticed that my router and modem lights blink continuously:

Router and modem lights blink continuously

The router is a Linksys WRT160NL running DD-WRT v24-sp2 (07/20/12) std and the modem is a Cisco DPC3825. The modem is capable of routing as well but I turned that off so it is in bridge mode.

I also have two linux servers in my network. One is running Asterisk and the other is a web server.

Initially, the asterisk server was in the DMZ, but I took it out because of the suspicious traffic. Instead, I forwarded a bunch of ports to the Asterisk server and port 80 to the web server. After this, I started noticing a bunch of errors in the web server logs:

192.168.1.1 - - [05/Mar/2013:12:49:10 -0500] "GET /wpad.dat HTTP/1.1" 499 0 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:49:11 -0500] "GET /wpad.dat HTTP/1.1" 499 0 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:49:11 -0500] "GET /wpad.dat HTTP/1.1" 499 0 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:49:12 -0500] "GET /wpad.dat HTTP/1.1" 499 0 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:23 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:33 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:38 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:40 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:42 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"
192.168.1.1 - - [05/Mar/2013:12:50:44 -0500] "GET /wpad.dat HTTP/1.1" 504 183 "-" "-"

Note: 192.168.1.1 is my router's IP in this case (not the real one, but you get the idea).

To verify my suspicion, I turned off port forwarding to the web server (port 80), and the error logs stopped. So, I concluded the traffic was coming from outside my network.

EDIT: I disconnected EVERYTHING except the modem and router, and yet the lights are still blinking. They only stop if I disconnect the cable from router to modem.

Any ideas how I can determine the source of the traffic and hopefully stop it?

EDIT2: I managed to enable firewall logs and got thousands of dropped packets from the same IP:

2013-03-05T15:21:30-05:00 my.local.domain.com kernel: [1403284.570000] DROP IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=68.71.197.69 DST=xx.xx.xx.xx LEN=200 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=12882 DPT=4032 LEN=180

Alfero Chingono

Posted 2013-03-05T18:44:25.677

Reputation: 275
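To make sense of the firewall log that EDIT2 refers to, here is an added example (not code from the question or from DD-WRT) that parses DD-WRT's kernel/iptables LOG lines, counts dropped packets per source, and emits the iptables lines a DD-WRT custom firewall script would use to blackhole one noisy source, as rfelsburg's comment suggests. The sample lines are constructed from the page's log format; the second source address 198.51.100.7 and the 100-hit threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# DD-WRT's kernel/iptables LOG lines (the page's "DROP IN=eth1 ... DPT=4032"
# entries): a verdict word after the kernel timestamp, then key=value pairs.
VERDICT_RE = re.compile(r"kernel: \[[\d.]+\] (\w+) ")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF carry no "="

# Line layout copied from the page; sample lines built from it below are constructed
# (68.71.197.69 is the source the page reports; 198.51.100.7 is a documentation address).
TEMPLATE = ("2013-03-05T15:21:{sec:02d}-05:00 my.local.domain.com kernel: "
            "[1403284.{frac:06d}] {verdict} IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx "
            "SRC={src} DST=xx.xx.xx.xx LEN=200 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF "
            "PROTO={proto} SPT={spt} DPT={dpt} LEN=180")

def parse_fw_line(line):
    """Return (verdict, fields) for one firewall log line, or None if it is not one."""
    m = VERDICT_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line[m.end():]):
        fields.setdefault(key, value)  # LEN appears twice; keep the IP datagram length
    return m.group(1), fields

def summarize_drops(lines, min_hits=100):
    """Per-source DROP counts: returns sources at/above min_hits and each source's (PROTO, DPT) Counter."""
    per_src = Counter()
    per_src_port = defaultdict(Counter)
    for line in lines:
        parsed = parse_fw_line(line)
        if parsed is None or parsed[0] != "DROP" or "SRC" not in parsed[1]:
            continue
        f = parsed[1]
        per_src[f["SRC"]] += 1
        per_src_port[f["SRC"]][(f.get("PROTO"), f.get("DPT"))] += 1
    return {s: n for s, n in per_src.items() if n >= min_hits}, per_src_port

def blackhole_rules(src):
    """iptables lines for DD-WRT's firewall script: drop src for the router (INPUT) and forwarded hosts (FORWARD)."""
    return [f"iptables -I INPUT -s {src} -j DROP", f"iptables -I FORWARD -s {src} -j DROP"]

def constructed_log():
    """Constructed sample: a UDP flood from one source, three TCP probes from another, one ACCEPT."""
    lines = [TEMPLATE.format(sec=i % 60, frac=i * 1000, verdict="DROP", src="68.71.197.69",
                             proto="UDP", spt=12882 + i, dpt=4032) for i in range(150)]
    lines += [TEMPLATE.format(sec=i, frac=i, verdict="DROP", src="198.51.100.7",
                              proto="TCP", spt=40000 + i, dpt=22) for i in range(3)]
    lines.append(TEMPLATE.format(sec=59, frac=0, verdict="ACCEPT", src="198.51.100.7", proto="TCP", spt=1, dpt=80))
    return lines
```

On a real router, feed it the output of `dmesg` or the syslog file instead of `constructed_log()`; only sources crossing the threshold are worth a rule, since a handful of drops from many addresses is the background noise the answers describe.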

You should be able to look at the logs of the router and see what's coming in and hitting the box. If it's a single ip, you can blackhole it at your router. – rfelsburg – 2013-03-05T18:56:40.310

Unfortunately, all the log entries have the IP of my router. Some DDWRT misconfiguration perhaps? – Alfero Chingono – 2013-03-05T19:03:06.370

I just tested with my mobile phone (over 3G) and an external IP appeared in the log. hmmm. – Alfero Chingono – 2013-03-05T19:05:56.913

Check the outermost router. If you are, then hmm, I'm not sure. – rfelsburg – 2013-03-05T19:08:12.543

Please tell me this is in your home environment (in which case I will migrate it to SuperUser for you) -- If you're using that Linksys "router" in a production business environment you need to start thinking about replacements... – voretaq7 – 2013-03-05T19:12:50.023

wait... wpad.dat is to do with proxy autoconfig... are there any devices that might be inadvertently set to try and retrieve this file? – tombull89 – 2013-03-05T19:15:52.310

@voretaq7 Yes, home environment. – Alfero Chingono – 2013-03-05T19:16:37.807

@tombull89 Not that I know of. Interesting part is that this stopped when I turned off port forwarding. – Alfero Chingono – 2013-03-05T19:20:47.823

Answers

0

With the help of this article and this article, I managed to enable firewall logs and got thousands of dropped packets from the same IP:

2013-03-05T15:21:30-05:00 my.local.domain.com kernel: [1403284.570000] DROP IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=68.71.197.69 DST=xx.xx.xx.xx LEN=200 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=12882 DPT=4032 LEN=180

EDIT: Upon further investigation, it appears the wpad log messages were unrelated to the blinking lights. I turned port forwarding to the web server back on and the messages never reappeared.

I then looked up the IP address which gave me the name of the hosting company as Fusepoint Managed Services. Next, I called the company and reported the issue. The service representative was very helpful and verified the IP was indeed in their network. She promised to call me back when the issue is resolved.

Hope that helps someone else out there.

Thanks @voretaq7

Alfero Chingono

Reputation: 275

4

Such attempts are, unfortunately, entirely normal; it's just the net's background noise, and there is no real way to stop it in a general way. You just have to make sure that the things you make available to the outside are secured. Tools like fail2ban can help to prevent broad attempts to attack a lot of different URLs (or SSH connection attempts, etc.).

Sven

Reputation: 1 591

A request for /wpad.dat is definitely not your usual background noise. – Michael Hampton – 2013-03-05T19:16:06.767

2

As others have mentioned, the outermost router can tell you who is traversing it to hit your web server (I'm not sure how this particular Linksys device works but it shouldn't be mucking with the source address of requests. If it is it's not doing "standard" NAT -- in any case it would have to maintain a mapping table, especially if it's playing proxy).

Since the problem goes away when you turn off port forwarding I can think of two possibilities:

  1. Someone on your cable network is blindly groping around for wpad.dat.
    This could be malicious, or they could just have a brain-damaged device in their environment. Your router is just passing the request along (though I don't see why it would change the source IP).

  2. Your router is trying to grab wpad.dat from your web server.
    I can't fathom a reason for this though -- I would consider that serious brokenness in the Linksys firmware. To be on the safe side though, check around for proxy settings in your router and make sure they're off/disabled.

Don't expect this to cure the continuous blinking of your modem lights though --- that IS the normal background noise of the internet (there will always be traffic bouncing around on your modem, especially if you have a web server running and people poke at it).
As long as you resolve the mystery you're currently facing (and nothing else unusual shows up in the logs) the background noise can generally be ignored.

voretaq7

Reputation: 2 051

Thanks... the router is running DD-WRT firmware, not stock Linksys firmware. – Alfero Chingono – 2013-03-05T19:29:43.003

@adaptive Perhaps someone with more DD-WRT experience can comment on whether it does something "special" with respect to WPAD. (Or alternatively, tell you where to look in the logs for its NAT/proxy traffic.) – voretaq7 – 2013-03-05T19:51:04.377