BleepingComputer.com: Dos Attack

I have been having Port scans and Dos attacks that will interrupt My internet connection. It usually happens between a specified time.

[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.1.2], Saturday, Aug 06,2011 12:20:14
[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.1.2],

Attacks happen during the evening but we work third shift so the internet isnt being used.. But on the weekends is when we are on.. and the attacks are happening as I am posting this message.

Here is a Link from when Patndoris was assisting me
http://www.bleepingcomputer.com/forums/topic408391.html
Fearing it was malware.

IF I Unplug the router i can see the IP address its coming from.
I have saved the info to my computer.
is It possible just to block their Mac address and these attacks will disappear?


Make and model of computer
Self built Intel Using Windows 7

How the computer is connected (wireless or wired)
Netgear wireless router with wpa alphanumeric encrypted password

Make and model of Router
Netgear N300 wireless WNR2000 v2

Approximate Distance From the router the PC is if its a wireless connection
less than a foot

What type of internet you have (Dsl, Cable, T-1,etc
Cable



MiniToolBox by Farbar
Ran by James (administrator) on 06-08-2011 at 18:23:37
Windows 7 Ultimate Service Pack 1 (X64)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Nephel
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller #2
Physical Address. . . . . . . . . : 00-22-15-68-3A-97
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b56d:8628:fb81:6b7c%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, August 06, 2011 4:20:38 PM
Lease Expires . . . . . . . . . . : Sunday, August 07, 2011 4:20:38 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 352330261
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-0B-CA-99-00-22-15-68-3A-97
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-22-15-68-3A-96
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.93.99
74.125.93.103
74.125.93.105
74.125.93.147
74.125.93.104
74.125.93.106


Pinging google.com [74.125.93.99] with 32 bytes of data:
Reply from 74.125.93.99: bytes=32 time=37ms TTL=49
Reply from 74.125.93.99: bytes=32 time=37ms TTL=49

Ping statistics for 74.125.93.99:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 37ms, Maximum = 37ms, Average = 37ms
Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 72.30.2.43
98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65


Pinging yahoo.com [69.147.125.65] with 32 bytes of data:
Reply from 69.147.125.65: bytes=32 time=31ms TTL=51
Reply from 69.147.125.65: bytes=32 time=30ms TTL=51

Ping statistics for 69.147.125.65:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 30ms, Maximum = 31ms, Average = 30ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
===========================================================================
Interface List
12...00 22 15 68 3a 97 ......Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller #2
11...00 22 15 68 3a 96 ......Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.9 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.9 276
192.168.1.9 255.255.255.255 On-link 192.168.1.9 276
192.168.1.255 255.255.255.255 On-link 192.168.1.9 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.9 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.9 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
12 276 fe80::/64 On-link
12 276 fe80::b56d:8628:fb81:6b7c/128
On-link
1 306 ff00::/8 On-link
12 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/03/2011 07:05:30 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (07/31/2011 07:47:35 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/31/2011 07:00:06 PM) (Source: Windows Backup) (User: )
Description: The backup did not complete because of an error writing to the backup location F:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).

Error: (07/26/2011 08:18:00 PM) (Source: Windows Backup) (User: )
Description: The backup did not complete because of an error writing to the backup location F:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).

Error: (07/23/2011 02:06:54 PM) (Source: Application Error) (User: )
Description: Faulting application name: CivilizationV_DX11.exe, version: 1.0.1.348, time stamp: 0x4e144f4e
Faulting module name: KERNELBASE.dll, version: 6.1.7601.17625, time stamp: 0x4de8781e
Exception code: 0x0000087a
Fault offset: 0x0000b9bc
Faulting process id: 0x123c
Faulting application start time: 0xCivilizationV_DX11.exe0
Faulting application path: CivilizationV_DX11.exe1
Faulting module path: CivilizationV_DX11.exe2
Report Id: CivilizationV_DX11.exe3

Error: (07/23/2011 01:05:44 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/22/2011 03:08:16 PM) (Source: Application Error) (User: )
Description: Faulting application name: steam.exe, version: 1.0.968.628, time stamp: 0x4cda0db5
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58
Exception code: 0xc0000005
Fault offset: 0x00038da9
Faulting process id: 0x364
Faulting application start time: 0xsteam.exe0
Faulting application path: steam.exe1
Faulting module path: steam.exe2
Report Id: steam.exe3

Error: (07/17/2011 07:00:07 PM) (Source: Windows Backup) (User: )
Description: The backup did not complete because of an error writing to the backup location F:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).

Error: (07/16/2011 06:32:31 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (07/15/2011 10:39:40 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.


System errors:
=============
Error: (08/06/2011 05:52:37 PM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070422

Error: (08/06/2011 05:52:34 PM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070422

Error: (08/06/2011 04:23:06 PM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070422

Error: (08/06/2011 04:21:17 PM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070422

Error: (08/06/2011 04:21:11 PM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070422

Error: (08/06/2011 04:21:10 PM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070422

Error: (08/06/2011 04:20:39 PM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (08/06/2011 02:48:41 AM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070422

Error: (08/06/2011 02:46:43 AM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070422

Error: (08/06/2011 02:46:41 AM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80070422


Microsoft Office Sessions:
=========================
Error: (08/03/2011 07:05:30 AM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Program Files (x86)\ESET\ESET Online Scanner\ESETSmartInstaller.exe

Error: (07/31/2011 07:47:35 PM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*c:\program files (x86)\spybot - search & destroy\DelZip179.dllc:\program files (x86)\spybot - search & destroy\DelZip179.dll8

Error: (07/31/2011 07:00:06 PM) (Source: Windows Backup)(User: )
Description: F:\The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006)

Error: (07/26/2011 08:18:00 PM) (Source: Windows Backup)(User: )
Description: F:\The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006)

Error: (07/23/2011 02:06:54 PM) (Source: Application Error)(User: )
Description: CivilizationV_DX11.exe1.0.1.3484e144f4eKERNELBASE.dll6.1.7601.176254de8781e0000087a0000b9bc123c01cc495eb11deea6c:\program files (x86)\steam\steamapps\common\sid meier's civilization v\CivilizationV_DX11.exeC:\Windows\syswow64\KERNELBASE.dll8bc6962a-b556-11e0-9ee6-002215683a97

Error: (07/23/2011 01:05:44 PM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*c:\program files (x86)\spybot - search & destroy\DelZip179.dllc:\program files (x86)\spybot - search & destroy\DelZip179.dll8

Error: (07/22/2011 03:08:16 PM) (Source: Application Error)(User: )
Description: steam.exe1.0.968.6284cda0db5ntdll.dll6.1.7601.175144ce7ba58c000000500038da936401cc48a2281e1811C:\Program Files (x86)\Steam\steam.exeC:\Windows\SysWOW64\ntdll.dllf3faa326-b495-11e0-8f6c-002215683a97

Error: (07/17/2011 07:00:07 PM) (Source: Windows Backup)(User: )
Description: F:\The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006)

Error: (07/16/2011 06:32:31 PM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*c:\program files (x86)\spybot - search & destroy\DelZip179.dllc:\program files (x86)\spybot - search & destroy\DelZip179.dll8

Error: (07/15/2011 10:39:40 AM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*c:\program files (x86)\spybot - search & destroy\DelZip179.dllc:\program files (x86)\spybot - search & destroy\DelZip179.dll8


========================= Memory info: ===================================

Percentage of memory in use: 38%
Total physical RAM: 4095.12 MB
Available physical RAM: 2515.05 MB
Total Pagefile: 12093.31 MB
Available Pagefile: 10344.21 MB
Total Virtual: 4095.88 MB
Available Virtual: 3962.95 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:139.73 GB) (Free:14.8 GB) NTFS

========================= Users: ========================================

User accounts for \\NEPHEL

Administrator Guest James
UpdatusUser


== End of log ==

This post has been edited by Nephel: 06 August 2011 - 05:51 PM

I will be referring to page numbers in this PDF manual for reference. Lets start by changing your network address to 192.168.2.100 and turn off DHCP. Next statically assign the IP Addresses 192.168.2.101, 192.168.2.102, 192.168.2.103 (This will only allow your two computers and the PS3 on the network) Refer to 4-2 for instructions on changing your LAN TCP/IP settings. You will need to change the network settings on each computer and on the PS3. To keep this as short as possible refer to these instructions to change your windows 7 IP address and These for your PS3 you will need to choose which ip address to use on each device.. Next change your SSID reconnect all your devices and save the network then turn off SSID broadcast. Refer to 1-12. Next we want to enable MAC filtering with all the devices connected turn on MAC filtering and click ADD Wireless device. This will show you a list of currently connected MAC addresses. Refer to 2-19 - 2-20. Your mac Address can be cloned and may be already, this is just more protection to help stop the attacks.Finally Change the router password. See if this stops the attacks.

I adjusted some settings to what you referred to the beginning of the week.. and also using a dns server. There were no more attacks as of me changing these settings the beginning of the week..

However Just to be Safe I did exactly as you wanted in your Post... Only dif is I am using my DNS ip address. So far no attacks on weekends where I would normally be bogged down for a good 6 hours.

Glad to hear, I hope this keeps whomever out of your network for good.

Yes Me as well

Thank you so very much for your time in assisting me with this... I do thank you very much.

Kind Regards
Nephel

Well The Attacks are back


[DoS attack: ACK Scan] attack packets in last 20 sec from ip [***.***.***.***], Sunday, Aug 21,2011 16:07:03

This post has been edited by Nephel: 21 August 2011 - 10:42 PM

Complicated issues. I know a software named Colasoft Capsa which has a special module-Dos attach module, seems very easy to find out Dos or DDos attacks in network. It is based on packet level so it is out of my knowledge, but hope it can help u:-)

I am not totally sure this attack is coming from outside your network. The IP addresses that are shown in the attack are they addresses on your network? Are you using any Torrent, file sharing, server, software?

I have asked my networking professor for some advice. To determine if the traffic is generated by your computers or if your wireless has been compromised before you leave for work turn off the computers and disable the wireless (by turning it off in the router set-up menu). If the attacks continue then they are coming from the internet and you should contact your ISP and let them know whats going on. I will continue to research solutions and please let me know what you find, and if anything changes.

[DoS attack: ACK Scan] attack packets in last 20 sec from ip [74.125.113.103], Thursday, Aug 25,2011 21:22:01
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [74.125.225.68], Thursday, Aug 25,2011 21:22:01
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [74.125.225.95], Thursday, Aug 25,2011 21:21:57
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [206.16.119.5], Thursday, Aug 25,2011 20:46:18
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [206.16.119.5], Thursday, Aug 25,2011 15:27:13
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [209.85.225.132], Wednesday, Aug 24,2011 20:40:12


[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.2.101], Saturday, Aug 27,2011 00:08:29
[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.2.101], Saturday, Aug 27,2011 00:08:01
[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.2.101], Saturday, Aug 27,2011 00:07:41
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.2.101], Saturday, Aug 27,2011 00:07:41
[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.2.101], Saturday, Aug 27,2011 00:07:39

I am assigned .101 and my computer was not on when these attacks came on saturday.

I have contacted MY isp and explained my situation.. and they referred me to my Router Manufacturer.. Heh... Then explained that I disconnected from router and have same issues.. that someone is blocking service to network through their modem... and their reply was they have no software to block or monitor or to help with situation..

To be honest I am Really close to switching ISP's. My only worry is that somehow If this person has been accessing or probing my network if they cloned muh mac address of PC if they would be able to find me if I moved to another ISP.


*edit* No torrent or file sharing program now.. But in the Past I have used them but stopped and are no longer on Computer.
* there was a time when attacks disappeared for a week... And thinking back.. I might have had the wireless off (Not entirely sure) However the attacks only occur around 4pm-10pm est and we generally do not go online until after 11pm except on weekends. Yesterday My Girlfriend had a Half day and came home.. so this is reason we picked up the attacks during the week.
The wireless was on as I see when she connected to the wireless then the attacks occured. However I switched out routers with a Lynksys before I posted in the forums for assistance.. and it is not a wireless connection and I was still getting the attacks.. But have not switched back to it since.
Hope that made sense
*/edit*

This post has been edited by Nephel: 27 August 2011 - 05:04 AM