
DoS attack


13 replies to this topic

#1 Dohram


Posted 14 November 2016 - 05:16 PM

I have been under steady DoS attack for about 3 months. I've tried running every program I can think of, I've done ipconfig/release etc., and I've left my modem unplugged long enough to get a new public address. Everything I have tried fails. Not sure if I'm super infected or what.





#2 iangcarroll


Posted 14 November 2016 - 06:16 PM

How do you know you are under a DoS attack?

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!


#3 Dohram


Posted 14 November 2016 - 06:18 PM

I have a Netgear C6300, and my net has been dropping every day, multiple times a day. So I went to the logs and it shows DoS attack, from many different IPs, and a ton of T3 ranging errors.



#4 Viper_Security


Posted 14 November 2016 - 06:24 PM

"I have a Netgear C6300, and my net has been dropping every day, multiple times a day. So I went to the logs and it shows DoS attack, from many different IPs, and a ton of T3 ranging errors."

Then it is not a DoS attack; if it was, you would see the same IP over and over again.

Sounds like you are infected.

 

Those T3 errors are RNG-REQ (Range Request) 


Edited by Viper_Security, 14 November 2016 - 06:26 PM.

    IT Auditor & Security Professional



#5 Dohram


Posted 14 November 2016 - 06:58 PM

Not if they are spoofing their IP, and it's an ICMP DoS attack according to my modem.

 

Description                                                          Count  Last Occurrence                Target  Source
[DoS attack] ICMP Flood from 212.179.84.2                            1      Monday, 14 Nov 2016 14:08:12           212.179.84.2
[DoS attack] ICMP Flood from 60.8.224.242                            1      Monday, 14 Nov 2016 11:58:10           60.8.224.242
[DoS attack] AIF:Dropped INPUT packet: PROTO:TCP SPT:52235 DPT:23    1      Monday, 14 Nov 2016 10:02:15           114.34.144.139
[DoS attack] ICMP Flood from 179.61.255.85                           1      Monday, 14 Nov 2016 09:52:53           179.61.255.85
[DoS attack] ICMP Flood from 78.243.191.75                           2      Monday, 14 Nov 2016 09:34:00           78.243.191.75
[DoS attack] ICMP Flood from 80.25.91.76                             1      Monday, 14 Nov 2016 05:40:05           80.25.91.76
[DoS attack] ICMP Flood from 116.10.195.221                          1      Monday, 14 Nov 2016 00:22:24           116.10.195.221

 


Edited by Dohram, 14 November 2016 - 06:59 PM.


#6 Viper_Security


Posted 14 November 2016 - 07:09 PM

Yes, even if they were "Spoofing" their IP, you would see it over and over again, then stop, and then over and over again, etc.

212.179..... is Israel.

60.8..... is China.

114.34..... is Taiwan.

78.243.... is France.

116.61.... is China again.

80.25... is Madrid.

116.10 is China.

From a quick Whois, these are all web masters.

Run Rkill and make sure there are no HOSTS.

And if no hosts, I'll kindly let iangcarroll take over.


    IT Auditor & Security Professional



#7 Dohram


Posted 14 November 2016 - 07:33 PM

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 11/14/2016 07:31:38 PM in x64 mode.
Windows Version: Windows 10 Pro 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 
 * agp440 [Missing ImagePath]
 * WMPNetworkSvc [Missing ImagePath]
 
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 11/14/2016 07:33:07 PM
Execution time: 0 hours(s), 1 minute(s), and 28 seconds(s)


#8 Viper_Security


Posted 14 November 2016 - 07:37 PM

Ah okay, that's fine. I leave it to iangcarroll. :)


    IT Auditor & Security Professional



#9 Dohram


Posted 14 November 2016 - 07:44 PM

Cheers mate thanks for your efforts.



#10 iangcarroll


Posted 16 November 2016 - 01:30 AM

Provided you disabled Windows Defender yourself (and have another AV), nothing looks abnormal in that log, not that RKill would find everything. If your router's logs are your only symptom, I'll guess you're fine, but if you want you can run Hitman Pro and let me know if anything is flagged when running that. This section doesn't let me run other, non-automated tools for malware detection.

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!


#11 Dohram


Posted 16 November 2016 - 03:10 AM

It's not just my logs, it's that I get dc'd 10+ times a day, and every time I get dc'd there is a log in my router that says DoS and multiple critical failures.



#12 Dohram


Posted 16 November 2016 - 08:28 AM

[DoS attack] ICMP Flood from 66.61.166.20      3  Tuesday, 15 Nov 2016 23:24:58   66.61.166.20
[DoS attack] ICMP Flood from 23.65.125.150     3  Tuesday, 15 Nov 2016 19:47:53   23.65.125.150
[DoS attack] ICMP Flood from 207.226.141.42    1  Tuesday, 15 Nov 2016 19:36:11   207.226.141.42
[DoS attack] ICMP Flood from 24.143.206.240    2  Tuesday, 15 Nov 2016 18:35:54   24.143.206.240
[DoS attack] ICMP Flood from 24.143.205.84     1  Tuesday, 15 Nov 2016 18:33:51   24.143.205.84
[DoS attack] ICMP Flood from 113.107.189.3     1  Tuesday, 15 Nov 2016 15:21:06   113.107.189.3
[DoS attack] ICMP Flood from 24.143.205.84     3  Tuesday, 15 Nov 2016 13:48:01   24.143.205.84
[DoS attack] ICMP Flood from 200.159.255.29    4  Tuesday, 15 Nov 2016 13:40:32   200.159.255.29
[DoS attack] ICMP Flood from 24.143.205.182    2  Tuesday, 15 Nov 2016 09:35:00   24.143.205.182
[DoS attack] ICMP Flood from 66.61.166.20      1  Tuesday, 15 Nov 2016 09:33:01   66.61.166.20
[DoS attack] ICMP Flood from 190.98.205.162    1  Tuesday, 15 Nov 2016 08:04:28   190.98.205.162
[DoS attack] ICMP Flood from 46.234.125.89     1  Tuesday, 15 Nov 2016 06:49:09   46.234.125.89
[DoS attack] ICMP Flood from 66.61.170.55      1  Tuesday, 15 Nov 2016 02:22:58   66.61.170.55
[DoS attack] ICMP Flood from 24.143.206.118    1  Tuesday, 15 Nov 2016 02:21:57   24.143.206.118

 

This was just today, and you can see I got 24 of them.


Edited by Dohram, 16 November 2016 - 08:31 AM.


#13 iangcarroll


Posted 17 November 2016 - 09:00 PM

I'm a bit blind here because I don't know what your router classifies an ICMP flood as, but I'm going to guess that you are not really under an actual DoS attack, because there would be no point in attacking you (and an ICMP flood seems like an odd choice). Have you asked your ISP if they are aware of any issues with your modem/connection?

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!
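
Added example, not part of any post in this thread: a small Python triage script that parses router log entries in the column layout posted above and totals them per source and per hour, so the question of one source repeating versus many sources appearing once or twice can be answered from counts. The sample lines are constructed with documentation-range addresses, and the script assumes the number after the description is an occurrence count.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout posted in this thread (description, count,
# last occurrence, source). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
[DoS attack] ICMP Flood from 192.0.2.10   3 Tuesday, 15 Nov 2016 23:24:58   192.0.2.10
[DoS attack] ICMP Flood from 198.51.100.7   1 Tuesday, 15 Nov 2016 19:36:11   198.51.100.7
[DoS attack] AIF:Dropped INPUT packet: PROTO:TCP SPT:52235 DPT:23 1 Tuesday, 15 Nov 2016 10:02:15   203.0.113.5
[DoS attack] ICMP Flood from 198.51.100.99   3 Tuesday, 15 Nov 2016 09:35:00   198.51.100.99
[DoS attack] ICMP Flood from 192.0.2.10   1 Tuesday, 15 Nov 2016 09:33:01   192.0.2.10
this line is not a log entry
"""

LINE_RE = re.compile(
    r"^\[DoS attack\]\s+(?P<desc>.+?)\s+(?P<count>\d+)\s+"
    r"(?P<when>\w+, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything not in the expected layout
        events.append({
            "kind": "icmp_flood" if m["desc"].startswith("ICMP Flood") else "other",
            "count": int(m["count"]),  # assumed: number of occurrences
            "when": datetime.strptime(m["when"], "%A, %d %b %Y %H:%M:%S"),
            "src": m["src"],
        })
    return events

def summarize(events):
    # Totals per source and per clock hour, weighted by the count column.
    per_src, per_hour = Counter(), Counter()
    for e in events:
        per_src[e["src"]] += e["count"]
        per_hour[e["when"].strftime("%Y-%m-%d %H:00")] += e["count"]
    total = sum(per_src.values())
    top_src, top_n = per_src.most_common(1)[0] if per_src else (None, 0)
    return {"total": total, "distinct_sources": len(per_src),
            "top_source": top_src,
            "top_share": round(top_n / total, 2) if total else 0.0,
            "busiest_hour": per_hour.most_common(1)[0] if per_hour else None}

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

Comparing the busiest hours against the times the connection actually dropped shows whether the logged entries and the disconnects line up.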


#14 Dohram


Posted 17 November 2016 - 09:02 PM

Yeah, they just want to blame the router, but this is the 2nd router I have gotten. I'll try to contact the manufacturer and see what they think. Thank you for your help. I just wanted to make sure I did have some kind of malware causing it.





