Author Topic: Dropped packets (IP protocol 17) as unable to create new session  (Read 8999 times)

Crytiqal

« on: February 05, 2011, 09:39:52 AM »

Hey everyone,

I have an issue with my router that is best explained by showing you some log entries:

Code:
[INFO] Sat Feb 07 14:17:35 2004 Dropped packet from 192.168.0.190 to 186.251.121.98 (IP protocol 17) as unable to create new session
[INFO] Sat Feb 07 14:17:34 2004 Above message repeated 92 times
[INFO] Sat Feb 07 14:17:34 2004 DNS relay ALG rejected packet from 192.168.0.194:61406 to 88.159.1.201:53
[INFO] Sat Feb 07 14:17:34 2004 Dropped packet from 192.168.0.194 to 88.159.1.201 (IP protocol 17) as unable to create new session
[INFO] Sat Feb 07 14:17:34 2004 Dropped packet from 192.168.0.190 to 186.251.121.98 (IP protocol 17) as unable to create new session
[INFO] Sat Feb 07 14:17:33 2004 Above message repeated 90 times
[INFO] Sat Feb 07 14:17:33 2004 DNS relay ALG rejected packet from 192.168.0.194:61406 to 88.159.1.200:53
[INFO] Sat Feb 07 14:17:33 2004 Dropped packet from 192.168.0.194 to 88.159.1.200 (IP protocol 17) as unable to create new session
[INFO] Sat Feb 07 14:17:33 2004 Dropped packet from 192.168.0.190 to 186.251.121.98 (IP protocol 17) as unable to create new session
[INFO] Sat Feb 07 14:17:27 2004 Above message repeated 593 times

This happens every now and then, like 5 times a day or something. The 192.168.0.190 is a local machine and it seems it tries to connect to some random IP. It is a different IP every time this hiccup occurs (for at least the 3 times I tracked it down).
I have to say that I ran an email relay server prior to this which was relaying external email (which caused me to send out 67.000 emails a day before I noticed and took the necessary actions), but since then (I shut down the email server completely and closed port 25 and 110 again) I still have these major hiccups which send traffic over my wireless network at rates of 50Mbps! And even my LAN connection can't take it.

Am I part of a botnet or something? Or are these attacks invoked from outside?

Please help me with this!

IF I am part of a botnet, would formatting the harddrive and reinstalling the server get rid of it?

Thanks in advance,
Crytiqal
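
A tally of the log excerpt above, as an added example that is not part of the original post or of D-Link's tooling: it expands the "Above message repeated N times" counters and sums the session-table drops per LAN host and flow. Assumptions: each repeat line refers to the entry printed directly above it, and the threshold of 100 is a hypothetical value. IP protocol 17 is UDP.

```python
import re
from collections import Counter

# Log excerpt copied from the post above (newest entry first, as the router shows it).
LOG = """\
[INFO] Sat Feb 07 14:17:35 2004 Dropped packet from 192.168.0.190 to 186.251.121.98 (IP protocol 17) as unable to create new session
[INFO] Sat Feb 07 14:17:34 2004 Above message repeated 92 times
[INFO] Sat Feb 07 14:17:34 2004 DNS relay ALG rejected packet from 192.168.0.194:61406 to 88.159.1.201:53
[INFO] Sat Feb 07 14:17:34 2004 Dropped packet from 192.168.0.194 to 88.159.1.201 (IP protocol 17) as unable to create new session
[INFO] Sat Feb 07 14:17:34 2004 Dropped packet from 192.168.0.190 to 186.251.121.98 (IP protocol 17) as unable to create new session
[INFO] Sat Feb 07 14:17:33 2004 Above message repeated 90 times
[INFO] Sat Feb 07 14:17:33 2004 DNS relay ALG rejected packet from 192.168.0.194:61406 to 88.159.1.200:53
[INFO] Sat Feb 07 14:17:33 2004 Dropped packet from 192.168.0.194 to 88.159.1.200 (IP protocol 17) as unable to create new session
[INFO] Sat Feb 07 14:17:33 2004 Dropped packet from 192.168.0.190 to 186.251.121.98 (IP protocol 17) as unable to create new session
[INFO] Sat Feb 07 14:17:27 2004 Above message repeated 593 times
"""

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers
DROP = re.compile(
    r"Dropped packet from (\S+) to (\S+) \(IP protocol (\d+)\) as unable to create new session")
REPEAT = re.compile(r"Above message repeated (\d+) times")

def tally_drops(text):
    """Count session-table drops per (source, destination, protocol) flow."""
    counts, last = Counter(), None
    for line in text.splitlines():
        if m := DROP.search(line):
            last = (m[1], m[2], PROTO.get(int(m[3]), m[3]))
            counts[last] += 1
        elif m := REPEAT.search(line):
            # Assumption: the repeat counter belongs to the entry printed directly above it.
            if last:
                counts[last] += int(m[1])
        else:
            last = None  # some other message; a following repeat line is not a drop
    return counts

def noisy_sources(counts, threshold=100):
    """LAN hosts whose total drops reach the (hypothetical) threshold."""
    per_src = Counter()
    for (src, _dst, _proto), n in counts.items():
        per_src[src] += n
    return {src: n for src, n in per_src.items() if n >= threshold}

if __name__ == "__main__":
    for (src, dst, proto), n in tally_drops(LOG).most_common():
        print(f"{n:5d}  {src} -> {dst}  {proto}")
    print("over threshold:", noisy_sources(tally_drops(LOG)))
```

On this excerpt almost every drop comes from one LAN host sending UDP to a single external address, while the second host contributes only two failed DNS lookups that lost out once the session table was full.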

FurryNutz

  • D-Link Global Forum Moderator
« Reply #1 on: February 05, 2011, 10:36:42 AM »

Saw this once with my buddy's DSL service. We couldn't figure it out until we found most of the problem. Turns out the DSL and phone lines were not filtered and set up well from the telephone pole to the house. We also found out that his DSL line was beyond speed limits from the DSL Hub. After getting the DSL Tech to come out and look at everything, they finally got him re-wired and connected properly to the house and with a clean signal.

Seems that this protocol 17 and the IP address you're seeing is a feedback and interference from another DSL line possibly.


What ISP Service do you have? DSL or cable?

I would make sure the cable lines for either service are new and set up well. Filters should be used for DSL. Keep the splitters to a minimum or none at all for the Cable line going to the modem. Make sure LAN cables are good running from the ISP Modem to the router. I recommend the shortest length possible. I use a 1 footer here.

Is your ISP modem a standalone modem or does it have a router built in? It's preferred to bridge these built-in modems to your 855 router.
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

Crytiqal

« Reply #2 on: May 02, 2011, 06:07:48 AM »

To resurrect this thread, the issue is back again.

I reinstalled everything like I said in my previous post and I thought I was rid of it, but now it's back again.

FYI: I have a fiber optics connection.

This time, I first was under attack by INCOMING connections. Those would put my upload and download up till 80Mbps more or less. Now only the UPLOAD gets so high and drops my connection.
I still receive the incoming connections as well, they try to connect on port 27960 and 27962, really fast.

Any suggestions are welcome.
« Last Edit: May 02, 2011, 06:09:39 AM by Crytiqal »

FurryNutz

« Reply #3 on: May 02, 2011, 07:57:17 AM »

Saw this once with my buddy's DSL service. We couldn't figure it out until we found most of the problem. Turns out the DSL and phone lines were not filtered and set up well from the telephone pole to the house. We also found out that his DSL line was beyond speed limits from the DSL Hub. After getting the DSL Tech to come out and look at everything, they finally got him re-wired and connected properly to the house and with a clean signal.

Seems that this protocol 17 and the IP address you're seeing is a feedback and interference from another DSL line possibly.


What ISP Service do you have? DSL or cable?

I would make sure the cable lines for either service are new and set up well. Filters should be used for DSL. Keep the splitters to a minimum or none at all for the Cable line going to the modem. Make sure LAN cables are good running from the ISP Modem to the router. I recommend the shortest length possible. I use a 1 footer here.

Is your ISP modem a standalone modem or does it have a router built in? It's preferred to bridge these built-in modems to your 855 router.

Crytiqal

« Reply #4 on: May 02, 2011, 09:47:32 AM »

Thanks FurryNutz for quoting something that doesn't relate to my problem.

FurryNutz

« Reply #5 on: May 02, 2011, 10:35:04 AM »

Reason for quoting is that I had asked for some information. We need some detailed information so we can better help you and provide better feedback. Help us help you.

Crytiqal

« Reply #6 on: May 02, 2011, 02:23:33 PM »

I found out that during these spikes my httpd.exe (Apache) is taking up the resources for outbound traffic. I checked the IP, and it corresponded to the IP in the router log.
I double checked during another spike, my httpd.exe was hogging the resources again to a different IP this time, and sure enough, it was the same new IP as in the server log.

To my knowledge, I think my server has been compromised by a botnet and is now used for DDoS attacks.

My modem doesn't have a built-in router. Connection is fiber optics.
Latest firmware: 1.23WW

I also get incoming "attacks", although not so severe, on ports 27960 and 27962, but they were more serious a few days before my outbound traffic started spiking.
Is it possible that during this attack on ports 27960 and 27962 the router couldn't cope and something might have gone through the firewall? And then infecting the server?

What measures should I take to stop this from happening (again?).

1) Disconnect the server from the internet
2) Reinstall the server
3) Change router pw
4) If possible, change the static IP?

Thanks in advance,
Crytiqal
« Last Edit: May 02, 2011, 02:25:09 PM by Crytiqal »

FurryNutz

« Reply #7 on: May 02, 2011, 03:01:46 PM »

Your server should probably have some sort of resident Malware and 3rd party Firewall installed. Definitely Anti Virus program for sure. If you can find where the originating IP address of the offending bot or malware comes from, could put that in the router's blocking list to add additional protection. I would start with resident Malware and firewall on the server. You'll need to set up rules in the SW firewall to ensure that only those get access. Been told that Comodo Sw is pretty good. Let us know how it goes.