
Author Topic: Lots of blocked attempts  (Read 9208 times)

Axlan

  • Level 1 Member
  • Posts: 2
Lots of blocked attempts
« on: March 27, 2013, 05:53:49 AM »

Hello all, I'm new to these forums!

I've been wondering something for a few days now. I recently checked the logs of my router as I was playing around with some settings, and I noticed that I have an awful lot of IP addresses and other things that appear to be blocked. Is this normal?

I spoke to someone before and was told I would get DDoSed by them, but I don't know if this is the result? By DDoSing I'm sure your internet would crash due to the traffic you would receive (as I've read on Google etc.), but my internet just freezes for a good matter of seconds, at times I get majorly disconnected from games, but my Skype never seems to drop connection.

I contacted my ISP yesterday and they just suggested changing my MAC Address around in my Router, so I did that and got a new IP address, but those logs continued to flood in. Later in the day, I got a new Modem from my ISP to get a whole new MAC Address on the Modem itself, but those just keep storming in.

For example I get a bunch of this in my log:
** Blocked incoming TCP connection request from ...
** Blocked incoming TCP packet from ... to ... as SYN:ACK received but there is no active connection
** Blocked incoming TCP packet from ... to ... as FIN:ACK received but there is no active connection
** Blocked incoming TCP packet from ... to ... as FIN:PSH:ACK received but there is no active connection
** Blocked incoming TCP packet from ... to ... as RST:ACK received but there is no active connection
** Blocked outgoing ICMP packet (ICMP type 3 ) from ... as there is no UDP session active between ... and ...
** Blocked outgoing ICMP packet (ICMP type 8 ) from ...
** Blocked incoming UDP packet from ...
** Blocked TCP packet from ... to ... as control None in not valid
** And different kind of

I get those basically every 1-5 minute.. seconds even. And at times this causes my internet to freeze for a good 3 seconds, it's a bit annoying if you're playing games and then just get disconnected, but you're still on the game lagging out. (Others see you running in the same place over and over, World of Warcraft for example..).

I'm using the D-Link Systems DIR-655 with
Hardware Version: A3
Current Firmware Version : 1.31EU

I have also been reading through the forum a bit, and I've disabled the UPnP support. My WAN Ping is disabled by default so I'm not turning that on. I'm NOT using any BitTorrent system or program or anything. Some people have recommended disabling SPI on other forums but I don't feel that it's a safe thing to do.

I also changed my NAT Endpoint Filtering from:
** UDP Endpoint Filtering: Port And Address Restricted
** TCP Endpoint Filtering: Port and Address Restricted (was Address Restricted before only).

Happy for any kind of help, suggestions or thoughts.

Thanks.

- Quickly modified as some emoticons appeared in the text.

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Lots of blocked attempts
« Reply #1 on: March 27, 2013, 07:02:19 AM »

Link>Welcome!
Use domaintools.com to find out where the IP addresses are coming from. Are the IP addresses going to a device IP address on your LAN side network?

There will be some block entries and this is normal and a function of the logs reporting that the router is doing its job of blocking and reporting what is going on.

Has a Factory Reset been performed?

What ISP Service do you have? Cable or DSL?
What ISP Modem Mfr. and model # do you have?
Check ISP MTU requirements, Cable is usually 1500, DSL is around 1492 down to 1472. Call the ISP and ask. Link>Checking MTU Values

Some things to try:
- Log into the router's web page at 192.168.0.1. Use IE, Opera or FF to manage the router.
- Turn off ALL QoS or Disable Traffic Shaping (DIR only) GameFuel (DGL only and if ON.) options. Advanced/QoS or Gamefuel.
- Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual or under Setup/PARENTAL CONTROL/Set to>None: Static IP or Obtain Automatically From ISP.
- Enable Use Unicasting (compatibility for some ISP DHCP Servers) under Setup/Internet/Manual.
- Turn on DNS Relay under Setup/Networking.
- Setup DHCP reserved IP addresses for all devices ON the router. Setup/Networking. This ensures each device gets its own IP address when turned on and connected, eliminates IP address conflicts and helps in troubleshooting.
- Ensure devices are set to auto obtain an IP address.
- If IPv6 is an option on the router, select Local Connection Only or Disable IPv6 options under Setup/IPv6.
- What are the NAT settings currently set for under Advanced/Firewall?
- Enable UPnP and Multi-cast Streaming under Advanced/Networking.
- Turn off WISH, and WPS under Advanced.
- WAN Port Speed set to Auto or specific speed? Some newer ISP modems support 1000Mb so manually setting to Gb speeds can be supported by the router. Advanced/Advanced Networking/WAN Port Speed
- Set current Time Zone, Date and Time. Use an NTP server feature. Tools/Time.

Link>Wireless Installation Considerations
Ensure the default (dlink) SSID name is changed. Can be anything and not something that's already in use by any neighboring WiFi routers. Under Setup/Wireless/Manual.
What wireless modes are you using?
Try single mode G or N or mixed G and N?
Channel Width set for Auto 20/40MHz or try 20MHz only.
Try setting a manual channel to an open or unused channel. 1, 6 or 11. 11 for single mode N if the channel is clear.
What security mode are you using? Preferred security is WPA-Personal. WPA2/AES Only. Some WiFi adapters don't support AES, so you might want to try TKIP only or Auto.
What wireless devices do you have connected?
Any cordless house phones?
Any other WiFi routers in the area? Link> Use InSSIDer to find out. How many?

Try turning off Short GI, WLAN Partition, and Extra Wireless Protection if you have it. Under Advanced/Advanced Wireless.
Enable WMM Enable Under Advanced/Advanced Wireless.

Firmware for all Rev A models can be found here.
http://www.dlink.com/uk/en/support/product/dir-655-wireless-n-gigabit-router?revision=deu_reva

If you choose to do a FW update, please follow this:
FW Update Process
« Last Edit: May 22, 2015, 12:31:35 PM by FurryNutz »
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

Axlan

  • Level 1 Member
  • Posts: 2
Re: Lots of blocked attempts
« Reply #2 on: March 27, 2013, 07:51:28 AM »

Hello FurryNutz,

Thanks for your response.

A factory Reset was performed yesterday when I got my new modem. Because I felt it could be more safe to do that, in case the router stored any data from the old modem.

I've used several IP look up services on the blocked attempts I've been getting, and most of them are from companies that you can hire/buy a webserver/gameserver or whatever from. Also a lot of blocked from China/Asia. Most of the IPs don't have any kind of ISP/Organization when I look them up, so I don't know what gives.

I had one SYN-attack(?).. yesterday that caught my very attention, it was some boat cruising site, made me think if someone is trying to set me up somehow. According to http://whatismyipaddress.com they were using a Dial-Up.

Also when I was on Skype yesterday, me and my girlfriend's call dropped, and we heard robotic voices. We could have sworn that there were at least 3 male voices, and one female talking. But it was hard making out what they said. Of course, it could have been an internet connection issue from her, as mine worked fine. It was just.. a bit creepy.

It actually made me think that someone attempted to make their way into our Skype connection and talk with us, but.. yeah. Paranoia?

I did e-mail one of those ones I found at a live-support chat, and asked why they keep sending me packets as I have never been to their site or even heard about them before, I have yet to receive an email response from them, which I highly doubt.

I use the ISP in my town called "KK-TV" also Cable. And I'm using the Cisco modem model EPC3010, I had my Motorola modem replaced with this one as they suggested me changing modem to help avoid ddos attacks and what not.

# What are the NAT settings currently set for under Advanced/Firewall?
- UDP Endpoint Filtering: Port And Address Restricted.
- TCP Endpoint Filtering: Port and Address Restricted (was Address Restricted before only).
- Enable anti-spoof checking I also enabled.

# Any cordless house phones?
- There are none, except mobile phones.

# Any other WiFi routers in the area?
- There are some from the neighbors and they're all password protected.

# WAN Port Speed set to Auto or specific speed?
- It's set to Auto 10/100/1000Mbps

# Set current Time Zone, Date and Time. Use an NTP server feature. Tools/Time.
- Done and done, the time was inaccurate to my PC when I first applied the NTP server, but it seems to have updated now, it's still a little ahead of my PC clock, but that's not a problem I guess? (dlinks ntp 1)

I have no problem with the Wireless setup or usage, it's working flawlessly.

I have never really paid any attention to those Linksys Logs. But ever since I looked into them and saw all those IPs and ICMP / SYN:ACK FIN:ACK SYN:Etc.. things blocked, it has somewhat annoyed me, or made me very curious. They could have been there the entire time?, and now it's getting my curious-level a little bit higher.

Do you know if those SYN-.. things are normal? According to Google I found: http://en.wikipedia.org/wiki/SYN_flood - which says it's a flooding service. So I'm not quite sure if someone's targeting me or not.

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

Thanks again.

- Quick update: Am I allowed to post some IP addresses and information here, if you would like to have a look at them? I didn't want to make another post in this thread about it so I decided to update this one.
-- Another update, after I disabled WISH and put the Time to sync with the Routers NTP time those 'attacks' or what we should call them have gone down it seems. Perhaps too early to tell, perhaps I jinxed it. *Crosses fingers*
« Last Edit: March 27, 2013, 09:41:05 AM by Axlan »
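
An added example, not part of the original posts: a small Python triage of the blocked-entry types quoted in the first post, separating unsolicited connection attempts from packets the firewall dropped only because it no longer tracks the connection. The sample lines, the ip:port form, the category names and the flood_threshold value are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the style of the entries quoted in the thread; addresses
# are documentation ranges and the "ip:port" form is an assumption.
SAMPLE_LOG = """\
Blocked incoming TCP connection request from 198.51.100.7:4431 to 203.0.113.5:23
Blocked incoming TCP connection request from 198.51.100.7:4432 to 203.0.113.5:3389
Blocked incoming TCP packet from 192.0.2.10:80 to 203.0.113.5:51820 as SYN:ACK received but there is no active connection
Blocked incoming TCP packet from 192.0.2.44:443 to 203.0.113.5:50112 as FIN:ACK received but there is no active connection
Blocked incoming TCP packet from 192.0.2.44:443 to 203.0.113.5:50113 as RST:ACK received but there is no active connection
Blocked incoming UDP packet from 198.51.100.99:53 to 203.0.113.5:6881
Blocked outgoing ICMP packet (ICMP type 3 ) from 192.168.0.100 to 198.51.100.99 as there is no UDP session active between 192.168.0.100 and 198.51.100.99
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Hypothetical category names; first match wins.
RULES = [
    ("unsolicited_syn", re.compile(r"Blocked incoming TCP connection request from " + IP)),  # probe or scan
    ("synack_no_state", re.compile(r"Blocked incoming TCP packet from " + IP + r".* as SYN:ACK received")),  # late reply or backscatter
    ("stale_teardown", re.compile(r"Blocked incoming TCP packet from " + IP + r".* as (?:FIN|RST)[:A-Z]* received")),  # state already expired
    ("unsolicited_udp", re.compile(r"Blocked incoming UDP packet from " + IP)),
    ("outgoing_icmp", re.compile(r"Blocked outgoing ICMP packet \(ICMP type \d+ ?\) from " + IP)),
]

def classify(line):
    """Return (category, source_ip), or None for lines no rule recognises."""
    for category, pattern in RULES:
        m = pattern.search(line)
        if m:
            return category, m.group(1)
    return None

def summarise(log_text, flood_threshold=100):
    """Tally blocked entries by category and by source of unsolicited SYNs."""
    categories, syn_sources = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            categories[hit[0]] += 1
            if hit[0] == "unsolicited_syn":
                syn_sources[hit[1]] += 1
    # A handful of SYNs per log window is routine scan noise; the threshold
    # for calling a window flood-like is an assumed value, tune it per link.
    return {
        "categories": dict(categories),
        "top_syn_sources": syn_sources.most_common(3),
        "flood_like": categories["unsolicited_syn"] >= flood_threshold,
    }
```

Run `summarise()` over an exported log; lines whose addresses are elided or whose wording differs are skipped rather than guessed at.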