Multiple DDoS attacks prevention?
I've been receiving DDoS attacks for the past few months from different IP addresses, from different ISPs, from different countries. After finding this post: Multiple DoS Attacks
I tried phoning up my ISP; they said they can't and won't do anything apart from provide my internet, which they're doing. My ISP has a division where I can post log information, but they'll only accept IPs from their IP pool. I managed to find that one of the IPs luckily was, and filed a report. But I won't get a reply if any action is taken, and as the attacks are still coming I'm guessing they've done little or nothing. Eventually my ISP said that I should call my local authorities as it's an illegal activity. Currently waiting for a call back from my local authorities to see if they can help, but in the meantime my ISP also said to try on forums.
Some basic information about my setup.
ISP: Virgin Media (UK)
Package: 8Mbps unlimited home broadband (capped to 2Mbps due to an SNR reset, which caused me to check my router log and is when I found my router logging attacks a week after the reset)
Router: Netgear DGN1000 (running Virgin's firmware)
Router settings: MAC filtering, WPA2-PSK, ping disabled on WAN, using Comodo's DNS servers, dynamic IP
Antivirus etc: Avast! Free, Malwarebytes, Comodo Firewall, Microsoft Security Essentials (all of these apart from MSE are installed on all 3 of my PCs, MSE is only installed on one of them; also using Comodo's Port Stealth feature)
Here's part of a log showing attacks (my IP's changed since this and I omitted the other stuff the router was logging, but can add this if needed):
Code:
[DoS attack]from source:123.7.87.215, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=112 ID=58666 PROTO=UDP SPT=1052 DPT=11416 - Mon, 2012-04-02 00:11:34
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=107 ID=17722 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:35
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=107 ID=17723 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:35
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=17824 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:36
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=17826 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:36
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=17935 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:39
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=17936 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:39
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=17937 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:39
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=17938 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:39
[DoS attack]from source:62.92.55.56, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=51 ID=13917 PROTO=UDP SPT=59319 DPT=11416 - Mon, 2012-04-02 00:11:40
[DoS attack]from source:58.99.255.232, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=44 ID=23081 DF PROTO=UDP SPT=13699 DPT=11416 - Mon, 2012-04-02 00:11:40
[DoS attack]from source:223.16.45.42, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=48 ID=23723 PROTO=UDP SPT=1323 DPT=11416 - Mon, 2012-04-02 00:11:40
[DoS attack]from source:123.7.87.215, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=112 ID=59047 PROTO=UDP SPT=1052 DPT=11416 - Mon, 2012-04-02 00:11:41
[DoS attack]from source:123.7.87.215, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=112 ID=59048 PROTO=UDP SPT=1052 DPT=11416 - Mon, 2012-04-02 00:11:41
[DoS attack]from source:124.95.137.142, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=40 ID=3879 PROTO=UDP SPT=5384 DPT=11416 - Mon, 2012-04-02 00:11:42
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=18177 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:44
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=18178 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:44
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=18179 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:44
[DoS attack]from source:62.92.55.56, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=51 ID=13941 PROTO=UDP SPT=59319 DPT=11416 - Mon, 2012-04-02 00:11:44
[DoS attack]from source:62.92.55.56, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=51 ID=13942 PROTO=UDP SPT=59319 DPT=11416 - Mon, 2012-04-02 00:11:44
[DoS attack]from source:58.241.241.5, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=49 ID=12128 PROTO=UDP SPT=5127 DPT=11416 - Mon, 2012-04-02 00:11:45
[DoS attack]from source:24.116.58.221, destination source:192.168.0.8 LEN=130 TOS=0x18 PREC=0x40 TTL=47 ID=11717 PROTO=UDP SPT=59505 DPT=52184 - Mon, 2012-04-02 00:11:45
[DoS attack]from source:86.160.50.52, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=48 ID=58231 PROTO=UDP SPT=58307 DPT=11416 - Mon, 2012-04-02 00:11:45
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=18242 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:45
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=18245 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:46
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=18246 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:46
[DoS attack]from source:124.95.137.142, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=40 ID=4148 PROTO=UDP SPT=5384 DPT=11416 - Mon, 2012-04-02 00:11:46
[DoS attack]from source:124.95.137.142, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=40 ID=4149 PROTO=UDP SPT=5384 DPT=11416 - Mon, 2012-04-02 00:11:46
[DoS attack]from source:86.160.50.52, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=48 ID=58233 PROTO=UDP SPT=58307 DPT=11416 - Mon, 2012-04-02 00:11:47
[DoS attack]from source:221.193.240.49, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=47 ID=20922 PROTO=UDP SPT=10128 DPT=11416 - Mon, 2012-04-02 00:11:47
[DoS attack]from source:221.193.240.49, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=47 ID=20921 PROTO=UDP SPT=10128 DPT=11416 - Mon, 2012-04-02 00:11:47
[DoS attack]from source:123.7.87.215, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=112 ID=59268 PROTO=UDP SPT=1052 DPT=11416 - Mon, 2012-04-02 00:11:47
[DoS attack]from source:123.7.87.215, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=112 ID=59269 PROTO=UDP SPT=1052 DPT=11416 - Mon, 2012-04-02 00:11:47
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=18321 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:48
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=18322 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:48
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=18323 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:48
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=18324 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:48
[DoS attack]from source:62.92.55.56, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=51 ID=13973 PROTO=UDP SPT=59319 DPT=11416 - Mon, 2012-04-02 00:11:48
[DoS attack]from source:62.92.55.56, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=51 ID=13974 PROTO=UDP SPT=59319 DPT=11416 - Mon, 2012-04-02 00:11:48
[DoS attack]from source:223.16.45.42, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=48 ID=23739 PROTO=UDP SPT=1323 DPT=11416 - Mon, 2012-04-02 00:11:48
[DoS attack]from source:124.95.137.142, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=40 ID=4311 PROTO=UDP SPT=5384 DPT=11416 - Mon, 2012-04-02 00:11:48
[DoS attack]from source:124.95.137.142, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=40 ID=4312 PROTO=UDP SPT=5384 DPT=11416 - Mon, 2012-04-02 00:11:48
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=107 ID=18447 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:50
[DoS attack]from source:58.99.255.232, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=44 ID=23107 DF PROTO=UDP SPT=13699 DPT=11416 - Mon, 2012-04-02 00:11:50
[DoS attack]from source:62.92.55.56, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=51 ID=14004 PROTO=UDP SPT=59319 DPT=11416 - Mon, 2012-04-02 00:11:50
[DoS attack]from source:62.92.55.56, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x60 TTL=51 ID=14005 PROTO=UDP SPT=59319 DPT=11416 - Mon, 2012-04-02 00:11:50
[DoS attack]from source:124.95.137.142, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=40 ID=4436 PROTO=UDP SPT=5384 DPT=11416 - Mon, 2012-04-02 00:11:50
[DoS attack]from source:124.95.137.142, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=40 ID=4438 PROTO=UDP SPT=5384 DPT=11416 - Mon, 2012-04-02 00:11:50
[DHCP IP: (192.168.0.3)] to MAC address 90:84:0D:0B:75:1C - Mon, 2012-04-02 00:19:59
[WLAN access allowed] from MAC: 0c:ee:e6:a8:56:80 - Mon, 2012-04-02 00:22:43
[DHCP IP: (192.168.0.2)] to MAC address 0C:EE:E6:A8:56:80 - Mon, 2012-04-02 00:22:52
[WLAN access allowed] from MAC: c8:33:4b:49:00:aa - Mon, 2012-04-02 00:24:30
[DHCP IP: (192.168.0.8)] to MAC address C8:33:4B:49:00:AA - Mon, 2012-04-02 00:24:31
[DoS attack]from source:222.242.196.230, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=110 ID=25834 PROTO=UDP SPT=2633 DPT=11416 - Mon, 2012-04-02 00:29:35
[DoS attack]from source:86.9.130.75, destination source:82.31.30.202 LEN=56 TOS=0x18 PREC=0x60 TTL=57 ID=28005 PROTO=UDP SPT=8081 DPT=11416 - Mon, 2012-04-02 00:29:35
[DoS attack]from source:86.9.130.75, destination source:82.31.30.202 LEN=56 TOS=0x18 PREC=0x60 TTL=57 ID=28225 PROTO=UDP SPT=8081 DPT=11416 - Mon, 2012-04-02 00:29:35
[DHCP IP: (192.168.0.6)] to MAC address 1C:C1:DE:60:D8:31 - Mon, 2012-04-02 00:32:33
[DHCP IP: (192.168.0.10)] to MAC address 00:17:C4:3B:11:C4 - Mon, 2012-04-02 00:38:16
[DoS attack]from source:222.242.196.230, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=110 ID=55191 PROTO=UDP SPT=2633 DPT=11416 - Mon, 2012-04-02 00:45:28
[DoS attack]from source:115.21.112.216, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=110 ID=16096 PROTO=UDP SPT=1219 DPT=11416 - Mon, 2012-04-02 00:47:39
[DoS attack]from source:58.253.218.86, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=40 ID=7382 PROTO=UDP SPT=13915 DPT=11416 - Mon, 2012-04-02 00:47:39
[DoS attack]from source:62.92.55.56, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=51 ID=9605 PROTO=UDP SPT=59907 DPT=11416 - Mon, 2012-04-02 00:47:41
[DoS attack]from source:62.92.55.56, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=51 ID=9606 PROTO=UDP SPT=59907 DPT=11416 - Mon, 2012-04-02 00:47:41
[DoS attack]from source:222.242.196.230, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=110 ID=5877 PROTO=UDP SPT=2633 DPT=11416 - Mon, 2012-04-02 00:47:41
[DoS attack]from source:222.242.196.230, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=110 ID=5879 PROTO=UDP SPT=2633 DPT=11416 - Mon, 2012-04-02 00:47:41
[DoS attack]from source:58.253.218.86, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=40 ID=7412 PROTO=UDP SPT=13915 DPT=11416 - Mon, 2012-04-02 00:47:41
[DoS attack]from source:58.253.218.86, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=40 ID=7431 PROTO=UDP SPT=13915 DPT=11416 - Mon, 2012-04-02 00:47:43
[DoS attack]from source:58.253.218.86, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=40 ID=7508 PROTO=UDP SPT=13915 DPT=11416 - Mon, 2012-04-02 00:47:49
[DoS attack]from source:58.253.218.86, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=40 ID=7507 PROTO=UDP SPT=13915 DPT=11416 - Mon, 2012-04-02 00:47:49
This attack was bigger than usual; I'll usually only get around 5-10 attacks logged by my router during the course of a day. I used to notice, and sometimes still do, that whenever a machine is turned on that accesses my network then an attack will occur straight away. But it mostly seems to be at random times. I read in the post mentioned above that it could just be my router logging portscans as DoS attacks, but I'm sure it isn't, as whenever I notice a serious drop in speed, usually to about 15kbps, I'll log into my router and see that it's logged DDoS attacks. I've also noticed that Malwarebytes will occasionally detect outgoing connections from different ports, usually via Skype, but I've seen it block outgoing connections for Chrome and Avast too. So I think I'm being portscanned too (well aware that most people are portscanned daily for legitimate reasons). But here's a MWB log of it:
Code:
2012/04/02 23:20:41 +0100 USER-PC User IP-BLOCK 83.128.119.119 (Type: outgoing, Port: 53059, Process: avastsvc.exe)
2012/04/02 23:20:41 +0100 USER-PC User IP-BLOCK 83.128.119.119 (Type: outgoing, Port: 53060, Process: skype.exe)
2012/04/02 23:20:41 +0100 USER-PC User IP-BLOCK 83.128.119.119 (Type: outgoing, Port: 53061, Process: skype.exe)
2012/04/02 23:20:41 +0100 USER-PC User IP-BLOCK 83.128.119.119 (Type: outgoing, Port: 53062, Process: skype.exe)
Sorry for the long post, but I thought I'd try and give you as much information as possible. Any help would be very welcome, as I've been putting up with it for a good few months now and I've been adding the attacking IPs to my router's incoming firewall rule to block.
Code:
2012/04/01 05:11:23 +0100 USER-PC User IP-BLOCK 94.242.214.86 (Type: outgoing, Port: 50540, Process: avastsvc.exe)
2012/04/01 05:11:23 +0100 USER-PC User IP-BLOCK 94.242.214.86 (Type: outgoing, Port: 50544, Process: avastsvc.exe)
2012/04/01 05:11:23 +0100 USER-PC User IP-BLOCK 94.242.214.86 (Type: outgoing, Port: 50545, Process: avastsvc.exe)
2012/04/01 05:40:50 +0100 USER-PC User IP-BLOCK 109.163.230.202 (Type: outgoing, Port: 52427, Process: avastsvc.exe)
2012/04/01 05:40:53 +0100 USER-PC User IP-BLOCK 109.163.230.202 (Type: outgoing, Port: 52434, Process: avastsvc.exe)
2012/04/01 05:49:04 +0100 USER-PC User IP-BLOCK 195.16.88.120 (Type: outgoing, Port: 52921, Process: avastsvc.exe)
2012/04/01 05:49:05 +0100 USER-PC User IP-BLOCK 195.16.88.120 (Type: outgoing, Port: 52922, Process: avastsvc.exe)
2012/04/01 05:49:05 +0100 USER-PC User IP-BLOCK 195.16.88.120 (Type: outgoing, Port: 52928, Process: avastsvc.exe)
2012/04/01 05:49:05 +0100 USER-PC User IP-BLOCK 195.16.88.120 (Type: outgoing, Port: 52929, Process: avastsvc.exe)
2012/04/01 05:56:14 +0100 USER-PC User IP-BLOCK 109.163.230.114 (Type: outgoing, Port: 53368, Process: avastsvc.exe)
2012/04/01 05:56:14 +0100 USER-PC User IP-BLOCK 109.163.230.114 (Type: outgoing, Port: 53369, Process: avastsvc.exe)
Last edited by Lorlan; 04 Apr 2012 at 18:25. Reason: Added methods of prevention that I've tried.
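Added example, not part of the original post and not code from Netgear or Virgin Media: a small Python script that parses the router's "[DoS attack]" lines quoted above and summarises them the way a defender would triage them before deciding what to block or report: how many distinct sources there are, which destination port and protocol they target, the time span and packet rate of the burst, and any entry whose destination is a private LAN address (such a line shows the router translated the packet through to an internal host, so that host's listening process is worth checking). The sample lines are a constructed subset copied from the log in the post plus one DHCP line; the regular expression is written for exactly that line format, which is an assumption about the firmware's logging.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the router log lines quoted in the post above,
# plus one DHCP line to show that non-attack entries are skipped by the parser.
SAMPLE_LOG = """\
[DoS attack]from source:123.7.87.215, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=112 ID=58666 PROTO=UDP SPT=1052 DPT=11416 - Mon, 2012-04-02 00:11:34
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=107 ID=17722 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:35
[DoS attack]from source:134.117.250.21, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=107 ID=17723 PROTO=UDP SPT=59780 DPT=11416 - Mon, 2012-04-02 00:11:35
[DoS attack]from source:62.92.55.56, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=51 ID=13917 PROTO=UDP SPT=59319 DPT=11416 - Mon, 2012-04-02 00:11:40
[DoS attack]from source:58.99.255.232, destination source:82.31.30.202 LEN=45 TOS=0x18 PREC=0x40 TTL=44 ID=23081 DF PROTO=UDP SPT=13699 DPT=11416 - Mon, 2012-04-02 00:11:40
[DoS attack]from source:24.116.58.221, destination source:192.168.0.8 LEN=130 TOS=0x18 PREC=0x40 TTL=47 ID=11717 PROTO=UDP SPT=59505 DPT=52184 - Mon, 2012-04-02 00:11:45
[DHCP IP: (192.168.0.3)] to MAC address 90:84:0D:0B:75:1C - Mon, 2012-04-02 00:19:59
"""

# Assumption: the firmware always logs "[DoS attack]" lines in the shape quoted in
# the post. The lazy ".*?" groups absorb TOS/PREC and the optional "DF" flag.
ENTRY_RE = re.compile(
    r"\[DoS attack\]from source:(?P<src>[\d.]+), destination source:(?P<dst>[\d.]+) "
    r"LEN=(?P<len>\d+) .*?TTL=(?P<ttl>\d+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) - \w+, (?P<ts>[\d-]+ [\d:]+)"
)


def parse_entries(text):
    """Return one dict per '[DoS attack]' line; DHCP/WLAN lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        for key in ("len", "ttl", "spt", "dpt"):
            e[key] = int(e[key])
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        entries.append(e)
    return entries


def summarize(entries):
    """Aggregate the parsed entries into the figures a defender triages on."""
    if not entries:
        return {"count": 0}
    by_src = Counter(e["src"] for e in entries)
    by_target = Counter((e["proto"], e["dpt"]) for e in entries)
    first = min(e["ts"] for e in entries)
    last = max(e["ts"] for e in entries)
    span = (last - first).total_seconds()
    # A destination inside RFC 1918 space means the router forwarded the packet
    # to a LAN host rather than dropping it at the WAN address: check that host.
    internal = [
        f"{e['src']} -> {e['dst']}:{e['dpt']}"
        for e in entries
        if ipaddress.ip_address(e["dst"]).is_private
    ]
    return {
        "count": len(entries),
        "distinct_sources": len(by_src),
        "top_sources": by_src.most_common(3),
        "top_targets": by_target.most_common(3),
        "span_seconds": span,
        "packets_per_second": len(entries) / span if span > 0 else float(len(entries)),
        "internal_destinations": internal,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_entries(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full log in the post, the same summary shows that nearly every logged packet is UDP to one destination port, that the sources repeat in small bursts rather than being a single sender, and that one line was forwarded to 192.168.0.8 on a different port; those three facts are what to bring to the ISP or to the LAN host's own firewall log, rather than adding sources one at a time to the router's block list.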