
HELP! I believe that our router and network hub are being attacked.

Okay, I really need lots of help with this. Recently our broadband has been cutting out and we lose phone and internet to our computers on our network. We still get access to our router but nothing loads or connects. We use AT&T Uverse for our ISP and we have a 3801HGV router. The problem happens randomly and until recently, I didn't know why it was happening. I have been on the line with the AT&T tech support and I have had 2 technicians come to our house. In the past 3 months I have had 2 routers replaced. The internet will cut out randomly and we won't be able to get it back for anywhere from 5 minutes to 4 hours. I connected to my router and accessed the logs only to find out that every time it goes out there are thousands of unknown inbound sessions stopped. They are all from the same group of IP addresses each time. It looks like this:

INF 2012-11-10T21:24:29-06:00 fw,fwmon src=37.221.160.59 dst=(our home ip) ipprot=17 sport=36245 dport=2294 Unknown inbound session stopped

It does that 1000s of times every second. I then looked up this IP and found that this one is coming from Romania, and the other ones come out of Singapore and Russia. I then proceeded to find that the reason we lose broadband connection is our router firewall disconnecting us in an attempt to stop the connections. This has been happening for about 1 1/2 weeks and during that time members of our wireless network have had fraudulent charges to their credit cards as well as stolen information, such as phone and email addresses. I really want to stop this from happening. We have disconnected our router and all our computers from the internet but, as a result, we cannot use our phone line, as well as several other functions that we need. I have to type this on my iPhone. I really need this to stop. It is not only us, I checked a few of my neighbors' router logs and they all have the same IP addresses doing the same thing, even if they have Comcast. This is driving me crazy. Any help I can get I will take, this is a serious issue.
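The question's log line has a regular structure (timestamp, src, dst, ipprot, sport, dport, message), so the "thousands per second from the same group of addresses" observation can be checked mechanically rather than by scrolling. The following is an added example, not code from the original post or from the 2Wire/AT&T gateway: it parses lines in that format, counts stopped sessions per source per second, flags the sources that exceed a threshold, and groups the offenders into /24 networks, which is the kind of range a block list on the router would target. The sample lines are constructed; the destination 203.0.113.7 is a documentation address standing in for "(our home ip)", and only 37.221.160.59 is taken from the question.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log in the format quoted in the question. Only
# 37.221.160.59 appears on the page; the other addresses are made up.
SAMPLE_LOG = """\
INF 2012-11-10T21:24:29-06:00 fw,fwmon src=37.221.160.59 dst=203.0.113.7 ipprot=17 sport=36245 dport=2294 Unknown inbound session stopped
INF 2012-11-10T21:24:29-06:00 fw,fwmon src=37.221.160.59 dst=203.0.113.7 ipprot=17 sport=36246 dport=2295 Unknown inbound session stopped
INF 2012-11-10T21:24:29-06:00 fw,fwmon src=37.221.160.59 dst=203.0.113.7 ipprot=17 sport=36247 dport=2296 Unknown inbound session stopped
INF 2012-11-10T21:24:29-06:00 fw,fwmon src=198.51.100.23 dst=203.0.113.7 ipprot=6 sport=51000 dport=80 Unknown inbound session stopped
INF 2012-11-10T21:24:30-06:00 fw,fwmon src=37.221.160.59 dst=203.0.113.7 ipprot=17 sport=36248 dport=2297 Unknown inbound session stopped
INF 2012-11-10T21:24:30-06:00 fw,fwmon src=37.221.160.60 dst=203.0.113.7 ipprot=17 sport=40001 dport=2298 Unknown inbound session stopped
INF 2012-11-10T21:24:30-06:00 fw,fwmon src=37.221.160.60 dst=203.0.113.7 ipprot=17 sport=40002 dport=2299 Unknown inbound session stopped
INF 2012-11-10T21:24:31-06:00 fw,fwmon src=198.51.100.23 dst=203.0.113.7 ipprot=6 sport=51001 dport=443 Unknown inbound session stopped
"""

# Field layout as shown in the question; "fw,fwmon" is the firewall facility tag.
LINE_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<ts>\S+)\s+fw,fwmon\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"ipprot=(?P<proto>\d+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+(?P<msg>.*)$"
)

PROTO_NAMES = {6: "tcp", 17: "udp"}  # IP protocol numbers seen in such logs


def parse_line(line):
    """Return a dict for one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),  # keeps the -06:00 offset
        "src": ip_address(d["src"]),
        "dst": ip_address(d["dst"]),
        "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
        "sport": int(d["sport"]),
        "dport": int(d["dport"]),
        "msg": d["msg"],
    }


def parse_log(text):
    """Parse every line; silently skips lines in other formats."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def per_second_rates(events):
    """Count stopped sessions per (second, source address)."""
    rates = Counter()
    for e in events:
        rates[(e["ts"].replace(microsecond=0), e["src"])] += 1
    return rates


def flood_sources(events, threshold):
    """Sources whose peak rate in any single second reaches `threshold`."""
    peak = defaultdict(int)
    for (_sec, src), n in per_second_rates(events).items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n >= threshold}


def summarize_by_prefix(sources, prefixlen=24):
    """Group offending sources into /prefixlen networks (block-list candidates)."""
    nets = Counter()
    for src in sources:
        nets[ip_network(f"{src}/{prefixlen}", strict=False)] += 1
    return nets


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    offenders = flood_sources(events, threshold=2)
    for src, n in offenders.items():
        print(f"{src}: peak {n} stopped sessions/second")
    for net, count in summarize_by_prefix(offenders).items():
        print(f"{net}: {count} flooding host(s)")
```

On the real log the threshold would be set in the hundreds or thousands per second, as the question describes; the sample uses 2 only so the toy data triggers it. The /24 grouping is a heuristic for choosing a range to block on the router, not proof that the whole range belongs to one operator.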


5 Answers

Chosen Solution

Sounds like someone is trolling fixed IP addresses looking for a weak firewall (router). Not much you can do here as they're attacking something that is exposed from the internet side (static IP address). Make sure to use a complex password on the router and reset it weekly for the time being (with a new password as well).

While limiting your exposure within your network or WiFi AP's is a good idea it won't help you here.

One possible cause here could have been someone internally hitting an internet site that monitored the IP address, and that is how your IP address was found to be static. It's best not to allow users internally to use this static address for outbound sessions so it is less likely to be discovered.

As you also need user access to the internet, you could try setting up a second router which does not have an assigned address (DHCP-assigned from your ISP), letting your users access it outward, and limit the inbound connections to a single host internally and control what is on this exposed bastion host.

For now I would see if you can get a new IP address, make sure you don't have a DNS record for it, and host as much as you can on a service provider's web server rather than trying to do it yourself.


Score 4

Comments:

from Owen Cunneely: On my network is a website server that hosts a website and a mail server, both of which are also firewall protected. None of this strange activity has affected anything inside the network and nothing has gotten through the router firewall. If it does manage to get through, there is still the xserve's firewall and then each computer's encryption and firewall.


Glad to hear nothing has gotten through. What I was proposing to do for the long haul is to create a split connection to the internet (think of it like two one-way streets going in different directions). In this case your static IP connection would be for inbound sessions from the internet that pass muster (ID'd & authenticated by you) via one router. The other router is strictly for outbound sessions from your users, and this router uses a DHCP-assigned address from your ISP, which will change (if set up correctly) per session. As it is only for outbound sessions, no session can enter from the internet. Using a second wired connection would also improve throughput if you find you are hitting the limit of the connection bandwidth.


Is your web server open for anyone to see (listed in DNS)? If so you may want to set up a mirrored server on your ISP's web services, then let them take the hit when the traffic load is high (good or bad traffic). Review a good DNS & BIND book on how to do this. Here are my two must-have books: "DNS and BIND, 5th Edition" http://shop.oreilly.com/product/97805961... and "DNS & Bind Cookbook" http://shop.oreilly.com/product/97805960...


I was thinking about doing something similar to this. I have an extra router that I might experiment doing this with. I might even purchase an extra line from AT&T to run a separate connection for the web server and mail server to keep the public ip separate from our private computers and keep other things from interfering. I have been DDOSed before by some angry site members but our router directs that to the xserve which can easily handle it. The only reason why I started to get concerned was because the xserve couldn't handle it. Thank you for the help, I have a few things to try now.


One other thing you can do is use a white list to block an IP address or a range of IP addresses. Here's an example from one router's manual: White listing


Score 1

Sounds like you need to take these steps.

Reset your router to default settings, then set the password to a new one from the default. Make sure your wireless is encrypted to let only those who know the password on. If you have a set number of computers on the wireless network, set up MAC filtering.


Score 0

To understand your problem, some more information would be helpful:

- do you use a static or a dynamic IP address?

- how do you point to your IP (which DNS service are you using)?

- which services are running behind your router (Domain server, Mail server, hosting services,...)?

Edit: I just did a quick checkup on the 2Wire thing you call a router.... never heard of this piece of electronics before but Google is my friend.

My advice: get that thing OFFLINE and continue using it as an AP for something you don't really need, or just scrap it. This "thing" is absolutely insufficient to act as a stand-alone router; it would rather drop packages than reject connections. For this and 100 other reasons automated attackers are able to punch holes into the firewall from time to time and just won't stop trying all over again and again because they never get fully blocked.

Recommendation: If your company, or let's say your network, is VERY small, you should at least invest 50-80 bucks for hardware which is able to:

- support a semi-basic but efficient firewall

- can handle a routing table large enough to manage your traffic

- suits your personal needs and desires

Typically for similar solutions I personally prefer to use devices running embedded LINUX and run them on custom firmware like DD-WRT. You can check out their website, they also have a huge router database which can help you with your hardware decision. For some devices you might prefer the genuine firmware but if they are listed there you can be sure that they will deliver the performance you need.


Score 0

Comments:

I am not really worried about them getting through. I do have a firewall set up and each of our computers has its own firewall and is FileVault encrypted. The router also runs all connections through an xserve that is running a firewall. The credit card thing turned out to be a mistake with the company that coincidentally happened at the same time this did. The router, according to AT&T, is actually set to disconnect broadband to protect itself from the attack. I called AT&T and they said that they have noticed this problem and it has actually been affecting the whole area. They are sending a tech out tomorrow to clear up the lines and to put the area hub back online (it was shut down by the pinging). Turns out this is not some angry person DDOSing me, but a bot somewhere DDOSing the whole area. Guess I will have to see what happens next.

Did you ever find an answer? It's happening to me and no one can help me. I mean no one.


Score 0

Comments:

The answer is to turn off your router or disconnect or turn off your computer when you're not home. What people can't see they can't access your systems.
