
router logs DoS attack from a local PC....

Discussion in 'Networking & Security' started by duke666, Sep 20, 2013.

  1. duke666 New Member

    Joined:
    Aug 17, 2013
    Messages:
    16 (0.04/day)
    Thanks Received:
    1
    Hi Guys,

    I recently purchased a new PC for the network and since then I keep losing connection to the broadband. Since I have had it the network periodically slows right down, then disappears and after a few minutes comes back. A quick look into the EE Bright Box router log shows lots (and I mean lots) of attacks that appear to coincide with this:

    The IP is the new PC. I have searched for this issue but I cannot find a definitive solution. I do know that simply unplugging or disabling the network card in the machine resolves the issue for the other devices.


    Any help greatly appreciated...
  2. W1zzard

    W1zzard Administrator Staff Member

    Joined:
    May 14, 2004
    Messages:
    14,757 (3.93/day)
    Thanks Received:
    11,468
    bittorrent?
  3. remixedcat

    remixedcat

    Joined:
    May 13, 2010
    Messages:
    2,719 (1.74/day)
    Thanks Received:
    573
    Are you running any backup software??
  4. duke666 New Member

    Joined:
    Aug 17, 2013
    Messages:
    16 (0.04/day)
    Thanks Received:
    1
    I don't believe so, and I had to Google 'bittorrent' to find out what it is.

    The PC in question is a low power ITX machine running Windows 8. The only software I have on it is weather related. I use it to collect weather data and FTP to weather sites. Nothing else.
  5. W1zzard

    W1zzard Administrator Staff Member

    Joined:
    May 14, 2004
    Messages:
    14,757 (3.93/day)
    Thanks Received:
    11,468
    maybe some virus/Trojan on that machine?
  6. Ikaruga

    Ikaruga

    Joined:
    Feb 18, 2011
    Messages:
    868 (0.68/day)
    Thanks Received:
    182
    Could be many things, but here are my three best guesses:

    • Virus, Malware, etc
    • An issue with the DNS (try to flush the dns cache)
    • The PC in question has the same IP address as the router (check/modify the DHCP settings and/or do the configuration manually)

    edit: perhaps copy+paste ipconfig /all here?
  7. jboydgolfer

    jboydgolfer

    Joined:
    Oct 17, 2012
    Messages:
    532 (0.79/day)
    Thanks Received:
    82
    Location:
    Amherst , MA
    i ALSO found a log on My router for a Smurf D-DOS Today.

    [DoS attack: Smurf] attack packets in last 20 sec from ip xxxxxxxxxxxxxxxxxxxx Friday, Sep 20,2013 05:03:20

    as long as the router is picking it up, it SHOULD have been identified , and dealt with accordingly.

    MAYBE a re-install?? if it IS an option that is.
  8. duke666 New Member

    Joined:
    Aug 17, 2013
    Messages:
    16 (0.04/day)
    Thanks Received:
    1
    Ok, I should have said more in my first post. I have completed a scan using Norton 360, nothing found.
    I have just tried flushing the DNS cache but no better.
    The IP on the PC is 192.168.1.48 and the router is 192.168.1.1. The other devices all have differing IPs too.

    Here is the IP config from the PC causing the problems. Hope it helps.

  9. Ikaruga

    Ikaruga

    Joined:
    Feb 18, 2011
    Messages:
    868 (0.68/day)
    Thanks Received:
    182
    - Disable netbios ipv6 and dhcpv6, you don't need those in your local environment, do you?
    - Do you really need your own DNS server running?
    - Disable VPN connection (just until testing/troubleshooting is over) (btw, is that TunnelBear?)
    - Router assigns *.48 to the PC, disable that rule for a test, and try a different IP and also Google's DNS on the PC at the same time (8.8.8.8 and 8.8.4.4)

    let's see if anything changes.
  10. duke666 New Member

    Joined:
    Aug 17, 2013
    Messages:
    16 (0.04/day)
    Thanks Received:
    1
    OK, this is all a bit alien to me so please excuse me. Here's what I've done (or think I have done). In 'network connections/Ethernet status/properties' I have unticked 'TCP IPv6' and changed 192.168.1.48 to 192.168.1.105 (not sure how I did that...). I have also disabled the VPN. The 'ipconfig' below says that 'NetBios' is disabled but the properties box on the PC says that it is enabled - slightly confusing, and I could not see where to enable/disable this or the DNS server. Perhaps you could guide me to this please? As advised somewhere else, I have also disabled 'Microsoft network adapter multiplexor protocol'.

    :confused:

  11. Ikaruga

    Ikaruga

    Joined:
    Feb 18, 2011
    Messages:
    868 (0.68/day)
    Thanks Received:
    182
    Well you did not say that you don't really know what you are doing. It's not a problem of course, but it changes things a little.

    It's not even clear if the PC or the router is the problem at this time, so I suggested that you disable some unnecessary things which are usually known to cause many problems, sorry if those were too complicated.

    • You could reset some network related stuffz on the PC as a next step. Open an elevated command prompt (run as administrator), and enter the following on the PC:
      netsh int ip reset reset.log
      netsh int ipv6 reset
      netsh winsock reset
      netsh branchcache reset
      netsh advfirewall reset
      (note: You can export your current firewall rules in the "group policy" before the reset if it's needed for some reason)

    • Btw, Would it be a problem to reset the router to the default settings if the things we are trying will not help? There is a menu point for that called "factory settings" (and also a little hole on the back if you prefer that one).. the Administrator username in the router after the reset would be admin and the password is probably on a sticker at the bottom of the router (special settings needed to go online with your ISP might be also necessary)
      This is not needed now (not yet), but perhaps the source of the problem is at the router and not the PC in question, so we may come to that eventually.

    ps.: Do you have a second network card you could test in that PC and a different cable to rule out some hardware issues on the PC side?
    Last edited: Sep 21, 2013
  12. duke666 New Member

    Joined:
    Aug 17, 2013
    Messages:
    16 (0.04/day)
    Thanks Received:
    1
    Hi Ikaruga,
    My apologies - but learning quickly.

    OK, the router has been reset several times over the past few weeks but no difference. However, after following your original guide to disable 'TCP IPv6', change the IP and disable the VPN, I did a little 'Googling' and found a lot of people having similar problems caused by the near constant 'ping' from the 'home network' and 'SSDP Discovery service'. So, before I retired last night I followed 'this guide'. This morning, checking the router log, no attacks and the broadband speed is solid @ 39/10. The only problem is now I have broken my own golden rule of changing one thing at a time and do not know the solution. Ever inquisitive, later I shall re-enable 'SSDP' and later the 'home network' and so on.

    Do either of these items sound a possible cause to you?
  13. Ikaruga

    Ikaruga

    Joined:
    Feb 18, 2011
    Messages:
    868 (0.68/day)
    Thanks Received:
    182
    No, but I have to admit I do not have very extensive experience with SSDP. I did meet several similar issues with local DNS and DHCP server and also with some SPI firewalls, but UPnP/SSDP is something I never really liked or preferred to use.

    I'm glad you have found a solution after all, well done. Perhaps you could contact the router manufacturer and see if they have a FW update or a solution of some kind with the problem you have.
  14. duke666 New Member

    Joined:
    Aug 17, 2013
    Messages:
    16 (0.04/day)
    Thanks Received:
    1
    As an update and maybe some more advice......

    Earlier this morning I re-enabled 'SSDP Discovery Service' and rebooted. Network had been fine for about 8 hours, even with the occasional 'DoS attack' logged. Nothing like the quantity before. So, a few minutes ago I set up the 'VPN (home group)', network and the broadband crawled to a stop nearly instantly. I disabled/left the home group and rebooted and all good again. So, I conclude that it is the Windows 8 home group connection causing the problem. The other PCs on the network are all Windows 7 and are all connected in the home group trouble free.

    I guess the questions are 1/why? 2/how can I transfer files/documents from this Windows 8 PC to others easily?
  15. Ikaruga

    Ikaruga

    Joined:
    Feb 18, 2011
    Messages:
    868 (0.68/day)
    Thanks Received:
    182
    Simple network tunnelings definitely shouldn't cause DoS-attack-like symptoms in a router, it's a malfunction or a faulty device. The only thing I can think of is that you could try to loosen the strictness of the firewall a bit (like disable intrusion detection for example), but contacting the manufacturer would be the best choice, because it's a hardware or software problem with the router, and "normal" routers do not behave like this.

    Good luck.
  16. shovenose

    shovenose

    Joined:
    Jan 11, 2013
    Messages:
    797 (1.35/day)
    Thanks Received:
    132
    Consumer routers can be very finicky unfortunately. You might never figure it out. If you have another router you could use to test and see if the problem persists that would be cool.
  17. duke666 New Member

    Joined:
    Aug 17, 2013
    Messages:
    16 (0.04/day)
    Thanks Received:
    1
    I do not believe that to be the case with the router in question. As previously stated, none of my Win7 machines cause this problem with the router, only the Win8 machines.

    And, I can assure you, that the 'DoS like' attacks not only slow the network down but actually prevent all network activity at their most frequent.

    I did a clean install of Win8 on a PC today, nothing else. That causes the same problem until 'SSDP' is stopped and set to manual.

    I simply use 'public' folder sharing now on the Win8 machines with 'SSDP' stopped.
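
Added example, not part of any post in this thread: a Python script that tallies router DoS alerts by source, using the log line format quoted earlier in the thread, and marks which sources sit inside the LAN (the case the original poster describes, where the "attacker" is a local PC). The sample lines are constructed, and the bracketed-address variant and the 192.168.1.0/24 LAN range are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Line format as quoted in the thread; brackets around the address are optional.
LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] attack packets in last \d+ sec "
    r"from ip \[?(?P<src>[0-9.]+)\]?,? "
    r"\w+, (?P<ts>\w{3} \d{1,2},\s?\d{4} \d{2}:\d{2}:\d{2})"
)

# Constructed sample log (not taken from the thread's screenshots).
SAMPLE = [
    "[DoS attack: Smurf] attack packets in last 20 sec from ip 192.168.1.48 Friday, Sep 20,2013 05:03:20",
    "[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.48], Friday, Sep 20,2013 05:03:40",
    "[DoS attack: Smurf] attack packets in last 20 sec from ip 203.0.113.7 Friday, Sep 20,2013 05:04:00",
    "[DoS attack: Smurf] attack packets in last 20 sec from ip 192.168.1.48 Friday, Sep 20,2013 05:09:10",
    "[Admin login] from source 192.168.1.20 Friday, Sep 20,2013 05:10:00",
]

def parse(line):
    """Return (kind, source address, timestamp), or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:  # redacted or malformed address
        return None
    ts = datetime.strptime(m["ts"].replace(", ", ","), "%b %d,%Y %H:%M:%S")
    return m["kind"], src, ts

def triage(lines, lan="192.168.1.0/24"):  # LAN range is an assumption
    """Per-source alert count, first/last time seen, and whether it is a LAN host."""
    net = ipaddress.ip_network(lan)
    stats = {}
    for rec in filter(None, map(parse, lines)):
        kind, src, ts = rec
        s = stats.setdefault(str(src), {"count": 0, "kinds": set(), "first": ts,
                                        "last": ts, "local": src in net})
        s["count"] += 1
        s["kinds"].add(kind)
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return stats

if __name__ == "__main__":
    for ip, s in sorted(triage(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        where = "LAN host: inspect that machine" if s["local"] else "outside address"
        print(f"{ip:15} {s['count']:3} alerts {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S} {where}")
```

A source flagged as a LAN host points the investigation at that machine's own traffic (discovery services, sharing, malware) rather than at the internet side of the router.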
