
router logs DoS attack from a local PC....

duke666

#1
Hi Guys,

I recently purchased a new PC for the network and since then I keep losing connection to the broadband. Since I have had it the network periodically slows right down, then disappears and after a few minutes comes back. A quick look into the EE Bright Box router log shows lots (and I mean lots) of attacks that appear to coincide with this:

Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)

The IP is the new PC. I have searched for this issue but I cannot find a definitive solution. I do know that simply unplugging or disabling the network card in the machine resolves the issue for the other devices.


Any help greatly appreciated...
 

W1zzard

#2
bittorrent?
 
#3
Are you running any backup software??
 

duke666

#4
I don't believe so, and I had to Google 'bittorrent' to find out what it is.

The PC in question is a low power ITX machine running Windows 8. The only software I have on it is weather related. I use it to collect weather data and FTP to weather sites. Nothing else.
 

W1zzard

#5
maybe some virus/Trojan on that machine?
 
#6
Could be many things, but here are my three best guesses:

  • Virus, Malware, etc
  • An issue with the DNS (try to flush the dns cache)
  • The PC in question has the same IP address as the router (check/modify the DHCP settings and/or do the configuration manually)

edit: perhaps copy+paste ipconfig /all here?
 
#7
I ALSO found a log on my router for a Smurf D-DOS today.

[DoS attack: Smurf] attack packets in last 20 sec from ip xxxxxxxxxxxxxxxxxxxx Friday, Sep 20,2013 05:03:20

As long as the router is picking it up, it SHOULD have been identified, and dealt with accordingly.

MAYBE a re-install?? If it IS an option, that is.
 

duke666

#8
Ok, I should have said more in my first post. I have completed a scan using Norton 360, nothing found.
I have just tried flushing the DNS cache but no better.
The IP on the PC is 192.168.1.48 and the router is 192.168.1.1. The other devices all have differing IPs too.

Here is the IP config from the PC causing the problems. Hope it helps.

Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\Mark>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Nightingale1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : default

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : default
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 60-A4-4C-B1-AE-9C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8d6a:1ae1:54d0:a78b%14(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.48(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 20 September 2013 14:32:14
Lease Expires . . . . . . . . . . : 22 September 2013 16:16:23
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 241214540
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-A9-9F-04-60-A4-4C-B1-AE-9C

DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.default:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : default
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:1c3a:2336:fde2:db2d(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::1c3a:2336:fde2:db2d%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Users\Mark>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Mark>
 
#9
- Disable netbios ipv6 and dhcpv6, you don't need those in your local environment, do you?
- Do you really need your own DNS server running?
- Disable VPN connection (just til testing/troubleshooting is over) (btw, is that tunnelbear)
- Router assigns *.48 to the PC, disable that rule for a test, and try a different IP and also Google's DNS on the PC at the same time (8.8.8.8 and 8.8.4.4)

let's see if anything changes.
 

duke666

#10
OK, this is all a bit alien to me so please excuse me. Here's what I've done (or think I have done). In 'network connections/Ethernet status/properties' I have unticked 'TCP IPv6' and changed 192.168.1.48 to 192.168.1.105 (not sure how I did that...). I have also disabled the VPN. The 'ipconfig' below says that 'NetBios' is disabled but the properties box on the PC says that it is enabled - slightly confusing, and I could not see where to enable/disable this or the DNS server. Perhaps you could guide me to this please? As advised somewhere else, I have also disabled 'Microsoft network adapter multiplexor protocol'.

(btw, is that tunnelbear)
:confused:

Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\Mark>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Nightingale1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : default

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : default
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 60-A4-4C-B1-AE-9C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.105(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 20 September 2013 19:00:07
Lease Expires . . . . . . . . . . : 22 September 2013 19:00:06
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.default:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : default
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:2cc8:1581:3f57:fe96(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::2cc8:1581:3f57:fe96%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
 
#11
Well you did not say that you don't really know what you are doing. It's not a problem of course, but it changes things a little.

It's not even clear if the PC or the router is the problem at this time, so I suggested that you disable some unnecessary things which are usually known to cause many problems, sorry if those were too complicated.

  • You could reset some network related stuffz on the PC as a next step. Open an elevated command prompt (run as administrator), and enter the following on the PC:
    netsh int ip reset reset.log
    netsh int ipv6 reset
    netsh winsock reset
    netsh branchcache reset
    netsh advfirewall reset
    (note: You can export your current firewall rules in the "group policy" before the reset if it's needed for some reason)

  • Btw, would it be a problem to reset the router to the default settings if the things we are trying do not help? There is a menu item for that called "factory settings" (and also a little hole on the back if you prefer that one). The administrator username in the router after the reset would be admin and the password is probably on a sticker at the bottom of the router (special settings needed to go online with your ISP might also be necessary).
    This is not needed now (not yet), but perhaps the source of the problem is at the router and not the PC in question, so we may come to that eventually.

ps.: Do you have a second network card you could test in that PC and a different cable to rule out some hardware issues on the PC side?
 

duke666

#12
Hi Ikaragu,
Well you did not say that you don't really know what you are doing.
My apologies - but learning quickly.

OK, the router has been reset several times over the past few weeks but no difference. However, after following your original guide to disable 'TCP IPv6', change the IP and disable the VPN, I did a little 'Googling' and found a lot of people having similar problems caused by the near constant 'ping' from the 'home network' and 'SSDP Discovery service'. So, before I retired last night I followed 'this guide'. This morning, checking the router log, no attacks and the broadband speed is solid @ 39/10. The only problem is now I have broken my own golden rule of changing one thing at a time and do not know the solution. Ever inquisitive, later I shall re-enable 'SSDP' and later the 'home network' and so on.

Do either of these items sound a possible cause to you?
 
#13
No, but I have to admit I do not have very extensive experience with SSDP. I did meet several similar issues with local DNS and DHCP servers and also with some SPI firewalls, but UPnP/SSDP is something I never really liked or preferred to use.

I'm glad you have found a solution after all, well done. Perhaps you could contact the router manufacturer and see if they have a FW update or a solution of some kind with the problem you have.
 

duke666

#14
As an update and maybe some more advice......

Earlier this morning I re-enabled 'SSDP Discovery Service' and rebooted. Network had been fine for about 8 hours, even with the occasional 'DoS attack' logged. Nothing like the quantity before. So, a few minutes ago I set up the 'VPN (home group)' network and the broadband crawled to a stop nearly instantly. I disabled/left the home group and rebooted and all good again. So, I conclude that it is the Windows 8 home group connection causing the problem. The other PCs on the network are all Windows 7 and are all connected in the home group trouble free.

I guess the questions are 1/why? 2/how can I transfer files/documents from this Windows 8 PC to others easily?
 
#15
Simple network tunneling definitely shouldn't cause DoS-attack-like symptoms in a router; it's a malfunction or a faulty device. The only thing I can think of is that you could try to loosen the strictness of the firewall a bit (like disable intrusion detection for example), but contacting the manufacturer would be the best choice, because it's a hardware or software problem with the router, and "normal" routers do not behave like this.

Good luck.
 
#16
Consumer routers can be very finicky unfortunately. You might never figure it out. If you have another router you could use to test and see if the problem persists that would be cool.
 

duke666

#17
it's a malfunction or a faulty device.
I do not believe that to be the case with the router in question. As previously stated, none of my Win7 machines cause this problem with the router, only the Win8 machines.

And, I can assure you, that the 'DoS like' attacks not only slow the network down but actually prevent all network activity at their most frequent.

I did a clean install of Win8 on a PC today, nothing else. That causes the same problem until 'SSDP' is stopped and set to manual.

I simply use 'public' folder sharing now on the Win8 machines with 'SSDP' stopped.
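
An added example (not posted by anyone in this thread): a small Python parser for the router log format quoted in post #1, counting alerts per MAC address before and after a single configuration change so that one-change-at-a-time testing can be compared on numbers. Only the first three sample lines come from the thread; the rest of the sample and the change time are constructed assumptions. Counts are keyed on the MAC because the PC's IP changed from .48 to .105 in post #10 while the adapter stayed the same.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Constructed sample: first three lines are from post #1, the rest are invented.
SAMPLE_LOG = """\
Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:29:02 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Sat Sep 21 09:15:40 2013 Possible DoS attack detected from 192.168.1.105(60:a4:4c:b1:ae:9c)
this line is not a DoS entry and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"Possible DoS attack detected from (?P<ip>[\d.]+)\((?P<mac>[0-9A-Fa-f:]{17})\)$")

def norm_mac(mac):
    """Make router style (60:a4:..) and ipconfig style (60-A4-..) comparable."""
    return mac.replace("-", ":").lower()

def parse(log_text):
    """Yield (datetime, ip, mac) for each DoS entry; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, ip_address(m["ip"]), norm_mac(m["mac"])

def summarize(log_text, change_time):
    """Count alerts per MAC before/after one change, plus alerts per minute."""
    before, after, per_minute, ips = Counter(), Counter(), Counter(), {}
    for ts, ip, mac in parse(log_text):
        (before if ts < change_time else after)[mac] += 1
        per_minute[ts.replace(second=0)] += 1
        ips.setdefault(mac, set()).add(str(ip))
    return before, after, per_minute, ips

if __name__ == "__main__":
    change = datetime(2013, 9, 20, 19, 0)  # assumed time the one setting was changed
    before, after, per_minute, ips = summarize(SAMPLE_LOG, change)
    for mac in sorted(set(before) | set(after)):
        print(mac, sorted(ips[mac]), "before:", before[mac], "after:", after[mac])
    peak = max(per_minute, key=per_minute.get)
    print("busiest minute:", peak, "alerts:", per_minute[peak])
```

Paste the router's own log text in place of `SAMPLE_LOG` and set `change` to when a single setting (for example the SSDP service or the home group) was toggled.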