
router logs DoS attack from a local PC....

duke666

New Member
Joined
Aug 17, 2013
Messages
16 (0.00/day)
Hi Guys,

I recently purchased a new PC for the network and since then I keep losing connection to the broadband. Since I have had it, the network periodically slows right down, then disappears and after a few minutes comes back. A quick look into the EE Bright Box router log shows lots (and I mean lots) of attacks that appear to coincide with this:

Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)

The IP is the new PC. I have searched for this issue but I cannot find a definitive solution. I do know that simply unplugging or disabling the network card in the machine resolves the issue for the other devices.


Any help greatly appreciated...
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
27,028 (3.71/day)
bittorrent?
 
Joined
May 13, 2010
Messages
5,683 (1.12/day)
Are you running any backup software??
 

duke666

New Member
Joined
Aug 17, 2013
Messages
16 (0.00/day)
I don't believe so, and I had to Google 'bittorrent' to find out what it is.

The PC in question is a low power ITX machine running Windows 8. The only software I have on it is weather related. I use it to collect weather data and FTP to weather sites. Nothing else.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
27,028 (3.71/day)
maybe some virus/Trojan on that machine?
 
Joined
Feb 18, 2011
Messages
1,259 (0.26/day)
Could be many things, but here are my three best guesses:

  • Virus, Malware, etc
  • An issue with the DNS (try to flush the dns cache)
  • The PC in question has the same IP address as the router (check/modify the DHCP settings and/or do the configuration manually)

edit: perhaps copy+paste ipconfig /all here?
 
Joined
Oct 17, 2012
Messages
9,781 (2.33/day)
I ALSO found a log on My router for a Smurf D-DOS Today.

[DoS attack: Smurf] attack packets in last 20 sec from ip xxxxxxxxxxxxxxxxxxxx Friday, Sep 20,2013 05:03:20

as long as the router is picking it up, it SHOULD have been identified, and dealt with accordingly.

MAYBE a re-install?? if it IS an option that is.
 

duke666

New Member
Joined
Aug 17, 2013
Messages
16 (0.00/day)
Could be many things, but here are my three best guesses:

  • Virus, Malware, etc
  • An issue with the DNS (try to flush the dns cache)
  • The PC in question has the same IP address as the router (check/modify the DHCP settings and/or do the configuration manually)

edit: perhaps copy+paste ipconfig /all here?

Ok, I should have said more in my first post. I have completed a scan using Norton 360, nothing found.
I have just tried flushing the DNS cache but no better.
The IP on the PC is 192.168.1.48 and the router is 192.168.1.1. The other devices all have differing IPs too.

Here is the IP config from the PC causing the problems. Hope it helps.

Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\Mark>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Nightingale1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : default

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : default
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 60-A4-4C-B1-AE-9C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8d6a:1ae1:54d0:a78b%14(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.48(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 20 September 2013 14:32:14
Lease Expires . . . . . . . . . . : 22 September 2013 16:16:23
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 241214540
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-A9-9F-04-60-A4-4C-B1-AE-9C

DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.default:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : default
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:1c3a:2336:fde2:db2d(Preferred)
Link-local IPv6 Address . . . . . : fe80::1c3a:2336:fde2:db2d%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Users\Mark>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Mark>
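The Bright Box lines quoted in the first post name the source as IP(MAC) in colon notation, while ipconfig /all above prints the same adapter's Physical Address with dashes. This added Python example (not code from the thread or from the router vendor) parses such log lines, normalises the MAC so the two notations match, and reports the peak number of events per source in any 20-second window, which is the kind of counter a router's threshold-based DoS detector uses. The log lines are constructed from the format on the page, not a real capture.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log in the Bright Box format quoted in the thread.
ROUTER_LOG = """\
Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:28:18 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:28:40 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:29:02 2013 Possible DoS attack detected from 192.168.1.20(aa:bb:cc:dd:ee:ff)
Fri Sep 20 14:29:05 2013 Some unrelated router event
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"Possible DoS attack detected from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\((?P<mac>[0-9a-fA-F:-]{17})\)$"
)

def norm_mac(mac):
    """Make the router's aa:bb:.. form and ipconfig's AA-BB-.. form compare equal."""
    return mac.replace("-", ":").lower()

def parse_dos_events(text):
    """Return (datetime, ip, mac) for every DoS line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("ip"), norm_mac(m.group("mac"))))
    return events

def peak_rate(events, window_s=20):
    """Highest event count per (ip, mac) inside any fixed window_s-second bucket."""
    buckets = Counter()
    for ts, ip, mac in events:
        # Bucket on UTC-labelled seconds so results do not depend on the local zone.
        sec = int(ts.replace(tzinfo=timezone.utc).timestamp())
        buckets[((ip, mac), sec // window_s)] += 1
    peak = defaultdict(int)
    for (src, _), n in buckets.items():
        peak[src] = max(peak[src], n)
    return dict(peak)

def match_host(events, ipconfig_mac):
    """IPs in the log whose MAC equals the Physical Address from 'ipconfig /all'."""
    want = norm_mac(ipconfig_mac)
    return sorted({ip for _, ip, mac in events if mac == want})
```

With the sample above, `match_host(parse_dos_events(ROUTER_LOG), "60-A4-4C-B1-AE-9C")` ties the log entries to 192.168.1.48, and `peak_rate` shows that host producing three detections inside one 20-second bucket.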
 
Joined
Feb 18, 2011
Messages
1,259 (0.26/day)
- Disable NetBIOS, IPv6 and DHCPv6, you don't need those in your local environment, do you?
- Do you really need your own DNS server running?
- Disable VPN connection (just til testing/troubleshooting is over) (btw, is that tunnelbear)
- Router assigns *.48 to the PC, disable that rule for a test, and try a different IP and also Google's DNS on the PC at the same time (8.8.8.8 and 8.8.4.4)

let's see if anything changes.
 

duke666

New Member
Joined
Aug 17, 2013
Messages
16 (0.00/day)
OK, this is all a bit alien to me so please excuse me. Here's what I've done (or think I have done). In 'network connections/Ethernet status/properties' I have unticked 'TCP IPv6' and changed 192.168.1.48 to 192.168.1.105 (not sure how I did that...). I have also disabled the VPN. The 'ipconfig' below says that 'NetBios' is disabled but the properties box on the PC says that it is enabled - slightly confusing, and I could not see where to enable/disable this or the DNS server. Perhaps you could guide me to this please? As advised somewhere else, I have also disabled 'Microsoft network adapter multiplexor protocol'.

(btw, is that tunnelbear)
:confused:

Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\Mark>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Nightingale1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : default

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : default
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 60-A4-4C-B1-AE-9C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.105(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 20 September 2013 19:00:07
Lease Expires . . . . . . . . . . : 22 September 2013 19:00:06
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.default:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : default
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:2cc8:1581:3f57:fe96(Preferred)
Link-local IPv6 Address . . . . . : fe80::2cc8:1581:3f57:fe96%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
 
Joined
Feb 18, 2011
Messages
1,259 (0.26/day)
Well you did not say that you don't really know what you are doing. It's not a problem of course, but it changes things a little.

It's not even clear if the PC or the router is the problem at this time, so I suggested that you disable some unnecessary things which are usually known to cause many problems, sorry if those were too complicated.

  • You could reset some network related stuffz on the PC as a next step. Open an elevated command prompt (run as administrator), and enter the following on the PC:
    netsh int ip reset reset.log
    netsh int ipv6 reset
    netsh winsock reset
    netsh branchcache reset
    netsh advfirewall reset
    (note: You can export your current firewall rules in the "group policy" before the reset if it's needed for some reason)

  • Btw, would it be a problem to reset the router to the default settings if the things we are trying will not help? There is a menu point for that called "factory settings" (and also a little hole on the back if you prefer that one).. the Administrator username in the router after the reset would be admin and the password is probably on a sticker at the bottom of the router (special settings needed to go online with your ISP might also be necessary)
    This is not needed now (not yet), but perhaps the source of the problem is at the router and not the PC in question, so we may come to that eventually.

ps.: Do you have a second network card you could test in that PC and a different cable to rule out some hardware issues on the PC side?
 

duke666

New Member
Joined
Aug 17, 2013
Messages
16 (0.00/day)
Hi Ikaragu,
Well you did not say that you don't really know what you are doing.
My apologies - but learning quickly.

OK, the router has been reset several times over the past few weeks but no difference. However, after following your original guide to disable 'TCP IPv6', change the IP and disable the VPN, I did a little 'Googling' and found a lot of people having similar problems caused by the near constant 'ping' from the 'home network' and 'SSDP Discovery service'. So, before I retired last night I followed 'this guide'. This morning, checking the router log, no attacks and the broadband speed is solid @ 39/10. The only problem is now I have broken my own golden rule of changing one thing at a time and do not know the solution. Ever inquisitive, later I shall re-enable 'SSDP' and later the 'home network' and so on.

Do either of these items sound a possible cause to you?
 
Joined
Feb 18, 2011
Messages
1,259 (0.26/day)
Hi Ikaragu,

My apologies - but learning quickly.

OK, the router has been reset several times over the past few weeks but no difference. However, after following your original guide to disable 'TCP IPv6', change the IP and disable the VPN, I did a little 'Googling' and found a lot of people having similar problems caused by the near constant 'ping' from the 'home network' and 'SSDP Discovery service'. So, before I retired last night I followed 'this guide'. This morning, checking the router log, no attacks and the broadband speed is solid @ 39/10. The only problem is now I have broken my own golden rule of changing one thing at a time and do not know the solution. Ever inquisitive, later I shall re-enable 'SSDP' and later the 'home network' and so on.

Do either of these items sound a possible cause to you?

No, but I have to admit I do not have very extensive experience with SSDP. I have met several similar issues with local DNS and DHCP servers and also with some SPI firewalls, but UPnP/SSDP is something I never really liked or preferred to use.

I'm glad you have found a solution after all, well done. Perhaps you could contact the router manufacturer and see if they have a FW update or a solution of some kind with the problem you have.
 

duke666

New Member
Joined
Aug 17, 2013
Messages
16 (0.00/day)
As an update and maybe some more advice......

Earlier this morning I re-enabled 'SSDP Discovery Service' and rebooted. Network had been fine for about 8 hours, even with the occasional 'DoS attack' logged. Nothing like the quantity before. So, a few minutes ago I set up the 'VPN (home group)' network and the broadband crawled to a stop nearly instantly. I disabled/left the home group and rebooted and all good again. So, I conclude that it is the Windows 8 home group connection causing the problem. The other PCs on the network are all Windows 7 and are all connected in the home group trouble free.

I guess the questions are 1/why? 2/how can I transfer files/documents from this Windows 8 PC to others easily?
 
Joined
Feb 18, 2011
Messages
1,259 (0.26/day)
Simple network tunnelling definitely shouldn't cause DoS-attack-like symptoms in a router, it's a malfunction or a faulty device. The only thing I can think of is that you could try to loosen the strictness of the firewall a bit (like disable intrusion detection for example), but contacting the manufacturer would be the best choice, because it's a hardware or software problem with the router, and "normal" routers do not behave like this.

Good luck.
 
Joined
Jan 11, 2013
Messages
1,237 (0.30/day)
Consumer routers can be very finicky unfortunately. You might never figure it out. If you have another router you could use to test and see if the problem persists that would be cool.
 

duke666

New Member
Joined
Aug 17, 2013
Messages
16 (0.00/day)
it's a malfunction or a faulty device.

I do not believe that to be the case with the router in question. As previously stated, none of my Win7 machines cause this problem with the router, only the Win8 machines.

And, I can assure you that the 'DoS like' attacks not only slow the network down but actually prevent all network activity at their most frequent.

I did a clean install of Win8 on a PC today, nothing else. That causes the same problem until 'SSDP' is stopped and set to manual.

I simply use 'public' folder sharing now on the Win8 machines with 'SSDP' stopped.
 