
DDOS attacks appearing in logs....



never seen this happen on any router I have owned...until now...?

 

[DoS Attack: SYN/ACK Scan] from source: 51.255.162.49, port 80, Sunday, March 11, 2018 20:27:20

 

Plus many more (France, Michigan, California, Hong Kong, Beijing etc etc) in logs (around 25 +)

 

Genuine attacks... or bogus....?

 


rebooted router to reset my IP

 

will continue to monitor

 

did notice weird issues (slow) yesterday and today when browsing...

 

hopefully not related to DDOS msgs... :unsure:


  • Administrators


It won't be due to that. More likely it's your ISP on a busy Sunday! Obviously make sure your Anti-Bufferbloat is set to Always if you think you might have congestion issues.


  • 1 month later...

hi as admin says router firewall is working. this was one ip i checked from my XR500 LOG

further digging: UKRAINE then BAHRAIN

There's a web site called blutmagie.de that shows the bandwidth for various TOR nodes. https://torstatus.blutmagie.de/

According to them, one of the fastest TOR nodes right now is "185.170.41.8". There's no registered hostname. And although it is one of the fastest, it is also marked as "hibernating". So my first question is: how can it be hibernating while also being one of the fastest nodes?

Then there's the registration information for this node: https://www.whois.com/whois/185.170.41.8 take a look at some of your log ip.

 


It says it's in Panama (country PA), but it registered through RIPE. (RIPE is for Europe, not Central or South America. The registrant for Panama should be LACNIC.) It also says it is registered to "Trump Tower".

inetnum: 185.170.41.0 - 185.170.41.255           

org: ORG-OA825-RIPE

netname: OKSERVERS

country: PA

admin-c: OL2665-RIPE

tech-c: OL2665-RIPE

status: ASSIGNED PA

mnt-by: CYBR-DMZ

created: 2017-01-31T19:51:49Z

last-modified: 2017-04-29T11:18:45Z

source: RIPE

organisation: ORG-OA825-RIPE

org-name: OKSERVERS

org-type: OTHER

address: TRUMP TOWER

abuse-c: ACRO1670-RIPE

mnt-ref: CYBR-DMZ

mnt-by: CYBR-DMZ

created: 2017-03-12T11:26:43Z

last-modified: 2017-03-12T11:26:43Z

source: RIPE # Filtered

Checking the abuse address (whois ACRO1670-RIPE) lists the address as "Panama TRUMP TOWER".

I'm assuming that the RIPE registration information is fake. In which case, it should be reported to RIPE so they can deallocate it. https://www.ripe.net/report-form The alternative is that it isn't fake -- in which case, why is Trump running a high-speed TOR node?

Edit: Formatting


  • Netduma Staff

As funny as that is I'd avoid looking at those logs in too much depth; the events shown there happen on every network and are very common. We added the logs panel for developers / engineers to use rather than customers - it can look as though something major is happening (like a hack from Trump Tower) but in reality it won't affect your experience.


Archived

This topic is now archived and is closed to further replies.
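One way to test the staff point above against an exported router log, added here as an example and not code from Netduma or from any poster: it parses entries in the layout of the log line quoted in the first post, groups them by source address, and separates scattered one-off hits from a source that repeats inside a short window. The `burst` and `window` thresholds are assumptions, and every sample line except the first is constructed using documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line layout copied from the single log entry quoted in the first post.
LINE_RE = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>\d{1,3}(?:\.\d{1,3}){3}), "
    r"port (?P<port>\d+), (?P<when>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
)

def parse(line):
    """Return (kind, source, port, timestamp), or None for any other log line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    when = datetime.strptime(m["when"], "%A, %B %d, %Y %H:%M:%S")
    return m["kind"], m["src"], int(m["port"]), when

def triage(lines, burst=10, window=timedelta(seconds=60)):
    """Per source: event count, peak events in any `window`, verdict (thresholds assumed)."""
    by_src, skipped = defaultdict(list), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1          # not a DoS entry, or an unknown layout
        else:
            by_src[rec[1]].append(rec[3])
    report = {}
    for src, times in by_src.items():
        times.sort()
        peak = lo = 0
        for hi, t in enumerate(times):   # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        verdict = "sustained" if peak >= burst else "background"
        report[src] = {"events": len(times), "peak": peak, "verdict": verdict}
    return report, skipped

# First line is from the thread; the rest are constructed (RFC 5737 addresses).
FMT = "[DoS Attack: SYN/ACK Scan] from source: {}, port 80, Sunday, March 11, 2018 {}"
SAMPLE = [
    FMT.format("51.255.162.49", "20:27:20"),
    FMT.format("192.0.2.10", "20:31:02"),
    FMT.format("198.51.100.23", "21:05:47"),
    "[Constructed non-matching entry] Sunday, March 11, 2018 21:10:00",
] + [FMT.format("203.0.113.7", f"22:00:{s:02d}") for s in range(12)]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A log like the one in the first post, with around 25 different sources each appearing once or twice, comes out as all "background"; only a source that keeps hitting inside the window is marked "sustained".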
