Kitz Forum

Internet => General Internet => Topic started by: 8062282 on September 29, 2019, 08:28:37 PM

Title: Ping of Death..
Post by: 8062282 on September 29, 2019, 08:28:37 PM
Hi - Can anybody advise if this would be a valid IP address doing a Ping of Death. Do they still do these DoS attacks?


Ping of Death Attack: IN=br0 OUT=ppp1.1 SRC=192.168.1.9 DST=194.150.176.123 LEN=80 TOS=0x00 PREC=0x00 TTL=5 PROTO=ICMP TYPE=8 CODE=0 ID=21043 SEQ=5 MARK=0x4000007
Title: Re: Ping of Death..
Post by: Alex Atkin UK on September 29, 2019, 10:55:26 PM
Quote
Hi - Can anybody advise if this would be a valid IP address doing a Ping of Death. Do they still do these DoS attacks?

Ping of Death Attack: IN=br0 OUT=ppp1.1 SRC=192.168.1.9 DST=194.150.176.123 LEN=80 TOS=0x00 PREC=0x00 TTL=5 PROTO=ICMP TYPE=8 CODE=0 ID=21043 SEQ=5 MARK=0x4000007

Looking at that, it looks like it's your own LAN host 192.168.1.9 that is doing the pinging.

Notice it says the traffic is coming from the br0 interface (the LAN) on the router and going OUT of ppp (the WAN).
Title: Re: Ping of Death..
Post by: burakkucat on September 30, 2019, 01:38:41 AM
The "DST=194.150.176.123" is interesting. It is not 8062282's current IPv4 address but one belonging to Lancashire County Council.

Puzzling.  ???
Title: Re: Ping of Death..
Post by: banger on September 30, 2019, 02:16:36 AM
Bot hijack?
Title: Re: Ping of Death..
Post by: 8062282 on September 30, 2019, 07:12:41 AM
Hi - I checked the IP & thought it was strange it was coming from the council. Hence me asking if it was a valid IP address. Thinking on, could it be some person sat in a library using the public computers?
Title: Re: Ping of Death..
Post by: Weaver on September 30, 2019, 07:15:30 AM
Is it genuine, not a spoofed source IP address?

Responsible ISPs are supposed to implement BCP 38 (https://tools.ietf.org/html/bcp38) to check for and prevent packets with spoofed source addresses from entering their networks. So that badness should not be happening nowadays if the word is getting through. I certainly do BCP 38 checking myself; I don’t allow packets to go out of my network if they have bogus source addresses, and I bin anything coming in if the source or dest address is obviously wrong in one of various ways. (This is OTT paranoia on my part, as my ISP does, I’m sure, do these checks anyway, but I don’t want to pay the costs of any junk traffic if it can be avoided.)
Title: Re: Ping of Death..
Post by: 8062282 on September 30, 2019, 07:17:28 AM
Hi - I have no idea. I know a lot of things can be hidden or changed. Strange it’s my own council.
Title: Re: Ping of Death..
Post by: ejs on September 30, 2019, 07:29:11 AM
I think it's more likely that something in your LAN was doing a traceroute (on Windows, using ICMP) to that IP address. That would explain the outbound direction and the low TTL. The detection as a "ping of death attack" is a false positive.
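An added example (my own code, not from any poster or from ZyXEL) that parses the log line quoted above and applies the reasoning in this thread: direction from the IN/OUT interfaces, the low TTL, and whether the packet is fragmented at all. It assumes the field names follow the Linux netfilter LOG format; the interface-name prefixes, the 30-hop TTL threshold and the constructed inbound line are my assumptions.

```python
import ipaddress
import re

# The router log line pasted by the original poster.
SAMPLE = ("Ping of Death Attack: IN=br0 OUT=ppp1.1 SRC=192.168.1.9 DST=194.150.176.123 "
          "LEN=80 TOS=0x00 PREC=0x00 TTL=5 PROTO=ICMP TYPE=8 CODE=0 ID=21043 SEQ=5 MARK=0x4000007")

# Constructed inbound line (the same two hosts, reversed) to show the other direction; not from the thread.
INBOUND = ("Ping of Death Attack: IN=ppp1.1 OUT=br0 SRC=194.150.176.123 DST=192.168.1.9 "
           "LEN=84 TOS=0x00 PREC=0x00 TTL=54 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1")

TRACEROUTE_TTL = 30  # assumption: tracert probes start at TTL 1 and rarely need more than ~30 hops


def parse_log(line):
    """Split a netfilter-style line into its label and a dict of the KEY=VALUE fields."""
    label, _, fields = line.partition(":")
    return label.strip(), dict(re.findall(r"(\w+)=(\S+)", fields))


def triage(line, lan_prefixes=("br",), wan_prefixes=("ppp",)):
    """Classify the entry the way the thread does: by direction, TTL and fragmentation, not by its label."""
    label, f = parse_log(line)
    src = ipaddress.ip_address(f["SRC"])
    outbound = f.get("IN", "").startswith(lan_prefixes) and f.get("OUT", "").startswith(wan_prefixes)
    echo_req = f.get("PROTO") == "ICMP" and f.get("TYPE") == "8"
    ttl, length = int(f.get("TTL", 0)), int(f.get("LEN", 0))
    # netfilter logs a bare MF flag and a FRAG= offset for fragments; a Ping of Death needs a
    # fragment chain that reassembles past 65535 bytes, so an unfragmented 80-byte echo cannot be one.
    fragmented = "FRAG" in f or re.search(r"\bMF\b", line) is not None
    if fragmented:
        verdict = "fragmented-icmp"        # worth a closer look at the whole fragment chain
    elif echo_req and outbound and ttl <= TRACEROUTE_TTL:
        verdict = "likely-traceroute"      # a LAN host probing hop by hop, e.g. Windows tracert
    elif echo_req and outbound:
        verdict = "ordinary-outbound-ping"
    else:
        verdict = "review"
    return {"label": label, "direction": "LAN->WAN" if outbound else "other",
            "src_is_private": src.is_private, "ttl": ttl, "len": length, "verdict": verdict}


if __name__ == "__main__":
    for entry in (SAMPLE, INBOUND):
        print(triage(entry))
```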
Title: Re: Ping of Death..
Post by: burakkucat on September 30, 2019, 04:55:37 PM
Quote
. . . it was coming from the council. Hence me asking if it was a valid IP address. Thinking on, could it be some person sat in a library using the public computers?

No, you've got that inverted. It is originating on your LAN and going to the local council.

I think ejs has proposed the most likely scenario.
Title: Re: Ping of Death..
Post by: 8062282 on October 01, 2019, 08:29:04 PM
Quote
No, you've got that inverted. It is originating on your LAN and going to the local council.

I think ejs has proposed the most likely scenario.


Is that bad? Should I be worried?
Title: Re: Ping of Death..
Post by: burakkucat on October 01, 2019, 10:57:40 PM
Quote
Is that bad? Should I be worried?

No, please don't worry about it.

From my "poking about", starting with the destination IPv4 address that you showed, it is clear that someone very local to you (if it wasn't you), using a device connected to your LAN, had performed a speed test to an Ookla server based in Preston.

It is unfortunate that your modem/router sees the (legitimate) traffic and classifies it as a "Ping of Death", thus ensuring that one (or more) entry(ies) are logged.

I see a similar effect when I am connected to an IRC server. My ZyXEL VMG1312-B10A logs it as "SYN Flooding" and so I have become accustomed to seeing the warnings when I review the logfile, daily.

A four word summary: You are not alone.  :)
Title: Re: Ping of Death..
Post by: 8062282 on October 02, 2019, 06:01:06 AM
Thanks B*cat. I do do the odd speed test so that answers that question 😄
Title: Re: Ping of Death..
Post by: Chrysalis on October 02, 2019, 04:16:11 PM
Some routers are so aggressive on anti-DDoS, e.g. on Fritz!Boxes it was known that if you enabled their anti-DDoS (on by default), it would rate-limit the TBB monitor pings.

There is even a discussion on OpenWrt right now where someone has picked up that there are rate-limit rules set by default that date back to ADSL days and can be hit with normal traffic loads in 2019. Generally I suggest disabling anti-DDoS type protections on routers, just make sure the basic default-deny firewall is enabled.
Title: Re: Ping of Death..
Post by: 8062282 on October 03, 2019, 07:51:46 PM
Quote
Some routers are so aggressive on anti-DDoS, e.g. on Fritz!Boxes it was known that if you enabled their anti-DDoS (on by default), it would rate-limit the TBB monitor pings.

There is even a discussion on OpenWrt right now where someone has picked up that there are rate-limit rules set by default that date back to ADSL days and can be hit with normal traffic loads in 2019. Generally I suggest disabling anti-DDoS type protections on routers, just make sure the basic default-deny firewall is enabled.


Thanks for that. I'll have a poke about in my settings..
Title: Re: Ping of Death..
Post by: burakkucat on October 03, 2019, 10:17:03 PM
Quote
Thanks for that. I'll have a poke about in my settings..

You are beginning to show a "curious kitteh" tendency!  :D

Have you previously mentioned the make & model of your modem/router? . . . I can't remember . . . If yes, I'm sure that someone will be able to tell you exactly where to find the configuration option.

Edited to add: Ah, I see it is a ZyXEL VMG8924-B10A (https://forum.kitz.co.uk/index.php/topic,23828.msg402248.html#msg402248) --

Quote
I'm on my 3rd modem. I had a Billion 7800DXL on ADSL & continued to use that when I was on BT ADSL. I then got a VMG3925-10B & now I'm using a VMG8924-B10A.

So login as "admin" (or "supervisor"), then take the "Security >>> Firewall >>> DoS" route and toggle the setting(s).
Title: Re: Ping of Death..
Post by: 8062282 on October 04, 2019, 06:04:39 AM
Definitely curious - Will set it up later. Thanks 😄
Title: Re: Ping of Death..
Post by: Alex Atkin UK on January 03, 2020, 01:43:37 AM
I remember on an old router I had on ADSL, I had to reduce the DoS detection interval as gaming traffic would immediately cause a DoS prevention trigger.