Kitz Forum
Internet => General Internet => Topic started by: 8062282 on September 29, 2019, 08:28:37 PM
-
Hi - Can anybody advise if this would be a valid IP address doing a Ping of Death? Do they still do these DoS attacks?
Ping of Death Attack: IN=br0 OUT=ppp1.1 SRC=192.168.1.9 DST=194.150.176.123 LEN=80 TOS=0x00 PREC=0x00 TTL=5 PROTO=ICMP TYPE=8 CODE=0 ID=21043 SEQ=5 MARK=0x4000007
-
Hi - Can anybody advise if this would be a valid IP address doing a Ping of Death? Do they still do these DoS attacks?
Ping of Death Attack: IN=br0 OUT=ppp1.1 SRC=192.168.1.9 DST=194.150.176.123 LEN=80 TOS=0x00 PREC=0x00 TTL=5 PROTO=ICMP TYPE=8 CODE=0 ID=21043 SEQ=5 MARK=0x4000007
Looking at that, it looks like it's your own LAN host 192.168.1.9 that is doing the pinging.
Notice it says the traffic is coming from the br0 interface (the LAN) on the router and going OUT of ppp (the WAN).
-
The "DST=194.150.176.123" is interesting. It is not 8062282's current IPv4 address but one belonging to Lancashire County Council.
Puzzling. ???
-
Bot hijack?
-
Hi - I checked the IP & thought it was strange it was coming from the council. Hence me asking if it was a valid IP address. Thinking on, could it be some person sat in a library using the public computers?
-
Is it genuine, not a spoofed source IP address?
Responsible ISPs are supposed to implement BCP 38 (https://tools.ietf.org/html/bcp38) to check for and prevent packets with spoofed source addresses from entering their networks. So that badness should not be happening nowadays if the word is getting through. I certainly do BCP 38 checking myself; I don’t allow packets to go out of my network if they have bogus source addresses, and I bin anything coming in if the source or dest address is obviously wrong in one of various ways. (This is OTT paranoia on my part, as my ISP does, I’m sure, do these checks anyway, but I don’t want to pay the costs of any junk traffic if it can be avoided.)
-
Hi - I have no idea. I know a lot of things can be hidden or changed. Strange it's my own council.
-
I think it's more likely that something in your LAN was doing a traceroute (on Windows, using ICMP) to that IP address. That would explain the outbound direction and the low TTL. The detection as a "ping of death attack" is a false positive.
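The two replies above (the direction reading from IN=br0 / OUT=ppp1.1, and the low-TTL traceroute explanation) can be turned into a small triage script. The following is an added example written for this thread, not code from the forum, the poster or ZyXEL: it parses the quoted log line, works out which way the packet was going, applies a BCP 38 style source-address sanity check for that direction, and tests the two things that would actually make an ICMP echo worth worrying about (a datagram longer than IPv4 allows, or a run of stepping TTLs to one destination). The interface names, the 192.168.1.0/24 LAN prefix, the 30-hop TTL ceiling and the extra sample lines are assumptions or constructed, as marked in the comments.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Assumptions taken from the interface names in the quoted log line.
LAN_IFACE = "br0"                                    # LAN bridge
WAN_IFACE_PREFIX = "ppp"                             # WAN side is ppp1.1
LAN_PREFIX = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet
MAX_IPV4_DATAGRAM = 65535    # the classic Ping of Death needs a reassembled datagram larger than this
TRACEROUTE_TTL_CEILING = 30  # assumption: normal echo requests start at TTL 64 or 128; tracert stops at 30 hops

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_router_log(line):
    """Turn 'Label: K1=V1 K2=V2 ...' into a dict; the label is kept under '_label'."""
    label, _, rest = line.partition(":")
    fields = dict(FIELD_RE.findall(rest))
    fields["_label"] = label.strip()
    return fields


@dataclass
class Verdict:
    direction: str        # "LAN->WAN", "WAN->LAN" or "other"
    spoofed_source: bool  # fails the BCP 38 style sanity check for its direction
    oversize: bool        # logged length alone exceeds the IPv4 maximum
    low_ttl_echo: bool    # ICMP echo request with a traceroute-like TTL
    notes: list = field(default_factory=list)


def triage(line):
    f = parse_router_log(line)
    src = ipaddress.ip_address(f["SRC"])
    ttl = int(f.get("TTL", "64"))
    length = int(f.get("LEN", "0"))
    in_if, out_if = f.get("IN", ""), f.get("OUT", "")

    if in_if == LAN_IFACE and out_if.startswith(WAN_IFACE_PREFIX):
        direction = "LAN->WAN"
    elif in_if.startswith(WAN_IFACE_PREFIX) and out_if == LAN_IFACE:
        direction = "WAN->LAN"
    else:
        direction = "other"

    # BCP 38 in miniature: what leaves the LAN must carry a LAN address, and what
    # arrives from the Internet must not claim a private, loopback or otherwise bogus source.
    if direction == "LAN->WAN":
        spoofed = src not in LAN_PREFIX
    elif direction == "WAN->LAN":
        spoofed = (src.is_private or src.is_loopback or src.is_link_local
                   or src.is_multicast or src.is_unspecified or src.is_reserved)
    else:
        spoofed = False

    oversize = length > MAX_IPV4_DATAGRAM
    echo_request = f.get("PROTO") == "ICMP" and f.get("TYPE") == "8"
    low_ttl_echo = echo_request and ttl <= TRACEROUTE_TTL_CEILING

    v = Verdict(direction, spoofed, oversize, low_ttl_echo)
    if direction == "LAN->WAN":
        v.notes.append(f"originates on the LAN ({src}) and goes out to {f['DST']}")
    if spoofed:
        v.notes.append("source address is impossible for this direction: drop it")
    if echo_request and not oversize:
        v.notes.append(f"LEN={length} is an ordinary echo request, not an oversize datagram")
    if low_ttl_echo:
        v.notes.append(f"TTL={ttl} is far below a normal initial TTL: consistent with traceroute")
    return v


def looks_like_traceroute(lines):
    """True when echo requests to one destination arrive with TTLs stepping up by one."""
    ttls_by_flow = {}
    for line in lines:
        f = parse_router_log(line)
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            ttls_by_flow.setdefault((f["SRC"], f["DST"]), []).append(int(f["TTL"]))
    return any(
        len(ttls) >= 3 and all(b == a + 1 for a, b in zip(ttls, ttls[1:]))
        for ttls in ttls_by_flow.values()
    )


# The line quoted in the thread, followed by constructed neighbours (the TTL 4 and TTL 6
# lines are not from the page) and one constructed inbound line with a private source.
PAGE_LINE = ("Ping of Death Attack: IN=br0 OUT=ppp1.1 SRC=192.168.1.9 DST=194.150.176.123 "
             "LEN=80 TOS=0x00 PREC=0x00 TTL=5 PROTO=ICMP TYPE=8 CODE=0 ID=21043 SEQ=5 MARK=0x4000007")
CONSTRUCTED_RUN = [
    PAGE_LINE.replace("TTL=5", "TTL=4").replace("SEQ=5", "SEQ=4"),
    PAGE_LINE,
    PAGE_LINE.replace("TTL=5", "TTL=6").replace("SEQ=5", "SEQ=6"),
]
CONSTRUCTED_INBOUND = ("Ping of Death Attack: IN=ppp1.1 OUT=br0 SRC=10.0.0.5 DST=192.168.1.9 "
                       "LEN=80 TOS=0x00 PREC=0x00 TTL=50 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1")

if __name__ == "__main__":
    for note in triage(PAGE_LINE).notes:
        print(note)
    print("stepping TTLs across the run:", looks_like_traceroute(CONSTRUCTED_RUN))
    print("inbound private source flagged:", triage(CONSTRUCTED_INBOUND).spoofed_source)
```

Run on the quoted line alone it reports a LAN-originated, ordinary-length echo request with a traceroute-like TTL; only when several lines to the same destination show TTLs stepping 4, 5, 6 does the traceroute reading become firm, which is why a router that labels a single 80-byte echo a "Ping of Death" is producing noise rather than a detection.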
-
. . . it was coming from the council. Hence me asking if it was a valid IP address. Thinking on, could it be some person sat in a library using the public computers?
No, you've got that inverted. It is originating on your LAN and going to the local council.
I think ejs has proposed the most likely scenario.
-
No, you've got that inverted. It is originating on your LAN and going to the local council.
I think ejs has proposed the most likely scenario.
Is that bad? Should I be worried?
-
Is that bad? Should I be worried?
No, please don't worry about it.
From my "poking about", starting with the destination IPv4 address that you showed, it is clear that someone very local to you (if it wasn't you), using a device connected to your LAN, had performed a speed test to an Ookla server based in Preston.
It is unfortunate that your modem/router sees the (legitimate) traffic and classifies it as a "Ping of Death", thus ensuring that one (or more) entry(ies) are logged.
I see a similar effect when I am connected to an IRC server. My ZyXEL VMG1312-B10A logs it as "SYN Flooding" and so I have become accustomed to seeing the warnings when I review the logfile, daily.
A four-word summary: You are not alone. :)
-
Thanks B*cat. I do do the odd speed test so that answers that question 😄
-
Some routers are so aggressive on anti-DDoS, e.g. on Fritz!Boxes it was known that if you enabled their anti-DDoS (on by default), it would rate limit the TBB monitor pings.
There is even a discussion on OpenWrt right now where someone has picked up that there are rate-limit rules set by default that date back to ADSL days and can be hit with normal traffic loads in 2019. Generally I suggest disabling anti-DDoS type protections on routers, just make sure the basic default-deny firewall is enabled.
-
Some routers are so aggressive on anti-DDoS, e.g. on Fritz!Boxes it was known that if you enabled their anti-DDoS (on by default), it would rate limit the TBB monitor pings.
There is even a discussion on OpenWrt right now where someone has picked up that there are rate-limit rules set by default that date back to ADSL days and can be hit with normal traffic loads in 2019. Generally I suggest disabling anti-DDoS type protections on routers, just make sure the basic default-deny firewall is enabled.
Thanks for that. I'll have a poke about in my settings..
-
Thanks for that. I'll have a poke about in my settings..
You are beginning to show a "curious kitteh" tendency! :D
Have you previously mentioned the make & model of your modem/router? . . . I can't remember . . . If yes, I'm sure that someone will be able to tell you exactly where to find the configuration option.
Edited to add: Ah, I see it is a ZyXEL VMG8924-B10A (https://forum.kitz.co.uk/index.php/topic,23828.msg402248.html#msg402248) --
I'm on my 3rd modem. I had a Billion 7800DXL on ADSL & continued to use that when I was on BT ADSL. I then got a VMG3925-10B & now I'm using a VMG8924-B10A.
So login as "admin" (or "supervisor"), then take the "Security >>> Firewall >>> DoS" route and toggle the setting(s).
-
Definitely curious - Will set it up later. Thanks 😄
-
I remember on an old router I had on ADSL, I had to reduce the DoS detection interval as gaming traffic would immediately cause a DoS prevention trigger.