My D-Link DIR-100 router seems to constantly log various attacks. In the router’s web interface, in the Status–>Log section, I notice that DOS attacks are directed at me every other minute or so. A typical log could read something like:
Mar 28 12:52:06 | DOS [TCP]: Attack Incoming xxx.xx.xxx.xx->0.0.0.0 [FIN Scan], or
Mar 28 12:52:11 | DOS [TCP]: Attack Incoming xxx.xx.xxx.xx->0.0.0.0 [ACK Scan], for example.
Other logs are for UDP attacks, incoming or outgoing, and vary between so-called FIN, ACK, SYN, UDP and Hybrid scans. The “attacks” (if that is really what they are) occur every five minutes or less.
What should I make of all this? Am I being exposed to real threats that my router protects me from, or is this perfectly normal?
Some technical info, which may or may not be useful:
My router is set up to protect against DoS, and SPI is enabled.
Both UPnP and WAN Ping Response are disabled.
I use dynamic IP.
The ShieldsUp firewall test indicates that all my ports are fully stealthed (via the router).
CIS doesn’t report any intrusive activity at all.
Any comment on this would be much appreciated. Please let me know if you need any more info.
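To get a feel for what a log like the one quoted above actually says, it helps to parse the entries rather than eyeball them: group the hits by source address, see which probe types each source sent, and how closely spaced they are. The script below is an added example written for this thread, not something from the original post or from D-Link. It assumes the line layout shown in the post (`Mon DD HH:MM:SS | DOS [TCP|UDP]: Attack Incoming|Outgoing src->dst [Kind Scan]`); the sample lines are constructed, with addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, and the "outgoing means LAN-originated" reading is an assumption, not documented DIR-100 behaviour.

```python
import re
from collections import Counter
from datetime import datetime

# Line layout as quoted in the post (an assumption about the DIR-100 format):
#   "Mar 28 12:52:06 | DOS [TCP]: Attack Incoming a.b.c.d->0.0.0.0 [FIN Scan]"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s*\|\s*"
    r"DOS\s+\[(?P<proto>TCP|UDP)\]:\s+Attack\s+(?P<dir>Incoming|Outgoing)\s+"
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+)\s+\[(?P<kind>[^\]]+)\]\s*$"
)

# Constructed sample log; these are NOT real entries from the thread.
SAMPLE_LOG = """\
Mar 28 12:52:06 | DOS [TCP]: Attack Incoming 192.0.2.10->0.0.0.0 [FIN Scan]
Mar 28 12:52:11 | DOS [TCP]: Attack Incoming 192.0.2.10->0.0.0.0 [ACK Scan]
Mar 28 12:57:02 | DOS [UDP]: Attack Incoming 192.0.2.77->0.0.0.0 [UDP Scan]
Mar 28 12:59:40 | DOS [TCP]: Attack Incoming 192.0.2.10->0.0.0.0 [SYN Scan]
Mar 28 13:01:15 | DOS [TCP]: Attack Outgoing 198.51.100.5->0.0.0.0 [Hybrid Scan]
this line is not a DOS entry and is skipped
"""


def parse_line(line, year=2011):
    """Return a dict for one DOS log entry, or None for anything else.
    The router log carries no year, so one is supplied for timestamp math."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": m["proto"], "dir": m["dir"],
            "src": m["src"], "dst": m["dst"], "kind": m["kind"]}


def summarize(lines, year=2011):
    """Group entries by scan kind and by source; per source, record the
    distinct probe types seen and the shortest interval between hits."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_kind = Counter(e["kind"] for e in events)
    per_src = {}
    for src in {e["src"] for e in events}:
        hits = [e for e in events if e["src"] == src]
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        per_src[src] = {
            "hits": len(hits),
            "kinds": sorted({e["kind"] for e in hits}),
            "min_gap_s": min(gaps) if gaps else None,
            "outgoing": any(e["dir"] == "Outgoing" for e in hits),
        }
    return {"events": len(events), "by_kind": dict(by_kind), "per_src": per_src}


def assess(info, burst_seconds=60):
    """Rough triage label for one source, based only on what the log shows."""
    if info["outgoing"]:
        # Assumption: "Outgoing" means the router saw the source on the LAN
        # side, so this is the case to check on the inside first.
        return "outgoing"
    if (info["hits"] > 1 and len(info["kinds"]) > 1
            and info["min_gap_s"] is not None and info["min_gap_s"] <= burst_seconds):
        return "repeat scanner"  # several probe types from one host, close together
    if info["hits"] > 1:
        return "repeat hits"
    return "one-off probe"  # single hit: ordinary Internet background noise


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print(f"{summary['events']} entries, by kind: {summary['by_kind']}")
    for src, info in sorted(summary["per_src"].items()):
        print(f"{src:>14}  hits={info['hits']}  kinds={info['kinds']}  "
              f"min_gap={info['min_gap_s']}  -> {assess(info)}")
```

Paste the router's log text into a file and feed its lines to `summarize()`. A source that shows up once and never again is the normal background scanning every public address receives; a source that sends several probe types within a minute is a deliberate port scan of your address, which a stealthed router simply drops.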
It looks like NMAP scanning, but I need to make sure.
Show me the log screenshots or text.
You should show me the attacker’s IP and ports (src/dst); then I can analyze it.
I don’t think it’s normal noise.
Scanning or a worm from a zombie PC.
Here’s a screenshot of a recent log. The IP belongs, as far as I can tell, to RIPE. On another log page (not shown here) there seem to be “attacks” associated with Google’s IP.
Occasionally, I’m having problems with my internet connection being extremely slow (I’m on 100Mbit fibre). It’s usually solvable by rebooting the router from its interface. If I had to guess I’d say it’s got something to do with DNS…
Thanks for your help, but that screenshot was actually from a dual-booted Ubuntu which I’m playing around with a little, so I’m not using CIS at the moment. The basic pattern still applies regardless of operating system, though.
Aha. Well, I don’t really see why the router would block something from the Comodo site, especially since the time stamps in the log don’t match my visits to this site, but I guess you might be on to something anyway.
I’ll have a look at my router configuration once more to see if there’s something wrong…