Xmas/SYN-ACK Port Scan attack, Router lahm!

Limp0r · 23.01.2011, 13:52

Hallo,

Leider habe ich mir auf meinen Router (D-Link Dir-300) irgendetwas eingefangen.

Hier mal das Protokoll vom Router , sollte wohl aussagekräftig genug sein.

Code:

ATTFilter

"Jan 23 13:27:33  ","SYN-ACK port scan attack from WAN (ip:178.162.248.58) detected."
"Jan 23 13:15:44  ","Remote management is disabled."
"Jan 23 13:15:44  ","Block WAN PING is enabled."
"Jan 23 13:15:41  ","Remote management is disabled."
"Jan 23 13:15:41  ","Block WAN PING is enabled."
"Jan 23 13:15:41  ","DMZ disabled."
"Jan 23 13:15:39  ","DHCP: Client receive ACK from 80.69.97.196, IP=88.152.35.128, Lease time=3600."
"Jan 23 13:03:33  ","SYN-ACK port scan attack from WAN (ip:178.162.248.58) detected."
"Jan 23 12:45:42  ","Remote management is disabled."
"Jan 23 12:45:42  ","Block WAN PING is enabled."
"Jan 23 12:45:40  ","Remote management is disabled."
"Jan 23 12:45:40  ","Block WAN PING is enabled."
"Jan 23 12:45:40  ","DMZ disabled."
"Jan 23 12:45:39  ","DHCP: Client receive ACK from 80.69.97.196, IP=88.152.35.128, Lease time=3600."
"Jan 23 12:21:18  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:21:15  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:21:02  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:20:15  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:19:54  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:19:53  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:19:52  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:19:32  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:19:30  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:19:27  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:19:25  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:19:23  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:19:22  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:15:43  ","Remote management is disabled."
"Jan 23 12:15:43  ","Block WAN PING is enabled."
"Jan 23 12:15:41  ","Remote management is disabled."
"Jan 23 12:15:41  ","Block WAN PING is enabled."
"Jan 23 12:15:41  ","DMZ disabled."
"Jan 23 12:15:39  ","DHCP: Client receive ACK from 80.69.97.196, IP=88.152.35.128, Lease time=3600."
"Jan 23 12:15:33  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 12:15:30  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 11:45:42  ","Remote management is disabled."
"Jan 23 11:45:42  ","Block WAN PING is enabled."
"Jan 23 11:45:40  ","Remote management is disabled."
"Jan 23 11:45:40  ","Block WAN PING is enabled."
"Jan 23 11:45:40  ","DMZ disabled."
"Jan 23 11:45:39  ","DHCP: Client receive ACK from 80.69.97.196, IP=88.152.35.128, Lease time=3600."
"Jan 23 11:42:10  ","Xmas port scan attack from WAN (ip:17.172.236.154) detected."
"Jan 23 11:41:22  ","Xmas port scan attack from WAN (ip:17.172.236.154) detected."
"Jan 23 11:40:59  ","Xmas port scan attack from WAN (ip:17.172.236.154) detected."
"Jan 23 11:40:47  ","Xmas port scan attack from WAN (ip:17.172.236.154) detected."
"Jan 23 11:40:38  ","Xmas port scan attack from WAN (ip:17.172.236.154) detected."
"Jan 23 11:40:36  ","Xmas port scan attack from WAN (ip:17.172.236.154) detected."
"Jan 23 11:40:36  ","Xmas port scan attack from WAN (ip:17.172.236.154) detected."
"Jan 23 11:22:58  ","Xmas port scan attack from WAN (ip:65.254.218.140) detected."
"Jan 23 11:15:45  ","Remote management is disabled."
"Jan 23 11:15:45  ","Block WAN PING is enabled."
"Jan 23 11:15:45  ","DMZ disabled."
"Jan 23 11:15:43  ","DHCP: Client receive ACK from 80.69.97.196, IP=88.152.35.128, Lease time=3595."
"Jan 23 11:15:42  ","DHCP: Client send REQUEST to server 80.69.97.196, request IP=88.152.35.128."
"Jan 23 11:15:42  ","DHCP: Client receive OFFER from 80.69.97.196."
"Jan 23 11:15:42  ","DHCP: Client send DISCOVER."
"Jan 23 11:15:39  ","Remote management is disabled."
"Jan 23 11:15:39  ","Block WAN PING is enabled."
"Jan 23 11:03:29  ","Remote management is disabled."
"Jan 23 11:03:29  ","Block WAN PING is enabled."
"Jan 23 11:03:03  ","Remote management is disabled."
"Jan 23 11:03:03  ","Block WAN PING is enabled."
"Jan 23 11:03:01  ","Remote management is disabled."
"Jan 23 11:03:01  ","Block WAN PING is enabled."
"Jan 23 10:59:32  ","Remote management is disabled."
"Jan 23 10:59:32  ","Block WAN PING is enabled."
"Jan 23 10:59:08  ","Remote management is disabled."
"Jan 23 10:59:08  ","Block WAN PING is enabled."
"Jan  1 00:00:54  ","Remote management is disabled."
"Jan  1 00:00:54  ","Block WAN PING is enabled."
"Jan  1 00:00:53  ","Remote management is disabled."
"Jan  1 00:00:53  ","Block WAN PING is enabled."
"Jan  1 00:00:50  ","Remote management is disabled."
"Jan  1 00:00:50  ","Block WAN PING is enabled."
"Jan  1 00:00:47  ","DHCP: Server sending ACK to 192.168.2.101. (Lease time = 604800)"
"Jan  1 00:00:47  ","DHCP: Server receive REQUEST from 00:1c:bf:7f:f0:0b."
"Jan  1 00:00:44  ","Remote management is disabled."
"Jan  1 00:00:44  ","Block WAN PING is enabled."
"Jan  1 00:00:41  ","Remote management is disabled."
"Jan  1 00:00:41  ","Block WAN PING is enabled."
"Jan  1 00:00:41  ","DMZ disabled."
"Jan  1 00:00:40  ","DHCP: Client receive ACK from 80.69.97.196, IP=88.152.35.128, Lease time=2378."
"Jan  1 00:00:38  ","DHCP: Client send REQUEST to server 80.69.97.196, request IP=88.152.35.128."
"Jan  1 00:00:38  ","DHCP: Client receive OFFER from 80.69.97.196."
"Jan  1 00:00:38  ","DHCP: Client send DISCOVER."
"Jan  1 00:00:32  ","VPN (L2TP) Pass-Through enabled."
"Jan  1 00:00:32  ","VPN (IPSec) Pass-Through enabled."
"Jan  1 00:00:31  ","VPN (PPTP) Pass-Through enabled."
"Jan  1 00:00:31  ","Domain blocking disabled."
"Jan  1 00:00:31  ","URL blocking disabled."
"Jan  1 00:00:31  ","MAC filter disabled."
"***************  ","System started."

Die Firewall am Router ist aktiviert , kann auch Firewall Regeln festlegen, weiß aber nicht genau was ich in jedes Feld eintippen sollte. Hier mal ein Screenshot:

Bei Destination kann man LAN und WAN auswählen.

Die Portweiterleitungen hab ich bis auf weiteres erstmal Deaktiviert hat nicht geholfen.

Auf WAN Ping antworten, sowie DMZ ist auch deaktiviert.

In einem anderen Thread habe ich gelesen es soll geholfen haben , die Router IP zu ändern. Ich habe sie von 192.168.0.1 auf [...].2.1 geändert. Glaube aber nicht , dies hat aber nicht geholfen.

Firmware ist die "neuste" vom Sat 05 Jul 2008 , v. 1.04
Ich hoffe ihr könnt mir helfen!

cosinus · 24.01.2011, 10:50

Was heißt eingefangen, da machen welche Portscans auf deinem Router, wirklich verhindern kannst du das so nicht. Ein Port-Scan an sich ist auch kein Angriff.
Was war überhaupt der Anlass, dass du in den Router reingeguckt hast?

Zitat:

Ich habe sie von 192.168.0.1 auf [...].2.1 geändert. Glaube aber nicht , dies hat aber nicht geholfen.

Wie soll das auch helfen? Das ist die interne (LAN-)Adresse des Routers. Hat mit der WAN-IP-Nummer nichts zu tun.

Limp0r · 24.01.2011, 16:38

Zitat:

Zitat von cosinus

Was heißt eingefangen, da machen welche Portscans auf deinem Router, wirklich verhindern kannst du das so nicht. Ein Port-Scan an sich ist auch kein Angriff.
Was war überhaupt der Anlass, dass du in den Router reingeguckt hast?

Wie soll das auch helfen? Das ist die interne (LAN-)Adresse des Routers. Hat mit der WAN-IP-Nummer nichts zu tun.

Naja das Internet wurd halt mega lahm und dann wollte ich den Router ma neustarten , hab ich halt auch mal ins protokoll reingeschaut.
Finds nur dumm das der ping auf 2000 springt sobald man so angepingt wird.
Liegt das am router , hab hier noch nen Speedport von Telekom rumfliegen , bei unserem Provider wechsel nach Unitymedia wurde der D-Link angeschlossen.

Wie kann man denn seine WAN-IP ändern, bzw geht das überhaupt?

cosinus · 24.01.2011, 20:01

Machst du rein zufällig sowas wie P2P während die "Angriffe" protokolliert werden? Mit P2P meine ich Tauschbörsenprogramme, also sowas wie Azureus/Bittorrent/µTorrent, eMule und Konsorten

24.01.2011, 20:01	#4
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Xmas/SYN-ACK Port Scan attack, Router lahm! Machst du rein zufällig sowas wie P2P während die "Angriffe" protokolliert werden? Mit P2P meine ich Tauschbörsenprogramme, also sowas wie Azureus/Bittorrent/µTorrent, eMule und Konsorten __________________ Logfiles bitte immer in CODE-Tags posten

Xmas/SYN-ACK Port Scan attack, Router lahm!

Plagegeister aller Art und deren Bekämpfung: Xmas/SYN-ACK Port Scan attack, Router lahm!