Zombie Army

Posted: Mon Oct 06, 2014 8:10 am
by Guest
Hello,

Just to be clear: I do NOT get my connectivity from Sonic, although I am a Sonic customer.

Has anyone else noticed in their router logs recently a large amount of port 0 WinNuke DoS attacks?

Here's but a small example:
  • [DoS Attack: WinNuke Attack] from source: 211.110.212.10, port 0, Monday, October 06,2014 07:00:28
  • [DoS Attack: WinNuke Attack] from source: 162.243.140.188, port 0, Monday, October 06,2014 07:00:09
  • [DoS Attack: WinNuke Attack] from source: 220.165.8.25, port 0, Monday, October 06,2014 06:56:31
  • [DoS Attack: WinNuke Attack] from source: 91.205.172.31, port 0, Monday, October 06,2014 06:53:38
  • [DoS Attack: WinNuke Attack] from source: 178.132.204.107, port 0, Monday, October 06,2014 06:53:00
  • [DoS Attack: WinNuke Attack] from source: 108.171.188.245, port 0, Monday, October 06,2014 06:52:36
  • [DoS Attack: WinNuke Attack] from source: 162.243.172.187, port 0, Monday, October 06,2014 06:51:28
  • [DoS Attack: WinNuke Attack] from source: 67.213.94.4, port 0, Monday, October 06,2014 06:47:35
  • [DoS Attack: WinNuke Attack] from source: 82.222.7.139, port 0, Monday, October 06,2014 06:47:04
  • [DoS Attack: WinNuke Attack] from source: 173.214.248.92, port 0, Monday, October 06,2014 06:46:05
While the overwhelming bulk are WinNuke, also sprinkled in there are these:
  • [DoS Attack: Xmas Tress Scan] from source: 23.253.49.8, port 0, Monday, October 06,2014 07:01:30
  • [DoS Attack: FIN Scan] from source: 199.91.67.202, port 0, Monday, October 06,2014 06:45:13
  • [DoS Attack: SYN/RST Scan] from source: 50.57.121.204, port 0, Monday, October 06,2014 06:26:36
  • [DoS Attack: NULL Scan] from source: 46.184.254.122, port 0, Sunday, October 05,2014 14:22:54
  • [DoS Attack: IMAP Scan] from source: 62.75.171.110, port 0, Sunday, October 05,2014 14:19:44
  • [DoS Attack: RST Scan] from source: 198.46.157.71, port 0, Sunday, October 05,2014 14:15:14
These port 0 DoS attacks appear to be all stopped at the router, but annoyingly they are cluttering the log. It is my understanding that WinNuke was a Windows 95 DoS attack that was patched ages ago, and I'm not running Windows 95. I checked the timing, but it doesn't appear to be related to the recent poorly conceived AVAST forced update fiasco that's currently going on. The IP addresses are not coming from a single country. Clearly the low number of attacks does not rise to the level of a personal attack. Besides, I've already changed my IP address twice in case the previous user upset someone, but they keep coming. So that leaves a Zombie attack against my provider and perhaps providers.

I know that there is nothing the good folks at Sonic can specifically do about this, and riding it out is probably the only thing I can do about this, but I was wondering just how widespread these DoS attacks had reached. And any other info anyone cared to share. Thanks.

Re: Zombie Army

Posted: Wed Oct 08, 2014 2:05 pm
by Guest
No one?

Re: Zombie Army

Posted: Wed Oct 08, 2014 2:15 pm
by dane
If you look at firewall logs, you will see that attacks of many sorts are constant. I heard it recently reported that an older Windows box, if placed on the Internet unpatched, will be compromised within an average of eighty seconds. At a recent presentation by the FBI to service providers that I attended, the agent characterized this sort of thing as "background noise". Patch your systems, and move on with life.

Re: Zombie Army

Posted: Thu Oct 09, 2014 11:33 am
by kevinmcm
That's normal background hacking. You're probably getting 10 to 300 hacking attempts per minute per IP address.

The legit networks listed there - Digital Ocean, CONTABO, Selectel, Rackspace, etc. - will take action if you contact them with good logs. It's a bit of a whack-a-mole game but sometimes it helps when you have limited DSL throughput.

China and Korea don't care that their customers are attacking you and almost none of the government operated networks have valid contacts. All that you can do is tune your firewall so that it minimizes wasted bandwidth and CPU time. For example, dropping China's and Korea's packets is much more efficient than letting your server send a proper protocol-level reply. Taiwan is similar but their attacks usually target port 25.
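The original post asks how to tell this burst apart from the usual background, and kevinmcm's replies suggest sending the responsible networks "good logs" and dropping unwanted sources rather than answering them. The script below is an added example (not code from the thread, from Sonic, or from any router vendor) that parses lines in the same format the original post quoted, counts events per attack type and per source, measures the peak rate in a sliding window so a campaign stands out from a trickle, and prints a per-source excerpt suitable for an abuse report. The sample log lines are constructed for the example (a few sources repeat on purpose), and the `drop_rules` output assumes an iptables host; both are assumptions, not facts from the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the same format as the router log excerpt in the
# original post: attack name, source IP, port, weekday, timestamp.
SAMPLE_LOG = """\
[DoS Attack: WinNuke Attack] from source: 211.110.212.10, port 0, Monday, October 06,2014 07:00:28
[DoS Attack: WinNuke Attack] from source: 162.243.140.188, port 0, Monday, October 06,2014 07:00:09
[DoS Attack: WinNuke Attack] from source: 162.243.140.188, port 0, Monday, October 06,2014 06:58:40
[DoS Attack: WinNuke Attack] from source: 220.165.8.25, port 0, Monday, October 06,2014 06:56:31
[DoS Attack: Xmas Tress Scan] from source: 23.253.49.8, port 0, Monday, October 06,2014 07:01:30
[DoS Attack: FIN Scan] from source: 199.91.67.202, port 0, Monday, October 06,2014 06:45:13
[DoS Attack: TCP/UDP Chargen] from source: 198.46.157.71, port 19, Sunday, October 05,2014 14:15:14
"""

LINE_RE = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+), "
    r"port (?P<port>\d+), (?P<day>\w+), "
    r"(?P<date>\w+ \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)


def parse_line(line):
    """Turn one router log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("date"), "%B %d,%Y %H:%M:%S")
    return {"kind": m.group("kind"), "src": m.group("src"),
            "port": int(m.group("port")), "ts": ts}


def parse_log(text):
    """Parse every recognisable line and return the events in time order."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def summarize(events):
    """Counts per attack kind and per source address."""
    return (Counter(e["kind"] for e in events),
            Counter(e["src"] for e in events))


def dominant_kind(by_kind):
    """Most frequent attack kind and its share of all events."""
    kind, n = by_kind.most_common(1)[0]
    return kind, n / sum(by_kind.values())


def peak_count(events, window=timedelta(minutes=15)):
    """Largest number of events inside any window of the given length.
    Background noise gives a small, steady number; a campaign like the one in
    the original post gives a number far above that baseline."""
    times = [e["ts"] for e in events]  # already sorted by parse_log
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def repeat_offenders(by_src, min_hits=2):
    """Sources seen at least min_hits times; these are worth reporting."""
    return sorted(s for s, n in by_src.items() if n >= min_hits)


def report_for_source(events, src):
    """Time-ordered lines for one source, the kind of excerpt an abuse desk
    can act on: timestamp, source, port, what the router classified it as."""
    return [f"{e['ts'].isoformat()} {e['src']} port {e['port']} {e['kind']}"
            for e in events if e["src"] == src]


def drop_rules(sources):
    """iptables rules that silently DROP the given sources (assumption: the
    firewall is iptables). DROP sends no reply, so it costs less bandwidth
    and CPU than REJECT, which answers every packet."""
    return [f"iptables -I INPUT -s {s} -j DROP" for s in sources]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    kinds, srcs = summarize(ev)
    print("per kind:", kinds.most_common())
    print("dominant:", dominant_kind(kinds))
    print("peak events per 15 min:", peak_count(ev))
    for s in repeat_offenders(srcs):
        print("\n".join(report_for_source(ev, s)))
    print("\n".join(drop_rules(repeat_offenders(srcs))))
```

Run it against a full router log instead of `SAMPLE_LOG` and compare `peak_count` on a quiet day with the day in question; the per-kind share from `dominant_kind` is what separates "many kinds, random ports" (the usual noise) from "one kind, one port, thousands of lines".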

Re: Zombie Army

Posted: Thu Oct 09, 2014 11:54 am
by Guest
Hi Dane,
dane wrote: If you look at firewall logs, you will see that attacks of many sorts are constant.
dane wrote: At a recent presentation by the FBI to service providers that I attended, the agent characterized this sort of thing as "background noise".

I have been monitoring router logs for years and I am familiar with background noise. If this was background I would not have bothered to post. No, this was different. In case it was not clear before, what I included was a very small sample because I did not believe it was necessary to post 1,000's of lines of the same thing.
dane wrote: I heard it recently reported that an older Windows box if placed on the Internet un-patched will be compromised within an average of eighty seconds.

That's true, and if we only go as far back to Windows XP, that sort of thing has been happening for over a decade.
dane wrote: Patch your systems, and move on with life.
The hardware device is already using the latest firmware.

Re: Zombie Army

Posted: Thu Oct 09, 2014 12:32 pm
by Guest
Hi Kevin,
kevinmcm wrote: That's normal background hacking. You're probably getting 10 to 300 hacking attempts per minute per IP address.
In my experience, the attack was not normal background. Normal background would be random ports and typically a "TCP/UDP Chargen" attack.
kevinmcm wrote: The legit networks listed there - Digital Ocean, CONTABO, Selectel, Rackspace, etc. - will take action if you contact them with good logs. It's a bit of a whack-a-mole game but sometimes it helps when you have limited DSL throughput.
I did send e-mail to some of the networks and included specific log information. I do not have DSL; it's a 30 service with upwards of 100 available. However, I do understand your point. Sometimes I long for the days when I had to place the phone's receiver into the suction cups or flip the data switch on the side of the modem. :)
kevinmcm wrote: China and Korea don't care that their customers are attacking you and almost none of the government operated networks have valid contacts. All that you can do is tune your firewall so that it minimizes wasted bandwidth and CPU time. For example, dropping China's and Korea's packets is much more efficient than letting your server send a proper protocol-level reply. Taiwan is similar but their attacks usually target port 25.
Unfortunately, the router does not have Geo IP blocking. It might be time to remedy that.

UPDATE: I just checked the log and the attacks have stopped.