Connection Flood Attack

posted on Jan, 18 2011 @ 02:20 PM
This just popped up on my screen from my anti-virus firewall:



I have never seen such a thing, the IP doesn't seem to lead anywhere, and a Google search didn't yield much that a computer layperson such as myself could make sense of.

Can someone help me understand what this means or who could be doing this?


Thanks.




posted on Jan, 18 2011 @ 02:23 PM
That IP address is on your LAN

Perhaps some software you have is looping back through a trojan horse proxy, hence the flood on your own computer?

I'd disconnect your computer from the router/modem, and scan that thing three ways from Sunday with your anti-virus software. Check your Internet Explorer proxy settings, etc.
edit on 18-1-2011 by harrytuttle because: (no reason given)



posted on Jan, 18 2011 @ 02:25 PM
reply to post by schrodingers dog
 


What site were you trying to connect to (or were connected to) when that popped up?
Was it ATS? Just curious...
edit on 18-1-2011 by LadySkadi because: (no reason given)



posted on Jan, 18 2011 @ 02:26 PM
reply to post by schrodingers dog
 


This site says that the IP you list has been a little naughty. They are probably port scanning your IP, checking multiple ports rapidly, in succession, looking for backdoors and open ports.

I am thinking that this IP is a proxy of some sort, as it will not DNS resolve or trace.

~Heff



posted on Jan, 18 2011 @ 02:27 PM
reply to post by schrodingers dog
 


Explanation: S&F!

Personal Disclosure: OL has helped you before with IT issues and I am not an expert! But my record speaks for itself and I am sure that you trust me to help again. I shall ask my 2 IT network engineer and technician brothers to make OL very aware of what the real issue is behind this and I will get back to you asap, but I do require some time, say 24 hrs, to do that, OK. I hope other members can help you in the meantime.


P.S.
and much love! Sincerely OL.



posted on Jan, 18 2011 @ 02:30 PM

Originally posted by harrytuttle
That IP address is on your LAN


I'm not exactly sure what that means ...
My wireless router shows an IP: 192.168.1.1
and something called IPv4 address shows as: 192.168.1.2
so I'm not sure what 192.168.1.3 is.


Perhaps some software you have is looping back through a trojan horse proxy, hence the flood on your own computer?


I have no new software installed for quite some time, and the only things running at the time were what I always have on ... namely Mail, iTunes, Safari, and Skype.


I'd disconnect your computer from the router/modem, and scan that thing 3 ways from sunday with your anti-virus software. Check your Internet Explorer proxy settings, etc.


Okay, I'll do that ... I'm on a mac though so IE isn't an issue.


Thank you.



posted on Jan, 18 2011 @ 02:32 PM
reply to post by LadySkadi
 


Yes, I was just on ATS at the time ... though not knowing how these things work I don't know if it is related.



posted on Jan, 18 2011 @ 02:34 PM
reply to post by schrodingers dog
 

192.168.1.3 is another device connected to your router - is it a wireless router? Is security enabled?

Perhaps someone is connected to your wireless router and they are attempting to scan your network - hence the flooding report from that IP address and your firewall blocked it in response.

So, do you have wireless?



posted on Jan, 18 2011 @ 02:37 PM
A hacker, virus or legitimate program of some type was flooding requests to your IP/router.

One of two causes for this:

1) someone is trying to port sniff your machine, looking for open doors to infiltrate
2) someone is trying to knock you offline

There is no other reason for this outside of what others have already mentioned. If anything, check your router vendor's website and see if they offer more information for that specific warning. Sometimes they will give an error that is more of a blanket error for anything that goes wrong, so it's best to check with the vendor first.

The message says the IP was blocked. If you see the message again, I would unplug your LAN connection and run a scan of your machine to see what ports or protocols might be running that should not be.

~Namaste
edit on 18-1-2011 by SonOfTheLawOfOne because: (no reason given)



posted on Jan, 18 2011 @ 02:39 PM

Originally posted by harrytuttle

So, do you have wireless?


Yes I have ... I have a feeling that thanks to you I may know what this is related to.

My DirecTV is connected to my wireless router, I just checked it and it is showing 192.168.1.4 as the IP address. This might actually be because when the alert came up I was asked if I wanted to block the one ending in 3 and I did ... so I guess the box looked for the next number.

Would that make sense?
More importantly, why is my tv attacking my internets?


ETA: I just thought of something else ... my appleTV is also going through my router and I was downloading a TV show from itunes. Could that have set it off?
edit on 18 Jan 2011 by schrodingers dog because: (no reason given)


ETA: Okay ... I tried something and it seems to have isolated the problem ... I unblocked the IP, launched iTunes, and started syncing my Apple TV to iTunes and the alert popped up again. So it seems my AV firewall is all of a sudden confusing my Apple TV sync for a flood attack.

The thing is I've been doing this for years with no issue ... so either this is something that was changed with my last VirusBarrierX6 update or aliens are using my appletv as a vehicle for what I can only assume is a subsequent probe attack on my bottom!!!
edit on 18 Jan 2011 by schrodingers dog because: (no reason given)



posted on Jan, 18 2011 @ 02:57 PM
reply to post by schrodingers dog
 


this is what I found...
forum1.netgear.com...



posted on Jan, 18 2011 @ 03:07 PM
Found an address for that IP: 4676 Admiralty Way, Suite 330, LA

ICANN - Internet Corporation for Assigned Names and Numbers

en.wikipedia.org...
edit on 18-1-2011 by SSimon because: (no reason given)



posted on Jan, 18 2011 @ 03:16 PM
reply to post by schrodingers dog
 

That's good news S-dog! Nice troubleshooting work there - sounds like something changed with either your Apple software (iTunes/Apple TV) or your AV/firewall software got extra sensitive from its latest update.



posted on Jan, 18 2011 @ 03:25 PM
reply to post by harrytuttle
 


Thanks ht ... ugh, it's a big pain in the butt to reset appletv but I'll get my head around it.

My last question would be, is there any way someone could have been trying to use that connection to hack into my computer or should I stop being paranoid and focus on this one avenue?

ETA: And a great big thank you to everyone else as well.
edit on 18 Jan 2011 by schrodingers dog because: (no reason given)



posted on Jan, 18 2011 @ 03:47 PM
reply to post by schrodingers dog
 

I wouldn't worry - you use Apple products - your chances of being a target are extremely low.



posted on Jan, 18 2011 @ 10:31 PM
try
\\192.168.1.3
To see if it is a "pc" sharing files
Try
192.168.1.3...
To see if it is a device offering up web pages.

Unless someone hacked your wireless, I suspect it is your own PC throwing false positives. In my experience I have received weird errors like that caused by all kinds of stuff, from VPN connections to plugging in a smart phone. Do you have an iPhone that connects to your wireless network?


One of the routers I manage hates mail.me.com, the Apple service that supposedly syncs files to Apple's cloud.

ISA Server name: ROUTER

ISA Server detected an all port scan attack from Internet Protocol (IP) address 17.148.16.42.
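The two alerts in this thread (a "flood" from a LAN address that turned out to be an Apple TV sync, and a router flagging an Apple service as an "all port scan") are both the same kind of heuristic firing: many connections or ports from one source in a short window. The following is an added example, not code from the thread or from any firewall product, showing how such a heuristic works on a constructed connection log and how an allowlist of known sync peers and a LAN/Internet split keep it from crying wolf. The log format, the thresholds and the 203.0.113.9 address are constructed; 17.148.16.42 is the address quoted in the post above.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log, one "timestamp src_ip dst_port" per line.
# 192.168.1.3 behaves like a device syncing over many ephemeral ports,
# 17.148.16.42 like the Apple service the post mentions, 203.0.113.9 is background noise.
SAMPLE_LOG = """\
2011-01-18T14:20:00 192.168.1.3 49152
2011-01-18T14:20:00 192.168.1.3 49153
2011-01-18T14:20:01 192.168.1.3 49154
2011-01-18T14:20:01 192.168.1.3 49155
2011-01-18T14:20:02 192.168.1.3 49156
2011-01-18T14:20:02 192.168.1.3 49157
2011-01-18T14:20:03 192.168.1.3 49158
2011-01-18T14:20:03 192.168.1.3 49159
2011-01-18T14:21:00 17.148.16.42 993
2011-01-18T14:21:01 17.148.16.42 443
2011-01-18T14:21:02 17.148.16.42 5223
2011-01-18T14:21:03 17.148.16.42 80
2011-01-18T14:21:04 17.148.16.42 587
2011-01-18T14:21:05 17.148.16.42 8443
2011-01-18T14:22:00 203.0.113.9 22
2011-01-18T14:25:00 203.0.113.9 80
"""

# Assumed allowlist of peers the owner has already identified as legitimate sync services.
KNOWN_SYNC_PEERS = frozenset({"17.148.16.42"})


def parse_log(text):
    """Turn the log text into a list of (datetime, src_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port)))
    return events


def find_scanners(events, window=timedelta(seconds=10), min_ports=5, allowlist=frozenset()):
    """Return {src_ip: max_distinct_ports} for every source that touched at least
    `min_ports` distinct destination ports inside any `window`-long sliding window.
    Sources on the allowlist are skipped, which is how a known sync service
    stops tripping the alarm."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))

    hits = {}
    for src, evs in by_src.items():
        if src in allowlist:
            continue
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits


def classify(src):
    """'LAN' for RFC 1918 / private addresses (another device behind the router),
    'Internet' otherwise. A LAN hit points at a device inventory check rather
    than at an outside attacker."""
    return "LAN" if ipaddress.ip_address(src).is_private else "Internet"


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, n in sorted(find_scanners(events, allowlist=KNOWN_SYNC_PEERS).items()):
        print(f"{src} ({classify(src)}): {n} distinct ports in a 10 s window")
```

Run without the allowlist and both the Apple TV and the Apple service are flagged; with it only the LAN address remains, and `classify` tells you it is a device on your own network, which is exactly the triage the thread walked through by hand.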



posted on Jan, 19 2011 @ 06:44 AM
As for me, for protecting my Mac I prefer to use ProteMac NetMine protemac.com...
Its firewall helps protect my Mac from virus attacks.



posted on Jan, 20 2011 @ 12:52 PM
Simple solution: get into your router's management interface, check the logs for DHCP leases, find the MAC addresses there, check them against whatever devices are in your network, and if one doesn't match, suspect it.

192.168.x.x is a private range, not a public range. These are internal addresses; most routers by default use 192.168.1.x or 192.168.0.x for their range of IPs.

The router will be 192.168.x.1 and will hand out IPs to any devices present in the network. If your router is supplied from the ISP, or has the ISP connection (cable or DSL) it will have an uplink port which is the internet connection, this is the only connection that will get a public IP from the ISP, your router effectively performs Network Address Translation for you, allowing multiple machines to use a single public IP to hit the internet.

It should be fast and easy to see which device has what IP. If you are concerned about intrusion, simply enable MAC-based filtering, only allowing the MAC addresses of the devices you personally want on the network.

I have some experience with basic WiFi cracking, WEP and WPA. A few tips: use WPA2 with a large, random, salted (using alt characters like #) password and it's pretty darn secure; to brute force that would basically take too much time to be worth it. Most "cracking" isn't cracking at all, it's using the rainbow tables method, by which you hash the SSID of the network and attempt to dictionary attack the password (you must supply a list of possible passwords). Also, if your router has the option to deny access to the management page from the WLAN, enable that, as it's quite easy to get into your network, and if you allow changes to the router from the wireless, anyone within range could get in, block you out, open ports for themselves, or even get your ISP login information.

Step 1 is to locate the network and a client machine.
Step 2 using packet injection and mac spoofing mask yourself as the client machine and send a request to the network that makes the client reconnect.
Step 3 capture the handshake between client and network
Step 4 run the precompiled HASH table with dictionary attack against downloaded hash.

If you have the password in your list, eventually it will crack it. I've seen WEP take 3 hours, and another WEP take less than 2 minutes. I've only ever gotten into a WPA network once, and it's because they used a real-word phrase that was in my dictionary list.

The reason I posted that is that one of the first few steps to cracking into your network is to spoof the client, so MAC filtering isn't 100% either.

A flood attack is basically what it sounds like: too many incoming packets that literally clog up your network interface. On a large scale it would be a DoS attack, where you flood a target from, usually, a botnet of hundreds of infected machines, sending so much traffic that it floods the link and in most cases bumps them offline, just like the old telephone modem days.

I'd check your router and see if it offers DoS protection and other options for its firewall; that is probably where the false positive is coming from, and it is easily disabled.
edit on 20-1-2011 by phishybongwaters because: forgot something
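The lease audit the post above recommends (pull the DHCP leases, match MACs against the devices you own, treat anything unmatched as suspect) is easy to script once the leases are exported. The following is an added example, not code from the thread or from any router firmware; the lease lines are constructed and modeled on a dnsmasq-style leases file ("expiry mac ip hostname client-id"), the MAC addresses and inventory are made up, and the 192.168.1.0/24 subnet is assumed from the addresses the original poster reported. As the post itself notes, a MAC can be spoofed, so an unknown MAC is a lead to chase, not proof of intrusion, and a known MAC is not proof of innocence.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


# Constructed sample leases (dnsmasq-style: "<expiry-epoch> <mac> <ip> <hostname> <client-id>").
# The fourth and fifth entries are the ones a careful owner would want to notice.
SAMPLE_LEASES = """\
1295380800 00:16:cb:aa:bb:01 192.168.1.2 macbook 01:00:16:cb:aa:bb:01
1295380860 7C:6D:62:AA:BB:02 192.168.1.3 Apple-TV 01:7c:6d:62:aa:bb:02
1295380900 00:1d:3f:aa:bb:03 192.168.1.4 DIRECTV *
1295381000 00:26:5e:aa:bb:04 192.168.1.7 * *
1295381100 00:26:5e:aa:bb:05 192.168.2.20 * *
"""

# Constructed inventory: MAC -> label, as the owner would write it down from the devices themselves.
KNOWN_DEVICES = {
    "00:16:cb:aa:bb:01": "laptop",
    "7c:6d:62:aa:bb:02": "Apple TV",
    "00:1d:3f:aa:bb:03": "DirecTV box",
}


def parse_leases(text):
    """Parse lease lines into Lease objects; MACs are lower-cased so that
    differently-cased router exports still match the inventory."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines rather than failing the audit
        _expiry, mac, ip, hostname = parts[:4]
        leases.append(Lease(mac.lower(), ip, hostname))
    return leases


def audit_leases(leases, known, lan=ipaddress.ip_network("192.168.1.0/24")):
    """Return (unknown, outside): leases whose MAC is not in the inventory, and
    leases whose address is not inside the router's own LAN range (a lease
    outside it usually means a second DHCP server or a misconfiguration)."""
    unknown = [l for l in leases if l.mac not in known]
    outside = [l for l in leases if ipaddress.ip_address(l.ip) not in lan]
    return unknown, outside


def lease_for_ip(leases, ip):
    """Look up which device currently holds an address, e.g. the one a firewall alert named."""
    return next((l for l in leases if l.ip == ip), None)


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    hit = lease_for_ip(leases, "192.168.1.3")
    print("192.168.1.3 is held by:", KNOWN_DEVICES.get(hit.mac, "UNKNOWN"), hit.hostname)
    unknown, outside = audit_leases(leases, KNOWN_DEVICES)
    for l in unknown:
        print("unknown MAC:", l.mac, l.ip, l.hostname)
    for l in outside:
        print("address outside LAN range:", l.ip, l.mac)
```

Looking up the address from the alert first answers the thread's actual question ("what is 192.168.1.3?") in one step; the unknown-MAC list is the follow-up check for devices you did not put on the network.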




