Home Modem/Router logs show DDoS Attacke

I was experiencing home network slow downs and when I checked saw these in my router logs. Any idea what could be done. (I am not sure if they are the actual cause of my internet slowdowns)

[image: router log screenshot]

What are the numbers in the second column?

The second column is named COUNT.

These don’t appear to be DDoS (Distributed Denial of Service) as much as simply DoS. DDoS would involve many remote devices flooding your connection. Single DoS attacks against a typical residential user are usually not “targeted” as much as “broadcast,” hoping to find vulnerable systems that can be exploited and later used as part of a DDoS or perhaps, more recently, to install ransomware in hopes of profiting.

The fact that your router recognized these attacks is a fairly good indication that these are probably not the cause of your slow-downs. But it’s no guarantee, and other attacks that are related might not have been recognized.

I would suggest checking that your router/firewall is running the latest firmware, and verifying that you don’t have a “bastion host” or “DMZ host” configured (your router would forward all inbound traffic to this host, so DoS attempts or other undesirable traffic will be included… which could significantly degrade the performance of that machine and any others that might depend on it for access). If the manufacturer of your router hasn’t created new firmware in the last year or so, it’s probably a good indication that your model is no longer supported and you might consider upgrading it to stay secure.

Quick and dirty answer:

Null route 139.24.124.0/32. But just an FYI, one should file a detailed report with that German ISP:

% Information related to '139.21.0.0 - 139.25.255.255'

% Abuse contact for '139.21.0.0 - 139.25.255.255' is '[email protected]'

inetnum:        139.21.0.0 - 139.25.255.255
netname:        DE-SIEMENS-19930327
country:        DE
org:            ORG-SNIC1-RIPE
admin-c:        SNIC1-RIPE
tech-c:         SNIC1-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         SAG-MNT
mnt-lower:      SAG-MNT
mnt-routes:     SAG-MNT
created:        2016-01-28T13:10:26Z
last-modified:  2016-05-26T09:16:17Z
source:         RIPE

Longer answer: install something like ThreatStop and Pi-hole at the edge. Set your DNS to block everything in or out that’s not needed (a detailed scan of services is needed), and also, since this was logged, don’t worry too much about it.
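The two steps in the quick answer (look up the abuse contact for the range, then blackhole the single source address) can be scripted. The following is an added example, not the poster's own commands: it assumes a Linux host with the `ip` and `whois` clients, uses addresses from the 192.0.2.0/24 documentation range, and the whois text and abuse mailbox are constructed placeholders, not real allocation data.

```shell
#!/bin/sh
# Added example, not from the thread: read the abuse contact out of RIPE-style
# whois text and print the Linux null-route commands for one source address.
# Addresses are from the 192.0.2.0/24 documentation range and the abuse mailbox
# is a placeholder; both are constructed, not real allocation data.

# Constructed whois output in the same shape the thread quotes.
sample_whois() {
  cat <<'EOF'
% Information related to '192.0.2.0 - 192.0.2.255'
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@example.net'
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
country:        DE
status:         ALLOCATED PA
source:         RIPE
EOF
}

# Print the abuse mailbox from whois text on stdin (nothing if the RIR did not
# publish one); this is the address an abuse report should go to.
abuse_contact() {
  sed -n "s/^% Abuse contact for .* is '\([^']*\)'.*/\1/p" | head -n 1
}

# Print one attribute (netname, country, inetnum ...) from whois text on stdin.
whois_field() {  # $1 = attribute name without the colon
  awk -v want="$1:" '$1 == want { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Reject anything that is not a dotted quad before it reaches a routing command.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF == 4 {
    for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
    exit 0 } { exit 1 }'
}

# Print (do not run) the blackhole route for one address. A blackhole route
# drops everything routed toward that destination, so replies never leave the
# network; a /32 affects that single host only, which keeps the cost of listing
# a spoofed source at zero.
null_route_cmds() {  # $1 = IPv4 address, $2 = prefix length, default 32
  valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
  printf 'ip route add blackhole %s/%s\n' "$1" "${2:-32}"
  printf 'ip route show %s/%s\n' "$1" "${2:-32}"
}

# Live use (real whois client, real routing table, needs root for the route):
#   whois -h whois.ripe.net 192.0.2.10 | abuse_contact
#   null_route_cmds 192.0.2.10 | sh
```

Run `sample_whois | abuse_contact` to see the extraction on the constructed data; the same pipeline fed from the real `whois` client gives the mailbox for the abuse report. `null_route_cmds` prints rather than executes so the address can be checked before anything touches the routing table, and it refuses input that is not a dotted quad (the thread's own `139.24.124.0/32` would pass that check).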

Anything exposed to the internet is going to get hit with attacks. The vast majority of these are automated bots.
Just keep your router software updated and your PC updated with a decent virus and spyware detection software.

One hit in eight seconds. Two hits in 37 seconds. That has to be the worst DDoS attack in the history of such attacks. Looks like an especially low amount of riffraff related noise to me. My poor little Pi (serving a simple website) gets orders of magnitude more unwanted attention and it performs well. I believe you are barking up the wrong tree.

2 Likes

Slightly off topic: any idea why Malwarebytes would consider the ThreatStop site as “suspicious”?

1 Like

You could do that I suppose, but source addresses are likely-as-not spoofed and/or the source address has compromised equipment doing the actual, obfuscated actor’s doing.

Yeah, this.

Seemingly-random DDoS attacks are something my employer’s customers periodically weather. An IP address starts getting hammered with so much traffic that it effectively shuts down the node (typically a DSLAM but sometimes an OLT) until the attack ends or the dynamic IP being attacked goes into an unallocated status.

The events in the router’s logs were most likely a probe - the kind that goes on countless times a day across the net.

3 Likes

Yup … most people don’t realize how much fire an internet firewall actually gets day to day … it is why you never put a regular PC straight on the internet, ever.

1 Like

The number of single-PC, direct-to-bridge-mode-modem DSL subscribers still out there astounds me. I’m sure they’re out there in similar numbers in the cable modem world too.

1 Like

Yup. There are quite a few devices direct on the internet as well, like camera systems.

I think this is one of the reasons IPv6 hasn’t really taken off on the Internet. The promise of IPv6 was every PC and device will have a unique Internet IP. But most people feel better not knowing how or having to properly configure a firewall and just sitting behind a NAT.

Competition. Keywords… any reason, but I suspect anti-trust practices in light of a post-net-neutrality world.
Since all ThreatStop does is automate firewall/null routes via a script which pulls from all the top remote block lists (RBLs) and a few honeynets. Just like Symantec and Malwarebytes do for their pro versions while leeching off ThreatStop’s datasets.

meh… more like network guys just want to get things done, and those that do accept IPv6 tend to lean more on v4 anyway because “more things work with v4,” to quote a few teams at NYSE:VZ.

My theory on higher-priced IoT devices is only to expect maintenance so long as there’s the prospect of perpetual revenue attached to them via services or continued sales of the same platform - ideally both. If any of those elements is missing or goes away, then expect them to be compromised in relatively short order and never fixed. There is some degree of simple mitigation via local network setup (sh_tlist from WAN access) and perhaps global access via packet inspection or buffering (i.e. host camera images via another box) but that’s a good deal more work.

The last time I had slowdowns similar to what you are experiencing was when I had an older router. I replaced it and the new one eliminated the problems.

Now for DDoS attacks, run something like fail2ban on your local server. (It also helps to block the entirety of some countries including India and China.)

I think we’ve made the point; this is clearly not DDoS or any sort of Denial of Service attack but more of the usual wild internet traffic kind of thing.

Now if one really is experiencing “network slow downs”, and they have good edge security in place they should be checking a few things. In no particular order:

  • wifi saturation
  • packet collisions
  • network usage
  • ram/cpu usage (those packets do use these too)
  • cables and ports

Also, your network, especially wifi-based ones, is only as fast as its slowest node. For example: if one’s blazing-fast r/PCMasterRace rig, with all the wifi speed it can have, is on a network with a tablet that uses a $0.02 Broadcom chip from 7 years ago that’s faulty to the point of getting only 28kbps, your $2000 rig is going to feel like it’s on AOL. Yes, I am speaking from experience.

While you’re at it, test your security regularly too:

https://www.routersecurity.org/testrouter.php
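The checklist above (packet collisions, network usage, RAM/CPU, cables and ports) is the kind of thing worth scripting so it can be re-run whenever the "slowdown" complaint comes back. This is an added example and not the poster's own tooling: it assumes a Linux router or server (the `/proc/net/dev` and `/proc/loadavg` layouts, plus `nproc`), and the interface counters embedded below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: turn the "errors/collisions/usage" checks
# into a repeatable script. Assumes Linux /proc/net/dev and /proc/loadavg
# layouts; the sample data below is constructed, not captured from a real host.

# Constructed /proc/net/dev snapshot: eth0 shows RX drops, TX errors and
# collisions (a cable, port or duplex problem worth checking); wlan0 is clean.
sample_netdev() {
  cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1234      10    0    0    0     0          0         0    1234      10    0    0    0     0       0          0
  eth0: 5000000   40000    0   12    0     0          0         0 3000000   35000    2    0    0     7       0          0
 wlan0:  800000    6000    0    0    0     0          0         0  200000    2500    0    0    0     0       0          0
EOF
}

# One line per physical interface with the counters that point at cabling,
# duplex mismatches or an overloaded link; "CHECK" when any is non-zero.
# Column positions after the interface name follow the /proc/net/dev header.
link_health() {
  awk 'NR > 2 {
    sub(/:/, " ")                # "eth0:" -> "eth0", then re-split fields
    if ($1 == "lo") next         # loopback never carries real traffic
    rx_err = $4; rx_drop = $5; tx_err = $12; colls = $15
    flag = (rx_err + rx_drop + tx_err + colls > 0) ? "CHECK" : "ok"
    printf "%s rx_errs=%d rx_drop=%d tx_errs=%d colls=%d %s\n",
           $1, rx_err, rx_drop, tx_err, colls, flag
  }'
}

# Compare the 1-minute load average (first field of /proc/loadavg) against the
# CPU count given as $1: a router or NAS pegged above that will drop packets.
load_state() {
  awk -v ncpu="$1" '{ s = ($1 > ncpu) ? "busy" : "ok"; print s; exit }'
}

# Live run on the current host. Counters are cumulative since boot, so run it
# twice a minute apart and compare the delta, not the absolute numbers.
live_check() {
  link_health < /proc/net/dev
  printf 'load: %s\n' "$(load_state "$(nproc 2>/dev/null || echo 1)" < /proc/loadavg)"
}
```

`sample_netdev | link_health` shows the report on the constructed snapshot (eth0 flagged, wlan0 ok); `live_check` does the same against the running host. Wifi saturation is not visible in these counters and still needs the driver's link statistics, but a non-zero collision or TX error count on a wired port is the cheapest signal on the list to chase first.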