Aspirant

DoS Log flooding from China ip's

I keep getting flooded around the same time each night. It drops my 30mb connection down to a few kb. I'm not sure what's happening. The only open ports are 22 to my Linux box for ssh using key pair and two web cams. The logs show a lot of activity on port 80, 443, 21 and 22. No torrents being used. There is a Raspberry Pi and two iPads on the network. Netflix streaming is used. Any idea what's up? The IPs appear to be from China.


[LAN access from remote] from 222.186.21.7:6000 to 192.168.1.10:22, Sunday, January 11, 2015 21:22:57
[DoS Attack: RST Scan] from source: 184.28.188.88, port 80, Sunday, January 11, 2015 21:21:48
[DoS Attack: RST Scan] from source: 74.125.224.123, port 443, Sunday, January 11, 2015 21:20:24
[DoS Attack: RST Scan] from source: 216.58.216.2, port 443, Sunday, January 11, 2015 21:20:24
[LAN access from remote] from 122.225.109.218:6000 to 192.168.1.10:22, Sunday, January 11, 2015 21:19:22
[admin login] from source 192.168.1.101, Sunday, January 11, 2015 21:15:19
[DoS Attack: ACK Scan] from source: 8.14.169.161, port 443, Sunday, January 11, 2015 21:14:43
[DoS Attack: TCP/UDP Chargen] from source: 192.3.183.234, port 54601, Sunday, January 11, 2015 21:14:40
[DoS Attack: SYN/ACK Scan] from source: 72.246.160.221, port 80, Sunday, January 11, 2015 21:13:33
[DoS Attack: SYN/ACK Scan] from source: 23.213.7.205, port 80, Sunday, January 11, 2015 21:13:24
[DoS Attack: SYN/ACK Scan] from source: 72.246.160.221, port 80, Sunday, January 11, 2015 21:13:05
[DoS Attack: SYN/ACK Scan] from source: 23.15.130.224, port 80, Sunday, January 11, 2015 21:13:04
[DoS Attack: SYN/ACK Scan] from source: 72.246.160.221, port 80, Sunday, January 11, 2015 21:13:04
[DoS Attack: SYN/ACK Scan] from source: 23.213.7.205, port 80, Sunday, January 11, 2015 21:13:03
[DoS Attack: SYN/ACK Scan] from source: 72.246.160.221, port 80, Sunday, January 11, 2015 21:13:03
[DoS Attack: SYN/ACK Scan] from source: 71.74.42.241, port 443, Sunday, January 11, 2015 21:12:59
[DoS Attack: SYN/ACK Scan] from source: 23.213.7.205, port 80, Sunday, January 11, 2015 21:12:55
[DoS Attack: SYN/ACK Scan] from source: 23.15.130.224, port 80, Sunday, January 11, 2015 21:12:54
[DoS Attack: SYN/ACK Scan] from source: 23.213.7.205, port 80, Sunday, January 11, 2015 21:12:53
[DoS Attack: SYN/ACK Scan] from source: 23.3.195.93, port 80, Sunday, January 11, 2015 21:10:33
[DoS Attack: ACK Scan] from source: 72.21.81.253, port 80, Sunday, January 11, 2015 21:10:27
[DoS Attack: ACK Scan] from source: 212.1.212.110, port 21, Sunday, January 11, 2015 21:08:28
[DoS Attack: ACK Scan] from source: 72.21.81.253, port 80, Sunday, January 11, 2015 21:08:27
[DoS Attack: ACK Scan] from source: 212.1.212.110, port 21, Sunday, January 11, 2015 21:07:22
[DoS Attack: ACK Scan] from source: 72.21.81.253, port 80, Sunday, January 11, 2015 21:07:14
[DoS Attack: ACK Scan] from source: 212.1.212.110, port 21, Sunday, January 11, 2015 21:07:09
[DoS Attack: RST Scan] from source: 54.244.243.173, port 443, Sunday, January 11, 2015 21:07:07
[DoS Attack: ACK Scan] from source: 212.1.212.110, port 21, Sunday, January 11, 2015 21:06:50
[DoS Attack: RST Scan] from source: 91.198.22.70, port 80, Sunday, January 11, 2015 21:06:50
[DoS Attack: ACK Scan] from source: 212.1.212.110, port 21, Sunday, January 11, 2015 21:06:43
[DoS Attack: ACK Scan] from source: 72.21.81.253, port 80, Sunday, January 11, 2015 21:06:38
[DoS Attack: RST Scan] from source: 50.112.96.217, port 443, Sunday, January 11, 2015 21:06:05
[DoS Attack: RST Scan] from source: 54.244.243.161, port 443, Sunday, January 11, 2015 21:05:03
[admin login] from source 192.168.1.101, Sunday, January 11, 2015 21:01:57
[DoS Attack: RST Scan] from source: 61.240.144.65, port 53304, Sunday, January 11, 2015 21:01:20
Message 1 of 4
Mentor

Re: DoS Log flooding from China ip's

Internet scans are a fact of life, I consider them "background noise" - I suggest you ignore them, until or unless, they actually become a problem, in which case you can try complaining to your ISP. I also want to make you aware that there's nothing you can do, at your end, to mitigate the effects of a DoS attack - you're on the downstream end of a limited bandwidth link, to deny you service would only require flooding that link - your firewall will discard the packets as it should, but, because the link is overwhelmed by the sheer volume of data, you would be unable to use it, and that would deny you the use of it.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 2 of 4
Aspirant

Re: DoS Log flooding from China ip's

@fordem That's the problem, it slows the router greatly. From 30/mbs to 200/kbs. It even slows the LAN traffic.
Message 3 of 4
Mentor

Re: DoS Log flooding from China ip's

Turn off logging or DoS attack protection and see what happens - activity on the WAN side should/would normally have no effect on the LAN side, so if you're seeing a slowdown on the LAN side as well, that would suggest you're either actually flowing traffic through the router rather than just discarding it, or, the resources required to log the scans are causing the slowdown. You can also try discussing the slowdowns with your ISP and show them the logs, if they are willing to help they can filter the traffic at their end which will prevent it from getting to your link.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 4 of 4
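
Added example, not part of any post in this thread: a small Python triage script for the router log format quoted in the first message, which separates entries the router only flagged from connections it actually passed to a LAN host, and counts entries per minute so the busiest minute can be compared with the time of the slowdown or shown to the ISP. The sample lines are constructed (documentation address ranges), and the line format is assumed from the excerpt above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the log format quoted in the thread.
# Addresses are documentation ranges, not values from the post.
SAMPLE_LOG = """\
[LAN access from remote] from 203.0.113.7:6000 to 192.168.1.10:22, Sunday, January 11, 2015 21:22:57
[DoS Attack: RST Scan] from source: 198.51.100.88, port 80, Sunday, January 11, 2015 21:21:48
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.21, port 80, Sunday, January 11, 2015 21:13:05
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.21, port 80, Sunday, January 11, 2015 21:13:04
[DoS Attack: ACK Scan] from source: 192.0.2.110, port 21, Sunday, January 11, 2015 21:13:09
[admin login] from source 192.168.1.101, Sunday, January 11, 2015 21:15:19
"""

# One pattern for the three line shapes seen in the excerpt:
# "from source: IP, port N", "from IP:N to IP:N" and "from source IP".
LINE = re.compile(
    r"^\[(?P<event>[^\]]+)\] from (?:source:? )?(?P<src>\d+(?:\.\d+){3})"
    r"(?::(?P<sport>\d+)|, port (?P<port>\d+))?"
    r"(?: to (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+))?"
    r", (?P<ts>\w+, \w+ \d+, \d{4} \d\d:\d\d:\d\d)$"
)

def parse(text):
    """Yield one dict per recognised log line; unrecognised lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%A, %B %d, %Y %H:%M:%S")
            yield rec

def summarize(text):
    """Tally flagged scans, forwarded connections and entries per minute."""
    by_event, by_source, per_minute = Counter(), Counter(), Counter()
    forwarded = []
    for r in parse(text):
        by_event[r["event"]] += 1
        per_minute[r["ts"].strftime("%H:%M")] += 1
        if r["event"].startswith("DoS Attack"):
            by_source[(r["src"], r["port"])] += 1      # flagged by the router
        elif r["dst"]:                                 # passed to a LAN host
            forwarded.append((r["src"], r["dst"], int(r["dport"])))
    return {"events": dict(by_event), "top_sources": by_source.most_common(3),
            "forwarded": forwarded, "busiest_minute": per_minute.most_common(1)[0]}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The `forwarded` list is the part to check against the host's own logs, since those entries reached a service on the LAN (here the SSH port) rather than being flagged at the router.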