Thread: Denial of service attack?

  1. #1

    Thread Starter
    Hyperactive Member Arrow_Raider's Avatar
    Join Date
    Dec 2001
    Location
    AVR Lovers Club
    Posts
    423

    Denial of service attack?

    What is all of this?
    Attached Images
    My monkey wearing the fedora points and laughs at you.

  2. #2
    PowerPoster eranga262154's Avatar
    Join Date
    Jun 2006
    Posts
    2,201

    Re: Denial of service attack?

    Basically, it describes the communication between your server (simply an IP) and the service provider's servers (IPs). Check that; you can find the port numbers, the protocols they use, and much more there.
    “victory breeds hatred, the defeated live in pain; happily the peaceful live giving up victory and defeat” - Gautama Buddha

  3. #3
    Hyperactive Member
    Join Date
    Oct 2006
    Posts
    354

    Re: Denial of service attack?

    You are running a sniffer on the network and whatever box has IP 192.168.1.103 is sending ICMP packets to different IP addresses. My guess is you're misreading the sniff, because the destination unreachable source is from your network, not the outside.

    The standard thing to send over ICMP is an ICMP echo AKA ping.

    So the box in question is running a program pinging different addresses and they are failing. My guess is that box is running a download program like BitTorrent, LimeWire, etc. Those go out and actively ping hosts. You are getting destination unreachable because those boxes, like your network, are behind a router and/or firewall/ACL/NAT which blocks ICMP echo requests for security reasons.

    My guess is probably right because the two IP addresses that are being pinged are:

    gh-2037.gh.rice.edu (probably a computer in Rice's dormitory)
    rrcs-72-43-169-54.nyc.biz.rr.com (Road Runner cable internet)

  4. #4

    Thread Starter
    Hyperactive Member Arrow_Raider's Avatar
    Join Date
    Dec 2001
    Location
    AVR Lovers Club
    Posts
    423

    Re: Denial of service attack?

    I am 192.168.1.103 and I am aware of what wireshark does. I have been having a lot of issues with my internet connection dropping so I was running wireshark to see what was going on. That is a screenshot of what it does all the time. Whenever I am connected to the internet, the entire log on wireshark will be filled with that crap. Are those IPs trying to connect to some port that isn't open on my computer?

    I am behind a NAT router and I have onecare firewall. I have tried closing all of my applications and have looked at netstat -ano. I don't run any torrents or limewire.


    I have a suspicion that this is caused by joost. I recently downloaded joost, which acts as a p2p client because shows are streamed from the joost servers and other viewers on the joost network. I currently have joost removed, but I think other joost clients remember my IP and are trying to get content from my computer, which obviously is failing since joost isn't running. Does that seem reasonable? Can you think of any other causes? If that is the cause, would the only way to stop it be to get a new WAN IP on my router (and never use joost again)?
    My monkey wearing the fedora points and laughs at you.

  5. #5
    Hyperactive Member
    Join Date
    Oct 2006
    Posts
    354

    Re: Denial of service attack?

    Quote Originally Posted by Arrow_Raider
    I am 192.168.1.103 and I am aware of what wireshark does. I have been having a lot of issues with my internet connection dropping so I was running wireshark to see what was going on. That is a screenshot of what it does all the time. Whenever I am connected to the internet, the entire log on wireshark will be filled with that crap. Are those IPs trying to connect to some port that isn't open on my computer?

    I am behind a NAT router and I have onecare firewall. I have tried closing all of my applications and have looked at netstat -ano. I don't run any torrents or limewire.

    I have a suspicion that this is caused by joost. I recently downloaded joost, which acts as a p2p client because shows are streamed from the joost servers and other viewers on the joost network. I currently have joost removed, but I think other joost clients remember my IP and are trying to get content from my computer, which obviously is failing since joost isn't running. Does that seem reasonable? Can you think of any other causes? If that is the cause, would the only way to stop it be to get a new WAN IP on my router (and never use joost again)?

    If you are behind a NAT, external clients cannot connect directly to you unless the router has port forwarding on, particularly for the port listed above. So your theory is pretty bunk unless you have software creating the connection to those IP addresses. More than likely you have some sort of p2p client running. Your perception is that you uninstalled the offending app. Did you actually verify that the connection did stop?

    The easiest way to test if it is software is to run your computer in safe mode. Looks like you have Vista.

    http://vista.pcdoctor-guide.com/?p=36

    Safe mode will only run essential MS services and turn off all application startup. Remember to run safe mode with networking...

    Run your sniffer from there. If it passes the test, then it is software causing the problem and you need to find out what is causing it.

    To figure out which application is causing the problems, do a selective start. (You can do this from safe mode.)

    start->(in start search)msconfig->services->check hide all non Microsoft services->disable all->select start tab->disable all (this is from my head, it should be pretty close if not spot on)

    Boot normally, and then sniff. If this fixed it, do msconfig again and start enabling services in groups, and start items in the same manner.

    Does start->(in start search)cmd->netstat -a show anything on the port listed above?

  6. #6
    coder. Lord Orwell's Avatar
    Join Date
    Feb 2001
    Location
    Elberfeld, IN
    Posts
    7,628

    Re: Denial of service attack?

    I hope this helps a little:
    ICMP is only used to report an error. The error it is reporting is listed in the sniffer.
    Why don't you open a captured packet and examine it?
    UDP packets are set up with a 64-bit header, then the rest is data. I think you might be on to something with the file sharing theory because UDP is an unreliable protocol and is only used for chat clients, games, etc.

    Why don't you unplug your router/cable modem for about an hour and reset your IP address?
    My light show youtube page (it's made the news) www.youtube.com/@lightsofelberfeld
    Contact me on the socials www.facebook.com/lordorwell

  7. #7

    Thread Starter
    Hyperactive Member Arrow_Raider's Avatar
    Join Date
    Dec 2001
    Location
    AVR Lovers Club
    Posts
    423

    Re: Denial of service attack?

    I figured out what was causing the problem. The problem was caused by Joost, as I had suspected. I unplugged my computer for a while and then replugged it in. Wireshark wasn't showing the constant stream of UDP and ICMP packets anymore. I opened Joost and then closed Joost and suddenly Wireshark was filled with the UDP and ICMP packets again. After some trial and error, I discovered that the following was happening:
    When Joost is started, it opens up a forward port on the router using UPnP.
    When you close Joost, it doesn't discard the UPnP forward; it just leaves it there. It also doesn't notify the server or clients that it is going offline and can no longer serve content to other Joost clients.
    Because the forward is still active, other Joost clients can still send packets to my computer. However, the program is now closed and so there is no program running to respond on that port, so my computer sends out ICMP messages indicating that the port is closed. The Joost client has not been programmed to do anything with that message, so it just keeps sending packets. The Joost clients don't finally understand that you are not serving content until you disconnect from the internet or network - either way, they stop getting any response at all and drop you off the list of peers.

    To resolve this problem, I have disabled UPnP on my router. I can no longer serve content to other Joost users, but I really don't care about that. I have also posted this issue on the bug forums of Joost.
    My monkey wearing the fedora points and laughs at you.
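
The pattern described in post #7, as an added example that is not part of the original thread: a Python parser that reads ICMP port-unreachable replies and recovers, from the datagram each one quotes, which closed UDP port is being hit and which peers keep sending to it. Only 192.168.1.103 comes from the thread; the peer addresses, source ports and `CLOSED_PORT` are constructed sample values.

```python
import struct
from collections import Counter

LOCAL = "192.168.1.103"   # the poster's host, as given in the thread
CLOSED_PORT = 33333       # constructed: stands in for the stale forwarded port

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum 0) + payload; sample data only."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def port_unreachable(offending):
    """ICMP type 3 code 3 quoting the offending IP header + 8 bytes (RFC 792)."""
    return struct.pack("!BBHI", 3, 3, 0, 0) + offending[:28]

def parse_port_unreachable(pkt):
    """Return (peer_ip, peer_port, closed_port) for an ICMP port-unreachable
    that quotes a UDP datagram, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:      # IPv4 + ICMP only
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[:2] != b"\x03\x03":               # type 3, code 3
        return None
    quoted = icmp[8:]                                          # original datagram
    if len(quoted) < 20 or quoted[9] != 17:                    # must quote UDP
        return None
    off = (quoted[0] & 0x0F) * 4
    if len(quoted) < off + 4:
        return None
    sport, dport = struct.unpack("!HH", quoted[off:off + 4])
    return ".".join(map(str, quoted[12:16])), sport, dport

def summarize(packets):
    """Map each closed local UDP port to a Counter of peers still sending to it."""
    report = {}
    for pkt in packets:
        hit = parse_port_unreachable(pkt)
        if hit:
            report.setdefault(hit[2], Counter())[hit[0]] += 1
    return report

# Constructed capture: two peers (documentation addresses) keep sending UDP to
# the closed port; LOCAL answers each with port unreachable. Last one is a ping.
PEERS = [("198.51.100.7", 40000), ("203.0.113.20", 40001), ("198.51.100.7", 40000)]
SAMPLE = [ipv4(LOCAL, ip, 1, port_unreachable(ipv4(ip, LOCAL, 17, udp(sp, CLOSED_PORT, b"x" * 16))))
          for ip, sp in PEERS] + [ipv4(LOCAL, "198.51.100.7", 1, struct.pack("!BBHI", 8, 0, 0, 0))]

if __name__ == "__main__":
    for port, peers in summarize(SAMPLE).items():
        print(port, dict(peers))
```

A single local port drawing replies to many unrelated peers, with no listener shown for it in `netstat -ano`, points at a leftover port forward rather than at anything the host itself is initiating.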

  8. #8
    New Member
    Join Date
    Mar 2009
    Posts
    1

    Re: Denial of service attack?

    To use DDoS protection, you can set up a firewall as well as use the Nginx web server instead of a simple web server. For better DDoS attack protection, go to GigabitDC or Prolexic. They are very good at DDoS attack protection.
