# UDP Flood attack



## 01993james (Mar 31, 2010)

I've recently switched from a BT homehub (which broke [stopped giving out more than 1 bar of signal]) back to our old Belkin router (model #F5D7632-4).

I can access the internet for about 5 minutes before I lose it and get "could not connect" type messages from my browser. After investigating further I noticed something interesting in the router's security log: a UDP flood. I'll put the log below:


```
03/31/2010  17:29:33 **UDP Flood to Host** 192.168.2.2, 56853->> 158.43.240.4, 53 (from ATM1 Outbound)
03/31/2010  17:29:32 **UDP Flood to Host** 192.168.2.2, 56853->> 194.72.0.98, 53 (from ATM1 Outbound)
03/31/2010  17:29:31 **UDP Flood to Host** 192.168.2.2, 56853->> 8.8.8.8, 53 (from ATM1 Outbound)
03/31/2010  17:29:22 **SYN Flood to Host** 192.168.2.2, 50549->> 72.21.81.133, 80 (from ATM1 Outbound)
03/31/2010  17:29:05 192.168.2.2 login success
03/31/2010  17:29:00 NTP Date/Time updated.   
08/01/2003  00:00:16 If(ATM1) PPP connection ok !
08/01/2003  00:00:15 ATM1 get IP:86.146.56.136
08/01/2003  00:00:13 ATM1 start PPP           
08/01/2003  00:00:13 ADSL Media Up !          
08/01/2003  00:00:01 sending ACK to 192.168.2.2
```
There's also a SYN flood just before the others.

Anyone have a clue about why this might be happening? Am I on the receiving end of someone just having fun giving me a DDoS attack, or have I got a dodgy configuration somewhere? I've scanned my computer with AVG to no avail.

Oh, also, I can still access the internet wirelessly, even when the internet is unavailable on the wired computer.

EDIT: here's a pingtest result. Yes, that is 96% packet loss.

EDIT2: latest security log:

```
03/31/2010  19:11:51 **SYN Flood to Host** 192.168.2.2, 51439->> 72.21.81.133, 80 (from ATM1 Outbound)
03/31/2010  19:10:02 **UDP Flood to Host** 192.168.2.2, 8080->> 213.229.66.233, 8080 (from ATM1 Outbound)
03/31/2010  19:06:31 sending ACK to 192.168.2.4
03/31/2010  19:06:31 sending OFFER to 192.168.2.4
03/31/2010  18:51:32 sending ACK to 192.168.2.3
03/31/2010  18:48:36 **UDP Flood to Host** 192.168.2.2, 59068->> 158.43.240.4, 53 (from ATM1 Outbound)
03/31/2010  18:48:35 **UDP Flood to Host** 192.168.2.2, 63235->> 194.72.0.98, 53 (from ATM1 Outbound)
03/31/2010  18:48:34 **UDP Flood to Host** 192.168.2.2, 58891->> 8.8.8.8, 53 (from ATM1 Outbound)
03/31/2010  18:01:53 sending ACK to 192.168.2.5
03/31/2010  17:54:14 192.168.2.2 login success 
03/31/2010  17:54:10 sending ACK to 192.168.2.5
03/31/2010  17:53:32 **SYN Flood to Host** 192.168.2.2, 51078->> 72.21.81.133, 80 (from ATM1 Outbound)
03/31/2010  17:53:29 sending ACK to 192.168.2.3
03/31/2010  17:52:54 NTP Date/Time updated.    
08/01/2003  00:00:20 If(ATM1) PPP connection ok !
08/01/2003  00:00:19 ATM1 get IP:86.128.35.104 
08/01/2003  00:00:14 ATM1 start PPP            
08/01/2003  00:00:14 ADSL Media Up !           
08/01/2003  00:00:03 sending ACK to 192.168.2.2
```


----------



## zx10guy (Mar 30, 2008)

Are you running any peer to peer software?


----------



## 01993james (Mar 31, 2010)

No. I saw a thread saying that P2P might be the problem, but I haven't run utorrent in AGES; plus, in the security log it says ports 80 and 53, which aren't P2P ports.


----------



## zx10guy (Mar 30, 2008)

Well, you have something screwy going on with whatever PC is sitting on 192.168.2.2, because the traffic is originating from that box going outbound. The only time I've seen this type of behavior is if there is some sort of peer to peer software running on that box or the box has been compromised in some fashion. Since you said you haven't run utorrent in ages, this would indicate to me that at some time you had it running on this computer.

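To make the point above concrete (every alert in the quoted logs names 192.168.2.2 on the LAN side and is marked Outbound), here is an added parser for this Belkin log format. It is written for this thread, not taken from any router firmware; the sample lines are copied from the posts above, and the port-to-service mapping is my own assumption.

```python
import re
from collections import Counter

# Sample lines copied from the Belkin security log quoted in this thread.
LOG = """\
03/31/2010  17:29:33 **UDP Flood to Host** 192.168.2.2, 56853->> 158.43.240.4, 53 (from ATM1 Outbound)
03/31/2010  17:29:32 **UDP Flood to Host** 192.168.2.2, 56853->> 194.72.0.98, 53 (from ATM1 Outbound)
03/31/2010  17:29:31 **UDP Flood to Host** 192.168.2.2, 56853->> 8.8.8.8, 53 (from ATM1 Outbound)
03/31/2010  17:29:22 **SYN Flood to Host** 192.168.2.2, 50549->> 72.21.81.133, 80 (from ATM1 Outbound)
03/31/2010  17:29:05 192.168.2.2 login success
03/31/2010  19:10:02 **UDP Flood to Host** 192.168.2.2, 8080->> 213.229.66.233, 8080 (from ATM1 Outbound)
"""

# The arrow runs from the LAN host:port to the remote host:port, and the
# trailing "(from ATM1 Outbound)" gives the interface and direction.
FLOOD_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\*\*(?P<kind>UDP|SYN) Flood to Host\*\*\s+"
    r"(?P<host>[\d.]+),\s*(?P<hport>\d+)->>\s*(?P<peer>[\d.]+),\s*(?P<pport>\d+)"
    r"\s+\(from (?P<iface>\w+) (?P<dir>Inbound|Outbound)\)$"
)

# Assumed mapping of well-known remote ports to service names (my own, not the router's).
SERVICES = {53: "DNS", 80: "HTTP"}

def parse_floods(text):
    """Return one dict per flood alert; DHCP, NTP and login lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FLOOD_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["hport"], ev["pport"] = int(ev["hport"]), int(ev["pport"])
            events.append(ev)
    return events

def summarize(events):
    """Group alerts by LAN host and direction so the noisy machine stands out."""
    by_host = {}
    for ev in events:
        s = by_host.setdefault(ev["host"], {"outbound": 0, "inbound": 0, "services": Counter()})
        s[ev["dir"].lower()] += 1
        s["services"][SERVICES.get(ev["pport"], str(ev["pport"]))] += 1
    return by_host

if __name__ == "__main__":
    for host, s in summarize(parse_floods(LOG)).items():
        print(host, s["outbound"], "outbound /", s["inbound"], "inbound", dict(s["services"]))
```

Run against the full log, the summary shows a single LAN host generating all alerts, which is what points at that machine rather than at the ISP line.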

----------



## 01993james (Mar 31, 2010)

IP 192.168.2.2 is the computer which I can't access the internet on.
And yes, to confirm, I have run utorrent before.

Should I try running a few antivirus scans with stuff like MBAM and Kaspersky?


----------



## zx10guy (Mar 30, 2008)

Yes. You can try that. But personally, when a box gets compromised, it's a total rebuild for me. Meaning, the entire box is going to get wiped and reloaded.


----------



## Saga Lout (Sep 15, 2004)

Oh dear - your location could have something to do with it. Without giving out any personal information, roughly how far within that fifty miles of an MK server are you? Ten miles or so to the south and you might have been affected by the damage caused to some cabling yesterday. In the MK area itself, it could just be the cheapskate aluminium cables they used when putting in the infrastructure.


----------



## 01993james (Mar 31, 2010)

Sigh, but it's only like 1-2 months old. I might try a system restore to the earliest time I have.

When you say compromised, do you mean a virus or what? Because if it is a virus, then I'm sure it can be removed. :S


----------



## 01993james (Mar 31, 2010)

@saga lout

I am about 30 miles west by south west, which is not far north west of Oxford.

Still a chance? I'm not sure it would cause a problem like this though :S


----------



## Saga Lout (Sep 15, 2004)

01993james said:


> @saga lout
> 
> I am about 30 miles west by south west, which is not far north west of Oxford.
> 
> Still a chance? I'm not sure it would cause a problem like this though :S


Probably not then - that problem was to the South by the A5 road. Reading the thread through again, your problem is internal. Are there three machines in the Network?


----------



## zx10guy (Mar 30, 2008)

01993james said:


> Sigh, but it's only like 1-2 months old. I might try a system restore to the earliest time I have.
> 
> When you say compromised, do you mean a virus or what? Because if it is a virus, then I'm sure it can be removed. :S


A system restore might help. Something is going on where there is something running on your box sending out this traffic in enough quantity where your router is flagging it as a UDP flood. This behavior is unusual in any normal circumstance even if there is some sort of OS issue. Hence why I feel the box has some sort of malware issue with it.

In regards to running anti-virus/anti-malware tools, it *may* remove the offending code and then again it may not. Too many people put too much emphasis on these things. The tools are only as good as their signature files and modeling engines. If there is some new virus out in the wild which no one has been able to detect yet, guess what....

That's why I say to be sure, you need to do a complete wipe and reload. This is also why I run utilities like Deep Freeze and do periodic images of my laptop which I use to touch the internet. If anything goes wrong, all I have to do is re-image the hard drive. I also don't keep any data on the hard drive. All data is saved off on thumb drives, external hard drives, or my central file server.

And I doubt this is a hardware issue.


----------



## 01993james (Mar 31, 2010)

Saga Lout said:


> Probably not then - that problem was to the South by the A5 road. Reading the thread through again, your problem is internal. Are there three machines in the Network?


```
192.168.2.2 - Nero
192.168.2.3 - foo
192.168.2.4 - lappie
192.168.2.5 - iPod-touch
```

Those are the clients listed by my router. Nero is the "infected" one, foo is downstairs as a desktop, and lappie is, guess what, a laptop.


----------



## 01993james (Mar 31, 2010)

zx10guy said:


> A system restore might help. Something is going on where there is something running on your box sending out this traffic in enough quantity where your router is flagging it as a UDP flood. This behavior is unusual in any normal circumstance even if there is some sort of OS issue. Hence why I feel the box has some sort of malware issue with it.
> 
> In regards to running anti-virus/anti-malware tools, it *may* remove the offending code and then again it may not. Too many people put too much emphasis on these things. The tools are only as good as their signature files and modeling engines. If there is some new virus out in the wild which no one has been able to detect yet, guess what....
> 
> ...


Ok, well I'm running MBAM now. I'll see what crops up.

I image my computer, but due to the fact that I only have a 500GB external drive, I can only store 1 image, and I choose to keep it updated in case of a HDD failure or something like that.

Also: I want a file server! I've thought of getting windows home server a few times before :3


----------

