# DOS: ACK Scans?!?



## medican1 (Sep 18, 2015)

Hey guys,

I'm brand new here, created my account specifically so I could post here about this issue that I've been having.

If it's at all helpful - I have a Netgear Nighthawk R7000 router at home, Optimum as my ISP and maybe 10 total devices connected: 2 laptops, 2 smartphones, 2 tablets, PS4, printer, etc. 

I'm somewhat technologically savvy but I don't ever, ever check my router logs. I happened to check them tonight and saw "DOS ACK Scan" on there several times and got anxious when I saw the dreaded D-O-S word. 

The first cluster that I saw:

*[DoS attack: ACK Scan] attack packets in last 20 sec from ip [159.153.21.134], Thursday, Sep 17,2015 22:37:23
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [159.153.21.134], Thursday, Sep 17,2015 21:07:01
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [159.153.21.134], Thursday, Sep 17,2015 20:18:49*

The IP address here belongs to Electronic Arts, which makes sense because I was playing Madden 16 at the time of all of these. I remember while I was playing Madden that it would come up and say "loading..." and then re-log me in to their servers.

Going through more of my logs, I then came across this:

*[DoS attack: ACK Scan] attack packets in last 20 sec from ip [65.55.113.7], Wednesday, Sep 16,2015 17:07:56*

The IP address here belongs to Microsoft, but what confuses me about this is that neither my fiancé nor I was home at the time this occurred. We bring our computers with us to work/school and only have our Canon printer and Amazon Fire Stick always attached to the network when we're not home, because all of our other devices are on us.

Came across this one:

*[DoS attack: ACK Scan] attack packets in last 20 sec from ip [159.153.21.134], Saturday, Sep 12,2015 22:31:28*

This is the same IP from above that belongs to Electronic Arts. Again, I remember the same thing happening with Madden where it would come up "loading..." and re-log me in to their servers.

After seeing these, I've been somewhat anxious and worried that there is some sort of shady behavior going on within my network. I've done malware scans on both of our computers (Windows PC and MacBook) with no detections.

I've read a little about it and I believe if I interpreted it correctly that ACK scans are just port scans, but even so - is this something to worry about? If so, how can I fix it?

Thanks for all the help guys!


----------



## OneMoar (Sep 18, 2015)

Ignore it.
False warning; the router's firewall table is likely just miscategorising it.
Could be EA services attempting to connect to Madden for status and bouncing off the router's firewall as well.


----------



## medican1 (Sep 18, 2015)

OneMoar said:


> Ignore it.
> False warning; the router's firewall table is likely just miscategorising it.
> Could be EA services attempting to connect to Madden for status and bouncing off the router's firewall as well.



What would the explanation be then for the Microsoft IP?


----------



## OneMoar (Sep 18, 2015)

medican1 said:


> What would the explanation be then for the Microsoft IP?


Your Netgear router sucks at iptables.
Consumer routers are set up to be as paranoid as possible, and filter/restrict _everything_ by default.
No hax0rs are DDoSing you, it's fine, ignore it.


----------



## medican1 (Sep 18, 2015)

OneMoar said:


> Your Netgear router sucks at iptables.
> Consumer routers are set up to be as paranoid as possible, and filter/restrict _everything_ by default.
> No hax0rs are DDoSing you, it's fine, ignore it.



This does not lead you to be worried about it at all? This doesn't exhibit shady behavior?

Could you elaborate on how the Microsoft DoS came up when there wasn't a computer attached to the network?


----------



## OneMoar (Sep 18, 2015)

medican1 said:


> This does not lead you to be worried about it at all? This doesn't exhibit shady behavior?
> 
> Could you elaborate on how the Microsoft DoS came up when there wasn't a computer attached to the network?


Take the tin-foil hat off, please.
Likely simply a machine on the network probing for an open port, or a request that timed out after the WAN connection went offline.
It's normal network traffic; if you were under attack you would know it.
And even if you were, there would be exactly nothing you could do about it anyway. The firewall is doing what the firewall is intended to do: filter unnecessary or unwanted traffic and notify you that it's doing so.
20 seconds is a pretty short window; likely it's set to be over-sensitive.


----------



## Aquinus (Sep 18, 2015)

OneMoar said:


> Take the tin-foil hat off, please.
> Likely simply a machine on the network probing for an open port, or a request that timed out after the WAN connection went offline.
> It's normal network traffic; if you were under attack you would know it.
> And even if you were, there would be exactly nothing you could do about it anyway. The firewall is doing what the firewall is intended to do: filter unnecessary or unwanted traffic and notify you that it's doing so.
> 20 seconds is a pretty short window; likely it's set to be over-sensitive.


This. A true DoS or DDoS attack would result in hundreds of packets in, say, a minute's time, and it usually happens when you have something publicly facing that isn't blocked by a firewall, such as a DNS server.

As @OneMoar said, nothing to worry about. NetGear just sucks at doing iptables.
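
The two things this reply and the original post give us, the exact log format and the rule of thumb that a real flood means many hits from one source inside a minute, are easy to make mechanical. The block below is an added example, not code from the thread or from Netgear: it parses the five entries quoted in the post, plus one constructed flood for contrast, and rates each source by its peak number of entries in any one-minute window. The window and the threshold of five are assumed values, chosen to match the "hundreds in a minute versus one every few hours" distinction drawn above.

```python
# Added example (not from the thread or Netgear): parse "[DoS attack: ...]"
# log lines and rate each source by how bursty it is. The idea that a real
# flood shows up as many hits from one source inside a minute follows the
# reply above; the exact window and threshold are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] attack packets in last (?P<win>\d+) sec "
    r"from ip \[(?P<ip>[\d.]+)\], (?P<ts>\w+, \w+ \d+,\d{4} \d\d:\d\d:\d\d)"
)
TS_FMT = "%A, %b %d,%Y %H:%M:%S"   # e.g. "Thursday, Sep 17,2015 22:37:23"

# The five entries quoted in the thread, verbatim.
SAMPLE_LOG = """\
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [159.153.21.134], Thursday, Sep 17,2015 22:37:23
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [159.153.21.134], Thursday, Sep 17,2015 21:07:01
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [159.153.21.134], Thursday, Sep 17,2015 20:18:49
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [65.55.113.7], Wednesday, Sep 16,2015 17:07:56
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [159.153.21.134], Saturday, Sep 12,2015 22:31:28
"""

# Constructed, not from the thread: what a sustained flood would look like,
# one log line every 4 seconds from one source for a minute.
FLOOD_LOG = "".join(
    "[DoS attack: SYN Flood] attack packets in last 20 sec from ip [203.0.113.9], "
    f"Friday, Sep 18,2015 03:00:{s:02d}\n"
    for s in range(0, 60, 4)
)


def parse(log_text):
    """Return one dict per DoS line; other router log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        events.append({
            "kind": m["kind"],
            "ip": m["ip"],
            "window": int(m["win"]),
            "time": datetime.strptime(m["ts"], TS_FMT),
        })
    return events


def rate(events, window=timedelta(minutes=1), flood_hits=5):
    """Per source: total hits, peak hits inside any `window`, and a verdict.

    A source whose peak stays at one or two entries per minute is the
    sporadic noise described in the thread; `flood_hits` or more inside a
    single window is the sustained pattern worth investigating.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["time"])
    report = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, lo = 0, 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        report[ip] = {
            "hits": len(times),
            "peak_per_window": peak,
            "verdict": ("sustained, investigate" if peak >= flood_hits
                        else "sporadic, expected noise"),
        }
    return report


if __name__ == "__main__":
    for src, info in {**rate(parse(SAMPLE_LOG)), **rate(parse(FLOOD_LOG))}.items():
        print(f"{src:16} hits={info['hits']:3} peak/min={info['peak_per_window']:3}  {info['verdict']}")
```

Run against the thread's own entries, every source peaks at one entry per minute (the EA address has four hits spread over five days), which is the sporadic pattern the replies call noise; the constructed flood peaks at fifteen in a minute and is the only thing the verdict flags.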


----------



## medican1 (Sep 18, 2015)

Aquinus said:


> This. A true DoS or DDoS attack would result in hundreds of packets in, say, a minute's time, and it usually happens when you have something publicly facing that isn't blocked by a firewall, such as a DNS server.



I knew for the most part that if it was a DoS, that it would be consistent for a period of time with logs coming in. The times are so sporadic, that I didn't think it was necessarily bad, but wanted an opinion of someone who knows more than me on this topic.

I know I did a malware check already on both computers that came back clear, but could this be the result of some sort of undetected malware that I have on my network?

Really appreciate the help guys!


----------



## Frick (Sep 18, 2015)

And things will come a-knocking anyway, sniffing around. It's in the nature of the internet. And nah, not malware. Keep away from shady sites and pirating strange and exotic things, don't open attachments you don't trust or links that point to this-is-totally-battle.net, and so on, and you'll be fine, unless someone of some bizarre nature is out to get you personally. Keep your software updated as well.

What average Joes should fear is ID theft and social network hacks (and cryptoviruses, but if you follow what I wrote above it's not likely you'll get one of those). Not much sense in DoSing a random guy just like that, especially not when social engineering is so much easier and faster.


----------



## medican1 (Sep 18, 2015)

Frick said:


> And things will come a-knocking anyway, sniffing around. It's in the nature of the internet. And nah, not malware. Keep away from shady sites and pirating strange and exotic things, don't open attachments you don't trust or links that point to this-is-totally-battle.net, and so on, and you'll be fine, unless someone of some bizarre nature is out to get you personally. Keep your software updated as well.
> 
> What average Joes should fear is ID theft and social network hacks (and cryptoviruses, but if you follow what I wrote above it's not likely you'll get one of those). Not much sense in DoSing a random guy just like that, especially not when social engineering is so much easier and faster.



As far as shady activities go - we don't go on shady sites, we never pirate anything, haven't ever manually opened a port to the router and don't ever open or let my fiancé open strange attachments.

I do remember seeing this after doing a firmware update on the router, if that is important at all. Never checked the logs much before that.

Do you think it's worth it to call up my ISP (Optimum) and ask them to change our IP address? Could that potentially fix it?


----------



## Frick (Sep 18, 2015)

medican1 said:


> Do you think it's worth it to call up my ISP (Optimum) and ask them to change our IP address? Could that potentially fix it?



As the others hinted at, there's nothing to actually fix. If you want to, you can keep an eye out, and when you get a thousand of them in a few seconds then sure, there might be time to do something (beginning with troubleshooting, because it would likely be a bug rather than an attack), but until then sail on as usual and forget about it. If you really want to get paranoid, download Wireshark and marvel at just how much data is shoveled to and from your machine. If Netgear indeed sucks at iptables (which is likely) then it's not strange that some of the packets will be falsely flagged as dangerous.

Trust @OneMoar and @Aquinus. They tend to know their stuff, even if at least one of them sucks at punctuation.


----------



## Aquinus (Sep 18, 2015)

medican1 said:


> Do you think it's worth it to call up my ISP (Optimum) and ask them to change our IP address? Could that potentially fix it?


No. You're going to get spurious traffic from strange sources. It's going to happen. There is a very good reason why I DROP packets on my gateway and don't REJECT them, but that's a discussion for people who use Linux as a router or gateway server. Also, it's entirely possible that it's just some service that you're connecting to where the other server is trying to see if it can open a connection back to the computer. Usually this doesn't work and requires an established connection that was initiated by your computer (to make NAT traversal possible), so it's entirely possible that they're just legitimate packets getting dropped that aren't required for regular functioning (if the IP belongs to a legitimate company, such as Microsoft).

Simple fact is that you have nothing to worry about. The fact that you're seeing those messages means that the firewall is at least doing its job (or attempting to), so I wouldn't worry about it.

Let me put it another way: the worst of attacks are the ones that aren't going to show up in a firewall log. They'll be ones where you have an open vulnerability that you most likely know nothing about.

Also, you can reset the IP yourself if it's dynamic. Just turn your router off for the DHCP lease time or spoof a different MAC address.



Frick said:


> Trust @OneMoar and @Aquinus. They tend to know their stuff, even if at least one of them sucks at punctuation.


I see what you did there.


----------



## medican1 (Sep 18, 2015)

Aquinus said:


> Also, you can reset the IP yourself if it's dynamic. Just turn your router off for the DHCP lease time or spoof a different MAC address.



I actually tried that twice - had my router and modem disconnected for 30-45 minutes, booted it all back up and had the same IP. Did it again overnight, had the same IP so I believe Optimum uses static-IPs.



Frick said:


> If you really want to get paranoid, download Wireshark and marvel at just how much data is shoveled to and from your machine.



Frick, I am actually familiar with Wireshark. My professor for my Computer Networks class in college made us download and play with it. It was actually really, really interesting IMO.


----------



## Frick (Sep 18, 2015)

medican1 said:


> Frick, I am actually familiar with Wireshark. My professor for my Computer Networks class in college made us download and play with it. It was actually really, really interesting IMO.



Then you know why this is a non-issue.


----------



## remixedcat (Sep 18, 2015)

It's Microsoft trying to force-feed you Windows 10.


----------



## medican1 (Sep 27, 2015)

Hey guys,

I'm back again after seeing something that I don't understand.

I've been still checking my router logs occasionally to see if there is anything strange going on, and I've just been seeing the same [DoS Attack: ACK Scan] items from the EA IP address before (always occurs when I play madden, for some reason).

Anyways, I was scrolling through my logs and came across this:

*[DoS attack: Smurf] attack packets in last 20 sec from ip [79.100.236.255], Saturday, Sep 26,2015 00:05:56*

After doing a bit of research, I came to the conclusion that Smurf attacks aren't nearly as innocent as ACK scans, but I don't fully understand what is going on. Also, the IP address is associated with "Vivacom" out of Bulgaria. What is this, and is this something to be worried about?

EDIT: I guess I should also post that this is the only "Smurf" attack that I've seen in my logs, and this is also the first time that I've seen that IP in my logs.
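
Two points in this thread can be made concrete with a small model: Aquinus's explanation earlier that a packet from outside is accepted only when it matches a connection a LAN host opened first (and that a gateway which DROPs, unlike one which REJECTs, tells the sender nothing), and the "Smurf" label in this post. A Smurf attack sends ICMP echo requests to a network's broadcast address with the victim's address forged as the source, so every host on that network answers the victim at once. 79.100.236.255 is the last address of a /24, which is what a directed-broadcast address looks like, so a router rule that tags an echo reply from such a source as "Smurf" is a plausible, though assumed, explanation for a single entry. The block below is an added example, not the thread's code or Netgear's firmware; the 20-second window, the threshold of three, the traffic, and the Smurf heuristic are all constructed assumptions.

```python
# Added example (not the thread's code nor Netgear firmware): a toy stateful
# gateway showing why an inbound ACK that matches no connection a LAN host
# opened is dropped and counted, why DROP is preferred over REJECT, and how
# an echo reply from a broadcast-looking source can earn a "Smurf" label.
# WINDOW mirrors the "last 20 sec" wording in the log; THRESHOLD and the
# Smurf heuristic are assumptions, the real firmware rules are not public.
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW = 20.0      # seconds
THRESHOLD = 3      # unsolicited packets from one source per window before logging


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags: "S", "SA", "A", "R"
    icmp_type: str = ""   # "echo-request", "echo-reply", "unreachable"
    t: float = 0.0        # arrival time, seconds


@dataclass
class Gateway:
    lan: str                          # LAN prefix, e.g. "192.168.1."
    policy: str = "DROP"              # "DROP" (silent) or "REJECT" (answers back)
    conntrack: set = field(default_factory=set)
    hits: dict = field(default_factory=lambda: defaultdict(list))
    log: list = field(default_factory=list)
    sent_back: list = field(default_factory=list)

    @staticmethod
    def key(p):
        # Direction-independent 5-tuple so a reply matches the request's entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    @staticmethod
    def classify(p):
        if p.proto == "tcp" and p.flags == "A":
            return "ACK Scan"
        if p.proto == "icmp" and p.icmp_type == "echo-reply" and p.src.endswith(".255"):
            return "Smurf"   # assumed heuristic: echo reply from a .255 (broadcast-looking) source
        return "Unsolicited"

    def count(self, kind, p):
        # Keep only this source's hits inside the window, then add the new one.
        recent = [t for t in self.hits[(kind, p.src)] if p.t - t <= WINDOW] + [p.t]
        self.hits[(kind, p.src)] = recent
        if len(recent) == THRESHOLD:  # one line per burst, in the router's own format (timestamp omitted)
            self.log.append(f"[DoS attack: {kind}] attack packets in last {int(WINDOW)} sec from ip [{p.src}]")

    def handle(self, p):
        if p.src.startswith(self.lan):
            self.conntrack.add(self.key(p))   # a LAN host opened or continued a flow
            return "ACCEPT"
        if self.key(p) in self.conntrack:     # reply to something a LAN host started
            return "ACCEPT"
        self.count(self.classify(p), p)       # unsolicited: count it, then decide
        if self.policy == "REJECT":
            # REJECT answers with an RST or ICMP unreachable, so the sender
            # learns something is alive at this address. DROP says nothing.
            if p.proto == "tcp":
                back = Packet(p.dst, p.src, "tcp", p.dport, p.sport, "R", t=p.t)
            else:
                back = Packet(p.dst, p.src, "icmp", icmp_type="unreachable", t=p.t)
            self.sent_back.append(back)
            return "REJECT"
        return "DROP"


def scenario(policy="DROP"):
    """Replay the thread's situation against the toy gateway (constructed traffic)."""
    gw = Gateway(lan="192.168.1.", policy=policy)
    # 1. The PS4 opens a session to the EA address; the SYN/ACK matches conntrack.
    gw.handle(Packet("192.168.1.20", "159.153.21.134", "tcp", 50000, 443, "S", t=0.0))
    reply = gw.handle(Packet("159.153.21.134", "192.168.1.20", "tcp", 443, 50000, "SA", t=0.1))
    # 2. After the game re-logs in, the server keeps sending ACKs for the old,
    #    now-unknown port: three inside 20 seconds produce one log line.
    acks = [gw.handle(Packet("159.153.21.134", "192.168.1.20", "tcp", 443, 50001, "A", t=5.0 + i))
            for i in range(3)]
    # 3. An echo reply arrives from a broadcast-looking address nobody pinged.
    smurf = gw.handle(Packet("79.100.236.255", "192.168.1.1", "icmp", icmp_type="echo-reply", t=30.0))
    return gw, reply, acks, smurf


if __name__ == "__main__":
    gw, reply, acks, smurf = scenario("DROP")
    print(reply, acks, smurf, gw.log, len(gw.sent_back))
```

With the DROP policy the SYN/ACK is accepted, the three stray ACKs are dropped silently and produce exactly one "ACK Scan" line, the lone echo reply is classified "Smurf" but never reaches the threshold, and nothing is sent back to either source. Switching the policy to REJECT changes none of the verdict logic but sends four packets back out, which is the information leak Aquinus's DROP-not-REJECT remark is about.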


----------



## Ikaruga (Sep 27, 2015)

Try to boot from a Linux USB stick and see if you still get it (make sure you have nothing else using the router during the test, not even other wireless devices; turn off the radio if you can). I'm very lucky because I get a new IP every time I change my MAC address in the router, and the IP stays the same for a year if I don't touch the MAC (to make it more awesome, I get 3 unique IPs at the same time if I plug a switch into the modem... but that's another story), so try to clone the MAC address of your PC, for example, and see if you get a new IP or not (modem + router OFF/ON needed).


----------



## jboydgolfer (Sep 27, 2015)

Just disable the "Log attempted DoS attack" option in your router log menu. Skype shows as DoS for me sometimes, as well as MOST Apple devices' communication to the mothership, along with MANY other services and devices.


----------



## medican1 (Sep 27, 2015)

Ikaruga said:


> Try to boot from a Linux USB stick and see if you still get it (make sure you have nothing else using the router during the test, not even other wireless devices; turn off the radio if you can). I'm very lucky because I get a new IP every time I change my MAC address in the router, and the IP stays the same for a year if I don't touch the MAC (to make it more awesome, I get 3 unique IPs at the same time if I plug a switch into the modem... but that's another story), so try to clone the MAC address of your PC, for example, and see if you get a new IP or not (modem + router OFF/ON needed).



I don't have a bootable Linux drive, unfortunately, and I hate Linux (but that's for another day).

Would you think this is something to be concerned about? What exactly is a Smurf attack? I tried to research it a bit, but didn't fully understand the material.


----------



## Ikaruga (Sep 27, 2015)

medican1 said:


> I don't have a bootable Linux drive, unfortunately, and I hate Linux (but that's for another day).
> 
> Would you think this is something to be concerned about? What exactly is a Smurf attack? I tried to research it a bit, but didn't fully understand the material.


Then make a bootable Windows pendrive, or try safe mode with networking at least... You could also set up Wireshark and see if anything is happening from/towards that IP. If you don't understand networking, then your best bet is to take the router and bring it to your friend's house. Use it there for an hour and see if it shows the same behavior or not. If it does, then you can start messing around with the settings; if not, then it's an attack indeed, or one of your PCs doing something nasty, or just something normal that the router misinterprets.


----------



## Rhyseh (Sep 28, 2015)

Honestly this is normal. There are constantly port-scans running from servers all over the world. Some of it can be malicious, most of what you are seeing probably isn't. Regardless the only thing you can do to stop this is to disconnect from the internet. Other than that you have to trust your border devices to manage the traffic appropriately.


----------






## Solaris17 (Sep 28, 2015)

Rhyseh said:


> Honestly this is normal. There are constantly port-scans running from servers all over the world. Some of it can be malicious, most of what you are seeing probably isn't. Regardless the only thing you can do to stop this is to disconnect from the internet. Other than that you have to trust your border devices to manage the traffic appropriately.


^ This

The internet is like space if you watch your logs carefully enough you can see all the noise.


----------



## 95Viper (Sep 28, 2015)

Also, if you sync any accounts, such as OneDrive (or some equivalents), Steam, Origin, Hotmail, Outlook, Inrix, Google, or thousands of others with your home PC, laptop, tablet, and even your smartphones... they will try to do what they are supposed to do: sync with the devices they are set to sync with. They are probably looking to the last location (address) they had.

Then, there is the noise in the ether, like Solaris17 is speaking of... 99.9% harmless.


----------



## OneMoar (Sep 28, 2015)

Someone kill this thread with fire and take away the OP's access to his router's configuration page before he hurts himself or somebody else.


----------



## OneMoar (Sep 28, 2015)

Frick said:


> Then you know why this is a non-issue.


You are assuming they aren't teaching him wrong, which is highly probable.
tl;dr stop reading the log and stop googling stuff.


----------

