# Router DoS Attack Logs



## lwgnlseven (Nov 10, 2013)

Hey guys. I was wondering if you could help me understand DoS Attacks and if I should be concerned. I noticed today while playing Battlefield 3, I was lagging like crazy, so I decided to check my router logs. I noticed a whole bunch of DoS Attacks. I had no idea what they where and thought someone was trying to flood my internet. After doing a bit more research, some of the IP's were coming from Electronic Arts (BF3) I reset the router (Netgear WNDR3700v4) and those attacks are still showing up, but less frequent. Are these normal to appear? Should I be concerned?

[DoS Attack: RST Scan] from source: 23.21.239.206, port 80, Sunday, November 10, 2013 00:47:01

Some research on this IP shows the following information.

http://db-ip.com/23.21.239.206

I'm seeing amazon.com as a common DoS Attack: RST Scan. I'm not even on amazon.com or using any amazon software I don't believe. What do these scans mean? Should I just ignore these attacks?


----------



## remixedcat (Nov 10, 2013)

The scans are coming from crafted instances hosted on Amazon's EC2 cloud hosting servers.

People create a virtual appliance on thier cloud servers that is used to do things like DDoS networks/servers, crack passwords, etc.  (Since you can pretty much make any kind of virtual machine instance you want)

People select EC2 becuase it's rarely monitored due to the sheer number of instances on it, as well as the client needing to pay them to actually be noticed by them (they do not have free support at all) This makes it attractive to hackers due to the fact they likely won't get caught as easy as a typical hosting company.


----------



## Kaynar (Nov 10, 2013)

I also get "Possible DoS attack detected" on a daily basis with IPs coming from amazon.com, cloudflare, google and several other USA based IPs. There's nothing I can do about it. Tried a format (since I needed one anw), got new IP every 2-3 days but nothing helps. To me it seems the servers of my provider (Orange UK) have a problem ^^.

The major problem I have is that the NAT Table is actually up to 15 pages long (that's a shitload of entries) for just 2 computers in the house and we don't even download torrents or visit weird websites...


----------



## Frick (Nov 10, 2013)

So what exactly do they see as a Possible DoS attack? A friend had tons of "possible fragmentation attacks", because F-secure was set to block any packets below 256 bytes, which is nonsense.


----------



## remixedcat (Nov 10, 2013)

What's funny in my router logs I see this:



> Nov 10 06:48:01  DoS: Port Scan Attack source=31.13.78.71 destination=*redacted*



and the IP is from Facebook Ireland.. LOL.


----------



## de.das.dude (Nov 10, 2013)

yeah, once i got a IP from mexico trying to log in to my facebook XD


----------



## Frick (Nov 10, 2013)

Are port scans attacks now? 

Someone likened being connected to the internet as someone knocking on the door every second, feeling the handle every minute and sometimes brings a crowbar.


----------



## remixedcat (Nov 10, 2013)

The router has a "port scan" option in the firewall settings and therefore, appears in the logs when firewall configured to show.

Sonicwall firewalls have the same entries in the logs as well.


----------



## Frick (Nov 10, 2013)

remixedcat said:


> The router has a "port scan" option in the firewall settings and therefore, appears in the logs when firewall configured to show.
> 
> Sonicwall firewalls have the same entries in the logs as well.



Yeah it's good that you can log it, I just find it funny they call it an attack.


----------



## remixedcat (Nov 10, 2013)

It's worse with sonicwall firewalls lots of people are like  about it...


----------



## lwgnlseven (Nov 10, 2013)

Thank you for the responses. But should I be concerned about any of this? IS someone trying to hack my computer? Is my router doing its job by blocking these attacks? And is this a normal occurrence for others?

Here are 2 more entries this morning. I disconnected the modem for 30+ minutes. I did get a new IP address. These 2 new entries appeared within 30 minutes or so of re connecting the modem.

[DoS Attack: SYN/ACK Scan] from source: 46.105.108.205, port 80, Sunday, November 10, 2013 09:29:17
[DoS Attack: SYN/ACK Scan] from source: 37.143.9.236, port 135, Sunday, November 10, 2013 09:50:16
[DoS Attack: SYN/ACK Scan] from source: 198.50.178.20, port 80, Sunday, November 10, 2013 10:16:42
[DoS Attack: SYN/ACK Scan] from source: 91.214.70.140, port 8877, Sunday, November 10, 2013 10:17:53
[DoS Attack: RST Scan] from source: 204.186.215.44, port 443, Sunday, November 10, 2013 10:22:10
[DoS Attack: SYN/ACK Scan] from source: 94.23.157.190, port 27033, Sunday, November 10, 2013 10:22:55
[DoS Attack: SYN/ACK Scan] from source: 74.217.75.7, port 80, Sunday, November 10, 2013 12:53:27

Google search of the 37.143.9.236 shows results from websites called "malwr.com" analysis. Is this malware? I don't know much of anything about these DoS Attacks....should I be concerned about this?
Google search of the 94.23.157.190 reports a CS:GO server. I don't even own CS:GO or have ever played it.
___________________________________________________________________________________________________________________________________________________________________________________
I've found some other responses to other people about these DoS attacks and someone posted this...

"Perfectly normal random internet noise, which is being blocked as it should be.

Quote:
1 every minute is abit worry me.

No need. One port scan a minute is nothing. You could have 100 port scans a minute and it wouldn't be a problem. These port scans aren't personally targetted at you, but bots scanning entire IP ranges randomly, and your IP happens to be part of one being scanned."

Is this guy right? Why is this happening? I've never monitored my logs before, it could have been doing this all along. It just seems "not normal" to see all of these "attacks" on my router. Are they really "attacks"? or just normal internet trafficking?

I scanned all 4 computers in the house with MalwareBytes - Antimalware. My dad's computer had 5 malware on it, all 5 were removed. I rebooted the computer, then rebooted the router, and had another DoS attack right after that. 
[DoS Attack: SYN/ACK Scan] from source: 74.217.75.7, port 80, Sunday, November 10, 2013 12:53:27


----------



## remixedcat (Nov 10, 2013)

THAT is a wide range of IP addresses! 

You should be ok. Now if your router has a weak processor then that would kinda bog it down, however most modern routers can deal with it fine. Some routers these days are faster then some android phones people use. My router's CPU speed 660Mhz is faster then my mom's LG phone 600Mhz. LOL.


----------



## lwgnlseven (Nov 10, 2013)

remixedcat said:


> THAT is a wide range of IP addresses!
> 
> You should be ok. Now if your router has a weak processor then that would kinda bog it down, however most modern routers can deal with it fine. Some routers these days are faster then some android phones people use. My router's CPU speed 660Mhz is faster then my mom's LG phone 600Mhz. LOL.



Why am I getting these attacks though? What does it all mean? I'm getting them from France, USA, Russia, basically all over. A common port that I see "attacked" is port 80 and port 443, which I have opened for battlefield 3. It's common while playing battlefield 3, that these reports are shown attacking those 2 ports. Since I'm using those ports to play the game, is that where all the info is being sent from the EA servers? Port 80 is suppose to be an HTTP port, web browsing. Battlefield 3 uses a webpage based server setup, could this be where those DoS could be coming from?

I'm just a little paranoid because I don't want anyone to be "hacking" my network. Not sure what else I can do OR if I should just forget it since nothing is wrong?
________________________________________________________________________________________________________________________________________________________________________________________

I turned off UPNP and now have been seeing some new entries.

[LAN access from remote] from 212.83.149.170:5063 to 192.168.1.4:5060, Sunday, November 10, 2013 18:03:17
[LAN access from remote] from 64.17.255.226:5061 to 192.168.1.4:5060, Sunday, November 10, 2013 16:42:15
[LAN access from remote] from 188.138.41.34:5118 to 192.168.1.4:5060, Sunday, November 10, 2013 15:39:16

Should I have UPNP on or off?
________________________________________________________________________________________________________________________________________________________________________________________
[DoS Attack: RST Scan] from source: 107.20.252.41, port 80, Sunday, November 10, 2013 22:21:39
[DoS Attack: RST Scan] from source: 74.125.172.82, port 80, Sunday, November 10, 2013 22:20:03
[DoS Attack: RST Scan] from source: 204.186.215.49, port 80, Sunday, November 10, 2013 22:06:59
[DoS Attack: RST Scan] from source: 204.186.215.20, port 80, Sunday, November 10, 2013 22:06:59
[DoS Attack: RST Scan] from source: 204.186.215.24, port 80, Sunday, November 10, 2013 22:06:59
[DoS Attack: RST Scan] from source: 204.186.215.30, port 80, Sunday, November 10, 2013 22:06:59
[DoS Attack: RST Scan] from source: 204.186.215.55, port 80, Sunday, November 10, 2013 22:06:59
[DoS Attack: RST Scan] from source: 204.186.215.45, port 80, Sunday, November 10, 2013 22:06:59
[DoS Attack: RST Scan] from source: 204.186.215.59, port 80, Sunday, November 10, 2013 22:06:59
[DoS Attack: RST Scan] from source: 204.186.215.24, port 80, Sunday, November 10, 2013 22:06:59
[DoS Attack: RST Scan] from source: 204.186.215.55, port 80, Sunday, November 10, 2013 22:06:59
[DoS Attack: RST Scan] from source: 204.186.215.25, port 80, Sunday, November 10, 2013 22:06:59
[DoS Attack: RST Scan] from source: 204.186.215.59, port 80, Sunday, November 10, 2013 21:54:24
[DoS Attack: RST Scan] from source: 204.186.215.40, port 443, Sunday, November 10, 2013 21:47:04
[DoS Attack: RST Scan] from source: 23.21.239.206, port 80, Sunday, November 10, 2013 21:43:38
[DoS Attack: RST Scan] from source: 204.186.215.25, port 443, Sunday, November 10, 2013 21:40:52


----------



## remixedcat (Nov 11, 2013)

any other weird software you have???


----------



## jboydgolfer (Nov 11, 2013)

I KNOW that when I use My PC @ my brother's house, and His kids are gaming on their XBox's, I get a TON of D-Dos attack's. It's gotta be the other player's Consoles doing port scan's, or some Multiplayer B.S. I have to imagine that if the router IS logging it, then it MUST be handling it.I remember something about skype on the Netgear forums involving False, or over zealous D-Dos log's as well(while gamer's use it for communication during MP gaming).You can do two thing's. Un-check the box that say's "Log D-Dos attack's". or ignore 'Em. Seeing as how Changing IP's doesn't seem to help, The other option is to contact the ISP, and let 'em know.


----------



## Frick (Nov 11, 2013)

jboydgolfer said:


> I KNOW that when I use My PC @ my brother's house, and His kids are gaming on their XBox's, I get a TON of D-Dos attack's. It's gotta be the other player's Consoles doing port scan's, or some Multiplayer B.S. I have to imagine that if the router IS logging it, then it MUST be handling it.I remember something about skype on the Netgear forums involving False, or over zealous D-Dos log's as well(while gamer's use it for communication during MP gaming).You can do two thing's. Un-check the box that say's "Log D-Dos attack's". or ignore 'Em. Seeing as how Changing IP's doesn't seem to help, The other option is to contact the ISP, and let 'em know.



I'd ignore it, and obviously trafic increases during gaming, and it's not BS it's just how it works. Service asking server and other where they are, if they're there, exhange information, confirms exhange, repeat.

@lwgnlseven: I wouldn't worry about it. There are lots of noise on the internet, and those SYN/ACK-"attacks" (which means they are asking if you're there, and they don't respond when you tell them because their address is forged, and it would have to be a LOT more of them to be an attack, the point is blocking connections) could just be something having the wrong IP address, or something. Whatever. There is a LOT of traffic on the internet, it's the way it is. Some of it is bad, but that is the reason routers have simple firewalls in them.


----------



## lwgnlseven (Nov 11, 2013)

Thanks for all the info guys. So can I safely check paypal, check online banking, enter passwords without worrying about my information being compromised? None of my information should be getting leaked with these scans right? I cleared the love before I went to bed and checked them in the morning. All of the computers were off overnight. The only thing connected would have been 2 ipod touches using wifi.

[admin login] from source 192.168.1.5, Monday, November 11, 2013 04:52:02\
[LAN access from remote] from 212.83.149.167:5062 to 192.168.1.4:5060, Monday, November 11, 2013 01:57:05\
[DoS Attack: SYN/ACK Scan] from source: 67.212.162.186, port 25565, Monday, November 11, 2013 01:44:19\
[DoS Attack: TCP/UDP Chargen] from source: 142.0.37.232, port 55102, Monday, November 11, 2013 00:58:59\
[DoS Attack: SYN/ACK Scan] from source: 176.31.188.220, port 22, Sunday, November 10, 2013 23:17:32\
[LAN access from remote] from 85.25.243.142:5084 to 192.168.1.4:5060, Sunday, November 10, 2013 23:07:28\
[DoS Attack: TCP/UDP Chargen] from source: 199.168.141.74, port 53784, Sunday, November 10, 2013 23:05:45\
[DoS Attack: RST Scan] from source: 31.13.71.23, port 443, Sunday, November 10, 2013 23:05:00\

What does "LAN access from remote" mean? Is it normal to have these entries overnight when no one is using any Internet?


----------



## remixedcat (Nov 11, 2013)

67.212.162.186=minecraft server

85.25.243.142=somewhere in Germany

the ipod touches could have an app that is triggering these


----------



## lwgnlseven (Nov 11, 2013)

remixedcat said:


> 67.212.162.186=minecraft server
> 
> 85.25.243.142=somewhere in Germany
> 
> the ipod touches could have an app that is triggering these



That's strange, I've never owned, installed, or played minecraft from any computer on the network. Not sure why a minecraft server would be scanning my IP on my router? I've turned off UPnP to see if anything changes.


----------



## jboydgolfer (Nov 12, 2013)

lwgnlseven said:


> That's strange, I've never owned, installed, or played minecraft from any computer on the network. Not sure why a minecraft server would be scanning my IP on my router? I've turned off UPnP to see if anything changes.



I know for a FACT that Minecraft causes D-Dos log reports in MY Netgear Router. As Soon as I disabled Port Forwarding, or whatever dedicated server B.S was set up by a person who was on My LAN I lost 90% of the D-Dos reports. As for UPNP, I cannot say, but Running a server from Your end causes the Other players on the server to do Constant port Scans, and triggers the Router to See it as a D-Dos attack. Smurf, or the like.

That is MY experience with Server Hosting/Multiplayer Gaming and D-Dos Logging on MY Router. I Don't know How to Set 'Em up(Server's), but once the Hosting was Stopped, So Did the MAJORITY of the Attack logs reports. In the End, I decided since the issue was related to gaming, and NOT actual D-Dos attacks, I Just disabled the Damn check box option for Logging of D-Dos attacks.


----------



## lwgnlseven (Nov 12, 2013)

Appreciate the responses. I'm getting a headache constantly looking up information about these attacks. I'm leaning towards just forgetting about them and just moving on. Do you guys think that is the right thing to do? You're pretty positive these are _*normal?*_

This is my log within the last 80 minutes.

[admin login] from source 192.168.1.4, Monday, November 11, 2013 16:51:44
[DoS Attack: TCP/UDP Chargen] from source: 199.168.136.219, port 37627, Monday, November 11, 2013 16:40:42
[DoS Attack: SYN/ACK Scan] from source: 173.194.43.46, port 80, Monday, November 11, 2013 16:37:44
[LAN access from remote] from 85.25.243.142:5365 to 192.168.1.4:5060, Monday, November 11, 2013 16:33:46
[DoS Attack: RST Scan] from source: 74.125.174.74, port 80, Monday, November 11, 2013 16:31:20
[LAN access from remote] from 74.118.193.45:5151 to 192.168.1.4:5060, Monday, November 11, 2013 16:29:05
[admin login] from source 192.168.1.4, Monday, November 11, 2013 16:09:59
[DoS Attack: RST Scan] from source: 204.186.215.40, port 443, Monday, November 11, 2013 16:06:05
[DoS Attack: RST Scan] from source: 37.18.208.107, port 80, Monday, November 11, 2013 16:05:24
[admin login] from source 192.168.1.4, Monday, November 11, 2013 16:01:39
[DoS Attack: TCP/UDP Chargen] from source: 80.82.64.238, port 44658, Monday, November 11, 2013 15:59:46
[DoS Attack: RST Scan] from source: 23.66.171.9, port 443, Monday, November 11, 2013 15:54:57
[LAN access from remote] from 142.4.213.219:5062 to 192.168.1.4:5060, Monday, November 11, 2013 15:40:02
[DoS Attack: RST Scan] from source: 204.186.215.39, port 443, Monday, November 11, 2013 15:39:44
[Log Cleared] Monday, November 11, 2013 15:34:10

I've also now closed port 5060 to see if that stops the lan access remote entries. I had ports 5055-5100 open for a game that I don't play anymore. Port 5060 is in that range. Hopefully deleting that port forwarding entry will stop that.


----------



## Frick (Nov 12, 2013)

You're fine. Some of them are Google. If that's all you're getting in 80 minutes you're barely online. 

Relax. If you want to know more, you CAN look up all the IP's and ports, if you're interested. Can be pretty educating. If you're not interested, forget about it.


----------



## lwgnlseven (Nov 13, 2013)

I've been suffering with random high latency spikes for a year now. My cable company and ISP could figure out what was wrong. I had started a thread about it here for more information.

http://www.techpowerup.com/forums/showthread.php?t=180420

Last night while playing Battlefield 3, there were 2 instances of high spiking. Normal to me, not to others. My ping in game went from 30 up to 350 for about 15 seconds each time, and then back to normal. When this happens, the game becomes a bit unplayable due to lagging badly. I checked my logs, and both times when my ping spiked, I received a DoS Attack: RST Scan. Could these DoS attacks been causing my high ping spikes for over a year? It could have been a coincidence in timing since I've never really checked the logs before. I will continue to monitor if the spiking remains consistent with the DoS attacks.

If this is the case, any way to block these scans from happening? Could I get a new ISP to stop them? I've been through 2 different modems, and 2 different routers, and neither of that fixed the ping spike issue.


----------



## remixedcat (Nov 13, 2013)

Could be Origin doing it


----------



## lwgnlseven (Nov 17, 2013)

Hey guys, is it normal to see such a wide variety of ports being probed? And due to the fact that these logs are listed, that just means the request was dropped? I wasn't attacked?

*Ports being scanned are .... 80, 443, 8487, 22, 53, 8877, 22, 60978, 8010, 3389, 35029, 8040, 40031, 1252, 6005, 8024, 6005, 7723, 2106 etc etc etc.*

[admin login] from source 192.168.1.4, Sunday, November 17, 2013 07:03:18
[DoS Attack: SYN/ACK Scan] from source: 121.199.56.103, port 80, Sunday, November 17, 2013 06:40:08
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Sunday, November 17, 2013 06:05:20
[DoS Attack: SYN/ACK Scan] from source: 121.124.124.45, port 8487, Sunday, November 17, 2013 05:38:19
[DoS Attack: SYN/ACK Scan] from source: 46.105.111.169, port 80, Sunday, November 17, 2013 04:30:02
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Sunday, November 17, 2013 04:29:53
[DoS Attack: SYN/ACK Scan] from source: 168.62.23.92, port 80, Sunday, November 17, 2013 04:20:33
[DoS Attack: SYN/ACK Scan] from source: 94.23.183.196, port 80, Sunday, November 17, 2013 03:57:59
[DoS Attack: SYN/ACK Scan] from source: 176.31.225.30, port 22, Sunday, November 17, 2013 03:34:12
[DoS Attack: SYN/ACK Scan] from source: 121.199.39.232, port 53, Sunday, November 17, 2013 02:33:45
[DoS Attack: SYN/ACK Scan] from source: 91.214.70.98, port 8877, Sunday, November 17, 2013 02:31:22
[DoS Attack: SYN/ACK Scan] from source: 121.199.39.232, port 22, Sunday, November 17, 2013 02:26:00
[DoS Attack: TCP/UDP Chargen] from source: 192.241.147.176, port 60978, Sunday, November 17, 2013 02:13:09
[DoS Attack: SYN/ACK Scan] from source: 91.214.70.98, port 8877, Sunday, November 17, 2013 02:04:34
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Sunday, November 17, 2013 01:22:34
[DoS Attack: SYN/ACK Scan] from source: 154.47.160.69, port 8010, Sunday, November 17, 2013 01:18:33
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Sunday, November 17, 2013 01:13:25
[DoS Attack: SYN/ACK Scan] from source: 121.124.124.45, port 3389, Sunday, November 17, 2013 00:31:58
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Sunday, November 17, 2013 00:30:53
[DoS Attack: TCP/UDP Chargen] from source: 94.102.51.225, port 35029, Sunday, November 17, 2013 00:05:28
[DoS Attack: SYN/ACK Scan] from source: 154.47.160.19, port 8040, Saturday, November 16, 2013 22:55:34
[DoS Attack: SYN/ACK Scan] from source: 192.198.197.244, port 80, Saturday, November 16, 2013 22:33:30
[DoS Attack: SYN/ACK Scan] from source: 203.211.130.242, port 80, Saturday, November 16, 2013 22:14:42
[admin login] from source 192.168.1.5, Saturday, November 16, 2013 22:11:36
[admin login] from source 192.168.1.4, Saturday, November 16, 2013 21:46:47
[DoS Attack: RST Scan] from source: 31.13.69.80, port 443, Saturday, November 16, 2013 21:34:01
[admin login] from source 192.168.1.4, Saturday, November 16, 2013 21:24:15
[admin login] from source 192.168.1.4, Saturday, November 16, 2013 21:08:43
[DoS Attack: RST Scan] from source: 204.186.215.59, port 443, Saturday, November 16, 2013 21:02:22
[DoS Attack: SYN/ACK Scan] from source: 121.124.124.45, port 3389, Saturday, November 16, 2013 20:52:25
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Saturday, November 16, 2013 19:59:19
[DoS Attack: RST Scan] from source: 54.235.80.198, port 443, Saturday, November 16, 2013 19:38:34
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Saturday, November 16, 2013 19:26:37
[admin login] from source 192.168.1.4, Saturday, November 16, 2013 19:22:36
[DoS Attack: SYN/ACK Scan] from source: 37.187.77.93, port 443, Saturday, November 16, 2013 19:15:33
[DoS Attack: RST Scan] from source: 128.242.186.206, port 443, Saturday, November 16, 2013 19:14:38
[DoS Attack: RST Scan] from source: 31.13.69.80, port 443, Saturday, November 16, 2013 19:08:06
[DoS Attack: SYN/ACK Scan] from source: 198.78.220.126, port 80, Saturday, November 16, 2013 19:01:16
[admin login] from source 192.168.1.4, Saturday, November 16, 2013 18:59:34
[admin login] from source 192.168.1.4, Saturday, November 16, 2013 18:49:50
[admin login] from source 192.168.1.4, Saturday, November 16, 2013 18:23:47
[DoS Attack: SYN/ACK Scan] from source: 198.78.220.126, port 80, Saturday, November 16, 2013 18:08:31
[admin login] from source 192.168.1.4, Saturday, November 16, 2013 18:07:01
[Time synchronized with NTP server] Saturday, November 16, 2013 17:59:05
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Saturday, November 16, 2013 17:51:14
[admin login] from source 192.168.1.7, Saturday, November 16, 2013 17:47:23
[admin login failure] from source 192.168.1.7, Saturday, November 16, 2013 17:47:20
[admin login failure] from source 192.168.1.7, Saturday, November 16, 2013 17:47:18
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Saturday, November 16, 2013 17:45:31
[admin login] from source 192.168.1.4, Saturday, November 16, 2013 17:41:17
[DoS Attack: RST Scan] from source: 31.13.71.49, port 443, Saturday, November 16, 2013 17:38:50
[admin login] from source 192.168.1.4, Saturday, November 16, 2013 17:28:22
[admin login] from source 192.168.1.7, Saturday, November 16, 2013 17:15:07
[DoS Attack: SYN/ACK Scan] from source: 168.62.23.92, port 40031, Saturday, November 16, 2013 16:55:12
[DoS Attack: RST Scan] from source: 8.27.243.126, port 80, Saturday, November 16, 2013 16:00:01
[DoS Attack: RST Scan] from source: 173.252.73.51, port 443, Saturday, November 16, 2013 15:24:38
[DoS Attack: SYN/ACK Scan] from source: 176.31.60.250, port 1252, Saturday, November 16, 2013 15:19:51
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Saturday, November 16, 2013 15:08:05
[DoS Attack: SYN/ACK Scan] from source: 198.78.220.126, port 80, Saturday, November 16, 2013 14:54:53
[DoS Attack: RST Scan] from source: 31.13.71.49, port 443, Saturday, November 16, 2013 14:43:30
[DoS Attack: SYN/ACK Scan] from source: 198.78.220.126, port 80, Saturday, November 16, 2013 14:41:17
[DoS Attack: SYN/ACK Scan] from source: 5.135.198.161, port 6005, Saturday, November 16, 2013 13:57:59
[DoS Attack: SYN/ACK Scan] from source: 149.5.169.20, port 8024, Saturday, November 16, 2013 13:42:13
[DoS Attack: SYN/ACK Scan] from source: 121.124.124.45, port 8487, Saturday, November 16, 2013 13:39:09
[DoS Attack: SYN/ACK Scan] from source: 188.165.213.63, port 80, Saturday, November 16, 2013 13:17:49
[DoS Attack: SYN/ACK Scan] from source: 154.35.175.201, port 6667, Saturday, November 16, 2013 12:14:55
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Saturday, November 16, 2013 12:14:16
[DoS Attack: RST Scan] from source: 207.178.57.59, port 80, Saturday, November 16, 2013 11:55:17
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Saturday, November 16, 2013 11:29:48
[DoS Attack: SYN/ACK Scan] from source: 119.81.38.59, port 80, Saturday, November 16, 2013 10:45:36
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Saturday, November 16, 2013 09:46:55
[DoS Attack: SYN/ACK Scan] from source: 46.105.10.89, port 22, Saturday, November 16, 2013 09:31:30
[DoS Attack: SYN/ACK Scan] from source: 91.121.195.134, port 80, Saturday, November 16, 2013 08:07:49
[admin login] from source 192.168.1.5, Saturday, November 16, 2013 08:05:58
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Saturday, November 16, 2013 07:41:00
[DoS Attack: RST Scan] from source: 31.13.69.176, port 443, Saturday, November 16, 2013 07:34:04
[admin login] from source 192.168.1.5, Saturday, November 16, 2013 07:27:19
[DoS Attack: SYN/ACK Scan] from source: 46.105.111.169, port 80, Saturday, November 16, 2013 07:13:41
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Saturday, November 16, 2013 06:52:46
[DoS Attack: SYN/ACK Scan] from source: 216.146.46.11, port 80, Saturday, November 16, 2013 06:42:01
[DoS Attack: SYN/ACK Scan] from source: 94.23.116.63, port 7723, Saturday, November 16, 2013 06:37:49
[DoS Attack: SYN/ACK Scan] from source: 185.25.152.1, port 80, Saturday, November 16, 2013 05:44:44
[DoS Attack: SYN/ACK Scan] from source: 203.211.130.242, port 80, Saturday, November 16, 2013 04:19:48
[DoS Attack: SYN/ACK Scan] from source: 192.99.9.157, port 2106, Saturday, November 16, 2013 04:07:49
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Saturday, November 16, 2013 03:49:53
[DoS Attack: SYN/ACK Scan] from source: 119.81.38.59, port 80, Saturday, November 16, 2013 03:40:52
[DoS Attack: SYN/ACK Scan] from source: 5.250.245.38, port 80, Saturday, November 16, 2013 03:19:26
[DoS Attack: SYN/ACK Scan] from source: 95.64.37.10, port 80, Saturday, November 16, 2013 02:32:43
[DoS Attack: SYN/ACK Scan] from source: 119.81.38.59, port 80, Saturday, November 16, 2013 02:13:58
[DoS Attack: SYN/ACK Scan] from source: 121.124.124.45, port 8487, Saturday, November 16, 2013 01:06:02
[DoS Attack: SYN/ACK Scan] from source: 121.124.124.45, port 3389, Saturday, November 16, 2013 01:00:35
[DoS Attack: SYN/ACK Scan] from source: 85.17.127.225, port 1935, Friday, November 15, 2013 23:42:23
[LAN access from remote] from 204.61.216.47:53 to 192.168.1.4:25250, Friday, November 15, 2013 23:33:55
[admin login] from source 192.168.1.4, Friday, November 15, 2013 22:27:34
[DoS Attack: SYN/ACK Scan] from source: 192.198.197.244, port 80, Friday, November 15, 2013 22:23:00
[admin login] from source 192.168.1.4, Friday, November 15, 2013 22:20:56
[DoS Attack: SYN/ACK Scan] from source: 37.59.29.220, port 80, Friday, November 15, 2013 22:20:11
[admin login] from source 192.168.1.4, Friday, November 15, 2013 22:12:35
[DoS Attack: SYN/ACK Scan] from source: 192.198.197.244, port 80, Friday, November 15, 2013 22:01:49
[DoS Attack: RST Scan] from source: 208.111.161.254, port 80, Friday, November 15, 2013 21:49:09
[admin login] from source 192.168.1.4, Friday, November 15, 2013 20:20:27
[DoS Attack: SYN/ACK Scan] from source: 121.124.124.45, port 8487, Friday, November 15, 2013 20:03:13
[DoS Attack: SYN/ACK Scan] from source: 121.124.124.45, port 3389, Friday, November 15, 2013 20:00:31
[admin login] from source 192.168.1.4, Friday, November 15, 2013 19:39:57
[DoS Attack: RST Scan] from source: 204.186.215.14, port 80, Friday, November 15, 2013 19:37:39
[Log Cleared] Friday, November 15, 2013 19:32:12


----------



## remixedcat (Nov 17, 2013)

I'lldo an IP lookup when I get to my pc


----------



## lwgnlseven (Nov 17, 2013)

remixedcat said:


> I'lldo an IP lookup when I get to my pc



Thank you. The IP's are coming from random countries all over the world and random companies I've never heard of. Romania, Germany, Korea, France, Netherlands, are a few to name. I'm also concerned about the various ports they are scanning. Like I mentioned, port 80 and 443 are pretty typical, but there are so many random other ports being scanned.

If they are harmless and my router is blocking them, then that's great, but the concern is eventually they might get through. I've emailed my ISP last night letting them know of these scans so hopefully I hear back from them. I would just like some peace of mind from someone that has more knowledge about these port scans then I do.


----------



## remixedcat (Nov 17, 2013)

I would do some more virus scans if I were you as well.


----------



## lwgnlseven (Nov 17, 2013)

remixedcat said:


> I would do some more virus scans if I were you as well.



I can try although I've already done full scans on all 4 computers. I've got 4 computers and have run full AVG scans, full super anti spyware scans, and full anti malware scans on all 4.


----------



## remixedcat (Nov 17, 2013)

scan with a different anti virus software.


----------



## lwgnlseven (Nov 17, 2013)

If I find any virus/ malware, should I try to change IP after removing those threats?


----------



## remixedcat (Nov 17, 2013)

Yes.


----------



## DF is BUSY (Nov 19, 2013)

wow OP, that is a huge list and range of IPs

you should nslookup each one to see whats up with those.

my router logged 2 "dos attacks" like a few days. it was amazon, my ISP and some other place i forgot. strange, but they stopped already


----------

