# router logs DoS attack from a local PC....



## duke666 (Sep 20, 2013)

Hi Guys,

I recently purchased a new PC for the network and since then I keep losing connection to the broadband. Since I have had it the network periodically slows right down, then disappears and after a few minutes comes back. A quick look into the EE Bright Box router log shows lots (and I mean lots) of attacks that appear to coincide with this:



> Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
> Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
> Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)



The IP is the new PC. I have searched for this issue but I cannot find a definitive solution. I do know that simply unplugging or disabling the network card in the machine resolves the issue for the other devices.


Any help greatly appreciated...


----------
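The log lines quoted in the post above can be tallied per source and per minute, so the log before and after each change can be compared. This is an added example, not part of the original thread; the burst threshold, the function names, and the last two sample lines are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Line format as quoted in the post (an optional leading "> " is tolerated).
LINE_RE = re.compile(
    r"^(?:>\s*)?(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
    r"Possible DoS attack detected from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\((?P<mac>[0-9A-Fa-f:]{17})\)\s*$"
)

def parse(lines):
    """Yield (timestamp, ip, mac) for each matching line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["mac"].lower()

def totals(lines):
    """Total number of logged events per (ip, mac) source."""
    return Counter((ip, mac) for _, ip, mac in parse(lines))

def bursts(lines, threshold=3):
    """Return {(ip, mac, minute): count} where one source logged at least
    `threshold` events within the same minute (threshold is an assumption)."""
    per_minute = Counter()
    for ts, ip, mac in parse(lines):
        per_minute[(ip, mac, ts.replace(second=0))] += 1
    return {key: n for key, n in per_minute.items() if n >= threshold}

# First three lines are from the post; the last two are constructed.
SAMPLE = """\
Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:28:17 2013 Possible DoS attack detected from 192.168.1.48(60:a4:4c:b1:ae:9c)
Fri Sep 20 14:31:02 2013 Possible DoS attack detected from 192.168.1.20(00:11:22:33:44:55)
Fri Sep 20 14:32:00 2013 some unrelated constructed log entry
"""

if __name__ == "__main__":
    for (ip, mac, minute), n in sorted(bursts(SAMPLE.splitlines()).items()):
        print(f"{minute:%Y-%m-%d %H:%M}  {ip} ({mac})  {n} events")
    for (ip, mac), n in totals(SAMPLE.splitlines()).most_common():
        print(f"total  {ip} ({mac})  {n}")
```

Saving the router log to a file after each single change and running it through `bursts` shows whether that one change altered the event rate for the suspect MAC address.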



## W1zzard (Sep 20, 2013)

bittorrent?


----------



## remixedcat (Sep 20, 2013)

Are you running any backup software??


----------



## duke666 (Sep 20, 2013)

I don't believe so, and I had to Google 'bittorrent' to find out what it is.

The PC in question is a low power ITX machine running Windows 8. The only software I have on it is weather related. I use it to collect weather data and FTP to weather sites. Nothing else.


----------



## W1zzard (Sep 20, 2013)

maybe some virus/Trojan on that machine?


----------



## Ikaruga (Sep 20, 2013)

Could be many things, but here are my three best guesses:


- Virus, Malware, etc
- An issue with the DNS (try to flush the dns cache)
- The PC in question has the same IP address as the router (check/modify the DHCP settings and/or do the configuration manually)

edit: perhaps copy+paste ipconfig /all here?


----------



## jboydgolfer (Sep 20, 2013)

I ALSO found a log on my router for a Smurf DDoS today.

[DoS attack: Smurf] attack packets in last 20 sec from ip xxxxxxxxxxxxxxxxxxxx  Friday, Sep 20,2013 05:03:20

As long as the router is picking it up, it SHOULD have been identified, and dealt with accordingly.

MAYBE a re-install?? if it IS an option that is.


----------



## duke666 (Sep 20, 2013)

Ikaruga said:


> Could be many things, but here are my three best guesses:
> 
> 
> Virus, Malware, etc
> ...



Ok, I should have said more in my first post. I have completed a scan using Norton 360, nothing found.
I have just tried flushing the DNS cache but no better. 
The IP on the PC is 192.168.1.48 and the router is 192.168.1.1. The other devices all have differing IPs too.

Here is the IP config from the PC causing the problems. Hope it helps.



> Microsoft Windows [Version 6.2.9200]
> (c) 2012 Microsoft Corporation. All rights reserved.
> 
> C:\Users\Mark>ipconfig /all
> ...


----------



## Ikaruga (Sep 20, 2013)

- Disable netbios ipv6 and dhcpv6, you don't need those in your local environment, do you?
- Do you really need your own DNS server running?
- Disable VPN connection (just til testing/troubleshooting is over) (btw, is that tunnelbear)
- Router assigns *.48 to the PC, disable that rule for a test, and try a different IP and also Google's DNS on the PC at the same time (8.8.8.8 and 8.8.4.4)

let's see if anything changes.


----------



## duke666 (Sep 20, 2013)

OK, this is all a bit alien to me so please excuse me. Here's what I've done (or think I have done). In 'network connections/Ethernet status/properties' I have unticked 'TCP IPv6' and changed 192.168.1.48 to 192.168.1.105 (not sure how I did that...). I have also disabled the VPN. The 'ipconfig' below says that 'NetBios' is disabled but the properties box on the PC says that it is enabled - slightly confusing, and I could not see where to enable/disable this or the DNS server. Perhaps you could guide me to this please? As advised somewhere else, I have also disabled 'Microsoft network adapter multiplexor protocol'.



> (btw, is that tunnelbear)






> Microsoft Windows [Version 6.2.9200]
> (c) 2012 Microsoft Corporation. All rights reserved.
> 
> C:\Users\Mark>ipconfig /all
> ...


----------



## Ikaruga (Sep 21, 2013)

Well you did not say that you don't really know what you are doing. It's not a problem of course, but it changes things a little. 

It's not even clear if the PC or the router is the problem at this time, so I suggested that you disable some unnecessary things which are usually known to cause many problems, sorry if those were too complicated.


You could reset some network related stuffz on the PC as a next step. Open an elevated command prompt (run as administrator), and enter the following on the PC:

```
netsh int ip reset reset.log
netsh int ipv6 reset
netsh winsock reset
netsh branchcache reset
netsh advfirewall reset
```

(note: You can export your current firewall rules in the "group policy" before the reset if it's needed for some reason)


Btw, would it be a problem to reset the router to the default settings if the things we are trying will not help? There is a menu point for that called "factory settings" (and also a little hole on the back if you prefer that one). The Administrator username in the router after the reset would be *admin* and the password is probably on a sticker at the bottom of the router (special settings needed to go online with your ISP might also be necessary).
This is not needed now (not yet), but perhaps the source of the problem is at the router and not the PC in question, so we may come to that eventually.

*ps.:* Do you have a second network card you could test in that PC and a different cable to rule out some hardware issues on the PC side?


----------



## duke666 (Sep 21, 2013)

Hi Ikaruga,


> Well you did not say that you don't really know what you are doing.


My apologies - but learning quickly.

OK, the router has been reset several times over the past few weeks but no difference. However, after following your original guide to disable 'TCP IPv6', change the IP and disable the VPN, I did a little 'Googling' and found a lot of people having similar problems caused by the near constant 'ping' from the 'home network' and 'SSDP Discovery service'. So, before I retired last night I followed 'this guide'. This morning, checking the router log, no attacks and the broadband speed is solid @ 39/10. The only problem is now I have broken my own golden rule of changing one thing at a time and do not know the solution. Ever inquisitive, later I shall re-enable 'SSDP' and later the 'home network' and so on.

Do either of these items sound a possible cause to you?


----------



## Ikaruga (Sep 21, 2013)

duke666 said:


> Hi Ikaruga,
> 
> My apologies - but learning quickly.
> 
> ...



No, but I have to admit I do not have very extensive experience with SSDP. I did meet several similar issues with local DNS and DHCP server and also with some SPI firewalls, but UPnP/SSDP is something I never really liked or preferred to use.

I'm glad you have found a solution after all, well done. Perhaps you could contact the router manufacturer and see if they have a FW update or a solution of some kind with the problem you have.


----------



## duke666 (Sep 21, 2013)

As an update and maybe some more advice......

Earlier this morning I re-enabled 'SSDP Discovery Service' and rebooted. Network had been fine for about 8 hours, even with the occasional 'DoS attack' logged. Nothing like the quantity before. So, a few minutes ago I set up the 'VPN (home group)', network and the broadband crawled to a stop nearly instantly. I disabled/left the home group and rebooted and all good again. So, I conclude that it is the Windows 8 home group connection causing the problem. The other PCs on the network are all Windows 7 and are all connected in the home group trouble free.

I guess the questions are 1/why? 2/how can I transfer files/documents from this Windows 8 PC to others easily?


----------



## Ikaruga (Sep 24, 2013)

Simple network tunnelings definitely shouldn't cause DOS attack like symptoms in a router, it's a malfunction or a faulty device. The only thing I can think of is that you could try to loosen the strictness of the firewall a bit (like disable intrusion detection for example), but contacting the manufacturer would be the best choice, because it's a hardware or software problem with the router, and "normal" routers do not behave like this.

Good luck.


----------



## shovenose (Sep 24, 2013)

Consumer routers can be very finicky unfortunately. You might never figure it out. If you have another router you could use to test and see if the problem persists that would be cool.


----------



## duke666 (Sep 25, 2013)

Ikaruga said:


> it's a malfunction or a faulty device.



I do not believe that to be the case with the router in question. As previously stated, none of my Win7 machines cause this problem with the router, only the Win8 machines.

And, I can assure you, that the 'DoS like' attacks not only slow the network down but actually prevent all network activity at their most frequent.

I did a clean install of Win8 on a PC today, nothing else. That causes the same problem until 'SSDP' is stopped and set to manual.

I simply use 'public' folder sharing now on the Win8 machines with 'SSDP' stopped.


----------

