Advice on router security alert?

on 07.12.2007 19:22:29 by martin_pentreath

Hi,

I'm based in the UK running Windows XP. My netgear router has sent me
the following "security alert" email:

UDP Packet - Source:67.159.44.180,4237 Destination:83.245.16.37,1025 - [DOS]
UDP Packet - Source:67.159.44.106,4237 Destination:83.245.16.37,1025 - [DOS]
UDP Packet - Source:67.159.44.180,4237 Destination:83.245.16.37,1025 - [DOS]
UDP Packet - Source:67.159.44.106,4237 Destination:83.245.16.37,1025 - [DOS]
UDP Packet - Source:67.159.44.180,4237 Destination:83.245.16.37,1025 - [DOS]
UDP Packet - Source:67.159.44.106,4237 Destination:83.245.16.37,1025 - [DOS]
UDP Packet - Source:212.58.227.104,21922 Destination:83.245.16.37,6970 - [DOS]


I've looked up the IP addresses and found the following:

===============================
Search ARIN WHOIS for: 67.159.44.106

OrgName: FDC Servers.net, LLC
OrgID: FDCSE
Address: 141 West Jackson Blvd, Suite 1135
City: Chicago
StateProv: IL
PostalCode: 60604
Country: US

======================================
Search ARIN WHOIS for: 212.58.227.104

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
====================================

So what does this mean??

Re: Advice on router security alert?

on 07.12.2007 20:14:16 by Ansgar -59cobalt- Wiechers

martin_pentreath@hotmail.com wrote:
> I'm based in the UK running Windows XP. My netgear router has sent me
> the following "security alert" email:
>
> UDP Packet - Source:67.159.44.180,4237 Destination:83.245.16.37,1025 - [DOS]
> UDP Packet - Source:67.159.44.106,4237 Destination:83.245.16.37,1025 - [DOS]
> UDP Packet - Source:67.159.44.180,4237 Destination:83.245.16.37,1025 - [DOS]
> UDP Packet - Source:67.159.44.106,4237 Destination:83.245.16.37,1025 - [DOS]
> UDP Packet - Source:67.159.44.180,4237 Destination:83.245.16.37,1025 - [DOS]
> UDP Packet - Source:67.159.44.106,4237 Destination:83.245.16.37,1025 - [DOS]
> UDP Packet - Source:212.58.227.104,21922 Destination: 83.245.16.37,6970 - [DOS]
>
>
> I've looked up the IP addresses and found the following:
>
> ===============================
> Search ARIN WHOIS for: 67.159.44.106
>
> OrgName: FDC Servers.net, LLC
> OrgID: FDCSE
> Address: 141 West Jackson Blvd, Suite 1135
> City: Chicago
> StateProv: IL
> PostalCode: 60604
> Country: US
>
> ======================================
> Search ARIN WHOIS for: 212.58.227.104
>
> OrgName: RIPE Network Coordination Centre
> OrgID: RIPE
> Address: P.O. Box 10096
> City: Amsterdam
> StateProv:
> PostalCode: 1001EB
> Country: NL
> ====================================
>
> So what does this mean??

It means that a host at BBC, a host presumably owned by a Mr. McElvana,
and a third host sent a couple UDP packets to your netgear router (to
ports that seem to be closed). And that your netgear router thinks that
it might be a Denial-of-Service attack, for whatever reason.

With the given information that's all we can say.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
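
Added example, not part of either post: a small Python parser that splits the router's run-together alert text into individual entries and tallies packets per sender and per destination port, the first triage step before reading anything into the "[DOS]" tag. The field layout is inferred from the alert quoted in this thread, and the names `parse_alert` and `summarise` are hypothetical.

```python
import re
from collections import Counter

# Alert text from the thread, folded mid-entry the way a mail client wraps it
# (entries are separated only by the trailing "[DOS]" tag, not by newlines).
ALERT = """\
UDP Packet - Source:67.159.44.180,4237 Destination:83.245.16.37,1025 -
[DOS]UDP Packet - Source:67.159.44.106,4237 Destination:
83.245.16.37,1025 - [DOS]UDP Packet - Source:67.159.44.180,4237
Destination:83.245.16.37,1025 - [DOS]UDP Packet - Source:
67.159.44.106,4237 Destination:83.245.16.37,1025 - [DOS]UDP Packet -
Source:67.159.44.180,4237 Destination:83.245.16.37,1025 - [DOS]UDP
Packet - Source:67.159.44.106,4237 Destination:83.245.16.37,1025 -
[DOS]UDP Packet - Source:212.58.227.104,21922 Destination:
83.245.16.37,6970 - [DOS]
"""

# Assumed layout: "<PROTO> Packet - Source:ip,port Destination:ip,port - [TAG]"
ENTRY = re.compile(
    r"(?P<proto>[A-Z]+)\s+Packet\s*-\s*"
    r"Source:\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3}),(?P<sport>\d+)\s+"
    r"Destination:\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3}),(?P<dport>\d+)\s*-\s*"
    r"\[(?P<tag>[^\]]+)\]"
)

def parse_alert(text):
    """Return one dict per log entry, tolerating line folds inside an entry."""
    flat = " ".join(text.split())  # undo e-mail line wrapping
    entries = []
    for m in ENTRY.finditer(flat):
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        entries.append(e)
    return entries

def summarise(entries):
    """Count packets per source address and per (protocol, destination port)."""
    by_source = Counter(e["src"] for e in entries)
    by_dport = Counter((e["proto"], e["dport"]) for e in entries)
    return by_source, by_dport

if __name__ == "__main__":
    by_source, by_dport = summarise(parse_alert(ALERT))
    for src, n in by_source.most_common():
        print(f"{n:3d} packets from {src}")
    for (proto, port), n in by_dport.most_common():
        print(f"{n:3d} packets to {proto}/{port}")
```

On the alert from this thread it yields seven entries from three source addresses, six of them addressed to UDP port 1025.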