Router detecting port scan and ack flood attack

  • Over the past few days, I'm noticing that the log of my wireless router is showing an ACK flood attack from various IP addresses. I use a D-Link DIR-600L. I've searched through the internet, also through this question, but I cannot come to any solution. My ISP advised me to change the DNS IP addresses and enter them manually. Doing so still didn't improve the results. In fact, now some websites are not opening, and I'm getting HTTP Error 404 when logging onto Facebook from Chrome, not other browsers. Cleared all history too, nothing changed. Malwarebytes Anti-Malware showed that my system is clean. Resetting the router to factory defaults only solves the problem for some amount of time. I use a PPPoE connection, where a wire from the ISP goes into the router, and from there an Ethernet wire goes into my computer.

    Here is a part of the log file I recently stored to the computer:

    Mar 20 20:44:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:44:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:43:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:43:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:42:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:42:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:41:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:41:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:40:38  Port Scan Attack Detect Packet Dropped
    Mar 20 20:40:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:40:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:39:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:39:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:38:38  Port Scan Attack Detect Packet Dropped
    Mar 20 20:38:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:38:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:37:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:37:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:36:38  Port Scan Attack Detect Packet Dropped
    Mar 20 20:36:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:36:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:35:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:35:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:34:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:34:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:33:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:33:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:32:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:32:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:31:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:31:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:30:38  Port Scan Attack Detect Packet Dropped
    Mar 20 20:30:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:30:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:29:38  Per-source ACK Flood Attack Detect Packet Dropped
    Mar 20 20:29:38 Whole System ACK Flood Attack from WAN Rule:Default deny
    Mar 20 20:29:17 DHCP lease IP 192.168.0.100 to android-8d3000955a8eba27 c4-43-8f-41-c9-02
    Mar 20 20:29:13 Authentication Success c4-43-8f-41-c9-02
    Mar 20 20:29:13 Authenticating...... c4-43-8f-41-c9-02
    Mar 20 14:58:48 Remote management is disabled.
    Mar 20 14:58:48 Anti-spoofing enabled.
    Mar 20 14:58:48 Block WAN PING enabled.
    Mar 20 14:58:48 URL Blocking disabled.
    Mar 20 14:58:48 RTSP ALG enabled.
    Mar 20 14:58:48 VPN (IPsec) Pass-Through enabled.
    Mar 20 14:58:47 VPN (PPTP) Pass-Through enabled.
    Mar 20 14:58:47 VPN (L2TP) Pass-Through enabled.
    Mar 20 14:58:45 PPPoE line connected
    Mar 20 14:58:45 IPCP: secondary DNS address (X.X.X.X)
    Mar 20 14:58:45 IPCP: primary DNS address (Y.Y.Y.Y)
    Mar 20 14:58:45 IPCP: remote IP address (XX.XX.XX.XX)
    Mar 20 14:58:45 IPCP: local IP address (YY.YY.YY.YY)
    Mar 20 14:58:44 CHAP authentication succeeded
    Mar 20 14:58:38 PPPoE: Receive PADS
    Mar 20 14:58:38 PPPoE: Sending PADR
    Mar 20 14:58:38 WAN Dialup Try to establish PPPoE line

    Interestingly, almost all of the attacks are taking place at 1-minute intervals.

    Is this a matter for concern? My internet browsing speeds have gone tremendously low due to this.

    I have the following settings on my router:

    1. Anti-spoof checking: ON
    2. Firewall: OFF
    3. DMZ: OFF
    4. WPS: OFF
    5. Enhanced Wireless: OFF
    6. Preamble: Short
    7. Channel selection: Auto
    8. Mode: 802.11 mixed (n/g/b)
    9. Bandwidth: Auto
    10. 20/40 MHz co-exist: OFF
    11. Short Guard: ON
    12. UPnP: ON
    13. Multicast stream: ON
    14. DNS Relay: OFF

    EDIT:

    Answering @DKNUCKLES's question, here is the output from the `netstat -ant` command:

    Active Connections

      Proto  Local Address          Foreign Address        State           Offload State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       InHost
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       InHost
      TCP    0.0.0.0:554            0.0.0.0:0              LISTENING       InHost
      TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       InHost
      TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       InHost
      TCP    0.0.0.0:10243          0.0.0.0:0              LISTENING       InHost
      TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       InHost
      TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       InHost
      TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       InHost
      TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       InHost
      TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       InHost
      TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING       InHost
      TCP    127.0.0.1:5357         127.0.0.1:49708        TIME_WAIT       InHost
      TCP    127.0.0.1:5357         127.0.0.1:49711        TIME_WAIT       InHost
      TCP    127.0.0.1:5357         127.0.0.1:49712        TIME_WAIT       InHost
      TCP    127.0.0.1:5357         127.0.0.1:49738        TIME_WAIT       InHost
      TCP    127.0.0.1:5357         127.0.0.1:49744        TIME_WAIT       InHost
      TCP    192.168.0.100:139      0.0.0.0:0              LISTENING       InHost
      TCP    192.168.0.100:49713    192.168.0.1:80         TIME_WAIT       InHost
      TCP    192.168.0.100:49718    192.168.0.1:80         TIME_WAIT       InHost
      TCP    192.168.0.100:49722    192.168.0.1:80         TIME_WAIT       InHost
      TCP    192.168.0.100:49723    192.168.0.1:80         TIME_WAIT       InHost
      TCP    192.168.0.100:49728    173.252.102.241:443    ESTABLISHED     InHost
      TCP    192.168.0.100:49729    173.252.102.241:443    TIME_WAIT       InHost
      TCP    192.168.0.100:49735    31.13.79.49:443        ESTABLISHED     InHost
      TCP    192.168.0.100:49736    74.125.200.138:443     ESTABLISHED     InHost
      TCP    192.168.0.100:49737    74.125.236.132:443     ESTABLISHED     InHost
      TCP    192.168.0.100:49745    74.125.135.125:5222    ESTABLISHED     InHost
      TCP    192.168.0.100:49746    192.168.0.1:80         TIME_WAIT       InHost
      TCP    192.168.0.100:49751    192.168.0.1:80         TIME_WAIT       InHost
      TCP    192.168.0.100:49759    198.252.206.25:80      ESTABLISHED     InHost
      TCP    192.168.0.100:49760    192.168.0.1:80         TIME_WAIT       InHost
      TCP    192.168.0.100:49767    192.168.0.1:80         TIME_WAIT       InHost
      TCP    192.168.0.100:49787    192.168.0.1:80         TIME_WAIT       InHost
      TCP    192.168.0.100:49792    31.13.79.96:443        ESTABLISHED     InHost
      TCP    [::]:135               [::]:0                 LISTENING       InHost
      TCP    [::]:445               [::]:0                 LISTENING       InHost
      TCP    [::]:554               [::]:0                 LISTENING       InHost
      TCP    [::]:2869              [::]:0                 LISTENING       InHost
      TCP    [::]:3587              [::]:0                 LISTENING       InHost
      TCP    [::]:5357              [::]:0                 LISTENING       InHost
      TCP    [::]:10243             [::]:0                 LISTENING       InHost
      TCP    [::]:49152             [::]:0                 LISTENING       InHost
      TCP    [::]:49153             [::]:0                 LISTENING       InHost
      TCP    [::]:49154             [::]:0                 LISTENING       InHost
      TCP    [::]:49155             [::]:0                 LISTENING       InHost
      TCP    [::]:49156             [::]:0                 LISTENING       InHost
      TCP    [::]:49157             [::]:0                 LISTENING       InHost
      UDP    0.0.0.0:500            *:*
      UDP    0.0.0.0:3544           *:*
      UDP    0.0.0.0:3702           *:*
      UDP    0.0.0.0:3702           *:*
      UDP    0.0.0.0:3702           *:*
      UDP    0.0.0.0:3702           *:*
      UDP    0.0.0.0:4500           *:*
      UDP    0.0.0.0:5004           *:*
      UDP    0.0.0.0:5005           *:*
      UDP    0.0.0.0:5355           *:*
      UDP    0.0.0.0:49784          *:*
      UDP    0.0.0.0:53772          *:*
      UDP    0.0.0.0:61041          *:*
      UDP    127.0.0.1:1900         *:*
      UDP    127.0.0.1:49783        *:*
      UDP    192.168.0.100:137      *:*
      UDP    192.168.0.100:138      *:*
      UDP    192.168.0.100:1900     *:*
      UDP    192.168.0.100:49782    *:*
      UDP    192.168.0.100:54659    *:*
      UDP    [::]:500               *:*
      UDP    [::]:3540              *:*
      UDP    [::]:3702              *:*
      UDP    [::]:3702              *:*
      UDP    [::]:3702              *:*
      UDP    [::]:3702              *:*
      UDP    [::]:4500              *:*
      UDP    [::]:5004              *:*
      UDP    [::]:5005              *:*
      UDP    [::]:5355              *:*
      UDP    [::]:49785             *:*
      UDP    [::]:53773             *:*
      UDP    [::]:61042             *:*
      UDP    [::1]:1900             *:*
      UDP    [::1]:49781            *:*
      UDP    [fe80::3089:dda9:e5bb:4761%13]:546  *:*
      UDP    [fe80::3089:dda9:e5bb:4761%13]:1900  *:*
      UDP    [fe80::3089:dda9:e5bb:4761%13]:49780  *:*

    Yes, the traffic corresponds to the traffic I'm seeing on the router, which is being blocked and detected as an ACK flood attack.

    Perhaps the biggest matter for concern is the "FIREWALL: OFF" part.

    Firewall: OFF, that's a BAD move.... Never turn off the router's firewall; that's internet 101.

    Does your router get a public IP address that is not managed by the ISP?

    @xkcd: Yes, it does. It has an IP address of its own and leases automatic addresses to the devices connecting to it. Is that a matter for concern?

    @AyushKhemka - Yes, if it's been assigned a public static IP address by the ISP, then they are responsible for mitigating any DoS attacks on it, because only their firewall/IDS etc. can do anything about it. TBH, in such a scenario you can't really do much, as you are downstream.

    Hmm, well, yeah, that's the `DHCP server: ON` setting on my router. For example, if it has an IP address of 127.0.0.1, it will start assigning all the devices trying to connect to it as 127.0.0.100, 127.0.0.101, and so on.
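    An added example, not part of the question or any answer, that parses DIR-600L log lines in the format quoted above and reports, per event type, how many hits there are and the gap between consecutive hits, so the one-minute cadence the question mentions can be read off rather than eyeballed. The sample lines are a constructed excerpt in that format, and the year is an assumption because the router log omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in the format of the DIR-600L log quoted in the question.
SAMPLE_LOG = """\
Mar 20 20:44:38  Per-source ACK Flood Attack Detect Packet Dropped
Mar 20 20:44:38 Whole System ACK Flood Attack from WAN Rule:Default deny
Mar 20 20:43:38  Per-source ACK Flood Attack Detect Packet Dropped
Mar 20 20:43:38 Whole System ACK Flood Attack from WAN Rule:Default deny
Mar 20 20:42:38  Per-source ACK Flood Attack Detect Packet Dropped
Mar 20 20:40:38  Port Scan Attack Detect Packet Dropped
Mar 20 20:38:38  Port Scan Attack Detect Packet Dropped
Mar 20 20:29:17 DHCP lease IP 192.168.0.100 to android-8d3000955a8eba27 c4-43-8f-41-c9-02
"""

# "Mon DD HH:MM:SS" prefix, then the message; some lines carry a double space after the time.
LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s+(.*?)\s*$")
# Message prefixes the router uses for the events it drops at the WAN.
ATTACK_PREFIXES = ("Per-source ACK Flood", "Whole System ACK Flood", "Port Scan Attack")


def parse_log(text, year=2014):
    """Return (timestamp, message) pairs. The log has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2)))
    return events


def attack_summary(events):
    """Per attack type: hit count, gaps in seconds between consecutive hits,
    and the most common gap (the cadence), oldest-first regardless of log order."""
    by_type = defaultdict(list)
    for ts, msg in events:
        for prefix in ATTACK_PREFIXES:
            if msg.startswith(prefix):
                by_type[prefix].append(ts)
    summary = {}
    for prefix, stamps in by_type.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        cadence = max(set(gaps), key=gaps.count) if gaps else None
        summary[prefix] = {"count": len(stamps), "gaps": gaps, "cadence": cadence}
    return summary
```

    Feed it the full log saved from the router and a cadence that never drifts from 60 seconds is itself a useful observation to pass to the ISP along with the log.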

  • The anti-spoofing mechanism of your firewall appears to be blocking the traffic, which means that it's doing what it's supposed to do. Devices exposed to the internet are routinely checked for easy exploits, port scanned, etc. I would say that my client networks are scanned at least once a day, and we mitigate the risk by ensuring the proper defense mechanisms are in place.

    Here's what I would do if I were you.

    • Reset the device to factory defaults and disconnect the cable to the WAN
    • Set a strong password for administration of the device (different from the one you currently have)
    • Ensure the Firewall is enabled and UPnP is disabled (all other settings look okay)
    • Make sure that remote administration is disabled
    • Monitor closely

    Switched off anti-spoofing, turned on the firewall, and set a stronger password. The port scan attack vanished as expected, but there's a new thing I noticed. The flood attacks start only after my router authenticates my laptop, not otherwise. Any specific reason for that?

    Keep anti-spoofing on. If the attack begins after your notebook authenticates, it would lead me to believe that your notebook is compromised. An ACK attack works off established connections, so it's possible that your notebook is infected. Run a `netstat -ant` command (assuming it's Windows) and see if the traffic from your notebook corresponds to the traffic you're seeing on your router.

    Edited my question, have a look. These are the stats of my PC, not any other wireless device being connected. The traffic does correspond to the traffic being blocked by the router.

    @AyushKhemka, I am having exactly the same issue. Need to know: what do you mean by turning the firewall on? What rules did you apply there?
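    An added example, not from the answer or its comments, of the comparison the answer asks for: it parses Windows `netstat -ant` output in the layout the question posted and pulls out the established TCP peers outside the LAN, which is the list to set beside the router's log. The excerpt is constructed in that layout; the column handling assumes the Windows format, where UDP rows have no state column.

```python
import ipaddress
import re

# Constructed excerpt in the layout of the `netstat -ant` output posted in the question.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           Offload State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       InHost
  TCP    192.168.0.100:49713    192.168.0.1:80         TIME_WAIT       InHost
  TCP    192.168.0.100:49728    173.252.102.241:443    ESTABLISHED     InHost
  TCP    192.168.0.100:49745    74.125.135.125:5222    ESTABLISHED     InHost
  TCP    192.168.0.100:49759    198.252.206.25:80      ESTABLISHED     InHost
  TCP    [::]:135               [::]:0                 LISTENING       InHost
  UDP    192.168.0.100:137      *:*
"""

# Proto, local, foreign, then an optional state (absent on Windows UDP rows).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S+)?")


def split_endpoint(ep):
    """Split 'host:port' or '[v6]:port' into (host, port); '*:*' gives ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """One dict per connection row; the header line does not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append(dict(proto=proto, lhost=lhost, lport=lport, fhost=fhost, fport=fport, state=state))
    return rows


def is_external(host):
    """True for a routable public address: not LAN, loopback, link-local, unspecified or '*'."""
    try:
        addr = ipaddress.ip_address(host.split("%")[0])  # drop an IPv6 zone index
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified)


def external_established(rows):
    """Map each external peer with an ESTABLISHED TCP session to the remote ports in use."""
    peers = {}
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED" and is_external(r["fhost"]):
            peers.setdefault(r["fhost"], set()).add(r["fport"])
    return peers
```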

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM