My home router slowing down, getting attacked?

vsdagama

Distinguished
May 12, 2008
501
0
18,980
Hey guys,

For the last few days/week my family and I have been experiencing very slow internet.

I couldn't figure out why; here are my speedtest.net results:
[Image: 3446203372.png]


Now I was looking in my router settings (DIR 655) and I found the following in the logs:
Priority Time Message
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 95.22.55.13:17166 to 192.168.0.114:1025
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 42.114.248.73:27740 to 192.168.0.114:1025
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 99.51.2.71:52441 to 192.168.0.114:1024
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 180.227.137.42:14875 to 192.168.0.114:1024
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 71.88.242.193:41896 to 192.168.0.114:1025
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 82.11.84.98:23587 to 192.168.0.114:1025
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 91.209.233.194:33087 to 192.168.0.114:1025
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 154.5.190.137:1639 to 192.168.0.114:1025
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 85.192.188.9:14742 to 192.168.0.114:1025
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 177.65.107.115:19985 to 192.168.0.114:1025
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 62.199.177.247:56252 to 192.168.0.114:1025
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 96.36.128.246:48073 to 192.168.0.114:1025

This will happen about 50 times each second!

It seems like something or someone is trying to access or find something?

192.168.0.114 is the address of the DIR 655 on the network of the ISP's modem. All of my PCs and devices are on the router (192.168.1.1).

I can't watch a YouTube video without reloading 8 times, I can't browse websites, nothing will load and yet I have a speedtest like that... What is going on? I don't understand. Any help is welcome.

Thanks
 
Generally that is traffic that is created by malware. These tend to be botnet things that are infected.

If you are "lucky?" your machine has malware on it and is requesting these machines to connect to it but your router does not know how to actually let the malware connect to you. Run something like Malwarebytes or Microsoft's malware scanner and see if you find something.

The reason I say it would be lucky if you found malware on your machine is at least you can fix it. If somehow your IP got learned by a bunch of machines sending you junk you might as well turn off your internet and watch TV for a few days and hope it goes away. Only your ISP could stop this by attempting to prevent it from entering their network... but they would have to actually care about their customers.

There really is no way to fix a denial of service attack like this from your end.

Maybe you could block it in the ISP modem/router. Maybe it is consuming the memory in that device and if you drop it before it enters maybe it will help.
 
Solution

Kewlx25

Distinguished


A quick Google shows Ports 1024 and 1025 being primarily used by trojans and malware, so this supports your theory.
 

vsdagama

I'm scanning all systems now with Avast, Malwarebytes and Hitman Pro ;)

I'm happy to have found out the cause!! because I was getting pretty frustrated not having smooth internet for quite some time...

For now I got my router out of the DMZ I set up (for accessing my NAS from elsewhere), but after all the scans are done I'm pretty sure I can put my router back into the DMZ of the ISP modem like before.
 

vsdagama

As stated above, I did Avast, Malwarebytes and Hitman Pro scans on all computers in the house. All detected crap is deleted and then scanned again to be sure.

Still, I see some activity from IPs trying to get to my router. It is less frequent though (from 40-50 times per second to 1-2 times per second) and at the moment they are trying to access port 62957.

[INFO] Wed Apr 23 13:31:44 2014 Blocked incoming UDP packet from 83.234.55.118:21062 to 192.168.0.114:62957
[INFO] Wed Apr 23 13:31:44 2014 Blocked incoming UDP packet from 194.170.169.38:10077 to 192.168.0.114:62957
[INFO] Wed Apr 23 13:31:42 2014 Blocked incoming UDP packet from 91.105.176.65:41069 to 192.168.0.114:62957

They are almost all Russian IPs. I'm from Belgium and have nothing to do with Russia, so this makes it more suspicious...
http://www.ipillion.com/ip/46.159.195.99
http://www.ipillion.com/ip/109.187.5.200

I must say I also have a Synology NAS in my network, don't know if that could have anything to do with it. (Or they're trying to break into it?)

I'm currently contacting my ISP to see what can be done.
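
Added example, not posted by anyone in the thread: a small Python summary of "Blocked incoming" router log lines that reports the peak packets per second, the targeted ports and whether the traffic comes from many sources or a few, which are the figures the posts above estimate by eye. It assumes the line format shown in the thread's log excerpts; the sample lines are constructed with documentation addresses, and the name `summarize` is hypothetical.

```python
import re
from collections import Counter

# Line format assumed from the router log excerpts quoted in the thread.
LINE_RE = re.compile(
    r"\[INFO\]\s+(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"Blocked incoming (?P<proto>UDP|TCP) packet from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# Constructed sample (RFC 5737 documentation addresses), not taken from a real log.
SAMPLE_LOG = """\
Priority Time Message
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 192.0.2.10:17166 to 192.168.0.114:1025
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 198.51.100.7:27740 to 192.168.0.114:1025
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 203.0.113.5:52441 to 192.168.0.114:1024
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 192.0.2.44:14875 to 192.168.0.114:1024
[INFO] Fri Apr 18 00:44:18 2014 Blocked incoming UDP packet from 198.51.100.90:41896 to 192.168.0.114:1025
[INFO] Fri Apr 18 00:44:19 2014 Blocked incoming UDP packet from 192.0.2.10:17166 to 192.168.0.114:1025
"""

def summarize(log_text):
    """Aggregate blocked-packet lines by second, source address and destination port."""
    per_second, sources, dst_ports = Counter(), Counter(), Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue  # ignore blank lines
        m = LINE_RE.search(line)
        if m is None:
            unparsed += 1  # header rows or other message types
            continue
        per_second[m.group("ts")] += 1
        sources[m.group("src")] += 1
        dst_ports[int(m.group("dport"))] += 1
    return {
        "packets": sum(per_second.values()),
        "peak_per_second": max(per_second.values(), default=0),
        "distinct_sources": len(sources),
        # A low value next to many distinct sources means distributed traffic,
        # so blocking individual addresses on the router will not reduce it.
        "max_from_one_source": max(sources.values(), default=0),
        "dst_ports": dict(dst_ports.most_common()),
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running it on logs saved before and after a change (for example, after removing the DMZ entry) gives comparable numbers to pass on to the ISP.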