
Trouble Blocking Attacks From China

Tags:
  • Routers
  • Malware
  • Networking
  • Hacking
June 19, 2014 7:25:34 PM

To make a long story short... I was recently hacked. It started with a DoS attack, but then I was infected with some sort of malware. I believe I have cleaned out the malware, but... there's another issue.

I am receiving (or blocking) packets from random (but similar) IP addresses. Most of them originate in China. (Also seeing Thailand, Netherlands, Russia, and Philippines.) I was getting bombarded by packets at first, but now it's every ~5 minutes. I suspect someone is using an anonymous network (like Tor or something) to wage war on my router.

The simple solution would be to block the IP address ranges in the router, right? Well... I have a bad situation there. My router is a Netgear 7550. The firmware cannot be replaced, and is horrible. Netgear sold these things to AT&T "as-is", then AT&T sold them to other companies. (Which is how I got mine, basically.) Netgear refuses to provide any support for my model. I cannot block a range of addresses. It will only allow me to block a single IP address at a time. I've gone into the Windows firewall and blocked all the IP addresses... but it's constantly shifting... so... I don't even know.

(My only option with the router/modem firewall is to block everything and whitelist only what I want to use. This would be difficult as I have many different games I play online. It would be time-consuming to figure out how to whitelist every port for every game.)

Here's an example of the kind of thing I'm seeing in the router firewall log:

Time; xx:xx:xx
Direction/Severity; In: ppp0
Rule/Process: Blocked
Src IP: <LIKELY OFFENDER IP ADDRESS> Port: 6000
Dest IP: <MY MODEM/ROUTER IP ADDRESS> Port: 22
Proto: TCP
Len: 44
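
An added example, not part of the original post: a small parser for log entries in the layout quoted above that tallies blocked inbound packets by destination port and source /24 and lists the gaps between hits. The sample entries are constructed with addresses from the reserved documentation ranges, and `parse_entries`, `summarize` and the other names are this example's own.

```python
import ipaddress
import re
from collections import Counter, defaultdict
# Constructed entries in the layout quoted in the post. Addresses are from
# the reserved documentation ranges, not from any real log.
TEMPLATE = ("Time; {t}\nDirection/Severity; In: ppp0\nRule/Process: Blocked\n"
            "Src IP: {src} Port: 6000\nDest IP: 192.0.2.1 Port: {dport}\n"
            "Proto: TCP\nLen: 44\n")
SAMPLE_LOG = "\n".join(TEMPLATE.format(t=t, src=s, dport=p) for t, s, p in [
    ("19:01:10", "203.0.113.14", 22),
    ("19:06:12", "203.0.113.77", 22),
    ("19:11:09", "198.51.100.5", 22),
    ("19:16:15", "203.0.113.201", 3389),
])
FIELD = re.compile(r"^([^;:]+)[;:]\s*(.*)$")       # label, then ';' or ':'
ENDPOINT = re.compile(r"^(\S+)\s+Port:\s*(\d+)$")  # "<ip> Port: <n>"

def parse_entries(text):
    """Return one dict per blank-line-separated log entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (FIELD.match(line.strip()) for line in block.splitlines())
        entries.append({m.group(1).strip(): m.group(2) for m in pairs if m})
    return entries

def seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def summarize(entries):
    """Tally blocked packets per (proto, dest port) and per source /24, and
    list the gaps in seconds between hits (assumes a single day, in order)."""
    services, nets, times = Counter(), defaultdict(set), []
    for e in entries:
        src = ENDPOINT.match(e.get("Src IP", ""))
        dst = ENDPOINT.match(e.get("Dest IP", ""))
        if e.get("Rule/Process") != "Blocked" or not (src and dst):
            continue
        try:
            net = ipaddress.ip_network(src.group(1) + "/24", strict=False)
            times.append(seconds(e["Time"]))
        except (KeyError, ValueError):
            continue  # redacted or malformed entry
        services[(e.get("Proto", "?"), int(dst.group(2)))] += 1
        nets[str(net)].add(src.group(1))
    gaps = [b - a for a, b in zip(times, times[1:])]
    return services, {n: len(ips) for n, ips in nets.items()}, gaps

if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE_LOG)))
```

Entries whose addresses or times are redacted, like the one quoted in the post, are skipped rather than counted.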


June 19, 2014 7:35:46 PM

You cannot block all of them, no matter what router you have.

The best you can do is request that your ISP change your IP address.
They will be looking for your old IP of 74.168.2.foo, and you will have a new one of 74.223.8.fubar.

And wipe and reinstall your entire PC. Malware/virus eradication often looks like it works, but really bad ones can spoof most known AV and malware tools.
June 19, 2014 7:44:59 PM

My Netgear router used to block ping requests 24/7 from countries all over the world, if that's what you're talking about. Echo Block, something like that, I forgot. I disabled the log so it doesn't flood my router with warnings. I upgraded to DD-WRT firmware. I can't remember what it was called off the top of my head, think it's something like allow router to be pinged or something to stop the block warnings.

You can leave it on or off, but I have it off so League of Legends loads the scores faster, and same with my browser loading faster. If I have it set to block ping requests it takes 6 seconds for my browser to load and 8 seconds for LoL scores for some odd reason, same with checking what ports are opened via command prompt. Those random IPs you're seeing come from visiting websites like Facebook, YouTube, MMO Champs or any advertisements.
June 19, 2014 8:16:06 PM

Danifilth said:
My Netgear router used to block ping requests 24/7 from countries all over the world, if that's what you're talking about. Echo Block, something like that, I forgot. I disabled the log so it doesn't flood my router with warnings. I upgraded to DD-WRT firmware. I can't remember what it was called off the top of my head, think it's something like allow router to be pinged or something to stop the block warnings.

You can leave it on or off, but I have it off so League of Legends loads the scores faster, and same with my browser loading faster. If I have it set to block ping requests it takes 6 seconds for my browser to load and 8 seconds for LoL scores for some odd reason, same with checking what ports are opened via command prompt. Those random IPs you're seeing come from visiting websites like Facebook, YouTube, MMO Champs or any advertisements.


1) My firmware is terrible, but my ISP won't allow me to change it. (Router/modem is their property.)
2) Firmware contains very few, and limited options. No option for ping/echo.
3) The random IPs are definitely from a hacking attempt. I run a number of browser add-ons to block scripts and ads. I also disable all auto-update features of everything on my computer. I can reboot, load up my browser without a home page... access the logs from the router... and see packets from China every ~5 minutes. I am 100% sure on this. I have traced every IP going through. I see ad servers, Google, tomshardware, my DNS server, the sites I use to look up IPs, and China.
June 20, 2014 6:18:55 AM

It does not matter if you block the traffic or not. I will first assume you are not stupid and put your PC in the DMZ so that traffic from China or wherever is not getting to your actual PC.

The traffic will always get to your router itself. When it gets a packet it either has an open NAT session to a device on your internal network or it does not. If there is no open session the packet is dropped. What would be the difference if you said drop all packets from China? Your router would still have to receive and process them and then drop them. It would just not ever check to see if any should be sent inside, which would never happen anyway because of how NAT works.

Most filters on routers are used to prevent traffic from being sent from the inside TO some IP on the internet.

There is no solution for this problem. The traffic has already gotten all the way to your house, only the ISP can prevent the traffic from being sent to your house and unless it is causing THEM an issue they don't care.
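
The argument in the reply above, as an added example that is not part of the original thread: a simplified model of a NAT router's inbound decision, run with and without a source blocklist and with and without a DMZ host. The `Router` class, the session key and all addresses are constructed for illustration and do not describe any particular firmware.

```python
import ipaddress

class Router:
    """Simplified NAT router model: WAN-side packets are matched against
    sessions that a LAN host opened first."""

    def __init__(self, blocked_nets=(), dmz_host=None):
        self.blocked = [ipaddress.ip_network(n) for n in blocked_nets]
        self.dmz_host = dmz_host
        self.sessions = {}  # (proto, remote_ip, remote_port, wan_port) -> LAN host
        self.processed = 0  # packets the router had to receive and inspect

    def outbound(self, proto, lan_host, wan_port, remote_ip, remote_port):
        """A LAN host opens a connection; the router records the mapping."""
        self.sessions[(proto, remote_ip, remote_port, wan_port)] = lan_host

    def inbound(self, proto, remote_ip, remote_port, wan_port):
        """Return the verdict for a packet arriving on the WAN interface."""
        self.processed += 1  # the packet has already arrived; rules run after
        if any(ipaddress.ip_address(remote_ip) in n for n in self.blocked):
            return "drop (blocklist)"
        host = self.sessions.get((proto, remote_ip, remote_port, wan_port))
        if host:
            return "forward to " + host
        if self.dmz_host:
            return "forward to " + self.dmz_host + " (DMZ)"
        return "drop (no session)"

# Constructed packets; all addresses are documentation or private ranges.
PROBE = ("TCP", "203.0.113.14", 6000, 22)     # unsolicited, shaped like the quoted log
REPLY = ("TCP", "198.51.100.80", 443, 50000)  # answer to a LAN-initiated session

def scenario(blocked_nets=(), dmz_host=None):
    """Return (probe verdict, reply verdict, packets processed)."""
    r = Router(blocked_nets, dmz_host)
    r.outbound("TCP", "192.168.1.10", 50000, "198.51.100.80", 443)
    return r.inbound(*PROBE), r.inbound(*REPLY), r.processed

if __name__ == "__main__":
    for nets in ((), ("203.0.113.0/24",)):
        for dmz in (None, "192.168.1.10"):
            print(nets, dmz, scenario(nets, dmz))
```

Without a DMZ host the unsolicited probe is dropped in both runs and the router still counts it as processed; only with a DMZ host does the blocklist change where the packet ends up.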
September 23, 2014 2:17:10 AM

If you are using Cisco then you can filter the traffic by creating access control lists. For Netgear I am not sure. I guess you can see http://ip2location.com/free/visitor-blocker for some tips.