
6 hours ago, itman said:

Agreed.

You need to examine the source of the echo requests, which can only be done by examining the router's firewall log for like activity. If external flooding activity is occurring, it needs to be stopped by the router firewall.

Again, most router firewalls are configured to drop incoming ICMP echo requests by default. Of course, routers can be misconfigured or hacked.

The above that I posted is from the log. Not exactly sure where to go from here, since if what you're saying is in fact what is going on then this is obviously an issue and somehow needs to be stopped. Getting a bit over my head though.


11 minutes ago, scgt1 said:

The above that I posted is from the log. Not exactly sure where to go from here, since if what you're saying is in fact what is going on then this is obviously an issue and somehow needs to be stopped. Getting a bit over my head though.

You don't have a problem. The router is dropping/blocking those requests on the WAN side of the router. In other words, they are not getting through to your internal network.


17 minutes ago, itman said:

You don't have a problem. The router is dropping/blocking those requests on the WAN side of the router. In other words, they are not getting through to your internal network.

Are these ok though:

[UPnP set event: Public_UPNP_C3] from source (My actual computers IP on the network)

[LAN access from remote] from 67.148.153.40:49792 to 192.168.***.***:5101, Saturday, Jun 10,2017 00:41:13 (Dish Hopper IP)
[LAN access from remote] from 67.148.153.44:54215 to 192.168.***.***:5101, Saturday, Jun 10,2017 00:35:37 (Dish Hopper IP)

[LAN access from remote] from 65.55.158.119:3544 to 192.168.***.***:63694, Friday, Jun 09,2017 21:20:18 (My actual computer IP on the network)

I don't know what those "from" IPs are.


So I turned off UPnP on the router and now I'm getting this pop-up from Eset, and another one for a duplicate IP on the home network; I didn't catch that one in time before it went away though.

The below "computer" is both my 65" Samsung TV and the Dish Hopper in the living room. I'm also getting these notices on my fiancée's computer since turning off UPnP on the router. If I turn it back on, these notices stop.

[Image: turn off upnp on router leads to hopper and samsung tv.jpg]

Edited by scgt1

On 6/8/2017 at 4:58 PM, itman said:

You have only one "home" network I assume?

If you share files and devices with other PCs on your network, then delete/remove the entries for home - Public network and home (2) leaving only one "home - Home or office network." If you don't share files and devices with other PCs on your network, then keep "home - Public network" and delete/remove the other two home network entries.

Did you set up two Virtual networks?

Report back if Flood alerts persist after making the above changes.

@itman

I pared it down to a single home and virtual network. I am no longer getting alerts. I do not recall configuring the additional network entries, so I am wondering if perhaps they got duplicated when I upgraded to W10 from 8? Or perhaps the original vendor? Or perhaps some program added them? Those are my best guesses. I bet you have better ones )

Thanks very much for your assistance in this matter!


I too have a bunch of networks showing up in Eset on my daily/media server, while we just have two showing up on my fiancée's PC and my game rig.

Eset SS on my fiancée's computer and my game rig both show:

Wired Network 1 Home or Office Network inherited from Network Adapter

Wired Network 2 Home or Office Network inherited from Network Adapter

While my daily shows the attached image. Looking in the Network and Sharing Center I only show two active networks, the first being Private Network using the Realtek network adapter and the second using TAP Windows Adapter 9. The unidentified network shows no network connectivity, yet there is data up and down active on it. I'm not sure if that is the tunneling adapter that AirVPN uses or not.

[Image: Networks.jpg]


39 minutes ago, NOD said:

Cache poisoning attacks are not resolved with DNSSEC?
Verify DNSSEC compliance : https://dnssec.vs.uni-due.de/

https://developers.google.com/speed/public-dns/docs/security

Nice to think it can spoof your own IPs to make you think it's something on your own network. To make me feel even more secure:

No, your DNS resolver does NOT validate DNSSEC signatures.

I'm about to find some place to hire a security/network professional to fix this. It's all way over my head. I'm quite sure after reading on that Google page about the cache poisoning attacks that I've already allowed it through with Eset. :-(

FYI, my AirVPN sub was coming due in July and I picked up a lifetime Windscribe VPN sub a few days back for cheap, so I just installed that this morning and I've removed AirVPN, but nothing seems to have changed. So I don't think the VPN service had anything to do with it.

Since switching to a different VPN client I'm running some of the security tests:

File Sharing:

Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

UPNP:

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

Common Ports:

FAILED Ports 21,22,80,143, and 443 are open

All Service Ports:

21,22,80,143,443, and 587

Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.
Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

Looks like I'm less secure with this VPN, or something is on the system/router now that is mucking with more. I only had ports 88 and 89 open prior, I believe.

Edited by scgt1

12 hours ago, scgt1 said:

Are these ok though:

[UPnP set event: Public_UPNP_C3] from source (My actual computers IP on the network)

[LAN access from remote] from 67.148.153.40:49792 to 192.168.***.***:5101, Saturday, Jun 10,2017 00:41:13 (Dish Hopper IP)
[LAN access from remote] from 67.148.153.44:54215 to 192.168.***.***:5101, Saturday, Jun 10,2017 00:35:37 (Dish Hopper IP)

[LAN access from remote] from 65.55.158.119:3544 to 192.168.***.***:63694, Friday, Jun 09,2017 21:20:18 (My actual computer IP on the network)

I don't know what those "from" IPs are.

The first two log entries are for your Dish Satellite service. The last entry is normal Internet traffic.

Edited by itman
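A small triage script for router log lines of the kind quoted in this exchange, added here as an example; it is not part of the thread or of any ESET or router vendor tool. The sample lines are constructed from the posts (the masked LAN octets are replaced with placeholder private addresses), and the known-forward table encodes itman's reading that port 5101 belongs to the Dish Hopper; everything else from a public source lands in a "review" bucket.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample lines in the format the thread quotes from the router log.
# LAN addresses are placeholders; remote addresses and ports are from the posts.
SAMPLE_LOG = """\
[UPnP set event: Public_UPNP_C3] from source 192.168.1.10, Saturday, Jun 10,2017 00:12:00
[LAN access from remote] from 67.148.153.40:49792 to 192.168.1.20:5101, Saturday, Jun 10,2017 00:41:13
[LAN access from remote] from 67.148.153.44:54215 to 192.168.1.20:5101, Saturday, Jun 10,2017 00:35:37
[LAN access from remote] from 65.55.158.119:3544 to 192.168.1.10:63694, Friday, Jun 09,2017 21:20:18
"""

# "[tag] from [source ]ip[:port][ to ip:port], weekday, Mon dd,yyyy hh:mm:ss"
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\] from (?:source )?(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"(?: to (?P<dst>[\d.]+):(?P<dport>\d+))?, (?P<when>.+)$"
)
TIME_FMT = "%A, %b %d,%Y %H:%M:%S"  # e.g. "Saturday, Jun 10,2017 00:41:13"


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "tag": d["tag"],
        "src": ip_address(d["src"]),
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": ip_address(d["dst"]) if d["dst"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
        "when": datetime.strptime(d["when"], TIME_FMT),
    }


def triage(log_text, known_forwards):
    """Sort entries into buckets a defender wants to look at.

    known_forwards maps a LAN destination port to the device expected to receive
    inbound connections there (constructed from the thread: 5101 -> Dish Hopper).
    """
    result = {"known": [], "review": [], "upnp": [], "unparsed": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e is None:
            result["unparsed"].append(line)
        elif e["tag"].startswith("UPnP"):
            result["upnp"].append(e)  # only LAN hosts should be opening mappings
        elif e["tag"] == "LAN access from remote" and not e["src"].is_private:
            bucket = "known" if e["dport"] in known_forwards else "review"
            result[bucket].append(e)
    return result


def summarize(result, known_forwards):
    """One line per inbound connection from the Internet, oldest first."""
    rows = []
    for e in sorted(result["known"] + result["review"], key=lambda e: e["when"]):
        label = known_forwards.get(e["dport"], "no known forward for this port")
        rows.append(f"{e['when']:%Y-%m-%d %H:%M:%S} {e['src']}:{e['sport']} "
                    f"-> {e['dst']}:{e['dport']} ({label})")
    return rows


if __name__ == "__main__":
    known = {5101: "Dish Hopper"}
    for row in summarize(triage(SAMPLE_LOG, known), known):
        print(row)
```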

8 hours ago, scgt1 said:

So I turned off UPnP on the router and now I'm getting this pop-up from Eset, and another one for a duplicate IP on the home network; I didn't catch that one in time before it went away though.

The below "computer" is both my 65" Samsung TV and the Dish Hopper in the living room. I'm also getting these notices on my fiancée's computer since turning off UPnP on the router. If I turn it back on, these notices stop.

[Image: turn off upnp on router leads to hopper and samsung tv.jpg]

Turn UPNP back on in the router. Appears your Dish TV boxes need to be discovered by the router.


4 hours ago, scgt1 said:

I too have a bunch of networks showing up in Eset on my daily/media server, while we just have two showing up on my fiancée's PC and my game rig.

Eset SS on my fiancée's computer and my game rig both show:

Wired Network 1 Home or Office Network inherited from Network Adapter

Wired Network 2 Home or Office Network inherited from Network Adapter

While my daily shows the attached image. Looking in the Network and Sharing Center I only show two active networks, the first being Private Network using the Realtek network adapter and the second using TAP Windows Adapter 9. The unidentified network shows no network connectivity, yet there is data up and down active on it. I'm not sure if that is the tunneling adapter that AirVPN uses or not.

[Image: Networks.jpg]

According to this article: https://www.expressvpn.com/support/troubleshooting/log-items/no-tap-windows-adapters-on-system/ , it is normal for the TAP Windows Adapter 9 to show "No network active" in Win's Network and Sharing Center. I assume this connection is showing in Eset's network connections as "Virtual network 1."

At this point, I don't know why Eset network shows two wired network connections. It might do that when a virtual network connection is detected using the TAP Windows adapter. In which case, the Eset "wired network 2" would be applicable. @Marcos comments?


Well, I reset my router and had a heck of a time getting back into it to set it up. Couldn't access it via any of the 3 PCs or my phone, which have regularly been on the network prior to the reset. I pulled out my old Surface RT tablet and was finally able to connect to the default connection without issue. Makes me wonder if I have 3 PCs and my cell infected with something.

I've gone back through all the settings, changing my router's IP this go around, considering all the freakin problems that have been appearing as of late with these notices out of nowhere, which are now on 3 PCs (the ICMP flood issue geared toward the router).

I've run Shields Up tests again on my daily and got the same UPnP exposure results that say I can't be seen. Now only port 443 shows up in the common ports test, but it states:

443 HTTPS Closed

Your computer has responded that this port exists but is currently closed to connections


Can't add anything else to the above post because it keeps putting the cursor in what I pasted.

The All Service Ports test yields the same as above: just 443 as Closed, and the rest of the ports are secured, unlike a few posts up where a bunch were open.

This is also what it had to say about the same test:

Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.
Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

So I think I'm still having some form of issue, which, with the router being hard reset and having to completely set it up again, I would think is the computers on the home network. I wish they taught this when I was in school; I would know what I'm doing with this junk.


13 minutes ago, scgt1 said:

Well, I reset my router and had a heck of a time getting back into it to set it up. Couldn't access it via any of the 3 PCs or my phone, which have regularly been on the network prior to the reset. I pulled out my old Surface RT tablet and was finally able to connect to the default connection without issue. Makes me wonder if I have 3 PCs and my cell infected with something.

I've gone back through all the settings, changing my router's IP this go around, considering all the freakin problems that have been appearing as of late with these notices out of nowhere, which are now on 3 PCs (the ICMP flood issue geared toward the router).

I've run Shields Up tests again on my daily and got the same UPnP exposure results that say I can't be seen. Now only port 443 shows up in the common ports test, but it states:

443 HTTPS Closed

Your computer has responded that this port exists but is currently closed to connections

I believe Dish is associated with AT&T.

I have Uverse. It does indeed use port 443 on the WAN side on the router for inbound communication. Something I am not keen on but can't do anything about.

-EDIT- If you check your router firewall rules, you will see that there is a rule that alone allows inbound traffic from your ISP address for port 443.

Bottom line - you're OK.

FYI - When you do the GRC Shields Up test, make sure all applications are shut down, including your e-mail client.

Edited by itman

12 minutes ago, itman said:

I believe Dish is associated with AT&T.

I have Uverse. It does indeed use port 443 on the WAN side on the router for inbound communication. Something I am not keen on but can't do anything about.

Bottom line - you're OK.

FYI - When you do the GRC Shields Up test, make sure all applications are shut down, including your e-mail client.

I'll have to try that again with all the extra background stuff off.

I've removed all the extra network listings in Eset, down to what I believe are the home and virtual (WindscribeVPN) ones. What should these be set as, public or private? I've also run a network scan/tree with Eset and the router doesn't come up as a notice anymore, but my main desktop (the one I'm on) does and states traffic blocked.

I really don't want to spend a day reloading this computer again, but it's seeming that I'm heading down that road. Would probably be best to do all 3 of them just to make sure. I obviously need to make sure the router is completely secure first though, or I'm just taking a leak toward the wind. lol

I'm not seeing any more of the notices in the router log since I reset it either, but I also haven't turned off the WindscribeVPN client or rebooted yet.

Turned off the WindscribeVPN client and got the stupid ICMP threat popup from Eset for the router again.
Edited by scgt1

2 minutes ago, scgt1 said:

I've removed all the extra network listings in Eset, down to what I believe are the home and virtual (WindscribeVPN) ones. What should these be set as, public or private? I've also run a network scan/tree with Eset and the router doesn't come up as a notice anymore, but my main desktop (the one I'm on) does and states traffic blocked.

As I stated previously in this thread, if you share files and devices with other people on your home network, the Eset network setting should be Private; otherwise, it should be Public.

As far as any VPN connection, that should be Public. Note - I am assuming your VPN connection is not to your work place.


23 minutes ago, scgt1 said:

Turned off the WindscribeVPN client and got the stupid ICMP threat popup from Eset for the router again.

Appears it is constantly pinging for connectivity purposes - hopefully. Only way to stop that would be to uninstall the software and that hopefully would stop it. You might consider a "paid" VPN. 

Edited by itman

39 minutes ago, itman said:

As I stated previously in this thread, if you share files and devices with other people on your home network, the Eset network setting should be Private; otherwise, it should be Public.

As far as any VPN connection, that should be Public. Note - I am assuming your VPN connection is not to your work place.

OK, I set Wired Network 1 to Home/Office and the WindscribeVPN connection to Public again, removing 3 other rogue connections. This is all on a home network, not a workplace.

27 minutes ago, itman said:

Appears it is constantly pinging for connectivity purposes - hopefully. Only way to stop that would be to uninstall the software and that hopefully would stop it. You might consider a "paid" VPN. 

I am paying for the lifetime WindscribeVPN service. It has what they claim is a built-in firewall that doesn't allow connections unless the application is connected, but I've occasionally been able to still load web pages when it isn't connected. I wrote in to them on this matter but haven't received a message back.

I also unblocked my R7000 from the Network Connection/Troubleshooting Wizard.

I've scanned the home network with Eset and it tells me no threats were found, yet this computer and the router show a yellow exclamation point and state: Traffic blocked. Some traffic from this device has been blocked by the firewall.

Flip side I guess after resetting the router I haven't seen the ARP Poisoning attack notices anymore and don't see anything odd in the router log yet either.

Edited by scgt1

Had a wild hair and ran the Shields Up tests (UPnP, file sharing, common ports, all service ports) on my cell, and every test passed with flying colors. I'm not running a mobile version of Eset and am just using the default Android security on it.

My game rig passes the common ports test and has port 443 as stealth, so not sure why it shows closed on my daily unless it has something to do with the VPN service. My game rig also passes the all service ports test, whereas, as mentioned before, it fails on the closed 443 on my daily. Both my daily and game rig are on the same home network along with the Dish boxes. So why does one show 443 as open and the other doesn't.........

Both my phone and the game rig aren't run through the VPN and are just protected with the router's security, so they show the actual broadcast IP, where my daily shows the assigned IP from the VPN service. So it may be the VPN service that has something to do with 443 being closed and not stealth.

Well, turning off the firewall on the VPN client (which is said to not allow traffic when the client isn't connected), then disconnecting from the VPN client and running the common ports test again, I pass and 443 shows secured. While running the all service ports test, 443 shows secured also. So I guess it's something to get with Windscribe about.

Edited by scgt1

59 minutes ago, scgt1 said:

I am paying for the lifetime WindscribeVPN service. It has what they claim is a built-in firewall that doesn't allow connections unless the application is connected, but I've occasionally been able to still load web pages when it isn't connected. I wrote in to them on this matter but haven't received a message back.

I am posting this as a general statement to all that use a VPN.

When you use a VPN, you are establishing a tunneled connection to your PC. Tunnel connections have the ability to bypass firewalls. This is clearly shown in the previously posted Win's Network and Sharing Center screen shot noting the VPN connection is not active yet inbound/outbound traffic on that connection is occurring.

I don't use a VPN for Internet activity and never will. As such, I really don't know what protections the Eset firewall offers in regard to VPN connections. Hopefully, someone knowledgeable in that area can comment. Clearly Eset's IDS protections are functioning but they alone are not a substitute for secure firewall rules. 


1 hour ago, scgt1 said:

It has what they claim is a built-in firewall that doesn't allow connections unless the application is connected, but I've occasionally been able to still load web pages when it isn't connected. I wrote in to them on this matter but haven't received a message back.

Here is an article on how to create Eset firewall rules which are in effect a "kill switch" that will block all VPN traffic when the VPN is disconnected: https://tech.eurosecure.com/index.php?action=artikel&cat=1&id=8&artlang=en . You can use this as a guide modifying program and port/s used. Also, you will have to assign the profile name created to your Eset VPN network connection.

In reference to my above posting, note that there are two rules - allow all VPN traffic and block all VPN traffic. In other words when using a VPN connection, the Eset firewall detail rule processing is totally bypassed. You are 100% reliant on the VPN to filter incoming traffic to your PC. Additionally, no Eset outbound firewall blocking is possible.

Edited by itman

14 minutes ago, scgt1 said:

Food for thought: it seems maybe Windscribe requires port 443, possibly, going by their instructions for setting their service up directly with DD-WRT:

https://windscribe.com/guides/ddwrt

Appears to me the default port used by WindScribe is port 443. Can probably be changed but would have to be co-ordinated with WindScribe.

What is being created is in effect a "pinhole" on the router. 
