DOS attacks from DSL Reports Servers

cc666

Very Senior Member
I have been checking bufferbloat recently and have been noticing DOS attacks the evening of when I checked.
See below:

[DoS Attack: ACK Scan] from source: 24.72.224.10, port 80, Saturday, December 30, 2017 22:50:02
[DoS Attack: ACK Scan] from source: 162.151.17.198, port 80, Saturday, December 30, 2017 22:49:30
[DoS Attack: ACK Scan] from source: 162.248.95.144, port 80, Saturday, December 30, 2017 22:49:30
[DoS Attack: ACK Scan] from source: 162.151.17.198, port 80, Saturday, December 30, 2017 22:49:27
[DoS Attack: ACK Scan] from source: 162.248.95.145, port 80, Saturday, December 30, 2017 22:49:27
[DoS Attack: ACK Scan] from source: 162.248.95.144, port 80, Saturday, December 30, 2017 22:49:27
[DoS Attack: ACK Scan] from source: 162.248.95.145, port 80, Saturday, December 30, 2017 22:49:27
[DoS Attack: ACK Scan] from source: 162.248.95.144, port 80, Saturday, December 30, 2017 22:49:26
[DoS Attack: ACK Scan] from source: 24.72.224.10, port 80, Saturday, December 30, 2017 22:49:12
[DoS Attack: ACK Scan] from source: 162.151.17.198, port 80, Saturday, December 30, 2017 22:48:55
[DoS Attack: ACK Scan] from source: 162.248.95.144, port 80, Saturday, December 30, 2017 22:48:55
[DoS Attack: ACK Scan] from source: 162.248.95.145, port 80, Saturday, December 30, 2017 22:48:54
[DoS Attack: ACK Scan] from source: 162.151.17.198, port 80, Saturday, December 30, 2017 22:48:54
[DoS Attack: ACK Scan] from source: 162.248.95.144, port 80, Saturday, December 30, 2017 22:48:54
[DoS Attack: ACK Scan] from source: 162.248.95.145, port 80, Saturday, December 30, 2017 22:48:54
[DoS Attack: ACK Scan] from source: 162.248.95.144, port 80, Saturday, December 30, 2017 22:48:53

The 162.248.95.155 and .145 are from DSL reports! This is just a portion of my log but it's loaded with these DOS attacks. Copying and pasting these IP addresses into a browser shows:

This is a remote server dedicated to DSLReports services there is nothing much to see here.

Any ideas?

CC
 
Have you been using their speedtest tool? If so, then I would expect some security systems to complain about it.
 
Are these during the time frames you're doing the speed tests that these are being seen? I don't see this in my logs...
"[Time synchronized with NTP server] Monday, January 01, 2018 15:34:38
[Internet connected] IP address: 192.168.0.178, Monday, January 01, 2018 15:33:54
[Log Cleared] Monday, January 01, 2018 15:32:44"
Cleared logs then ran test:
[Image: 27686067.png]



"
IP Location United States New York City Nuclearfallout Enterprises Inc.
ASN AS13789 INTERNAP-BLK3 - Internap Network Services Corporation, US (registered Aug 18, 1999)
Resolve Host v-162-248-95-145.unman-vds.internap-nyc.nfoservers.com
Whois Server whois.arin.net
IP Address 162.248.95.145
NetRange: 162.248.88.0 - 162.248.95.255
CIDR: 162.248.88.0/21
NetName: NFOSERVERS-3
NetHandle: NET-162-248-88-0-1
Parent: NET162 (NET-162-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS14745, AS12179, AS32374, AS13789, AS12182, AS13790, AS19024, AS32751
Organization: Nuclearfallout Enterprises, Inc. (NUCLE-3)
RegDate: 2013-11-08
Updated: 2013-11-08
Ref: https://whois.arin.net/rest/net/NET-162-248-88-0-1

OrgName: Nuclearfallout Enterprises, Inc.
OrgId: NUCLE-3
Address: 22681 Modesto Drive
City: Mission Viejo
StateProv: CA
PostalCode: 92691
Country: US
RegDate: 2004-04-16
Updated: 2017-01-28
Ref: https://whois.arin.net/rest/org/NUCLE-3

OrgTechHandle: NUCLE-ARIN
OrgTechName: Nuclearfallout NOC
OrgTechPhone: +1-206-426-5832
OrgTechEmail:
OrgTechRef: https://whois.arin.net/rest/poc/NUCLE-ARIN

OrgAbuseHandle: NUCLE-ARIN
OrgAbuseName: Nuclearfallout NOC
OrgAbusePhone: +1-206-426-5832
OrgAbuseEmail:
OrgAbuseRef: https://whois.arin.net/rest/poc/NUCLE-ARIN

NetRange: 162.248.95.0 - 162.248.95.255
CIDR: 162.248.95.0/24
NetName: NFOSERVERS-NYC-6
NetHandle: NET-162-248-95-0-1
Parent: NFOSERVERS-3 (NET-162-248-88-0-1)
NetType: Reassigned
OriginAS: AS13789
Customer: Nuclearfallout Enterprises, Inc. (C05134254)
RegDate: 2014-06-26
Updated: 2014-06-26
Ref: https://whois.arin.net/rest/net/NET-162-248-95-0-1

CustName: Nuclearfallout Enterprises, Inc.
Address: 75 Broad St
Address: Floor 14
City: New York
StateProv: NY
PostalCode: 10004
Country: US
RegDate: 2014-06-26
Updated: 2014-06-26
Ref: https://whois.arin.net/rest/customer/C05134254
"
 
I have been checking bufferbloat recently and have been noticing DOS attacks the evening of when I checked.

It's not a DOS - the DSLReports speed test runs multiple streams from many locations...
 
So the Netgear logs are misinterpreting this as a DOS attack?

CC
Netgear are well known for being a little paranoid log-wise. I have so-called DOS attacks from various legitimate sources. All of Netgear's routers seem to be like this, some because, as in this case, they are seeing multiple streams from multiple locations, and some because, well, the routers have always thrown up the occasional false flags with general internet traffic.
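
One way to triage a log like the one posted in this thread, added here as an example and not part of any post or of any Netgear tool: group the "DoS Attack" entries by source and mark a source as expected only when it sits in a network the user deliberately contacted, uses source port 80, and was logged close to the time of the speed test. The 162.248.88.0/21 range is the NetRange from the WHOIS output above; the function names, the 10-minute slack, the test start time and the sample lines (including 198.51.100.7, a documentation address) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format of the router log quoted in this thread.
SAMPLE_LOG = """\
[DoS Attack: ACK Scan] from source: 162.248.95.144, port 80, Saturday, December 30, 2017 22:49:30
[DoS Attack: ACK Scan] from source: 162.248.95.145, port 80, Saturday, December 30, 2017 22:49:27
[DoS Attack: ACK Scan] from source: 162.248.95.144, port 80, Saturday, December 30, 2017 22:48:53
[DoS Attack: ACK Scan] from source: 198.51.100.7, port 4444, Sunday, December 31, 2017 03:12:09
[Log Cleared] Monday, January 01, 2018 15:32:44
"""

LINE_RE = re.compile(
    r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[\d.]+), "
    r"port (?P<port>\d+), (?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})$"
)

def parse(log_text):
    """Yield (kind, ip, port, timestamp) for each DoS entry; skip other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%A, %B %d, %Y %H:%M:%S")
            yield m["kind"], ipaddress.ip_address(m["ip"]), int(m["port"]), ts

def triage(log_text, test_start, known_nets, slack=timedelta(minutes=10)):
    """Return {source_ip: (verdict, entry_count)} for the DoS entries.

    'expected' requires all three: the source is inside a known network, every
    entry has source port 80, and every entry is within `slack` of test_start.
    Anything else is 'review'.
    """
    nets = [ipaddress.ip_network(n) for n in known_nets]
    by_src = defaultdict(list)
    for _kind, ip, port, ts in parse(log_text):
        by_src[ip].append((port, ts))
    result = {}
    for ip, events in by_src.items():
        in_net = any(ip in n for n in nets)
        in_window = all(abs(ts - test_start) <= slack for _, ts in events)
        web_port = all(port == 80 for port, _ in events)
        verdict = "expected" if in_net and in_window and web_port else "review"
        result[str(ip)] = (verdict, len(events))
    return result
```

Sources that come back as "review" are the ones worth looking up individually; the "expected" ones match the explanation given in the replies above.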
 
