New ISP [ ANI networks ] New Delhi Router hack

  • Thread starter: Reverb_sr71
Hello

I am from New Delhi and have recently changed my Internet from MTNL ( :nono: ) to a local provider who connects to ANI Networks.
It has been 4 days and the connection has been relatively stable. Yesterday there was an outage, but the person responded quickly and rectified the problem. I noticed, as I checked my router logs (when the connection went off), that there have been some very suspicious messages.

Jun 09 21:00:42 UdpEchoChargen Attack Detect (ip=10.19.208.143) Packet Dropped
Jun 09 21:00:42 Whole System ACK Flood Attack from WAN Rule:Default deny
Jun 09 20:59:42 UdpEchoChargen Attack Detect (ip=10.19.208.147) Packet Dropped
Jun 09 20:58:42 Whole System ACK Flood Attack from WAN Rule:Default deny
Jun 09 20:57:42 Whole System ACK Flood Attack from WAN Rule:Default deny
Jun 09 20:56:42 UdpEchoChargen Attack Detect (ip=10.19.208.107) Packet Dropped
Jun 09 20:56:42 Whole System ACK Flood Attack from WAN Rule:Default deny
Jun 09 20:55:42 Per-source ACK Flood Attack Detect (ip=115.112.0.12) Packet Dropped
Jun 09 20:55:42 Whole System ACK Flood Attack from WAN Rule:Default deny
Jun 09 20:54:42 UdpEchoChargen Attack Detect (ip=10.19.208.35) Packet Dropped

The list goes on. It hasn't affected my connection speed or connectivity, but I am concerned. Am I getting hacked? Is someone intercepting my traffic?

Router : D-Link DIR 600L
ISP - ANI Networks ( local) plan 1mbps unlimited no fup .
PC - Win 7 os , browser firefox.

Any help or clarification would be awesome.
 
Were you using torrent by any chance? Had a similar observation at a cousin's place on the very same router, though he was using a local cable ISP provider having an Airtel leased line. A bit of searching hinted it might be because of a running torrent sending requests to peer IPs. Some hints were of some jerks scanning randomly for unsecured systems. Couldn't figure it out clearly enough.
 
I was using uTorrent with the MTNL line, but I haven't yet used it with this new connection.
Another interesting bit is that the MTNL connection was a dynamic IP, but this one has given me a static IP.

Jun 10 00:07:27 UdpEchoChargen Attack Detect (ip=10.19.208.107) Packet Dropped
Jun 10 00:06:27 UdpEchoChargen Attack Detect (ip=10.19.208.147) Packet Dropped
Jun 10 00:03:27 UdpEchoChargen Attack Detect (ip=10.19.208.138) Packet Dropped
Jun 10 00:02:27 UdpEchoChargen Attack Detect (ip=10.19.208.133) Packet Dropped
Jun 10 00:00:27 Per-source ACK Flood Attack Detect (ip=173.194.36.78) Packet Dropped
Jun 10 00:00:27 Whole System ACK Flood Attack from WAN Rule:Default deny
Jun 09 23:58:27 Per-source ACK Flood Attack Detect (ip=173.194.36.78) Packet Dropped
Jun 09 23:58:27 Whole System ACK Flood Attack from WAN Rule:Default deny
Jun 09 23:57:27 UdpEchoChargen Attack Detect (ip=10.19.208.107) Packet Dropped

The attack, or whatever it is, is still going on at the time of me posting this message.
 
I ran an IP lookup on one of the attacking IPs and it's from Atlanta, Georgia. I have been using Hotspot Shield VPN for a while. Is it possible it's because of that? Hotspot Shield does connect to servers in the US.

Edit: I ran the IP lookup again on another IP and this is the result:
Host : channel-proxy-shv-06-ash2.facebook.com OK
Country : United States
Now I am pretty sure it is caused by Hotspot Shield. Any suggestions on how to stop this? I understand I could ask my ISP for another static IP, but is there another way?
I am glad that my router is stopping most of it, but it does concern me that this attack keeps happening all the time.
 
Most of the IPs you have posted are private IPs (10.x.x.x), which almost all VPNs use in allocation; alongside these, the Google/Facebook IPs are mentioned too. How about skipping the use of any VPN for a day or two for monitoring? Also clear your router's existing logs and observe if the same messages still appear.
I have found so many cases of this very same scenario with this particular router, the D-Link DIR 600L, on the internet, so I have my apprehensions about this particular router too.
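
Added example, not part of the thread: a small Python parser for the router log format shown in the posts, tallying detections by type and separating private-range sources (such as 10.x.x.x) from public ones. The function names are hypothetical, and the sample lines are a subset copied from the logs above.

```python
import ipaddress
import re
from collections import Counter

# Subset of the log lines posted in this thread.
SAMPLE_LOG = """\
Jun 09 21:00:42 UdpEchoChargen Attack Detect (ip=10.19.208.143) Packet Dropped
Jun 09 21:00:42 Whole System ACK Flood Attack from WAN Rule:Default deny
Jun 09 20:59:42 UdpEchoChargen Attack Detect (ip=10.19.208.147) Packet Dropped
Jun 09 20:56:42 UdpEchoChargen Attack Detect (ip=10.19.208.107) Packet Dropped
Jun 09 20:55:42 Per-source ACK Flood Attack Detect (ip=115.112.0.12) Packet Dropped
Jun 10 00:00:27 Per-source ACK Flood Attack Detect (ip=173.194.36.78) Packet Dropped
Jun 09 23:58:27 Per-source ACK Flood Attack Detect (ip=173.194.36.78) Packet Dropped
Jun 09 23:57:27 UdpEchoChargen Attack Detect (ip=10.19.208.107) Packet Dropped
"""

# "<Mon DD HH:MM:SS> <event text>", optionally "(ip=a.b.c.d) Packet Dropped"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<event>.+?)"
    r"(?: \(ip=(?P<ip>[0-9.]+)\) Packet Dropped)?$"
)

def parse_line(line):
    """Return (timestamp, event, ip_or_None), or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip = None
    if m.group("ip"):
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            return None  # looks like an address but is not a valid one
    return m.group("ts"), m.group("event"), ip

def summarize(log_text):
    """Count events by type and source IPs by scope (private vs public)."""
    events = Counter()
    sources = {"private": Counter(), "public": Counter()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, event, ip = parsed
        events[event] += 1
        if ip is not None:
            # is_private covers RFC 1918 ranges such as 10.0.0.0/8
            sources["private" if ip.is_private else "public"][str(ip)] += 1
    return events, sources

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
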
 
Hey rj27, thanks for the reply. The attacks are constant; for example, it's 10:30 at the time of posting this message and I just checked the log and the last attack was at 10:29, and it happens every second. There are at least 20 blocked attempts for every second.
I checked some more IPs that were involved in the logs; one is from Kolkata as well, a static IP from VSNL net.
On the flip side, though, my internet has been working fine. I'll keep monitoring the logs. I've got the firewall up, and I am using Firefox with HTTPS Everywhere.
Hopefully nothing should happen.
I'll update here if anything else turns up. I'll also try and take it up with my ISP, although I am not sure how much they'll be able to help me in this regard.
 
Yup, better raise it with the ISP then. Someone technically efficient should be able to get a better hold from their monitoring system/server.
 