Is this some sort of DDoS attack?

philled
Posts: 21
Joined: Wed Jul 01, 2009 7:04 pm
Location: Sydney

Is this some sort of DDoS attack?

Post by philled » Fri Feb 28, 2014 11:43 am

I'm an Exetel ADSL2 customer running a Smoothwall box which is essentially a linux-based router. I'm getting endless logs like the ones below in /var/log/messages.

...
Feb 28 11:28:02 smooth kernel: IN=ppp0 OUT= MAC= SRC=197.32.222.53 DST=220.233.164.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=106 ID=23580 PROTO=UDP SPT=25915 DPT=6881 LEN=111
Feb 28 11:28:04 smooth kernel: IN=ppp0 OUT= MAC= SRC=76.105.18.212 DST=220.233.164.xxx LEN=134 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=51895 DPT=6881 LEN=114
Feb 28 11:28:05 smooth kernel: IN=ppp0 OUT= MAC= SRC=61.231.126.162 DST=220.233.164.xxx LEN=126 TOS=0x00 PREC=0x00 TTL=115 ID=20519 PROTO=UDP SPT=17651 DPT=6881 LEN=106
Feb 28 11:28:06 smooth kernel: IN=ppp0 OUT= MAC= SRC=182.235.241.222 DST=220.233.164.xxx LEN=126 TOS=0x00 PREC=0x00 TTL=44 ID=42059 PROTO=UDP SPT=16881 DPT=6881 LEN=106
Feb 28 11:28:09 smooth kernel: IN=ppp0 OUT= MAC= SRC=116.55.255.105 DST=220.233.164.xxx LEN=129 TOS=0x00 PREC=0x00 TTL=46 ID=0 DF PROTO=UDP SPT=20206 DPT=6881 LEN=109
Feb 28 11:28:09 smooth kernel: IN=ppp0 OUT= MAC= SRC=113.6.228.153 DST=220.233.164.xxx LEN=126 TOS=0x00 PREC=0x00 TTL=40 ID=54375 PROTO=UDP SPT=23045 DPT=6881 LEN=106
Feb 28 11:28:09 smooth kernel: IN=ppp0 OUT= MAC= SRC=118.93.45.80 DST=220.233.164.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=119 ID=31569 PROTO=UDP SPT=52226 DPT=6881 LEN=111
Feb 28 11:28:11 smooth kernel: IN=ppp0 OUT= MAC= SRC=83.45.38.252 DST=220.233.164.xxx LEN=129 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=6881 DPT=6881 LEN=109
Feb 28 11:28:11 smooth kernel: IN=ppp0 OUT= MAC= SRC=1.34.175.52 DST=220.233.164.xxx LEN=126 TOS=0x00 PREC=0x00 TTL=117 ID=28205 PROTO=UDP SPT=15353 DPT=6881 LEN=106
Feb 28 11:28:11 smooth kernel: IN=ppp0 OUT= MAC= SRC=182.235.241.222 DST=220.233.164.xxx LEN=126 TOS=0x00 PREC=0x00 TTL=44 ID=42554 PROTO=UDP SPT=16881 DPT=6881 LEN=106
Feb 28 11:28:13 smooth kernel: IN=ppp0 OUT= MAC= SRC=212.21.13.80 DST=220.233.164.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=107 ID=18611 PROTO=UDP SPT=52015 DPT=6881 LEN=111
Feb 28 11:28:13 smooth kernel: IN=ppp0 OUT= MAC= SRC=86.81.146.248 DST=220.233.164.xxx LEN=126 TOS=0x00 PREC=0x00 TTL=103 ID=8821 PROTO=UDP SPT=26309 DPT=6881 LEN=106
Feb 28 11:28:14 smooth kernel: IN=ppp0 OUT= MAC= SRC=122.254.56.92 DST=220.233.164.xxx LEN=126 TOS=0x00 PREC=0x00 TTL=106 ID=2110 PROTO=UDP SPT=21700 DPT=6881 LEN=106
Feb 28 11:28:14 smooth kernel: IN=ppp0 OUT= MAC= SRC=114.46.154.212 DST=220.233.164.xxx LEN=126 TOS=0x00 PREC=0x00 TTL=52 ID=26280 PROTO=UDP SPT=13208 DPT=6881 LEN=106
...
and on and on and on...
220.233.164.xxx is my IP address, so am I being attacked here? Does anyone have any idea what's going on and how I can stop it?

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Is this some sort of DDoS attack?

Post by Dazzled » Fri Feb 28, 2014 2:56 pm

The messages were logged by iptables, and describe packets that got caught by a firewall DROP rule. They were discarded and a note made in the log. The fields used are explained neatly (for the old netfilter, which is similar to iptables) at http://logi.cc/en/2010/07/netfilter-log-format/

When we look at the port to which the packets were addressed, 6681 is commonly used by BitTorrent and UPnP. It is the default for some torrent clients, which, as these packets are UDP, looks to be the case here.

I think that your Smoothwall iptables could be improved a little by having a better explanation than "smooth kernel". To do this you would alter iptables to give different meaningful logged text for several DROP rules. This would have to be done in a way that survives a reboot.

If you wish to read the firewall rules, enter smoothwall and the command is iptables -L. Each incoming packet is tested against each rule in turn in a chain. The bottom rule will catch and discard everything. Note that there can be "sub-chains".

Your packets passed down the rules until they met and satisfied DROP.

Your main protection against attack is the ACCEPT rule that requires "state RELATED,ESTABLISHED" - intruder IPs can't usually qualify as they don't have this entry in the conntrack tables if you aren't currently connected to them. This would be the case here.
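A small triage script for the netfilter LOG format discussed above, added here as an example (it is not code from either post or from Smoothwall). It parses the KEY=VALUE fields, aggregates the dropped packets by source and destination port, and applies a labelled heuristic to separate "many distinct peers dialling one old service port" from traffic that deserves a closer look. The sample lines are constructed in the same format as the post's log, using documentation addresses.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the netfilter LOG lines quoted in the post: syslog timestamp, host,
# "kernel:", then space-separated KEY=VALUE fields (flags such as DF have no '=').
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<fields>.*)$")

def parse_line(line):
    """Return the fields of one iptables LOG line as a dict, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        # LEN appears twice (IP total length, then UDP length); keep the first one.
        rec.setdefault(key, val if sep else True)
    return rec

def summarize(lines):
    """Aggregate dropped packets so a noisy port or a noisy source stands out."""
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return None
    srcs = Counter(r.get("SRC") for r in recs)
    dports = Counter((r.get("PROTO"), r.get("DPT")) for r in recs)
    span = max(1, int((recs[-1]["ts"] - recs[0]["ts"]).total_seconds()))
    (proto, port), top_n = dports.most_common(1)[0]
    summary = {
        "packets": len(recs),
        "distinct_sources": len(srcs),
        "busiest_source": srcs.most_common(1)[0],
        "top_port": f"{proto}/{port}",
        "top_port_share": top_n / len(recs),
        "packets_per_second": len(recs) / span,
    }
    # Triage heuristic (an assumption, not a rule from the post): one dominant service
    # port, mostly distinct sources and a low rate matches stale peers still contacting
    # a client that used to listen there, not a volumetric flood from a few hosts.
    scattered = summary["distinct_sources"] >= 0.5 * len(recs)
    summary["profile"] = ("stray-peer-traffic" if summary["top_port_share"] >= 0.8
                          and scattered and summary["packets_per_second"] < 10
                          else "needs-review")
    return summary

# Constructed sample in the post's log format (RFC 5737 documentation addresses).
SAMPLE = """\
Feb 28 11:28:02 smooth kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.9 LEN=131 TOS=0x00 PREC=0x00 TTL=106 ID=23580 PROTO=UDP SPT=25915 DPT=6881 LEN=111
Feb 28 11:28:04 smooth kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.20 DST=203.0.113.9 LEN=134 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=51895 DPT=6881 LEN=114
Feb 28 11:28:05 smooth kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.33 DST=203.0.113.9 LEN=126 TOS=0x00 PREC=0x00 TTL=115 ID=20519 PROTO=UDP SPT=17651 DPT=6881 LEN=106
Feb 28 11:28:09 smooth kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.20 DST=203.0.113.9 LEN=126 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=51895 DPT=6881 LEN=106
Feb 28 11:28:12 smooth kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=11 DF PROTO=TCP SPT=44021 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the real lines with `summarize(open("/var/log/messages").read().splitlines())`; non-LOG lines are skipped by the parser.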
