I took a look at my routers security log last night, and it was littered with this:

Tue Nov 11 10:37:57 2008 1 Blocked by DoS protection 76.35.112.1
Tue Nov 11 10:37:57 2008 1 Blocked by DoS protection 76.35.112.1
Tue Nov 11 10:38:16 2008 1 Blocked by DoS protection 76.35.112.1
Tue Nov 11 10:38:16 2008 1 Blocked by DoS protection 76.35.112.1
Tue Nov 11 10:38:35 2008 1 Blocked by DoS protection 76.35.112.1
Tue Nov 11 10:38:35 2008 1 Blocked by DoS protection 76.35.112.1

I do not know how long this has been going on, but I have been watching it happen for a good 16 hours now... Thousands of these entries are made in the logs.

My internet connection has not slowed down, or at least not that I can notice. I did visit an old IRC channel with people I used to know way back when just yesterday, however I cannot identify that as the source of this. Is this just random internet clutter hitting my Belkin router? Or a small DoS attempt from a single ip?

Thanks

It could be a DOS attack. But I don’t think you will be able to track it to one single IP address. Usually when people do things like this they have hacked into other people computer and then use their machines to attack yours. So it makes tracking the original IP address pretty hard.

It appears from you log that you have some kind of protection against this. I would keep an eye on it and maybe check out what you can do about it if it really is a denial of service attack. FBI has a cyber crime division and I would check with your local law enforcement or do some research on the internet about what you can do.

Are you running some kind of site that these people would be interested in taking down? A lot of time they try to bring your site down and then they tell you that they will stop the attacks for money or something like that. Just wondering if that could be the reason.

No, I don't operate a website. This my home network.

The IRC channel I visited was on the star-fleet network, the channel consisted of maybe 5 or 6 people, 3 of which I used to help "fix" roms for NES and N64 emulation years ago (like 8 or 9 years ago). I did not really say anything to provoke any of them, just general chat, catching up on things. Out of the 6, only 2 where actually active in the channel. I did a whois on myself and found my IP to be visible so I did a whois on the person who runs the channel to see if it was visible for everyone (me being paranoid did not want to get into the mess that I am possibly in now).

This also could just be some random computer zoning in on my connection. The trace route results say that there are no hops between my network and that IP. A search on the general IP info points to Road Runner in VA. Further lookups revealed the source location to be from just outside of Wichita, KS.

I have always understood a real DoS attack to completely bring down an internet connection, and that instead of 3-6 hits per minute that it would be hundreds per minute. I won't dismiss the idea of it being a real one, but I am looking for confirmation whether it is or not.

This post has been edited by D1gitalIce: 11 Nov, 2008 - 09:53 AM

Rates are increasing. Went from 4-5 per minute to about 10 - 15 per minute. At this point I am helpless, since my ISP assigns static IP addresses. Web sites are running slower as well.

You may want to contact your ISP. Just being on IRC will expose your address, & this was probably not provoked by anyone in that specific chat room.

Zombie nets are bad. And the most common method of hurting the big guys.

However, DoS attacks can come from a single point with little fear of exposure. MAC, IP source and destination are easily spoofed. So, I send you a crap packet. You SYN/ACK back to either a non existent computer or someone who's never heard of you. That other guy will send you a WTF ACK, so you actually get traffic from complete random strangers. Or you wait the ACK that will never come, which is probably worse.

This, boys and girls, it why IPv6 is a "good thing." Of course, it will cost billions to get it working universally, so don't hold your breath.

Hm, .1 is normally a router, probably your ISP's router is sending some packets your router does not understand and the "look-i-m-amazing" DoS protection wants to show it exists? Is the IP address in your IP range?

Simply the Dos Protection software was faking your own network!
76.35.112.1 is your current IP address.

(I checked and reattack again! It's fine), may be the incoming packets from the local ISP were blocked by your firewall or proxy.

Check the network log file again, because the intruder was simple target your network like this. If you are affair something gonna happen to your network, then contact with your network admin!

Good luck!