Thompson 585v7 - fragment Sweeps and Frangement out of order (woes)

Forums › Spark New Zealand (including Skinny and BigPipe) › Thompson 585v7 - fragment Sweeps and Frangement out of order (woes)

kautious

25 posts

Geek

#89547 4-Sep-2011 23:11

hi there,

recently our Internet has been up and down like a yoyo.. we have been hacked in the past and recently I have noticed some dodgy things happening on other forums and our home network.

I decided to go to the router and see what the Intrusion Detection Stats were like as well as the .log's
this is what I have found;

Intrusion Detection:

fragment_sweep 27
fragment_out-of-order 141398

and Log's;

xxx.xxx.xxx.xxx = our IP Address.

Info    05:29:14 (since last boot)   UPnP action 'DeletePortMapping' from ip=192.168.1.xx (Success)

Info    05:29:15 (since last boot)   UPnP action 'DeletePortMapping' from ip=192.168.1.xx (Success)

Error    05:29:02 (since last boot)   FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 46.250.48.74 Dst ip: xxx.xxx.xxx.xxx Type: Destination Unreachable Code: Host Unreacheable

Info    05:28:26 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 7) : 82.26.117.143 xxx.xxx.xxx.xxx 1452 UDP 30647->28532 frag 7469:1432@0+

Info    05:24:56 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 9) : 82.26.117.143 xxx.xxx.xxx.xxx 1452 UDP 30647->28532 frag 29039:1432@0+

Info    05:20:40 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 6) : 82.26.117.143 xxx.xxx.xxx.xxx 1452 UDP 30647->28532 frag 14974:1432@0+

Info    05:19:22 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 5) : 82.26.117.143 xxx.xxx.xxx.xxx 1452 UDP 30647->28532 frag 11094:1432@0+

Info    05:15:22 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 150) : 82.26.117.143 xxx.xxx.xxx.xxx 1452 UDP 30647->28532 frag 31250:1432@0+

Info    05:14:07 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 4326) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 35924:1376@0+

Error    05:13:42 (since last boot)   IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 22854:34@1376

Info    05:13:06 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 5721) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 65083:1376@0+

Error    05:12:41 (since last boot)   IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 47033:34@1376

Info    05:12:05 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 5544) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 19596:1376@0+

Error    05:11:40 (since last boot)   IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 4379:34@1376

Info    05:11:04 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 4914) : 93.80.212.118 xxx.xxx.xxx.xxx 1396 UDP 59470->28532 frag 17521:1376@0+

Error    05:10:39 (since last boot)   IDS fragment parser : fragment sweep (1 of 1) : 93.80.212.118 xxx.xxx.xxx.xxx 1396 UDP 59470->28532 frag 60449:1376@0+

Info    05:10:03 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 4993) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 9723:1376@0+

Error    05:09:38 (since last boot)   IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 62317:34@1376

Info    05:09:02 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 3091) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 38752:1376@0+

Error    05:08:38 (since last boot)   IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 30300:34@1376

Info    05:08:01 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 1821) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 11827:1376@0+

Error    05:07:36 (since last boot)   IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 60150:34@1376

Warning    05:07:25 (since last boot)   PPP link up (Internet) [xxx.xxx.xxx.xxx]

Info    05:07:25 (since last boot)   PPP PAP Authenticate Ack received

Info    05:07:25 (since last boot)   PPP PAP Authenticate Request sent

Warning    05:07:14 (since last boot)   PPP link down (Internet) [xxx.xxx.xxx.xxx]

Info    05:07:00 (since last boot)   IDS fragment parser : fragment out-of-order (1 of 10925) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 41488:1376@0+

not liking this Telecom Dynamic plan which is falsely advertised. As in Fact we are on a Static IP. Have requested numerous times for a Dynamic IP which TBQH can't be done with Telecom.

any idea's on what to do here would be appreciated.

BarTender

3606 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#516617 4-Sep-2011 23:35

Switch your modem off at night, in the morning you should get a new IP if you're on dynamic and don't have a fixed IP. I think there is a few hours lease time that the IP is held for if you restart your router.

Are you sure you're not infected with a virus / malware? Or running some bittorrent similar software on a machine?

You never know you could have been hit with the virus that hit MetService and went around a few weeks ago: http://www.geekzone.co.nz/freitasm/7776

kautious

25 posts

Geek

#516620 4-Sep-2011 23:49

Hmm , regarding the Modem reset thing. No We've Tried that. spoken to Level 1-7 technicians which have confirmed that with the New Telecom plans (Total Home) All users are in fact on a fixed IP Address and they are not willing to even change it - The IP Address (that is).

Will look into the torrent thing as there are several users on the network +Mobile Devices

have built a Linux firewall Rig which is sitting beside me atm. Have been delaying wiring it up between a sep router and this one as I have no faith in these 'Free' Modems abilities to block anything.

but that requires time and energy which I don't have atm. And will it be effective enough to warrant doing so? .. Iam not sure atm.

thank you very much for your fast reply.

Shall do the MalwareBytes thing in morning and see if it turns up any nasties.

shall also do a sweep for rootkits using;

http://technet.microsoft.com/en-us/sysinternals/bb897445

Again thanks.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#516638 5-Sep-2011 06:33

The IP type you're on is completely irrevelent, port scanners and bots out there on the internet will get you no matter what your IP address is.

kautious

25 posts

Geek

#516777 5-Sep-2011 12:13

Not Exactly true , I was a part of a gaming community for several years , and in last few years I have kept the same IP address (not because I wanted to). This was picked up by some Server Admins who were not well liked in the community and caused alot of strife for us and our players. This is when these Hacking games started.

Now , these guys were attacking players whilst they were in game through Syn Floods / Ddos Attacks and in some cases breaching there computers and effectively killing them. forcing players to R-einstall OS etc.
and lolling in the background.

The thing is with a Dynamic IP , you can re-anonimize yourself by simply resetting your modem. Then they need to find you again by scanning your subnet and looking for your computer/name. Which in effect you change and make it that much more harder for them to detect.

If however you are on a fixed IP address , then they can blast you with every new Exploit available on the Web and or ddos you via some botnet till all their proxies are exhausted. the kinds of people I am talking about here do this kind of thing constantly and have killed a lot of game servers out of spite and for reasons that no one really understands.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#516794 5-Sep-2011 13:14

Annoying some other gamers is completely differnt from bots attacking you - this will occur no matter what the IP is.

With the new 3strikes law and assumption by the law that an IP address is a person I suspect we'll see more ISP's defaulting to static IP's due to the complexities in some cases of having to store IP and user account information as require by law.

kautious

25 posts

Geek

#516801 5-Sep-2011 13:25

Yes indeed. Perhaps they "Telecom" would like to re-phrase their plan Description's from Dynamic IP to Static IP. at least for Legal Purposes.

or should I say: False Advertising.

edit: just done a search for 'dynamic' on their website to which nothing but a glossary of terms was returned. Perhaps they have already rectified this.

I see someone else is having (Static IP) the same problem here;

http://www.geekzone.co.nz/forums.asp?forumid=39&topicid=78926

seems ironic , how just when the law changes regarding downloads and illegal content , that all of a sudden like we are given large boosts in GB's to be allowed to use.with this Catch-22 bundled in. Be warned we are watching what you download and you may expect a visit if you are not careful.

not sure what to liken it to tbh.

An X-Alcoholic in a bar full of free-piss & told that they can only drink water?

cbrpilot

955 posts

Ultimate Geek

Trusted

Spark NZ

#520481 13-Sep-2011 14:32

@yzeguy, I suggest you call Telecom and request a change of IP address.

Telecom never claims to give everyone a dynamic IP. If your IP address does not change when restarting your router and you have not specifically requested a static IP then you will need to call if you have issues with your IP and they will run an order to change it.

My views are my own, and may not necessarily represent those of my employer.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

kautious

25 posts

Geek

#520490 13-Sep-2011 14:53

Have done so on many occasions , spoken to numerous technicians on several occasions in regards to these matters , all of which have stated that we are NOT on Static Ip .. however it is obvious that we are since we have had the same IP for over 12months , resets / no resets still the same.

have contacted them again today to see if they can change it once more. Last time I tried this , there was 1 option , close and re-open account.. kind ironic I think , oh and there's a fee involved for doing this.

Thanks for your feedback , much appreciated.

joeksemail

78 posts

Master Geek

Trusted

#520526 13-Sep-2011 16:01

Can you please PM me your phone number and I can look into this for you.

Cheers,

Joe

kautious

25 posts

Geek

#521063 14-Sep-2011 16:58

pm sent thanks.

kautious

25 posts

Geek

#521693 15-Sep-2011 21:31

Thank you all for the help , hopefully the problem has been resolved , if not I have come closer to the source of it.

after talking to a Technician 5minutes ago (great guy btw) he suggested that I try a very simple proceedure that you may want to pass onto your support team for future reference.

FACTORY RESET MODEM.

Apparently these modems TG585v7's can get congested cache? or something to this effect.

however , after doing the 'Thing which stared me in the face' every time I went to the interface , 'Yet blantantly over-looked' may have been the remedy for cases such as mine.

Anyway , long story short .. you guys have restored my faith in Telecom Services and your help has been Out-Standing!! (looks for the 'shout me a beer - via paypal button') :\

Thank you all that helped rectify this problem.

I shall monitor it for the next few days and report here of the outcome good/bad , that others maybe able to benefit from this post - that have similar issues.

Cheers.

joeksemail

78 posts

Master Geek

Trusted

#521765 16-Sep-2011 08:07

yzeguy: Thank you all for the help , hopefully the problem has been resolved , if not I have come closer to the source of it.

after talking to a Technician 5minutes ago (great guy btw) he suggested that I try a very simple proceedure that you may want to pass onto your support team for future reference.

FACTORY RESET MODEM.

Apparently these modems TG585v7's can get congested cache? or something to this effect.

however , after doing the 'Thing which stared me in the face' every time I went to the interface , 'Yet blantantly over-looked' may have been the remedy for cases such as mine.

Anyway , long story short .. you guys have restored my faith in Telecom Services and your help has been Out-Standing!! (looks for the 'shout me a beer - via paypal button') :\

Thank you all that helped rectify this problem.

I shall monitor it for the next few days and report here of the outcome good/bad , that others maybe able to benefit from this post - that have similar issues.

Cheers.

No worries at all, its what were here for!
:-)

kautious

25 posts

Geek

#521767 16-Sep-2011 08:12

:D she's still humming along quite nicely now. Will see if it degrades over the next few days.

if it does will look into getting a new router.

Cheers.