DDoS attacks when the VIM is on

I turn on the VIM, with the latest Ubuntu… I start receiving DDoS attacks… I turn off the VIM and they stop.

Please give details and traces.

Is it just the Khadas VIM, or does any other device you plug into the same wire receive DDoS too?

Do you plug it directly into your internet service provider, or via a router/NAT?

I personally don’t think it would make any sense for a DDoS attack to be device specific; they are usually targeted at specific public IP addresses.

Yeah, that doesn’t make a lot of sense unless you’re plugging, like… directly into your modem without NAT and a firewall. You’ll have to provide some firewall logs, or IDS logs (if you have one).

Is this on a clean install of Ubuntu? Malware? Unwanted apps auto-starting and stealing your bandwidth? Just curious how you came to the conclusion that it’s a DDoS; that would mean you’re being hit from lots of different IPs, not just a single one flooding you.

Running a Netgear router on Cox cable, no other devices on the network.
[admin login] from source 192.168.0.11 1 Sat Aug 12 19:04:26 2017 0.0.0.0:0 192.168.0.11:0
[DoS attack: Illegal Fragments] from 137.1.14.0, port 0 2 Sat Aug 12 18:55:07 2017 68.3.106.124:0 137.1.14.0:0
[DoS attack: Teardrop or derivative] from 137.1.14.0, port 0 2 Sat Aug 12 18:54:17 2017 68.3.106.124:0 137.1.14.0:0
[DoS attack: Illegal Fragments] from 137.1.14.0, port 0 1 Sat Aug 12 18:53:17 2017 68.3.106.124:0 137.1.14.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 1 Sat Aug 12 18:52:02 2017 68.3.106.124:0 137.1.14.0:0
[DoS attack: Teardrop or derivative] from 137.1.14.0, port 0 1 Sat Aug 12 18:51:07 2017 68.3.106.124:0 137.1.14.0:0
[DoS attack: Illegal Fragments] from 137.1.14.0, port 0 2 Sat Aug 12 18:51:02 2017 68.3.106.124:0 137.1.14.0:0
[DoS attack: Teardrop or derivative] from 137.1.14.0, port 0 1 Sat Aug 12 18:49:57 2017 68.3.106.124:0 137.1.14.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 1 Sat Aug 12 18:48:48 2017 68.3.106.124:0 137.1.14.0:0

The same IP, 137.1…

[DHCP IP: 192.168.0.14] to MAC address 94:fd:2e:03:51:15 1 Sun Aug 13 19:18:44 2017 0.0.0.0:0 0.0.0.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 10 Sun Aug 13 19:18:15 2017 9.50.194.194:0 137.1.14.0:0
[admin login] from source 192.168.0.11 1 Sun Aug 13 19:16:04 2017 0.0.0.0:0 192.168.0.11:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 142 Sun Aug 13 19:15:57 2017 9.50.194.194:0 137.1.14.0:0
[DHCP IP: 192.168.0.14] to MAC address 94:fd:2e:03:51:15 1 Sun Aug 13 18:40:21 2017 0.0.0.0:0 0.0.0.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 827 Sun Aug 13 18:40:02 2017 9.50.194.194:0 137.1.14.0:0
[DHCP IP: 192.168.0.11] to MAC address 00:23:54:03:57:9e 1 Sun Aug 13 15:23:08 2017 0.0.0.0:0 0.0.0.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 285 Sun Aug 13 15:22:18 2017 9.50.194.194:0 137.1.14.0:0
[DHCP IP: 192.168.0.14] to MAC address 94:fd:2e:03:51:15 1 Sun Aug 13 14:13:47 2017 0.0.0.0:0 0.0.0.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 93 Sun Aug 13 14:13:19 2017 9.50.194.194:0 137.1.14.0:0
[admin login] from source 192.168.0.11 1 Sun Aug 13 13:50:50 2017 0.0.0.0:0 192.168.0.11:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 184 Sun Aug 13 13:48:58 2017 9.50.194.194:0 137.1.14.0:0
[DHCP IP: 192.168.0.14] to MAC address 94:fd:2e:03:51:15 1 Sun Aug 13 13:07:09 2017 0.0.0.0:0 0.0.0.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 159 Sun Aug 13 13:06:49 2017 9.50.194.194:0 137.1.14.0:0
[DHCP IP: 192.168.0.12] to MAC address b0:72:bf:f5:a7:31 1 Sun Aug 13 12:27:06 2017 0.0.0.0:0 0.0.0.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 23 Sun Aug 13 12:26:49 2017 9.50.194.194:0 137.1.14.0:0
[DHCP IP: 192.168.0.12] to MAC address b0:72:bf:f5:a7:31 1 Sun Aug 13 12:20:11 2017 0.0.0.0:0 0.0.0.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 131 Sun Aug 13 12:19:14 2017 9.50.194.194:0 137.1.14.0:0
[DHCP IP: 192.168.0.12] to MAC address b0:72:bf:f5:a7:31 1 Sun Aug 13 11:44:51 2017 0.0.0.0:0 0.0.0.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 20 Sun Aug 13 11:44:34 2017 9.50.194.194:0 137.1.14.0:0
[admin login] from source 192.168.0.11 1 Sun Aug 13 11:42:19 2017 0.0.0.0:0 192.168.0.11:0
[admin login failure] from source 192.168.0.11 1 Sun Aug 13 11:42:04 2017 0.0.0.0:0 192.168.0.11:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 6 Sun Aug 13 11:40:59 2017 9.50.194.194:0 137.1.14.0:0
[DHCP IP: 192.168.0.15] to MAC address 44:2c:05:89:c7:4f 1 Sun Aug 13 11:39:36 2017 0.0.0.0:0 0.0.0.0:0
[admin login] from source 192.168.0.11 1 Sun Aug 13 11:37:51 2017 0.0.0.0:0 192.168.0.11:0
[admin login failure] from source 192.168.0.11 1 Sun Aug 13 11:37:36 2017 0.0.0.0:0 192.168.0.11:0
[admin login] from source 192.168.0.11 2 Sun Aug 13 11:14:19 2017 0.0.0.0:0 192.168.0.11:0
[admin login failure] from source 192.168.0.11 1 Sun Aug 13 11:14:08 2017 0.0.0.0:0 192.168.0.11:0
[admin login] from source 192.168.0.11 1 Sun Aug 13 11:05:16 2017 0.0.0.0:0 192.168.0.11:0
[admin login failure] from source 192.168.0.11 1 Sun Aug 13 11:05:06 2017 0.0.0.0:0 192.168.0.11:0
[admin login] from source 192.168.0.11 1 Sun Aug 13 10:53:49 2017 0.0.0.0:0 192.168.0.11:0
[admin login failure] from source 192.168.0.11 1 Sun Aug 13 10:53:34 2017 0.0.0.0:0 192.168.0.11:0

This log is from before turning off the VIM.

Turns out it’s only the Wi-Fi MAC that’s affected.

Need a fair bit more info on this matter really; what apps do you have installed? Does this also happen if you connect via Ethernet?
It isn’t a distributed attack, as it all comes from the same source, and that source according to whois is:

OrgName: 754th Electronic Systems Group
OrgId: 7ESG
Address: 501 E. Moore Drive
City: MAFB-Gunter Annex
StateProv: AL
PostalCode: 36114
Country: US
RegDate: 2008-06-05
Updated: 2011-08-17

A quick search reveals this Reddit:
https://www.reddit.com/r/sysadmin/comments/2b1xfh/repeated_dos_attacks_from_754th_electronic/

Seems this AF base has a bit of previous from about 3 years ago, but no follow-up.

Also be sure you don’t have any unknown (or unsecured) public-facing ports open, so scan from the Gibson Research Shields Up! page to check…

So just now I turned the VIM on and ran on Ethernet for 10 minutes, no problem.
The VIM had been off for 2 days with no attacks.
Then I switched to Wi-Fi and turned off the Ethernet.
2 minutes passed and WHAM, that 137.1.14.0 DDoS attack.
Ubuntu MATE 16.04 17605 with SuperTuxKart, Steam, Kapman, Stellarium, LibreOffice, Kodi, HexChat.
Turned on Ethernet and turned off Wi-Fi and it stopped completely.
So I’m saying that this VIM is hacked.

I guess nobody has had this problem?

Nothing to do with the VIM.

Sounds like the old Netgear problem. Try disabling everything IPv6 in your house. Or do what the current solution is: replace the Netgear switch with another brand.

The reason I say this is because the IP address is bullshit: you cannot be getting attacked by an IP ending in 0.
Your original IP was 68.3.106.124, which is your Cox IP.
Later your IP was 9.50.194.194, and I am guessing that you don’t work for IBM.

Google “DoS attack, Teardrop or derivative, Ping of Death” and you’ll get Netgear all over, including obscure problems resulting from.

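The question this thread keeps circling back to is whether the router log shows a distributed attack (many sources) or a single source that the Netgear is mislabelling. As an added example that is not code from anyone in this thread, the Python below parses the Netgear-style "[DoS attack: …]" lines quoted above and reports distinct sources, hits per attack type, and the warning signs raised in the replies: only one source, a source whose host octet is 0, and a "local side" address that changes between entries. The interpretation of the two trailing address:port pairs (first = the router's own side, second = the remote) is an assumption taken from how the thread reads the log, not from Netgear documentation; the sample lines are a constructed subset copied from the log posted above.

```python
"""Triage Netgear-style "[DoS attack: ...]" router log lines.

Added example (not from the thread). Answers: how many distinct sources,
how many hits per attack type, and which entries look untrustworthy.
"""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Constructed sample: a subset of the router lines quoted in the thread.
SAMPLE_LOG = """\
[admin login] from source 192.168.0.11 1 Sat Aug 12 19:04:26 2017 0.0.0.0:0 192.168.0.11:0
[DoS attack: Illegal Fragments] from 137.1.14.0, port 0 2 Sat Aug 12 18:55:07 2017 68.3.106.124:0 137.1.14.0:0
[DoS attack: Teardrop or derivative] from 137.1.14.0, port 0 2 Sat Aug 12 18:54:17 2017 68.3.106.124:0 137.1.14.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 1 Sat Aug 12 18:52:02 2017 68.3.106.124:0 137.1.14.0:0
[DHCP IP: 192.168.0.14] to MAC address 94:fd:2e:03:51:15 1 Sun Aug 13 19:18:44 2017 0.0.0.0:0 0.0.0.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 10 Sun Aug 13 19:18:15 2017 9.50.194.194:0 137.1.14.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 142 Sun Aug 13 19:15:57 2017 9.50.194.194:0 137.1.14.0:0
[DoS attack: Ping Of Death] from 137.1.14.0, port 0 827 Sun Aug 13 18:40:02 2017 9.50.194.194:0 137.1.14.0:0
"""

# Layout as quoted: message, source, port, hit count, timestamp, then two
# address:port pairs. Treating the first pair as the router's own (WAN) side
# and the second as the remote is an ASSUMPTION based on the thread, not on
# Netgear documentation.
DOS_RE = re.compile(
    r"^\[DoS attack: (?P<kind>[^\]]+)\] from (?P<src>[^,]+), port (?P<port>\d+) "
    r"(?P<count>\d+) (?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<local>[^:\s]+):\d+ (?P<remote>[^:\s]+):\d+$"
)


def parse_netgear_log(text):
    """Return one dict per DoS line; DHCP and admin-login lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DOS_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["count"] = int(ev["count"])
        ev["port"] = int(ev["port"])
        ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
        events.append(ev)
    return events


def summarize(events):
    """Aggregate hits and flag the signs that the log is not what it claims."""
    per_source, kinds = Counter(), Counter()
    for ev in events:
        per_source[ev["src"]] += ev["count"]
        kinds[ev["kind"]] += ev["count"]
    sources = sorted(per_source)
    local_side = sorted({ev["local"] for ev in events})
    flags = []
    # "Distributed" means many sources. One source is at most a plain DoS.
    if len(sources) == 1:
        flags.append(f"single source {sources[0]}: not distributed")
    for src in sources:
        try:
            addr = ip_address(src)
        except ValueError:
            flags.append(f"{src}: not a valid IP address")
            continue
        # A host octet of 0 is unusual for a real end host (it is the network
        # address of a classic /24); the thread suspects router mistranslation.
        if addr.version == 4 and int(addr) & 0xFF == 0:
            flags.append(f"{src} has host octet 0: check router translation")
    if len(local_side) > 1:
        flags.append("router's own side changed between entries: "
                     + ", ".join(local_side) + "; verify against real WAN IP")
    return {
        "distributed": len(sources) > 1,
        "distinct_sources": sources,
        "per_source_hits": dict(per_source),
        "kinds": dict(kinds),
        "total_hits": sum(per_source.values()),
        "local_side": local_side,
        "window": (min(e["ts"] for e in events), max(e["ts"] for e in events)) if events else None,
        "flags": flags,
    }


if __name__ == "__main__":
    summary = summarize(parse_netgear_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Feed it the full router log export instead of the sample and the "distinct_sources" count alone settles the DDoS question; the flags are prompts to verify the entries against the modem's actual WAN address and a second capture (e.g. from the Ubuntu host) before attributing anything to the address the router printed.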

No problems here.

OK, sorry for the false alarm :slight_smile:

"Later your IP was 9.50.194.194, and I am guessing that you don’t work for IBM"
I’m failing to see that IP in any of my logs; where did you come up with that?

[DoS attack: Ping Of Death] from 137.1.14.0, port 0 1 Sat Aug 12 18:52:02 2017 68.3.106.124:0 137.1.14.0:0

[DoS attack: Ping Of Death] from 137.1.14.0, port 0 10 Sun Aug 13 19:18:15 2017 9.50.194.194:0 137.1.14.0:0

And if you are not seeing it (in other logs), then it is even more evidence that it is the Netgear ‘mistranslation’ of IPv6 addresses to IPv4.


So today I received more DDoS from 137… and the VIM was off, so it’s not the VIM… Thanks for your troubleshooting!
