DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Mail Alert from Router - derived from envelope?
- glynh
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 25
- Thank you received: 0
16 Aug 2010 10:13 #63361
by glynh
Mail Alert from Router - derived from envelope? was created by glynh
Hi there,
Having had my 2820Vn for a long time just yesterday I got a flurry of messages that seem to originate from it.
The 15 or so messages started just after midnight and continued until 6pm Sunday evening and the sender claims to be 'derived from envelope' and the subject is 'Mail Alert from Router'
The message body contains lines similar to below;
2010/08/15 17:54:09 -- [DOS][Block][trace_route][209.234.238.100:17011->My.WAN.IP.Address:33436][UDP][HLen=20, TLen=32]
2010/08/15 14:33:33 -- [DOS][Block][trace_route][66.151.125.24:10415->My.WAN.IP.Address:33441][UDP][HLen=20, TLen=32]
2010/08/09 17:13:36 -- [DOS][Block][trace_route][67.228.119.250:17081->My.WAN.IP.Address:33438][UDP][HLen=20, TLen=32]
They all appear to be from the above 3 IP addresses (or variations of) although the port number varies and they all seem to be targeted specifically towards ports 33436-33441 on my system if I am understanding the lines above.
A quick WhoIs turned up three American Companies, Wall Street on Demand, Internap Network Services Corporation & Softlayer Technologies but of course those IP addresses could have been easily spoofed.
It looks to me like my router has detected a DOS attack of some sorts but I was wondering if anyone has a better idea of how/what/why etc?
In the very first message there was a different line amongst the usual text shown above;
2010/08/11 18:22:35 -- [DOS][Block][syn_flood, timeout=10][My.LAN.IP.Address:60574->82.132.141.69:110][TCP][HLen=20, TLen=44, Flag=S, Seq=7532617, Ack=0, Win=1608]
This differed from all of the others as not only was it ][syn_flood, timeout=10] instead of the usual [trace_route] but it mentioned an internal LAN IP Address specifically which belongs to a Siemens VoIP handset on my network. It also targeted a different port number from all of the others and the WhoIs traces back to my own ISP so I guessing it is not connected to the rest of the messages?
It could of course have nothing whatsoever to do with the 2820Vn but I am puzzled by what this all means anyway so if anyone is able to shed any light on it I would appreciate it.
Thanks & kind regards,
-=Glyn=-
Having had my 2820Vn for a long time just yesterday I got a flurry of messages that seem to originate from it.
The 15 or so messages started just after midnight and continued until 6pm Sunday evening and the sender claims to be 'derived from envelope' and the subject is 'Mail Alert from Router'
The message body contains lines similar to below;
2010/08/15 17:54:09 -- [DOS][Block][trace_route][209.234.238.100:17011->My.WAN.IP.Address:33436][UDP][HLen=20, TLen=32]
2010/08/15 14:33:33 -- [DOS][Block][trace_route][66.151.125.24:10415->My.WAN.IP.Address:33441][UDP][HLen=20, TLen=32]
2010/08/09 17:13:36 -- [DOS][Block][trace_route][67.228.119.250:17081->My.WAN.IP.Address:33438][UDP][HLen=20, TLen=32]
They all appear to be from the above 3 IP addresses (or variations of) although the port number varies and they all seem to be targeted specifically towards ports 33436-33441 on my system if I am understanding the lines above.
A quick WhoIs turned up three American Companies, Wall Street on Demand, Internap Network Services Corporation & Softlayer Technologies but of course those IP addresses could have been easily spoofed.
It looks to me like my router has detected a DOS attack of some sorts but I was wondering if anyone has a better idea of how/what/why etc?
In the very first message there was a different line amongst the usual text shown above;
2010/08/11 18:22:35 -- [DOS][Block][syn_flood, timeout=10][My.LAN.IP.Address:60574->82.132.141.69:110][TCP][HLen=20, TLen=44, Flag=S, Seq=7532617, Ack=0, Win=1608]
This differed from all of the others as not only was it ][syn_flood, timeout=10] instead of the usual [trace_route] but it mentioned an internal LAN IP Address specifically which belongs to a Siemens VoIP handset on my network. It also targeted a different port number from all of the others and the WhoIs traces back to my own ISP so I guessing it is not connected to the rest of the messages?
It could of course have nothing whatsoever to do with the 2820Vn but I am puzzled by what this all means anyway so if anyone is able to shed any light on it I would appreciate it.
Thanks & kind regards,
-=Glyn=-
Please Log in or Create an account to join the conversation.
- glynh
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 25
- Thank you received: 0
18 Aug 2010 10:11 #63401
by glynh
Replied by glynh on topic Mail Alert from Router - derived from envelope?
I had 3 more emails this morning - similar MO to above.
Anyone?
Thanks & kind regards,
-=Glyn=-
Anyone?
Thanks & kind regards,
-=Glyn=-
Please Log in or Create an account to join the conversation.
- glynh
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 25
- Thank you received: 0
30 Aug 2010 21:21 #63604
by glynh
Replied by glynh on topic Mail Alert from Router - derived from envelope?
Although the frequency appears to have decreased I am still getting the above emails...
Still not sure even whether they do originate from my 2820Vn and I'm guessing from the lack of a response neither do any of you guys here?:wink:
I still would like to find out exactly what is causing this and how/if I can stop this from happening?
Thanks & kind regards,
-=Glyn=-
Still not sure even whether they do originate from my 2820Vn and I'm guessing from the lack of a response neither do any of you guys here?
I still would like to find out exactly what is causing this and how/if I can stop this from happening?
Thanks & kind regards,
-=Glyn=-
Please Log in or Create an account to join the conversation.
- voodle
- Offline
- Big Contributor
Less
More
- Posts: 1139
- Thank you received: 0
31 Aug 2010 09:33 #63606
by voodle
Replied by voodle on topic Mail Alert from Router - derived from envelope?
That's definitely warning you that it's seeing a DoS attack, the first traceroute ones are bit suspicious especially if they were going all day, probably some bot that's trying to traceroute the internet and will keep going on a specific route if it can't get traceroute info straight away.
That last syn_flood one appears to be your voip handset accessing a POP3 email server, so the DoS defense setting thresholds are probably getting triggered too easily.
If you check under the DoS defense page, you can either disable the options such as syn_flood and traceroute to stop those messages or increase the threshold for the relevant triggers so that normal traffic doesn't set it off anymore.
That last syn_flood one appears to be your voip handset accessing a POP3 email server, so the DoS defense setting thresholds are probably getting triggered too easily.
If you check under the DoS defense page, you can either disable the options such as syn_flood and traceroute to stop those messages or increase the threshold for the relevant triggers so that normal traffic doesn't set it off anymore.
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek